<#
.SYNOPSIS
Stop all Anti-Virus processes and services, optionally disable the services.
.DESCRIPTION
For those times when you need to temporarily stop Anti-Virus programs in order
to complete other tasks, such as installing software. This script filters
running processes and services using a master list of Anti-Virus products path names.
Optionally, you can choose to disable the filtered services as well.
.NOTES
File Name : killAV.ps1
Author : Jasmine English - jengl003@fiu.edu
Requires : PowerShell V2, AVListMaster.txt
.LINK
https://github.com/theRedmage/ITAuto-KillAV
#>
#--------------------------------------------------------------------------------------------
# SOURCES:
#--------------------------------------------------------------------------------------------
# Microsoft TechNet Library <technet.microsoft.com>
# Hey, Scripting Guy! <http://blogs.technet.com/b/heyscriptingguy/>
#--------------------------------------------------------------------------------------------
#--------------------------------------------------------------------------------------------
# Variables - Please redefine them as needed, or use the defaults
#--------------------------------------------------------------------------------------------
#--------------------------------------------------------------------------------------------
# REVIEW NOTES (operations / security):
# - Everything below (Win32_Service.StopService, Win32_Process.Terminate, ChangeStartMode)
#   is a privileged change to the endpoint's protection. It may be refused by the product's
#   tamper protection (the "access denied" branches further down) and should be expected to
#   show up in security monitoring. Run it only under change control, with the security team
#   aware of the maintenance window, and make sure protection is restored afterwards.
# - The master list read from $WorkDir decides exactly which processes and services are
#   stopped, so that file is a trust boundary: keep the directory writable by administrators
#   only and review the list before each run.
# - $ErrorActionPreference = "SilentlyContinue" hides every non-terminating error for the
#   whole script, including a missing list file, so the script can print "Finished!" having
#   done nothing. Logging failures instead of suppressing them makes runs auditable.
#--------------------------------------------------------------------------------------------
# Suppresses all non-terminating errors for the remainder of the script (see notes above).
$ErrorActionPreference = "SilentlyContinue"
# Hardcoded path; the trailing backslash matters because the list filename is appended
# with plain string concatenation below (no Join-Path).
$WorkDir = "F:\Documents\School\IT Automation\KillAV\" # Directory of script
# A single wildcard pattern (used with -notlike); the ForEach loops below iterate it as a
# one-element list. Replace with an array to exclude several paths.
$AVListExclude = "*Program Files*\PowerGUI\*" # List of AV paths to exclude
$DisableAVService = $false # Disable AV services to stop them
# from loading on reboot
# NOTE(review): the .NOTES header says AVListMaster.txt but this loads AVListMaster_a.txt.
# With SilentlyContinue, a missing file yields nothing here and both match loops below
# simply find nothing.
$AVListMaster = Get-Content -Path ($WorkDir+"AVListMaster_a.txt") # Master list of AV paths
# Initialised as empty arrays; note that $tempProcs / $tempServs, which are built with +=
# below, are never initialised.
$AVServs = @()
$AVProcs = @()
#--------------------------------------------------------------------------------------------
# Functions...
#--------------------------------------------------------------------------------------------
Write-Host -ForegroundColor Blue "Starting KillAV script..."
##Get AV processes and services
#
# Every entry of the master list is a wildcard pattern matched against the process image
# path. WMI is queried once per list entry.
ForEach($line in $AVListMaster)
{
$tempProcs += Get-WmiObject -Class Win32_Process |
Where-Object {$_.Path -like $line}
}
# Same patterns matched against the service's PathName (the service binary command line).
ForEach($line in $AVListMaster)
{
$tempServs += Get-WmiObject -Class Win32_Service |
Where-Object {$_.PathName -like $line}
}
#
##
##Remove exclusions
#
# $AVProcs / $AVServs are only assigned inside this branch; with an empty exclude list
# they keep the empty arrays set above.
if ($AVListExclude -ne "")
{
# Each iteration re-filters $tempProcs from scratch, so only the last exclusion pattern
# is in effect when more than one is configured.
ForEach($line in $AVListExclude)
{
$AVProcs = @($tempProcs | Where-Object {$_.Path -notlike $line})
}
# NOTE(review): the match loop above used PathName, but this filter reads Path. Win32_Service
# objects do not appear to expose a Path property — confirm; as written the service exclusion
# likely compares against $null and excludes nothing.
ForEach($line in $AVListExclude)
{
$AVServs = @($tempServs | Where-Object {$_.Path -notlike $line})
}
}
#
##
##Stop AV service (Modified from Source (1))
#
foreach ($Service in $AVServs)
{
$ServName = $Service.Name
# NOTE(review): Win32_Service.Status is the health string (e.g. "OK"); the run state
# (Running/Stopped) is the State property — confirm which one the log line intends.
$ServStatus = $Service.Status
Write-Host -ForegroundColor DarkBlue "Service $ServName status is $ServStatus"
# AcceptStop is the service's own flag for whether it honours stop requests.
if ($Service.AcceptStop)
{
Write-Host -ForegroundColor DarkBlue "Stopping the $ServName service now ..."
$rtn = $Service.StopService()
# Return codes of Win32_Service.StopService; 0 is success, everything else is reported
# and the script moves on (no retry, no abort).
Switch ($rtn.Returnvalue)
{
0 {Write-Host -foregroundcolor green "Service $ServName stopped"}
2 {Write-Host -foregroundcolor red "Service $ServName reports access denied"}
5 {Write-Host -ForegroundColor red "Service $ServName cannot accept control at this time"}
10 {Write-Host -ForegroundColor red "Service $ServName is already stopped"}
DEFAULT {Write-Host -ForegroundColor red "Service $ServName service reports ERROR $($rtn.ReturnValue)"}
}
}
else
{
Write-Host -ForegroundColor magenta "$ServName will not accept a stop request"
}
}
#
##
##Stop AV process (Modified from Sources (2), (3))
#
foreach ($Process in $AVProcs)
{
# $Process is already a single object here, so this inner ForEach-Object adds nothing;
# note the body refers to $Process rather than $_.
$Process | ForEach-Object {
$ProcName = $Process.Name
$rtn = $Process.Terminate()
# Return codes of Win32_Process.Terminate. Unlike the service switch above there is no
# DEFAULT arm, so an unlisted return value produces no output at all.
switch ($rtn.ReturnValue)
{
0 {Write-Host -foregroundcolor green "Process $ProcName stopped"}
2 {Write-Host -foregroundcolor red "Process $ProcName reports access denied"}
3 {Write-Host -foregroundcolor red "Process $ProcName reports insufficient privilege"}
8 {Write-Host -foregroundcolor red "Process $ProcName reports unknown failure"}
9 {Write-Host -foregroundcolor red "Path not found for $ProcName"}
21 {Write-Host -foregroundcolor red "Invalid WMI parameter"}
}
}
}
#
##
##Prevent stopped AV service from starting up again after system restart
#
# Off by default ($DisableAVService = $false). This is a persistent configuration change,
# so anything disabled here has to be re-enabled explicitly when the maintenance is done.
if ($DisableAVService)
{
foreach ($Service in $AVServs)
{
# The return value of ChangeStartMode is not inspected, so a refused change is reported
# as "disabled" below.
$Service.ChangeStartMode("Disabled")
# NOTE(review): $ServName is not set in this loop; it still holds the last name from the
# stop loop above, so this message can name the wrong service. $Service.Name is the
# value intended here.
Write-Host -foregroundcolor green "Service $ServName disabled."
}
}
#
##
Write-Host -ForegroundColor Blue "Finished!"