WMI Security Center productState clarification
I'm querying the WMI for "SELECT * FROM AntivirusProduct" on SecurityCenter2 (I'm on Windows 7 at the moment).
I'm having a hard time trying to find what the numbers in productState mean, including AntiSpyware and Firewall as well. Is there any reference for this out there? I want to make sure I can get the correct product states on any Vista or 7 machine (in case these numbers vary from machine to machine).
There's no official documentation on the productState values. The only info I could find is this article, which makes assumptions about the meaning of the productState value based on a byte-by-byte analysis of the value.
The productState values seem to be a bit set that is not documented except through an NDA with Microsoft. It should be possible to map the values returned with the products installed and their state. You could install a single AV product, record its state, then have its virus definitions go out of date, then check how the value changes. There seems to be a limited set of typical values.
Reference: https://bigfix.me/analysis/details/2998358
Here are the productState values I have found from 34 different AV products across over 10000 endpoints, which could help reverse engineer the meaning:
(Decimal, Hex, Bit Set)
262144, 40000, 1000000000000000000
262160, 40010, 1000000000000010000
266240, 41000, 1000001000000000000
270336, 42000, 1000010000000000000
327680, 50000, 1010000000000000000
327696, 50010, 1010000000000010000
331776, 51000, 1010001000000000000
344064, 54000, 1010100000000000000
393216, 60000, 1100000000000000000
393232, 60010, 1100000000000010000
393472, 60100, 1100000000100000000
393488, 60110, 1100000000100010000
397312, 61000, 1100001000000000000
397328, 61010, 1100001000000010000
397568, 61100, 1100001000100000000
397584, 61110, 1100001000100010000
458752, 70000, 1110000000000000000
458768, 70010, 1110000000000010000
462848, 71000, 1110001000000000000
462864, 71010, 1110001000000010000
For anyone else, I've found that when converted to Hex, the third character pretty reliably indicates whether or not any particular antivirus product is enabled. (1 = Enabled, 0 = Disabled)
Here's a PowerShell one-liner I wrote to determine if Windows Defender is Enabled or not. You can replace the string to match whichever antivirus product you want.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | ForEach-Object {if($($_.displayName) -eq "Windows Defender"){if("$($([Convert]::ToString($($_.productState), 16)).PadLeft(6,"0"))".Substring(2,1) -eq "1"){Write-Host "Windows Defender is Enabled"}else{Write-Host "Windows Defender is Disabled"}}}
I can't say for certain that every antivirus product correctly reports its product state, but I imagine all the mainstream ones must. I can confirm this also works with Symantec Endpoint Protection.