-
-
Save dknoodle/5a66b8b8a3f2243f4ca5c855b323cb7b to your computer and use it in GitHub Desktop.
$userPath = $env:USERPROFILE | |
$pathExclusions = New-Object System.Collections.ArrayList | |
$processExclusions = New-Object System.Collections.ArrayList | |
$pathExclusions.Add('C:\Windows\Microsoft.NET') > $null | |
$pathExclusions.Add('C:\Windows\assembly') > $null | |
$pathExclusions.Add($userPath + '\AppData\Local\Microsoft\VisualStudio') > $null | |
$pathExclusions.Add('C:\ProgramData\Microsoft\VisualStudio\Packages') > $null | |
$pathExclusions.Add('C:\Program Files (x86)\MSBuild') > $null | |
$pathExclusions.Add('C:\Program Files (x86)\Microsoft Visual Studio 14.0') > $null | |
$pathExclusions.Add('C:\Program Files (x86)\Microsoft Visual Studio 10.0') > $null | |
$pathExclusions.Add('C:\Program Files (x86)\Microsoft Visual Studio') > $null | |
$pathExclusions.Add('C:\Program Files (x86)\Microsoft SDKs\NuGetPackages') > $null | |
$pathExclusions.Add('C:\Program Files (x86)\Microsoft SDKs') > $null | |
$processExclusions.Add('devenv.exe') > $null | |
$processExclusions.Add('dotnet.exe') > $null | |
$processExclusions.Add('msbuild.exe') > $null | |
$processExclusions.Add('node.exe') > $null | |
$processExclusions.Add('node.js') > $null | |
$processExclusions.Add('perfwatson2.exe') > $null | |
$processExclusions.Add('ServiceHub.Host.Node.x86.exe') > $null | |
$processExclusions.Add('vbcscompiler.exe') > $null | |
Write-Host "This script will create Windows Defender exclusions for common Visual Studio 2017 folders and processes." | |
Write-Host "" | |
$projectsFolder = Read-Host 'What is the path to your Projects folder? (example: c:\projects)' | |
Write-Host "" | |
Write-Host "Adding Path Exclusion: " $projectsFolder | |
Add-MpPreference -ExclusionPath $projectsFolder | |
foreach ($exclusion in $pathExclusions) | |
{ | |
Write-Host "Adding Path Exclusion: " $exclusion | |
Add-MpPreference -ExclusionPath $exclusion | |
} | |
foreach ($exclusion in $processExclusions) | |
{ | |
Write-Host "Adding Process Exclusion: " $exclusion | |
Add-MpPreference -ExclusionProcess $exclusion | |
} | |
Write-Host "" | |
Write-Host "Your Exclusions:" | |
$prefs = Get-MpPreference | |
$prefs.ExclusionPath | |
$prefs.ExclusionProcess | |
Write-Host "" | |
Write-Host "Enjoy faster build times and coding!" | |
Write-Host "" |
Note that most of process exclusions are not necessary because excluding a folder recursively excludes all sub folders and all their contents.
For Visual Studio exclusions therefore only first 14 lines are needed, the rest of the script makes no sense except project directory.
That is my setup to speed up intelisense tested and it works.
Thank you . You're the man! Took me ages to find out that Windows Defender do sabotage my projects and builds (Access Denied to EXE and sources)! And then I found you're script.
@nibor2004 just open up Windows defender and add folders to exclusion settings according to this script.
@nibor2004 It's a PowerShell script so just run the script in a PowerShell window. You will need to run PowerShell as Administrator.
Brilliant, thanks so much... major performance improvement
The process exclusions should be an absolute path, otherwise you might as well just turn off Windows Defender Real Time Protection.
The process exclusions should be an absolute path, otherwise you might as well just turn off Windows Defender Real Time Protection.
@robertbaker Could you please explain why this is? My logic would assume that only 1 process will match the file name, regardless of whether it has the full path. I don't doubt your statement, but if you can elaborate, it will be helpful as I wasn't able to find any real sources online to help explain to me why using the filename only would be a risk.
Update: I have a thought. If another (malicious) program names its process devenv.exe (for example), then it would effectively exclude itself from monitoring due to the process name match. Is this what you were thinking?
it will be helpful as I wasn't able to find any real sources online to help explain to me why using the filename only would be a risk.
Update: I have a thought. If another (malicious) program names its process devenv.exe (for example), then it would effectively exclude itself from monitoring due to the process name match. Is this what you were thinking?
There is official MS documentation that confirms this, if you specify only file name (and extension) then it will match all processes with that name. (from different path locations ofc.)
exclusion based on directory is less of a risk but it depends on following:
- if path leads to secure locations (ex. Program Files) then it is safe because installing into this location requires privileges
- otherwise it is not safe because any user may copy executable to target location.
So conclusion is that specifying full path is the safest method.
Additional list of executables in 2019:
$processExclusions.Add('ServiceHub.Host.Node.x64.exe') > $null
$processExclusions.Add('ServiceHub.Host.CLR.x86.exe') > $null
$processExclusions.Add('ServiceHub.Host.CLR.x64.exe') > $null
$processExclusions.Add('ServiceHub.RoslynCodeAnalysisService.exe') > $null
$processExclusions.Add('iisexpress.exe') > $null
$processExclusions.Add('Microsoft.VisualStudio.Web.Host.exe') > $null
$processExclusions.Add('ServiceHub.DataWarehouseHost.exe') > $null
$processExclusions.Add('ScriptedSandbox64.exe') > $null
$processExclusions.Add('ServiceHub.SettingsHost.exe') > $null
$processExclusions.Add('ServiceHub.IdentityHost.exe') > $null
$processExclusions.Add('conhost.exe') > $null
$processExclusions.Add('ServiceHub.VSDetouredHost.exe') > $null
$processExclusions.Add('vstest.console.exe') > $null
I'm having developers crippled by Defender, but MS do not recommend this action (see here)
I created an updated script with more warnings, updates for VS 2022, and some other developer tools. Use at your own risk. This definitely opens up a number of potential security vulnerabilities.
https://gist.github.com/dknoodle/959d6e9d399e51cc28957f85d4b4417f
Thanks for this! I was going to write my own, so thanks for sharing and saving us all the hassle!
BTW - I added 4 more processes to exclude:
$processExclusions.Add('testhost.exe') > $null
$processExclusions.Add('datacollector.exe') > $null
$processExclusions.Add('IntelliTrace.exe') > $null
$processExclusions.Add('CodeCoverage.exe') > $null
Thanks again!