Find out if Windows Defender disk scan is running

Question

The Windows Defender disk scan takes a lot of performance from the system. Is there a way for a C# application to find out if the disk scan is currently running?

Answer

You can check the processor load that MsMpEng.exe (Antimalware Service Executable) is currently producing. On my computer it runs at 50% CPU (one CPU core fully occupied) while observing an installation.

It blocks an EXE or DLL file that my installer writes to disk for up to 25 seconds! (The installer is hanging, obviously.)

Note that MsMpEng.exe is still running even after turning Windows Defender completely off in the Control Panel. So just checking whether the service is running is not enough. You must check its current CPU load.

Windows Defender scans each EXE and DLL file anew every time you start an application, ALTHOUGH it already scanned all these files when the application was installed! So each time you start an application you have a tremendous delay: the more DLL files your application loads, the slower it starts.

Especially when your application uses anti-piracy protection like Themida or WinLicense, Windows Defender needs EXTREMELY long to check these files.

Windows Defender scans every executable file (EXE, DLL) when your application ONLY opens the file, without reading or writing a single byte from it, which results in CreateFile() being delayed for up to 25 seconds!

It is completely clear that Microsoft does not have the knowledge to write fast and efficient antimalware software. (I have never seen any antivirus software take 25 seconds to scan one single file!) It is recommended to install another antivirus program, which will result in Windows Defender being disabled automatically.

When the user has turned Windows Defender on or off, the following Registry keys change:

Windows 8, off:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
"Group"= "_Early-Launch"
"Start"= 3   // SERVICE_DEMAND_START
"ImagePath"= "\SystemRoot\system32\drivers\WdBoot.sys"

Windows 8, on:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
"Group"= "Early-Launch"
"Start"= 0   // SERVICE_BOOT_START
"ImagePath"= "system32\drivers\WdBoot.sys"

Note that the WdBoot service is normally not running when you check its status, even if it is enabled. It seems to run only while Windows is booting(?).

Windows 7, Windows 8 and Windows 10, off:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
"DisableRealtimeMonitoring"=1

Windows 7, Windows 8 and Windows 10, on:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
"DisableRealtimeMonitoring"=0
// or the entry does not exist

This key cannot be changed by an administrator user. Write permission is only given to the user "SYSTEM" and the groups "WinDefend" and "TrustedInstaller".

Since Windows 10 it is no longer possible to write this value from a service that runs as the "System/NT AUTHORITY" user (-> Access Denied). Probably Microsoft checks the digital signature of the application that tries to write this value.

And what really sucks on Windows 10 is that you can turn off Windows Defender, restart the computer, and it will be enabled again!

And there is another key affecting Windows Defender (by default it does not exist, but it can be created as a normal administrator):

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender
"DisableAntiSpyware" = 1

The effect of this key is that when you click "Windows Defender" in Control Panel you get a message box telling you: "This application is turned off by group policy..... To allow this application to run, contact your security administrator to enable the program via group policy."

Note that this key does NOT turn off Windows Defender. It only prevents a user from opening the Windows Defender configuration panel (MsAscUi.exe).
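The two checks the answer describes (the current CPU load of MsMpEng.exe and the DisableRealtimeMonitoring value), as an added C# example that is not part of the original answer. It assumes the System.Diagnostics.PerformanceCounter API is available (built into .NET Framework; a NuGet package on .NET Core), reads the registry through the 64-bit view so a 32-bit process is not redirected to WOW6432Node, and the 80% "scanning" threshold is an assumption, not a value from the answer.

```csharp
using System;
using System.Diagnostics;
using System.Threading;
using Microsoft.Win32;

static class DefenderScanCheck
{
    // CPU load of MsMpEng.exe over a sampling window on the counter's scale
    // (100 = one core fully busy, as in the answer's "50% on a 2-core box").
    // The counter is used instead of a process handle because MsMpEng.exe is
    // a protected process and opening it directly may be refused.
    // Returns null if MsMpEng.exe is not running or the counter is unavailable.
    public static float? GetMsMpEngCpuLoad(int windowMs = 1000)
    {
        if (Process.GetProcessesByName("MsMpEng").Length == 0) return null;
        try
        {
            using (var counter = new PerformanceCounter("Process", "% Processor Time", "MsMpEng"))
            {
                counter.NextValue();   // first sample only primes the counter (always 0)
                Thread.Sleep(windowMs);
                return counter.NextValue();
            }
        }
        catch (InvalidOperationException) { return null; }   // instance vanished mid-sample
    }

    // Mirrors the registry state the answer lists: true when real-time protection
    // is on (value 0 or missing), false when it is 1, null if the key is unreadable.
    public static bool? IsRealtimeProtectionEnabled()
    {
        try
        {
            using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
            using (var key = hklm.OpenSubKey(@"SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"))
            {
                if (key == null) return null;
                object v = key.GetValue("DisableRealtimeMonitoring");
                return v == null || Convert.ToInt32(v) == 0;
            }
        }
        catch (Exception) { return null; }   // e.g. read access denied
    }

    // Assumed threshold: MsMpEng.exe at or above 80% of one core counts as "scanning".
    public static bool IsDefenderScanLikelyRunning(float threshold = 80f)
    {
        float? load = GetMsMpEngCpuLoad();
        return load.HasValue && load.Value >= threshold;
    }
}
```

Call IsDefenderScanLikelyRunning() before a timing-sensitive step such as writing installer binaries; a single one-second sample is noisy, so averaging a few calls gives a steadier answer.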
