I was able to build the Samples/AmsiProvider in VS 2017 after adding runtimeobject.lib as a linker dependency. It registered fine and added the AMSI reference registry key successfully. I followed the steps for logging and can get an ETL file, and then dump the XML using tracerpt. However, I'm only seeing the Close session logs, and nothing from the Scan function, like Scan Start or Attributes. I've run a variety of PowerShell commands, including Mimikatz, and other things that Windows Defender alerts on, as well as some benign Write-Host commands and calc.exe. Any idea why Scan wouldn't get invoked or trace logged? Thanks!
I suspect that your system has other providers that are taking priority. Look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers / HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\AMSI\Providers and see if there are any providers other than the sample one. If you see others, then temporarily rename them out of the way in order to let the sample provider be the one to do the scanning.
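To check the two provider keys mentioned above without editing anything, here is an added PowerShell snippet (not code from this thread or from the AmsiProvider sample). It lists every CLSID registered under both the 64-bit and the Wow6432Node provider keys and resolves each one to its InprocServer32 DLL, so you can see which providers are registered alongside the sample before renaming any of them. The `Get-AmsiProvider` function name is mine; the CLSID-to-InprocServer32 lookup is standard COM registration, and the `(default)` value under a provider key is assumed to hold the display name, which is what the sample's registration writes.

```powershell
# Added example, not from the thread or the AmsiProvider sample.
# Enumerates AMSI provider registrations and resolves each CLSID to the DLL
# that AMSI will load, for both the 64-bit and the WOW64 registry views.

function Get-AmsiProvider {
    [CmdletBinding()]
    param()

    # Provider list keys and the matching CLSID hive for each registry view.
    # Each subkey name under Providers is a COM CLSID.
    $views = @(
        @{ Name      = 'x64'
           Providers = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
           Clsid     = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Name      = 'x86'
           Providers = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\AMSI\Providers'
           Clsid     = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )

    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Providers)) { continue }

        Get-ChildItem -LiteralPath $view.Providers | ForEach-Object {
            $clsid = $_.PSChildName

            # Assumption: the provider key's default value is a display name
            # (the sample registers one; other vendors may leave it empty).
            $displayName = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).'(default)'

            # InprocServer32's default value is the DLL that CoCreateInstance loads.
            $inproc = Join-Path $view.Clsid "$clsid\InprocServer32"
            $dll = $null
            if (Test-Path -LiteralPath $inproc) {
                $dll = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            }

            [PSCustomObject]@{
                View        = $view.Name
                Clsid       = $clsid
                DisplayName = $displayName
                Dll         = $dll
                DllExists   = if ($dll) { Test-Path -LiteralPath $dll } else { $false }
            }
        }
    }
}

# Usage: run from a 64-bit PowerShell so both registry views are visible.
Get-AmsiProvider | Format-Table -AutoSize
```

Any row whose CLSID is not the sample's is a candidate for the "other providers" case; a row with `DllExists` false is a stale registration that will fail to load rather than take priority.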
@oldnewthing
Hello,
About AMSI provider priority:
I found that on recent versions of Win10 and on Win11, multiple AMSI providers can coexist (every AMSI provider DLL's IAntimalwareProvider::Scan can be called).
I would like to ask: starting from which Windows version can multiple AMSI providers coexist?