@dknoodle
Last active October 31, 2024 14:54
Adds Windows Defender exclusions for Visual Studio 2017
$userPath = $env:USERPROFILE
$pathExclusions = New-Object System.Collections.ArrayList
$processExclusions = New-Object System.Collections.ArrayList
$pathExclusions.Add('C:\Windows\Microsoft.NET') > $null
$pathExclusions.Add('C:\Windows\assembly') > $null
$pathExclusions.Add($userPath + '\AppData\Local\Microsoft\VisualStudio') > $null
$pathExclusions.Add('C:\ProgramData\Microsoft\VisualStudio\Packages') > $null
$pathExclusions.Add('C:\Program Files (x86)\MSBuild') > $null
$pathExclusions.Add('C:\Program Files (x86)\Microsoft Visual Studio 14.0') > $null
$pathExclusions.Add('C:\Program Files (x86)\Microsoft Visual Studio 10.0') > $null
$pathExclusions.Add('C:\Program Files (x86)\Microsoft Visual Studio') > $null
$pathExclusions.Add('C:\Program Files (x86)\Microsoft SDKs\NuGetPackages') > $null
$pathExclusions.Add('C:\Program Files (x86)\Microsoft SDKs') > $null
$processExclusions.Add('devenv.exe') > $null
$processExclusions.Add('dotnet.exe') > $null
$processExclusions.Add('msbuild.exe') > $null
$processExclusions.Add('node.exe') > $null
$processExclusions.Add('node.js') > $null
$processExclusions.Add('perfwatson2.exe') > $null
$processExclusions.Add('ServiceHub.Host.Node.x86.exe') > $null
$processExclusions.Add('vbcscompiler.exe') > $null
Write-Host "This script will create Windows Defender exclusions for common Visual Studio 2017 folders and processes."
Write-Host ""
$projectsFolder = Read-Host 'What is the path to your Projects folder? (example: c:\projects)'
Write-Host ""
Write-Host "Adding Path Exclusion: " $projectsFolder
Add-MpPreference -ExclusionPath $projectsFolder
foreach ($exclusion in $pathExclusions)
{
    Write-Host "Adding Path Exclusion: " $exclusion
    Add-MpPreference -ExclusionPath $exclusion
}
foreach ($exclusion in $processExclusions)
{
    Write-Host "Adding Process Exclusion: " $exclusion
    Add-MpPreference -ExclusionProcess $exclusion
}
Write-Host ""
Write-Host "Your Exclusions:"
$prefs = Get-MpPreference
$prefs.ExclusionPath
$prefs.ExclusionProcess
Write-Host ""
Write-Host "Enjoy faster build times and coding!"
Write-Host ""
@metablaster

Note that most of the process exclusions are not necessary because excluding a folder recursively excludes all subfolders and all their contents.

For Visual Studio exclusions, therefore, only the first 14 lines are needed; the rest of the script makes no sense except the project directory.
That is my setup to speed up IntelliSense; tested, and it works.

@schroederactino

Thank you. You're the man! Took me ages to find out that Windows Defender does sabotage my projects and builds (Access Denied to EXE and sources)! And then I found your script.

@metablaster

metablaster commented Sep 25, 2019

@nibor2004 just open up Windows Defender and add folders to exclusion settings according to this script.

@dknoodle
Author

@nibor2004 It's a PowerShell script so just run the script in a PowerShell window. You will need to run PowerShell as Administrator.

@jean-neveling

Brilliant, thanks so much... major performance improvement

@robertbaker

The process exclusions should be an absolute path, otherwise you might as well just turn off Windows Defender Real Time Protection.

@travisterrell

travisterrell commented Jan 26, 2021

> The process exclusions should be an absolute path, otherwise you might as well just turn off Windows Defender Real Time Protection.

@robertbaker Could you please explain why this is? My logic would assume that only 1 process will match the file name, regardless of whether it has the full path. I don't doubt your statement, but if you can elaborate, it will be helpful as I wasn't able to find any real sources online to help explain to me why using the filename only would be a risk.

Update: I have a thought. If another (malicious) program names its process devenv.exe (for example), then it would effectively exclude itself from monitoring due to the process name match. Is this what you were thinking?

@metablaster

> it will be helpful as I wasn't able to find any real sources online to help explain to me why using the filename only would be a risk.
>
> Update: I have a thought. If another (malicious) program names its process devenv.exe (for example), then it would effectively exclude itself from monitoring due to the process name match. Is this what you were thinking?

@travisterrell

There is official MS documentation that confirms this: if you specify only the file name (and extension), then it will match all processes with that name (from different path locations, ofc).

Exclusion based on directory is less of a risk, but it depends on the following:

  1. If the path leads to a secure location (e.g. Program Files), then it is safe, because installing into this location requires privileges.
  2. Otherwise it is not safe, because any user may copy an executable to the target location.

So the conclusion is that specifying the full path is the safest method.
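
Added example (not part of the gist or of any comment in this thread): a PowerShell check for the two risks raised above, process exclusions given by file name only and exclusions located outside privileged folders. `Get-ExclusionRisk`, `Test-ProtectedLocation` and the sample entries are constructed for illustration, and the list of protected roots is an assumption about a default Windows install.

```powershell
# Added example, not the gist author's code.
function Test-ProtectedLocation {
    param([string]$Path)
    # Assumption: on a default install only elevated users can write under these roots.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }
    $candidate = $Path.TrimEnd('\') + '\'
    foreach ($root in $roots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($candidate.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ExclusionRisk {
    param([string[]]$ExclusionPath = @(), [string[]]$ExclusionProcess = @())

    foreach ($entry in $ExclusionProcess) {
        # Expand %VAR% placeholders so they are not mistaken for bare names.
        $full = [Environment]::ExpandEnvironmentVariables($entry)
        $finding = if ($full -notmatch '^([A-Za-z]:\\|\\\\)') {
            'Name only: matches a process with this name started from any folder'
        } elseif (-not (Test-ProtectedLocation $full)) {
            'Full path outside the protected roots: check who can write there'
        } else {
            'Full path under a protected root'
        }
        [pscustomobject]@{ Type = 'Process'; Entry = $entry; Finding = $finding }
    }
    foreach ($entry in $ExclusionPath) {
        $full = [Environment]::ExpandEnvironmentVariables($entry)
        $finding = if (Test-ProtectedLocation $full) {
            'Under a protected root'
        } else {
            'Outside the protected roots: check who can write there'
        }
        [pscustomobject]@{ Type = 'Path'; Entry = $entry; Finding = $finding }
    }
}

# Constructed sample entries. On a real machine, from an elevated prompt:
#   $prefs = Get-MpPreference
#   Get-ExclusionRisk -ExclusionPath $prefs.ExclusionPath -ExclusionProcess $prefs.ExclusionProcess
Get-ExclusionRisk `
    -ExclusionPath 'C:\Program Files (x86)\MSBuild', 'c:\projects' `
    -ExclusionProcess 'devenv.exe', 'C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\devenv.exe' |
    Format-Table -AutoSize
```

Entries reported as name only can be replaced with the absolute path of the intended binary; entries outside the protected roots need a look at the folder's ACL before they are trusted.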

@travisterrell

travisterrell commented Jan 26, 2021 via email

@windhandel

Additional list of executables in 2019:

$processExclusions.Add('ServiceHub.Host.Node.x64.exe') > $null
$processExclusions.Add('ServiceHub.Host.CLR.x86.exe') > $null
$processExclusions.Add('ServiceHub.Host.CLR.x64.exe') > $null
$processExclusions.Add('ServiceHub.RoslynCodeAnalysisService.exe') > $null
$processExclusions.Add('iisexpress.exe') > $null
$processExclusions.Add('Microsoft.VisualStudio.Web.Host.exe') > $null
$processExclusions.Add('ServiceHub.DataWarehouseHost.exe') > $null
$processExclusions.Add('ScriptedSandbox64.exe') > $null
$processExclusions.Add('ServiceHub.SettingsHost.exe') > $null
$processExclusions.Add('ServiceHub.IdentityHost.exe') > $null
$processExclusions.Add('conhost.exe') > $null
$processExclusions.Add('ServiceHub.VSDetouredHost.exe') > $null
$processExclusions.Add('vstest.console.exe') > $null

@Stampe77

I'm having developers crippled by Defender, but MS do not recommend this action (see here)

@dknoodle
Author

I created an updated script with more warnings, updates for VS 2022, and some other developer tools. Use at your own risk. This definitely opens up a number of potential security vulnerabilities.

https://gist.github.com/dknoodle/959d6e9d399e51cc28957f85d4b4417f
