
When troubleshooting Windows problems, take a snapshot first, then disable Defender and the Tencent Cloud platform components to remove unrelated variables; roll the snapshot back once the cause is confirmed

Original
Author: Windows技术交流
Last modified: 2024-04-29 12:05:49
Views: 2690
Published in the column: Windows技术交流

Take a snapshot before doing anything, so you can roll back if needed.

The script applies to Tencent Cloud servers running Windows Server 2012 R2 or later. Other cases have not been tested; if you want to try them, back up first.

The correct method is to elevate first and then run the commands. The complete PowerShell commands are below (I put AdvancedRun.exe into C:\Windows\ beforehand); for the elevation itself see my document: https://cloud.tencent.com/developer/article/2285183

First run one of these commands in cmd to open a PowerShell window. There are two elevation levels; you can try both.

```cmd
REM Elevate to TrustedInstaller
AdvancedRun.exe /Clear /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /StartDirectory "C:\" /CommandLine "" /RunAs 8 /Run
REM Elevate to SYSTEM
AdvancedRun.exe /Clear /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /StartDirectory "C:\" /CommandLine "" /RunAs 4 /Run
```

Then run the following commands in the PowerShell window opened in the previous step.

Note: reboot the machine after running the code to see the effect.

```powershell
# Program Compatibility Assistant: disable the policy, the service and its data-updater task
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisablePCA /t REG_DWORD /d 1 /f
Stop-Service -Name PcaSvc 2>$null
Set-Service -Name PcaSvc -StartupType Disabled 2>$null
Get-ScheduledTask | Where-Object { $_.TaskName -like "*ProgramDataUpdater*"}| Disable-ScheduledTask 2>$null

# Windows Server 2012 R2 / Windows 8.1: Defender is configured through the registry only
if((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "2012 R2|Windows 8.1"){
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" /v "PreventPlatformUpdate" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "FallbackOrder" /d "FileShares" /t REG_SZ /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d 8 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
}

# Windows 10 / Server 2016 and later: clear stale policy values first, then set each
# preference with Set-MpPreference and mirror it in the policy key
if([System.Environment]::OSVersion.Version.Major -eq 10){
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Force 2>&1 >$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan" /v "ScheduleQuickScanTime" /f 2>$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleQuickScanTime" /f 2>$null

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "DefinitionUpdateFileSharesSources" /f 2>$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DefinitionUpdateFileSharesSources" /f 2>$null

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f 2>$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /va /f 2>&1 >$null

$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
Get-ItemProperty -Path $registryPath | Remove-ItemProperty -Name * -ErrorAction SilentlyContinue
Get-ChildItem -Path $registryPath | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue

# Security Center notifications (the value name had a trailing space in the original, which created a value Windows never reads)
reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /d 0 /t REG_DWORD /f

#Restart-Service WinDefend -Force -ErrorAction SilentlyContinue
#Restart-Service WdNisSvc -Force -ErrorAction SilentlyContinue
# The services must be running for Set-MpPreference to take effect
Start-Service WinDefend -ErrorAction SilentlyContinue
Start-Service WdNisSvc -ErrorAction SilentlyContinue

Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f

Set-MpPreference -DisableIOAVProtection $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f

Set-MpPreference -DisableArchiveScanning $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /d 1 /t REG_DWORD /f

Set-MpPreference -MAPSReporting 0 -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /d 0 /t REG_DWORD /f

Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /d 2 /t REG_DWORD /f

Set-MpPreference -EnableControlledFolderAccess Disabled -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /d 0 /t REG_DWORD /f

Set-MpPreference -PUAProtection Disabled -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /d 0 /t REG_DWORD /f

Set-MpPreference -SignatureFallbackOrder FileShares -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "FallbackOrder" /d "FileShares" /t REG_SZ /f

Set-MpPreference -SignatureScheduleDay Never -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d 8 /f

Set-MpPreference -SharedSignaturesPath c:\dummyPath -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SharedSignatureRoot" /d "c:\dummyPath" /t REG_SZ /f

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources "\\unc1 | \\unc2" -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DefinitionUpdateFileSharesSources" /d "\\unc1 | \\unc2" /t REG_SZ /f

Set-MpPreference -CheckForSignaturesBeforeRunningScan $false -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /d 0 /t REG_DWORD /f

Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "LocalSettingOverrideDisableRealtimeMonitoring" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /d 0 /t REG_DWORD /f

Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" /v "PreventPlatformUpdate" /t REG_DWORD /d 1 /f

Set-MpPreference -HighThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
Set-MpPreference -ModerateThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
Set-MpPreference -LowThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
Set-MpPreference -SevereThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
}

# Automatic maintenance and the scheduled tasks that may interfere with the workload
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d 1 /f
Get-ScheduledTask -TaskPath "\Microsoft\Windows\Customer Experience Improvement Program\","\Microsoft\Windows\Data Integrity Scan\","\Microsoft\Windows\ApplicationData\","\Microsoft\Windows\Application Experience\","\Microsoft\Windows\Defrag\","\Microsoft\Windows\DiskCleanup\","\Microsoft\Windows\DiskDiagnostic\","\Microsoft\Windows\DiskFootprint\","\Microsoft\Windows\Windows Defender\","\Microsoft\Windows\Maintenance\" 2>$null | Disable-ScheduledTask 2>$null

Get-ScheduledTask | Where-Object { $_.TaskName -like "OneDrive*"}| Disable-ScheduledTask 2>$null

# Browser updaters (services and their scheduled tasks)
Get-Service MicrosoftEdge*, edgeupdate*|ft -auto
Get-Service GoogleChrome*, gupdate* | ft -auto
Get-Service MicrosoftEdge*, edgeupdate* | Set-Service -StartupType Disabled
Get-Service GoogleChrome*, gupdate* | Set-Service -StartupType Disabled
Get-ScheduledTask | Where-Object { $_.TaskName -like "MicrosoftEdgeUpdateTaskMachine*"} | Disable-ScheduledTask 2>&1 >$null
Get-ScheduledTask | Where-Object { $_.TaskName -like "GoogleUpdateTaskMachine*"} | Disable-ScheduledTask 2>$null

# Show the Tencent Cloud platform components and Defender services before touching them
$services = @("*ssh*","*cron*","gse*","Tsys","tatsvc", "win-agent", "WinAgent", "YDLive", "YDService", "BaradAgentSvc", "StargateSvc", "WinDefend", "WdNisSvc")
Get-Service -Name $services 2>$null | Select-Object Name, DisplayName, Status

#$services = @("gse*","tatsvc", "win-agent", "WinAgent", "YDLive", "YDService", "BaradAgentSvc", "StargateSvc", "WinDefend", "WdNisSvc")
$services = @("win-agent", "WinAgent", "YDLive", "YDService", "BaradAgentSvc", "StargateSvc", "WinDefend", "WdNisSvc")
foreach ($service in $services) {
    $currentService = Get-Service -Name $service -ErrorAction SilentlyContinue
    if ($currentService -ne $null -and $currentService.Status -eq "Running") {
        Stop-Service -Name $service 2>$null
        Write-Host "Stopped service: $service"
    } elseif ($currentService -eq $null) {
        Write-Host "Service not found: $service"
    } else {
        Write-Host "Service already stopped: $service"
    }
}

$services = @("win-agent", "WinAgent", "YDLive", "YDService", "BaradAgentSvc", "StargateSvc", "WinDefend", "WdNisSvc")
foreach ($service in $services) {
    Set-Service -Name $service -StartupType Disabled -ErrorAction SilentlyContinue
}

# Show the same services again to confirm the result
$services = @("*ssh*","*cron*","gse*","Tsys","tatsvc", "win-agent", "WinAgent", "YDLive", "YDService", "BaradAgentSvc", "StargateSvc", "WinDefend", "WdNisSvc")
Get-Service -Name $services 2>$null | Select-Object Name, DisplayName, Status

# What non-Microsoft processes remain, and which virtio driver versions are installed
Get-Process | Where-Object {$_.company -notlike '*Microsoft*' }|select Name,Description,Company|ft -auto

[System.Diagnostics.FileVersionInfo]::GetVersionInfo("C:\Windows\System32\drivers\viostor.sys")
[System.Diagnostics.FileVersionInfo]::GetVersionInfo("C:\Windows\System32\drivers\netkvm.sys")
```

These lines in the code are the ones that disable scheduled tasks that may affect the workload:

```powershell
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisablePCA /t REG_DWORD /d 1 /f
Stop-Service -Name PcaSvc 2>$null
Set-Service -Name PcaSvc -StartupType Disabled 2>$null
Get-ScheduledTask | Where-Object { $_.TaskName -like "*ProgramDataUpdater*"}| Disable-ScheduledTask 2>$null

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d 1 /f
Get-ScheduledTask -TaskPath "\Microsoft\Windows\Customer Experience Improvement Program\","\Microsoft\Windows\Data Integrity Scan\","\Microsoft\Windows\ApplicationData\","\Microsoft\Windows\Application Experience\","\Microsoft\Windows\Defrag\","\Microsoft\Windows\DiskCleanup\","\Microsoft\Windows\DiskDiagnostic\","\Microsoft\Windows\DiskFootprint\","\Microsoft\Windows\Windows Defender\","\Microsoft\Windows\Maintenance\" 2>$null | Disable-ScheduledTask 2>$null
```

Besides these, scheduled tasks whose names contain keywords such as "Diagnos", "Application", "Disk", "Experience", "Defender" and "Update" can also be disabled depending on how the workload behaves; see my other document https://cloud.tencent.com/developer/article/2367336

To disable them, the PowerShell code is as follows:

```powershell
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisablePCA /t REG_DWORD /d 1 /f
Stop-Service -Name PcaSvc 2>$null
Set-Service -Name PcaSvc -StartupType Disabled 2>$null
Get-ScheduledTask | Where-Object { $_.TaskName -like "*ProgramDataUpdater*"}| Disable-ScheduledTask 2>$null

Get-ScheduledTask -TaskPath "\Microsoft\Windows\Power Efficiency Diagnostics\","\Microsoft\Windows\ApplicationData\","\Microsoft\Windows\Customer Experience Improvement Program\","\Microsoft\Windows\CloudExperienceHost\","\Microsoft\Windows\DiskFootprint\","\Microsoft\Windows\StateRepository\","\Microsoft\Windows\Application Experience\","\Microsoft\Windows\DiskDiagnostic\","\Microsoft\Windows\MemoryDiagnostic\","\Microsoft\Windows\WDI\","\Microsoft\Windows\UpdateOrchestrator\","\Microsoft\Windows\WindowsUpdate\","\Microsoft\Windows\Diagnosis\","\Microsoft\Windows\Network Controller\","\Microsoft\Windows\PI\","\Microsoft\Windows\DiskCleanup\","\Microsoft\Windows\TPM\","\Microsoft\Windows\Windows Defender\","\Microsoft\Windows\Maintenance\" 2>$null | Disable-ScheduledTask 2>$null | ft -auto
```

Or, equivalently:

```powershell
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisablePCA /t REG_DWORD /d 1 /f
Stop-Service -Name PcaSvc 2>$null
Set-Service -Name PcaSvc -StartupType Disabled 2>$null
Get-ScheduledTask | Where-Object { $_.TaskName -like "*ProgramDataUpdater*"}| Disable-ScheduledTask 2>$null

$taskPaths = @(
    "\Microsoft\Windows\Power Efficiency Diagnostics\",
    "\Microsoft\Windows\ApplicationData\",
    "\Microsoft\Windows\Customer Experience Improvement Program\",
    "\Microsoft\Windows\CloudExperienceHost\",
    "\Microsoft\Windows\DiskFootprint\",
    "\Microsoft\Windows\StateRepository\",
    "\Microsoft\Windows\Application Experience\",
    "\Microsoft\Windows\DiskDiagnostic\",
    "\Microsoft\Windows\MemoryDiagnostic\",
    "\Microsoft\Windows\WDI\",
    "\Microsoft\Windows\UpdateOrchestrator\",
    "\Microsoft\Windows\WindowsUpdate\",
    "\Microsoft\Windows\Diagnosis\",
    "\Microsoft\Windows\Network Controller\",
    "\Microsoft\Windows\PI\",
    "\Microsoft\Windows\DiskCleanup\",
    "\Microsoft\Windows\TPM\",
    "\Microsoft\Windows\Windows Defender\",
    "\Microsoft\Windows\Maintenance\"
)

foreach ($taskPath in $taskPaths) {
    Get-ScheduledTask -TaskPath $taskPath 2>$null | Disable-ScheduledTask 2>$null | ft -auto
}
```

Please note: disabling these scheduled tasks may affect search performance, update management, secure boot, TPM management, application start-up performance, security protection and other areas. The impact on system stability and normal use should be relatively small, however. Before disabling these tasks, make sure you understand the potential impact and that you have another way to detect and resolve any problems.
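As an added example (not from the original post), the following records the state of the services, Defender preferences and scheduled tasks that the scripts on this page change, so that after rolling the snapshot back you can confirm nothing stayed disabled. The output path $StateFile and the list of items checked are assumptions; save the baseline before taking the snapshot, or copy it off the snapshotted disk, otherwise the rollback removes it.

```powershell
# Added example, not part of the original post: capture a baseline of what the scripts above
# change and compare against it after the snapshot rollback. $StateFile is an assumed path.
$StateFile = "C:\troubleshoot-baseline.json"

function Get-TroubleshootState {
    $svcNames = "WinDefend","WdNisSvc","PcaSvc","UsoSvc","wuauserv","WaaSMedicSvc",
                "YDService","YDLive","BaradAgentSvc","StargateSvc","win-agent","WinAgent"
    # Win32_Service exposes StartMode on every version in scope (Get-Service.StartType needs PS 5+)
    $services = Get-CimInstance Win32_Service | Where-Object { $svcNames -contains $_.Name } |
                ForEach-Object { "svc:$($_.Name)=$($_.State)/$($_.StartMode)" }
    # The Defender cmdlets exist only on Windows 10 / Server 2016+, so guard the lookup
    $mp = if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) { Get-MpPreference }
    $defender = foreach ($p in "DisableRealtimeMonitoring","DisableBehaviorMonitoring",
                                "DisableIOAVProtection","MAPSReporting","PUAProtection") {
        if ($mp) { "mp:$p=$($mp.$p)" }
    }
    $taskPaths = "\Microsoft\Windows\Windows Defender\","\Microsoft\Windows\UpdateOrchestrator\",
                 "\Microsoft\Windows\WindowsUpdate\","\Microsoft\Windows\Application Experience\"
    $tasks = Get-ScheduledTask -TaskPath $taskPaths -ErrorAction SilentlyContinue |
             ForEach-Object { "task:$($_.TaskPath)$($_.TaskName)=$($_.State)" }
    # The policy key is what the script above fills; record the kill switch it sets there
    $pol = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -ErrorAction SilentlyContinue
    $policy = "reg:DisableAntiSpyware=$(if ($pol -and $pol.DisableAntiSpyware -ne $null) { $pol.DisableAntiSpyware } else { 'absent' })"
    @($services) + @($defender) + @($tasks) + @($policy) | Sort-Object
}

# Run before the changes (ideally before the snapshot, so the rollback keeps the file)
function Save-TroubleshootState {
    ConvertTo-Json -InputObject @(Get-TroubleshootState) | Set-Content -Path $StateFile
    Write-Host "Baseline saved to $StateFile"
}

# Run after rolling back the snapshot: lists every item that differs from the baseline
function Compare-TroubleshootState {
    $before = @(Get-Content -Path $StateFile -Raw | ConvertFrom-Json)
    $after  = @(Get-TroubleshootState)
    $diff = Compare-Object -ReferenceObject $before -DifferenceObject $after
    if (-not $diff) { Write-Host "State matches the baseline, rollback confirmed"; return }
    foreach ($d in $diff) {
        $side = if ($d.SideIndicator -eq '<=') { 'baseline' } else { 'now' }
        Write-Host ("{0,-8} {1}" -f $side, $d.InputObject)
    }
}
```

Call Save-TroubleshootState before the snapshot and Compare-TroubleshootState after the rollback; every line tagged "now" is a service, preference or task the rollback did not restore.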

The update-related services are listed separately:

```powershell
# Query the update-related services
Get-Service "UsoSvc", "WUAUSERV", "WaaSMedicSvc" -ErrorAction SilentlyContinue
Stop-Service -Name UsoSvc -ErrorAction SilentlyContinue
Stop-Service -Name WUAUSERV -ErrorAction SilentlyContinue
Stop-Service -Name WaaSMedicSvc -ErrorAction SilentlyContinue
Get-Service "UsoSvc", "WUAUSERV", "WaaSMedicSvc" -ErrorAction SilentlyContinue

# Disable the update-related services
Set-Service -Name UsoSvc -StartupType Disabled -ErrorAction SilentlyContinue
Set-Service -Name WUAUSERV -StartupType Disabled -ErrorAction SilentlyContinue
Set-Service -Name WaaSMedicSvc -StartupType Disabled -ErrorAction SilentlyContinue

# Disable the update-related scheduled tasks
Get-ScheduledTask -TaskPath "\Microsoft\Windows\UpdateOrchestrator\","\Microsoft\Windows\WindowsUpdate\" 2>$null | Disable-ScheduledTask 2>$null | ft -auto
```

Original statement: this article is published on the Tencent Cloud Developer Community with the author's authorization; reproduction without permission is prohibited.