Hello everyone, here I am again, this time with a question about the Microsoft.Windows.SecHealthUI?

These are all kernel tweaks for page memory randomization (to prevent buffer overflows from working, since the pages for a given process are stored in random order instead of being consecutive).

While they can be addressed by reg tweaks, there is no other UI function for the user.
I was thinking the exact thing and plan on doing some reg settings tweaks. I have turned off DEP but have not checked the rest of these little ones yet.

Could be interesting or could be a waste of clicks. Later on today after kiddo is pooped out I will take a look.

Would like to say this SHOULDN'T be done for the average user.
 
if u remove smartscreen component, you won't be able to install appx packages manually. don't remove component just disable it via reg.
 
Does the reg disable still work? Heard it still runs in the background with it disabled. I was worried purging this was what caused me issues in my past.

That was why I left it well alone
 
DEP:

A quick sidenote for any gamers/lurkers reading this thread, disabling DEP can result in you being banned from some games.

Here's an official Steam article on games and DEP:
https://help.steampowered.com/en/faqs/view/22C0-03D0-AE4B-04E8

Also, unless you explicitly enable PAE (physical address extension), by turning off DEP it also turns off PAE in some circumstances (32-bit OS). I haven't tested how PAE works on the modern and/or 64-bit OS now when it comes to 32-bit programs/drivers though. Just be aware of that if you are someone that needs PAE.
 
Well, it's a good thing I don't game at all on multiplayer servers anymore. Lone wolf here if I ever game.

Thanks for the tidbit of knowledge.
 
if u remove smartscreen component, you won't be able to install appx packages manually. don't remove component just disable it via reg.
Why would you have to, if the Store already does that more quickly once you go online after install, and you don't need apps other than the ones already installed?
If you just want to disable the component via reg, why use NTL?
 
Purely by chance I was testing something today. For remote working my company uses "pulse secure vpn" that enables us to join the work domain to access server files etc... Pulse Secure demands Windows Defender or any 3rd party AV that is updated and has the real time scanner enabled...

But today I learned that Pulse Secure VPN (possibly other apps that want the same information) can't read the AV's status (if it's enabled or disabled, or if realtime scan is active or not) if Windows Security is not installed. I experienced other issues in the past regarding Windows Security, for example the Apex or FIFA 2022 game sometimes crashes because it cannot verify if my computer is safe or not.... For this case "pulse secure", if I want to use a 3rd party AV, I can safely remove Windows Defender but I cannot touch Security Center.... (for now)

This is getting ridiculous. I have been using NTLite for many years now, but with each Windows update I am forced to keep some other component. The only thing I can do that is safe and future proof is now reg tweaks really..
 
People may remove store
Remove store..........blasphemy
Purely by chance I was testing something today. For remote working my company uses "pulse secure vpn" that enables us to join the work domain to access server files etc... Pulse Secure demands Windows Defender or any 3rd party AV that is updated and has the real time scanner enabled...

But today I learned that Pulse Secure VPN (possibly other apps that want the same information) can't read the AV's status (if it's enabled or disabled, or if realtime scan is active or not) if Windows Security is not installed. I experienced other issues in the past regarding Windows Security, for example the Apex or FIFA 2022 game sometimes crashes because it cannot verify if my computer is safe or not.... For this case "pulse secure", if I want to use 3rd party software I can safely remove Windows Defender but I cannot touch Security Center....

This is getting ridiculous. I have been using NTLite for many years now, but with each Windows update I am forced to keep some other component. The only thing I can do that is safe and future proof is now reg tweaks really..
They got your computer balls in a vice and just drag you around with a leash because they can.
 
...This is getting ridiculous. I have been using NTLite for many years now, but with each Windows update I am forced to keep some other component. The only thing I can do that is safe and future proof is now reg tweaks really..
Yeah, I've been saying this same thing lately and get the side eye from a lot of people here. I don't mean it negatively though, which is how it must be getting interpreted, rather this is something that I think we as a collective here on this forum, and Nuhi/NTLite need to start considering sooner than later. The future of NTLite will probably be almost exclusively reg key manipulation with fewer and fewer component removal capability.

It's why I built my optimized image purely without removing components, and only using 500+ reg keys. Because there are so many things that break when components (even seemingly harmless stuff) are removed. It's become safer and faster (at least for me) to research and test keys, even hundreds of them, than to figure out blindly what will break after removing a component. Or worse, to figure out which component removal is responsible when you try to remove a dozen+ simultaneously.
 
Yeah, I agree with some, but NTLite for most people is still going to be useful, since lots of people just create images and deploy them to their companies that are tailor-made for their software only, so they won't have any problems.
 
People may remove store
Maybe - but then it also removes all the other crap they want. So I don't understand your argument? Without knowing it, I think most people use NTL privately, although it is often discussed on a professional level related to company-connected machines. Maybe once in a while should just get down to a level where ordinary users can join. Thanks.
 
Why don't we settle the original question by actual testing?

1. Clean install of 21H2 RTM.

2. Run install_wim_tweak.exe, or another tool to unhide Windows packages.
Code:
dism /online /get-packages | findstr /i defender
Package Identity : Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1
Package Identity : Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1
Package Identity : Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.662
Package Identity : Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.746
Package Identity : Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1
Package Identity : Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.844
Package Identity : Windows-Defender-ApplicationGuard-Inbox-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1
Package Identity : Windows-Defender-ApplicationGuard-Inbox-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746
Package Identity : Windows-Defender-Client-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.964
Package Identity : Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1202
Package Identity : Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.964
Package Identity : Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1202
Package Identity : Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1023
Package Identity : Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1023
Package Identity : Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1
Package Identity : Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.746
Package Identity : Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1
Package Identity : Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1
Package Identity : Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1
Package Identity : Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1
Package Identity : Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1
Package Identity : Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1

3. Remove the obvious first choices: Group Policy, MDM Group and Powershell modules.
Code:
dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1023 /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1023 /packagename:Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1 /packagename:Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1 /packagename:Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1 /packagename:Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1
My Start Menu stopped working after removals, so I rebooted.

4. Remove ApplicationGuard or WDAG.
Code:
Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1
Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.844
Windows-Defender-ApplicationGuard-Inbox-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1
Windows-Defender-ApplicationGuard-Inbox-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746

5. Remove Defender AV definitions.
Code:
Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1
Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1
Reboot required.

6. Remove Defender-Core. DISM isn't allowed, unless I disable Tamper Protection.
Code:
Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.964
Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1202
Reboot required. That's the real Defender Platform, and removing it hides the Virus protection panel.

7. Remove Defender-NIS (Network Inspection Service).
Code:
Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1
Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1

8. Remove Defender-AppLayer.
Code:
Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.662
Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.746
Not sure what that disabled.

9. Remove Defender-Client.
Code:
Windows-Defender-Client-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.964
Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1202
Not sure what that disabled.

10. Conclusion:
Removing the Defender feature packages removes Defender from the Security Center, while keeping non-Defender features (firewall, VBS isolation, application security) visible. If NTLite isn't separating the packages this way, then it should.

The one glitch is Protection areas doesn't hide "Virus & threat protection".

 
Why don't we settle the original question by actual testing?...

Removing the Defender feature packages removes Defender from the Security Center, while keeping non-Defender features (firewall, VBS isolation, application security) visible. If NTLite isn't separating the packages this way, then it should.
Thank you so much. This is exactly what devilink and I were asking for and assuming was possible, and indeed it is. Yes, NTLite currently destroys the entire Security Center, and it shouldn't be.
 
Code:
Microsoft-OneCoreUAP-AppRuntime-RemoteAppLifetimeManager-Package
Microsoft-Windows-HVSI-Components-Package
Microsoft-Windows-HVSI-Components-WOW64-Package
Microsoft-Windows-SenseClient-Package
Windows-Defender-ApplicationGuard-Inbox-Package
Windows-Defender-ApplicationGuard-Inbox-WOW64-Package
Windows-Defender-Client-Package
Windows-Defender-Group-Policy-Package

Currently I'm cleaning the defender with dism.

It can be seen from the picture that some components are included, do they need to be processed additionally?

But if you delete

Code:
Microsoft-Windows-HVSI-Package
Microsoft-Windows-HVSI-WOW64-Package

it will delete the container. Are there any effects?
Code:
Containers-ApplicationGuard-Package
Containers-ApplicationGuard-WOW64-Package
Containers-Guest-Gated-Package
Containers-Guest-Gated-WOW64-Package
Containers-OptionalFeature-DisposableClientVM-Package
 

Garlin, I think your write up here is awesome. Maybe it would be worth also copying your write up into a new thread, as an example of how to test something like this, for learning purposes. I plan on retracing your steps here just so I can learn, and apply this to future issues of this nature.
 
It's a modder's trade secret that Windows hides the full list of installed packages from DISM, to prevent removals by stupid users.

install_wim_tweak and other apps (or scripts) will change the reg keys and unhide packages. Before anyone thinks they don't need NTLite for removals, DISM still works on the package level. NTLite works on the component level below a package.

Most Windows modding tool kits know the reg hack.

After that, you need to have a testing plan to record changes. It's not just the removals, but what items are you checking to see if they're affected by the change. Otherwise your answers will be half-correct.
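
One way to keep the change record this thread calls for, as an added example that is not part of any post here: a Python script that parses saved `dism /online /get-packages` output and reports which package families a removal step took out. The function names are hypothetical, `BEFORE` reuses lines from the listing earlier in the thread, and `AFTER` is constructed.

```python
"""Record which packages a DISM removal step actually took out."""
import re
from collections import defaultdict
from typing import NamedTuple

class PackageIdentity(NamedTuple):
    name: str
    token: str
    arch: str
    lang: str      # empty string = language-neutral package
    version: str

# "Package Identity : <name>~<token>~<arch>~<lang>~<version>"
_LINE = re.compile(r"^\s*Package Identity\s*:\s*(\S+)\s*$", re.IGNORECASE)

def parse_identities(dism_output):
    """Extract package identities from `dism /online /get-packages` text."""
    found = []
    for line in dism_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split("~")
        if len(parts) != 5:          # not a five-field identity: skip it
            continue
        found.append(PackageIdentity(*parts))
    return found

def group_by_feature(pkgs):
    """Map package name -> sorted (language, version) pairs."""
    groups = defaultdict(list)
    for p in pkgs:
        groups[p.name].append((p.lang or "neutral", p.version))
    return {name: sorted(pairs) for name, pairs in groups.items()}

def removed_between(before, after):
    """Package names present before a step and absent afterwards."""
    had = set(group_by_feature(parse_identities(before)))
    has = set(group_by_feature(parse_identities(after)))
    return sorted(had - has)

# Lines copied from the listing in the thread (subset).
BEFORE = """\
Package Identity : Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.964
Package Identity : Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1202
Package Identity : Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1023
Package Identity : Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1023
"""
# Constructed: what the same query would list once step 3 removed Group Policy.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "Group-Policy" not in l)

if __name__ == "__main__":
    print(group_by_feature(parse_identities(BEFORE)))
    print("removed:", removed_between(BEFORE, AFTER))
```

Saving one snapshot before and after each numbered step, plus a note of which Security Center panels were checked, gives a per-step record instead of a single end result.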
 