Some security software running with elevated privileges includes "tamper protection" to prevent local users - even those with administrative privileges - from disabling features, changing configuration, or even uninstalling the product.
While 0patch Agent is tamper-proof against non-administrative users by design, it includes no tamper protection against users with administrative privileges. We have two reasons for this:
- Administrative tamper protection can never be more than security through obscurity on Windows. Whatever mechanism an application sets up to stop administrators from doing what they are determined to do can be subverted by those same administrators, because they control the machine. If 0patch Console required a password to launch, an administrator could bypass it and change our registry settings directly. If we added a kernel driver to prevent that, the administrator could stop or remove such a driver. Such is the security design of Windows: the administrator is the trust boundary, and adding administrative tamper protection would only add complexity without adding real security.
  It is worth noting in this context that when a local administrator makes any changes to 0patch configuration on a centrally-managed 0patch Agent (e.g., disables 0patch Agent or disables individual patches), their changes will be automatically reverted upon the next agent sync to align with the agent's configuration in 0patch Central. This allows a local admin to temporarily disable our patches for troubleshooting, but even if they forget to re-enable them, they will get re-enabled upon the next sync.
- In contrast to some other security products, which monitor and block post-exploitation activities of a local attacker who has already obtained administrative privileges, disabling 0patch does not benefit such an attacker at all. They already have the privileges that our patches are designed to prevent them from obtaining. In other words, if an attacker is already an administrator on a computer with 0patch, they no longer need to exploit the vulnerabilities that 0patch is patching.
In summary, a non-administrative local user on a Windows computer with 0patch cannot make any changes to 0patch configuration and cannot disable or uninstall it. An administrator, on the other hand, can do all of that, as is also true for every other security product.
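The "tamper-proof against non-administrative users" property rests on ordinary Windows access control: the product's service and its HKLM configuration are writable only by administrators and SYSTEM. The script below is an added example for this article, not 0patch code, and it does not use 0patch's real service name or registry path; $ServiceName and $ConfigKey are placeholders you substitute for the product you are checking. It reads the DACL of the service (via sc.exe sdshow) and of the configuration key and reports any standard-user principal that could change configuration, stop the service, or rewrite the ACL.

```powershell
# Added example; not part of the original article and not 0patch's code.
# Audits whether non-administrative users can tamper with a product's
# Windows service or HKLM configuration key. Run from an elevated
# PowerShell 5.1+ prompt.

param(
    # Assumptions: placeholder names; substitute the product's real service and key.
    [string]$ServiceName = 'ExampleAgent',
    [string]$ConfigKey   = 'HKLM:\SOFTWARE\ExampleVendor\ExampleAgent'
)

# Principals that a standard, non-administrative interactive user holds.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Registry rights that let a user alter configuration or the key's own ACL.
$RegistryWriteMask = [int](
    [System.Security.AccessControl.RegistryRights]::SetValue -bor
    [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
    [System.Security.AccessControl.RegistryRights]::Delete -bor
    [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
    [System.Security.AccessControl.RegistryRights]::TakeOwnership)

# Service access rights from winsvc.h that allow stopping, reconfiguring,
# deleting, or re-ACLing a service.
$ServiceWriteMask = 0x0002 -bor  # SERVICE_CHANGE_CONFIG
                    0x0020 -bor  # SERVICE_STOP
                    0x0040 -bor  # SERVICE_PAUSE_CONTINUE
                    0x10000 -bor # DELETE
                    0x40000 -bor # WRITE_DAC
                    0x80000      # WRITE_OWNER

function Get-LowPrivRegistryWriters {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "Registry key not found: $Path" }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band $RegistryWriteMask) -ne 0) {
            [pscustomobject]@{
                Object    = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
            }
        }
    }
}

function Get-LowPrivServiceControllers {
    param([string]$Name)
    # Use sc.exe explicitly; inside PowerShell 'sc' is an alias for Set-Content.
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^\s*[DO]:' }) -join ''
    if (-not $sddl) { throw "Could not read the security descriptor of service '$Name'" }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        try   { $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $principal = $ace.SecurityIdentifier.Value }
        if ($LowPrivPrincipals -notcontains $principal) { continue }
        if (($ace.AccessMask -band $ServiceWriteMask) -ne 0) {
            [pscustomobject]@{
                Object    = "Service:$Name"
                Principal = $principal
                Rights    = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
}

$findings = @(Get-LowPrivRegistryWriters -Path $ConfigKey) +
            @(Get-LowPrivServiceControllers -Name $ServiceName)

if ($findings.Count -eq 0) {
    Write-Output "OK: no non-administrative principal can modify '$ConfigKey' or control service '$ServiceName'."
} else {
    Write-Output "FINDINGS: non-administrative principals with write or control rights:"
    $findings | Format-Table -AutoSize
}
```

The audit deliberately ignores Administrators and SYSTEM: an administrator holds WRITE_OWNER and WRITE_DAC (or can grant them to themselves), so a Deny entry for Administrators on either object would be exactly the kind of obscurity the article describes rather than a real control. A clean result means the product is protected against standard users to the extent Windows access control can provide, which is the property 0patch Agent relies on.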