A cross-platform local PC security auditor. 82 read-only checks (55 Windows · 15 Linux · 12 macOS) against your machine's actual state, with every finding mapped through a lookup table to a plain-English headline and the exact command to fix it.
Windows ships permissive by default. Linux distros leave plenty of knobs at "compatible" instead of "hardened". macOS has a dozen privacy/security toggles spread across five Settings panes. hostcheck checks all of it for you in 30-60 seconds and tells you the exact commands to flip the ones you need.
```text
═══ hostcheck report ═══
[PASS ] Defender real-time protection [HARD-001-PASS] Windows Defender real-time protection is ON.
[PASS ] Windows Firewall (Public profile) [HARD-003-PASS] Windows Firewall is enabled for the Public profile.
[FAIL ] Legacy TLS (1.0 / 1.1) [HARD-007] Legacy TLS (1.0 / 1.1) is still enabled.
why it matters: Older TLS protocols have known weaknesses (BEAST, POODLE, etc.) ...
what to do: Open PowerShell as Administrator and run:
foreach ($v in '1.0','1.1') { ... }
Reboot.
· TLS1.0.Server.Enabled: absent
· TLS1.0.Client.Enabled: absent
[FAIL ] LLMNR / NetBIOS over TCP/IP [NET-003] LLMNR and/or NetBIOS name resolution is enabled.
why it matters: LLMNR (UDP 5355) and NBT-NS (UDP 137) are legacy name-resolution
protocols ... they let an attacker run a tool called Responder that
captures your Windows login hashes ...
what to do: Open PowerShell as Administrator and run:
New-Item -Path 'HKLM:\SOFTWARE\Policies\...
[WARN ] System Restore [BACK-001] System Restore is disabled.
✗ 9 issue(s), 11 advisor(ies), 0 errored, 29/55 pass, 6 skipped
```
Every result carries a short error code that maps to a plain-English headline, a one-paragraph why it matters, and a copy-paste fix command (PowerShell on Windows, shell on Linux/macOS). Power users get the raw observed values under each finding.
hostcheck auto-detects the host OS at startup and runs the right check set.
| OS | Checks | Coverage |
|---|---|---|
| Windows | 55 | Defender, Firewall, UAC, BitLocker, SMBv1, TLS, SmartScreen, Secure Boot, TPM, Autorun, PowerShell v2, AutoLogon, LSA Protection, Admin group, Reboot age, VBS, HVCI, Kernel DMA, Driver Signature Enforcement; listening services, RDP, LLMNR/NetBIOS, risky services, Print Spooler, WPAD, SMB signing, RestrictAnonymous, NULL session pipes, weak ciphers; pending updates, legacy plugins, pending reboot, Defender exclusions, browser versions, Office macros, .NET 3.5; hosts file, AppInit_DLLs, WMI subscriptions, unsigned drivers, suspicious auto-runs; password policy, empty passwords, cached logons, Wi-Fi profiles; telemetry, Recall, activity history, Ad ID; ExecutionPolicy, script block logging, event log retention; System Restore, Volume Shadow Copies |
| Linux | 15 | UFW/firewalld/nftables, SSH password auth, SSH root login, unattended-upgrades / dnf-automatic, ASLR, SELinux/AppArmor enforcing, LUKS disk encryption, fail2ban, last reboot age, auditd; listening services on 0.0.0.0, SSH publicly exposed; apt/dnf upgradable packages, pending reboot; empty-password local accounts |
| macOS | 12 | SIP, Gatekeeper, FileVault, Application Firewall + stealth mode, automatic security updates; Remote Login (SSH), Screen Sharing, File Sharing; pending macOS updates; auto-login; Time Machine |
Each platform uses native tools: PowerShell + canonical Get-* cmdlets on Windows, ufw/sshd -T/sysctl/ss/apt/dnf/getenforce/aa-status/lsblk on Linux, csrutil/spctl/fdesetup/socketfilterfw/launchctl/defaults/tmutil on macOS. No external Python dependencies, no agents, no telemetry.
Download hostcheck-setup-X.Y.Z.exe from the Releases page and run it. Inno Setup installer:
- Installs to `%ProgramFiles%\hostcheck\`
- Adds a Start Menu shortcut (always) and Desktop shortcut (opt-in)
- Optional: prepend the install dir to system PATH so `hostcheck-gui` runs from any terminal
- Clean uninstaller in Apps & Features
- MIT license shown during the wizard
- No Python install required — the .exe bundles the runtime and CustomTkinter
```bash
pip install hostcheck            # CLI only
pip install "hostcheck[gui]"     # CLI + desktop GUI (hostcheck-gui); quoted so zsh does not glob the brackets
```

Then:

```bash
hostcheck                          # run all checks against the current host
hostcheck --json                   # machine-readable output for CI / automation
hostcheck --check uac,smbv1        # subset
hostcheck --skip pending_updates   # skip the slow ones
hostcheck-gui                      # launch the CustomTkinter desktop app
```

Exit codes: 0 clean, 1 at least one FAIL, 2 at least one inconclusive (ERROR) with no FAILs.
Every finding maps to a code. Codes are stable across releases, indexable, runbook-friendly.

| Prefix | Category | Examples |
|---|---|---|
| `HARD-*` | OS hardening posture (20 checks) | HARD-001 Defender RT off · HARD-007 TLS 1.0/1.1 on · HARD-013 auto-login w/ stored password · HARD-017 VBS not running |
| `NET-*` | Network exposure (10) | NET-002 RDP accessible · NET-003 LLMNR enabled · NET-006 WPAD enabled · NET-007 SMB signing not required |
| `VULN-*` | Software vulns (7) | VULN-001 pending Windows updates · VULN-002 legacy plugins · VULN-004 Defender exclusions audit · VULN-005 browser version freshness |
| `PERS-*` | Persistence / malware indicators (5) | PERS-002 AppInit_DLLs configured · PERS-005 suspicious auto-run binary in %TEMP% |
| `CRED-*` | Credentials (4) | CRED-001 weak password policy · CRED-004 open Wi-Fi profile saved |
| `PRIV-*` | Privacy (4) | PRIV-001 high telemetry level · PRIV-002 Windows Recall enabled |
| `PSH-*` | PowerShell hygiene (3) | PSH-001 ExecutionPolicy permissive · PSH-002 script block logging off |
| `BACK-*` | Backup state (2) | BACK-001 System Restore disabled |

| Prefix | Category | Examples |
|---|---|---|
| `LH-*` | Hardening (10) | LH-001 no firewall · LH-002 SSH password auth on · LH-006 SELinux/AppArmor not enforcing · LH-007 no LUKS · LH-008 no fail2ban |
| `LN-*` | Network (2) | LN-001 services on 0.0.0.0 · LN-002 SSH publicly exposed |
| `LV-*` | Vulns (2) | LV-001 apt/dnf upgrades pending · LV-002 reboot pending |
| `LC-*` | Credentials (1) | LC-001 empty-password account in /etc/shadow |

| Prefix | Category | Examples |
|---|---|---|
| `MH-*` | Hardening (6) | MH-001 SIP disabled · MH-002 Gatekeeper disabled · MH-003 FileVault off · MH-004 Application Firewall off |
| `MN-*` | Network (3) | MN-001 Remote Login on · MN-002 Screen Sharing on · MN-003 File Sharing on |
| `MV-*` | Vulns (1) | MV-001 pending macOS updates |
| `MC-*` | Credentials (1) | MC-001 auto-login enabled |
| `MB-*` | Backup (1) | MB-001 no recent Time Machine backup |

Full lookup table with "why it matters" and "what to do" lines lives in src/hostcheck/codes.py.
For Windows users, two opt-in PowerShell scripts in scripts/ handle the four highest-impact lowest-risk fixes in one click:
- `scripts/apply-safe-fixes.ps1`: Disables WPAD (NET-006), blocks anonymous SMB enumeration (NET-008), disables LLMNR (NET-003), disables Autorun for all drive types (HARD-011). Self-elevates via UAC. Universally safe on a personal PC.
- `scripts/revert.ps1`: Reverts every change `apply-safe-fixes.ps1` makes, back to Windows defaults. Use if any change breaks something.

Both scripts:
- Self-elevate via UAC when launched from a non-admin context
- Log every step to `scripts/<name>.log` via `Start-Transcript`
- Pause at end so the elevated window stays visible
- Are fully idempotent (safe to re-run)
```text
            ┌───────────────────────────────┐
            │      hostcheck CLI / GUI      │
            │  picks check set based on OS  │
            └───────────────┬───────────────┘
                            │
       ┌────────────────────┼─────────────────────┐
       ▼                    ▼                     ▼
┌─────────────┐      ┌──────────────┐      ┌──────────────┐
│ Windows     │      │ Linux        │      │ macOS        │
│ 55 checks   │      │ 15 checks    │      │ 12 checks    │
├─────────────┤      ├──────────────┤      ├──────────────┤
│ PowerShell  │      │ subprocess + │      │ subprocess + │
│ + Get-*     │      │ ufw, sshd,   │      │ csrutil,     │
│ cmdlets via │      │ sysctl, ss,  │      │ spctl,       │
│ ps_runner   │      │ apt/dnf,     │      │ fdesetup,    │
│             │      │ aa-status,   │      │ launchctl,   │
│             │      │ etc.         │      │ defaults,    │
│             │      │              │      │ tmutil       │
└──────┬──────┘      └──────┬───────┘      └──────┬───────┘
       │                    │                     │
       └────┬───────────────┴───────────────────┬─┘
            ▼                                   ▼
    ┌───────────────┐                 ┌───────────────────┐
    │ codes.py      │                 │ report.py         │
    │ lookup table  │ ──────────────► │ terminal / JSON   │
    │ (140+ codes)  │                 │ with code, head-  │
    │ headline +    │                 │ line, fix, raw    │
    │ meaning +     │                 │ observed values   │
    │ fix command   │                 └───────────────────┘
    └───────────────┘
```
Every check is a pure function. Each returns a CheckResult with status (PASS/FAIL/WARN/SKIP/ERROR), code, summary, structured details, and duration_s. Network-touching / OS-touching code always wraps probes in graceful failure paths — exceptions never escape to top level.
- Canonical APIs only. PowerShell `Get-MpComputerStatus`, not registry guessing. `ufw status`, not parsing `iptables -L` and pretending it's complete. `csrutil status`, not parsing `nvram` output.
- Every result includes the raw observed value so you can verify the verdict yourself.
- SKIP rather than guess. BitLocker on Windows Home → SKIP, not FAIL. No TPM hardware → SKIP. Legacy BIOS → SKIP. Office not installed → SKIP. Defender exclusions need admin → SKIP. False positives kill trust.
- No heuristic flagging of legitimate-but-suspicious things (auto-runs in well-known locations, DNS settings, browser extensions). Excluded from v0.2 because the false-positive risk is high.
```bash
pytest tests/test_smoke.py         # 83 deterministic tests, mocked PowerShell/shell, <1s
pytest tests/test_live_stress.py   # 61 live tests against real Windows, ~7 min, manual only
pytest tests/test_live_linux.py    # 17 live tests against real Linux, ~30s, manual only
```

The smoke suite never invokes live PowerShell or shell — it patches `run_ps` / `run` with synthetic responses so the parser logic is tested deterministically. The live-stress suites exist to validate against real OS state before each release.
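
The check contract and the mocked-runner testing described above, as an added sketch (not hostcheck's own code): a Linux SSH password-auth check that takes its command runner as a parameter, plus the documented exit-code rule. The names `check_ssh_password_auth` and `exit_code`, the `CheckResult` class layout, the `LH-002-PASS` code, and the sample `sshd -T` output are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

@dataclass
class CheckResult:  # field names from the README; the class itself is a stand-in
    status: str                      # PASS / FAIL / WARN / SKIP / ERROR
    code: Optional[str]
    summary: str
    details: dict = field(default_factory=dict)
    duration_s: float = 0.0

def check_ssh_password_auth(run: Callable[[list], str]) -> CheckResult:
    """`run` executes a command and returns its stdout; tests inject a fake."""
    start = time.monotonic()
    try:
        out = run(["sshd", "-T"])    # effective sshd config, one "key value" per line
        value = None
        for line in out.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
                value = parts[1].strip().lower()
        details = {"passwordauthentication": value}   # raw observed value
        if value == "yes":
            res = CheckResult("FAIL", "LH-002", "SSH password auth is on.", details)
        elif value == "no":
            # "-PASS" suffix assumed from the HARD-001-PASS pattern in the sample report
            res = CheckResult("PASS", "LH-002-PASS", "SSH password auth is off.", details)
        else:                        # unparseable output is inconclusive, not a verdict
            res = CheckResult("ERROR", None, "PasswordAuthentication not found.", details)
    except FileNotFoundError:        # no sshd binary: SKIP rather than guess
        res = CheckResult("SKIP", None, "sshd is not installed; nothing to audit.")
    except Exception as exc:         # probe failures become a result, never a crash
        res = CheckResult("ERROR", None, f"sshd -T failed: {exc}")
    res.duration_s = time.monotonic() - start
    return res

def exit_code(results: Iterable[CheckResult]) -> int:
    """0 clean, 1 if any FAIL, 2 if any ERROR and no FAIL (WARN/SKIP assumed neutral)."""
    statuses = {r.status for r in results}
    if "FAIL" in statuses:
        return 1
    return 2 if "ERROR" in statuses else 0

# Constructed sample output, trimmed to three lines.
SAMPLE_SSHD_T = "port 22\npasswordauthentication yes\npermitrootlogin no\n"

if __name__ == "__main__":
    print(check_ssh_password_auth(lambda cmd: SAMPLE_SSHD_T))
```
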
```powershell
pip install -e ".[gui,build]"
python build_exe.py             # → dist\hostcheck-gui.exe (~29 MB)
iscc installer\hostcheck.iss    # → installer\output\hostcheck-setup-X.Y.Z.exe
```

Requires Inno Setup 6+ from https://jrsoftware.org/isdl.php for the wizard.
- Not an antivirus. It checks whether your AV is running and signatures are fresh; it doesn't scan files itself.
- Not an EDR. It's a one-shot snapshot, not a continuous behavioral monitor. Use Defender / CrowdStrike / etc. alongside.
- Not a packet capture / network sniffer. No root required for the detection logic.
- Not magic. Many security gaps are about user behavior (phishing-clicking, password hygiene) that no static scanner can detect. Threat-intelligence-driven indicators are out of scope.
- v0.3 — CIS Benchmark Level 1 mapping per code (~120 controls), compliance-grade reports
- v0.4 — Vulnerable-driver / known-bad-driver detection on Windows (Microsoft blocklist matching)
- v0.5 — macOS live verification + additional checks (Keychain audit, login items, persistence)
- v0.6 — Continuous mode: re-run on a schedule, alert on regressions (diff vs. last good)
MIT — see LICENSE.
Killian Miller — killianmiller6@gmail.com — github.com/KillianM00