Beta  •  Documentation for a pre-release build. Details may change between beta builds.

WinSecMon documentation

Everything you need to run your first assessment — from system requirements and publisher trust to reading the forensic evidence each scan produces.

Requirements

  • OS: Windows 10 / Windows Server 2016 or newer (tested up to Windows 11 / Server 2025). Best-effort legacy support back to Windows 7 / Server 2008 R2 with WMF 5.1.
  • Shell: Windows PowerShell 5.1 (PowerShell 7 supported for Windows-only APIs).
  • Privileges: Administrator recommended — a handful of checks are admin-only. The scan is always read-only.
  • Network: optional. Cloud / M365 checks automatically skip when the host is offline or air-gapped.

Install & establish trust

The beta package is Authenticode-signed with a ScaryByte self-signed certificate. To let Windows recognise it as a known publisher, import the bundled certificate once:

:: From an elevated prompt, inside the extracted package
INSTALL-TRUST.cmd

This adds the ScaryByte code-signing certificate to Trusted Root Certification Authorities and Trusted Publishers. Until a publicly trusted certificate ships with the GA release, importing this certificate is what clears SmartScreen / publisher prompts.

Always verify the published SHA-256 of the download before importing any certificate or running the tool.
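INSTALL-TRUST.cmd places a self-signed certificate in the machine's Trusted Root store, so the hash check above is the only thing standing between you and trusting whatever file you happened to download. The following PowerShell is an added example, not part of the WinSecMon package: it compares the download's SHA-256 with the published value (the placeholder string is an assumption to be replaced with the real published hash), reads the Authenticode signer before any certificate is imported, and afterwards confirms which machine stores now hold that signer's thumbprint. Function names are this example's own.

```powershell
# Added example (not part of the WinSecMon package): check the download before
# running INSTALL-TRUST.cmd. The expected hash is a placeholder here; take the
# real value from the published release notes, never from the package itself.

function Test-WinSecMonDownload {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $PackagePath)) {
        throw "Package not found: $PackagePath"
    }

    # 1. Integrity: the hash must equal the value published out-of-band.
    $actual = (Get-FileHash -LiteralPath $PackagePath -Algorithm SHA256).Hash
    $hashOk = $actual -ieq ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '')

    # 2. Authenticity: who signed the file and with which certificate.
    #    Before the bundled certificate is imported the status is expected to be
    #    UnknownError (chain ends in an untrusted root); NotSigned or
    #    HashMismatch means this is not the signed beta and must not be run.
    $sig = Get-AuthenticodeSignature -LiteralPath $PackagePath

    [pscustomobject]@{
        Path            = $PackagePath
        Sha256          = $actual
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status.ToString()
        Signer          = $sig.SignerCertificate.Subject
        Thumbprint      = $sig.SignerCertificate.Thumbprint
        SafeToTrust     = $hashOk -and ($sig.Status -in 'Valid', 'UnknownError')
    }
}

# After INSTALL-TRUST.cmd: confirm the signer's thumbprint now sits in the two
# machine stores the installer targets, and record it for later audit.
function Get-PublisherTrustState {
    param([Parameter(Mandatory)] [string] $Thumbprint)
    foreach ($store in 'Root', 'TrustedPublisher') {
        $hit = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
               Where-Object { $_.Thumbprint -eq $Thumbprint }
        [pscustomobject]@{
            Store    = $store
            Present  = [bool]$hit
            Subject  = $hit.Subject
            NotAfter = $hit.NotAfter
        }
    }
}

# Usage: replace the placeholder with the published SHA-256 before running.
$check = Test-WinSecMonDownload -PackagePath '.\WINSECMON.exe' `
                                -ExpectedSha256 '<PUBLISHED-SHA256-PLACEHOLDER>'
$check | Format-List
if (-not $check.SafeToTrust) {
    throw 'Hash mismatch or unexpected signature state: do not run INSTALL-TRUST.cmd'
}
# ... run INSTALL-TRUST.cmd from an elevated prompt, then:
Get-PublisherTrustState -Thumbprint $check.Thumbprint | Format-Table -AutoSize
```

Keep the thumbprint that Get-PublisherTrustState reports with your change record: a root certificate added to LocalMachine\Root is a machine-wide trust decision, and the entry is what you will look for when the GA release ships with a publicly trusted certificate and the beta certificate can be removed.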

Running a scan

The simplest path is to double-click WINSECMON.exe — it self-elevates and runs a thorough assessment with the profile that best matches the host. From a shell you have more control:

:: Default assessment (auto profile)
.\WINSECMON.exe scan

:: Pick a host profile explicitly
.\scarybyte.ps1 scan -Profile workstation
.\scarybyte.ps1 scan -Profile server
.\scarybyte.ps1 scan -Profile domaincontroller

:: Air-gapped / offline (skip cloud checks)
.\scarybyte.ps1 scan -NetworkMode offline -Offline

Host profiles

  • workstation — endpoint hardening, local accounts, exposed services and legacy protocols.
  • server — member-server roles, exposure and service posture.
  • domaincontroller — full AD, ADCS and attack-path coverage in addition to host checks.

Reports & forensic evidence

Each run writes a timestamped report set plus an evidence manifest:

  • HTML — a summary and a detailed report for analysts and stakeholders.
  • CSV / JSON — machine-readable findings for pipelines and ticketing.
  • Evidence manifest — a SHA-256 manifest over every output file, with per-file sidecars.

Findings are graded Pass, Fail, Warn, Info or NotApplicable, each carrying a severity, the supporting evidence, and a remediation recommendation. The tool re-verifies its own manifest at the end of a run and reports INTACT when nothing has been altered.
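The tool's INTACT verdict comes from the same process that produced the files, so an analyst who needs to show chain of custody usually takes an independent hash snapshot as well. The PowerShell below is an added example, not WinSecMon's manifest code and not tied to its manifest or sidecar format: it hashes every file in a report directory into an analyst-owned snapshot (the file name `analyst-snapshot.json` and the report path are assumptions), returns the snapshot's own digest to record out-of-band, and later reports each file as Intact, Modified, Missing or Added.

```powershell
# Added example (not part of WinSecMon): take an analyst-owned SHA-256 snapshot
# of a report directory right after a run, independent of the tool's own
# manifest, and re-check it later. Paths below are assumptions for illustration.

function New-EvidenceSnapshot {
    param(
        [Parameter(Mandatory)] [string] $ReportDir,
        [string] $SnapshotPath = ''
    )
    $root = (Resolve-Path -LiteralPath $ReportDir).Path
    if (-not $SnapshotPath) { $SnapshotPath = Join-Path $root 'analyst-snapshot.json' }
    $snapFull = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($SnapshotPath)

    # Hash every file the run produced (HTML, CSV, JSON, manifest, sidecars),
    # excluding the snapshot file itself.
    $entries = Get-ChildItem -LiteralPath $root -File -Recurse |
        Where-Object { $_.FullName -ne $snapFull } |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
                Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Length       = $_.Length
            }
        }

    @{ Root = $root; Created = (Get-Date).ToString('o'); Files = @($entries) } |
        ConvertTo-Json -Depth 4 |
        Set-Content -LiteralPath $snapFull -Encoding UTF8

    # The snapshot lives beside the evidence, so anchor it somewhere else:
    # record this digest in the ticket or case notes.
    (Get-FileHash -LiteralPath $snapFull -Algorithm SHA256).Hash
}

function Test-EvidenceSnapshot {
    param([Parameter(Mandatory)] [string] $SnapshotPath)
    $snapFull = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($SnapshotPath)
    $snap = Get-Content -LiteralPath $snapFull -Raw | ConvertFrom-Json
    $expected = @{}
    foreach ($e in @($snap.Files)) { $expected[$e.RelativePath] = $e.Sha256 }

    # Recompute what is on disk now and diff it against the recorded set.
    $actual = @{}
    Get-ChildItem -LiteralPath $snap.Root -File -Recurse |
        Where-Object { $_.FullName -ne $snapFull } |
        ForEach-Object {
            $rel = $_.FullName.Substring($snap.Root.Length).TrimStart('\')
            $actual[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }

    $entries = foreach ($rel in (@($expected.Keys) + @($actual.Keys) | Sort-Object -Unique)) {
        $status = if (-not $actual.ContainsKey($rel))        { 'Missing'  }
                  elseif (-not $expected.ContainsKey($rel))  { 'Added'    }
                  elseif ($expected[$rel] -ne $actual[$rel]) { 'Modified' }
                  else                                       { 'Intact'   }
        [pscustomobject]@{ RelativePath = $rel; Status = $status }
    }
    [pscustomobject]@{
        Intact  = -not ($entries | Where-Object { $_.Status -ne 'Intact' })
        Entries = $entries
    }
}

# Usage (assumed path): snapshot immediately after the scan, verify before analysis.
$reportDir = '.\reports\latest-run'   # point this at the run's timestamped output folder
$digest = New-EvidenceSnapshot -ReportDir $reportDir
Write-Host "Snapshot digest (record out-of-band): $digest"
$verify = Test-EvidenceSnapshot -SnapshotPath (Join-Path $reportDir 'analyst-snapshot.json')
$verify.Entries | Where-Object { $_.Status -ne 'Intact' } | Format-Table -AutoSize
"Evidence intact: $($verify.Intact)"
```

Run the snapshot before anyone opens the HTML reports; a stakeholder who re-saves a report from a browser will show up as Modified, which is exactly the kind of change the tool's own end-of-run check cannot see.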

Reading the exit code

  • 0 — completed, no failing findings.
  • 2 / 3 / 4 — completed with Low / High / Critical findings present on the host (this is expected on un-hardened systems, not a tool error).

Scope & honesty

WinSecMon reports posture; it does not change configuration and it does not assert that any third-party security control (such as Microsoft Defender or SmartScreen) will or won't react to it. During the beta, AD / ADCS / Entra / M365 / Graph checks are implemented and exercised in the field but are not yet independently lab-validated across every edge case — always confirm a finding before acting on it in production.

Start your first assessment

Download the beta, import the publisher certificate, and run your first read-only scan in minutes.