M2Team/NanaRun

Can MinSudo operate beyond the privileges of Windows Defender?

Closed this issue · 2 comments

I'm building a set of scripts to auto-configure Windows post-installation, and I need to modify certain registry values which seem to be locked by the Windows Defender process.

Example:

# sudo --privileged --system --nologo ^
  reg ^
    add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" ^
    /v "C:\tmp" ^
    /t REG_DWORD ^
    /d 0
    
ERROR: Access is denied.

But the Windows Security UWP app itself can access and modify these values no problem.

Am I unable to modify these entries or force-kill the Defender process because of the Defender driver that loads at boot?

Without access to the source code one can only speculate, but it could be enforcing extra security checks in the userland code.

All Windows Security processes run under the SYSTEM user as shown by the Task Manager:
[screenshot: Task Manager showing the Windows Security processes running as SYSTEM]

But despite being the nt authority\system user under MinSudo, I am incapable of affecting any Defender entries. I wonder how Group Policy does it; I suppose it writes to a different key.

I think you need TrustedInstaller mode in MinSudo.

Kenji Mouri

That solved the issue. Thanks!
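As an added example (not code from this thread or from NanaRun), the following PowerShell script performs the write the way the reply above suggests, in MinSudo's TrustedInstaller mode, and adds the two checks a practitioner would want around it: it prints the key's DACL first so the "Access is denied" has an explanation rather than a guess, and it verifies afterwards through Get-MpPreference rather than trusting an exit code. Assumptions: MinSudo.exe is on PATH and spells its options --NoLogo and --TrustedInstaller (confirm against your build's usage text), and the exclusion path C:\tmp is a placeholder.

```powershell
# Added example, not code from the thread or from NanaRun. Assumes MinSudo.exe is
# on PATH and accepts --NoLogo and --TrustedInstaller (check your build's usage
# text); the exclusion path 'C:\tmp' is a placeholder.
#Requires -RunAsAdministrator

$KeyPs  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'   # PowerShell provider form
$KeyReg = 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'    # reg.exe form
$Path   = 'C:\tmp'

# 1. Inspect the key's DACL: list the owner and every principal that holds a
#    write-capable right. This shows which token the write actually requires.
$acl = Get-Acl -Path $KeyPs
"Owner: $($acl.Owner)"
foreach ($ace in $acl.Access) {
    if ($ace.RegistryRights -match 'FullControl|SetValue|CreateSubKey|WriteKey') {
        '  {0,-40} {1,-6} {2}' -f $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights
    }
}

# 2. Try the write as TrustedInstaller. MinSudo launches reg.exe under a
#    TrustedInstaller token; a SYSTEM token (MinSudo --System) is a different
#    principal and is not what the DACL above grants write access to.
$regArgs = "add `"$KeyReg`" /v `"$Path`" /t REG_DWORD /d 0 /f"
$proc = Start-Process -FilePath 'MinSudo.exe' `
    -ArgumentList "--NoLogo --TrustedInstaller reg.exe $regArgs" `
    -NoNewWindow -Wait -PassThru
"MinSudo exit code: $($proc.ExitCode)"

# 3. Verify through Defender's own view of its configuration, not just the
#    registry, so a write that Defender rejects or later reverts is caught.
$excl = (Get-MpPreference).ExclusionPath
if ($excl -contains $Path) {
    "OK: Defender now excludes $Path"
} else {
    "NOT applied: $Path is absent from Get-MpPreference (Tamper Protection or policy may block it)"
}
```

Two practical notes. First, the Windows Security app does not write this key with its own token; it asks the Defender service to change the preference, which is also what `Add-MpPreference -ExclusionPath 'C:\tmp'` does from an elevated prompt, so that cmdlet is the supported route when a TrustedInstaller token is not available. Second, on managed devices where Tamper Protection covers exclusions, even a TrustedInstaller write can be refused or reverted, which is why the script reads the state back instead of treating a zero exit code as success.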