1

I can detect through code whether or not Antivirus is installed and/or running, through code similar to:

    public static bool IsAntivirusInstalled()
    {
        // Note: Windows 10 and Windows Server use different methods. I must take that into account in a future version. \root\SecurityCenter2 does not exist on server editions.

        // https://stackoverflow.com/questions/1331887/detect-antivirus-on-windows-using-c-sharp
        string wmipathstr = @"\\" + Environment.MachineName + @"\root\SecurityCenter2";
        try
        {
            ManagementObjectSearcher searcher = new ManagementObjectSearcher(wmipathstr, "SELECT * FROM AntivirusProduct");
            ManagementObjectCollection instances = searcher.Get();
            //foreach (ManagementObject virusChecker in wmiData)
            //{
            //    var virusCheckerName = virusChecker["displayName"];
            //}

            return instances.Count > 0;
        }

        catch (Exception e)
        {
            Console.WriteLine(e.Message);
        }

        return false;
    }

I want to be able through code to display the Windows Security Center Virus and Threat Protections area if the user has antivirus protection turned off. My application requires antivirus to be running and I am required to check for its presence.

One method was to open gpedit.msc but that is too dangerous, so the task is to display the appropriate Settings area for the user, not to change it, just to display it.

Response to Comment

The answer produces this screen, still I do not believe that a user should see key actions independent of my desktop.

My Start Menu

Sarah Weinberger
  • Any antivirus or only Windows Security Center Virus and Threat Protections? – Sudip Shrestha Jul 11 '20 at 15:03
  • @SudipShrestha The Windows Security Center includes administration of other antivirus software, such as McAfee. To answer your question, I just wanted to open the WSC applet for the user and bring that to the front. – Sarah Weinberger Jul 11 '20 at 15:34

2 Answers

0

We can check the registry for the status.

  1. Add Microsoft.Win32.Registry from NuGet.
  2. Check for registry status.

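    using System.Linq;      // needed for Contains() on the value-name array
    using Microsoft.Win32;
    // ...
    static bool IsWindowsVirusProtectionEnabledAsync()
    {
        // Reads OnboardingState under "Windows Advanced Threat Protection\Status"
        // and returns true only when the value exists and equals 1.
        using (var subKey = Registry.LocalMachine.OpenSubKey(
            @"SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status", false))
        {
            return subKey != null &&
                   subKey.GetValueNames().Contains("OnboardingState") &&
                   subKey.GetValue("OnboardingState").Equals(1);
        }
    }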

Also please read this. There might be other keys you might need to watch out for such as DisableAntiSpyware and DisableAntiVirus. I am not 100% sure about this.

Edit 2: I was unable to find a shortcut or cmd line to open "Virus & Threat Window", however, I can manually start it:

Manually start the app

So, a bit of a hack method would be to start it manually by emulating the keyboard to start the "Virus & Threat Window": (it is a bit of a hack but it does work for me).

    // Requires: using System; using System.Runtime.InteropServices; using System.Threading;

    [DllImport("user32.dll", SetLastError = true)]
    static extern void keybd_event(byte bVk, byte bScan, int dwFlags, int dwExtraInfo);

    const int KEYEVENTF_KEYDOWN = 0x0000; // New definition: no flag set means key down
    const int KEYEVENTF_EXTENDEDKEY = 0x0001; // Extended-key flag
    const int KEYEVENTF_KEYUP = 0x0002; // Key up flag

    const int VK_ESCAPE = 0x1B;

    const int VK_0 = 0x30;
    const int VK_1 = 0x31;
    const int VK_2 = 0x32;
    const int VK_3 = 0x33;
    const int VK_4 = 0x34;
    const int VK_5 = 0x35;
    const int VK_6 = 0x36;
    const int VK_7 = 0x37;
    const int VK_8 = 0x38;
    const int VK_9 = 0x39;

    const int VK_A = 0x41;
    const int VK_B = 0x42;
    const int VK_C = 0x43;
    const int VK_D = 0x44;
    const int VK_E = 0x45;
    const int VK_F = 0x46;
    const int VK_G = 0x47;
    const int VK_H = 0x48;
    const int VK_I = 0x49;
    const int VK_J = 0x4A;
    const int VK_K = 0x4B;
    const int VK_L = 0x4C;
    const int VK_M = 0x4D;
    const int VK_N = 0x4E;
    const int VK_O = 0x4F;
    const int VK_P = 0x50;
    const int VK_Q = 0x51;
    const int VK_R = 0x52;
    const int VK_S = 0x53;
    const int VK_T = 0x54;
    const int VK_U = 0x55;
    const int VK_V = 0x56;
    const int VK_W = 0x57;
    const int VK_X = 0x58;
    const int VK_Y = 0x59;
    const int VK_Z = 0x5A;

    const int VK_LCONTROL = 0xA2; // Left Control key code
    const int VK_SHIFT = 0x10;
    const int VK_SPACE = 0x20;
    const int VK_RETURN = 0x0D;

    static void StartVirusAndThreatProtectionUI()
    {
        Console.WriteLine("Starting...");

        // Ctrl+Esc opens the Start menu
        keybd_event(VK_LCONTROL, 0, KEYEVENTF_KEYDOWN, 0);
        keybd_event(VK_ESCAPE, 0, KEYEVENTF_KEYDOWN, 0);
        keybd_event(VK_ESCAPE, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_LCONTROL, 0, KEYEVENTF_KEYUP, 0);
        Thread.Sleep(1000); // in case the computer is slow

        // Type "virus"
        keybd_event(VK_V, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_V, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_I, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_I, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_R, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_R, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_U, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_U, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_S, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_S, 0, KEYEVENTF_KEYUP, 0);

        keybd_event(VK_SPACE, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_SPACE, 0, KEYEVENTF_KEYUP, 0);

        // Shift+7 types "&" on a US keyboard layout
        keybd_event(VK_SHIFT, 0, KEYEVENTF_KEYDOWN, 0);
        keybd_event(VK_7, 0, KEYEVENTF_KEYDOWN, 0);
        keybd_event(VK_7, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_SHIFT, 0, KEYEVENTF_KEYUP, 0);

        keybd_event(VK_SPACE, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_SPACE, 0, KEYEVENTF_KEYUP, 0);

        // Type "threat"
        keybd_event(VK_T, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_T, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_H, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_H, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_R, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_R, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_E, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_E, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_A, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_A, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_T, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_T, 0, KEYEVENTF_KEYUP, 0);

        keybd_event(VK_SPACE, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_SPACE, 0, KEYEVENTF_KEYUP, 0);

        // Type "protection"
        keybd_event(VK_P, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_P, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_R, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_R, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_O, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_O, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_T, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_T, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_E, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_E, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_C, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_C, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_T, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_T, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_I, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_I, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_O, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_O, 0, KEYEVENTF_KEYUP, 0);
        keybd_event(VK_N, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_N, 0, KEYEVENTF_KEYUP, 0);

        Thread.Sleep(1000); // In case the search takes time...

        // Enter launches the top search result
        keybd_event(VK_RETURN, 0, KEYEVENTF_KEYDOWN, 0); keybd_event(VK_RETURN, 0, KEYEVENTF_KEYUP, 0);

        Console.WriteLine("Hopefully Done.");
    }

Sudip Shrestha
  • I will add this method to my class, as it is nice to know and your version might work with Windows Server 2016/9, which would be nice to know, but I already have a function to tell me if antivirus is installed and/or enabled. What I want is to be able to open the WSC virus and threat area, which your answer does not do. – Sarah Weinberger Jul 11 '20 at 15:37
  • Are you saying you want to open up Windows Security => Virus and Threat Protection tab UI? – Sudip Shrestha Jul 11 '20 at 15:55
  • I am not finding any CMD line or programmatic way to open Virus and Threat Protection window (or even Windows Security window). Sorry :( We could emulate keypress => Start button, "virus & threat protection", enter button... (Please see the update above). – Sudip Shrestha Jul 11 '20 at 17:04
  • @SudipShreshtha Interestingly enough, manually pressing "Start Button" and then typing in "Virus..." does not bring that up. – Sarah Weinberger Jul 11 '20 at 17:05
  • The answer can be classified as a good college try, but fails for 2 reasons. 1) It brings up Windows Photos of "agt_virus-off.png", which is a picture of a syringe. 2) It literally emulates keyboard presses. I saw the start menu and everything. It should bring up the WSC applet like a message box gets displayed using `MessageBox.Show(...)`, just appears, no keyboard. – Sarah Weinberger Jul 11 '20 at 17:19
  • Hmmm... I only typed "Virus &" in the last answer coz I was lazy. I have the entire "Virus & threat protection" in this example. Btw, when you manually press the flag icon button on keyboard and type "Virus & threat protection" does the search find the app? (See image in my edit). – Sudip Shrestha Jul 11 '20 at 19:13
0

It's like magic incantations, unfortunately.

On this page, they mention `start windowsdefender:` from command line. Yes, the colon at the end is mandatory! And yes, it works, even programmatically.

Here from Python:

    import os
    os.system("start windowsdefender:")

The windowsdefender:// url scheme also supports links to sub-pages. The links come from this currently defunct page.

| URL | Target |
|---|---|
| `windowsdefender://` | Windows Security dashboard |
| `windowsdefender://account/` | Account Protection |
| `windowsdefender://accountprotection/` | Account Protection |
| `windowsdefender://allowappthroughfolder/` | Allow an app through Controlled Folder Access |
| `windowsdefender://appbrowser/` | App & browser control |
| `windowsdefender://appguardsettings/` | Application Guard settings |
| `windowsdefender://coreisolation/` | Core Isolation |
| `windowsdefender://coreisolationreboot/` | Reboots Windows immediately without warning |
| `windowsdefender://customscan` | Scan Options |
| `windowsdefender://dataencryption/` | Device security *Windows 11 only. |
| `windowsdefender://devicesecurity/` | Device security |
| `windowsdefender://enableandupdate/` | Enable Real-time protection and Update the definitions |
| `windowsdefender://enablertp/` | Enable Real-time protection |
| `windowsdefender://exclusions/` | Exclusions – Add or remove items to scan exclusions |
| `windowsdefender://exploitprotection/` | Exploit protection |
| `windowsdefender://family/` | Family options |
| `windowsdefender://freshstart/` | Fresh start. *Since Windows 10 v2004, Fresh start has been moved to Reset this PC. |
| `windowsdefender://fullhistory/` | Protection History |
| `windowsdefender://fullscan/` | Start a Full scan (Scan Options) |
| `windowsdefender://hardware/` | Device security |
| `windowsdefender://history` | Protection History |
| `windowsdefender://network/` | Firewall & network protection |
| `windowsdefender://perfhealth/` | Device performance & health |
| `windowsdefender://protectedfolders/` | Protected folders (Controlled Folder Access) |
| `windowsdefender://providers/` | Security providers |
| `windowsdefender://quarantinehistory/` | Protection history, filtered by quarantined items. |
| `windowsdefender://quickscan/` | Start a quick scan (Scan Options) |
| `windowsdefender://ransomwareprotection/` | Ransomware protection |
| `windowsdefender://reboot/` | Reboots Windows without warning |
| `windowsdefender://samples` | Virus & threat protection dashboard |
| `windowsdefender://securityprocessor/` | Security processor details (TPM) |
| `windowsdefender://securityprocessortroubleshooting/` | Security processor troubleshooting (TPM) |
| `windowsdefender://settings/` | Windows Security Notification settings |
| `windowsdefender://smartapp/` | Smart App Control. *Windows 11 only. |
| `windowsdefender://smartscreenpua/` | Reputation-based protection |
| `windowsdefender://threat/` | Virus & threat protection dashboard |
| `windowsdefender://threatsettings/` | Virus & threat protection settings |
| `windowsdefender://update/` | Update the definitions immediately (Protection updates) |
| `windowsdefender://updateandquickscan/` | Update the definitions immediately and run a quick scan. |
| `windowsdefender://wdoscan/` | Start Windows Defender Offline Scan. |

There's also a URL scheme for the entirety of the Settings app, ms-settings:. That scheme does not accept // after the colon! No, I have no idea why. windowsdefender: requires // after the colon, ms-settings: rejects it.

Documentation for the ms-settings: url scheme

Kuba hasn't forgotten Monica
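
The same launch from the asker's C# application, as an added example that is not code from the question or either answer: it hands a `windowsdefender:` URI to the shell, and only accepts pages that display a view, so entries the table describes as acting immediately (such as `windowsdefender://reboot/` or `windowsdefender://enablertp/`) cannot be triggered through it. The class and method names (`WindowsSecurityLauncher`, `TryBuildUri`, `TryOpen`), the short page keys and the choice of allowlisted pages are assumptions made for the illustration; the URIs themselves are copied from the table.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;

// Added example; type and member names are hypothetical.
public static class WindowsSecurityLauncher
{
    // Display-only pages, with URIs exactly as listed in the table above.
    // Action entries (reboot, coreisolationreboot, enablertp, update,
    // quickscan, fullscan, wdoscan, ...) are deliberately not included.
    private static readonly Dictionary<string, string> DisplayOnlyPages =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "dashboard",      "windowsdefender://" },
            { "threat",         "windowsdefender://threat/" },
            { "threatsettings", "windowsdefender://threatsettings/" },
            { "providers",      "windowsdefender://providers/" },
            { "history",        "windowsdefender://history" },
        };

    // Maps a page key to its URI; unknown or action pages are rejected.
    public static bool TryBuildUri(string page, out string uri)
    {
        return DisplayOnlyPages.TryGetValue((page ?? "").Trim(), out uri);
    }

    // Opens the page in Windows Security without simulating any key presses.
    public static bool TryOpen(string page)
    {
        if (!TryBuildUri(page, out string uri))
            return false;
        try
        {
            // UseShellExecute = true passes the URI to the registered protocol
            // handler, the same thing "start windowsdefender:" does from cmd.
            // It is false by default on .NET Core / .NET 5+, so set it explicitly.
            using (Process.Start(new ProcessStartInfo(uri) { UseShellExecute = true })) { }
            return true;
        }
        catch (Win32Exception)
        {
            // No handler is registered for the scheme on this machine.
            return false;
        }
    }
}
```

A caller would invoke `WindowsSecurityLauncher.TryOpen("threat")` when its own antivirus check reports that protection is off, and fall back to a plain message if it returns `false`.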