Aegis11 is a deterministic state enforcement engine for Windows systems.
It applies, validates, and continuously reconciles a desired system configuration across multiple OS subsystems, including the registry, services, scheduled tasks, and network filtering layers.
Rather than relying on one-time modifications, it implements a transactional Write-Ahead Log (WAL) and a drift reconciliation model, ensuring consistency across reboots, updates, and external interference.
The engine does not attempt to break or remove core system components.
Instead, it enforces control through:
- Deterministic state application (no blind writes)
- Continuous drift detection and reconciliation
- Transactional safety with full rollback capability
Windows is treated as a mutable system where state must be continuously enforced, not assumed.
- Write-Ahead Log (WAL) with append-only JSONL entries
- Deterministic transaction replay and rollback
- Drift-aware state reconciliation engine
- Cross-module execution coordination
- Multi-hive support (HKLM, HKCU, HKU, offline hives)
- Byte-level idempotence with strict type validation
- REG_EXPAND_SZ normalization and environment expansion
- Optional ACL snapshot and restoration
- Dependency graph resolution (`EnumDependentServicesW`)
- Circular dependency protection
- Adaptive shutdown with real-time status polling
- Recovery policy neutralization (`SERVICE_FAILURE_ACTIONS`)
- Trigger-based service awareness
- Full COM inspection of task definitions
- Extraction of execution targets (`IExecAction`)
- Authenticode validation via `WinVerifyTrust`
- Canonical path and argument verification
- Native interaction with Windows Filtering Platform
- Custom provider and sublayer isolation
- Filtering layers:
  - `ALE_AUTH_CONNECT` (new connections)
  - `ALE_FLOW_ESTABLISHED` (existing flows)
- IPv4 / IPv6 dual-stack support
- CIDR-based rule aggregation
- Selective cleanup via provider GUID
- Native WinRT-based Appx removal (`Windows.Management.Deployment`)
- No reliance on PowerShell or external scripts
- Post-removal validation via re-query
- Scheduled execution via `--reconcile`
- Drift detection against live system state
- Automatic re-application of desired configuration
- Jittered execution to avoid startup contention
The WAL guarantees transactional integrity:
- Append-only JSONL format with entry framing
- Per-entry integrity validation (hash/checksum)
- 4KB-aligned writes to prevent torn writes
- Explicit disk flush via `FlushFileBuffers`
Transaction states:
- PENDING
- COMMITTED
- ROLLED_BACK
- FAILED
- RECOVERY_APPLIED
On startup:
- Invalid or truncated entries are discarded
- Pending transactions are rolled back
- System state is deterministically reconstructed
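The WAL replay described above, as an added example that is not Aegis11's own code: a Python model of per-entry hash validation, discarding of truncated or garbled lines, and rollback of transactions whose last valid record is still PENDING. Entry fields, keys and values are constructed for the demo; 4KB-aligned writes and `FlushFileBuffers` are not modelled.

```python
"""Model of the WAL replay/recovery described above (added example, not Aegis11 code).
One JSONL line per entry; "sha256" covers the entry's canonical JSON minus that field,
so a torn or tampered line fails validation. Alignment/flush are not modelled."""
import hashlib
import json

PENDING, COMMITTED, ROLLED_BACK = "PENDING", "COMMITTED", "ROLLED_BACK"

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def frame(txid, state, key, before, after):
    """Build one append-only WAL line carrying its own integrity hash."""
    entry = {"txid": txid, "state": state, "key": key, "before": before, "after": after}
    entry["sha256"] = _digest(entry)
    return json.dumps(entry, sort_keys=True)

def load_valid(lines):
    """Yield entries that parse and verify; truncated or garbled lines are discarded."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and entry.get("sha256") == _digest(entry):
            yield entry

def recover(wal_text, system):
    """Startup recovery: re-apply COMMITTED values, roll back transactions left PENDING."""
    latest = {}  # txid -> last valid entry for that transaction
    for e in load_valid(wal_text.splitlines()):
        latest[e["txid"]] = e
    appended = []  # ROLLED_BACK records the engine would append after recovery
    for txid in sorted(latest):
        e = latest[txid]
        if e["state"] == COMMITTED:
            system[e["key"]] = e["after"]
        elif e["state"] == PENDING:  # COMMITTED record missing: undo the change
            system[e["key"]] = e["before"]
            appended.append(frame(txid, ROLLED_BACK, e["key"], e["before"], e["after"]))
    return system, appended

def demo():
    """Constructed log: tx 1 committed; tx 2's COMMITTED line was torn mid-write."""
    wal = "\n".join([
        frame(1, PENDING, "svc.Start", 2, 4), frame(1, COMMITTED, "svc.Start", 2, 4),
        frame(2, PENDING, "task.Enabled", 1, 0),
        frame(2, COMMITTED, "task.Enabled", 1, 0)[:40],  # truncated -> discarded
        "garbage",
    ])
    return recover(wal, {"svc.Start": 2, "task.Enabled": 0})
```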
```
Aegis11.exe
```
Profiles:
- [1] Light → minimal, non-intrusive enforcement
- [2] Balanced → registry + services + task mitigation
- [3] Aggressive → full enforcement (Appx + WFP)
- [R] Rollback → full state restoration via WAL
```
Aegis11.exe --reconcile
```
- Fully non-interactive
- Designed for scheduled execution
- Applies drift correction only
Measured on Windows 11 23H2 (Ryzen 7 / i7, 16GB RAM):
| Operation | API Layer | Memory | Time |
|---|---|---|---|
| Appx Removal | WinRT / COM | ~12MB | ~850ms |
| WFP Injection | fwpuclnt.dll | ~4MB | ~120ms |
| Task Validation | taskschd.dll | ~18MB | ~1.8s |
| Service Mitigation | advapi32.dll | <2MB | ~45ms |
| WAL Initialization | NTFS (aligned) | 4KB | ~12ms |
- CPU usage: <5% peak
- Disk I/O: bounded and aligned
- Windows 10/11 (22H2+)
- MSVC v143
- Windows SDK ≥ 10.0.22000
- CMake ≥ 3.21
```
cd C:\Path\To\Aegis11
cmake -B build -S .
cmake --build build --config Release
```
This tool operates with elevated privileges and modifies critical OS subsystems.
Potential risks:
- Network disruption (WFP misconfiguration)
- Service dependency instability
- Windows Update conflicts
- Application compatibility issues
Intended for:
- advanced users
- system engineers
- security researchers
- Not an antivirus
- Not an EDR
- Not guaranteed to override Windows internals permanently
- Not safe for unattended use without validation
Provided “as is”, without warranty of any kind.
Modifying system services, registry policies, and network layers may significantly alter system behavior.
No responsibility is assumed for instability, data loss, or connectivity issues.
Genesis
Security Researcher & Lead Developer