Windows Defender - Add exclusion folder programmatically


Question

I was checking out different keyloggers for research purposes and stumbled upon Refog:

https://www.refog.com/keylogger/

This program could catch a lot of system events, but what really caught my attention was something else. The program created a hidden folder called Mpk, path C:\Windows\SysWOW64\Mpk. It was marked as an operating system files folder, because it was not visible until I unmarked Hide protected operating system files (recommended). This, I guess, can be done via the attrib command like this attrib +s +h "C:\Windows\SysWOW64\Mpk" so nothing revolutionary.

However they also added an exclusion to Windows Defender for this folder. How can they do this programmatically? I'm running Windows 10 Pro x64.

Accepted answer

After some digging I found the following folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

I cannot add a key there with my user. I get the following error: Cannot create key: You do not have the requisite permissions to create a new key under Paths

However SYSTEM, WinDefend and TrustedInstaller all have Full Control. The best guess is that they have used something like DevxExec devxexec.exe /user:TrustedInstaller cmd and written the key to the registry.
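The answer identifies where path exclusions live and who can write there; the script below is an added example (not code from the question, the answer, or Refog) that audits that key from the defender's side: it enumerates the excluded paths, flags ones matching the pattern described (a hidden, system-attributed folder under the Windows directory), shows the key's ACL, cross-checks against what `Get-MpPreference` reports, and pulls Defender's configuration-change events (Event ID 5007) that mention the exclusions key. It assumes Windows 10 with the Defender PowerShell module present and an elevated prompt; the `Get-*` function names are this example's own.

```powershell
# Added example (not from the original question or answer): audit Windows Defender
# path exclusions for the behaviour described above. Assumes Windows 10 with the
# Defender PowerShell module (Get-MpPreference) and an elevated prompt.

$ExclusionKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'

function Get-DefenderPathExclusions {
    # Each excluded path is stored as a value *name* under the key (data is DWORD 0),
    # so enumerate value names rather than subkeys.
    if (-not (Test-Path -Path $ExclusionKey)) { return @() }
    $key = Get-Item -Path $ExclusionKey
    foreach ($path in $key.GetValueNames()) {
        $exists = Test-Path -LiteralPath $path
        $attrs  = if ($exists) { (Get-Item -LiteralPath $path -Force).Attributes } else { $null }
        [pscustomobject]@{
            Path      = $path
            Exists    = $exists
            Hidden    = $exists -and (($attrs -band [IO.FileAttributes]::Hidden) -ne 0)
            System    = $exists -and (($attrs -band [IO.FileAttributes]::System) -ne 0)
            # Folders under %SystemRoot% are unusual exclusion targets for ordinary software.
            InWindows = $path -like ("{0}\*" -f $env:SystemRoot)
        }
    }
}

function Get-SuspiciousDefenderExclusions {
    # Flags the pattern from the question: a hidden/system folder under the Windows directory.
    Get-DefenderPathExclusions | Where-Object { $_.InWindows -and ($_.Hidden -or $_.System) }
}

function Get-DefenderExclusionKeyAcl {
    # Shows who may write the key; the answer notes SYSTEM, WinDefend and TrustedInstaller
    # hold Full Control, which is why a plain user cannot create values here.
    (Get-Acl -Path $ExclusionKey).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType
}

function Get-DefenderExclusionChangeEvents {
    # Event ID 5007 in the Defender operational log records platform configuration
    # changes; entries mentioning Exclusions\Paths show when an exclusion was added.
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message
}

# Cross-check the registry view against what Defender itself reports; a mismatch
# (or any exclusion the administrator does not recognise) deserves a closer look.
$fromRegistry = @(Get-DefenderPathExclusions)
$fromDefender = @((Get-MpPreference).ExclusionPath)
"Exclusions in registry : $($fromRegistry.Count)"
"Exclusions per Defender: $($fromDefender.Count)"
Get-SuspiciousDefenderExclusions   | Format-Table -AutoSize
Get-DefenderExclusionKeyAcl        | Format-Table -AutoSize
Get-DefenderExclusionChangeEvents  | Format-Table -Wrap
```

Reading the key needs only Administrators (the permission problem in the answer is about writing), so the audit runs without TrustedInstaller tricks; the 5007 event query is the part worth scheduling, since the registry snapshot only tells you the current state, not when or by whom an exclusion appeared.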
