I am trying to query the local machine for information about the status of the different services in Windows Security, such as Windows Defender and the firewall, using WMI from System.Management. For testing purposes I am working in a console project and I am just trying to access MSFT_MpComputerStatus and properties like AMServiceEnabled, but no matter what I do an exception is thrown when I try to foreach through the collection.

I am very new to WMI so it might just be something I have missed, but I have been trying to get this to work for a few days now. Through my search I found a few different code examples showing how to access properties of classes, such as: (For finding everything in a class)

(For accessing properties on a specific ManagementObject instance)

(Using the WMI code creator tool was suggested here)

I tried all of these using the namespace: root\\Microsoft\\Windows\\Defender and class: MSFT_MpComputerStatus but nothing worked.

Below is the code the tool made and even this fails in both my console application and the tool itself.

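    using System;
    using System.Management; // needs a reference to System.Management

    class Program
    {
        static void Main()
        {
            try
            {
                // Query the Defender status class in its WMI namespace.
                ManagementObjectSearcher searcher =
                    new ManagementObjectSearcher("root\\Microsoft\\Windows\\Defender",
                        "SELECT * FROM MSFT_MpComputerStatus");

                // The exception described below is thrown when this loop starts enumerating.
                foreach (ManagementObject queryObj in searcher.Get())
                {
                    Console.WriteLine("-----------------------------------");
                    Console.WriteLine("MSFT_MpComputerStatus instance");
                    Console.WriteLine("-----------------------------------");
                    Console.WriteLine("AMServiceEnabled: {0}", queryObj["AMServiceEnabled"]);
                    Console.WriteLine("AntispywareEnabled: {0}", queryObj["AntispywareEnabled"]);
                }
            }
            catch (Exception e)
            {
                // Print the full exception, then rethrow it unchanged.
                Console.WriteLine(e);
                throw;
            }
        }
    }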

This should return some bool values indicating whether the services are on or off, but once it reaches the foreach loop this exception is thrown: "System.Management.ManagementException: This method is not implemented in any class". Am I missing something here? Is there some other way to get the information I need using WMI?

Edit: After some more searching I also found that MSFT_MpComputerStatus also exists in the root\\Microsoft\\protectionManagement namespace, but using this namespace produces the same result.

Edit 2: It is a settings problem. Tested the above code on 3 company development PCs and one non-development PC, and the code worked fine on the non-development PC. If I find what the culprit is I will post it here.

Edit 3: It is our antivirus system (Bitdefender) that is the root of the problem. Working on finding a workaround, if any.

Edit 4: See my own answer.

FrederikTG
  • Your code is fine (also tested on a Win 10 machine). Please check that you are meeting the minimum requirements for this class. **From MSDN** Minimum supported client: Windows 8.1 [desktop apps only]. Minimum supported server: Windows Server 2012 R2 [desktop apps only]. – styx Mar 28 '19 at 07:35
  • Hey @styx, my PC is running Windows 10 Enterprise V 1809. The console application is targeting .NET Framework 4.6.1 and I am developing in Visual Studio 2017 (run as admin). – FrederikTG Mar 28 '19 at 08:18
  • Have you changed any Defender properties on this machine? – styx Mar 28 '19 at 09:48
  • You can use the **WMI code creator** to view the available namespaces/classes etc. on your computer. You can do this via "Browse the namespaces on this computer" and check that your desired namespace is there. – styx Mar 28 '19 at 10:00
  • @styx Nothing at all. The machine is less than a month old so I have barely customised the machine. It is however a work PC, so maybe they have changed something when they first set up the machine. Did you have any settings in mind that might be causing my problem? – FrederikTG Mar 28 '19 at 10:05
  • @styx When I look at the namespace and class through the WMI code creator they show up as expected, but when I try to search for property values through the program the same error occurs (written to the "Results" part next to the "Search for Property Values" button). – FrederikTG Mar 28 '19 at 10:17
  • @styx So I just tested the code block from my post as a released application on my own PC, two of my colleagues' PCs and a clean non-development PC. The app only worked on the non-development PC, meaning there is something about the setup of our development PCs that prevents checking the status of Defender. Right now I do not know what, but if I figure that out later I will post here. – FrederikTG Mar 28 '19 at 10:37
  • Please try to check any other class under the same namespace (like `MSFT_MpThreat`) to see if the problem still occurs. – styx Mar 28 '19 at 10:56
  • @styx I tried MSFT_MpThreat as you suggested and it does not throw an exception. It does come back empty since there are no current threats. MSFT_MpPreference returns values as expected. – FrederikTG Mar 28 '19 at 11:38

1 Answer

When Windows Defender is completely disabled (which most AV software seems to do when it is installed), access to that class is lost but it is still visible. To get the status of Windows Security in general other methods must be used, such as the SecurityCenter2 namespace (not officially supported), the wscapi (C++) or through some PowerShell commands.

FrederikTG
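The fallback the answer describes, as an added example that is not part of the original post: try `MSFT_MpComputerStatus` first and, when the query throws `ManagementException`, list the products registered in `root\SecurityCenter2` instead. Assumptions: the `productState` bit meanings in `Decode` are the commonly reported ones for this undocumented field, and the names `SecurityStatus`, `Decode` and `TryDefenderStatus` are illustrative.

```csharp
using System;
using System.Management; // needs a reference to System.Management

static class SecurityStatus
{
    // Assumption: productState is undocumented. These bit meanings are the
    // commonly reported ones, not an official contract.
    static string Decode(uint state)
    {
        bool enabled = (state & 0x1000) != 0;  // assumed: real-time protection on
        bool upToDate = (state & 0x10) == 0;   // assumed: signatures current
        return string.Format("enabled={0}, upToDate={1}", enabled, upToDate);
    }

    static bool TryDefenderStatus()
    {
        try
        {
            using (var searcher = new ManagementObjectSearcher(
                @"root\Microsoft\Windows\Defender", "SELECT * FROM MSFT_MpComputerStatus"))
            foreach (ManagementObject o in searcher.Get())
                Console.WriteLine("Defender: AMServiceEnabled={0}, AntispywareEnabled={1}",
                    o["AMServiceEnabled"], o["AntispywareEnabled"]);
            return true;
        }
        catch (ManagementException e)
        {
            // The case from the question: the class is visible but cannot be queried.
            Console.WriteLine("MSFT_MpComputerStatus unavailable: {0}", e.ErrorCode);
            return false;
        }
    }

    static void Main()
    {
        if (TryDefenderStatus()) return;
        try
        {
            // Fallback: products registered with Security Center (client editions of Windows).
            using (var searcher = new ManagementObjectSearcher(
                @"root\SecurityCenter2", "SELECT * FROM AntiVirusProduct"))
            foreach (ManagementObject o in searcher.Get())
                Console.WriteLine("{0}: {1} (productState=0x{2:X6})", o["displayName"],
                    Decode(Convert.ToUInt32(o["productState"])), o["productState"]);
        }
        catch (ManagementException e)
        {
            // The namespace can be missing, for example on server editions.
            Console.WriteLine("SecurityCenter2 query failed: {0}", e.ErrorCode);
        }
    }
}
```

Log the raw `productState` value alongside the decoded flags so a wrong bit assumption can be spotted later.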