# Antivirus ## Enumerate
CommandDescription
sc queryex type= service | find /i "Antivirus"Lists services related to antivirus.
net start | find "Antivirus"Lists started services filtering for "Antivirus".
tasklist | findstr /i "antivirus"Lists processes and filters for antivirus.
Get-Service | Where-Object {$_.DisplayName -like "*antivirus*"}Filters services with "antivirus" in their name.
Get-Process | Where-Object {$_.ProcessName -like "*antivirus*"}Filters processes related to antivirus by name.
Retrieves antivirus name and state: {% code overflow="wrap" %} ```powershell wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List ``` {% endcode %} Gets antivirus info via PowerShell and Get-CimInstance: ```powershell Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct ``` Runs PowerShell command in CMD to get antivirus info using Get-WmiObject. {% code overflow="wrap" %} ```powershell powershell "Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct" ``` {% endcode %} Retrieve antivirus product name and state using WMIC from the SecurityCenter2 namespace. {% code overflow="wrap" %} ```powershell wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List ``` {% endcode %} {% code overflow="wrap" %} ```powershell wmic /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get displayname /format:list ``` {% endcode %} Lists the antispywareproduct class from the root/security instance (Can't get this to work...): ```powershell Get-CimInstance -Namespace root\\securitycenter2 -ClassName antispywareproduct ``` ## Registry Location HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall Contains information about all installed software, including antivirus applications. Each application has its own subkey with details about the installation. HKEY\_LOCAL\_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall On 64-bit Windows, this key contains information about 32-bit applications installed on the system, including 32-bit antivirus software. HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av Used by older versions of Windows to store information about registered antivirus products. HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Providers In newer versions of Windows, this key and its subkeys contain information about security providers, including antivirus software. HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Services Holds information about all system services, including those related to antivirus software. Each antivirus service will have a subkey here with configuration details. HKEY\_CURRENT\_USER\Software\Microsoft\Windows\CurrentVersion\Run May contain entries for antivirus software that is set to run at startup. This location is often used for applications to configure themselves to start with Windows. HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Similar to the HKCU version, this key is used to launch programs automatically at startup, including potentially antivirus software, but applies to all users on the system.