Version 2.0 • Last Updated: February 2026 • Applies to VBS Disabler v3.0+
This script intentionally disables Windows security features to enable VMware Workstation CPL0 mode. Please understand the security implications before running this script.
-
Virtualization-Based Security (VBS)
- Purpose: Isolates critical Windows processes
- Impact: Medium security reduction
-
Hypervisor-Protected Code Integrity (HVCI / Memory Integrity)
- Purpose: Prevents malicious code from running
- Impact: Medium security reduction
-
Device Guard
- Purpose: Restricts code execution to trusted sources
- Impact: Low to medium security reduction
-
Credential Guard
- Purpose: Protects credentials from theft
- Impact: Low security reduction (requires physical access)
-
DMA Protection (BIOS setting)
- Purpose: Prevents DMA attacks via external ports
- Impact: Low security reduction (requires physical access)
- ✅ Memory-based malware attacks
- ✅ Kernel-level exploits
- ✅ DMA attacks (via Thunderbolt/USB-C)
- ✅ Credential theft attacks
- ✅ Some zero-day exploits
- ✅ Standard malware (Windows Defender still active)
- ✅ Network attacks (Firewall still active)
- ✅ Phishing attacks (SmartScreen still active)
- ✅ Most common threats
⚠️ Advanced persistent threats (APTs)⚠️ Kernel-level malware⚠️ Physical DMA attacks (requires physical access + specialized hardware)⚠️ Memory-based exploits⚠️ Some sophisticated attacks
| Factor | Risk Level | Notes |
|---|---|---|
| Home users in secure environments | LOW | Physical security is good, low exposure |
| Laptops in public places | MEDIUM | Higher exposure to physical attacks |
| Corporate/managed devices | HIGH | May violate security policies |
| High-value targets | HIGH | APTs and sophisticated attacks more likely |
| Development/testing machines | LOW | Acceptable trade-off for functionality |
-
Strong Passwords
- Minimum 15 characters
- Mix of upper/lower/numbers/symbols
- Unique (not used elsewhere)
- Use a password manager
-
BitLocker Encryption
- Encrypt C: drive at minimum
- Use strong recovery key
- Store recovery key securely
# Enable BitLocker Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly
-
Physical Security
- Lock laptop when away (Win + L)
- Don't leave unattended in public
- Use cable lock in public spaces
- Store in secure location
-
Windows Defender
- Keep real-time protection ON
- Enable cloud-delivered protection
- Enable automatic sample submission
- Keep definitions updated
-
Windows Firewall
- Keep enabled
- Use default settings minimum
- Consider custom rules for extra protection
-
BIOS/UEFI Password
- Set supervisor password in BIOS
- Prevents unauthorized BIOS changes
- Adds boot-time protection
-
Windows Update
- Keep Windows fully updated
- Enable automatic updates
- Install security patches promptly
-
Multi-Factor Authentication (MFA)
- Enable on all accounts
- Use authenticator app
- Backup codes stored securely
-
Regular Backups
- 3-2-1 backup strategy
- Cloud backup (OneDrive, Google Drive)
- External drive backup
- Test restores periodically
-
Limited User Accounts
- Don't use admin account daily
- Use standard user for daily tasks
- Elevate only when needed
- ❌ You work for government/defense/intelligence
- ❌ You handle classified information
- ❌ You're a high-value target (executive, celebrity, politician)
- ❌ Your company has strict security policies
- ❌ You frequently work in hostile/public environments
- ❌ You handle sensitive customer/client data
- ❌ Your device is managed by corporate IT
- ❌ You're required to maintain compliance (HIPAA, PCI-DSS, etc.)
- Use Hyper-V instead of VMware (Microsoft's native hypervisor)
- Accept ULM mode (slower but secure)
- Use a separate physical machine for VMs
- Dual-boot configuration (VBS enabled/disabled boot entries)
What it is: Attacker plugs malicious device into Thunderbolt/USB-C port
Requirements:
- Physical access to your unlocked laptop
- 2-5 minutes unsupervised
- Specialized hardware ($100-500)
Protection with DMA Protection: ✅ Blocked Protection without DMA Protection: ❌ Vulnerable Compensating control: Physical security, BitLocker
Reality: Extremely rare for home users
What it is: Malware that operates entirely in RAM
Requirements:
- Malware execution (phishing, exploit, etc.)
- Sophisticated attack code
Protection with HVCI: ✅ Blocks most attempts
Protection without HVCI:
Reality: Uncommon, but increasing
What it is: Stealing Windows login credentials
Requirements:
- Physical access OR sophisticated malware
Protection with Credential Guard: ✅ Credentials isolated
Protection without Credential Guard:
Reality: Rare without physical access
- ✅ Use for legitimate development/testing purposes
- ✅ Implement compensating security controls
- ✅ Understand what you're disabling
- ✅ Accept the security trade-off consciously
- ✅ Keep a System Restore point
- ✅ Monitor your system for unusual activity
- ❌ Use to bypass corporate security policies
- ❌ Use on devices with sensitive data
- ❌ Use without implementing compensating controls
- ❌ Share your password after disabling protections
- ❌ Leave laptop unattended in public
- ❌ Ignore Windows Defender warnings
-
Monitor System Activity
# Check for unusual processes Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 # Check network connections Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} # Check startup items Get-CimInstance Win32_StartupCommand | Select-Object Name, Command
-
Regular Security Audits
- Review installed programs monthly
- Check browser extensions
- Audit user accounts
- Review firewall rules
-
Incident Response Plan
- Know how to restore from System Restore
- Have backup of important files
- Know how to re-enable VBS if needed
- Have recovery media ready
-
Stay Informed
- Follow security news
- Subscribe to Microsoft Security Response Center
- Join r/sysadmin or r/netsec communities
- Watch for new vulnerabilities
If you discover a security vulnerability in this script:
- ❌ Open a public GitHub issue
- ❌ Discuss publicly on social media
- ❌ Share exploit code publicly
- ✅ Email: [Your security email if you want]
- ✅ Use GitHub Security Advisory (private disclosure)
- ✅ Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
- 24 hours: Acknowledgment of report
- 7 days: Initial assessment
- 30 days: Fix developed and tested
- 60 days: Public disclosure (coordinated)
Even with VBS/HVCI disabled, you still have multiple security layers:
- Laptop locked when away
- Secure storage location
- Cable lock in public
- Strong passwords
- Windows Hello (still works!)
- MFA on online accounts
- BitLocker (full disk encryption)
- Encrypted backups
- HTTPS for websites
- Windows Defender (still active!)
- Firewall (still active!)
- SmartScreen (still active!)
- VPN for public WiFi
- Router firewall
- DNS filtering
- Don't click suspicious links
- Verify email senders
- Check website URLs
- Use safe browsing habits
Use of this script is at your own risk.
The author (ZACODEC) and contributors:
- ❌ Are NOT responsible for security breaches
- ❌ Are NOT responsible for data loss
- ❌ Are NOT responsible for system instability
- ❌ Are NOT responsible for policy violations
- ❌ Do NOT provide warranty of any kind
This script is provided "AS IS" without warranty.
By using this script, you acknowledge:
- ✅ You understand the security implications
- ✅ You accept the risks involved
- ✅ You will implement compensating controls
- ✅ You are using it for legitimate purposes
- ✅ You comply with applicable laws and policies
-
Immediate Actions:
# Disconnect from internet Disable-NetAdapter -Name "*" # Lock your account # Win + L immediately
-
Assessment:
- Check for unusual processes
- Check network connections
- Review recent file changes
- Check Event Viewer for anomalies
-
Response:
- Change all passwords
- Re-enable VBS if needed
- Run full antivirus scan
- Restore from clean backup if necessary
-
Report:
- Contact your IT department (if corporate)
- Report to relevant authorities if serious
- Document everything
To restore full security features:
# Re-enable VBS
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
-Name "EnableVirtualizationBasedSecurity" -Value 1 -Force
# Re-enable HVCI
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" `
-Name "Enabled" -Value 1 -Force
# Re-enable hypervisor
bcdedit /set hypervisorlaunchtype auto
# Enable Memory Integrity via GUI
# Windows Security → Device security → Core isolation → Memory integrity: ON
# Restart
Restart-ComputerAlso re-enable in BIOS:
- Secure Boot: Enabled
- DMA Protection: Enabled (if available)
Before running this script, verify:
- I understand what VBS/HVCI/Device Guard do
- I accept the security trade-off
- I will implement compensating controls
- I have BitLocker enabled or will enable it
- I use strong, unique passwords
- I will maintain physical security
- I keep Windows Defender enabled
- I keep my system updated
- I have a backup strategy
- I understand how to revert changes
- My use case justifies the risk
- I'm not violating any policies
Created by: ZACODEC Last Updated: February 2026 Version: 2.0