Antivirus

Enumerate

sc queryex type= service | find /i "Antivirus"

Lists services related to antivirus.

net start | find "Antivirus"

Lists started services filtering for "Antivirus".

tasklist | findstr /i "antivirus"

Lists processes and filters for antivirus.

Get-Service | Where-Object {$_.DisplayName -like "*antivirus*"}

Filters services with "antivirus" in their name.

Get-Process | Where-Object {$_.ProcessName -like "*antivirus*"}

Filters processes related to antivirus by name.

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List

Retrieves the registered antivirus product name and state via WMIC from the SecurityCenter2 namespace.

wmic /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get displayname /format:list

Same query, returning only the product name.

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct

Gets antivirus info via PowerShell and Get-CimInstance.

powershell "Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct"

Runs a PowerShell command from CMD to get antivirus info using Get-WmiObject.

Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiSpywareProduct

Lists the AntiSpywareProduct class from the root\SecurityCenter2 namespace (Can't get this to work...). Note the namespace takes a single backslash; a doubled backslash is passed literally and the query fails.

Registry Location

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Contains information about all installed software, including antivirus applications. Each application has its own subkey with details about the installation.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

On 64-bit Windows, this key contains information about 32-bit applications installed on the system, including 32-bit antivirus software.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av

Used by older versions of Windows to store information about registered antivirus products.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Providers

In newer versions of Windows, this key and its subkeys contain information about security providers, including antivirus software.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Holds information about all system services, including those related to antivirus software. Each antivirus service will have a subkey here with configuration details.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

May contain entries for antivirus software that is set to run at startup. This location is often used for applications to configure themselves to start with Windows.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Similar to the HKCU version, this key is used to launch programs automatically at startup, including potentially antivirus software, but applies to all users on the system.
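The following script is an added example, not part of the original cheat sheet, that ties the two sections together: it queries the SecurityCenter2 AntiVirusProduct class listed above, decodes the packed productState value, and cross-checks the two Uninstall registry keys. The function names are hypothetical, and the productState layout (middle byte = real-time protection, low byte = definition status) is the commonly used community decoding, assumed here rather than vendor-documented.

```powershell
# Added example: audit registered AV products and cross-check the Uninstall keys.
# Function names are hypothetical; the productState decoding is an assumption
# (middle hex byte = real-time protection, low hex byte = definition status).

function Decode-ProductState {
    param([Parameter(Mandatory)][uint32]$State)

    # productState is a 24-bit value read as three hex byte pairs,
    # e.g. 397568 -> 0x061100: owner 06, RTP 11 (on), definitions 00 (current).
    $hex = '{0:x6}' -f $State
    $rtp = $hex.Substring(2, 2)
    $def = $hex.Substring(4, 2)

    $rtpState = if ($rtp -in '10', '11') { 'Enabled' }
                elseif ($rtp -in '00', '01') { 'Disabled' }
                else { "Unknown ($rtp)" }
    $defState = if ($def -eq '00') { 'UpToDate' }
                elseif ($def -eq '10') { 'OutOfDate' }
                else { "Unknown ($def)" }

    [pscustomobject]@{ Hex = "0x$hex"; RealTimeProtection = $rtpState; Definitions = $defState }
}

function Get-AvStatus {
    # Products registered with Windows Security Center. The SecurityCenter2
    # namespace exists on client SKUs only, so the query fails on Server editions.
    $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop
    foreach ($p in $products) {
        $decoded = Decode-ProductState -State $p.productState
        [pscustomobject]@{
            Product            = $p.displayName
            ProductState       = $decoded.Hex
            RealTimeProtection = $decoded.RealTimeProtection
            Definitions        = $decoded.Definitions
            Path               = $p.pathToSignedProductExe
        }
    }
}

function Get-AvUninstallEntries {
    # Cross-check against installed software (64-bit and 32-bit Uninstall keys).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $keys -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -match 'antivirus|defender|endpoint' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

Get-AvStatus | Format-Table -AutoSize
Get-AvUninstallEntries | Format-Table -AutoSize
```

A product that shows up in the Uninstall keys but not in AntiVirusProduct is worth a closer look, since it is installed but not registered with Security Center as the active protection.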
