Question
The Windows Defender disk scan takes a lot of performance from the system. Is there a way for a C# application to find out if the disk scan is currently running?
Answer 1:
You can check for the processor load that MsMpEng.exe (Antimalware Service Executable) is currently producing. On my computer it runs with 50% CPU (one CPU core fully occupied) while observing an installation.
It blocks an EXE or DLL file that my installer writes to disk for up to 25 seconds! (The installer is hanging, obviously.)
Note that MsMpEng.exe is even running after turning Windows Defender completely off in the control panel. So just checking if the service is running is not enough. You must check for its current CPU load.
Windows Defender scans each EXE and DLL file every time anew when you start an application - ALTHOUGH it has already scanned all these files when the application has been installed! So each time you start an application you have a tremendous delay: the more DLL files your application loads, the slower.
Especially when your application uses anti-piracy protection like Themida or WinLicense, Windows Defender needs EXTREMELY long to check these files.
Windows Defender scans every executable file (EXE, DLL) when your application ONLY opens the file without reading or writing one single byte from it, which results in delaying CreateFile() for up to 25 seconds!
It is completely clear that Microsoft does not have the knowledge to write fast and efficient antimalware software. (I have never seen any antivirus software running 25 seconds to scan one single file!) It is recommended to install another antivirus program, which will result in Windows Defender being disabled automatically.
When the user has turned on/off Windows Defender the following Registry keys change:
Windows 8 Off:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
"Group"= "_Early-Launch"
"Start"= 3 // SERVICE_DEMAND_START
"ImagePath"= "\SystemRoot\system32\drivers\WdBoot.sys"
Windows 8 On:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
"Group"= "Early-Launch"
"Start"= 0 // SERVICE_BOOT_START
"ImagePath"= "system32\drivers\WdBoot.sys"
Note that the WdBoot service is normally not running when you check its status, even if enabled. It seems it runs only while booting Windows (?).
Windows 7, Windows 8 and Windows 10 Off:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
"DisableRealtimeMonitoring"=1
Windows 7, Windows 8 and Windows 10 On:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
"DisableRealtimeMonitoring"=0
// or the entry does not exist
This key cannot be changed by an administrator user. Write permission is only given to the user "SYSTEM" and the groups "WinDefend" and "TrustedInstaller".
Since Windows 10 it is no longer possible to write this value from a service that runs with the "System/NT AUTHORITY" user (-> Access Denied). Probably Microsoft checks the digital signature of the application that tries to write this value.
And what really sucks on Windows 10 is that you can turn off Windows Defender, restart the computer and it will be enabled again!
And there is another key affecting Windows Defender (by default it does not exist, but it can be created as a normal administrator):
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender
"DisableAntiSpyware" = 1
The effect of this key is that you click "Windows Defender" in Control Panel and you get a message box saying: "This application is turned off by group policy... To allow this application to run, contact your security administrator to enable the program via group policy."
Note that this key does NOT turn off Windows Defender. It only forbids that a user can open the Windows Defender configuration panel (MsAscUi.exe).
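The two checks described in the answer above (sampling the CPU load of MsMpEng.exe, and reading the DisableRealtimeMonitoring value) put together as an added C# example. This is not code from the original answer; the process name "MsMpEng", the registry path and value name are the ones the answer gives, while the sampling window and the "half a core busy" threshold are assumptions chosen for illustration. Querying CPU times of MsMpEng.exe can fail with access denied on newer Windows builds because the engine runs as a protected process; the example treats that as "unknown" rather than "idle".

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Linq;
using System.Threading;
using Microsoft.Win32;

// Added example, not from the original answer: probes whether the Defender
// engine looks busy by sampling MsMpEng.exe CPU time over a short window, and
// reads the DisableRealtimeMonitoring value mentioned in the answer.
static class DefenderActivityProbe
{
    // GetProcessesByName expects the image name without ".exe".
    const string EngineProcessName = "MsMpEng";

    // Assumed threshold: the answer observed one core fully occupied while
    // scanning; treat anything above half a core as "probably scanning".
    const double BusyCoreFraction = 0.5;

    // Returns CPU usage of all MsMpEng.exe instances as a fraction of one core
    // (1.0 == one core fully busy) over the sample window, or null if the
    // process is not running or cannot be queried (e.g. access denied).
    public static double? SampleEngineCpuLoad(TimeSpan window)
    {
        Process[] procs = Process.GetProcessesByName(EngineProcessName);
        if (procs.Length == 0) return null;
        try
        {
            TimeSpan before = procs.Aggregate(TimeSpan.Zero, (sum, p) => sum + p.TotalProcessorTime);
            Stopwatch wall = Stopwatch.StartNew();
            Thread.Sleep(window);
            wall.Stop();
            foreach (Process p in procs) p.Refresh();
            TimeSpan after = procs.Aggregate(TimeSpan.Zero, (sum, p) => sum + p.TotalProcessorTime);
            return (after - before).TotalMilliseconds / wall.Elapsed.TotalMilliseconds;
        }
        catch (Win32Exception) { return null; }            // access denied: protected process
        catch (InvalidOperationException) { return null; } // process exited during the window
        finally { foreach (Process p in procs) p.Dispose(); }
    }

    // Reads HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring.
    // Uses the 64-bit registry view so a 32-bit build is not redirected to WOW6432Node.
    // Returns true if the value is 1, false if it is 0 or absent (absent == "On" per the answer).
    public static bool IsRealtimeMonitoringDisabled()
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        using (RegistryKey key = hklm.OpenSubKey(@"SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"))
        {
            object value = key?.GetValue("DisableRealtimeMonitoring");
            return value is int dword && dword != 0;
        }
    }

    // Combines both signals: true = scanning likely, false = idle, null = unknown.
    public static bool? IsEngineProbablyScanning(TimeSpan window)
    {
        double? load = SampleEngineCpuLoad(window);
        if (load == null) return null;
        return load.Value >= BusyCoreFraction;
    }

    static void Main()
    {
        Console.WriteLine("Real-time monitoring disabled in registry: " + IsRealtimeMonitoringDisabled());
        bool? scanning = IsEngineProbablyScanning(TimeSpan.FromSeconds(2)); // assumed 2 s sample window
        Console.WriteLine("MsMpEng.exe busy: " + (scanning.HasValue ? scanning.Value.ToString() : "unknown"));
    }
}
```

Sampling TotalProcessorTime twice and dividing by wall-clock time avoids the first-call lag of a PerformanceCounter and works for several engine instances at once; the result is per core, so on the answer's two-core machine a reading of 1.0 corresponds to the 50% total CPU it reports.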
Answer 2:
Example using Internet Explorer:
using System.Diagnostics; // needed for the Process type on the left-hand side
Process[] ProcInfo = System.Diagnostics.Process.GetProcessesByName("iexplore");
Source: https://stackoverflow.com/questions/862776/find-out-if-windows-defender-disk-scan-is-running