Windows Defender - Add exclusion folder programmatically

I was checking out different keyloggers for research purposes and stumbled upon Refog:

https://www.refog.com/keylogger/

This program could catch a lot of system events, but what really caught my attention was something else. The program created a hidden folder called Mpk, path C:\Windows\SysWOW64\Mpk. It was marked as an operating system files folder, because it was not visible until I unmarked Hide protected operating system files (recommended). This, I guess, can be done via the attrib command like this: attrib +s +h "C:\Windows\SysWOW64\Mpk", so nothing revolutionary.

[Screenshot: Hide]

However they also added an exclusion to Windows Defender for this folder. How can they do this programmatically? I'm running Windows 10 Pro x64.

[Screenshot: Exclusion]

Cammack answered 25/10, 2016 at 6:47

The correct way to do this is using the Add-MpPreference PowerShell cmdlet. Use this cmdlet to add exclusions for file name extensions, paths, and processes, and to add default actions for high, moderate, and low threats.

You can easily perform this from the elevated cmd shell in Windows 10 using the following command line:

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\Mpk"
Volant answered 27/7, 2017 at 0:18

Comments:

Worked perfectly, however if you have a space in your file path the command needs to be escaped, like this: powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\sysconfig'" (Cammack)

How can I do this with more than one path please? @Volant (Maledict)

A comma separated list (with no spaces around the comma) should do it, e.g. -ExclusionPath 'path1','path2' (Volant)

Use the following to confirm the changes: powershell -inputformat none -outputformat text -NonInteractive -Command Get-MpPreference (Volant)

.. or check Windows Defender settings configuration in it to see the changes. (Bukovina)
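The answer and its comments cover adding an exclusion, handling spaces, passing several paths and confirming the result with Get-MpPreference. The following is an added example (not code from the original post) that wraps those steps in a PowerShell function run from an elevated session: it refuses the kind of broad location (the system drive, %windir%, %TEMP%) that later comments on this page warn about, adds the paths, verifies them through Get-MpPreference, and shows the matching Remove-MpPreference. The paths in the usage lines are assumptions for illustration.

```powershell
# Added example (PowerShell, run elevated); not from the original post.
# Adds one or more Defender path exclusions, refuses dangerously broad ones,
# confirms the change with Get-MpPreference, and shows the matching removal.
# The paths in the usage section are assumptions for illustration.

function Add-DefenderPathExclusion {
    param([Parameter(Mandatory)][string[]]$Path)

    # Locations that should never be excluded wholesale: an exclusion here
    # lets any process drop an unscanned payload into a directory every
    # application can write to.
    $tooBroad = @(
        "$env:SystemDrive\",
        $env:windir,
        $env:TEMP,
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)}
    )
    foreach ($p in $Path) {
        $full = [System.IO.Path]::GetFullPath($p).TrimEnd('\')
        if ($tooBroad | Where-Object { $_ -and $full -ieq $_.TrimEnd('\') }) {
            throw "Refusing to exclude broad location: $full"
        }
    }

    # Inside PowerShell itself a path with spaces needs only ordinary quoting;
    # the extra escaping in the comments is for passing through cmd.exe -Command.
    Add-MpPreference -ExclusionPath $Path
}

function Test-DefenderPathExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # ExclusionPath is $null when nothing is excluded; -contains handles that.
    $current = (Get-MpPreference).ExclusionPath
    return [bool]($current -contains $Path)
}

# Usage (assumed paths):
Add-DefenderPathExclusion -Path 'C:\Program Files (x86)\sysconfig', 'C:\tmp\build'
Test-DefenderPathExclusion -Path 'C:\tmp\build'    # True once applied
Remove-MpPreference -ExclusionPath 'C:\tmp\build'  # undo when no longer needed
```

The broad-location check is deliberately a blocklist of exact directories rather than a prefix match, so a specific subfolder such as a build output directory under the user profile is still allowed; widen it to your own policy if needed.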

Run in elevated shell (search cmd in Start menu and hit Ctrl+Shift+Enter).

powershell -Command Add-MpPreference -ExclusionPath "C:\tmp"
powershell -Command Add-MpPreference -ExclusionProcess "java.exe"
powershell -Command Add-MpPreference -ExclusionExtension ".java"

powershell -Command Remove-MpPreference -ExclusionExtension ".java"
Jereme answered 29/4, 2019 at 0:7

Comments:

Consider the risk it may cause: if you really exclude all the Temp folder, every app can download suspicious files and you won't get notified anymore. (Bukovina)

You are right. As soon as it's not a system temp folder, it's fine. (Bukovina)

adding java.exe exclusion is a serious security threat! (Vermeil)

I like how you show both adding and removing an exclusion and also point to the correct documentation. I've used this to install NirLauncher from chocolatey, temporarily excluding the chocolatey directory (which is under the %TEMP% of the current user: not a location to permanently allow). Exclude: powershell -Command Add-MpPreference -ExclusionPath "%TEMP%\chocolatey\NuGetScratch" Install: choco update --yes nirlauncher Remove exclusion: powershell -Command Remove-MpPreference -ExclusionPath "%TEMP%\chocolatey\NuGetScratch" (Aperiodic)

For those who complain about security risks: those are just examples! Useful because it reports the three cases and the remove case. (Andersonandert)

After some digging I found the following folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

I cannot add a key there with my user. I get the following error: Cannot create key: You do not have the requisite permissions to create a new key under Paths

However SYSTEM, WinDefend and TrustedInstaller all have Full Control. The best guess is that they have used something like DevxExec devxexec.exe /user:TrustedInstaller cmd and written the key to the registry.


Cammack answered 25/10, 2016 at 7:23

Comments:

No. Each user has its own registry. (Jansson)

If you vote down please say why. Hard to improve answers otherwise. (Cammack)
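The registry key named in this answer is where Defender stores the exclusion list, so from a defender's side it is also where to look when auditing a machine. The following is an added example (not code from the original post) that enumerates the current exclusions two ways, through Get-MpPreference and by listing the value names under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions, and then pulls Defender's own event 5007 ("antimalware platform configuration changed") records, which are written whenever an exclusion is added or removed. Run it from an elevated session: recent Windows builds restrict read access to the Exclusions key to administrators.

```powershell
# Added example (PowerShell, run elevated); not from the original post.
# Audits the exclusions Defender currently honours, from both the cmdlet and
# the registry key named in the answer above, and pulls the Defender
# operational-log events that record configuration changes.

function Get-DefenderExclusionAudit {
    $pref = Get-MpPreference
    $fromCmdlet = [PSCustomObject]@{
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
        Extensions = @($pref.ExclusionExtension)
    }

    # Each exclusion is stored as a value name (data 0) under the matching
    # subkey. Recent Windows builds only let administrators read these keys,
    # so an empty list from a non-elevated session is not proof of no exclusions.
    $regBase = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
    $fromRegistry = @{}
    foreach ($sub in 'Paths', 'Processes', 'Extensions') {
        $key = Join-Path $regBase $sub
        $fromRegistry[$sub] = if (Test-Path $key) {
            (Get-Item $key).GetValueNames()
        } else { @() }
    }

    # Event ID 5007 is logged on every Defender configuration change; the
    # message names the registry value that changed, so filter on the
    # Exclusions subtree to see exclusion adds and removals only.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5007
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\' } |
        Select-Object TimeCreated, Message

    [PSCustomObject]@{
        Cmdlet   = $fromCmdlet
        Registry = $fromRegistry
        Changes  = $events
    }
}

# Usage:
$audit = Get-DefenderExclusionAudit
$audit.Cmdlet.Paths
$audit.Changes | Format-List
```

A mismatch between the cmdlet view and the registry view, or a 5007 event for a path nobody recognises (the hidden SysWOW64 folder in the question is exactly that case), is the signal worth investigating; forwarding event 5007 to a SIEM gives the same visibility fleet-wide.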

Go to powershell

Add-MpPreference -ExclusionPath "C:\Temp"

Reference: https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=win10-ps

Azzieb answered 8/1, 2019 at 21:28

Comment:

Consider the risk it may cause: if you really exclude all the Temp folder, every app can download suspicious files and you won't get notified anymore. (Bukovina)

The easiest way to do this is using PowerShell from CMD with elevated privileges (like balrob's answer), but you can also use the PowerShell environment variables to make your life easier; for example:

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:USERPROFILE\Downloads

which will add the current user's Downloads folder, e.g. C:\Users\Susana\Downloads.

To get the list of environment variables provided by PowerShell, you can use this PowerShell command:

Get-ChildItem Env: | Sort Name

As you can see, there is the windir variable. They could use that together with the subfolders you mentioned.

Ainslee answered 10/4, 2018 at 22:1

Just thought that I would post this as it did take me a few seconds to figure out how to do this in C# but here is the code that is working for me:

        using System.Diagnostics;

        static void AddDefenderExclusion(string directory)
        {
            // Verb = "runas" (the UAC elevation prompt) is only honoured when
            // UseShellExecute is true; with it false the verb is silently ignored.
            var elevated = new ProcessStartInfo("powershell")
            {
                UseShellExecute = true,
                WindowStyle = ProcessWindowStyle.Hidden,
                Verb = "runas",
                // Double any single quote in the path so it cannot break out of the
                // PowerShell string literal and inject further commands.
                Arguments = "-NoProfile -Command Add-MpPreference -ExclusionPath '"
                            + directory.Replace("'", "''") + "'"
            };
            using (var p = Process.Start(elevated)) { p.WaitForExit(); }
        }
Edvard answered 8/7, 2021 at 14:11