Antivirus
Enumerate
sc queryex type= service | find /i "Antivirus"
Lists services and keeps only the output lines containing "Antivirus" (case-insensitive).
net start | find "Antivirus"
Lists started services filtering for "Antivirus".
tasklist | findstr /i "antivirus"
Lists running processes and keeps only the lines containing "antivirus" (case-insensitive).
Get-Service | Where-Object {$_.DisplayName -like "*antivirus*"}
Filters services with "antivirus" in their display name.
Get-Process | Where-Object {$_.ProcessName -like "*antivirus*"}
Filters processes related to antivirus by name.
Retrieves antivirus name and state:
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List
Gets antivirus info via PowerShell and Get-CimInstance:
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
Runs a PowerShell command from CMD to get antivirus info using Get-WmiObject:
powershell "Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct"
Retrieves only the antivirus product name using WMIC from the SecurityCenter2 namespace:
wmic /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get displayname /format:list
Lists the AntiSpywareProduct class from the root/SecurityCenter2 namespace (Can't get this to work...):
Get-CimInstance -Namespace root\securitycenter2 -ClassName antispywareproduct
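Added example (not part of the original page): the productState value returned by the queries above is a single integer, and this PowerShell decodes it into enabled and up-to-date flags for a compliance check. The bit layout is community-derived rather than documented by Microsoft, ConvertFrom-AvProductState is a hypothetical helper name, and the fallback rows are constructed sample values.

```powershell
# Added example, not from the original page. The bit layout below is
# community-derived; Microsoft does not document productState officially.
function ConvertFrom-AvProductState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][uint32]$ProductState
    )
    [pscustomobject]@{
        DisplayName  = $DisplayName
        ProductState = $ProductState
        Hex          = '0x{0:X6}' -f $ProductState
        # Bit 0x1000 (middle byte): protection is reported as enabled.
        Enabled      = ($ProductState -band 0x1000) -ne 0
        # Bit 0x10 (low byte): signatures are reported as out of date.
        UpToDate     = ($ProductState -band 0x10) -eq 0
    }
}

try {
    # Live query; root/SecurityCenter2 exists on client editions of Windows.
    $products = Get-CimInstance -Namespace root/SecurityCenter2 `
        -ClassName AntiVirusProduct -ErrorAction Stop
} catch {
    Write-Warning "SecurityCenter2 query failed: $($_.Exception.Message)"
    # Constructed sample rows so the decoder can still be exercised offline.
    $products = @(
        [pscustomobject]@{ displayName = 'Sample AV A (constructed)'; productState = 397568 }
        [pscustomobject]@{ displayName = 'Sample AV B (constructed)'; productState = 397584 }
        [pscustomobject]@{ displayName = 'Sample AV C (constructed)'; productState = 393472 }
    )
}

# foreach over an empty result runs zero times, so "no product registered"
# yields an empty report instead of an error.
$report = foreach ($p in $products) {
    ConvertFrom-AvProductState -DisplayName $p.displayName -ProductState $p.productState
}
$report | Format-Table -AutoSize
```

The flags reflect what each product reports to Security Center, so confirm them against the vendor's own console where the result matters.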
Registry Location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Contains information about all installed software, including antivirus applications. Each application has its own subkey with details about the installation.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
On 64-bit Windows, this key contains information about 32-bit applications installed on the system, including 32-bit antivirus software.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av
Used by older versions of Windows to store information about registered antivirus products.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Providers
In newer versions of Windows, this key and its subkeys contain information about security providers, including antivirus software.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Holds information about all system services, including those related to antivirus software. Each antivirus service will have a subkey here with configuration details.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
May contain entries for antivirus software that is set to run at startup. This location is often used for applications to configure themselves to start with Windows.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Similar to the HKCU version, this key is used to launch programs automatically at startup, including potentially antivirus software, but applies to all users on the system.