add system config bat and others

apps.json

@@ -123,6 +123,10 @@
                 "Type": "FileCopy",
                 "Source": "./assets/hosts",
                 "Destination": "$env:SystemRoot\\System32\\drivers\\etc\\hosts"
+            },
+            {
+                "Type": "Command",
+                "Command": "\"$PSScriptRoot\\config\\sys_config.bat\""
             }
         ]
     }

config/sys_config.bat

@@ -0,0 +1,141 @@
+@echo off
+
+:: 关闭危险端口
+echo closing 135 port...
+netsh advfirewall firewall add rule name = "Disable port 135 - TCP" dir = in action = block protocol = TCP localport = 135
+netsh advfirewall firewall add rule name = "Disable port 135 - UDP" dir = in action = block protocol = UDP localport = 135
+
+echo closing 137 port...
+netsh advfirewall firewall add rule name = "Disable port 137 - TCP" dir = in action = block protocol = TCP localport = 137
+netsh advfirewall firewall add rule name = "Disable port 137 - UDP" dir = in action = block protocol = UDP localport = 137
+
+echo closing 138 port...
+netsh advfirewall firewall add rule name = "Disable port 138 - TCP" dir = in action = block protocol = TCP localport = 138
+netsh advfirewall firewall add rule name = "Disable port 138 - UDP" dir = in action = block protocol = UDP localport = 138
+
+echo closing 139 port...
+netsh advfirewall firewall add rule name = "Disable port 139 - TCP" dir = in action = block protocol = TCP localport = 139
+netsh advfirewall firewall add rule name = "Disable port 139 - UDP" dir = in action = block protocol = UDP localport = 139
+
+echo closing 445 port...
+netsh advfirewall firewall add rule name = "Disable port 445 - TCP" dir = in action = block protocol = TCP localport = 445
+netsh advfirewall firewall add rule name = "Disable port 445 - UDP" dir = in action = block protocol = UDP localport = 445
+
+echo closing 593 port...
+netsh advfirewall firewall add rule name = "deny593" dir = in action = block protocol = TCP localport = 593
+echo closing 1025 port...
+netsh advfirewall firewall add rule name = "deny1025" dir = in action = block protocol = TCP localport = 1025
+echo closing 2745 port...
+netsh advfirewall firewall add rule name = "deny2745" dir = in action = block protocol = TCP localport = 2745
+echo closing 3127 port...
+netsh advfirewall firewall add rule name = "deny3127" dir = in action = block protocol = TCP localport = 3127
+echo closing 3389 port...
+netsh advfirewall firewall add rule name = "deny3389" dir = in action = block protocol = TCP localport = 3389
+echo closing 6129 port...
+netsh advfirewall firewall add rule name = "deny6129" dir = in action = block protocol = TCP localport = 6129
+
+echo Turn on firewall logging ...
+netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
+netsh advfirewall set currentprofile logging maxfilesize 20480
+netsh advfirewall set currentprofile logging droppedconnections enable
+netsh advfirewall set currentprofile logging allowedconnections enable
+
+echo Make sure firewall is turned on...
+netsh advfirewall set allprofile state on
+
+
+:: Computer Browser(关闭维护网络上计算机的更新列表)
+net stop Browser /y
+sc config Browser start= disabled
+:: Workstation(关闭客户端网络与远程服务器的连接)
+net stop LanmanWorkstation /y
+sc config LanmanWorkstation start= disabled
+:: 禁用TCP/IP的NetBOIS 
+net stop lmhosts /y 1>nul 2>nul
+sc config lmhosts start= disabled 1>nul 2>nul
+
+echo closing feedback, search services...
+::Connected User Experiences and Telemetry
+net stop DiagTrack /y
+sc config DiagTrack start= disabled
+::SysMain
+net stop SysMain /y
+sc config SysMain start= disabled
+::Windows Search
+net stop WSearch /y
+sc config WSearch start= disabled
+
+echo closing xbox services...
+::Xbox Accessory Management Service
+net stop XboxGipSvc /y
+sc config XboxGipSvc start= disabled
+net stop xbgm /y
+sc config xbgm start= disabled
+::Xbox Live 游戏保存
+net stop XblGameSave /y
+sc config XblGameSave start= disabled
+::Xbox Live 网络服务
+net stop XboxNetApiSvc /y
+sc config XboxNetApiSvc start= disabled
+::Xbox Live 身份验证管理器
+net stop XblAuthManager /y
+sc config XblAuthManager start= disabled
+
+::Task Scheduler(关闭在此计算机上配置和计划自动任务)
+net stop Schedule /y
+sc config Schedule start= disabled
+::关闭TeamViewer
+net stop TeamViewer /y
+sc config TeamViewer start= disabled
+::关闭IP Helper
+net stop iphlpsvc /y
+sc config iphlpsvc start= disabled
+::Application Layer Gateway Service(关闭为Internet连接共享提供第三方协议插件的支持)
+net stop ALG /y
+sc config ALG start= disabled
+::Internet Connection Sharing (ICS)
+net stop SharedAccess /y
+sc config SharedAccess start= disabled
+
+::Application Management(关闭应用程序管理)
+net stop AppMgmt /y
+sc config AppMgmt start= disabled
+::Distributed Link Tracking Client(关闭NTFS文件维护工具)
+net stop TrkWks /y
+sc config TrkWks start= disabled
+::Print Spooler(关闭打印机的交互)
+net stop Spooler /y
+sc config Spooler start= disabled
+::shell hardware detection(关闭自动播放的通知)
+net stop ShellHWDetection /y
+sc config ShellHWDetection start= disabled
+
+
+:: 密码策略
+echo.[version]>gp.inf
+echo.signature="$CHICAGO$">>gp.inf
+echo.[System Access]>>gp.inf
+echo.MinimumPasswordAge = 30 >>gp.inf
+echo.MaximumPasswordAge = 180 >>gp.inf
+echo.MinimumPasswordLength = 8 >>gp.inf
+echo.PasswordComplexity = 1 >>gp.inf
+echo.PasswordHistorySize = 3 >>gp.inf
+
+:: 账户锁定策略
+echo.LockoutBadCount = 10 >>gp.inf
+echo.ResetLockoutCount = 15 >>gp.inf
+echo.LockoutDuration = 30 >>gp.inf
+
+:: 开启全部审核策略
+echo [Event Audit] >>gp.inf
+echo AuditSystemEvents=3 >>gp.inf
+echo AuditObjectAccess=3 >>gp.inf
+echo AuditPrivilegeUse=3 >>gp.inf
+echo AuditPolicyChange=3 >>gp.inf
+echo AuditAccountManage=3 >>gp.inf
+echo AuditProcessTracking=3 >>gp.inf
+echo AuditDSAccess=3 >>gp.inf
+echo AuditAccountLogon=3 >>gp.inf
+echo AuditLogonEvents=3 >>gp.inf
+secedit /configure /db gp.sdb /cfg gp.inf /log gp.log /quiet
+del gp.* /q

config/sys_optimize.reg

@@ -10,31 +10,116 @@ Windows Registry Editor Version 5.00
 ; 仅搜索图标
 "SearchboxTaskbarMode"=dword:00000001
 
-; === 1. 设置“更多固定项”布局 (Win11) ===
 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
+; === 设置“更多固定项”布局 (Win11) ===
 "Start_Layout"=dword:00000001
-
+; === 关闭“显示最常用的应用” ===
-; === 2. 关闭“显示最近添加的应用” (通过策略禁用) ===
-[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer]
-"HideRecentlyAddedApps"=dword:00000001
-
-; === 3. 关闭“显示最常用的应用” ===
-[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
 "Start_TrackProgs"=dword:00000000
-
+; === 关闭“在开始菜单中显示推荐的文件/跳转列表” ===
-; === 4. 关闭“在开始菜单中显示推荐的文件/跳转列表” ===
-[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
 "Start_TrackDocs"=dword:00000000
-
+; === 关闭“显示浏览历史记录中的网站” ===
-; === 5. 关闭“显示提示、应用促销等建议” ===
+"Start_RecoPersonalizedSites"=dword:00000000
-[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
+; === 关闭“显示有关提示、快捷方式、新应用等的建议” ===
-"SubscribedContent-338388Enabled"=dword:00000000
+"Start_IrisRecommendations"=dword:00000000
-
+; === 关闭“显示与帐户相关的通知” (Win11 新特性) ===
-; === 6. 关闭“显示与帐户相关的通知” (Win11 新特性) ===
-[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
 "Start_AccountNotifications"=dword:00000000
 
 ; === 微软拼音输入法设置 ===
 [HKEY_CURRENT_USER\Software\Microsoft\InputMethod\Settings\CHS]
 ; 关闭“尝试必应的文本建议” (也就是云候选项/Web文本建议)
 "EnableCloudCandidate"=dword:00000000
+
+
+; 关闭 IPv6
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters]
+"DisabledComponents"=dword:000000ff
+
+; 关闭快速存取和最近使用过的档案
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
+"ShowFrequent"=dword:00000000
+"ShowRecent"=dword:00000000
+
+; 关闭自动播放
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers]
+"DisableAutoplay"=dword:00000001
+
+; UAC级别设置为最高
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
+"ConsentPromptBehaviorAdmin"=dword:00000002
+"EnableLUA"=dword:00000001
+"PromptOnSecureDesktop"=dword:00000001
+
+; 关闭远程协助
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
+"fAllowToGetHelp"=dword:00000000
+"fAllowUnsolicited"=dword:00000000
+"fDenyTSConnections"=dword:00000001
+
+; 关闭 隐私-常规
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo]
+"Enabled"=dword:00000000
+
+[HKEY_CURRENT_USER\Control Panel\International\User Profile]
+"HttpAcceptLanguageOptOut"=dword:00000001
+
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
+"SubscribedContent-338393Enabled"=dword:00000000
+"SubscribedContent-353694Enabled"=dword:00000000
+"SubscribedContent-353696Enabled"=dword:00000000
+
+; 关闭 隐私-语音识别
+[HKEY_CURRENT_USER\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy]
+"HasAccepted"=dword:00000000
+
+; 关闭 隐私-墨迹书写和键入个性化
+[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Personalization\Settings]
+"AcceptedPrivacyPolicy"=dword:00000000
+
+; 关闭 隐私-诊断与意见反馈
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection]
+"AllowTelemetry"=dword:00000001
+[HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC]
+"Enabled"=dword:00000000
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy]
+"TailoredExperiencesWithDiagnosticDataEnabled"=dword:00000000
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\EventTranscriptKey]
+"EnableEventTranscript"=dword:00000000
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection]
+"DisableDeviceDelete"=-
+[HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules]
+"NumberOfSIUFInPeriod"=dword:00000000
+
+; 关闭 隐私-活动历史记录
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
+"PublishUserActivities"=dword:00000000
+"UploadUserActivities"=dword:00000000
+"EnableActivityFeed"=dword:00000000
+
+; 关闭 其他隐私（除麦克风和摄像头）
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy]
+"LetAppsAccessLocation"=dword:00000002
+"LetAppsAccessNotifications"=dword:00000002
+"LetAppsAccessAccountInfo"=dword:00000002
+"LetAppsAccessContacts"=dword:00000002
+"LetAppsAccessCalendar"=dword:00000002
+"LetAppsAccessCallHistory"=dword:00000002
+"LetAppsAccessEmail"=dword:00000002
+"LetAppsAccessTasks"=dword:00000002
+"LetAppsAccessMessaging"=dword:00000002
+"LetAppsAccessRadios"=dword:00000002
+"LetAppsSyncWithDevices"=dword:00000002
+"LetAppsGetDiagnosticInfo"=dword:00000002
+
+; 关闭 隐私-后台应用程序
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications]
+"GlobalUserDisabled"=dword:00000001
+
+; 关闭 隐私-文档/图片/视频/文件系统
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary]
+"Value"="Deny"
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary]
+"Value"="Deny"
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary]
+"Value"="Deny"
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess]
+"Value"="Deny"

main.ps1

@@ -125,5 +125,5 @@ foreach ($app in $apps) {
     }
 }
 
-Write-Host "`n=== Done ===" -ForegroundColor Green
+Write-Host "`n=== Done. Need restart ===" -ForegroundColor Green
 Pause