C++ Windows Security Tools
71+ native C++ tools for Windows security auditing, forensics, and monitoring
Overview
These tools are written in native C++20/23 for maximum performance and minimal dependencies. Unlike Python-based tools, they run directly on Windows without requiring a separate runtime or interpreter, which makes them suitable for incident response on locked-down systems.
All tools target Windows 10/11 and Windows Server 2019/2022.
Categories
Windows Security Auditing
| Tool | Description |
|------|-------------|
| ADAccountLockout | Audits AD account lockout policies and detects lockout storms |
| ADCertificateAudit | AD Certificate Services auditor - detects ESC1-8 misconfigurations |
| DefenderConfigAuditor | Microsoft Defender configuration auditor against CIS benchmarks |
| WindowsUpdateComplianceScanner | Identifies missing patches and Windows Update policy violations |
| SecureBootTPMAuditor | Validates Secure Boot chain and TPM 2.0 configuration |
| PowerShellConstrainedLanguageAuditor | Verifies PowerShell CLM enforcement across the domain |
Digital Forensics and Artifact Analysis
| Tool | Description |
|------|-------------|
| BamDamForensics | Parses Windows BAM/DAM registry keys for execution evidence |
| AmcacheForensics | Extracts program execution artifacts from Amcache.hve |
| PrefetchAnalyzer | Parses Windows Prefetch (.pf) files with decompression support |
| RecycleBinForensics | Recovers metadata from Recycle.Bin ($I/$R file pairs) |
| NTFSJournalParser | Parses $UsnJrnl for file system change history |
| ShimCacheDatabaseParser | Extracts AppCompatCache (ShimCache) execution artifacts |
| UserAssistDecoder | Decodes ROT-13 UserAssist registry entries for GUI execution history |
| RegistryTransactionLogParser | Parses Windows registry transaction logs for forensic analysis |
| SuperTimelineBuilder | Correlates artifacts from multiple sources into a unified timeline |
Memory and Process Analysis
| Tool | Description |
|------|-------------|
| YaraMemoryScanner | Scans live process memory with YARA rules for malware detection |
| VirtualAllocTracker | Monitors VirtualAlloc calls to detect shellcode injection |
| ThreadCallStackAnalyzer | Analyzes thread call stacks for suspicious code injection patterns |
| TokenPrivilegeForensics | Audits Windows token privileges for escalation indicators |
Network Security and Monitoring
| Tool | Description |
|------|-------------|
| TcpSnooper | Real-time TCP connection monitor with process attribution |
| TcpPortFuzzer | TCP port fuzzer for testing service resilience |
| DNSTunnelDetector | Detects DNS tunneling by analyzing query entropy and frequency |
| HttpHeaderInspector | Audits HTTP security headers (CSP, HSTS, X-Frame-Options) |
| SMBSessionForensics | Analyzes SMB sessions for lateral movement indicators |
| SmbShareScanner | Enumerates SMB share permissions for access control auditing |
| UdpReflectorCheck | Checks for UDP amplification vulnerability on exposed services |
Active Directory and Authentication
| Tool | Description |
|------|-------------|
| KerberosScanner | Kerberos infrastructure security scanner |
| NTLMAudit | Detects NTLM downgrade attacks and weak authentication configurations |
| GPOChangeTracker | Tracks Group Policy Object changes for unauthorized modifications |
| ADReplicationInspector | Monitors AD replication health and detects DCSync-style anomalies |
| SmartCardLogonTracker | Tracks smart card authentication events for compliance auditing |
Build Requirements
Compiler: GCC 13+ or MSVC 2022 (v143+)
Standard: C++20 / C++23
CMake: 3.20+
OS: Windows 10/11, Windows Server 2019/2022
Building a Tool
```sh
git clone https://github.com/ayinedjimi/TOOL-NAME.git
cd TOOL-NAME
mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Release
cmake --build . --config Release
```
2026 Ayi NEDJIMI