Skip to content

SS-Sauron/Project-Oedipus

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.gitignore
.gitignore
 
 
CameraBackup.ps1
CameraBackup.ps1
 
 
CameraRestore.ps1
CameraRestore.ps1
 
 
CameraService.ps1
CameraService.ps1
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

USB Camera Stealth Toolkit

Platform Language License Admin Required

Temporarily disable any UVC webcam on your own Windows machine — no policy keys, no "device disabled" flags, no Group Policy fingerprints.

The camera appears to have a broken driver. Device Manager shows a yellow triangle and a generic Code 39 error. When you're done, a single script brings everything back exactly as it was.

Use only on hardware you own or with explicit written permission. The author assumes no liability for misuse.

⚠️ Warning

This toolkit modifies protected system files and ACLs. Misuse can leave your webcam non-functional until you manually restore from backup, or re-install the driver via Windows Update.

  • Always run CameraBackup.ps1 before CameraService.ps1.
  • Always test with -WhatIf (disable and restore only) before a live run.
  • A reboot is required after every disable and every restore for changes to fully apply.

What's Inside

Script Purpose
CameraBackup.ps1 Snapshots all UVC driver components to an encrypted-manifest backup
CameraService.ps1 Disables the camera via driver corruption and ACL manipulation
CameraRestore.ps1 Restores every component from the backup, exactly as it was

Key Features

  • No visible policy changes — the camera simply looks like broken hardware, not a blocked device.
  • DPAPI-encrypted manifest — the backup index (index.bin) is encrypted and tied to your Windows user account. A machine-scope fallback (index.bin.machine) can be decrypted by any local administrator on the same machine, protecting against profile corruption.
  • Timestomping — backup files and modified system files have their timestamps overwritten to match those of ntfs.sys, blending them in with surrounding OS artifacts.
  • Portable — uses %SystemRoot% and %LOCALAPPDATA% throughout; works on any drive letter, not just C:\.
  • Self-elevating — all three scripts detect insufficient privileges and re-launch with a UAC prompt automatically.
  • Silent mode — all console output is suppressed when launched with -WindowStyle Hidden.
  • Safe restore — restores the runtime driver, PNF, and driver store folder(s); resets ACLs; cleans pending rename operations; returns folder ownership to TrustedInstaller.
  • Self-clean-SelfClean securely overwrites every file in the backup folder with 3 passes (random → zero → random) before deleting it.
  • Simulation mode-WhatIf on CameraService.ps1 and CameraRestore.ps1 previews every planned change without touching the system. (Note: CameraBackup.ps1 has no simulation mode — it performs real file copies.)

How It Works

[Backup] → [Disable] → (unplug & reboot) → camera dead → [Restore] → (unplug & reboot) → camera alive

Phase 1 — Backup (CameraBackup.ps1)

Copies three categories of driver component into a backup folder, then writes a DPAPI-encrypted JSON manifest tracking what was copied and each file's SHA256 hash.

What is copied Source path Backup name
Runtime driver %SystemRoot%\System32\drivers\usbvideo.sys net.dat
INF pre-compile file %SystemRoot%\INF\usbvideo.PNF cfg.dat
Driver store folder(s) %SystemRoot%\System32\DriverStore\FileRepository\usbvideo.inf_* drv_<sha256hex>/
Pending rename registry snapshot HKLM:\...\Session Manager\PendingFileRenameOperations inside index.bin

The backup folder is stored at %LOCALAPPDATA%\Microsoft\Windows\Caches\{derived-guid}. The GUID is deterministic: it is derived from SHA256(COMPUTERNAME + USERNAME + "cam"), so it can always be recalculated and does not need to be written down.

Important: Only the manifest files (index.bin, index.bin.machine) are DPAPI-encrypted. The driver files themselves (net.dat, cfg.dat, and the drv_* folders) are plaintext copies. The backup folder's security relies on its obscure derived path, timestomping, and the self-clean option — not file-level encryption.

After writing the backup, Set-Timestamp overwrites the creation, write, and access times of every file and the folder itself to match those of ntfs.sys, making the backup indistinguishable from ambient OS artifacts by timestamp alone.

Phase 2 — Disable (CameraService.ps1)

Corrupts the UVC driver in three ways, each targeting a different layer Windows uses to load it:

Driver store folder(s) Takes ownership, grants Administrators full control, empties the folder, replaces its contents with zero-byte usbvideo.inf and usbvideo.sys decoys, then applies Deny ACEs for NT AUTHORITY\SYSTEM and NT SERVICE\TrustedInstaller to prevent auto-repair.

PNF file Opens usbvideo.PNF via a file stream and sets its length to zero in-place, destroying its content without deleting the file entry.

Runtime driver (usbvideo.sys)

  • If the file can be opened for writing, it is truncated to zero bytes immediately and write-Deny ACEs are applied to prevent repair.
  • If the driver is in use (file locked), a zero-byte temp file is written to %TEMP% and a PendingFileRenameOperations entry is added to the Session Manager registry key, scheduling the swap on next boot. Deny ACEs are deliberately not applied in this case to avoid conflicts with the pending rename.

Policy cleanup If HKLM:\SOFTWARE\Policies\Microsoft\Camera\AllowCamera exists, it is removed. This prevents a conflicting policy entry from interfering with the hardware-failure illusion.

Stale temp file cleanup At startup, CameraService.ps1 scans %TEMP% for zero-byte files older than one hour whose names match the random-filename pattern it generates, and removes them. This cleans up orphaned temp files left by any previous aborted run.

After disable, unplug the webcam and reboot. Windows re-evaluates the driver on plug-in; the zero-byte or missing driver causes a Code 39 hardware error, with no policy or privacy-toggle fingerprints.

Phase 3 — Restore (CameraRestore.ps1)

Decrypts the manifest (tries CurrentUser scope first; falls back to LocalMachine if that fails), then reverses every change:

  • Reads the original driver source path and SHA256 hash from the manifest.
  • Removes Deny ACEs from the runtime driver, deletes the zero-byte stub, and copies net.dat back as usbvideo.sys.
  • Clears Deny ACEs and decoy files from the driver store folder(s), copies the originals back, and restores TrustedInstaller ownership.
  • Copies cfg.dat back as usbvideo.PNF.
  • Scans PendingFileRenameOperations for pairs involving usbvideo.sys and removes them, preserving all other pairs.
  • Optionally removes AllowCamera registry value (-CleanPolicy).
  • Optionally wipes the backup folder with a 3-pass secure erase (-SelfClean).

After restore, unplug the webcam and reboot.

Requirements

  • Windows 10 or Windows 11 (64-bit recommended)
  • PowerShell 5.1 or later (ships with Windows 10/11)
  • Administrator rights — scripts self-elevate via UAC, but UAC must be enabled
  • PowerShell execution policy must permit script execution:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
# or pass -ExecutionPolicy Bypass when launching

Quick Start

Always back up before disabling.

# Step 1: Back up the current driver state
.\CameraBackup.ps1

# Step 2: Disable the camera
.\CameraService.ps1

# Step 3: Unplug the webcam, then reboot

# Step 4: Restore the camera (run after the reboot)
.\CameraRestore.ps1 -SelfClean

Preview before committing (recommended for first run)

-WhatIf is available on the disable and restore scripts. Use it to verify what each script would do before any files are touched:

.\CameraService.ps1 -WhatIf
.\CameraRestore.ps1 -WhatIf

Silent, no-history run

Launching with -NonInteractive and -WindowStyle Hidden suppresses all console output and prevents the commands from appearing in PSReadLine history:

powershell.exe -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -File ".\CameraBackup.ps1"
powershell.exe -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -File ".\CameraService.ps1"
# reboot...
powershell.exe -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -File ".\CameraRestore.ps1" -SelfClean

Parameter Reference

CameraBackup.ps1

Parameter Description
-BackupPath <path> Override the auto-derived backup location
-SkipDriverStore Skip backing up driver store folder(s)
-SkipRuntimeDriver Skip usbvideo.sys
-SkipPnf Skip usbvideo.PNF
-SkipRegistry Skip the PendingFileRenameOperations snapshot

No -WhatIf — this script always performs real file operations.

CameraService.ps1

Parameter Description
-BackupPath <path> Check for an existing backup at this path (warning only if absent)
-Force Continue even when no backup is found, without prompting
-WhatIf Preview all planned changes without modifying anything

CameraRestore.ps1

Parameter Description
-BackupPath <path> Location of the backup folder (auto-derived if omitted)
-CleanPolicy Also remove the AllowCamera registry value if present
-Force Suppress confirmation prompts
-WhatIf Preview all planned changes without modifying anything
-SelfClean Securely wipe the backup folder (3-pass overwrite) after a successful restore

Safety & Design Philosophy

  • No permanent system changes — a successful restore returns every modified file and permission to its exact original state.
  • No external processes — pure PowerShell and .NET APIs throughout. No icacls.exe, no takeown.exe, no spawned child processes.
  • Defensive by design-WhatIf lets you audit every planned operation before it runs; -Force is opt-in, not the default.
  • Self-cleaning-SelfClean ensures backup files don't linger after restore.
  • Timestomping — all created and modified files are given timestamps matching ntfs.sys to reduce visibility in casual forensic scans.
  • Dual-scope DPAPI — the manifest is encrypted twice: once with CurrentUser scope (tied to your login) and once with LocalMachine scope (recoverable by any local admin on the same machine, protecting against profile corruption).

Note on machine-scope backup: Any local administrator on the same machine can decrypt index.bin.machine. This is intentional — it protects you if your user profile is corrupted — but reduces confidentiality in multi-admin environments. Use -SelfClean after restore if that is a concern.

Limitations

  • UVC-only — integrated laptop cameras, proprietary vendor drivers (e.g. certain Logitech models), and IP cameras are not affected. This toolkit targets the standard usbvideo.sys UVC driver.
  • Reboot required — changes take effect when Windows re-enumerates the device on plug-in after a reboot. There is no live-apply path.
  • Windows Update can repair the driver — Windows Update and driver repair tools can restore usbvideo.sys from Windows Component Store. If that happens, run CameraService.ps1 again.
  • powershell.exe is visible in Task Manager — even with -WindowStyle Hidden, the process appears in Task Manager. Tools like ps2exe can reduce this footprint by compiling the script to a standalone .exe.
  • Not forensic-proof — a targeted analyst can detect zero-byte driver files, Deny ACEs, and the GUID backup folder. The design goal is to prevent detection by standard user-facing tools, not by a forensic investigation.

Contributing

Bug reports and thoughtful pull requests are welcome. Please open an issue first to discuss any changes before submitting a PR.

License

MIT License — Copyright (c) 2025 SS-Sauron. See LICENSE for full text.

About

Three PowerShell scripts to silently disable, backup, and restore standard USB webcams on Windows. No privacy flags, no group policy fingerprints – just a generic driver error.

github.com/SS-Sauron/Project-Oedipus

Topics

windows security privacy usb powershell driver windows-10 drivers webcam stealth uvc anti-forensics defensive-security windows-11 read-team

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v1.0 – Initial release Latest
May 29, 2026

Packages

 
 
 

Contributors

Languages