first untested version of Recall hardening #131

obsti8383 · obsti8383 · commit 19c8cf44cd55 · 2025-08-09T20:14:52.000+02:00
diff --git a/global_vars.go b/global_vars.go
@@ -49,6 +49,7 @@ var hardenSubjectsForPrivilegedUsers = append(hardenSubjectsForUnprivilegedUsers
 	LibreOfficeBlockUntrustedRefererLinks,
 	LibreOfficeUpdateCheck,
 	LibreOfficeDisableUpdateLink,
+	Recall,
 }...)
 
 var expertConfig map[string]bool
diff --git a/recall_feature.go b/recall_feature.go
@@ -0,0 +1,153 @@
+// Hardentools
+// Copyright (C) 2017-2025 Security Without Borders
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package main
+
+// Enable Recall Feature:
+// 	Enable-WindowsOptionalFeature -Online -FeatureName "Recall"
+// Disable and Remove Recall Feature:
+//  Disable-WindowsOptionalFeature -Online -FeatureName "Recall" -Remove
+// Get Status:
+//  Get-WindowsOptionalFeature -Online -FeatureName "Recall"
+// More details here:
+// - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+)
+
+// RecallStruct ist the struct for HardenInterface implementation.
+type RecallStruct struct {
+	shortName       string
+	longName        string
+	description     string
+	hardenByDefault bool
+}
+
+// Recall contains Names for Recall Feature implementation of hardenInterface.
+var Recall = &RecallStruct{
+	shortName:       "Recall Windows Feature",
+	longName:        "Recall Windows Feature",
+	description:     `Recall Windows Feature`,
+	hardenByDefault: false,
+}
+
+var featureName = "recall"
+
+// Harden method.
+func (recall RecallStruct) Harden(harden bool) error {
+	psString := ""
+	if harden {
+		// save state
+		if recall.IsHardened() {
+			saveHardenState(featureName, "disabled")
+		} else {
+			saveHardenState(featureName, "enabled")
+		}
+
+		// set Powershell-Command
+		psString = fmt.Sprintf("Disable-WindowsOptionalFeature -Online -FeatureName \"Recall\" -Remove")
+	} else {
+		savedState, err := getSavedHardenState(featureName)
+		if err != nil {
+			// probably no saved state found, so will not restore
+			Info.Println("Recall: No saved state found, so will not restore")
+			return errors.New("No saved state found for Recall, so will not restore")
+		}
+
+		if savedState != "enabled" {
+			Info.Println("Recall: Was not in enabled state before hardening, so will not restore")
+			return errors.New("Recall was not enabled before hardening, so will not restore")
+		}
+
+		// set Powershell-Command
+		psString = fmt.Sprintf("Enable-WindowsOptionalFeature -Online -FeatureName \"Recall\"")
+	}
+
+	Info.Printf("Recall: Executing Powershell.exe with command \"%s\"", psString)
+	out, err := executeCommand("PowerShell.exe", "-noprofile", "-Command", psString)
+	if err != nil {
+		Info.Printf("ERROR: Recall: Executing Powershell.exe with command \"%s\" failed", psString)
+		Info.Printf("ERROR: Recall: Powershell Output was: %s", out)
+		return errors.New("Executing powershell command " + psString + " failed")
+	}
+
+	isHardened := recall.IsHardened()
+	if harden {
+		if !isHardened {
+			Info.Print("Recall: Hardening seems to have failed")
+			showInfoDialog("Recall has not been disabled!")
+			return errors.New("Recall has not been disabled")
+		}
+	} else {
+		if isHardened {
+			Info.Print("Recall: Reenabling seems to have failed")
+			showInfoDialog("Recall has not been enabled!")
+			return errors.New("Recall has not been enabled")
+		}
+		// Delete savedState in hardentools registry key
+		deleteSavedHardenState(featureName)
+	}
+
+	Info.Println("Recall: Process successfull")
+
+	return nil
+}
+
+// IsHardened checks if Recall is already hardened.
+func (recall RecallStruct) IsHardened() bool {
+	psStringTest := "Get-WindowsOptionalFeature -Online -FeatureName \"Recall\" | Select-Object -ExpandProperty State"
+	Info.Printf("Recall: Executing Powershell.exe with command \"%s\"", psStringTest)
+	out, err := executeCommand("PowerShell.exe", "-noprofile", "-Command", psStringTest)
+	if err != nil {
+		Info.Printf("ERROR: Recall: Executing Powershell.exe with command \"%s\" failed", psStringTest)
+		Info.Printf("ERROR: Recall: Powershell Output was: %s", out)
+		return false
+	}
+
+	Info.Printf("Recall: Powershell output for test of status was:\n%s", out)
+	out = strings.ReplaceAll(out, "\r\n", "")
+	// Output should start with "Disabled", e.g. it should be "DisabledWithPayloadRemoved"
+	if strings.HasPrefix(out, "Disabled") {
+		Info.Print("Recall: Is hardened")
+		return true
+	} else {
+		Info.Print("Recall: Not hardened")
+		return false
+	}
+}
+
+// Name returns Name.
+func (recall RecallStruct) Name() string {
+	return recall.shortName
+}
+
+// LongName returns Long Name.
+func (recall RecallStruct) LongName() string {
+	return recall.longName
+}
+
+// Description returns description.
+func (recall RecallStruct) Description() string {
+	return recall.description
+}
+
+// HardenByDefault returns if subject should be hardened by default.
+func (recall RecallStruct) HardenByDefault() bool {
+	return recall.hardenByDefault
+}
diff --git a/registry_utils.go b/registry_utils.go
@@ -624,3 +624,59 @@ func restoreSavedRegistryKeys() error {
 
 	return err
 }
+
+// saveHardenState is a helper method for saving non-registry-based harden status
+func saveHardenState(feature, stateToSafe string) error {
+	// Open hardentools root key.
+	hardentoolsKey, _, err := registry.CreateKey(registry.CURRENT_USER,
+		hardentoolsKeyPath, registry.ALL_ACCESS)
+	if err != nil {
+		return err
+	}
+	defer hardentoolsKey.Close()
+
+	// save value
+	Trace.Println("Saving value for feature: " + feature + " with " + stateToSafe)
+	err = hardentoolsKey.SetStringValue("SavedStateNonReg_"+feature, stateToSafe)
+	if err != nil {
+		Info.Println("Could not save state due to error: " + err.Error())
+	}
+
+	return nil
+}
+
+// getSavedHardenState is a helper method for saving non-registry-based harden status
+func getSavedHardenState(feature string) (savedState string, err error) {
+	// Open hardentools root key.
+	hardentoolsKey, err := registry.OpenKey(registry.CURRENT_USER, hardentoolsKeyPath, registry.QUERY_VALUE)
+	if err != nil {
+		return "", err
+	}
+	defer hardentoolsKey.Close()
+
+	// Open registry key.
+	savedState, _, err = hardentoolsKey.GetStringValue("SavedStateNonReg_" + feature)
+	if err != nil {
+		Trace.Println("Could not retrieve saved state for feature " + feature + " due to error: " + err.Error())
+		return "", err
+	} else {
+		Trace.Println("Retreived saved state for feature " + feature + ":" + savedState)
+		return savedState, nil
+	}
+}
+
+func deleteSavedHardenState(feature string) error {
+	// Open hardentools root key.
+	hardentoolsKey, err := registry.OpenKey(registry.CURRENT_USER, hardentoolsKeyPath, registry.QUERY_VALUE)
+	if err != nil {
+		return err
+	}
+	defer hardentoolsKey.Close()
+
+	err = hardentoolsKey.DeleteValue("SavedStateNonReg_" + feature)
+	if err != nil {
+		Info.Printf("Could not delete saved state for feature %s due to error %s",
+			feature, err.Error())
+	}
+	return err
+}
diff --git a/windows_asr.go b/windows_asr.go
@@ -62,7 +62,7 @@ var actionsArrayHardended = []bool{true, true, true, true, true, true, true,
 var actionsArrayNotHardended = []bool{false, false, false, false, false, false,
 	false, false, false, false, false, false, false, false, false}
 
-// WindowsASRStruct ist the struct for HardenInterface implementation.
+// WindowsASRStruct is the struct for HardenInterface implementation.
 type WindowsASRStruct struct {
 	shortName       string
 	longName        string
