
AmsiProvider example doesn't log any scan events #40

Closed
Tracked by #324
mvbrock opened this issue Apr 26, 2018 · 2 comments

Comments


mvbrock commented Apr 26, 2018

I was able to build the Samples/AmsiProvider in VS 2017 after adding runtimeobject.lib as a linker dependency. It registered fine and added the AMSI reference registry key successfully. I followed the steps for logging and can get an ETL file, and then dump the XML using tracerpt. However, I'm only seeing the Close session logs, and nothing from the Scan function, like Scan Start or Attributes. I've run a variety of PowerShell commands, including Mimikatz and other things that Windows Defender alerts on, as well as some benign Write-Host commands and calc.exe. Any idea why Scan wouldn't get invoked or trace-logged? Thanks!

@oldnewthing (Member) commented

I suspect that your system has other providers that are taking priority. Look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers / HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AMSI\Providers and see if there are any providers other than the sample one. If you see others, then temporarily rename them out of the way in order to let the sample provider be the one to do the scanning.
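The check suggested above, written out as an added example (this is not part of the issue thread and not code from the AmsiProvider sample): enumerate both provider keys, resolve each registered CLSID to its friendly name and in-proc DLL so that you can tell the sample apart from Defender or a third-party engine, and show the rename step as an opt-in switch. The `-Disable` switch and the `.disabled` suffix are assumptions of this example, not anything the AMSI documentation defines. Run it from an elevated PowerShell, since renaming keys under HKLM needs administrator rights.

```powershell
<#
  Added example (not from the AmsiProvider sample): list every AMSI provider
  registered on this machine and resolve each CLSID to its DLL, so you can see
  whether a provider other than the sample is taking the scan calls.
  64-bit processes read the first key, 32-bit processes read the Wow6432Node key.
  -Disable (an assumption of this example) renames every key whose DLL path does
  not match -Keep out of the way by appending ".disabled"; rename them back when done.
#>
param(
    [string]$Keep = 'AmsiProvider.dll',   # substring of the DLL path you want to stay active
    [switch]$Disable
)

$roots = @(
    @{ Providers = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers';            Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Providers = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\AMSI\Providers'; Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
)

foreach ($root in $roots) {
    if (-not (Test-Path $root.Providers)) {
        Write-Host "$($root.Providers) : key not present"
        continue
    }
    Write-Host "== $($root.Providers)"

    $entries = Get-ChildItem -Path $root.Providers | ForEach-Object {
        $clsid    = $_.PSChildName
        $clsidKey = Join-Path $root.Clsid $clsid
        # '(default)' is how Get-ItemProperty exposes a key's default value
        $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path (Join-Path $clsidKey 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            CLSID = $clsid
            Name  = $name
            Dll   = $dll
            Key   = $_.PSPath
        }
    }

    $entries | Format-Table CLSID, Name, Dll -AutoSize

    if ($Disable) {
        foreach ($e in $entries) {
            if ($e.Dll -and $e.Dll -like "*$Keep*") { continue }   # leave the sample alone
            $newName = "$($e.CLSID).disabled"
            Write-Host "Renaming $($e.CLSID) -> $newName"
            Rename-Item -Path $e.Key -NewName $newName
        }
    }
}
```

A provider whose DLL does not resolve (empty `Dll` column) is still registered and still counts, so rename it too while testing. Anything you rename should be put back afterwards; with the other providers moved aside, a fresh PowerShell process will have only the sample to call, and its Scan events should then show up in the ETL trace.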

@ch1990421 commented

> I suspect that your system has other providers that are taking priority. Look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers / HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AMSI\Providers and see if there are any providers other than the sample one. If you see others, then temporarily rename them out of the way in order to let the sample provider be the one to do the scanning.

@oldnewthing hello,
About AMSI provider priority:
I found that on recent builds of Windows 10 and on Windows 11, multiple AMSI providers can coexist (every registered AMSI provider DLL's IAntimalwareProvider::Scan gets called).

I would like to ask: starting from which Windows version can multiple AMSI providers coexist?
