Thursday, 23 February 2017

[Research] Values for MSMpEng.exe in the Registry


2017-02-23

********************************************************************************
(1)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"CFGOptions"=dword:00000001

A search for "CFGOptions" site:microsoft.com finds nothing, so the purpose of CFGOptions is unclear.
CFG may stand for Configuration.
********************************************************************************
(2)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"CFGOptions"=dword:00000001


********************************************************************************
(3)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System]
"WindowsDefender-1"="v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=443|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Allow SSL Out traffic from WinDefend|"
"WindowsDefender-2"="v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=80|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Allow Out http traffic from WinDefend|"
"WindowsDefender-3"="v2.0|Action=Block|Active=TRUE|Dir=In|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Block All In traffic to WinDefend|"
"WindowsDefender-4"="v2.0|Action=Block|Active=TRUE|Dir=Out|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Block All Out traffic from WinDefend|"

This part appears to be firewall-related.
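The RestrictedServices\Static\System key holds the Windows Service Hardening rules, which restrict what a given service may do on the network independently of the user-facing firewall profile. Each value is a `|`-separated string of `Key=Value` fields. The following is an added example, not code from the original post: it parses the four WinDefend rules shown above (copied from the export), derives the policy they enforce, and checks them against a baseline a defender would expect. The baseline sets and the tampered rule used in the test are constructed for illustration.

```python
# Added example (not from the original post): parse the Windows Service Hardening
# rule strings exported above and derive the policy they enforce for WinDefend.
# RULES is copied from the page's export; the baseline below is constructed.

RULES = {
    "WindowsDefender-1": "v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=443|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Allow SSL Out traffic from WinDefend|",
    "WindowsDefender-2": "v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=80|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Allow Out http traffic from WinDefend|",
    "WindowsDefender-3": "v2.0|Action=Block|Active=TRUE|Dir=In|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Block All In traffic to WinDefend|",
    "WindowsDefender-4": "v2.0|Action=Block|Active=TRUE|Dir=Out|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Block All Out traffic from WinDefend|",
}


def parse_rule(rule):
    """Split a 'v2.0|Key=Value|...|' rule string into (version, {Key: Value})."""
    parts = [p for p in rule.split("|") if p]
    version, fields = parts[0], {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        fields[key] = value
    return version, fields


def effective_policy(rules):
    """Return (allows, blocks): sorted lists of (Dir, Protocol, RPort) scopes for
    the active v2.0 rules; '*' means the rule does not constrain that field."""
    allows, blocks = [], []
    for rule in rules.values():
        version, f = parse_rule(rule)
        if version != "v2.0" or f.get("Active") != "TRUE":
            continue
        scope = (f["Dir"], f.get("Protocol", "*"), f.get("RPort", "*"))
        (allows if f["Action"] == "Allow" else blocks).append(scope)
    return sorted(allows), sorted(blocks)


# Constructed baseline derived from the exported rules: outbound TCP 80/443 only,
# everything else blocked in both directions.
EXPECTED_ALLOWS = {("Out", "6", "443"), ("Out", "6", "80")}
EXPECTED_BLOCKS = {("In", "*", "*"), ("Out", "*", "*")}


def check_baseline(rules, expected_svc="WinDefend", expected_exe="MsMpEng.exe"):
    """List deviations from the baseline: extra allows, missing blocks, and rules
    that name a different service or executable than expected."""
    findings = []
    allows, blocks = effective_policy(rules)
    for scope in allows:
        if scope not in EXPECTED_ALLOWS:
            findings.append("unexpected allow %s" % (scope,))
    for scope in sorted(EXPECTED_BLOCKS - set(blocks)):
        findings.append("missing block %s" % (scope,))
    for name, rule in rules.items():
        _, f = parse_rule(rule)
        if f.get("Svc") != expected_svc or not f.get("App", "").endswith(expected_exe):
            findings.append("%s targets %s / %s" % (name, f.get("Svc"), f.get("App")))
    return findings


if __name__ == "__main__":
    allowed, blocked = effective_policy(RULES)
    print("allowed:", allowed)
    print("blocked:", blocked)
    print("findings:", check_baseline(RULES) or "none")
```

Run against the exported rules the check reports no findings; adding an inbound Allow rule, or editing App/Svc so that a different binary inherits the WinDefend exemptions, is exactly the kind of change this comparison is meant to surface.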
********************************************************************************
(4)
This part appears to be the WinDefend settings under "Services"; it may be possible to remove MSMpEng.exe from RAM completely.
ControlSet, ControlSet001 and ControlSet002 appear to be different configuration sets.

ServiceSidType enumeration

https://msdn.microsoft.com/zh-tw/library/microsoft.sqlserver.management.ui.connectiondlg.servicesidtype.aspx

Protecting Anti-Malware Services
https://msdn.microsoft.com/zh-tw/library/windows/desktop/dn313124(v=vs.85).aspx
(contains some technical explanation and code)

The C:\Program Files\Windows Defender directory contains

ConfigSecurityPolicy.exe  ==>  Microsoft Security Client Policy Configuration Tool
MpCmdRun.exe  ==> Microsoft Malware Protection Command Line Utility
MpUXSrv.exe ==> WD modern host server
MSASCui.exe   ==> Windows Defender User Interface ==> Windows Defender application
MSASCuiL.exe  ==> Windows Defender notification icon
MsMpEng.exe  ==> Antimalware Service Executable
NisSrv.exe  ==> Microsoft Network Realtime Inspection Service


The ImagePath value there is exported in encoded (hex) form.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDefend]
"DisplayName"="@%ProgramFiles%\\Windows Defender\\MpAsDesc.dll,-310"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
  69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
  00,20,00,44,00,65,00,66,00,65,00,6e,00,64,00,65,00,72,00,5c,00,4d,00,73,00,\
  4d,00,70,00,45,00,6e,00,67,00,2e,00,65,00,78,00,65,00,22,00,00,00
"Start"=dword:00000002
"Type"=dword:00000010
"Description"="@%ProgramFiles%\\Windows Defender\\MpAsDesc.dll,-240"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ObjectName"="LocalSystem"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,4c,00,6f,00,61,00,64,00,44,00,72,00,69,\
  00,76,00,65,00,72,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,\
  00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,\
  65,00,42,00,61,00,63,00,6b,00,75,00,70,00,50,00,72,00,69,00,76,00,69,00,6c,\
  00,65,00,67,00,65,00,00,00,53,00,65,00,52,00,65,00,73,00,74,00,6f,00,72,00,\
  65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,\
  00,44,00,65,00,62,00,75,00,67,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,\
  00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,53,00,65,00,53,00,65,00,63,00,75,00,72,00,69,00,74,00,79,00,50,\
  00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,53,00,\
  68,00,75,00,74,00,64,00,6f,00,77,00,6e,00,50,00,72,00,69,00,76,00,69,00,6c,\
  00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,63,00,72,00,65,00,61,00,\
  73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,00,69,00,76,00,69,00,6c,\
  00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,\
  50,00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,\
  00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,54,00,\
  63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,\
  00,65,00,53,00,79,00,73,00,74,00,65,00,6d,00,45,00,6e,00,76,00,69,00,72,00,\
  6f,00,6e,00,6d,00,65,00,6e,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,01,00,00,00,03,00,00,00,14,00,00,\
  00,03,00,00,00,64,00,00,00,00,00,00,00,64,00,00,00,00,00,00,00,64,00,00,00
"LaunchProtected"=dword:00000003
"FeaturesCount"=dword:00000048
"LastFeaturesQuery"="2017/02/07/09:07:27"
"FailureCommand"="C:\\Windows\\system32\\mrt.exe /EHB /ServiceFailure \"CAMP=4.10.14393.0;approximate-> Engine=1.1.13407.0;AVSIG=1.235.3328.0;ASSIG=1.235.3328.0\" /StartService /Defender /q"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Roles]
"NetFx4ServerFeatures"=dword:00000000
"NetFx4"=dword:00000001
"MicrosoftWindowsPowerShellRoot"=dword:00000002
"MicrosoftWindowsPowerShell"=dword:00000003
"KeyDistributionService-PSH-Cmdlets"=dword:00000004
"TlsSessionTicketKey-PSH-Cmdlets"=dword:00000005
"Tpm-PSH-Cmdlets"=dword:00000006
"MicrosoftWindowsPowerShellV2"=dword:00000007
"Server-Psh-Cmdlets"=dword:00000008
"MicrosoftWindowsPowerShellISE"=dword:00000009
"WCF-Services45"=dword:0000000a
"WCF-TCP-PortSharing45"=dword:0000000b
"ServerCore-WOW64"=dword:0000000c
"Printing-Client"=dword:0000000d
"Printing-Client-Gui"=dword:0000000e
"ServerCore-EA-IME-WOW64"=dword:0000000f
"Server-Shell"=dword:00000010
"Internet-Explorer-Optional-amd64"=dword:00000011
"Server-Gui-Mgmt"=dword:00000012
"RSAT"=dword:00000013
"WindowsServerBackupSnapin"=dword:00000014
"Windows-Defender-Gui"=dword:00000015
"MediaPlayback"=dword:00000016
"WindowsMediaPlayer"=dword:00000017
"Microsoft-Hyper-V-Common-Drivers-Package"=dword:00000018
"Microsoft-Hyper-V-Guest-Integration-Drivers-Package"=dword:00000019
"Microsoft-Windows-NetFx-VCRedist-Package"=dword:0000001a
"Microsoft-Windows-Printing-PrintToPDFServices-Package"=dword:0000001b
"Microsoft-Windows-Printing-XPSServices-Package"=dword:0000001c
"Microsoft-Windows-Client-EmbeddedExp-Package"=dword:0000001d
"Printing-PrintToPDFServices-Features"=dword:0000001e
"Printing-XPSServices-Features"=dword:0000001f
"SMB1Protocol"=dword:00000020
"SmbDirect"=dword:00000021
"Windows-Defender-Features"=dword:00000022
"Windows-Defender"=dword:00000023
"ServerCore-EA-IME"=dword:00000024
"Server-Drivers-General"=dword:00000025
"Server-Drivers-Printers"=dword:00000026
"SearchEngine-Client-Package"=dword:00000027
"FileAndStorage-Services"=dword:00000028
"Storage-Services"=dword:00000029
"ServerCore-Drivers-General"=dword:0000002a
"ServerCore-Drivers-General-WOW64"=dword:0000002b
"NetFx4Extended-ASPNET45"=dword:0000002c
"NetFx3"=dword:0000002d
"NetFx3ServerFeatures"=dword:0000002e
"ServerMediaFoundation"=dword:0000002f
"IIS-ApplicationDevelopment"=dword:00000030
"IIS-ApplicationInit"=dword:00000031
"IIS-ASPNET"=dword:00000032
"IIS-ASPNET45"=dword:00000033
"IIS-CommonHttpFeatures"=dword:00000034
"IIS-DefaultDocument"=dword:00000035
"IIS-DirectoryBrowsing"=dword:00000036
"IIS-HealthAndDiagnostics"=dword:00000037
"IIS-HttpCompressionStatic"=dword:00000038
"IIS-HttpErrors"=dword:00000039
"IIS-HttpLogging"=dword:0000003a
"IIS-ISAPIExtensions"=dword:0000003b
"IIS-ISAPIFilter"=dword:0000003c
"IIS-ManagementConsole"=dword:0000003d
"IIS-NetFxExtensibility"=dword:0000003e
"IIS-NetFxExtensibility45"=dword:0000003f
"IIS-Performance"=dword:00000040
"IIS-RequestFiltering"=dword:00000041
"IIS-Security"=dword:00000042
"IIS-StaticContent"=dword:00000043
"IIS-WebServer"=dword:00000044
"IIS-WebServerManagementTools"=dword:00000045
"IIS-WebServerRole"=dword:00000046
"IIS-IPSecurity"=dword:00000047

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Security]
"Security"=hex:01,00,14,80,f4,00,00,00,00,01,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,c4,00,07,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,21,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,\
  12,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,\
  14,00,9d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,28,00,ff,01,0f,\
  00,01,06,00,00,00,00,00,05,50,00,00,00,b5,89,fb,38,19,84,c2,cb,5c,6c,23,6d,\
  57,00,77,6e,c0,02,64,87,00,00,28,00,ff,01,0f,00,01,06,00,00,00,00,00,05,50,\
  00,00,00,bf,55,08,72,3b,e0,28,d0,89,79,4b,f8,91,89,6e,7c,40,25,ec,f4,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
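The hex-encoded values in the export above are just the raw registry bytes: `hex(2)` is REG_EXPAND_SZ and `hex(7)` is REG_MULTI_SZ, both stored as UTF-16LE, while plain `hex:` is REG_BINARY. The following is an added example, not code from the original post: a small .reg parser that decodes those value types, then interprets the WinDefend values (Start, Type, LaunchProtected, RequiredPrivileges, FailureActions) using Windows SDK constant names. The sample text is a subset of the ControlSet001\Services\WinDefend key shown above, with RequiredPrivileges shortened (constructed) to two entries; the layout assumed for the FailureActions blob is the SERVICE_FAILURE_ACTIONS structure as the service control manager stores it, and that assumption is mine.

```python
import re
import struct

# Added example (not from the original post): decode the hex-encoded values of a
# .reg export. SAMPLE_REG is a subset of the WinDefend key exported above;
# RequiredPrivileges is shortened (constructed) to two entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDefend]
"DisplayName"="@%ProgramFiles%\\Windows Defender\\MpAsDesc.dll,-310"
"ImagePath"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
  69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
  00,20,00,44,00,65,00,66,00,65,00,6e,00,64,00,65,00,72,00,5c,00,4d,00,73,00,\
  4d,00,70,00,45,00,6e,00,67,00,2e,00,65,00,78,00,65,00,22,00,00,00
"Start"=dword:00000002
"Type"=dword:00000010
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"RequiredPrivileges"=hex(7):53,00,65,00,4c,00,6f,00,61,00,64,00,44,00,72,00,69,\
  00,76,00,65,00,72,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,44,00,65,00,62,00,75,00,67,00,50,00,72,00,69,00,76,00,69,\
  00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,01,00,00,00,03,00,00,00,14,00,00,\
  00,03,00,00,00,64,00,00,00,00,00,00,00,64,00,00,00,00,00,00,00,64,00,00,00
"LaunchProtected"=dword:00000003
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<body>.*)$')


def _logical_lines(text):
    """Join .reg continuation lines (trailing backslash) into single logical lines."""
    out, pending = [], ''
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith('\\'):
            pending += stripped[:-1]
        else:
            out.append(pending + stripped)
            pending = ''
    return out


def _hex_bytes(csv):
    return bytes(int(b, 16) for b in csv.split(',') if b)


def decode_value(body):
    """Decode the right-hand side of a .reg value into (registry type, value)."""
    if body.startswith('"'):                       # REG_SZ; \" and \\ are escaped
        return 'REG_SZ', re.sub(r'\\(.)', r'\1', body[1:-1])
    if body.startswith('dword:'):
        return 'REG_DWORD', int(body[6:], 16)
    if body.startswith('hex(2):'):                 # REG_EXPAND_SZ, UTF-16LE, NUL-terminated
        return 'REG_EXPAND_SZ', _hex_bytes(body[7:]).decode('utf-16-le').rstrip('\x00')
    if body.startswith('hex(7):'):                 # REG_MULTI_SZ, NUL-separated, double NUL at end
        text = _hex_bytes(body[7:]).decode('utf-16-le')
        return 'REG_MULTI_SZ', [s for s in text.split('\x00') if s]
    if body.startswith('hex:'):                    # REG_BINARY
        return 'REG_BINARY', _hex_bytes(body[4:])
    raise ValueError('unsupported .reg value syntax: %r' % body[:16])


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: (type, decoded value)}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group('name')] = decode_value(m.group('body'))
    return keys


# Windows SDK constant names for the dword fields.
START_TYPE = {2: 'SERVICE_AUTO_START', 3: 'SERVICE_DEMAND_START', 4: 'SERVICE_DISABLED'}
SERVICE_TYPE = {0x10: 'SERVICE_WIN32_OWN_PROCESS', 0x20: 'SERVICE_WIN32_SHARE_PROCESS'}
LAUNCH_PROTECTED = {0: 'NONE', 1: 'WINDOWS', 2: 'WINDOWS_LIGHT', 3: 'ANTIMALWARE_LIGHT'}
SC_ACTION = {0: 'NONE', 1: 'RESTART', 2: 'REBOOT', 3: 'RUN_COMMAND'}


def decode_failure_actions(blob):
    """Assumed SERVICE_FAILURE_ACTIONS layout: reset period (s), reboot-message flag,
    command flag, action count, byte offset of the SC_ACTION array, then
    (type, delay in ms) pairs."""
    reset_period, _reboot_msg, _command, count, offset = struct.unpack_from('<5I', blob, 0)
    actions = [struct.unpack_from('<2I', blob, offset + 8 * i) for i in range(count)]
    return reset_period, [(SC_ACTION.get(t, t), delay) for t, delay in actions]


def describe_service(keys, key_path):
    """Summarize the decoded service values with their SDK constant names."""
    v = {name: val for name, (_, val) in keys[key_path].items()}
    reset_period, actions = decode_failure_actions(v['FailureActions'])
    return {'image': v['ImagePath'],
            'start': START_TYPE.get(v['Start'], v['Start']),
            'type': SERVICE_TYPE.get(v['Type'], v['Type']),
            'depends_on': v['DependOnService'],
            'privileges': v['RequiredPrivileges'],
            'launch_protected': LAUNCH_PROTECTED.get(v['LaunchProtected'], v['LaunchProtected']),
            'failure_reset_s': reset_period, 'failure_actions': actions}


if __name__ == '__main__':
    summary = describe_service(parse_reg(SAMPLE_REG),
                               r'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDefend')
    for field, value in summary.items():
        print('%-18s %s' % (field, value))
```

Decoded this way, the first failure action is RUN_COMMAND after 100 ms, which is what makes the FailureCommand value (the mrt.exe /ServiceFailure invocation) fire when the service dies, with the failure counter reset after 86400 seconds. LaunchProtected=3 is SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT, the protection level described in the linked "Protecting Anti-Malware Services" article, which is what prevents ordinary administrator-level processes from terminating or injecting into MsMpEng.exe.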

********************************************************************************
(5)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System]
"WindowsDefender-1"="v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=443|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Allow SSL Out traffic from WinDefend|"
"WindowsDefender-2"="v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=80|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Allow Out http traffic from WinDefend|"
"WindowsDefender-3"="v2.0|Action=Block|Active=TRUE|Dir=In|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Block All In traffic to WinDefend|"
"WindowsDefender-4"="v2.0|Action=Block|Active=TRUE|Dir=Out|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Block All Out traffic from WinDefend|"

********************************************************************************
(6)



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinDefend]
"DisplayName"="@%ProgramFiles%\\Windows Defender\\MpAsDesc.dll,-310"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
  69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
  00,20,00,44,00,65,00,66,00,65,00,6e,00,64,00,65,00,72,00,5c,00,4d,00,73,00,\
  4d,00,70,00,45,00,6e,00,67,00,2e,00,65,00,78,00,65,00,22,00,00,00
"Start"=dword:00000002
"Type"=dword:00000010
"Description"="@%ProgramFiles%\\Windows Defender\\MpAsDesc.dll,-240"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ObjectName"="LocalSystem"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,4c,00,6f,00,61,00,64,00,44,00,72,00,69,\
  00,76,00,65,00,72,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,\
  00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,\
  65,00,42,00,61,00,63,00,6b,00,75,00,70,00,50,00,72,00,69,00,76,00,69,00,6c,\
  00,65,00,67,00,65,00,00,00,53,00,65,00,52,00,65,00,73,00,74,00,6f,00,72,00,\
  65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,\
  00,44,00,65,00,62,00,75,00,67,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,\
  00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,53,00,65,00,53,00,65,00,63,00,75,00,72,00,69,00,74,00,79,00,50,\
  00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,53,00,\
  68,00,75,00,74,00,64,00,6f,00,77,00,6e,00,50,00,72,00,69,00,76,00,69,00,6c,\
  00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,63,00,72,00,65,00,61,00,\
  73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,00,69,00,76,00,69,00,6c,\
  00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,\
  50,00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,\
  00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,54,00,\
  63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,\
  00,65,00,53,00,79,00,73,00,74,00,65,00,6d,00,45,00,6e,00,76,00,69,00,72,00,\
  6f,00,6e,00,6d,00,65,00,6e,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,01,00,00,00,03,00,00,00,14,00,00,\
  00,03,00,00,00,64,00,00,00,00,00,00,00,64,00,00,00,00,00,00,00,64,00,00,00
"LaunchProtected"=dword:00000003
"FeaturesCount"=dword:00000048
"LastFeaturesQuery"="2017/02/07/09:07:27"
"FailureCommand"="C:\\Windows\\system32\\mrt.exe /EHB /ServiceFailure \"CAMP=4.10.14393.0;approximate-> Engine=1.1.13407.0;AVSIG=1.235.3207.0;ASSIG=1.235.3207.0\" /StartService /Defender /q"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinDefend\Roles]
"NetFx4ServerFeatures"=dword:00000000
"NetFx4"=dword:00000001
"MicrosoftWindowsPowerShellRoot"=dword:00000002
"MicrosoftWindowsPowerShell"=dword:00000003
"KeyDistributionService-PSH-Cmdlets"=dword:00000004
"TlsSessionTicketKey-PSH-Cmdlets"=dword:00000005
"Tpm-PSH-Cmdlets"=dword:00000006
"MicrosoftWindowsPowerShellV2"=dword:00000007
"Server-Psh-Cmdlets"=dword:00000008
"MicrosoftWindowsPowerShellISE"=dword:00000009
"WCF-Services45"=dword:0000000a
"WCF-TCP-PortSharing45"=dword:0000000b
"ServerCore-WOW64"=dword:0000000c
"Printing-Client"=dword:0000000d
"Printing-Client-Gui"=dword:0000000e
"ServerCore-EA-IME-WOW64"=dword:0000000f
"Server-Shell"=dword:00000010
"Internet-Explorer-Optional-amd64"=dword:00000011
"Server-Gui-Mgmt"=dword:00000012
"RSAT"=dword:00000013
"WindowsServerBackupSnapin"=dword:00000014
"Windows-Defender-Gui"=dword:00000015
"MediaPlayback"=dword:00000016
"WindowsMediaPlayer"=dword:00000017
"Microsoft-Hyper-V-Common-Drivers-Package"=dword:00000018
"Microsoft-Hyper-V-Guest-Integration-Drivers-Package"=dword:00000019
"Microsoft-Windows-NetFx-VCRedist-Package"=dword:0000001a
"Microsoft-Windows-Printing-PrintToPDFServices-Package"=dword:0000001b
"Microsoft-Windows-Printing-XPSServices-Package"=dword:0000001c
"Microsoft-Windows-Client-EmbeddedExp-Package"=dword:0000001d
"Printing-PrintToPDFServices-Features"=dword:0000001e
"Printing-XPSServices-Features"=dword:0000001f
"SMB1Protocol"=dword:00000020
"SmbDirect"=dword:00000021
"Windows-Defender-Features"=dword:00000022
"Windows-Defender"=dword:00000023
"ServerCore-EA-IME"=dword:00000024
"Server-Drivers-General"=dword:00000025
"Server-Drivers-Printers"=dword:00000026
"SearchEngine-Client-Package"=dword:00000027
"FileAndStorage-Services"=dword:00000028
"Storage-Services"=dword:00000029
"ServerCore-Drivers-General"=dword:0000002a
"ServerCore-Drivers-General-WOW64"=dword:0000002b
"NetFx4Extended-ASPNET45"=dword:0000002c
"NetFx3"=dword:0000002d
"NetFx3ServerFeatures"=dword:0000002e
"ServerMediaFoundation"=dword:0000002f
"IIS-ApplicationDevelopment"=dword:00000030
"IIS-ApplicationInit"=dword:00000031
"IIS-ASPNET"=dword:00000032
"IIS-ASPNET45"=dword:00000033
"IIS-CommonHttpFeatures"=dword:00000034
"IIS-DefaultDocument"=dword:00000035
"IIS-DirectoryBrowsing"=dword:00000036
"IIS-HealthAndDiagnostics"=dword:00000037
"IIS-HttpCompressionStatic"=dword:00000038
"IIS-HttpErrors"=dword:00000039
"IIS-HttpLogging"=dword:0000003a
"IIS-ISAPIExtensions"=dword:0000003b
"IIS-ISAPIFilter"=dword:0000003c
"IIS-ManagementConsole"=dword:0000003d
"IIS-NetFxExtensibility"=dword:0000003e
"IIS-NetFxExtensibility45"=dword:0000003f
"IIS-Performance"=dword:00000040
"IIS-RequestFiltering"=dword:00000041
"IIS-Security"=dword:00000042
"IIS-StaticContent"=dword:00000043
"IIS-WebServer"=dword:00000044
"IIS-WebServerManagementTools"=dword:00000045
"IIS-WebServerRole"=dword:00000046
"IIS-IPSecurity"=dword:00000047

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinDefend\Security]
"Security"=hex:01,00,14,80,f4,00,00,00,00,01,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,c4,00,07,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,21,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,\
  12,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,\
  14,00,9d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,28,00,ff,01,0f,\
  00,01,06,00,00,00,00,00,05,50,00,00,00,b5,89,fb,38,19,84,c2,cb,5c,6c,23,6d,\
  57,00,77,6e,c0,02,64,87,00,00,28,00,ff,01,0f,00,01,06,00,00,00,00,00,05,50,\
  00,00,00,bf,55,08,72,3b,e0,28,d0,89,79,4b,f8,91,89,6e,7c,40,25,ec,f4,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

********************************************************************************
(7)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System]
"WindowsDefender-1"="v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=443|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Allow SSL Out traffic from WinDefend|"
"WindowsDefender-2"="v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=80|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Allow Out http traffic from WinDefend|"
"WindowsDefender-3"="v2.0|Action=Block|Active=TRUE|Dir=In|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Block All In traffic to WinDefend|"
"WindowsDefender-4"="v2.0|Action=Block|Active=TRUE|Dir=Out|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Block All Out traffic from WinDefend|"

********************************************************************************
(8)



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"DisplayName"="@%ProgramFiles%\\Windows Defender\\MpAsDesc.dll,-310"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
  69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
  00,20,00,44,00,65,00,66,00,65,00,6e,00,64,00,65,00,72,00,5c,00,4d,00,73,00,\
  4d,00,70,00,45,00,6e,00,67,00,2e,00,65,00,78,00,65,00,22,00,00,00
"Start"=dword:00000002
"Type"=dword:00000010
"Description"="@%ProgramFiles%\\Windows Defender\\MpAsDesc.dll,-240"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ObjectName"="LocalSystem"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,4c,00,6f,00,61,00,64,00,44,00,72,00,69,\
  00,76,00,65,00,72,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,\
  00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,\
  65,00,42,00,61,00,63,00,6b,00,75,00,70,00,50,00,72,00,69,00,76,00,69,00,6c,\
  00,65,00,67,00,65,00,00,00,53,00,65,00,52,00,65,00,73,00,74,00,6f,00,72,00,\
  65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,\
  00,44,00,65,00,62,00,75,00,67,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,\
  00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,53,00,65,00,53,00,65,00,63,00,75,00,72,00,69,00,74,00,79,00,50,\
  00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,53,00,\
  68,00,75,00,74,00,64,00,6f,00,77,00,6e,00,50,00,72,00,69,00,76,00,69,00,6c,\
  00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,63,00,72,00,65,00,61,00,\
  73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,00,69,00,76,00,69,00,6c,\
  00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,\
  50,00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,\
  00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,54,00,\
  63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,\
  00,65,00,53,00,79,00,73,00,74,00,65,00,6d,00,45,00,6e,00,76,00,69,00,72,00,\
  6f,00,6e,00,6d,00,65,00,6e,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,01,00,00,00,03,00,00,00,14,00,00,\
  00,03,00,00,00,64,00,00,00,00,00,00,00,64,00,00,00,00,00,00,00,64,00,00,00
"LaunchProtected"=dword:00000003
"FeaturesCount"=dword:00000048
"LastFeaturesQuery"="2017/02/07/09:07:27"
"FailureCommand"="C:\\Windows\\system32\\mrt.exe /EHB /ServiceFailure \"CAMP=4.10.14393.0;approximate-> Engine=1.1.13407.0;AVSIG=1.235.3328.0;ASSIG=1.235.3328.0\" /StartService /Defender /q"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\Roles]
"NetFx4ServerFeatures"=dword:00000000
"NetFx4"=dword:00000001
"MicrosoftWindowsPowerShellRoot"=dword:00000002
"MicrosoftWindowsPowerShell"=dword:00000003
"KeyDistributionService-PSH-Cmdlets"=dword:00000004
"TlsSessionTicketKey-PSH-Cmdlets"=dword:00000005
"Tpm-PSH-Cmdlets"=dword:00000006
"MicrosoftWindowsPowerShellV2"=dword:00000007
"Server-Psh-Cmdlets"=dword:00000008
"MicrosoftWindowsPowerShellISE"=dword:00000009
"WCF-Services45"=dword:0000000a
"WCF-TCP-PortSharing45"=dword:0000000b
"ServerCore-WOW64"=dword:0000000c
"Printing-Client"=dword:0000000d
"Printing-Client-Gui"=dword:0000000e
"ServerCore-EA-IME-WOW64"=dword:0000000f
"Server-Shell"=dword:00000010
"Internet-Explorer-Optional-amd64"=dword:00000011
"Server-Gui-Mgmt"=dword:00000012
"RSAT"=dword:00000013
"WindowsServerBackupSnapin"=dword:00000014
"Windows-Defender-Gui"=dword:00000015
"MediaPlayback"=dword:00000016
"WindowsMediaPlayer"=dword:00000017
"Microsoft-Hyper-V-Common-Drivers-Package"=dword:00000018
"Microsoft-Hyper-V-Guest-Integration-Drivers-Package"=dword:00000019
"Microsoft-Windows-NetFx-VCRedist-Package"=dword:0000001a
"Microsoft-Windows-Printing-PrintToPDFServices-Package"=dword:0000001b
"Microsoft-Windows-Printing-XPSServices-Package"=dword:0000001c
"Microsoft-Windows-Client-EmbeddedExp-Package"=dword:0000001d
"Printing-PrintToPDFServices-Features"=dword:0000001e
"Printing-XPSServices-Features"=dword:0000001f
"SMB1Protocol"=dword:00000020
"SmbDirect"=dword:00000021
"Windows-Defender-Features"=dword:00000022
"Windows-Defender"=dword:00000023
"ServerCore-EA-IME"=dword:00000024
"Server-Drivers-General"=dword:00000025
"Server-Drivers-Printers"=dword:00000026
"SearchEngine-Client-Package"=dword:00000027
"FileAndStorage-Services"=dword:00000028
"Storage-Services"=dword:00000029
"ServerCore-Drivers-General"=dword:0000002a
"ServerCore-Drivers-General-WOW64"=dword:0000002b
"NetFx4Extended-ASPNET45"=dword:0000002c
"NetFx3"=dword:0000002d
"NetFx3ServerFeatures"=dword:0000002e
"ServerMediaFoundation"=dword:0000002f
"IIS-ApplicationDevelopment"=dword:00000030
"IIS-ApplicationInit"=dword:00000031
"IIS-ASPNET"=dword:00000032
"IIS-ASPNET45"=dword:00000033
"IIS-CommonHttpFeatures"=dword:00000034
"IIS-DefaultDocument"=dword:00000035
"IIS-DirectoryBrowsing"=dword:00000036
"IIS-HealthAndDiagnostics"=dword:00000037
"IIS-HttpCompressionStatic"=dword:00000038
"IIS-HttpErrors"=dword:00000039
"IIS-HttpLogging"=dword:0000003a
"IIS-ISAPIExtensions"=dword:0000003b
"IIS-ISAPIFilter"=dword:0000003c
"IIS-ManagementConsole"=dword:0000003d
"IIS-NetFxExtensibility"=dword:0000003e
"IIS-NetFxExtensibility45"=dword:0000003f
"IIS-Performance"=dword:00000040
"IIS-RequestFiltering"=dword:00000041
"IIS-Security"=dword:00000042
"IIS-StaticContent"=dword:00000043
"IIS-WebServer"=dword:00000044
"IIS-WebServerManagementTools"=dword:00000045
"IIS-WebServerRole"=dword:00000046
"IIS-IPSecurity"=dword:00000047

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\Security]
"Security"=hex:01,00,14,80,f4,00,00,00,00,01,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,c4,00,07,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,21,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,\
  12,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,\
  14,00,9d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,28,00,ff,01,0f,\
  00,01,06,00,00,00,00,00,05,50,00,00,00,b5,89,fb,38,19,84,c2,cb,5c,6c,23,6d,\
  57,00,77,6e,c0,02,64,87,00,00,28,00,ff,01,0f,00,01,06,00,00,00,00,00,05,50,\
  00,00,00,bf,55,08,72,3b,e0,28,d0,89,79,4b,f8,91,89,6e,7c,40,25,ec,f4,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

********************************************************************************

********************************************************************************
(to be researched)
