
What WinSentinel Actually Audits: All 33 Modules Explained

A complete breakdown of every audit module in v1.19 — organized by security domain, with what each checks and why it matters.

When you run winsentinel --audit, the CLI executes 33 independent security modules against your live Windows configuration. Each module produces findings with severity levels (Critical, Warning, Info) and actionable remediation steps, many of which the CLI can apply for you with --fix. Here's what's under the hood.

🛡️ Endpoint Protection

1. Windows Defender — Checks real-time protection, cloud-delivered protection, automatic sample submission, tamper protection, and signature freshness. A disabled Defender is the #1 finding on consumer machines.

2. Windows Firewall — Validates all three profiles (Domain, Private, Public) are enabled, checks for overly permissive inbound rules, and flags any rule allowing all traffic on the Public profile.

3. Windows Update — Detects pending critical/security updates, checks the last successful update date (critical if >30 days), validates automatic update settings, and flags paused updates.

🔐 Identity & Access

4. Account Security — Identifies guest accounts, checks password policies, flags accounts with "password never expires", detects local admin sprawl, and verifies UAC configuration.

5. Identity & Credential Hygiene — Audits local admin sprawl (Administrators group membership), stale accounts (90+ days inactive), LAPS deployment status, cached credentials count, LSA Protection (RunAsPPL), and Credential Guard.

6. Credential Exposure — Scans Windows Credential Manager, Git credential stores, SSH key security (passphrase-less keys, weak algorithms), plaintext credential files, saved RDP passwords, browser credential stores, and cloud credential configs.

7. Group Policy — Validates security-relevant GPO settings: account lockout policies, password complexity, audit logging, security options, and restricted software policies.

🌐 Network Security

8. Network Posture — Identifies open listening ports vs. known processes, audits firewall rules for gaps, checks SMBv1/LLMNR/NBT-NS status, and flags public profile exposure.

9. SMB Share Security — Detects SMBv1 enabled (WannaCry/NotPetya vector), SMB signing not required (NTLM relay risk), exposed administrative shares, and user-created shares with overly permissive ACLs.
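To see what the SMB and name-resolution checks in modules 8 and 9 look like when done by hand, here is an added PowerShell example (not WinSentinel's code) that reads the live SMB server configuration, the LLMNR policy value, per-adapter NetBIOS settings and the ACLs of non-administrative shares. It assumes an elevated Windows PowerShell 5.1 session on Windows 8 / Server 2012 or later (the SmbShare cmdlets); the severities it assigns are this example's own choice.

```powershell
# Added example (not WinSentinel code): manual checks for SMBv1, SMB signing,
# LLMNR, NetBIOS-over-TCP/IP and permissive share ACLs. Run elevated.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Severity, [string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Severity = $Severity; Check = $Check; Detail = $Detail })
}

# SMBv1 and signing, from the live SMB server configuration.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Add-Finding 'Critical' 'SMBv1 enabled' 'Set-SmbServerConfiguration -EnableSMB1Protocol $false'
}
if (-not $smb.RequireSecuritySignature) {
    Add-Finding 'Warning' 'SMB signing not required' 'Set-SmbServerConfiguration -RequireSecuritySignature $true (blocks NTLM relay to this host)'
}

# LLMNR is off only when the policy value EnableMulticast is present and 0.
$dnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = Get-ItemProperty -Path $dnsClientPolicy -Name EnableMulticast -ErrorAction SilentlyContinue
if ($null -eq $llmnr -or $llmnr.EnableMulticast -ne 0) {
    Add-Finding 'Warning' 'LLMNR enabled' "Set $dnsClientPolicy\EnableMulticast (DWORD) to 0"
}

# NetBIOS over TCP/IP per adapter: TcpipNetbiosOptions 0 = from DHCP, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    if ($_.TcpipNetbiosOptions -ne 2) {
        Add-Finding 'Warning' 'NBT-NS enabled' "$($_.Description): disable NetBIOS over TCP/IP in the adapter's WINS settings"
    }
}

# User-created shares (Special = $false excludes C$, ADMIN$, IPC$) whose share-level
# ACL grants Everyone or Authenticated Users more than Read.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccountName -match 'Everyone|Authenticated Users' -and
        $_.AccessRight -ne 'Read'
    } | ForEach-Object {
        Add-Finding 'Warning' 'Permissive share ACL' "\\$env:COMPUTERNAME\$($share.Name): $($_.AccountName) has $($_.AccessRight)"
    }
}

$findings | Sort-Object Severity | Format-Table -AutoSize
```

Share-level ACLs are only half the picture: a share granting Everyone Full Control is still constrained by the NTFS ACL on the folder, so treat the last finding as a prompt to check both.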

10. DNS Security — Checks for insecure DNS servers, DNS-over-HTTPS not enabled, DNS cache poisoning exposure, LLMNR/NetBIOS spoofing risk, and hosts file tampering.

11. Wi-Fi Security — Detects saved profiles using weak/no encryption (Open, WEP, WPA-TKIP), auto-connect to insecure networks, cleartext password exposure, and MAC randomization status.

12. Remote Access — Validates RDP settings and NLA, SSH server exposure, VNC/TeamViewer/AnyDesk configurations, WinRM/PSRemoting exposure, Remote Registry, and Remote Assistance.

13. Bluetooth — Flags Bluetooth radio left enabled when unneeded, discoverable mode (BlueBorne/BlueSmack risk), paired devices with outdated profiles, and services exposing sensitive capabilities.

💻 System & Configuration

14. System Security — Checks Windows version (end-of-life detection), Secure Boot, TPM 2.0 presence, Kernel DMA protection, and Virtualization-Based Security (VBS).

15. Registry Security — Audits UAC disabled or weakened, Remote Desktop without NLA, AutoPlay/AutoRun not disabled, WDigest cleartext credential caching (UseLogonCredential), and cached domain logon credentials.
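Modules 5 and 15 both come down to a handful of registry values plus one WMI class. The following added PowerShell example (not WinSentinel's code) reads those values and reports which are in an insecure state. It assumes an elevated session; the registry paths are the standard Windows ones, while the CachedLogonsCount threshold of 4 and the severities are this example's own choices.

```powershell
# Added example (not WinSentinel code): registry-backed credential-protection,
# UAC, RDP and AutoRun checks, plus Credential Guard via Win32_DeviceGuard.

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, so "not set" can be judged separately.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Secure: script block deciding whether a present value is acceptable.
# AbsentIsSecure: what an absent value means. WDigest caching is off by default on
# Windows 8.1 / Server 2012 R2 and later; ConsentPromptBehaviorAdmin defaults to 5 (prompts).
$checks = @(
    @{ Name = 'LSA Protection (RunAsPPL)';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                Value = 'RunAsPPL';                   Secure = { $args[0] -ge 1 };      AbsentIsSecure = $false; Severity = 'Warning' }
    @{ Name = 'WDigest cleartext caching off'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';           Value = 'UseLogonCredential';         Secure = { $args[0] -eq 0 };      AbsentIsSecure = $true;  Severity = 'Critical' }
    @{ Name = 'Cached domain logons <= 4';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';               Value = 'CachedLogonsCount';          Secure = { [int]$args[0] -le 4 }; AbsentIsSecure = $false; Severity = 'Info' }
    @{ Name = 'UAC enabled (EnableLUA)';       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';           Value = 'EnableLUA';                  Secure = { $args[0] -eq 1 };      AbsentIsSecure = $false; Severity = 'Critical' }
    @{ Name = 'UAC prompts admins';            Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';           Value = 'ConsentPromptBehaviorAdmin'; Secure = { $args[0] -ne 0 };      AbsentIsSecure = $true;  Severity = 'Warning' }
    @{ Name = 'RDP requires NLA';              Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Value = 'UserAuthentication';         Secure = { $args[0] -eq 1 };      AbsentIsSecure = $false; Severity = 'Warning' }
    @{ Name = 'AutoRun off for all drives';    Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';         Value = 'NoDriveTypeAutoRun';         Secure = { $args[0] -eq 255 };    AbsentIsSecure = $false; Severity = 'Warning' }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Value
    $ok = if ($null -eq $actual) { $c.AbsentIsSecure } else { & $c.Secure $actual }
    [pscustomobject]@{
        Check  = $c.Name
        Value  = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status = if ($ok) { 'OK' } else { $c.Severity }
    }
}

# Credential Guard is reported through WMI rather than the registry:
# SecurityServicesRunning contains 1 when it is active (2 means HVCI).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = 'Credential Guard running'
    Value  = if ($dg) { ($dg.SecurityServicesRunning -join ',') } else { '<no DeviceGuard class>' }
    Status = if ($dg -and ($dg.SecurityServicesRunning -contains 1)) { 'OK' } else { 'Warning' }
}

$results | Format-Table -AutoSize
```

Keeping the expected value and the meaning of "absent" next to each check is the part worth copying: several of these values (WDigest, ConsentPromptBehaviorAdmin) are secure when missing, and a scanner that treats every missing value as a finding produces noise that gets ignored.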

16. Environment Variables — Detects PATH hijacking via writable directories, secrets leaked in environment variables (API keys, tokens), dangerous PATHEXT entries, insecure proxy settings, and overly permissive TEMP/TMP ACLs.

17. Privacy & Telemetry — Checks advertising ID, location tracking, diagnostic data levels, activity history, feedback frequency, and speech recognition privacy settings.

🔒 Encryption & Storage

18. Encryption — Checks BitLocker status per volume, recovery key backup, encryption method strength, and drive encryption completeness.

19. Certificate Store — Detects expired certificates, soon-to-expire certs, weak signature algorithms (SHA-1, MD5), untrusted root CAs, and self-signed certs in trusted stores.

20. USB & Removable Media — Checks AutoRun/AutoPlay settings, USB write-protect policy, BitLocker-to-Go enforcement, device connection history, USBSTOR service status, and removable disk encryption requirements.

21. Backup & Recovery — Validates Volume Shadow Copy (VSS) service and shadow copies, System Restore configuration, File History, Windows Backup, ransomware resilience indicators, and recovery partition presence.

🏗️ Application & Service Security

22. Application Security — Checks UAC level, SmartScreen, exploit protection (DEP, ASLR, CFG), developer mode, sideloading policy, and .NET Framework security settings.

23. Browser Security — Audits Chrome/Edge/Firefox for dangerous extensions, SmartScreen settings, pop-up blocker, safe browsing, and password manager integration.

24. Service Security — Scans for unquoted service paths (privilege escalation), services running as SYSTEM from user-writable paths, disabled security services, auto-start services pointing at missing binaries, and suspicious cmd/PowerShell service wrappers.
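The unquoted-service-path check in module 24 is a good example of a finding that is only Critical when a second condition holds. The added PowerShell example below (not WinSentinel's code) enumerates services with unquoted image paths containing spaces, computes the directories where Windows would look for a mis-parsed executable, and probes whether the current user can write to any of them. Run it as a standard user to see exactly what an attacker with that access could reach; the severities are this example's own.

```powershell
# Added example (not WinSentinel code): unquoted service paths, with a real
# write probe on each hijackable directory instead of an ACL guess.

function Test-DirWritable([string]$Dir) {
    # Create and delete a probe file; reading the ACL can miss effective rights.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([guid]::NewGuid().ToString('N'))
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; $true } catch { $false }
}

function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = $_.PathName
        # Quoted paths are safe; so are paths with no space before the executable.
        if (-not $path -or $path.StartsWith('"')) { return }
        $exeMatch = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        if (-not $exeMatch.Success) { return }
        $exe = $exeMatch.Groups[1].Value
        if ($exe -notmatch ' ') { return }

        # "C:\Program Files\Foo Bar\svc.exe" makes the service controller try
        # C:\Program.exe, then "C:\Program Files\Foo.exe", and so on. The parent
        # directory of each candidate is where an attacker would plant a binary.
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
        }
        $writable = @($candidates | Sort-Object -Unique | Where-Object { Test-DirWritable $_ })

        [pscustomobject]@{
            Service      = $_.Name
            StartMode    = $_.StartMode
            RunsAs       = $_.StartName
            ImagePath    = $exe
            Severity     = if ($writable.Count -gt 0) { 'Critical' } else { 'Info' }
            WritableDirs = ($writable -join '; ')
        }
    }
}

Get-UnquotedServicePath | Sort-Object Severity | Format-Table -AutoSize
```

An Info result (unquoted, but no writable directory on the path) is still worth fixing by quoting the ImagePath in the service's registry key, since a later ACL change on any of those directories turns it Critical without any change to the service itself.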

25. Software Inventory — Detects unsigned/tampered executables, programs in suspicious locations, outdated software with known vulnerability indicators, PUPs via heuristic patterns, and orphaned installations.

26. Startup Programs — Analyzes Registry Run/RunOnce entries, Startup folder programs, scheduled task triggers, and service auto-start entries for persistence mechanisms.

27. Driver Security — Finds unsigned or self-signed drivers, drivers from user-writable paths, known vulnerable drivers used in BYOVD attacks, revoked certificates, and ancient unpatched drivers.

28. Virtualization — Validates Hyper-V isolation settings, WSL version and distribution security, Windows Sandbox availability, Docker daemon security, Credential Guard, VBS, and HVCI status.

⚡ Threat Detection & Forensics

29. Process Security — Analyzes running processes for SYSTEM-level execution, unsigned executables, processes from temp directories, and high-privilege process count.

30. Process Lineage Analysis — Maps parent-child process relationships to detect LOLBin abuse, Office macro execution spawning command interpreters, WMI lateral movement, deep interpreter nesting (obfuscation), and orphaned processes. References MITRE ATT&CK techniques.
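Process lineage checks need a parent-child map, and Win32_Process gives you one directly. The added PowerShell example below (not WinSentinel's code) builds that map from a live snapshot, walks each command interpreter's ancestry, and flags the three lineages module 30 names: Office spawning an interpreter, WMI spawning one, and deep interpreter nesting. The nesting threshold (3), the interpreter list and the ATT&CK mappings are this example's choices; the CreationDate check guards against a reused parent PID pointing at an unrelated process.

```powershell
# Added example (not WinSentinel code): parent->child process lineage from a
# Win32_Process snapshot, with the suspicious chains flagged.

$officeApps   = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe'
$interpreters = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe'

$procs = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-Ancestry([int]$ProcessId) {
    # Walk ParentProcessId upward. Stops at a missing parent (the process is orphaned)
    # or when a loop is detected. Returns [self, parent, grandparent, ...].
    $chain = @(); $seen = @{}
    $cur = $byPid[$ProcessId]
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain += $cur.Name.ToLower()
        $next = $byPid[[int]$cur.ParentProcessId]
        # A "parent" that started after its child is a reused PID, not the real parent.
        if ($next -and $next.CreationDate -and $cur.CreationDate -and $next.CreationDate -gt $cur.CreationDate) { $next = $null }
        $cur = $next
    }
    return ,$chain
}

$findings = foreach ($p in $procs) {
    $name = $p.Name.ToLower()
    if ($name -notin $interpreters) { continue }
    $chain  = Get-Ancestry $p.ProcessId
    $parent = if ($chain.Count -ge 2) { $chain[1] } else { '<orphan>' }
    $nested = @($chain | Where-Object { $_ -in $interpreters }).Count

    $reason = $null
    if ($parent -in $officeApps)        { $reason = 'Office app spawned an interpreter (T1566.001 / T1204.002)' }
    elseif ($parent -eq 'wmiprvse.exe') { $reason = 'WMI spawned an interpreter (T1047)' }
    elseif ($nested -ge 3)              { $reason = 'Deep interpreter nesting, typical of obfuscated launchers (T1059)' }
    elseif ($parent -eq '<orphan>')     { $reason = 'Orphaned interpreter: parent exited or is not visible' }

    if ($reason) {
        [pscustomobject]@{
            Pid     = $p.ProcessId
            Lineage = ($chain -join ' <- ')
            Reason  = $reason
            Command = $p.CommandLine
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

A snapshot only sees processes that are still alive, so a short-lived cmd.exe launched from a document will usually be gone before this runs; the same logic applied to Sysmon or Security event 4688 records (which carry the parent image) catches those too.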

31. Scheduled Task Security — Identifies persistence via tasks running as SYSTEM with suspicious actions, tasks executing from user-writable/temp directories, hidden tasks, and tasks using encoded PowerShell.

32. Event Log Analysis — Checks for brute force indicators (failed logins), privilege escalation events, audit policy completeness, log size/retention, and critical security events in the last 24 hours.

33. PowerShell Security — Validates execution policy, script block logging, module logging, transcription logging, AMSI status, PowerShell v2 engine (downgrade attack vector), and ConstrainedLanguageMode.
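Most of module 33 reduces to a few policy registry keys, one optional feature and two properties of the running session. The added PowerShell example below (not WinSentinel's code) checks each of them; it assumes an elevated Windows PowerShell 5.1 session on a client SKU, where the v2 engine is exposed as the optional feature MicrosoftWindowsPowerShellV2. Whether Constrained Language Mode should be expected at all depends on an AppLocker or WDAC policy being in place, so treat that row as informational on an unmanaged machine.

```powershell
# Added example (not WinSentinel code): PowerShell logging, v2 engine,
# execution policy, language mode and AMSI checks.

function Get-PolicyValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# These are the keys Group Policy writes for the three logging features.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$checks = [ordered]@{
    'Script block logging'                     = (Get-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
    'Module logging'                           = (Get-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging') -eq 1
    'Transcription'                            = (Get-PolicyValue "$psPolicy\Transcription" 'EnableTranscripting') -eq 1
    'Execution policy not Unrestricted/Bypass' = (Get-ExecutionPolicy) -notin 'Unrestricted','Bypass'
    'Constrained Language Mode'                = $ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage'
}

# The v2 engine has no script block logging and no AMSI; if it is installed,
# "powershell -Version 2" downgrades past both. On client SKUs it is an optional feature.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
$checks['PowerShell v2 engine removed'] = ($null -eq $v2) -or ($v2.State -ne 'Enabled')

# AMSI: amsi.dll loaded in this process means script content here is being handed to the AV provider.
$amsi = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -eq 'amsi.dll' }
$checks['AMSI loaded in this session'] = $null -ne $amsi

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Status = if ($_.Value) { 'OK' } else { 'Warning' } }
} | Format-Table -AutoSize
```

The execution policy row is the least important of these: it is a safety rail against accidental script execution, not a security boundary, which is why the logging and v2 rows matter more for detection.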

Getting started

dotnet tool install --global WinSentinel.Cli
winsentinel --audit

That's it. Two commands, zero configuration, 33 modules across the attack surfaces listed above. Every finding includes a "why" explanation and a concrete fix — many of which the CLI can apply automatically with --fix.

Want to focus on a specific area? Use profiles: winsentinel --audit --profile network or winsentinel --audit --profile identity.