CONFIGURATION AUDIT OF MICROSOFT WINDOWS

Computer: W10W (Standalone)
Operating system: Windows 10 Pro (64bit)
Audit date: 2015-09-21 15:15
Checklist: Audit Square - std. security/2015c

54%

| Area | Check | Result *) |
|---|---|---|
| Basic tests | BASE-01 OS version and updates | Warning |
| Basic tests | BASE-02 Installed software | Ok |
| Basic tests | BASE-03 Environment variables | Ok |
| Basic tests | BASE-04 Other operating system settings | Ok |
| System services | SVCS-01 Basic configuration of system services | Fail |
| System services | SVCS-02 Drivers | Warning |
| System services | SVCS-03 Services and drivers access permissions | Ok |
| System services | SVCS-04 Service accounts | Ok |
| System services | SVCS-05 Other programs that run automatically | Ok |
| Security policy | SECP-01 Passwords and account locking policy | Fail |
| Security policy | SECP-02 Security settings | Fail |
| Security policy | SECP-03 Audit settings | Fail |
| Security policy | SECP-04 Parameters of log files | Warning |
| Security policy | SECP-05 Other security settings | Fail |
| Security policy | SECP-06 Privacy | Warning |
| User accounts | USER-01 System-wide privileges | Fail |
| User accounts | USER-02 Problematic active accounts | Fail |
| User accounts | USER-03 Local groups membership | Fail |
| User accounts | USER-04 Logon cache | Ok |
| Access control | ACLS-01 File system of local drives | Ok |
| Access control | ACLS-02 File access permissions | Ok |
| Network settings | NETW-01 Global settings | Fail |
| Network settings | NETW-02 Problematic open TCP/UDP ports | Warning |
| Network settings | NETW-03 System server components configuration | Ok |
| Network settings | NETW-04 Shared resources | Ok |

*) You can get to detailed findings by clicking on the check result.
W10W / Windows 10 Pro / 2015-09-21 15:15
1 COMPUTER W10W
[INFO-xx] Assessment info
[BASE-xx] Basic tests
[SVCS-xx] System services
[SECP-xx] Security policy
[USER-xx] User accounts
[ACLS-xx] Access control
[NETW-xx] Network settings

1.1 [INFO-xx] Assessment info

1.1.1 [INFO-01] Server/workstation

A brief description of the examined computer is shown in the table:

Computer name: W10W
Domain/workgroup membership: Workgroup (WORKGROUP)
Operating system version: 10.0 (Windows 10 Pro)
CPU architecture, thread count: x86-64 x 1 (Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz)
Installed physical memory size: 2.00 GB
HW classification: virtual (vmware)
OS root directory: C:\Windows
OS install date: 2015-07-30 11:33
Boot time: 2015-09-18 14:45

1.1.2 [INFO-02] Data collection

Data collection parameters are listed in the table below:

Collection date: 2015-09-21 15:15
Account used: W10W\John Doe
Client version: 2.7.0
Data processor version: 1.1.3.1

1.2 [BASE-xx] Basic tests

1.2.1 [BASE-01] OS version and updates
The check verifies the operating system version, installed service packs and hotfixes, and the settings of the automatic updates service. If the version of the operating system is different from the given value, if the number of the installed service pack is less than the specified value, if more than a specified time has passed since the last hotfix installation, or if the configuration of automatic updates does not comply with the requirements, the overall result of the check is FAIL. Optional parameters allow fine-tuning of the check's behavior.

Check result: OK WITH WARNING.

Problematic values are given in the table below:

| Category | Parameter name | Value | Recommendation |
|---|---|---|---|
| Version | OS Version | WINDOWS 10 (10.0) | |
| | Service Pack | SP0 | |
| Hotfixes and patches | Last hotfix installation date | 2015-08-30 | |
| Automatic Updates | Service status | Running/Manual (Trigger Start) | |
| | Updates configuration | Locally enabled (default setting) | |
| | Server redirection | -- | (local WSUS via encrypted connection) |
| | Status server redirection | -- | (local WSUS via encrypted connection) |
| | Delivery optimization | 1 = subnet peering (locally) | disable |

1.2.2 [BASE-02] Installed software
The installed software packages are checked against the set of rules. If any installed software does not comply with requirements, the overall result of the check is FAIL. Details of instances found are given in the results table. Note: only the software installed by standard means and recorded in the system installation database is reported.

Check result: OK.

Problematic software packages must either be uninstalled or updated to the safe version, as indicated in the column with the recommendation.

| Software | Producer | Version | Finding | Recommendation |
|---|---|---|---|---|
| Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 | Microsoft Corporation | 9.0.30729.6161 | ok | |
| Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 | Microsoft Corporation | 9.0.30729.4148 | ok | |
| VMware Tools | VMware, Inc. | 9.9.2.2496486 | ok | |

1.2.3 [BASE-03] Environment variables
The check verifies the correctness of several important system environment variables, namely COMSPEC, PATHEXT and PATH. COMSPEC must refer to the standard command interpreter (cmd.exe). PATHEXT must not contain non-default values for the given operating system. The most comprehensive test is that of the PATH variable, which, for a successful outcome, must not contain a directory writable by unprivileged users (exceptions can be specified using the check parameters if necessary).

Check result: OK.

These settings must be fixed manually, directly on the server/workstation (Control Panel - System - Advanced System Settings - Environment Variables). However, in the case of problematic entries in the PATH, the preferred solution is to fix the directory permissions (removing the write permissions for unprivileged users and groups). Related link: Setting the PATH

| Parameter | Value | Recommendation |
|---|---|---|
| PATHEXT | .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC | |
| ComSpec | C:\Windows\system32\cmd.exe | |
| PATH | C:\Windows\system32; C:\Windows; C:\Windows\system32\Wbem; C:\Windows\system32\WindowsPowerShell\v1.0 | |

1.2.4 [BASE-04] Other operating system settings
The check verifies the settings of several operating system parameters not included in other chapters. Audited settings include the OS loader configuration, the OS response to fatal errors (crashes), time synchronization and automatic login. Individual tests can optionally be turned off by the corresponding check arguments. The behavior of individual tests can sometimes be further refined by check arguments as well.

Check result: OK.

The settings tested in this check must usually be adjusted manually, directly on the computer, without the help of Group Policy. Details are beyond the scope of this report; please refer to the operating system manufacturer's documentation. Here is only a quick hint on some topics:
• OS loader - Control Panel - System - Advanced System Settings - Startup and Recovery, or command line tools (bootcfg, bcdedit) (related link: DEP configuration);
• Crash control - Control Panel - System - Advanced System Settings - Startup and Recovery (related link: Crash control);
• Automatic logon - utility netplwiz (Windows Vista and higher), or direct modification of the registry, the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (related link: Disabling autologon).

| Component | Parameter name | Value | Recommendation |
|---|---|---|---|
| OS clock | Time synchronization | Ok | |
| Winlogon | Automatic logon | Disabled | |

1.3 [SVCS-xx] System services

1.3.1 [SVCS-01] Basic configuration of system services
The check evaluates the configuration of system services according to the specified set of rules. The following service attributes are verified: the current state of the service, its start mode, the path to the binary image, the image maker and the image signer. With a set of custom rules, blacklist-type checking can be performed (a ban on the operation of certain services), as well as whitelist checking (allowing only the listed services) or requestlist checking (requiring the mandatory operation of certain services).

Check result: FAIL.

Security issues detected in this chapter may be fixed in different ways depending on the problem found: by removing or disabling the problematic services, by adding them to the set of rules (whitelist), or by changing the services' starting parameters. The latter can be performed locally (e.g. by using the Services MMC snap-in), but the use of Group Policy is recommended for efficiency reasons. The GPO path to the settings is Computer Configuration(/Policies)/Windows Settings/Security Settings/System Services. However, caution is required when preparing the GPO; it should set only the service starting mode, but not the service access permissions.

The table lists the system services whose configuration or current state does not match the requirements:

Service AJRouter (Služba směrovače AllJoyn)
Status Stopped/Manual (Trigger Start)
Exe Company (svchost) Microsoft Corporation C:\Windows\system32 \AJRouter.dll
Signer Microsoft Windows
ALG (Brána aplikační vrstvy) AppIDSvc (Identita aplikace)
Stopped/Manual
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Appinfo (Informace o aplikaci)
Running/Manual (Trigger Start)
Microsoft Corporation
Microsoft Windows
AppMgmt (Správa aplikací)
Stopped/Manual
C:\Windows\system32 \alg.exe (svchost) C:\Windows\system32 \appidsvc.dll (svchost) C:\Windows\system32 \appinfo.dll (svchost) C:\Windows\system32 \appmgmts.dll (svchost) C:\Windows\system32 \AppReadiness.dll (svchost) C:\Windows\system32 \appxdeploymentserve r.dll (svchost) C:\Windows\system32 \audioendpointbuilder. dll
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Stopped/Manual (Trigger Start)
AppReadiness Stopped/Manual (Připravenost aplikací) AppXSvc (AppX Deployment Service (AppXSVC))
Stopped/Manual
AudioEndpointBuilder (Koncové vytváření služby Windows Audio)
Running/Auto
Recommendation
adjust the starting of the service (disabled)
Service Audiosrv (Zvuk systému Windows)
Status Running/Auto
AxInstSV (Instalační program ovládacích prvků ActiveX (AxInstSV)) BDESVC (Služba BitLocker Drive Encryption) BFE (Služba BFE (Base Filtering Engine)) BITS (Služba inteligentního přenosu na pozadí) BrokerInfrastructure (Služba infrastruktury úloh na pozadí) Browser (Prohledávání počítačů)
Stopped/Manual
Exe Company (svchost) Microsoft Corporation C:\Windows\system32 \audiosrv.dll (svchost) Microsoft Corporation C:\Windows\system32 \AxInstSv.dll Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
CDPSvc (Služba CDPS)
Stopped/Manual
Microsoft Corporation
Microsoft Windows
CertPropSvc (Šíření certifikátů)
Stopped/Manual
Microsoft Corporation
Microsoft Windows
ClipSVC (Služba pro klientské licence (ClipSVC)) COMSysApp (Systémová aplikace modelu COM+) CoreMessagingRegistr ar (CoreMessaging)
Stopped/Manual (Trigger Start)
(svchost) C:\Windows\system32 \cdpsvc.dll (svchost) C:\Windows\system32 \certprop.dll (svchost) C:\Windows\system32 \ClipSVC.dll C:\Windows\system32 \dllhost.exe
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
CryptSvc (Šifrování)
Running/Auto
Microsoft Corporation
Microsoft Windows
CscService (Offline soubory)
Stopped/Manual (Trigger Start)
Microsoft Corporation
Microsoft Windows
DcomLaunch (Spouštěč procesů serveru DCOM) DcpSvc (DataCollectionPublish ingService) defragsvc (Optimalizace jednotek) DeviceAssociationServ ice (Služba přidružování zařízení) DeviceInstall (Služba instalace zařízení)
Running/Auto
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
DevQueryBroker
Stopped/Manual
(svchost) C:\Windows\system32 \CoreMessaging.dll (svchost) C:\Windows\system32 \cryptsvc.dll (svchost) C:\Windows\system32 \cscsvc.dll (svchost) C:\Windows\system32 \rpcss.dll (svchost) C:\Windows\system32 \dcpsvc.dll (svchost) C:\Windows\system32 \defragsvc.dll (svchost) C:\Windows\system32 \das.dll (svchost) C:\Windows\system32 \umpnpmgr.dll (svchost)
Microsoft Corporation
Microsoft Windows
bthserv (Služba pro podporu technologie Bluetooth)
Running/Manual
Running/Auto
Stopped/Manual (Trigger Start) Stopped/Manual
Running/Manual (Trigger Start) Stopped/Manual (Trigger Start)
Recommendation
Microsoft Windows
(svchost) C:\Windows\system32 \bdesvc.dll Running/Auto (svchost) C:\Windows\system32 \BFE.DLL Running/Auto (svchost) (Delayed) C:\Windows\system32 \qmgr.dll Running/Auto (svchost) C:\Windows\system32 \bisrv.dll Stopped/Manual (svchost) (Trigger Start, Trigger C:\Windows\system32 Stop) \browser.dll Stopped/Manual (svchost) (Trigger Start) C:\Windows\system32 \BthHFSrv.dll Stopped/Manual (svchost) (Trigger Start) C:\Windows\system32 \bthserv.dll
BthHFSrv (Služba Bluetooth Handsfree)
Stopped/Manual (Trigger Start)
Signer Microsoft Windows
adjust the starting of the service (disabled)
Service Status (DevQuery Backgroud (Trigger Start) Discovery Broker) Dhcp (Klient DHCP) Running/Auto
diagnosticshub.standar Stopped/Manual dcollector.service (Standardní služba sběru dat pro Centrum diagnostiky Microsoft (R)) DiagTrack (Služba Running/Auto diagnostického trasování)
Exe Company C:\Windows\system32 \DevQueryBroker.dll (svchost) Microsoft Corporation C:\Windows\system32 \dhcpcore.dll C:\Windows\system32 Microsoft Corporation \DiagSvcs\Diagnostics Hub.StandardCollector .Service.exe
Signer
(svchost) Microsoft Corporation C:\Windows\system32 \diagtrack.dll
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \Windows.Internal.Ma nagement.dll (svchost) Microsoft Corporation C:\Windows\system32 \dmwappushsvc.dll
Microsoft Windows
DmEnrollmentSvc (Služba zápisu při správě zařízení)
Stopped/Manual
dmwappushservice (dmwappushsvc)
Stopped/Auto (Delayed, Trigger Start)
Dnscache (Klient DNS)
Running/Auto (Trigger (svchost) Start) C:\Windows\system32 \dnsrslvr.dll Running/Auto (svchost) (Delayed) C:\Windows\system32 \dosvc.dll Stopped/Manual (svchost) C:\Windows\system32 \dot3svc.dll Running/Auto (svchost) C:\Windows\system32 \dps.dll Stopped/Manual (svchost) (Trigger Start) C:\Windows\system32 \DeviceSetupManager .dll Running/Manual (svchost) (Trigger Start) C:\Windows\system32 \dssvc.dll Stopped/Manual (svchost) C:\Windows\system32 \eapsvc.dll
DoSvc (Optimalizace doručení) dot3svc (Wired AutoConfig Service) DPS (Služba DPS (Diagnostic Policy Service)) DsmSvc (Správce nastavení zařízení)
DsSvc (Služba sdílení dat) Eaphost (Protokol EAP (Extensible Authentication Protocol)) EFS (Systém souborů EFS (Encrypting File System)) embeddedmode (embeddedmode) EntAppSvc (Enterprise App Management Service)
fdPHost (Hostitel poskytovatele
Microsoft Windows
Microsoft Windows
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Stopped/Manual (Trigger Start)
C:\Windows\system32 Microsoft Corporation \lsass.exe
Microsoft Windows
Stopped/Manual (Trigger Start)
(svchost) C:\Windows\system32 \embeddedmodesvc.dll (svchost) C:\Windows\system32 \EnterpriseAppMgmtS vc.dll (svchost) C:\Windows\system32 \wevtsvc.dll (svchost) C:\Windows\system32 \es.dll C:\Windows\system32 \FXSSVC.exe
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Running/Manual
(svchost) Microsoft Corporation C:\Windows\system32
adjust the starting of the service (disabled)
Microsoft Corporation
Stopped/Manual
adjust the starting of the service (disabled)
Microsoft Windows
EventLog (Protokol Running/Auto událostí systému Windows) EventSystem (Systém Running/Auto událostí COM+) Fax (Fax)
Microsoft Windows
Microsoft Corporation
Stopped/Manual
Recommendation
adjust the starting of the service (disabled)
Microsoft Windows
Service rozpoznávání funkce) FDResPub (Publikování prostředků rozpoznávání funkcí) fhsvc (Služba Historie souborů)
Status
FontCache (Mezipaměť písem Windows) gpsvc (Klient zásad skupiny)
Running/Auto
hidserv (Služba Zařízení standardu HID) HomeGroupListener (Naslouchací proces domácí skupiny)
Running/Manual
Stopped/Manual (Trigger Start)
Exe Company \fdPHost.dll (svchost) Microsoft Corporation C:\Windows\system32 \FDResPub.dll
Signer
Recommendation
Microsoft Windows
adjust the starting
(svchost) Microsoft Corporation C:\Windows\system32 \fhsvc.dll
Microsoft Windows
(svchost) C:\Windows\system32 \FntCache.dll Running/Auto (Trigger (svchost) Start) C:\Windows\system32 \gpsvc.dll Stopped/Manual (svchost) (Trigger Start) C:\Windows\system32 \hidserv.dll Stopped/Manual (svchost) C:\Windows\system32 \ListSvc.dll
of the service (disabled)
of the service (disabled)
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Running/Manual (Trigger Start)
(svchost) Microsoft Corporation C:\Windows\system32 \provsvc.dll
Microsoft Windows
icssvc (Služba mobilní hotspot systému Windows) IEEtwCollectorService (Služba sběru událostí funkce ETW pro aplikaci Internet Explorer) IKEEXT (Služba IKE and AuthIP IPsec Keying Modules) iphlpsvc (Pomocná služba protokolu IP)
Stopped/Manual (Trigger Start)
(svchost) Microsoft Corporation C:\Windows\system32 \tetheringservice.dll C:\Windows\system32 Microsoft Corporation \IEEtwCollector.exe
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
KeyIso (Izolace klíče CNG) KtmRm (Služba KTMRM pro koordinátor DTC) LanmanServer (Server)
Running/Manual (Trigger Start) Stopped/Manual (Trigger Start)
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
LanmanWorkstation (Pracovní stanice)
Running/Auto
(svchost) C:\Windows\system32 \IKEEXT.DLL (svchost) C:\Windows\system32 \iphlpsvc.dll C:\Windows\system32 \lsass.exe (svchost) C:\Windows\system32 \msdtckrm.dll (svchost) C:\Windows\system32 \srvsvc.dll (svchost) C:\Windows\system32 \wkssvc.dll (svchost) C:\Windows\system32 \lfsvc.dll
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
(svchost) C:\Windows\system32 \licensemanagersvc.dll Stopped/Manual (svchost) C:\Windows\system32 \lltdsvc.dll Running/Manual (svchost) (Trigger Start, Trigger C:\Windows\system32 Stop) \lmhsvc.dll Running/Auto (svchost) C:\Windows\system32 \lsm.dll Stopped/Auto (svchost)
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Stopped/Manual (Trigger Start) Running/Auto
Running/Auto
lfsvc (Služba sledování Running/Manual zeměpisné polohy) (Trigger Start) LicenseManager (Služba správce licencí Windows) lltdsvc (Mapovač zjišťování topologie linkové vrstvy) lmhosts (Podpora rozhraní NetBIOS nad protokolem TCP/IP) LSM (Místní správce relací) MapsBroker (Správce
Running/Manual (Trigger Start)
adjust the starting of the service (disabled)
HomeGroupProvider (Zprostředkovatel domácích skupin)
Stopped/Manual
adjust the starting
adjust the starting of the service (disabled)
Microsoft Windows
adjust the starting of the service (disabled)
Service stažených map)
Status (Delayed)
MpsSvc (Brána Windows Firewall)
Running/Auto
MSDTC (Služba DTC (Distributed Transaction Coordinator)) MSiSCSI (Služba iniciátoru iSCSI společnosti Microsoft) msiserver (Instalační služba systému Windows) NcaSvc (Pomocník pro připojení k síti)
Running/Manual
NcbService (Zprostředkovatel síťového připojení) NcdAutoSetup (Automatické nastavení zařízení připojených k síti) Netlogon (Služba Netlogon) Netman (Síťová připojení)
Stopped/Manual
Stopped/Manual
Stopped/Manual (Trigger Start, Trigger Stop) Running/Manual (Trigger Start) Running/Manual (Trigger Start)
Stopped/Manual Stopped/Manual
netprofm (Služba seznamu sítí)
Running/Manual
NetSetupSvc (Služba nastavení sítě)
Stopped/Manual (Trigger Start)
NetTcpPortSharing (Služba sdílení portů Net.Tcp)
Stopped/Disabled
NgcCtnrSvc (Microsoft Stopped/Manual Passport Container) (Trigger Start) NgcSvc (Microsoft Passport) NlaSvc (Sledování umístění v síti (NLA))
Stopped/Manual (Trigger Start) Running/Auto
nsi (Služba rozhraní síťového úložiště)
Running/Auto
p2pimsvc (Správce identit sítě rovnocenných počítačů) p2psvc (Seskupování v sítích peer-to-peer)
Stopped/Manual
Stopped/Manual
PcaSvc (Program Running/Auto Compatibility Assistant Service) PeerDistSvc Stopped/Manual (BranchCache) PerfHost
Stopped/Manual
Exe Company C:\Windows\system32 \moshost.dll (svchost) Microsoft Corporation C:\Windows\system32 \MPSSVC.dll C:\Windows\system32 Microsoft Corporation \msdtc.exe
Signer
(svchost) Microsoft Corporation C:\Windows\system32 \iscsiexe.dll C:\Windows\system32 Microsoft Corporation \msiexec.exe
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \NcaSvc.dll (svchost) Microsoft Corporation C:\Windows\system32 \ncbservice.dll (svchost) Microsoft Corporation C:\Windows\system32 \ncdautosetup.dll
Microsoft Windows
C:\Windows\system32 \lsass.exe (svchost) C:\Windows\system32 \netman.dll (svchost) C:\Windows\system32 \netprofmsvc.dll (svchost) C:\Windows\system32 \NetSetupSvc.dll C:\Windows\Microsoft. NET\Framework64\v4 .0.30319\SMSvcHost. exe (svchost) C:\Windows\system32 \NgcCtnrSvc.dll C:\Windows\system32 \lsass.exe (svchost) C:\Windows\system32 \nlasvc.dll (svchost) C:\Windows\system32 \nsisvc.dll (svchost) C:\Windows\system32 \pnrpsvc.dll
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Windows
Microsoft Windows
Microsoft Windows
Microsoft Windows
Microsoft Windows
adjust the starting of the service (disabled)
adjust the starting of the service (disabled)
(svchost) Microsoft Corporation C:\Windows\system32 \p2psvc.dll
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \pcasvc.dll (svchost) Microsoft Corporation C:\Windows\system32 \peerdistsvc.dll C:\Windows\SysWOW Microsoft Corporation
Microsoft Windows
Recommendation
adjust the starting of the service (disabled)
Microsoft Windows
Microsoft Windows
Service Status (Performance Counter DLL Host) pla (Výstrahy a Stopped/Manual protokolování výkonu) PlugPlay (Plug and Play)
Running/Manual
PNRPAutoReg (Služba Stopped/Manual publikování názvu počítače pomocí protokolu PNRP) PNRPsvc (Protokol Stopped/Manual PNRP (Peer Name Resolution Protocol)) PolicyAgent (Agent Stopped/Manual zásad protokolu IPsec) (Trigger Start) Power (Napájení)
Running/Auto
PrintNotify (Rozšíření a oznámení tiskárny)
Stopped/Manual
ProfSvc (Služba Profil uživatele)
Running/Auto
QWAVE (Sada qWave Stopped/Manual (Quality Windows Audio Video Experience)) RasAuto (Správce Stopped/Manual automatického připojení pomocí vzdáleného přístupu) RasMan (Správce Stopped/Manual vzdáleného přístupu) RemoteAccess (Směrování a vzdálený přístup) RemoteRegistry (Vzdálený registr)
Stopped/Disabled
RetailDemo (Služba ukázkového režimu pro prodejny)
Stopped/Manual
RpcEptMapper (Mapovač koncových bodů protokolu RPC) RpcLocator (Lokátor vzdáleného volání procedur (RPC)) RpcSs (Vzdálené volání procedur (RPC)) SamSs (Správce zabezpečení účtů) SCardSvr (Čipová karta)
Running/Auto
ScDeviceEnum (Služba výčtu zařízení čipové karty)
Stopped/Manual (Trigger Start)
Stopped/Disabled
Stopped/Manual
Running/Auto
Running/Auto Stopped/Disabled
Exe 64\perfhost.exe
Company
Signer
(svchost) Microsoft Corporation C:\Windows\system32 \pla.dll (svchost) Microsoft Corporation C:\Windows\system32 \umpnpmgr.dll (svchost) Microsoft Corporation C:\Windows\system32 \pnrpauto.dll
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \pnrpsvc.dll
Microsoft Windows
(svchost) C:\Windows\system32 \IPSECSVC.DLL (svchost) C:\Windows\system32 \umpo.dll (svchost) C:\Windows\system32 \spool\drivers\x64\3\ PrintConfig.dll (svchost) C:\Windows\system32 \profsvc.dll (svchost) C:\Windows\system32 \qwave.dll
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Windows
Microsoft Windows
adjust the starting of the service (disabled)
adjust the starting of the service (disabled)
adjust the starting of the service (disabled)
(svchost) Microsoft Corporation C:\Windows\system32 \rasauto.dll
Microsoft Windows
(svchost) C:\Windows\system32 \rasmans.dll (svchost) C:\Windows\system32 \mprdim.dll (svchost) C:\Windows\system32 \regsvc.dll (svchost) C:\Windows\system32 \RDXService.dll
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
adjust the starting of the service (disabled)
adjust the starting of the service (disabled)
(svchost) Microsoft Corporation C:\Windows\system32 \RpcEpMap.dll C:\Windows\system32 Microsoft Corporation \Locator.exe
Microsoft Windows
(svchost) C:\Windows\system32 \rpcss.dll C:\Windows\system32 \lsass.exe (svchost) C:\Windows\system32 \SCardSvr.dll (svchost) C:\Windows\system32 \scdeviceenum.dll
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Recommendation
Microsoft Windows
Service Schedule (Plánovač úloh)
Status Running/Auto
SCPolicySvc (Zásady Stopped/Manual odebrání čipové karty) SDRSVC (Windows Zálohování)
Stopped/Manual
seclogon (Sekundární přihlašování)
Stopped/Manual
SENS (Služba oznamování událostí systému) SensorDataService (Služba dat ze senzorů) SensorService (Senzorová služba)
Running/Auto
SensrSvc (Služba monitorující senzory)
Running/Manual (Trigger Start)
Stopped/Manual (Trigger Start) Running/Manual (Trigger Start)
SessionEnv Stopped/Manual (Konfigurace vzdálené plochy) SharedAccess (Sdílení Stopped/Manual připojení k internetu (ICS)) ShellHWDetection Running/Auto (Rozpoznávání hardwaru) smphost (Prostory úložiště SMP společnosti Microsoft) SmsRouter (Služba směrovače SMS systému Microsoft Windows) SNMPTRAP (Zachytávání pro službu SNMP) Spooler (Služba zařazování tisku) sppsvc (Ochrana softwaru) SSDPSRV (SSDP Discovery)
Stopped/Manual
Exe (svchost) C:\Windows\system32 \schedsvc.dll (svchost) C:\Windows\system32 \certprop.dll (svchost) C:\Windows\system32 \sdrsvc.dll (svchost) C:\Windows\system32 \seclogon.dll (svchost) C:\Windows\system32 \Sens.dll C:\Windows\system32 \SensorDataService.e xe (svchost) C:\Windows\system32 \sensorservice.dll (svchost) C:\Windows\system32 \sensrsvc.dll (svchost) C:\Windows\system32 \SessEnv.dll (svchost) C:\Windows\system32 \ipnathlp.dll (svchost) C:\Windows\system32 \shsvcs.dll
Company Microsoft Corporation
Signer Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \snmptrap.exe
Microsoft Windows
Running/Auto
C:\Windows\system32 Microsoft Corporation \spoolsv.exe C:\Windows\system32 Microsoft Corporation \sppsvc.exe
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \ssdpsrv.dll
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \sstpsvc.dll (svchost) Microsoft Corporation C:\Windows\system32 \Windows.StateReposi tory.dll (svchost) Microsoft Corporation C:\Windows\system32 \wiaservc.dll
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \StorSvc.dll
Microsoft Windows
Stopped/Auto (Delayed, Trigger Start) Running/Manual
SstpSvc (Služba SSTP Stopped/Manual (Secure Socket Tunneling Protocol)) StateRepository Running/Manual (Služba State Repository) stisvc (Načítání obrázků (WIA))
Stopped/Manual
StorSvc (Služba úložiště)
Stopped/Manual (Trigger Start)
adjust the starting of the service (disabled)
(svchost) Microsoft Corporation C:\Windows\system32 \smphost.dll (svchost) Microsoft Corporation C:\Windows\system32 \SmsRouterSvc.dll
Stopped/Manual (Trigger Start)
Recommendation
Microsoft Windows
adjust the starting of the service (disabled)
Microsoft Windows
adjust the starting of the service (disabled)
Microsoft Windows
Microsoft Windows
adjust the starting of the service (disabled)
Service svsvc (Ověřování přechodných chyb)
Status Stopped/Manual (Trigger Start)
Exe Company (svchost) Microsoft Corporation C:\Windows\system32 \svsvc.dll (svchost) Microsoft Corporation C:\Windows\system32 \swprv.dll
Signer Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \sysmain.dll SystemEventsBroker Running/Auto (Trigger (svchost) Microsoft Corporation (Zprostředkovatel Start) C:\Windows\system32 systémových událostí) \systemeventsbrokers erver.dll TabletInputService Stopped/Manual (svchost) Microsoft Corporation (Služba Panelu (Trigger Start) C:\Windows\system32 dotykové klávesnice a \TabSvc.dll rukopisu) TapiSrv (Telefonie) Stopped/Manual (svchost) Microsoft Corporation C:\Windows\system32 \tapisrv.dll TermService Stopped/Manual (svchost) Microsoft Corporation (Vzdálená plocha) C:\Windows\system32 \termsrv.dll Themes (Motivy) Running/Auto (svchost) Microsoft Corporation C:\Windows\system32 \themeservice.dll tiledatamodelsvc Running/Auto (svchost) Microsoft Corporation (Server datového C:\Windows\system32 modelu dlaždic) \tileobjserver.dll TimeBroker Running/Manual (svchost) Microsoft Corporation (Zprostředkovatel (Trigger Start) C:\Windows\system32 času) \timebrokerserver.dll TPAutoConnSvc (TP Running/Manual C:\Program Cortado AG AutoConnect Service) Files\VMware\VMware Tools\TPAutoConnSvc .exe TPVCGateway (TP VC Stopped/Manual C:\Program Cortado AG Gateway Service) Files\VMware\VMware Tools\TPVCGateway.e xe TrkWks (Klient služby Running/Auto (svchost) Microsoft Corporation Sledování C:\Windows\system32 distribuovaných \trkwks.dll odkazů) TrustedInstaller Stopped/Auto C:\Windows\servicing\ Microsoft Corporation (Instalační služba TrustedInstaller.exe modulů systému Windows) UI0Detect (Zjišťování Stopped/Manual C:\Windows\system32 Microsoft Corporation interaktivních služeb) \UI0Detect.exe UmRdpService Stopped/Manual (svchost) Microsoft Corporation (Přesměrovač portů C:\Windows\system32 uživatelského režimu \umrdp.dll služby Vzdálená plocha) upnphost (Hostitel Stopped/Manual (svchost) Microsoft Corporation zařízení UPnP) C:\Windows\system32 \upnphost.dll
Microsoft Windows
UserManager (Správce uživatelů)
Microsoft Windows
swprv (Služba Stopped/Manual Zprostředkovatel softwaru služby Stínová kopie svazků) SysMain (Superfetch) Running/Auto
UsoSvc (Aktualizovat službu Orchestrator)
Running/Auto (Trigger (svchost) Microsoft Corporation Start) C:\Windows\system32 \usermgr.dll Running/Manual (svchost) Microsoft Corporation C:\Windows\system32 \usocore.dll
Recommendation
Microsoft Windows
Microsoft Windows
Microsoft Windows
Microsoft Windows
Microsoft Windows
Microsoft Windows
Microsoft Windows
Microsoft Windows
Cortado AG
Cortado AG
Microsoft Windows
adjust the starting of the service (disabled)
Microsoft Windows
Microsoft Windows Microsoft Windows
Microsoft Windows
adjust the starting of the service (disabled)
Microsoft Windows
Service VaultSvc (Správce pověření) vds (Virtuální disk)
Status Running/Manual
Company Microsoft Corporation
Signer Microsoft Windows
Microsoft Corporation
Microsoft Windows
vmicguestinterface (Rozhraní služby hosta technologie Hyper-V) vmicheartbeat (Služba prezenčního signálu technologie Hyper-V) vmickvpexchange (Služba výměny dat technologie Hyper-V) vmicrdv (Služba Virtualizace vzdálené plochy Hyper-V) vmicshutdown (Služba vypínání hostovaného počítače technologie Hyper-V) vmictimesync (Služba synchronizace času technologie Hyper-V) vmicvmsession (Služba relací virtuálního počítače s technologií Hyper-V) vmicvss (Žadatel služby Stínová kopie svazku technologie Hyper-V) VMTools (VMware Tools)
Stopped/Manual (Trigger Start)
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \icsvc.dll (svchost) Microsoft Corporation C:\Windows\system32 \icsvc.dll
Microsoft Windows
Stopped/Manual (Trigger Start)
(svchost) Microsoft Corporation C:\Windows\system32 \icsvc.dll
Microsoft Windows
Running/Auto
C:\Program Files\VMware\VMware Tools\vmtoolsd.exe C:\Windows\system32 \dllhost.exe C:\Windows\system32 \VSSVC.exe (svchost) C:\Windows\system32 \w32time.dll (svchost) C:\Windows\system32 \WalletService.dll C:\Windows\system32 \wbengine.exe
VMware, Inc.
VMware, Inc.
vmvss (VMware Snapshot Provider) VSS (Stínová kopie svazku) W32Time (Windows Time)
Stopped/Manual
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
WalletService (WalletService)
Stopped/Manual
Microsoft Corporation
Microsoft Windows
wbengine (Služba jádra pro zálohování dat na úrovni bloků) WbioSrvc (Biometrická služba systému Windows) Wcmsvc (Správce připojení systému Windows) wcncsvc (Technologie Windows Connect Now – Registrátor konfigurací) WcsPlugInService (Systém barev systému Windows) WdiServiceHost (Hostitel diagnostické služby) WdiSystemHost (Hostitel
Stopped/Manual
Microsoft Corporation
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \wbiosrvc.dll Running/Auto (Trigger (svchost) Microsoft Corporation Start) C:\Windows\system32 \wcmsvc.dll Stopped/Manual (svchost) Microsoft Corporation C:\Windows\system32 \wcncsvc.dll
Microsoft Windows
Stopped/Manual
Microsoft Windows
Stopped/Manual
Stopped/Manual (Trigger Start) Stopped/Manual (Trigger Start) Stopped/Manual (Trigger Start) Stopped/Manual (Trigger Start)
Stopped/Manual (Trigger Start) Stopped/Manual (Trigger Start)
Stopped/Manual Running/Manual (Trigger Start)
Exe C:\Windows\system32 \lsass.exe C:\Windows\system32 \vds.exe (svchost) C:\Windows\system32 \icsvc.dll (svchost) C:\Windows\system32 \icsvc.dll (svchost) C:\Windows\system32 \icsvc.dll (svchost) C:\Windows\system32 \icsvc.dll (svchost) C:\Windows\system32 \icsvc.dll
Stopped/Manual (Trigger Start)
Running/Manual
Running/Manual
(svchost) Microsoft Corporation C:\Windows\system32 \WcsPlugInService.dll (svchost) Microsoft Corporation C:\Windows\system32 \wdi.dll (svchost) Microsoft Corporation C:\Windows\system32
Recommendation
Microsoft Windows
Microsoft Windows
Microsoft Windows
adjust the starting of the service (disabled)
Microsoft Windows
Microsoft Windows
Service diagnostického systému) WdNisSvc (Služba kontroly sítě programu Windows Defender) WebClient (Webový klient)
Status
Exe \wdi.dll
Company
Signer
Running/Manual
C:\Program Files\Windows Defender\NisSrv.exe
Microsoft Corporation
Microsoft Windows
Stopped/Manual (Trigger Start)
(svchost) Microsoft Corporation C:\Windows\system32 \WebClnt.dll (svchost) Microsoft Corporation C:\Windows\system32 \wecsvc.dll (svchost) Microsoft Corporation C:\Windows\system32 \wephostsvc.dll
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \wercplsupport.dll
Microsoft Windows
Stopped/Manual (Trigger Start)
(svchost) Microsoft Corporation C:\Windows\system32 \wersvc.dll
Microsoft Windows
Stopped/Manual
(svchost) Microsoft Corporation C:\Windows\system32 \wiarpc.dll
Microsoft Windows
C:\Program Files\Windows Defender\MsMpEng.e xe (svchost) C:\Windows\system32 \winhttp.dll (svchost) C:\Windows\system32 \wbem\WMIsvc.dll (svchost) C:\Windows\system32 \WsmSvc.dll
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Wecsvc (Sběr událostí Stopped/Manual systému Windows) WEPHOSTSVC (Hostitelská služba zprostředkovatele šifrování Windows) wercplsupport (Podpora ovládacího panelu Oznámení a řešení problémů) WerSvc (Služba Zasílání zpráv o chybách systému Windows) WiaRpc (Události načítání snímků)
Stopped/Manual (Trigger Start)
WinDefend (Služba Windows Defender)
Running/Auto
Stopped/Manual
WinHttpAutoProxySvc Running/Manual (Služba WinHTTP WPAD) Winmgmt (Služba Running/Auto WMI) WinRM (Vzdálená správa systému Windows (WSManagement)) WlanSvc (Automatická konfigurace sítě WLAN) wlidsvc (Pomocník pro přihlášení pomocí účtu Microsoft)
Stopped/Manual
Microsoft Windows
Microsoft Windows
Stopped/Manual (Trigger Start)
(svchost) Microsoft Corporation C:\Windows\system32 \wlidsvc.dll
Microsoft Windows
wmiApSrv (Adaptér Stopped/Manual výkonu rozhraní WMI) WMPNetworkSvc Stopped/Manual (Služba Windows Media Player Network Sharing) workfolderssvc Stopped/Manual (Pracovní složky)
C:\Windows\system32 Microsoft Corporation \wbem\WmiApSrv.exe C:\Program Microsoft Corporation Files\Windows Media Player\wmpnetwk.exe
Microsoft Windows
(svchost) C:\Windows\system32 \workfolderssvc.dll (svchost) C:\Windows\system32 \wpdbusenum.dll (svchost) C:\Windows\system32 \WpnService.dll (svchost) C:\Windows\system32
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Running/Auto (Delayed)
adjust the starting of the service (disabled)
Microsoft Windows
Stopped/Manual
adjust the starting of the service (disabled)
(svchost) Microsoft Corporation C:\Windows\system32 \wlansvc.dll
Stopped/Manual (Trigger Start)
adjust the starting of the service (disabled)
Stopped/Manual
WPDBusEnum (Služba Výčet přenosných zařízení) WpnService (Služba nabízených oznámení Windows) wscsvc (Centrum zabezpečení)
Recommendation
adjust the starting of the service (disabled)
Microsoft Windows
adjust the starting of the service (disabled)
Service
Status
Exe Company \wscsvc.dll C:\Windows\system32 Microsoft Corporation \SearchIndexer.exe (svchost) Microsoft Corporation C:\Windows\system32 \WSService.dll
Signer
WSearch (Windows Search) WSService (Služba Windows Store (WSService))
Running/Auto (Delayed) Stopped/Manual (Trigger Start)
wuauserv (Windows Update)
Running/Manual (Trigger Start)
wudfsvc (Platforma WDF (Windows Driver Foundation) – platforma ovladače v uživatelském režimu) WwanSvc (Automatická konfigurace sítě WWAN) XblAuthManager (Xbox Live Auth Manager)
Running/Manual (Trigger Start)
XblGameSave (Uložení hry Xbox Live)
Stopped/Manual
XboxNetApiSvc (Síťová služba Xbox Live)
Stopped/Manual
(svchost) Microsoft Corporation C:\Windows\system32 \wuaueng.dll (svchost) Microsoft Corporation C:\Windows\system32 \WUDFSvc.dll
Microsoft Windows
Stopped/Manual
(svchost) Microsoft Corporation C:\Windows\system32 \wwansvc.dll
Microsoft Windows
Stopped/Manual
(svchost) Microsoft Corporation C:\Windows\system32 \XblAuthManager.dll
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \XblGameSave.dll
Microsoft Windows
(svchost) Microsoft Corporation C:\Windows\system32 \XboxNetApiSvc.dll
Microsoft Windows
Recommendation
Microsoft Windows Microsoft Windows
adjust the starting of the service (disabled)
Microsoft Windows
adjust the starting of the service (disabled)
adjust the starting of the service (disabled)
adjust the starting of the service (disabled)
1.3.2
[SVCS-02] Drivers
The check evaluates the configuration of system drivers according to the specified set of rules. The following driver attributes are verified: the current state of the driver, its start mode, the path to the binary image, the image maker and the image signer. With a set of custom rules, blacklist-type checking can be performed (a ban on the operation of certain drivers), as well as whitelist-type checking (allowing only the listed drivers) or requestlist-type checking (requiring the mandatory operation of certain drivers).
Check result: OK WITH WARNING.
Fixing the security issues detected in this chapter is usually rather problematic: a driver can typically only be disabled, removed completely, or perhaps updated to a newer version.
The table lists the system drivers whose configuration or current state does not match the requirements:
Driver 1394ohci (Hostitelský řadič pro rozhraní OHCI standardu 1394) 3ware (3ware)
Status Stopped/Manual
Exe Company C:\Windows\system32 Microsoft Corporation \drivers\1394ohci.sys
Signer Microsoft Windows
Stopped/Manual
Microsoft Windows
ACPI (Ovladač standardu ACPI společnosti Microsoft) acpiex (Microsoft ACPIEx Driver) acpipagr (Ovladač agregačního procesoru standardu ACPI) AcpiPmi (Ovladač měřiče napájení standardu ACPI) acpitime (Ovladač buzení rozhraní ACPI) ADP80XX (ADP80XX)
Running/Boot
C:\Windows\system32 LSI \drivers\3ware.sys C:\Windows\system32 Microsoft Corporation \drivers\acpi.sys C:\Windows\system32 Microsoft Corporation \drivers\acpiex.sys C:\Windows\system32 Microsoft Corporation \drivers\acpipagr.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\acpipmi.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\acpitime.sys C:\Windows\system32 PMC-Sierra
Microsoft Windows
Running/Boot Stopped/Manual
Stopped/Manual
Recommendation
Microsoft Windows
Microsoft Windows
Microsoft Windows
Driver
Status
AFD (Ovladač pomocných funkcí pro rozhraní Winsock) agp440 (Filtr Intel sběrnice AGP) ahcache (Application Compatibility Cache) AmdK8 (Ovladač procesoru AMD K8) AmdPPM (Ovladač procesoru AMD) amdsata (amdsata)
Running/System
amdsbs (amdsbs)
Stopped/Manual
amdxata (amdxata)
Stopped/Manual
Stopped/Manual Running/System Stopped/Manual Stopped/Manual Stopped/Manual
AppID (AppID Driver) Stopped/Manual arcsas (Adaptec SAS/SATA-II RAID Storport – ovladač miniportu) AsyncMac (Ovladač asynchronních médií připojení RAS) atapi (Kanál IDE)
Stopped/Manual
b06bdrv (Broadcom NetXtreme II VBD) BasicDisplay (BasicDisplay)
Stopped/Manual
BasicRender (BasicRender)
Running/System
bcmfn2 (bcmfn2 Service) bowser (Ovladač podpory prohlížeče) BthAvrcpTg (Dálkové ovládání zvuku nebo videa Bluetooth standardu HID) BthHFEnum (Enumerátor zařízení Bluetooth handsfree pro ovládání zvuku a hovorů standardu HID) bthhfhid (Zařízení Bluetooth handsfree pro ovládání hovorů standardu HID) BTHMODEM (Ovladač pro sériovou komunikaci protokolem Bluetooth) buttonconverter (Služba pro zařízení pro ovládání přenosných zařízení) CapImg (Ovladač HID
Stopped/Manual
Exe Company \drivers\adp80xx.sys C:\Windows\system32 Microsoft Corporation \drivers\afd.sys
Signer
C:\Windows\system32 \drivers\AGP440.sys C:\Windows\system32 \drivers\ahcache.sys C:\Windows\system32 \drivers\amdk8.sys C:\Windows\system32 \drivers\amdppm.sys C:\Windows\system32 \drivers\amdsata.sys C:\Windows\system32 \drivers\amdsbs.sys C:\Windows\system32 \drivers\amdxata.sys C:\Windows\system32 \drivers\appid.sys C:\Windows\system32 \drivers\arcsas.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Advanced Micro Devices AMD Technologies Inc. Advanced Micro Devices Microsoft Corporation
Microsoft Windows
PMC-Sierra, Inc.
Microsoft Windows
Microsoft Windows
Microsoft Windows Microsoft Windows Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\asyncmac.sys
Microsoft Windows
Running/Boot
C:\Windows\system32 \drivers\atapi.sys C:\Windows\system32 \drivers\bxvbda.sys C:\Windows\system32 \drivers\BasicDisplay. sys C:\Windows\system32 \drivers\BasicRender.s ys C:\Windows\system32 \drivers\bcmfn2.sys C:\Windows\system32 \drivers\bowser.sys C:\Windows\system32 \drivers\BthAvrcpTg.s ys
Microsoft Windows
Running/System
Microsoft Corporation
Broadcom Corporation Microsoft Windows Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Windows (R) Win 7 DDK provider Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\bthhfenum.sy s
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\BthHFHid.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\bthmodem.sy s
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\buttonconvert er.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation
Microsoft Windows
Running/Manual Stopped/Manual
Recommendation
Microsoft Windows
Driver pro dotykovou obrazovku CapImg) cdfs (CD/DVD File System Reader) cdrom (Ovladač jednotky CD-ROM) circlass (Uživatelská infračervená zařízení) CLFS (Common Log (CLFS)) CmBatt (Ovladač baterie pro kontrolní metodu standardu ACPI společnosti Microsoft) CNG (CNG)
Status
Exe \drivers\capimg.sys
Company
Signer
Stopped/Disabled
C:\Windows\system32 \drivers\cdfs.sys C:\Windows\system32 \drivers\cdrom.sys C:\Windows\system32 \drivers\circlass.sys C:\Windows\system32 \drivers\clfs.sys C:\Windows\system32 \drivers\CmBatt.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
cnghwassist (CNG Hardware Assist algorithm provider) CompositeBus (Ovladač rozpoznávacího modulu složené sběrnice)
Stopped/Disabled
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
condrv (Console Driver) CSC (Ovladač souborů pro režim offline) dam (Desktop Activity Moderator Driver) Dfsc (Ovladač klienta oboru názvů DFS) disk (Ovladač disku)
Running/Manual
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
dmvsc (dmvsc)
Stopped/Manual
Microsoft Corporation
Microsoft Windows
drmkaud (Ovladače zvuku považované společností Microsoft za důvěryhodné) DXGKrnl (LDDM Graphics Subsystem) e1iexpress (Intel(R) PRO/1000 PCI Express Network Connection Driver I) ebdrv (QLogic 10 Gigabit Ethernet – ovladač VBD adaptéru) EhStorClass (Enhanced Storage Filter Driver) EhStorTcgDrv (Ovladač společnosti Microsoft pro úložná zařízení podporující protokoly IEEE 1667 a TCG) ErrDev (Microsoft Hardware Error Device Driver)
Stopped/Manual
C:\Windows\system32 \drivers\cng.sys C:\Windows\system32 \DRIVERS\cnghwassis t.sys C:\Windows\system32 \DriverStore\FileRepo sitory\compositebus.in f_amd64_98334ba6e 76853ba\CompositeB us.sys C:\Windows\system32 \drivers\condrv.sys C:\Windows\system32 \drivers\csc.sys C:\Windows\system32 \drivers\dam.sys C:\Windows\system32 \drivers\dfsc.sys C:\Windows\system32 \drivers\disk.sys C:\Windows\system32 \drivers\dmvsc.sys C:\Windows\system32 \drivers\drmkaud.sys
Microsoft Corporation
Microsoft Windows
C:\Windows\system32 Microsoft Corporation \drivers\dxgkrnl.sys C:\Windows\system32 Intel Corporation \drivers\e1i63x64.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 QLogic Corporation \drivers\evbda.sys
Microsoft Windows
Running/Boot
C:\Windows\system32 Microsoft Corporation \drivers\EhStorClass.s ys C:\Windows\system32 Microsoft Corporation \drivers\EhStorTcgDr v.sys
Microsoft Windows
C:\Windows\system32 Microsoft Corporation \drivers\errdev.sys
Microsoft Windows
Running/System Stopped/Manual Running/Boot Running/Manual
Running/Boot
Running/Manual
Running/System Stopped/System Running/System Running/Boot
Running/Manual Running/Manual
Stopped/Manual
Stopped/Manual
Recommendation
Microsoft Windows
Microsoft Windows
Driver fcvsc (fcvsc)
Status Stopped/Manual
fdc (Ovladač řadiče disketové jednotky) FileCrypt (FileCrypt)
Running/Manual
FileInfo (File Information FS MiniFilter) Filetrace (FileTrace)
Running/Boot
Running/System
Stopped/Manual
flpydisk (Ovladač Running/Manual disketové jednotky) FltMgr (Správce filtrů) Running/Boot
FsDepends (File System Dependency Minifilter) fvevol (Ovladač filtru nástroje BitLocker Drive Encryption) gagp30kx (Filtr Microsoft Generic AGPv3.0 pro procesorovou platformu K8) gencounter (Microsoft Hyper-V – Čítač generací) genericusbfn (Obecná funkční třída USB)
Stopped/Manual
Company Microsoft Corporation
Signer Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
C:\Windows\system32 \drivers\filetrace.sys C:\Windows\system32 \drivers\flpydisk.sys (unresolved) \SystemRoot\system3 2\drivers\fltmgr.sys C:\Windows\system32 \drivers\FsDepends.sy s C:\Windows\system32 \drivers\fvevol.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
?
<no signature>
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\GAGP30KX.S YS
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\vmgencounte r.sys C:\Windows\system32 Microsoft Corporation \drivers\genericusbfn. sys C:\Windows\system32 Microsoft Corporation \drivers\msgpioclx.sys
Microsoft Windows
C:\Windows\system32 Microsoft Corporation \drivers\gpuenergydrv .sys C:\Windows\system32 Microsoft Corporation \drivers\HdAudio.sys
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\hdaudbus.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\hidbatt.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\hidbth.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\hidi2c.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\hidinterrupt.s ys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\hidir.sys
Microsoft Windows
Running/Boot
Stopped/Manual
Running/Manual
Recommendation
check the origin of the driver
Microsoft Corporation
GPIOClx0101 Stopped/Manual (Microsoft GPIO Class Extension Driver) GpuEnergyDrv (GPU Running/System Energy Driver) HdAudAddService (Ovladač funkce Microsoft 1.1 UAA pro službu zvuku High Definition Audio) HDAudBus (Ovladač sběrnice Microsoft UAA pro zvuk High Definition Audio) HidBatt (Ovladač baterie zdroje UPS standardu HID) HidBth (Miniport Microsoft Bluetooth HID) hidi2c (Ovladač miniportu Microsoft I2C HID) hidinterrupt (Společný ovladač pro tlačítka standardu HID implementovaná s přerušeními) HidIr (Ovladač infračerveného portu HID Microsoft)
Exe C:\Windows\system32 \drivers\fcvsc.sys C:\Windows\system32 \drivers\fdc.sys C:\Windows\system32 \drivers\filecrypt.sys C:\Windows\system32 \drivers\fileinfo.sys
Microsoft Windows
Microsoft Windows
Microsoft Windows
Driver HidUsb (Ovladač třídy standardu HID Microsoft) HpSAMD (HpSAMD)
Status Running/Manual
Exe Company C:\Windows\system32 Microsoft Corporation \drivers\hidusb.sys
Signer Microsoft Windows
Stopped/Manual Running/Manual
Hewlett-Packard Company Microsoft Corporation
Microsoft Windows
HTTP (Služba protokolu HTTP) hwpolicy (Hardware Policy Driver) hyperkbd (hyperkbd)
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
HyperVideo (HyperVideo)
Stopped/Manual
Microsoft Corporation
Microsoft Windows
i8042prt (Ovladač portů klávesnice a myši PS/2) iaLPSSi_GPIO (Intel(R) Serial IO GPIO Controller Driver) iaLPSSi_I2C (Ovladač řadiče Intel(R) Serial IO I2C) iaStorAV (Řadič Intel(R) SATA diskového pole RAID – Windows) iaStorV (Řadič Intel diskového pole RAID – Windows 7) ibbus (Mellanox InfiniBand Bus/AL (ovladač filtru)) intelide (intelide)
Running/Manual
C:\Windows\system32 \drivers\HpSAMD.sys C:\Windows\system32 \drivers\http.sys C:\Windows\system32 \drivers\hwpolicy.sys C:\Windows\system32 \drivers\hyperkbd.sys C:\Windows\system32 \drivers\HyperVideo.s ys C:\Windows\system32 \drivers\i8042prt.sys
Microsoft Corporation
Microsoft Windows
intelpep (Ovladač modulu Intel(R) Power Engine Plug-in) intelppm (Ovladač procesoru Intel) IpFilterDriver (IP Traffic Filter Driver) IPMIDRV (IPMIDRV)
Stopped/Manual
IPNAT (IP Network Address Translator) IRENUM (IR Bus Enumerator) isapnp (isapnp)
Stopped/Manual
iScsiPrt (Ovladač iScsiPort) kbdclass (Keyboard Class Driver) kbdhid (Ovladač klávesnice standardu HID) kdnic (Miniport ladění jádra společnosti Microsoft (NDIS 6.20)) KSecDD (KSecDD)
Stopped/Manual
Stopped/Boot Stopped/Manual
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Intel Corporation \drivers\iaLPSSi_GPI O.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Intel Corporation \drivers\iaLPSSi_I2C. sys C:\Windows\system32 Intel Corporation \drivers\iaStorAV.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Intel Corporation \drivers\iaStorV.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Mellanox \drivers\ibbus.sys
Microsoft Windows
Running/Boot
C:\Windows\system32 Microsoft Corporation \drivers\intelide.sys C:\Windows\system32 Microsoft Corporation \drivers\intelpep.sys
Microsoft Windows
C:\Windows\system32 \drivers\intelppm.sys C:\Windows\system32 \drivers\ipfltdrv.sys C:\Windows\system32 \drivers\IPMIDrv.sys C:\Windows\system32 \drivers\ipnat.sys C:\Windows\system32 \drivers\irenum.sys C:\Windows\system32 \drivers\isapnp.sys C:\Windows\system32 \drivers\msiscsi.sys C:\Windows\system32 \drivers\kbdclass.sys C:\Windows\system32 \drivers\kbdhid.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\kdnic.sys
Microsoft Windows
Running/Boot
C:\Windows\system32 Microsoft Corporation \drivers\ksecdd.sys
Microsoft Windows
Stopped/Manual
Running/Manual Stopped/Manual Stopped/Manual
Stopped/Manual Stopped/Manual
Running/Manual Stopped/Manual
Recommendation
Microsoft Windows
Microsoft Windows
Driver KSecPkg (KSecPkg)
Status Running/Boot
Exe C:\Windows\system32 \drivers\ksecpkg.sys C:\Windows\system32 \drivers\ksthunk.sys C:\Windows\system32 \drivers\lltdio.sys
Company Microsoft Corporation
Signer Microsoft Windows
ksthunk (Kernel Streaming Thunks) lltdio (Vstupněvýstupní ovladač mapovače zjišťování topologie linkové vrstvy) LSI_SAS (LSI_SAS)
Running/Manual
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
C:\Windows\system32 \drivers\lsi_sas.sys C:\Windows\system32 \drivers\lsi_sas2i.sys C:\Windows\system32 \drivers\lsi_sas3i.sys C:\Windows\system32 \drivers\lsi_sss.sys C:\Windows\system32 \drivers\luafv.sys
LSI Corporation
Microsoft Windows
LSI_SAS2i (LSI_SAS2i) LSI_SAS3i (LSI_SAS3i) LSI_SSS (LSI_SSS)
Stopped/Manual
LSI Corporation
Microsoft Windows
Avago Technologies
Microsoft Windows
LSI Corporation
Microsoft Windows
luafv (Virtualizace souborů nástroje Řízení uživatelských účtů) megasas (megasas)
Running/Auto
Microsoft Corporation
Microsoft Windows
C:\Windows\system32 Avago Technologies \drivers\megasas.sys C:\Windows\system32 LSI Corporation, Inc. \drivers\megasr.sys C:\Windows\system32 Mellanox \drivers\mlx4_bus.sys
Microsoft Windows
megasr (megasr)
Stopped/Manual
mlx4_bus (Enumerátor sběrnice Mellanox ConnectX) MMCSS (Multimedia Class Scheduler) Modem (Modem)
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\mmcss.sys C:\Windows\system32 Microsoft Corporation \drivers\modem.sys C:\Windows\system32 Microsoft Corporation \drivers\monitor.sys
Microsoft Windows
monitor (Služba ovladače funkce třídy monitorů Microsoft) mouclass (Mouse Class Driver) mouhid (Ovladač myši standardu HID) mountmgr (Správce přípojných bodů)
Running/Manual
C:\Windows\system32 \drivers\mouclass.sys C:\Windows\system32 \drivers\mouhid.sys C:\Windows\system32 \drivers\mountmgr.sy s C:\Windows\system32 \drivers\mpsdrv.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
mpsdrv (Windows Firewall Authorization Driver) MRxDAV (Ovladač přesměrovače klienta WebDav) mrxsmb (Obálka a jádro minipřesměrovačů SMB) mrxsmb10 (Minipřesměrovač SMB 1.x) mrxsmb20 (Minipřesměrovač SMB 2.0) MsBridge (Most MAC společnosti Microsoft) msgpiowin32 (Běžný ovladač pro tlačítka, dokovaný režim a indikátor přenosného
Running/Manual
Microsoft Corporation
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\mrxdav.sys
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\mrxsmb.sys
Microsoft Windows
Running/Auto
C:\Windows\system32 \drivers\mrxsmb10.sy s C:\Windows\system32 \drivers\mrxsmb20.sy s C:\Windows\system32 \drivers\bridge.sys C:\Windows\system32 \drivers\msgpiowin32. sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Running/Auto
Running/Boot
Stopped/Manual Stopped/Manual
Stopped/Manual
Running/Auto Stopped/Manual
Running/Manual Running/Manual Running/Boot
Running/Manual
Stopped/Manual Stopped/Manual
Recommendation
Microsoft Windows Microsoft Windows
Microsoft Windows Microsoft Windows
Driver Status počítače nebo tabletu) mshidkmdf Stopped/Manual (mshidkmdf)
Exe
Company
Signer
C:\Windows\system32 Microsoft Corporation \drivers\mshidkmdf.sy s C:\Windows\system32 Microsoft Corporation \drivers\mshidumdf.sy s
Microsoft Windows
C:\Windows\system32 Microsoft Corporation \drivers\msisadrv.sys C:\Windows\system32 Microsoft Corporation \drivers\mskssrv.sys
Microsoft Windows
Running/Auto
C:\Windows\system32 Microsoft Corporation \DRIVERS\mslldp.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\mspclock.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\mspqm.sys
Microsoft Windows
Running/System
C:\Windows\system32 Microsoft Corporation \drivers\mssmbios.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\mstee.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\MTConfig.sys
Microsoft Windows
Running/Boot
C:\Windows\system32 \drivers\mup.sys C:\Windows\system32 \drivers\mvumis.sys C:\Windows\system32 \drivers\nwifi.sys C:\Windows\system32 \drivers\ndfltr.sys C:\Windows\system32 \drivers\ndis.sys
Microsoft Corporation
Microsoft Windows
Marvell Semiconductor, Inc. Microsoft Corporation
Microsoft Windows
Mellanox
Microsoft Windows
Microsoft Corporation
Microsoft Windows
C:\Windows\system32 Microsoft Corporation \drivers\ndiscap.sys C:\Windows\system32 Microsoft Corporation \drivers\NdisImPlatfor m.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\ndistapi.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\ndisuio.sys
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\NdisVirtualBu s.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\ndiswan.sys
Microsoft Windows
mshidumdf (Ovladač pro předávání dat ze zařízení HID do architektury UMDF) msisadrv (msisadrv)
Stopped/Manual
MSKSSRV (Server proxy služby datových proudů Microsoft) MsLldp (Protokol Microsoft LLDP (LinkLayer Discovery Protocol)) MSPCLOCK (Server proxy hodin datových proudů Microsoft) MSPQM (Server proxy správce kvality datových proudů Microsoft) mssmbios (Ovladač Microsoft System Management BIOS) MSTEE (Konvertor jímka-jímka typu T datových proudů Microsoft) MTConfig (Microsoft Input Configuration Driver) Mup (MUP)
Stopped/Manual
mvumis (mvumis)
Stopped/Manual
NativeWifiP (Filtr NativeWiFi) ndfltr (Služba NetworkDirect) NDIS (Systémový ovladač rozhraní NDIS) NdisCap (Microsoft NDIS Capture) NdisImPlatform (Protokol multiplexoru pro síťový adaptér od společnosti Microsoft) NdisTapi (Ovladač Remote Access NDIS TAPI) Ndisuio (NDIS Usermode I/O Protocol) NdisVirtualBus (Enumerátor virtuálního síťového adaptéru Microsoft) NdisWan (Ovladač Remote Access NDIS WAN)
Stopped/Manual
Running/Boot
Stopped/Manual Running/Boot
Stopped/Manual Stopped/Manual
Recommendation
Microsoft Windows
Microsoft Windows
Microsoft Windows
Microsoft Windows
Driver ndiswanlegacy (Starší ovladač vzdáleného přístupu NDIS WAN) ndproxy (@ %SystemRoot %\system32\drivers\t odo.sys,-101;NDIS Proxy) Ndu (Windows Network Data Usage Monitoring Driver) NetBIOS (NetBIOS Interface) NetBT (NETBT)
Status Stopped/Manual
Exe Company C:\Windows\system32 Microsoft Corporation \drivers\ndiswan.sys
Signer Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\ndproxy.sys
Microsoft Windows
Running/Auto
C:\Windows\system32 Microsoft Corporation \drivers\Ndu.sys
Microsoft Windows
Running/System
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
netvsc (netvsc)
Stopped/Manual
Microsoft Corporation
Microsoft Windows
npsvctrig (Named pipe service trigger provider) nsiproxy (NSI Proxy Service Driver) nv_agp (Filtr sběrnice NVIDIA nForce AGP) nvraid (nvraid)
Running/System
C:\Windows\system32 \drivers\netbios.sys C:\Windows\system32 \drivers\netbt.sys C:\Windows\system32 \drivers\netvsc.sys C:\Windows\system32 \drivers\npsvctrig.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
NVIDIA Corporation
Microsoft Windows
nvstor (nvstor)
Stopped/Manual
NVIDIA Corporation
Microsoft Windows
Parport (Ovladač paralelního portu) partmgr (Správce oddílů) pci (Řadič sběrnice PCI) pciide (pciide)
Stopped/Manual
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
pcmcia (pcmcia)
Stopped/Manual
C:\Windows\system32 \drivers\nsiproxy.sys C:\Windows\system32 \drivers\NV_AGP.SYS C:\Windows\system32 \drivers\nvraid.sys C:\Windows\system32 \drivers\nvstor.sys C:\Windows\system32 \drivers\parport.sys C:\Windows\system32 \drivers\partmgr.sys C:\Windows\system32 \drivers\pci.sys C:\Windows\system32 \drivers\pciide.sys C:\Windows\system32 \drivers\pcmcia.sys C:\Windows\system32 \drivers\pcw.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
C:\Windows\system32 \drivers\pdc.sys C:\Windows\system32 \drivers\PEAuth.sys C:\Windows\system32 \drivers\percsas2i.sys C:\Windows\system32 \drivers\percsas3i.sys C:\Windows\system32 \drivers\pnpmem.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
LSI Corporation
Microsoft Windows
Avago Technologies
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\raspptp.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\processr.sys C:\Windows\system32 Microsoft Corporation \drivers\pacer.sys
Microsoft Windows
C:\Windows\system32 Microsoft Corporation \drivers\qwavedrv.sys C:\Windows\system32 Microsoft Corporation \drivers\rasacd.sys
Microsoft Windows
Running/System
Running/System Stopped/Manual Stopped/Manual
Running/Boot Running/Boot Stopped/Manual
pcw (Performance Running/Boot Counters for Windows Driver) pdc (Primární řadič Running/Boot domény) PEAUTH (PEAUTH) Running/Auto percsas2i (percsas2i)
Stopped/Manual
percsas3i (percsas3i)
Stopped/Manual
PNPMEM (Ovladač paměťového modulu Microsoft) PptpMiniport (Připojení WAN Miniport (PPTP)) Processor (Ovladač procesoru) Psched (Plánovač paketů technologie QoS) QWAVEdrv (Ovladač QWAVE) RasAcd (Remote Access Auto
Running/Manual
Running/System
Stopped/Manual Stopped/Manual
Recommendation
Microsoft Windows
Microsoft Windows
Driver Connection Driver) RasAgileVpn (Připojení WAN Miniport (IKEv2)) Rasl2tp (Připojení WAN Miniport (L2TP)) RasPppoe (Ovladač pro vzdálený přístup PPPOE) RasSstp (Připojení WAN Miniport (SSTP)) rdbss (Podsystém přesměrovaného ukládání do vyrovnávací paměti) rdpbus (Remote Desktop Device Redirector Bus Driver) RDPDR (Remote Desktop Device Redirector Driver) RdpVideoMiniport (Remote Desktop Video Miniport Driver) rdyboost (ReadyBoost) rspndr (Respondér zjišťování topologie linkové vrstvy) s3cap (s3cap)
Status
Exe
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\agilevpn.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\rasl2tp.sys C:\Windows\system32 Microsoft Corporation \drivers\raspppoe.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\rassstp.sys
Microsoft Windows
Running/System
C:\Windows\system32 Microsoft Corporation \drivers\rdbss.sys
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\rdpbus.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\rdpdr.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\rdpvideominip ort.sys C:\Windows\system32 Microsoft Corporation \drivers\rdyboost.sys C:\Windows\system32 Microsoft Corporation \drivers\rspndr.sys
Microsoft Windows
Microsoft Windows
sbp2port (Ovladač sběrnice pro přenos dat zařízení podporujícího protokol SBP-2) scfilter (Ovladač filtru čipových karet třídy PnP) sdbus (sdbus)
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\vms3cap.sys C:\Windows\system32 Microsoft Corporation \drivers\sbp2port.sys
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\scfilter.sys
Microsoft Windows
Stopped/Manual
Microsoft Windows
sdstor (Ovladač portu úložiště SD) SensorsHIDClassDriv er (Služba Reflektor UMDF pro ovladač senzorů třídy HID) SerCx (Serial UART Support Library) SerCx2 (Serial UART Support Library) Serenum (Ovladač filtru Serenum) Serial (Ovladač sériového portu) sermouse (Ovladač sériové myši) sfloppy (Disketová jednotka s vysokou hustotou záznamu) SiSRaid2 (SiSRaid2)
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\sdbus.sys C:\Windows\system32 Microsoft Corporation \drivers\sdstor.sys C:\Windows\system32 Microsoft Corporation \drivers\WUDFRd.sys
C:\Windows\system32 \drivers\SerCx.sys C:\Windows\system32 \drivers\SerCx2.sys C:\Windows\system32 \drivers\serenum.sys C:\Windows\system32 \drivers\serial.sys C:\Windows\system32 \drivers\sermouse.sys C:\Windows\system32 \drivers\sfloppy.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
SiSRaid4 (SiSRaid4)
Stopped/Manual
Stopped/Manual
Running/Boot Running/Auto
Stopped/Manual
Running/Manual
Stopped/Manual Stopped/Manual Running/Manual Running/Manual Stopped/Manual Stopped/Manual
Stopped/Manual
Company
C:\Windows\system32 Silicon Integrated \drivers\sisraid2.sys Systems Corp. C:\Windows\system32 Silicon Integrated
Signer
Recommendation
Microsoft Windows
Microsoft Windows Microsoft Windows
Microsoft Windows
Microsoft Windows Microsoft Windows
Microsoft Windows Microsoft Windows
Driver
Status
Exe \drivers\sisraid4.sys C:\Windows\system32 \drivers\spaceport.sys C:\Windows\system32 \drivers\SpbCx.sys
Company Systems Microsoft Corporation
Signer
spaceport (Ovladač prostorů úložišť) SpbCx (Simple Peripheral Bus Support Library) srv (Ovladač pro server SMB 1.xxx) srv2 (Ovladač pro server SMB 2.xxx) srvnet (srvnet)
Running/Boot
Microsoft Corporation
Microsoft Windows
C:\Windows\system32 \drivers\srv.sys C:\Windows\system32 \drivers\srv2.sys C:\Windows\system32 \drivers\srvnet.sys C:\Windows\system32 \drivers\stexstor.sys C:\Windows\system32 \drivers\storahci.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
stexstor (stexstor)
Stopped/Manual
Promise Technology, Inc. Microsoft Corporation
Microsoft Windows
storahci (Standardní ovladač SATA AHCI společnosti Microsoft) storflt (Akcelerátor úložiště technologie Microsoft Hyper-V) stornvme (Ovladač Microsoft Standard NVM Express ) storqosflt (Ovladač filtru technologie QoS pro úložiště) storufs (Ovladač Microsoft Universal Flash Storage (UFS)) storvsc (storvsc)
Running/Boot
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\vmstorfl.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\stornvme.sys
Microsoft Windows
Running/Auto
C:\Windows\system32 Microsoft Corporation \drivers\storqosflt.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\storufs.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 \drivers\storvsc.sys C:\Windows\system32 \DriverStore\FileRepo sitory\swenum.inf_am d64_2a699e44676b7 781\swenum.sys C:\Windows\system32 \drivers\Synth3dVsc.s ys C:\Windows\system32 \drivers\tcpip.sys C:\Windows\system32 \drivers\tcpip.sys
Microsoft Corporation
Microsoft Windows
swenum (Softwarový ovladač sběrnice)
Running/Manual
Microsoft Corporation
Microsoft Windows
Synth3dVsc (Synth3dVsc)
Stopped/Manual
Microsoft Corporation
Microsoft Windows
Tcpip (Ovladač protokolu TCP/IP) Tcpip6 (@todo.dll,100;Microsoft IPv6 Protocol Driver) tcpipreg (TCP/IP Registry Compatibility) tdx (Ovladač pro podporu zastaralého rozhraní TDI NetIO) terminpt (Ovladač vstupního zařízení vzdálené plochy společnosti Microsoft) TPM (Čip TPM)
Running/Boot
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
C:\Windows\system32 Microsoft Corporation \drivers\tcpipreg.sys C:\Windows\system32 Microsoft Corporation \drivers\tdx.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\terminpt.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\tpm.sys C:\Windows\system32 Microsoft Corporation \drivers\TsUsbFlt.sys
Microsoft Windows
C:\Windows\system32 Microsoft Corporation \drivers\TsUsbGD.sys
Microsoft Windows
C:\Windows\system32 Microsoft Corporation \drivers\tunnel.sys
Microsoft Windows
Stopped/Manual
Running/Auto Running/Manual Running/Manual
Stopped/Manual
Running/Auto Running/System
TsUsbFlt (Remote Stopped/Manual Desktop USB Hub Class Filter Driver) TsUsbGD (Obecné Stopped/Manual zařízení USB vzdálené plochy) tunnel (Microsoft Running/Manual Tunnel Miniport Adapter Driver)
Recommendation
Microsoft Windows
Microsoft Windows
Microsoft Windows
Microsoft Windows
Driver uagp35 (Filtr Microsoft AGPv3.5) UASPStor (Ovladač UAS (USB Attached SCSI)) UcmCx0101 (USB Connector Manager KMDF Class Extension) UcmUcsi (Klient UCSI Správce konektoru USB) Ucx01000 (USB Host Support Library)
Status Stopped/Manual
Exe Company C:\Windows\system32 Microsoft Corporation \drivers\UAGP35.SYS C:\Windows\system32 Microsoft Corporation \drivers\uaspstor.sys
Signer Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\UcmCx.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\UcmUcsi.sys
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\UCX01000.S YS C:\Windows\system32 ? \drivers\Udecx.sys
Microsoft Windows
UdeCx (USB Device Emulation Support Library) udfs (udfs)
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\udfs.sys C:\Windows\system32 Microsoft Corporation \drivers\uefi.sys C:\Windows\system32 Microsoft Corporation \drivers\ufx01000.sys
Microsoft Windows
UEFI (Ovladač Microsoft UEFI) Ufx01000 (USB Function Class Extension) UfxChipidea (Řadič USB – Chipidea)
Stopped/Manual
C:\Windows\system32 \drivers\UfxChipidea.s ys C:\Windows\system32 \drivers\ufxsynopsys.s ys C:\Windows\system32 \drivers\ULIAGPKX.S YS C:\Windows\system32 \drivers\umbus.sys
Microsoft Corporation
Microsoft Windows
ufxsynopsys (Řadič USB – Synopsys)
Stopped/Manual
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
C:\Windows\system32 \drivers\umpass.sys C:\Windows\system32 \drivers\urschipidea.sy s C:\Windows\system32 \drivers\urscx01000.s ys C:\Windows\system32 \drivers\urssynopsys.s ys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\usbccgp.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\usbcir.sys
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\usbehci.sys
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\usbhub.sys
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\USBHUB3.SY S
Microsoft Windows
Stopped/Manual
Stopped/Disabled
Stopped/Manual
Stopped/Manual
uliagpkx (Filtr sběrnice Stopped/Manual Uli AGP) umbus (Ovladač sběrnice UMBus Enumerator) UmPass (Ovladač Microsoft UMPass) UrsChipidea (Chipidea – ovladač USB pro přepínání rolí) UrsCx01000 (USB Role-Switch Support Library) UrsSynopsys (Synopsys – ovladač USB pro přepínání rolí) usbccgp (Obecný nadřazený ovladač Microsoft USB) usbcir (Infračervený přijímač eHome (USBCIR)) usbehci (Ovladač miniportu vylepšeného hostitelského řadiče Microsoft USB 2.0) usbhub (Ovladač standardního rozbočovače USB) USBHUB3 (Rozbočovač SuperSpeed)
Running/Manual
Stopped/Manual Stopped/Manual
Stopped/Manual
Stopped/Manual
Recommendation
Microsoft Windows
Microsoft Windows
Microsoft Windows Microsoft Windows
Driver usbohci (Ovladač miniportu otevřeného hostitelského řadiče Microsoft USB) usbprint (Třída USB Printer) usbser (Sériový ovladač USB od společnosti Microsoft) USBSTOR (Ovladač velkokapacitního paměťového zařízení USB) usbuhci (Ovladač miniportu univerzálního hostitelského řadiče Microsoft USB) USBXHCI (Hostitelský řadič USB kompatibilní s rozhraním xHCI) vdrvroot (Enumerátor virtuální jednotky Microsoft) vhdmp (vhdmp)
Status Stopped/Manual
Exe Company C:\Windows\system32 Microsoft Corporation \drivers\usbohci.sys
Signer Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\usbprint.sys C:\Windows\system32 Microsoft Corporation \drivers\usbser.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\USBSTOR.SY S
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\usbuhci.sys
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\USBXHCI.SY S C:\Windows\system32 Microsoft Corporation \drivers\vdrvroot.sys
Microsoft Windows
Microsoft Windows
vhf (Ovladač VHF (Virtual HID Framework)) vm3dmp (vm3dmp)
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\vhdmp.sys C:\Windows\system32 Microsoft Corporation \drivers\vhf.sys VMware, Inc.
VMware, Inc.
vmbus (Virtual Machine Bus) VMBusHID (VMBusHID)
Stopped/Manual
C:\Windows\system32 \drivers\vm3dmp.sys C:\Windows\system32 \drivers\vmbus.sys C:\Windows\system32 \drivers\VMBusHID.sy s C:\Windows\system32 \drivers\vmci.sys C:\Windows\system32 \drivers\vmhgfs.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
VMware, Inc.
VMware, Inc.
VMware, Inc.
VMware, Inc.
C:\Program Files\Common Files\VMware\Drivers\ memctl\vmmemctl.sys C:\Windows\system32 \drivers\vmmouse.sys C:\Program Files\VMware\VMware Tools\vmrawdsk.sys C:\Windows\system32 \drivers\vmusbmouse. sys C:\Windows\system32 \drivers\volmgr.sys C:\Windows\system32 \drivers\volmgrx.sys C:\Windows\system32 \drivers\volsnap.sys C:\Windows\system32 \drivers\vpci.sys
VMware, Inc.
VMware, Inc.
VMware, Inc.
VMware, Inc.
VMware, Inc.
VMware, Inc.
VMware, Inc.
VMware, Inc.
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Stopped/Manual
Running/Boot
Stopped/Manual
Running/Manual
Stopped/Manual
vmci (VMware VMCI Running/Boot Bus Driver) vmhgfs (VMware Host Running/System Guest Client Redirector) VMMEMCTL (Memory Running/Auto Control Driver)
vmmouse (VMware Pointing Device) vmrawdsk (VMware Vista Physical Disk Helper) vmusbmouse (VMware USB Pointing Device) volmgr (Ovladač správce svazků) volmgrx (Správce dynamických svazků) volsnap (Svazky úložiště) vpci (Virtuální sběrnice PCI technologie Microsoft Hyper-V) vsmraid (vsmraid)
Running/Manual Running/System
Running/Manual
Running/Boot Running/Boot Running/Boot Stopped/Manual
Stopped/Manual
C:\Windows\system32 VIA Technologies
Recommendation
Microsoft Windows
Microsoft Windows
Microsoft Windows
quote ImagePath
quote ImagePath
Microsoft Windows
Driver
Status
Exe \drivers\vsmraid.sys C:\Windows\system32 \drivers\vsock.sys C:\Windows\system32 \drivers\VSTXRAID.S YS
Company Inc.,Ltd VMware, Inc.
Signer
vsock (vSockets Driver) VSTXRAID (VIA – ovladač řadiče RAID úložiště StorX (Windows)) vwifibus (Ovladač sběrnice Virtual WiFi) vwififlt (Virtual WiFi Filter Driver) WacomPen (Ovladač Wacom Serial Pen HID) wanarp (Ovladač pro vzdálený přístup IP ARP) wanarpv6 (Ovladač pro vzdálený přístup IPv6 ARP) WdBoot (Spouštěcí ovladač programu Windows Defender) Wdf01000 (Služba Architektura ovladačů v režimu jádra) WdFilter (Ovladač minifiltru programu Windows Defender) wdiwifi (WDI Driver Framework) WdNisDrv (Systémový ovladač kontroly sítě programu Windows Defender) wfpcapture (Microsoft WFP Message Capture)
Running/Boot
VIA Corporation
Microsoft Windows
C:\Windows\system32 \drivers\vwifibus.sys C:\Windows\system32 \drivers\vwififlt.sys C:\Windows\system32 \drivers\wacompen.sy s C:\Windows\system32 \drivers\wanarp.sys
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\wanarp.sys
Microsoft Windows
Stopped/Boot
C:\Windows\system32 Microsoft Corporation \drivers\WdBoot.sys
Microsoft Windows
Running/Boot
C:\Windows\system32 Microsoft Corporation \drivers\Wdf01000.sy s C:\Windows\system32 Microsoft Corporation \drivers\WdFilter.sys
Microsoft Windows
C:\Windows\system32 Microsoft Corporation \drivers\WdiWiFi.sys C:\Windows\system32 Microsoft Corporation \drivers\WdNisDrv.sys
Microsoft Windows
(unresolved) ? \SystemRoot\System 32\drivers\wfpcapture .sys C:\Windows\system32 Microsoft Corporation \drivers\wfplwfs.sys
<no signature>
WFPLWFS (Microsoft Windows Filtering Platform) WIMMount (WIMMount)
Running/Boot
C:\Windows\system32 Microsoft Corporation \drivers\wimmount.sy s C:\Windows\system32 Microsoft Corporation \drivers\WindowsTrust edRT.sys
Microsoft Windows
WindowsTrustedRT (Windows Trusted Execution Environment Class Extension) WindowsTrustedRTPro xy (Microsoft Windows Trusted Runtime Secure Service) WinMad (Služba WinMad) WINUSB (Ovladač WinUsb) WinVerbs (Služba WinVerbs) WmiAcpi (Microsoft Windows Management Interface for ACPI)
Running/Boot
Running/Boot
C:\Windows\system32 Microsoft Corporation \drivers\WindowsTrust edRTProxy.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 \drivers\winmad.sys C:\Windows\system32 \drivers\winusb.sys C:\Windows\system32 \drivers\winverbs.sys C:\Windows\system32 \drivers\wmiacpi.sys
Mellanox
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Mellanox
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Stopped/Manual
Stopped/Manual Running/System Stopped/Manual
Stopped/Manual
Running/Boot
Stopped/Manual Running/Auto
Stopped/Manual
Stopped/Manual
Stopped/Manual Stopped/Manual Stopped/Manual
Recommendation
VMware, Inc.
Microsoft Windows
Microsoft Windows
check the origin of the driver
Microsoft Windows
Microsoft Windows
Driver wpcfltr (Family Safety Filter Driver) WpdUpFltr (WPD Upper Class Filter Driver) ws2ifsl (Windows Socket 2.0 Non-IFS Service Provider Support Environment) WudfPf (User Mode Driver Frameworks Platform Driver) WUDFRd (Platforma WDF (Windows Driver Foundation) – reflektor architektury ovladače v uživatelském režimu) xboxgip (Xbox Game Input Protocol Driver) xinputhid (XINPUT HID Filter Driver)
Status Stopped/Manual
Company Microsoft Corporation
Signer Microsoft Windows
Microsoft Corporation
Microsoft Windows
Microsoft Corporation
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\WUDFPf.sys
Microsoft Windows
Running/Manual
C:\Windows\system32 Microsoft Corporation \drivers\WUDFRd.sys
Microsoft Windows
Stopped/Manual
C:\Windows\system32 Microsoft Corporation \drivers\xboxgip.sys C:\Windows\system32 Microsoft Corporation \drivers\xinputhid.sys
Microsoft Windows
Stopped/Manual
Running/System
Stopped/Manual
Exe C:\Windows\system32 \DRIVERS\wpcfltr.sys C:\Windows\system32 \drivers\WpdUpFltr.sy s C:\Windows\system32 \drivers\ws2ifsl.sys
1.3.3
Recommendation
Microsoft Windows
[SVCS-03] Services and drivers access permissions
The check verifies access permissions (ACLs) of system services and drivers. The check fails if any service has a non-standard owner, if any service's configuration can be modified by non-privileged users, or if any service can be started or stopped by an anonymous user. Exceptions can be defined by check parameters if necessary. Services that fail to satisfy these rules are shown in the results table together with a detailed specification of the problem. Check result: OK.
1.3.4
[SVCS-04] Service accounts
The check verifies the privilege level of the accounts used to run system services. If the account of any service falls into one of the privilege levels defined by the check parameters, the overall result of the check is FAIL. Exceptions can be defined by other parameters if necessary. The results table lists the problematic services, the account under which each is executed, and that account's privilege level. Check result: OK.
1.3.5
[SVCS-05] Other programs that run automatically
The check verifies access permissions for programs that are executed automatically, without direct user action. For the check to succeed, the permissions must not allow these programs to be modified by unprivileged users. Exceptions can be specified by check parameters if necessary. Check result: OK.
1.4
[SECP-xx] Security policy
1.4.1
[SECP-01] Passwords and account locking policy
The check verifies the given password and account lockout parameters. Parameters not listed in the profile are not checked. Check result: FAIL.
We recommend using Group Policy to modify these settings. To change the policy for domain accounts, the domain-wide policy object (typically the Default Domain Policy) has to be modified; for local accounts on member servers and workstations, policy objects linked to subordinate OU levels can be used as well. The GPO settings path is Computer Configuration(/Policies)/Windows Settings/Security Settings/Account Policies (and then either Password Policy or Account Lockout Policy, depending on the particular setting). Problematic values are given in the table below:

| Parameter name | Value | Recommendation |
|---|---|---|
| Min password length | 0 | min. 8 |
| Max password age (d) | 42 | |
| Min password age (d) | 0 | min. 1 |
| Password history length | 0 | min. 5 |
| Store passwords using reversible encryption | 0 | |
| Password must meet complexity requirements | 0 | 1 |
| Account lockout duration (min) | 30 | |
| Reset account lockout counter after (min) | 30 | |
| Account lockout threshold | no locking | max. 10 |
1.4.2
[SECP-02] Security settings
The check verifies the current settings of the specified system security options. Check result: FAIL. Using Group Policy is recommended to modify these settings. The GPO settings path is Computer Configuration(/Policies)/Windows Settings/Security Settings/Local Policies/Security Options. Note: We strongly recommend thoroughly testing the new settings before changing the values in a production environment, especially for parameters affecting network traffic. Potentially the most problematic settings are marked in the table with "[!]". Security options whose value does not match the requirements are listed in the table:
Category Accounts
Parameter name Block Microsoft accounts
Value
Guest account status Limit local account use of blank passwords to console logon only Prevent users from installing printer drivers Do not require CTRL+ALT+DEL
Disabled Enabled
Recommendation
users can't add or log on with microsoft accounts
Devices Interactive logon
Disabled
enabled
10
disabled 5-15 min 0 or 1
Machine inactivity limit
Microsoft network client
Microsoft network server
Network access
Number of previous logons to cache (in case domain controller is not available) Digitally sign communications (if server agrees) Send unencrypted password to third-party SMB servers Digitally sign communications (always) Digitally sign communications (if client agrees) Allow anonymous SID/Name translation Do not allow anonymous enumeration of SAM accounts Do not allow anonymous enumeration of SAM accounts and shares Do not allow storage of passwords
Enabled Disabled Disabled
enabled [!]
Disabled
enabled
Disabled Enabled Disabled
enabled [!]
Disabled
enabled [!]
Category
Network security
Parameter name and credentials for network authentication Let Everyone permissions apply to anonymous users Restrict anonymous access to Named Pipes and Shares Sharing and security model for local accounts Do not store LAN Manager hash value on next password change LAN Manager authentication level
Value
Require case insensitivity for non-Windows subsystems Admin Approval Mode for the Built-in Administrator account
Enabled
Recommendation
Disabled Enabled Classic: Local users authenticate as themselves Enabled
[!]
System objects User Account Control
Disabled
enabled
Allow UIAccess applications to Disabled prompt for elevation without using the secure desktop Behavior of the elevation prompt for administrators in Admin Approval Mode
Prompt for consent for non-Windows binaries
Only elevate executables that are signed and validated
Disabled
prompt for consent/credentials on the secure desktop
Only elevate UIAccess applications Enabled that are installed in secure locations Run all administrators in Admin Approval Mode
Enabled
Switch to the secure desktop when prompting for elevation
Enabled
Virtualize file and registry write failures to per-user locations
Enabled
1.4.3
[SECP-03] Audit settings
The check verifies whether the configuration of the system security audit meets the minimum defined by the check parameters. The check is designed to test audit settings by subcategory, which is supported on Windows 6.x (i.e. Windows Vista and higher). Category-based settings used on older systems are not verified. Check result: FAIL. Using Group Policy is recommended to modify audit settings. The GPO settings path is Computer Configuration(/Policies)/Windows Settings/Security Settings/Advanced Audit Policy Configuration. Note: Although audit subcategories are supported on Windows 6.0 (i.e. Windows Vista and Windows Server 2008), these systems do not support audit subcategory management through Group Policy. Subcategory-based audit settings on these systems can only be changed locally using the command-line utility auditpol or using third-party solutions. Group Policy support is implemented only in Windows 6.1 systems (Windows 7, Windows Server 2008/R2) and higher. Audit subcategories with an audit level lower than required are listed in the table together with their current value.
Category Account Logon
Account Management
Subcategory Credential Validation
Value No auditing
Kerberos Authentication Service Kerberos Service Ticket Operations Other Account Logon Events Application Group Management Computer Account Management
No auditing No auditing
Distribution Group Management
No auditing
No auditing No auditing No auditing
Recommendation
Success + Failure
Success + Failure
Category
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Subcategory Other Account Management Events Security Group Management
Value No auditing
Recommendation
Success
User Account Management
Success
Success + Failure Success + Failure
DPAPI Activity Plug and Play Events Process Creation
No auditing No auditing No auditing
min. Success
Process Termination RPC Events Detailed Directory Service Replication Directory Service Access Directory Service Changes Directory Service Replication Account Lockout
No auditing No auditing No auditing No auditing No auditing No auditing Success
Success + Failure
Group Membership IPsec Extended Mode IPsec Main Mode IPsec Quick Mode Logoff Logon
No auditing No auditing No auditing No auditing Success Success
Success + Failure
Network Policy Server Other Logon/Logoff Events Special Logon User / Device Claims Application Generated Central Access Policy Staging Certification Services Detailed File Share File Share File System
Success, Failure No auditing Success No auditing No auditing No auditing No auditing No auditing No auditing No auditing
min. Failure
Filtering Platform Connection Filtering Platform Packet Drop Handle Manipulation Kernel Object Other Object Access Events Registry
No auditing No auditing No auditing No auditing No auditing No auditing
min. Failure
Removable Storage SAM Audit Policy Change
No auditing No auditing Success
Authentication Policy Change
Success
Authorization Policy Change
No auditing
Filtering Platform Policy Change MPSSVC Rule-Level Policy Change Other Policy Change Events Non Sensitive Privilege Use Other Privilege Use Events Sensitive Privilege Use
No auditing No auditing No auditing No auditing No auditing No auditing
IPsec Driver
No auditing
Other System Events
Success, Failure
Security State Change
Success
Security System Extension
No auditing
System Integrity
Success, Failure
Success + Failure
Success + Failure Success + Failure Success + Failure
Success + Failure Success + Failure Success + Failure Success + Failure
1.4.4
[SECP-04] Parameters of log files
The check validates log file parameters. It succeeds only when all three standard logs (application, system, security) are overwritten as needed, their files are stored in the system directory subtree, and the minimum size of each log and its recording time window comply with the check parameters. Furthermore, guest access to event logs is required to be disabled on systems older than Windows 2003, and the total size of all logs should not exceed 300 MB on systems older than Windows Vista. Check result: OK WITH WARNING. These settings can be modified locally by changing the relevant parameters in the properties of the event log using the Event Viewer application (MMC snap-in). For domain computers, however, we recommend using a Group Policy object (the path to the relevant settings in the GPO is Computer Configuration(/Policies)/Windows Settings/Security Settings/Event Log); this option is not available in the local GP object (e.g. on standalone machines). Problematic values are given in the table below:

| Log | Parameter | Value | Recommendation |
|---|---|---|---|
| Application | Filename | %SystemRoot%\system32\winevt\Logs\Application.evtx | |
| Application | Retention | Overwrite as needed | |
| Application | Log size | 20.0 MB | |
| Security | Filename | %SystemRoot%\System32\winevt\Logs\Security.evtx | |
| Security | Retention | Overwrite as needed | |
| Security | Log size | 20.0 MB | min. 60 MB |
| System | Filename | %SystemRoot%\system32\winevt\Logs\System.evtx | |
| System | Retention | Overwrite as needed | |
| System | Log size | 20.0 MB | |
1.4.5
[SECP-05] Other security settings
The check verifies various security parameters of the system that are not covered in other chapters. It checks whether Autorun is disabled and whether Windows Error Reporting is disabled; on domain members, correct processing of Group Policy is also verified. Check result: FAIL. Errors in applying Group Policy objects are usually due to inadequate configuration of system components or to problems at the infrastructure level (the server is inaccessible due to filtering on network elements, permissions do not allow access to a network share, etc.). The solution is therefore usually more complicated; the system event log may be helpful in some circumstances. Autorun can be disabled either locally or through a Group Policy object (the GPO setting path is Computer Configuration/Administrative Templates/System [Win2003], or Computer Configuration(/Policies)/Administrative Templates/Windows Components/AutoPlay Policies [Vista+]) (related link: Autorun and autologon). Windows Error Reporting can be disabled either locally or through a Group Policy object (the GPO setting path is Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings [Win2003], or Computer Configuration(/Policies)/Administrative Templates/Windows Components/Windows Error Reporting [Vista+]) (related link: Error reporting). Problematic values are given in the table below:

| Parameter | Value | Recommendation |
|---|---|---|
| Autorun | Enabled (for computer), disabled in all 2 user profiles | disable |
| Diagnostic and usage data | Full (locally) | disable |
| Windows Defender: Cloud-based protection | Enabled (locally) | disable |
| Windows Defender: Sample submission | Enabled (locally) | disable |
1.4.6
[SECP-06] Privacy
Check verifies several settings affecting the user privacy, which are available on Windows 10.
Check result: OK WITH WARNING.
Problematic values are given in the table below:
| Category | Parameter name | Value | Recommendation |
| Advertising ID usage | State | enabled in 1 profiles (out of 2): W10W\Jane Doe | consider globally disabling in all profiles |
| SmartScreen filter | State | enabled in 1 profiles (out of 2): W10W\Jane Doe | consider globally disabling in all profiles |
| Send info about writing | State | enabled in 1 profiles (out of 2): W10W\Jane Doe | consider globally disabling in all profiles |
| Online search (Bing) | State | enabled in all 2 profiles | consider globally disabling in all profiles |
| Speech, inking & typing | State | enabled in all 2 profiles | consider globally disabling in all profiles |
| Location | State | enabled in all 2 profiles | consider globally disabling in all profiles |
| Location | Authorized applications | 2 applications total: microsoft.windowscommunicationsapps (W10W\John Doe), Microsoft.WindowsMaps (W10W\John Doe) | consider the necessity of authorized applications |
| Camera | State | enabled in 1 profiles (out of 2): W10W\John Doe | consider globally disabling in all profiles |
| Camera | Authorized applications | 5 applications total: Microsoft.Appconnector (W10W\John Doe), Microsoft.BioEnrollment (W10W\John Doe), Microsoft.MicrosoftEdge (W10W\John Doe), Microsoft.Office.OneNote (W10W\John Doe), Microsoft.WindowsCamera (W10W\John Doe) | consider the necessity of authorized applications |
| Microphone | State | enabled in 1 profiles (out of 2): W10W\John Doe | consider globally disabling in all profiles |
| Microphone | Authorized applications | 6 applications total: Microsoft.BioEnrollment (W10W\John Doe), Microsoft.MicrosoftEdge (W10W\John Doe), Microsoft.Windows.Cortana (W10W\John Doe), Microsoft.WindowsCamera (W10W\John Doe), Microsoft.WindowsSoundRecorder (W10W\John Doe), Microsoft.XboxApp (W10W\John Doe) | consider the necessity of authorized applications |
| Account info | State | enabled in all 2 profiles | consider globally disabling in all profiles |
| Account info | Authorized applications | none | |
| Contacts | State | enabled in all 2 profiles | consider globally disabling in all profiles |
| Contacts | Authorized applications | 5 applications total: Microsoft.Appconnector (W10W\John Doe), Microsoft.People (W10W\John Doe), Microsoft.Windows.Cortana, Microsoft.Windows.ShellExperienceHost, microsoft.windowscommunicationsapps | consider the necessity of authorized applications |
| Calendar | State | enabled in 1 profiles (out of 2): W10W\John Doe | consider globally disabling in all profiles |
| Calendar | Authorized applications | 3 applications total: Microsoft.Appconnector (W10W\John Doe), Microsoft.Windows.Cortana (W10W\John Doe), microsoft.windowscommunicationsapps (W10W\John Doe) | consider the necessity of authorized applications |
| Messaging | State | enabled in all 2 profiles | consider globally disabling in all profiles |
| Messaging | Authorized applications | 1 applications total: Microsoft.Windows.Cortana | consider the necessity of authorized applications |
| Radios | State | enabled in all 2 profiles | consider globally disabling in all profiles |
| Radios | Authorized applications | none | |
| Other devices | State | enabled in all 2 profiles | consider globally disabling in all profiles |
| Other devices | Authorized applications | none | |
1.5
[USER-xx] User accounts
1.5.1
[USER-01] System-wide privileges
The check verifies that the specified system privileges are not held by anybody outside the defined range of allowable holders. If a privilege is held by an unauthorized user or group, the overall outcome of the check is FAIL. Privilege holders are listed in the results table.
Check result: FAIL.
The unauthorized privilege holders can basically only be removed by using Group Policy (if we do not consider third party tools or e.g. utilities from the Resource Kit). The GPO path to the appropriate settings is Computer Configuration(/Policies)/Windows Settings/Security Settings/Local Policies/User Rights Assignment.
The table shows the conflicting privileges and their unauthorized holders:
| Privilege | Holder(s) | Recommendation |
| Access Credential Manager as a trusted caller (SeTrustedCredManAccessPrivilege) | | |
| Act as part of the operating system (SeTcbPrivilege) | | |
| Allow log on locally (SeInteractiveLogonRight) | W10W\Administrators, W10W\Backup Operators, W10W\Users, W10W\Guest | remove privilege holder(s) |
| Allow log on through Remote Desktop Services (SeRemoteInteractiveLogonRight) | W10W\Administrators, W10W\Remote Desktop Users | |
| Back up files and directories (SeBackupPrivilege) | W10W\Administrators, W10W\Backup Operators | |
| Create a token object (SeCreateTokenPrivilege) | | |
| Debug programs (SeDebugPrivilege) | W10W\Administrators | remove privilege holder(s) |
| Deny access to this computer from the network (SeDenyNetworkLogonRight) | W10W\Guest (not assigned: built-in administrator account) | assign privilege holder(s) |
| Deny log on locally (SeDenyInteractiveLogonRight) | W10W\Guest | |
| Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege) | | |
| Force shutdown from a remote system (SeRemoteShutdownPrivilege) | W10W\Administrators | |
| Impersonate a client after authentication (SeImpersonatePrivilege) | W10W\Administrators, W10W\LOCAL SERVICE, W10W\NETWORK SERVICE, W10W\SERVICE | |
| Load and unload device drivers (SeLoadDriverPrivilege) | W10W\Administrators | |
| Manage auditing and security log (SeSecurityPrivilege) | W10W\Administrators | |
| Modify an object label (SeRelabelPrivilege) | | |
| Restore files and directories (SeRestorePrivilege) | W10W\Administrators, W10W\Backup Operators | remove privilege holder(s) |
| Take ownership of files or other objects (SeTakeOwnershipPrivilege) | W10W\Administrators | |
1.5.2
[USER-02] Problematic active accounts
The check inspects security-related attributes of user accounts. The active accounts, for which any of the following conditions are true, are considered risky: an account's password does not expire, an account has a password older than one year, an account has a password older than policy limit, an account's password is empty or weak or it cannot be changed, account is locked, account has expired, account is marked trusted for delegation, account may authenticate without Kerberos pre-authentication, account has password stored under reversible encryption, or an account has not logged in during the last year. Problematic accounts are listed in the results table. Exceptions can be defined by the check parameters if necessary.
Check result: FAIL.
The table lists the problematic accounts, which have been detected:
| Problem | Account |
| No password expiration | W10W\Jane Doe, W10W\John Doe |
| Password older than policy limit | W10W\John Doe |
1.5.3
[USER-03] Local groups membership
The check verifies whether groups specified by the parameters contain other than explicitly permitted members. The group membership is not evaluated transitively for the purpose of this inspection.
Check result: FAIL.
The listed group members should be removed from the respective groups. This can be done either by modifying the groups directly on the relevant computer or the Group Policy can be used to enforce group membership (Restricted Groups). The GPO settings path is Computer Configuration(/Policies)/Windows Settings/Security Settings/Restricted Groups.
The table lists the groups with unauthorized members and the unauthorized members themselves:
| Group | Member(s) | Recommendation |
| W10W\Administrators | W10W\Administrator, W10W\John Doe | remove member(s) |
| W10W\Backup Operators | | |
| W10W\Network Configuration Operators | | |
| W10W\Power Users | | |
| W10W\Remote Desktop Users | | |
1.5.4
[USER-04] Logon cache
The check reviews the content of the logon cache. The overall result of the check is FAIL if there is a password verifier recorded in the cache which belongs to a domain account with permissions outside of the current server/workstation. The logon cache entries are listed in the result table.
Check result: OK.
1.6
[ACLS-xx] Access control
1.6.1
[ACLS-01] File system of local drives
The check verifies whether all local disks use NTFS as their filesystem. If there is a local drive that does not meet this condition, the overall check result is FAIL. The offending drives and their details are given in the results table.
Check result: OK.
Of course, the filesystem type cannot be changed centrally. The drive has to be reformatted directly on the given server/station.
| Mount point | Volume label/Size | Filesystem | Recommendation |
| C:\ | -- / 29.5 GB | NTFS | |
1.6.2
[ACLS-02] File access permissions
The check verifies access permissions (ACLs) of important files and directories. For the successful outcome of the check there may be no file with non-std. owner, no file may have a null DACL, and no file may be writable by unprivileged users. Exceptions can be defined by the check parameters if necessary. Files and folders not satisfying the above rules are listed in the results table together with the detailed problem specification.
Check result: OK.
1.7
[NETW-xx] Network settings
1.7.1
[NETW-01] Global settings
The check verifies the setting of basic network parameters. For the check to be successful the following conditions must be true: NetBIOS has to be disabled on all network interfaces, IP routing has to be disabled, the built-in firewall has to be enabled, and the system configuration files hosts and lmhosts.sam have to be empty (each of these tests can be disabled by the check parameters if necessary).
Check result: FAIL.
These settings (except for the built-in firewall configuration) cannot be managed centrally using Group Policy; values have to be set manually on each server/workstation. The GPO path for Windows built-in firewall settings is Computer Configuration(/Policies)/Administrative Templates/Network/Network Connections/Windows Firewall.
Related links:
• Disabling NetBIOS
• Hosts and lmhosts.sam files
Problematic values are given in the table below:
| Parameter | Value | Recommendation |
| NetBIOS | Enabled on 172.22.8.136 | disable |
| Built-in firewall | Enabled | |
| IP Routing | Disabled | |
| System 'hosts' file | Empty | |
| System 'lmhosts.sam' file | Empty | |
| Wi-Fi Sense: Open hotspots | (no Wi-Fi interface) | |
| Wi-Fi Sense: Password sharing | (no Wi-Fi interface) | |
1.7.2
[NETW-02] Problematic open TCP/UDP ports
Check verifies the open external (not loopback) ports, both TCP and UDP, against the specified set of rules.
Check result: OK WITH WARNING.
Disabling or limiting the accessibility of open ports usually means stopping the service, changing its configuration (loopback binding), or filtering IP traffic, e.g. by using the built-in firewall or IPSec filters. It is usually a local action that is difficult to centralize (but there are exceptions, e.g. firewall configuration).
Important notice: Windows built-in firewall is enabled on the computer. Its state is not taken into account.
The table lists the blacklisted TCP/UDP ports that are open on external interfaces:
| Protocol | Port | Local address | Process |
| TCP | 135 | * | 860 (svchost.exe - RpcSs) |
| TCP6 | 135 | * | 860 (svchost.exe - RpcSs) |
| TCP | 139 | 172.22.8.136 | 4 (System) |
| TCP | 445 | * | 4 (System) |
| TCP6 | 445 | * | 4 (System) |
| UDP | 123 | * | 1084 (svchost.exe W32Time) |
| UDP6 | 123 | * | 1084 (svchost.exe W32Time) |
| UDP | 137 | 172.22.8.136 | 4 (System) |
| UDP | 138 | 172.22.8.136 | 4 (System) |
| UDP | 1900 | 172.22.8.136 | 632 (svchost.exe SSDPSRV) |
| UDP6 | 1900 | FE80::8CEB:5768:714E:2005%5 | 632 (svchost.exe SSDPSRV) |
| UDP | 3544 | * | 508 (svchost.exe iphlpsvc) |
| UDP | 3702 | * | 632 (svchost.exe FDResPub) |
| UDP6 | 3702 | * | 1084 (svchost.exe EventSystem) |
Recommendation (3 entries): limit the access
1.7.3
[NETW-03] System server components configuration
The check validates some basic parameters of the computer's server components. The two components to be checked are Terminal Server (security level, encryption, in-session password entering) and SNMP service (app-level IP filtering, authentication trap settings and defined communities).
Check result: OK.
1.7.4
[NETW-04] Shared resources
The check examines permissions for shared drives. For a successful outcome of the check the following conditions have to be true: the share has to have a std. owner, it has to have a non-null DACL, it may not allow access to anonymous users, and it may not allow writing to a large non-privileged group (Everyone, Authenticated Users, Users, Domain Users) at both the share and the file system level (however, the file system permissions check is performed only for the top-level directory of the share). Exceptions can be specified by check parameters if necessary.
Check result: OK.
2
EXPLANATORY NOTES
2.1
Classification of findings in results tables
| Informational line, no finding. | (no recommendation) |
| Assessed parameter line, no finding (ok). | (no recommendation) |
| Assessed parameter line, lower severity finding (warning). | text of recommendation |
| Assessed parameter line, important finding (error). | text of recommendation |
2.2
Abbreviations used
Services access permissions
| Null DACL | NULL DACL (no access restriction) |
| Owner | Owned by non-std. privileged group |
| ChgCfgACE | Non-std. privileged group can change service config |
| ExecACE | Anonymous can start/stop service |
Security descriptor, the general structure
| SD | Security descriptor |
| D: | Discretionary access list (DACL) |
| O: | Owner |
Security descriptor, ACL flags
| P | Protected |
| AR | Inheritance required |
| AI | Inherited |
Security descriptor, ACE type
| A | Allow |
| D | Deny |
| U | Audit |
| M | Mandatory label |
| OA | Object Allow |
| OD | Object Deny |
| OU | Object Audit |
Security descriptor, ACE flags
| CI | Container inherit |
| OI | Object inherit |
| IO | Inherit only |
| NP | Not propagate |
| ID | Inherited |
| SA | Success audit (SACL only) |
| FA | Failure audit (SACL only) |
Security descriptor, ACE permissions
| FC | Full control (cumulative) |
| WR | Write (cumulative) |
| RD | Read (cumulative) |
| EX | Execute (cumulative) |
| [Gfc] | Full control (generic) |
| [Gwr] | Write (generic) |
| [Grd] | Read (generic) |
| [Gex] | Execute (generic) |
| [Delete] | Delete (standard) |
| [Read_Ctrl] | Read control (standard) |
| [Write_DAC] | Write DACL (standard) |
| [Write_Owner] | Write owner (standard) |
| [Sync] | Synchronize (standard) |
| [SACL] | Access SACL (standard) |
Security descriptor, permission holders (well-known security principals)
| AN | Anonymous logon user |
| AO | Account operators |
| AU | Authenticated users |
| BA | Builtin (local) administrators |
| BG | Builtin (local) guests |
| BO | Backup operators |
| BU | Builtin (local) users |
| CG | Creator group |
| CO | Creator owner |
| ED | Enterprise domain controllers |
| HI | High mandatory level |
| IS | IUser |
| IU | Interactive logon user |
| LS | Local service |
| LU | Performance Log users |
| LW | Low mandatory level |
| ME | Medium mandatory level |
| MU | Performance Monitor users |
| mAA | Windows Authorization Access Group |
| mBL | Batch logon user |
| mCS | Creator group server |
| mDA | Digest Authentication |
| mDL | Dialup logon user |
| mNA | NTLM Authentication |
| mOO | Other Organization |
| mPX | Proxy |
| mRL | Remote logon |
| mSA | SChannel Authentication |
| mTB | Incoming Forest Trust Builders |
| mTL | Terminal Server License Servers |
| mTO | This organization |
| mTS | Terminal Server |
| NO | Network configuration operators (to manage configuration of networking features) |
| NS | Network service |
| NU | Network logon user |
| PO | Printer operators |
| PS | Personal self |
| PU | Power users |
| RC | Restricted code |
| RD | Remote desktop users (for TS) |
| RE | Replicator |
| RU | Pre-windows 2000 compatible group |
| SI | System mandatory level |
| SO | Server operators |
| SU | Service logon user |
| SY | Local system |
| WD | Everyone (World) |