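# This script will disable most of the Windows security-related features.
# It is mostly intended for use in disposable VMs, such as simulation and CI/CD runners.
# Read the source to see what exactly is done.
# Author: Pavel Kirienko
#
# The changes are written to services and HKLM policy keys, so they persist
# across reboots. The script contains no code to revert them.

# Relaunch elevated if needed
$IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin) {
    Write-Host 'Elevating privileges...'
    # The elevated copy runs in a new process; this instance exits immediately
    # and does not wait for (or report) the child's result.
    Start-Process powershell.exe "-ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
    exit
}

<#
.SYNOPSIS
    Stops a service and sets its startup type to Disabled, then reports the
    state that was actually reached.
.PARAMETER Name
    Service name as accepted by Get-Service. A service that does not exist is
    skipped silently.
.NOTES
    Stop-Service and Set-Service run with -ErrorAction SilentlyContinue, so a
    refused change (for example on a protected service) raises no error here.
    The service is therefore re-read afterwards and a warning is printed if
    the start type is not Disabled, instead of claiming success unconditionally.
#>
function Disable-ServicePermanent {
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return
    }

    if ($svc.Status -ne 'Stopped') {
        Stop-Service $Name -Force -ErrorAction SilentlyContinue
    }
    Set-Service $Name -StartupType Disabled -ErrorAction SilentlyContinue

    # Verify the outcome rather than trusting the silenced calls above.
    $after = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($after -and $after.StartType -eq 'Disabled') {
        Write-Host "Service '$Name' disabled."
    } else {
        Write-Warning "Service '$Name' was not disabled (start type: $($after.StartType), status: $($after.Status))."
    }
}

# Disable Microsoft Defender
Write-Host "`n=== Disabling Microsoft Defender ==="
Disable-ServicePermanent -Name 'WinDefend'
Import-Module Defender -ErrorAction SilentlyContinue
$mpPrefs = @{
    DisableRealtimeMonitoring        = $true
    DisableBehaviorMonitoring        = $true
    DisableBlockAtFirstSeen          = $true
    DisableIOAVProtection            = $true
    DisablePrivacyMode               = $true
    DisableScriptScanning            = $true
    UILockdown                       = $true
    DisableArchiveScanning           = $true
    DisableIntrusionPreventionSystem = $true
    DisableRemovableDriveScanning    = $true
}
try {
    # -ErrorAction Stop turns a non-terminating cmdlet error into one the
    # catch block can see; without it the catch may never run.
    Set-MpPreference @mpPrefs -ErrorAction Stop
} catch {
    Write-Host 'Set-MpPreference failed (likely due to tamper protection), continuing...'
    Write-Warning "Set-MpPreference error: $_"
}

# Persist via Group-Policy registry key
# NOTE(review): Microsoft documents DisableAntiSpyware as ignored by current
# Defender platform releases on client editions. Confirm the effective state
# with Get-MpComputerStatus rather than assuming this value took effect.
$defKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (-not (Test-Path $defKey)) { New-Item $defKey -Force | Out-Null }
Set-ItemProperty -Path $defKey -Name DisableAntiSpyware -Type DWord -Value 1

# Disable Windows Update
Write-Host "`n=== Disabling Windows Update services ==="
$updateServices = @(
    'wuauserv',     # Windows Update
    'UsoSvc',       # Update Orchestrator
    'WaaSMedicSvc', # Update Medic
    'BITS'          # Background Intelligent Transfer (optional, but keeps WU silent)
)
foreach ($updateService in $updateServices) {
    Disable-ServicePermanent -Name $updateService
}

# Block Automatic Updates via policy registry
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $wuKey)) { New-Item $wuKey -Force | Out-Null }
Set-ItemProperty -Path $wuKey -Name NoAutoUpdate -Type DWord -Value 1
Set-ItemProperty -Path $wuKey -Name AUOptions -Type DWord -Value 2 # Notify-before-download (redundant when service disabled)

# Disable Windows Defender Firewall
Write-Host "`n=== Disabling Windows Firewall ==="
try {
    # Domain, Private, Public. -ErrorAction Stop makes a failure reach the
    # catch block instead of falling through to the success message.
    Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled False -ErrorAction Stop
    Write-Host 'Firewall profiles disabled.'
} catch {
    Write-Warning "Set-NetFirewallProfile failed: $_"
}
Disable-ServicePermanent -Name 'MpsSvc'

# Persist via policy registry so GP/Defender UI can't turn it back on
$fwKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
if (-not (Test-Path $fwKey)) { New-Item $fwKey -Force | Out-Null }
# The loop variable is deliberately not named $profile: that name is the
# built-in PowerShell profile-path variable and would be overwritten.
foreach ($fwProfile in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
    $k = Join-Path $fwKey $fwProfile
    if (-not (Test-Path $k)) { New-Item $k -Force | Out-Null }
    Set-ItemProperty -Path $k -Name EnableFirewall -Type DWord -Value 0
}
Write-Host 'Firewall disabled in policy registry.'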
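# === Disable SmartScreen globally ===
Write-Host "`n=== Disabling SmartScreen ==="
$sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
if (-not (Test-Path $sysKey)) { New-Item $sysKey -Force | Out-Null }
Set-ItemProperty -Path $sysKey -Name EnableSmartScreen -Type DWord -Value 0
Set-ItemProperty -Path $sysKey -Name ShellSmartScreenLevel -Type String -Value 'Off'

# Attachment Manager policy values (antivirus notification and zone information
# for downloaded files).
# NOTE(review): Microsoft's Attachment Manager documentation lists
# ScanWithAntiVirus as 1 = Off, 2 = Optional, 3 = On, and SaveZoneInformation
# as 1 = On (zone information not preserved), 2 = Off (preserved). By that
# table the value 2 written below is not "disabled" - confirm which behaviour
# is actually intended before relying on it.
$attKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments'
if (-not (Test-Path $attKey)) { New-Item $attKey -Force | Out-Null }
Set-ItemProperty -Path $attKey -Name ScanWithAntiVirus -Type DWord -Value 2
Set-ItemProperty -Path $attKey -Name SaveZoneInformation -Type DWord -Value 2
Write-Host 'SmartScreen disabled.'

# === Enable Developer Mode (this enables symlinks) ===
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /v AllowDevelopmentWithoutDevLicense /d 1 /f
# reg.exe is a native command: a failure sets $LASTEXITCODE and throws nothing,
# so check it before reporting success.
if ($LASTEXITCODE -eq 0) {
    Write-Host 'Developer Mode enabled.'
} else {
    Write-Warning "reg add exited with code $LASTEXITCODE; Developer Mode was not enabled."
}

# === Disable UAC ===
Write-Host "`n=== Disabling User Account Control (UAC) ==="
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if (-not (Test-Path $uacKey)) { New-Item $uacKey -Force | Out-Null }
Set-ItemProperty -Path $uacKey -Name EnableLUA -Type DWord -Value 0

# Remove every kind of prompt even if UAC is later re-enabled
# NOTE(review): for ConsentPromptBehaviorUser, 0 is documented as
# "automatically deny elevation requests" for standard users. No prompt is
# shown, but the elevation is refused rather than granted.
Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Type DWord -Value 0
Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser -Type DWord -Value 0
Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop -Type DWord -Value 0
Write-Host 'UAC disabled.'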
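# === Enable insecure guest logons (e.g., to access public network shares) ===
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$regName = 'AllowInsecureGuestAuth'

# Print the value as it is before the change, if the key exists.
if (Test-Path $regPath) {
    Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue |
        Select-Object $regName
}

Write-Host "`nEnabling insecure guest logons...`n"

# 1) Enable at SMB client level (preferred interface)
Set-SmbClientConfiguration -EnableInsecureGuestLogons $true -Force

# 2) Ensure matching registry value exists
if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
New-ItemProperty -Path $regPath -Name $regName -Value 1 -PropertyType DWord -Force | Out-Null

Write-Host "Resulting state:"
Get-SmbClientConfiguration | Select-Object EnableInsecureGuestLogons
Get-ItemProperty -Path $regPath -Name $regName | Select-Object $regName
Write-Host "Insecure logons enabled"

# === Allow anonymous share access ===
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$backupPath = "$env:SystemDrive\lsa-anon-backup.xml"
$props = 'RestrictAnonymous', 'RestrictAnonymousSAM', 'EveryoneIncludesAnonymous'

# Record the previous values so the change can be reviewed or reverted later.
# The original declared $backupPath and $props but never used them. An existing
# backup is kept, so that a second run does not overwrite the true original
# values with the already-relaxed ones.
if (-not (Test-Path $backupPath)) {
    Get-ItemProperty -Path $lsaPath | Select-Object $props | Export-Clixml -Path $backupPath
    Write-Host "Previous LSA values saved to $backupPath"
}

Write-Host "Enabling anonymous share enumeration (Relaxing RestrictAnonymous) ..."

net user Guest /active:yes
# net.exe is a native command: failure (for example, an account with a
# different name) is reported only through $LASTEXITCODE.
if ($LASTEXITCODE -ne 0) {
    Write-Warning "net user exited with code $LASTEXITCODE; the Guest account state was not changed."
}

# Each value is written once; the original set RestrictAnonymous twice and
# re-assigned $lsaPath to the same string.
New-ItemProperty -Path $lsaPath -Name 'EveryoneIncludesAnonymous' -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $lsaPath -Name 'RestrictAnonymous' -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $lsaPath -Name 'RestrictAnonymousSAM' -PropertyType DWord -Value 0 -Force | Out-Null

# NOTE(review): EnableInsecureGuestLogons is documented for
# Set-SmbClientConfiguration. Confirm that Set-SmbServerConfiguration accepts
# it on the target build - if not, this statement fails with a
# parameter-binding error and the script carries on.
Set-SmbServerConfiguration -EnableInsecureGuestLogons $true -Force

Restart-Service LanmanServer -Force
Write-Host "Enabled anonymous share access."

# NOTE(review): printed unconditionally; check any warnings or errors above.
Write-Host "`nSuccess! :3 Please restart the machine for the changes to take effect."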