Make sure you have the latest Windows updates, or install them afterwards (Professional and/or Enterprise versions are suggested), before applying; or flash the BIOS, turn off the computer, replace the hard drive, or reinstall Windows
Go offline

With the RUN window or COMMAND PROMPT, type regedit.exe and start it (open RUN by pressing the ctrl and r keys at the same time, or search for and execute RUN or COMMAND PROMPT in the start menu or cortana; COMMAND PROMPT can also be started via RUN with cmd.exe)

Set these registry keys permissions (optional)

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
All users / Administrators read-only

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer
All users / Administrators read-only

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
All users / Administrators read-only

Set primary key / this key only permission to these HKEY_CLASSES_ROOT (optional)
And same to HKEY_CURRENT_USER plus NETWORK and NETWORK SERVICE
Access control assistance operators
Offer remote assistance helpers
Remote management users
Remote desktop users
Remote interactive logon
Terminal server user
WDAGUtilityaccount
Hyper-v administrators
Distributed COM users
Anonymous logon
Defaultaccount
Dialup
Guest
Guests
Administrator
Power users
IUSR


Press Ctrl + E to open file explorer, go to your computer's main list of drives, right-click your drives, go to properties and deny these same security permissions (optional)
Access control assistance operators
Offer remote assistance helpers
Remote management users
Remote desktop users
Remote interactive logon
Terminal server user
WDAGUtilityaccount
Hyper-v administrators
Distributed COM users
Anonymous logon
Dialup
Guests
Power users
IUSR


Open gpedit.msc

Computer configuration / name resolution policy
Create rule for any with microsoft root certificate authority 2011 certificate
Just enable DNSSEC do not select any other options in DNSSEC tab
Add your local IPv4 address to DIRECTACCESS (can be found in ipconfig /all command prompt command)
Use this web proxy, select use the default web proxy
Use IPsec in communication between the DNS client and DNS server, select low 3DES
Add these DNS servers to GENERIC DNS tab
8.26.56.26
8.20.247.20
216.146.35.35
216.146.36.36
Select encoding tab, enable and select UTF-8 with mapping

Computer configuration / security settings
Right click on security settings and apply, import "User rights assignment.INF" file
Check that the entries under Computer configuration / security settings / local policies / user rights assignment are as in screenshot "UserRightsAssignmentExample.JPG"

Computer configuration / security settings / security options

Enable audit: audit the access of global system objects
Enable audit: force the use of backup and restore privilege

DCOM: Machine access restrictions in security descriptor definition language (SDDL) syntax
Everyone deny remote access
Unknown account deny all
All application packages deny remote access
Dialup deny all
Terminal server user deny remote access
Remote interactive logon deny all
Iusr deny all
Local service deny remote access
Network deny remote access
Network service deny remote access
Batch deny remote access
Guests deny all
Power users deny all
Remote desktop users deny all
Performance log users deny all
Performance monitor users deny all
Network configuration operators deny all
System managed group deny all
Access control assistance operators deny all
IIS_IUSRS deny all
Event log readers deny all
Distributed COM users deny remote access
Hyper-V administrators deny all
Remote management users deny all
Service deny remote access
System deny remote access
Interactive deny remote access
Console logon deny remote access
Authenticated users deny remote access
Anonymous logon deny all

DCOM: Machine launch restrictions in security descriptor definition language (SDDL) syntax
Unknown account deny all
Dialup deny all
Remote interactive logon deny all
Iusr deny all
Network deny remote launch and remote activation
Network service deny remote launch and remote activation
Guests deny all
Power users deny all
Remote desktop users deny all
Network configuration operators deny all
Performance monitor users deny all
Distributed COM users deny remote launch and remote activation
IIS_IUSRS deny all
Event log readers deny all
Hyper-V administrators deny all
Access control assistance operators deny all
Remote management users deny all
System managed group deny all
Anonymous logon deny all
Authentication authority asserted identity deny all
Service asserted identity deny all
This organization certificate
Local account and member of administrators group deny remote launch and remote activation
Local account deny remote launch and remote activation
Cryptographic operators deny remote launch and remote activation

Devices: allowed to format and eject removable media
Administrators

Enable devices: prevent users from installing printer drivers
(Administrators still can install and run them)

Enable devices: restrict CD_ROM access to locally logged on users only

Enable: restrict floppy access to locally logged-on user only

Domain controller: LDAP server signing requirements
Require signing

Enable domain controller: refuse machine account password changes

Disable domain controller: digitally encrypt or sign secure channel data (always)

Enable domain member: disable machine account password changes

Set to two interactive logon: machine account lockout threshold
(Doesn't work on microsoft account)

Set to zero interactive logon: number of previous logons to cache (in case domain controller is not available)

Interactive logon: smart card removal behavior
Force logoff

Microsoft network server: amount of idle time required before suspending session
1 minute

Disable microsoft network server: attempt S4U2Self to obtain claim information

Set microsoft network server: server SPN target name validation level
Required from client

Enable network access: do not allow storage of password and credentials for network authentication

Remove all entries from network access: Remotely accessible registry paths and subpaths and network access: Remotely accessible registry paths

Deny access to these for network access: Restrict clients allowed to make remote calls to SAM
Everyone
All application packages
Network
Network service
Creator owner
Creator group
Remote interactive logon
Terminal server user
This organization certificate
Service asserted identity
Authentication authority asserted identity
Interactive
Console logon
Local account
Local account and member of administrators group
System
Local service
Service
Batch
Anonymous logon
Dialup
IUSR

Select guest only - local users authenticate as Guest for network access: Sharing and security model for local accounts

Disable network security: allow local system to use computer identity for NTLM

Disable network security: allow localsystem NULL session fallback

Disable network security: allow PKU2U authentication requests to this computer to use online identities

Network security: configure encryption types allowed for kerberos
Future encryption types

Network security: LAN manager authentication level
Send NTLMv2 response only and refuse LM and NTLM

Network security: LDAP client signing requirements
Require signing

Require NTLMv2 session security for both network security: Minimum session security for NTLM SSP based (including secure RPC) clients and servers

Audit all for network security: Restrict NTLM: Audit Incoming NTLM Traffic and network security: Restrict NTLM: Audit NTLM authentication in this domain


Network security: restrict NTLM: Incoming NTLM traffic
Deny all accounts

Network security: restrict NTLM: NTLM authentication in this domain
Deny all

Network security: restrict NTLM: Outgoing NTLM traffic to remote servers
Deny all
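
Added example, not part of the original guide: a read-only PowerShell check that compares the registry values behind the "network security" options above with the choices this guide makes. The registry value names are the standard locations Windows uses for these options; the function and variable names are made up for this example, and the two "in this domain" NTLM options are left out because they take effect on domain controllers.

```powershell
# Added example (read-only): audits the registry values behind the
# "Network security" options listed in this guide. Nothing is modified.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = "$lsa\MSV1_0"
$ldap = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$krb  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Want = exact DWORD the guide's choice produces.
# Bits = flag that must be set inside the DWORD (other flags may be set too).
$NtlmChecks = @(
    @{ Policy = 'Allow Local System to use computer identity for NTLM: Disabled'
       Path = $lsa;  Name = 'UseMachineId';                 Want = 0 }
    @{ Policy = 'Allow LocalSystem NULL session fallback: Disabled'
       Path = $msv;  Name = 'allownullsessionfallback';     Want = 0 }
    @{ Policy = 'Allow PKU2U authentication requests: Disabled'
       Path = "$lsa\pku2u"; Name = 'AllowOnlineID';         Want = 0 }
    @{ Policy = 'Kerberos encryption types: Future encryption types only'
       Path = $krb;  Name = 'SupportedEncryptionTypes';     Want = 0x7FFFFFE0 }
    @{ Policy = 'LAN Manager authentication level: NTLMv2 only, refuse LM and NTLM'
       Path = $lsa;  Name = 'LmCompatibilityLevel';         Want = 5 }
    @{ Policy = 'LDAP client signing requirements: Require signing'
       Path = $ldap; Name = 'LDAPClientIntegrity';          Want = 2 }
    @{ Policy = 'Minimum session security (clients): Require NTLMv2 session security'
       Path = $msv;  Name = 'NTLMMinClientSec';             Bits = 0x00080000 }
    @{ Policy = 'Minimum session security (servers): Require NTLMv2 session security'
       Path = $msv;  Name = 'NTLMMinServerSec';             Bits = 0x00080000 }
    @{ Policy = 'Restrict NTLM: Audit Incoming NTLM Traffic: all accounts'
       Path = $msv;  Name = 'AuditReceivingNTLMTraffic';    Want = 2 }
    @{ Policy = 'Restrict NTLM: Incoming NTLM traffic: Deny all accounts'
       Path = $msv;  Name = 'RestrictReceivingNTLMTraffic'; Want = 2 }
    @{ Policy = 'Restrict NTLM: Outgoing NTLM traffic to remote servers: Deny all'
       Path = $msv;  Name = 'RestrictSendingNTLMTraffic';   Want = 2 }
)

function Test-NtlmPolicy {
    param([hashtable[]]$Checks = $NtlmChecks)

    foreach ($c in $Checks) {
        # A policy left "Not defined" usually has no registry value at all,
        # so a missing value is reported instead of raising an error.
        $prop = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue

        if ($c.ContainsKey('Bits')) {
            $expected = 'flag 0x{0:X8} set' -f $c.Bits
        } else {
            $expected = '0x{0:X}' -f $c.Want
        }

        if ($null -eq $prop) {
            $actual = '(not set)'
            $ok     = $false
        } else {
            $value  = $prop.($c.Name)
            $actual = '0x{0:X}' -f $value
            if ($c.ContainsKey('Bits')) {
                $ok = ($value -band $c.Bits) -eq $c.Bits
            } else {
                $ok = $value -eq $c.Want
            }
        }

        [pscustomobject]@{
            Policy    = $c.Policy
            Value     = $c.Name
            Expected  = $expected
            Actual    = $actual
            Compliant = $ok
        }
    }
}

# Non-compliant rows first, so anything that did not apply is at the top.
Test-NtlmPolicy | Sort-Object Compliant | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt after gpupdate or a restart, since the values only appear once the policy has been applied.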

Disable recovery console: allow floppy copy and access to all drives and all folders

System cryptography: force strong key protection for user keys stored on the computer
User must enter a password each time they use a key

Disable system objects: require case insensitivity for non-windows subsystems

Enable system settings: Use certificate rules on windows executables for software restriction policies

User account control: behavior of the elevation prompt for administrators in Admin Approval Mode
Prompt for credentials (not on secure desktop)

Computer configuration / security settings / local policies / audit policy
Check if all audits are enabled on success and failure

Computer configuration / security settings / Windows defender firewall with advanced security
Right click on Windows defender firewall with advanced security and apply, import "Windows firewall.WFW"

Computer configuration / security settings / Network list manager policies
Select private for unidentified networks, identifying networks
Connect to your network or internet and restart the gpedit management console (close the editor and start it again), open this same page, select the network you have connected to and set it as private

Computer configuration / security settings / public key policies
Certificate path validation settings, stores: define these policy settings,
disable allow user trusted root CAs to be used to validate certificates and disable allow users to trust peer trust certificates
Select CAs must also be compliant with User principal name constraints
Trusted publishers define allow only all administrators to manage trusted publishers
Select verify that the publisher certificate is not revoked
Select verify that the timestamp certificate is not revoked
Define network retrieval and leave as is
Enable certificates services client - auto-enrollment
Select renew expired certificates, update pending certificates, and remove revoked certificates
Select update certificates that use certificate templates

Computer configuration / security settings / software restriction policies
Right click and select new software restriction policies
Enforcement all software files, all users, enforce certificate rules
Trusted publishers allow only all administrators to manage trusted publishers
Select verify that the publisher certificate is not revoked
Select verify that the timestamp certificate is not revoked
Additional rules
Add all network zone rules disallowed
Add new path rules ?:\perflogs, ?:\users\public disallowed, ?:\users\(user)\documents basic user, hidden folder in (user) directory appdata local, roaming all browser software folders set to basic user

Computer configuration / security settings / application control policies
Configure rule enforcement
Enforce all
Right click on all rule categories and create default rules

Computer configuration / security settings / IP security policies and local computer
Right click on IP security policies and local computer and apply, import "IPsec policy.IPSEC"

Computer configuration / security settings / advanced audit policy configuration
Right click on IP security policies and local computer and apply, import "Audits.CSV"

Computer configuration / Administrative templates / network / lanman server
Enable and leave blank cipher suite order
Enable honor cipher suite order

Computer configuration / Administrative templates / network / lanman workstation
Enable and leave blank cipher suite order
Disable insecure guest logons

Computer configuration / Administrative templates / network / fonts
Disable font providers

Computer configuration / Administrative templates / network / DirectAccess client experience settings
Disable corporate resources

Computer configuration / Administrative templates / network / microsoft peer-to-peer networking services
Disable, secure password strength validation for peer grouping
Enable turn off multicast bootstrap for all clouds

Computer configuration / Administrative templates / network / network connections
Enable state for route all traffic through the internal network

Computer configuration / Administrative templates / network / network connections / windows defender firewall
Disable windows defender firewall: allow authenticated IPsec bypass

Computer configuration / Administrative templates / network / network connections / windows defender firewall / domain and standard profile
Disable windows defender firewall: allow inbound remote desktop, remote administration, file and printer sharing
Enable windows defender firewall: protect all network connections
For both profiles

Computer configuration / Administrative templates / network / network provider
Enable hardened UNC paths and scroll down select show
Add value name RequirePrivacy and value 1
Add value name 1 and value RequirePrivacy

Computer configuration / Administrative templates / network / SNMP
Enable specify communities
Add value None
Disable specify permitted managers
Disable traps for public community

Computer configuration / Administrative templates / network / SSL configuration settings
Enable and leave SSL cipher suite order

Computer configuration / Administrative templates / network / Windows connection manager
Enable minimize the number of simultaneous connections to the internet or a windows domain
Value 1 = minimize simultaneous connections

Computer configuration / Administrative templates / network / Wireless display
Enable require pin pairing

Computer configuration / Administrative templates / system / access-denied assistance
Enable customize message for access denied errors
Uncheck all email settings 
Enable access-denied assistance on client for all file types


Computer configuration / Administrative templates / system / credentials delegation
Enable encryption oracle remediation and force updated clients
Disable remote host allows delegation of non-exportable credentials

Computer configuration / Administrative templates / system / device guard
Careful
Depends on whether you use a UEFI system or non-UEFI
Enable virtualization based security
Secure boot and DMA protection for platform security level
Code integrity and credential guard configuration - depends on whether you use UEFI or not - with or without lock
Enable secure launch configuration

Computer configuration / Administrative templates / system / device installation
Disable allow remote access to the plug and play interface

Computer configuration / Administrative templates / system / display
Enable and leave blank configure per-process system DPI settings
Enable and enter "*" turn off GdiDPIscaling for applications

Computer configuration / Administrative templates / system / driver installation
Disable allow non-administrators to install drivers for these device setup classes

Computer configuration / Administrative templates / system / boot-start driver initialization policy
On old or heavily infected systems this may not work, but with an updated Windows 10 it shouldn't be an issue
Enable good only drivers

Computer configuration / Administrative templates / system / file share shadow copy provider
Enable allow or disallow use of encryption to protect the RPC protocol messages between file share shadow copy provider running on application server and file share shadow copy agent running on the file servers

Computer configuration / Administrative templates / system / filesystem
Disable win32 long paths
Enable and leave blank selectively allow the evaluation of a symbolic link

Computer configuration / Administrative templates / system / filesystem / NTFS
Enable NTFS pagefile encryption
Enable short name creation options and disable on all volumes
Disable TXF deprecated features

Computer configuration / Administrative templates / system / folder redirection
Enable redirect folders on primary computers only

Computer configuration / Administrative templates / system / group policy
Enable all policy processing and select allow processing across a slow network connection, process even if the group policy objects have not changed
Disable interactive users determination to generate resultant set of policy data
Disable turn off background refresh of group policy
Disable turn off local group policy objects processing
Enable set group policy refresh interval for computers to 1 minute
Disable configure direct access connections as a fast network connection
Enable configure user group policy loopback processing mode to merge

Computer configuration / Administrative templates / system / internet communication settings
Enable turn off printing over HTTP
Enable turn off downloading of print drivers over HTTP
Enable turn off windows network connectivity status indicator active tests

Computer configuration / Administrative templates / system / iSCSI / General iSCSI
Enable do not allow additional session logins

Computer configuration / Administrative templates / system / iSCSI / iSCSI security
Enable do not allow connections, sessions without one way, mutual CHAP and IPsec


Computer configuration / Administrative templates / system / KDC
Enable KDC support for claims, compound authentication and kerberos armoring and fail unarmored authentication requests
Disable request compound authentication
Enable provide information about previous logons to client computers

Computer configuration / Administrative templates / system / kerberos
Enable fail authentication requests when kerberos armoring is not available
Disable kerberos client support for claims, compound authentication and kerberos armoring
Enable specify KDC proxy servers for kerberos clients set value name and value 0.0.0.1
Disable support compound authentication
Enable require strict target SPN match on remote procedure calls
Require strict KDC validation

Computer configuration / Administrative templates / system / kernel DMA protection
Enable enumeration policy for external devices incompatible with kernel DMA protection select block all

Computer configuration / Administrative templates / system / logon
Disable always wait for the network at computer startup and logon

Computer configuration / Administrative templates / system / mitigation options
Enable untrusted font blocking and select block untrusted fonts and log events
Enable process mitigation options select show and enter these values
Value name PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE value 1
Value name 0x00000001 value 1
Value name PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE value 1
Value name 0x00000002 value 1
Value name PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE value 1
Value name 0x00000004 value 1
Value name PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON value 1
Value name 0x00000100 value 1
Value name PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON value 1
Value name 0x00020000 value 1

Computer configuration / Administrative templates / system / net logon
Disable allow cryptography algorithms compatible with Windows NT 4.0
Disable Contact PDC on logon failure
Disable set netlogon share compatibility
Enable specify name and enter none
Disable set SYSVOL share compatibility

Computer configuration / Administrative templates / system / remote assistance
Enable allow only windows vista or later connections
Enable configure solicited remote assistance, allow helpers to only view the computer, maximum ticket time 1 minute, method for sending email is mailto
Enable configure offer remote assistance, allow helpers to only view the computer, select show helpers enter value none

Computer configuration / Administrative templates / system / remote procedure call
Disable RPC endpoint mapper client authentication
Enable restrict unauthenticated RPC clients, select authenticated without exceptions

Computer configuration / Administrative templates / system / user profiles
Disable detection of slow network connections
Enable do not log users with temporary profiles
Disable wait for remote user profile
Enable set maximum wait time for the network if a user has a roaming user profile or remote home directory, set one second




Computer configuration / Administrative templates / windows components / activex installer service
Enable approved installation sites for activex controls set value name and value 0

Computer configuration / Administrative templates / windows components / application compatibility
Enable prevent access to 16-bit applications
Enable turn off steps recorder

Computer configuration / Administrative templates / windows components / autoplay policies
Enable turn off autoplay

Computer configuration / Administrative templates / windows components / biometrics / facial features
Enable configure enhanced anti-spoofing for arm, smell, face, blood, urine, sperm, voice together

Computer configuration / Administrative templates / windows components / bitlocker drive encryption
Disable new DMA devices when this computer is locked

Computer configuration / Administrative templates / windows components / bitlocker drive encryption / operating system drives
Enable allow secure boot for integrity validation
Disable allow network unlock at startup

Computer configuration / Administrative templates / windows components / connect
Enable do not allow this PC to be projected to

Computer configuration / Administrative templates / windows components / credential user interface
Enable do not display the password reveal button
Enable require trusted path for credential entry
Enable enumerate administrator accounts on elevation

Computer configuration / Administrative templates / windows components / device and driver compatibility
Enable device compatibility settings
Enable driver compatibility settings

Computer configuration / Administrative templates / windows components / device registration
Enable register domain joined computers as devices

Computer configuration / Administrative templates / windows components / event log service / application
Enable back up log automatically when full for all

Computer configuration / Administrative templates / windows components / file explorer
Disable turn off data execution prevention for explorer
Disable turn off shell protocol protected mode
Enable configure windows defender smartscreen select warn and prevent bypass
Disable binding directly to IPropertysetstorage without intermediate layers

Computer configuration / Administrative templates / windows components / Netmeeting
Disable remote desktop sharing

Computer configuration / Administrative templates / windows components / Online assistance
Enable turn off active help

Computer configuration / Administrative templates / windows components / Windows remote shell
Disable allow remote shell access

Computer configuration / Administrative templates / windows components / internet explorer / internet, local machine zone and locked-down with intranet too
Disable allow opensearch queries in file explorer




User configuration / administrative templates / network
Enable prohibit connecting and disconnecting remote access connection
Disable prohibit deletion of remote access connections

User configuration / administrative templates / shared folders
Disable allow shared folders to be published
Disable allow DFS roots to be published

User configuration / administrative templates / windows components / network sharing
Enable prevent users from sharing files within their profile
(OneDrive would still work; only WORKGROUP / LAN domain sharing would partially stop working)

User configuration / administrative templates / system / driver installation
Set warn to code signing for device drivers

User configuration / administrative templates / system / user profiles
Disable connect home directory to root of the share

User configuration / administrative templates / control panel / personalization
Enable and leave blank force a specific visual style file or force windows classic

(You won't be needing to look at these snap-ins of management user interfaces)
User configuration / administrative templates / windows components / microsoft management console / restricted - permitted snap-ins
Disable routing and remote access
Disable remote desktops

User configuration / administrative templates / windows components / microsoft management console / restricted - permitted snap-ins / extension snap-ins
Disable remote access

User configuration / administrative templates / windows components / microsoft management console / restricted - permitted snap-ins / group policy / group policy snap-in extensions
Disable remote installation services

User configuration / administrative templates / windows components / remote desktop services / rd gateway
Enable set rd gateway authentication method select use smart-card
Disable connection through rd gateway


Set these Windows features in Control Panel\Programs\Programs and Features
Enable all of .NET framework 3.5 (includes .NET 2.0 and 3.0)
Enable all of .NET framework 4.7 advanced services
Enable all device lockdown (If applicable)
Enable all legacy components
Enable all MICROSOFT message queue (MSMQ) Server
Disable uncheck remote differential compression API support
Enable RIP Listener
Enable simple network management protocol
Enable Simple TCPIP services (i.e. echo, daytime etc)
Enable all for windows identity foundation 3.5
Enable all for windows process activation service
Enable Windows Defender Application Guard (then, after restart, go into Windows Defender and enable ransomware protection and controlled folder access, and add the System Volume Information, NET 4.5 and NET 4.5 classic folders. Go to app and browser control, click Application Guard settings and enable all features there. If you don't see it, try installing VS Community, disabling COMODO and using an Administrative profile. In exploit protection / program settings, add the executables that follow by name (note the capitalization: first letter only, not all). In device security, core isolation details, enable memory integrity)

Runtimebroker.exe enable all restrictions and audit win32k calls
Dwm.exe enable all restrictions and audit arbitrary code, win32k calls, code integrity guard. Do not use strict CFG
Ntoskrnl.exe enable all restrictions
Smss.exe enable all restrictions and audit win32k calls, child process audit, import address filtering audit, export address filtering audit and validate access for modules
Csrss.exe enable all restrictions and audit win32k calls, import address filtering audit, export address filtering audit and validate access for modules
Svchost.exe enable all restrictions and audit import address filtering, audit win32k calls, audit child processes
write.exe enable all restrictions and audit win32k calls
audiodg.exe enable all restrictions and audit win32k calls
explorer.exe enable all restrictions and audit child process, audit win32k calls
hh.exe enable all restrictions and audit win32k calls
winhlp32.exe enable all restrictions and audit win32k calls
bfsvc.exe enable all restrictions and audit win32k calls
notepad.exe enable all restrictions and audit win32k calls, audit code integrity guard
regedit.exe enable all restrictions and audit win32k calls, audit code integrity guard
taskhostw.exe enable all restrictions and audit win32k calls
dllhost.exe enable all restrictions and audit win32k calls
services.exe 
sihost.exe enable all restrictions and audit win32k cal

Restart computer

Open services.msc, then disable these services and set their logon to Guest
Windows remote management (WS-management)
User experience virtualization service
Shared PC account manager
Routing and remote access
Remote registry
Remote procedure call (RPC) locator
Remote desktop services
Remote access connection manager
OpenSSH authentication agent
Microsoft App-V client
Auto time zone updater
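
Added example, not part of the original guide: a read-only PowerShell report showing whether each service in the list above is actually disabled and which account it is set to log on as. The short service names are the standard Windows identifiers for the display names the guide lists; the function and variable names are made up for this example.

```powershell
# Added example (read-only): reports start mode, state and logon account
# for the services this guide disables. Nothing is changed.
$RemoteServices = [ordered]@{
    'WinRM'           = 'Windows remote management (WS-management)'
    'UevAgentService' = 'User experience virtualization service'
    'shpamsvc'        = 'Shared PC account manager'
    'RemoteAccess'    = 'Routing and remote access'
    'RemoteRegistry'  = 'Remote registry'
    'RpcLocator'      = 'Remote procedure call (RPC) locator'
    'TermService'     = 'Remote desktop services'
    'RasMan'          = 'Remote access connection manager'
    'ssh-agent'       = 'OpenSSH authentication agent'
    'AppVClient'      = 'Microsoft App-V client'
    'tzautoupdate'    = 'Auto time zone updater'
}

function Get-RemoteServiceState {
    param([System.Collections.IDictionary]$Services = $RemoteServices)

    # One WMI query for all services, indexed by short name.
    $installed = @{}
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object { $installed[$_.Name] = $_ }

    foreach ($name in $Services.Keys) {
        $svc = $installed[$name]
        if ($null -eq $svc) {
            # Some of these only exist on certain editions or feature sets.
            [pscustomobject]@{
                Service   = $name
                Listed    = $Services[$name]
                StartMode = '(not installed)'
                State     = '-'
                LogOnAs   = '-'
                Disabled  = $null
            }
        } else {
            [pscustomobject]@{
                Service   = $name
                Listed    = $Services[$name]
                StartMode = $svc.StartMode      # Auto, Manual or Disabled
                State     = $svc.State          # Running, Stopped, ...
                LogOnAs   = $svc.StartName      # account shown on the Log On tab
                Disabled  = ($svc.StartMode -eq 'Disabled')
            }
        }
    }
}

$report = Get-RemoteServiceState
$report | Format-Table -AutoSize

# Services that are installed but still able to start.
$pending = @($report | Where-Object { $_.Disabled -eq $false })
"{0} of {1} listed services are installed and not yet disabled." -f $pending.Count, $RemoteServices.Count
```

A service that shows StartMode Disabled but State Running was disabled without being stopped and keeps running until the next restart.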

Enable multiplexor for your network: install OpenVPN, Softether VPN client or VMware player, or use Vethernet or your real ethernet adapter. In network connections, bridge the connection by selecting the adapters, right-clicking and selecting bridge, then go into the network bridge adapter settings and set the IPv4 configuration of the routers or modems you connect to.
You may have a Vethernet adapter because you enabled the Windows features above. Bridge with it first, then search for Vethernet in regedit and set all master keys found for Vethernet to READ-ONLY, including for everyone. The adapter will disable itself after restart (the adapter reinstalls itself and resets its configuration on each restart, so it is useless. If the network bridge does not show the bridge router icon, delete your Wi-Fi, ethernet and bridge devices in devmgmt.msc, restart the computer and bridge again; do this anyway if you have just installed Windows. If it doesn't work, do it while connected to the internet over your Wi-Fi or ethernet)
Multiplexor bridge advanced configuration
Adaptive inter-frame spacing enabled
Enable PME enabled
Energy efficient ethernet enabled
Flow control Rx and Tx enabled
Gigabit master slave mode force master mode
Interrupt moderation
Interrupt moderation rate adaptive
Jumbo packet 9014 bytes
Large send offload V2 (IPv4 and IPv6) enabled
Legacy switch compatibility mode disabled
Link speed battery saver disabled
Log link state event enabled
Maximum number of RSS queues 2 queues
Packet priority and VLAN enabled
Protocol ARP and NS offload enabled
Receive buffers 256
Receive side scaling enabled
Reduce speed on power down enabled
Speed and duplex 1 Gigabyte full duplex
System idle power saver disabled
TCP checksum offload IPv4 and IPv6 Rx and Tx enabled
Transmit buffers 512
UDP checksum offload IPv4 and IPv6 Rx and Tx enabled
Wait for link auto detect
Wake on link settings disabled
Wake on magic packet enabled
Wake on pattern match enabled
Disable all features except IPv4 and Microsoft MAC bridge

Uncheck all file types in indexing and check to index properties only

Go to control panel - network and internet - internet options - advanced
Disable Native XMLHTTP support, integrated windows authentication, DOM storage, TLS 1.1, TLS 1.0
Enable Enhanced protected mode, enable windows defender smartscreen, block unsecured images, do not save encrypted pages to disk
At privacy of internet options go to advanced and disable always allowing session cookies and third party cookies
Go to security tab and select local intranet and set to highest

Go to ?:/Windows/system32/drivers and change the ownership of all region folders (for example "en-US") and of the "UMDF" folder to administrator, and set all permission entries to deny, including everyone
Change the current permissions on these drivers to denied, and add everyone as denied too, if the driver is present (optional)
3ware.SYS
afunix.SYS
agilevpn.SYS
appvstrm.SYS
asyncmac.SYS
btampm.SYS
bthenum.SYS
bthhfenum.SYS
bthmini.SYS
bthmodem.SYS
bthpan.SYS
bthport.SYS
bthusb.SYS
bttflt.SYS
cdrom.SYS
cht4dx64.SYS
cht4sx64.SYS
cht4vfx.SYS
cht4vx64.SYS
circlass.SYS
classpnp.SYS
dxgkrnl.SYS
dxgmms1.SYS
dxgmms2.SYS
hidir.SYS
hypervideo.SYS
ibtusb.SYS
intelhaxm.SYS
irda.SYS
irenum.SYS
ksthunk.SYS
microsoft.bluetooth.avrcptransport.SYS
microsoft.bluetooth.legacy.leenumerator.SYS
msiscsi.SYS
mlx4_bus.SYS
monitor.SYS
npfs.SYS
nwifi.SYS
processr.SYS
rasacd.SYS
rasl2tp.SYS
raspppoe.SYS
raspptp.SYS
rassstp.SYS
rdpbus.SYS
rdpdr.SYS
rdpvideominiport.SYS
rfcomm.SYS
rfxvmt.SYS
rmcast.SYS
rndismp.SYS
scsiport.SYS
sfloppy.SYS
stream.SYS
synth3dvsc.SYS
tdi.SYS
tdx.SYS
tsusbflt.SYS
tsusbgd.SYS
tsusbhub.SYS
tunnel.SYS
udecx.SYS
usb8023.SYS
usbcir.SYS
usbpmapi.SYS
wanarp.SYS
winmad.SYS
winverbs.SYS
Without these drivers most software cannot manipulate your computer. Bill Gates bases all software off them (most programming languages); without them, harmful things are useless.
Made useless first are infrared, remote desktop, remote access, direct hardware access and Bluetooth, which are disabled from, for example, virus control. Disabling these in group policy was just to prevent inbound; this prevents outbound to more harmful 'false digital objects'.
If any of these drivers are missing now, check later whether they have appeared so you can deny them.
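An added example, not part of the original guide: a read-only PowerShell check that reports which of the listed drivers exist under System32\drivers, whether a deny entry for Everyone is already set, and whether Windows has the driver registered and running. The function name Get-DriverDenyAudit is hypothetical, and only a few names from the list are passed in here.

```powershell
# Added example: read-only audit, nothing on disk is changed.
# Get-DriverDenyAudit is a hypothetical name, not a built-in cmdlet.
function Get-DriverDenyAudit {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
    )
    # Index registered kernel drivers by the file name of their image path.
    $registered = @{}
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        if ($_.PathName) {
            $leaf = ($_.PathName -split '[\\/]')[-1].ToLower()
            $registered[$leaf] = $_
        }
    }
    foreach ($n in $Name) {
        $path = Join-Path $DriverDir $n
        $row = [ordered]@{
            Driver = $n; Present = $false; Owner = $null
            EveryoneDeny = $null; State = $null; StartMode = $null
        }
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $row.Present = $true
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
                $row.Owner = $acl.Owner
                # Resolve ACEs to SIDs so the check works on any UI language.
                $rules = $acl.GetAccessRules($true, $true,
                    [System.Security.Principal.SecurityIdentifier])
                $row.EveryoneDeny = [bool]($rules | Where-Object {
                    $_.IdentityReference.Value -eq 'S-1-1-0' -and
                    $_.AccessControlType -eq 'Deny'
                })
            } catch {
                $row.Owner = 'ACL not readable'
            }
        }
        $drv = $registered[$n.ToLower()]
        if ($drv) { $row.State = $drv.State; $row.StartMode = $drv.StartMode }
        [pscustomobject]$row
    }
}

# A few names taken from the list above; pass the full list the same way.
$names = 'bthport.SYS', 'rdpdr.SYS', 'irda.SYS', 'npfs.SYS', 'classpnp.SYS'
Get-DriverDenyAudit -Name $names | Format-Table -AutoSize
```

Rows with State Running and StartMode Boot or System are drivers the running system is currently using, which is worth knowing before their permissions are changed.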

Replace Windows folder in ?:\Windows with my Windows folder

Please use an SSD and BitLocker for the drive you install Windows on
Please do take screenshots of your computer
Please check your system for unidentified, unknown profiles (Control Panel\System and Security\System - advanced system settings)
Please enable DEP for all software (Control Panel\System and Security\System - advanced system settings)
Please set your computer name to your first and last name, adding the MICROSOFT.COM suffix at the end of it (Control Panel\System and Security\System - advanced system settings)
Set your WORKGROUP to an alt code: turn on Num Lock, hold down Alt and type on the numpad, for example 01511
Please use your work or business domain suffix for your connections by adding it to the IPv4 configuration in the network bridge
Please use wired devices; wireless can be an exception
Please do not install most things to your root directory, which is "?:\Here"; if it's a driver, sure. For example "RIOT GAMES / League of legends", "XAMPP"
Please do not launch applications right after installation, because they will most likely launch with administrative rights; launch them separately as a user, outside of the installation.
Please keep "Flush DNS and renew.bat" running
Please try attaching plastic and wool on top of your computer hardware and case to prevent electric and/or magnetic interference from outside. You can also isolate your room.
Please make a standard user account and use it by default

Go online

Suggested third party software:
VMWARE Workstation player, VBOX or THINCAST (For virtual machine)
DR.WEB CUREIT (Can prevent applications from using low-level direct hard drive access and clean most viruses)
SPYBOT search and destroy (Immunize your system)
TCPOPTIMIZER (Use Windows default settings; you can also refresh your Winsock and TCP/IP. With network bridge configuration and TCPOPTIMIZER, network speed can go up to 100mbps plus for download and upload on slow, infested, bugged networks such as 10-20mbps ones, after using TWEAKBIT PCREPAIRKIT internet optimizer and all Windows updates)
TEAMVIEWER (To replace remote desktop protocols, remote management, remote logons. Please disable the TeamViewer service and set its logon to Guest anyway after installation)
PROCESS LASSO (Apply my "ProcessLasso.INF" for extra security layer)
NETLIMITER (Will manage your network. Can create block rules which are not advised for usage. Critical 100 % / 100 % adaptive, high 100 %, normal 100 % priorities are suggested and critical priority on all running objects)
ASTRILL VPN (Not only a company, but a corporation. Best VPN provider. On the astrill.com website, generate an OpenVPN certificate and download all files, or use the Astrill VPN software. Please pay for an Astrill subscription, share the OpenVPN software adapter connection with the network bridge, and enter your router's and/or modem's local IPv4 address as a second address besides 192.168.137.1 in the network bridge. You can use an empty adapter. Installing network drivers will not work due to the NETWORK and NETWORK SERVICE permission on HKEY_CURRENT_USER. Set one and only one preferred DNS, your local address, but leave the name resolution policy with the same DNS. This will secure your adapter. It is recommended to disable IPv6 and location services because in most places they do not work anyway)
INTEL EXTREME TUNING UTILITY (If you are using Intel hardware)
VISUAL STUDIO COMMUNITY (Install all run-times, intel performance, debuggers, communications)
HWINFO (To monitor system temperature and perhaps you can even lower it by adjusting fan speed, install its driver as persistent)
7-ZIP (Archive software, speaks for itself)
CCproxy (If you can open your own ports and have a dedicated internet protocol address, we suggest going behind your own proxy on any of ports 443, 8443, 995, 993, 465, 587, 25. You can also skip port forwarding and connect to your local address, which looks like 192.168.1.1-253, but then you won't be able to connect from the VPN server to the web if you connect to a VPN. If you host a web site on your machine, this can completely protect it from DDoS attacks. Or, without opening ports, use the VPN local address on the host and as your proxy; it can be found with the ipconfig /all command prompt command, listed as IPv4 address. Ports would still appear open if they are. Sadly you cannot select which local addresses to bypass in Internet Options. Add "do not use proxy for addresses beginning with" - *)
TWEAKBIT PCREPAIRKIT
COMODO Internet security

Dangerous third party software:
COMODO Internet security (Import configuration "COMODO ENTIREALL.CFGX". You can also just install Internet security essentials for extra certification security. If anything doesn't work, disable HIPS. Windows Defender ransomware protection, real-time protection and memory integrity protection will not function; they are not needed if you use COMODO. Optional)
BITDEFENDER
AVAST
BEETHINK DDoS protection (and all other DDoS protection software)
10KHITS exchanger (and all other traffic exchange software)
Many registry and junk-file cleaners and speed-boost programs, for example "IOLO SYSTEM MECHANICS"
Lots of games, but you're well protected


Note that nothing will be able to connect to you via remote desktop protocols, but you will be able to connect to others. Inbound and outbound MICROSOFT WINDOWS specific remote management and remote logons also will not work. Everything else will go smoothly.
Don't be surprised if your computer performance increases by 50-100 percent
You may have to repeat some of these steps, for example the registry and gpedit user rights assignments, because Windows 10 keeps updating while keeping the same accounts, the same interactive accesses and the same interface
You may not be able to add more than one account to the Windows 8-10 Mail application
That's all. Surely now you can visit the WHITEHOUSE.GOV website online