Stop smartscreen.exe from starting up

Discussion in 'Windows 10' started by chblock, Feb 5, 2019.

  1. chblock

    chblock MDL Member

    Jan 9, 2017
    236
    133
    10
    Does anyone know of a way to stop smartscreen.exe from starting up? I have it shut off everywhere I can find a setting for it (below), but it still starts up and shows in task manager. If I can find what starts it maybe I can tell it not to start. This is for win10 1809.

    Code:
    [HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows\System]
    "EnableSmartScreen"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
    "SmartScreenEnabled"="Off"
    
    [HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter]
    "EnabledV9"=dword:00000000
    "PreventOverride"=dword:00000000
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost]
    "EnableWebContentEvaluation"=dword:00000000
    "PreventOverride"=dword:00000000
    
     
  2. TairikuOkami

    TairikuOkami MDL Addicted

    Mar 15, 2014
    767
    669
    30
    MS made it persistent, so malware could not simply disable it. I just remove the exe.
     
  3. LiteOS

    LiteOS MDL Expert

    Mar 7, 2014
    1,581
    677
    60
    The free version of NTLite has SmartScreen available to be removed.
     
  4. pf100

    pf100 MDL Expert

    Oct 22, 2010
    1,397
    1,967
    60
    #4 pf100, Feb 5, 2019
    Last edited: Feb 6, 2019
    I remove permissions from it so it can't run:
    Code:
    1) takeown /f "%systemroot%\System32\smartscreen.exe" /a
    2) icacls "%systemroot%\System32\smartscreen.exe" /reset
    3a) icacls "%systemroot%\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
    In 1809 and later, you have to do this as TrustedInstaller. So put NSudo in path or folder and replace line 3 with:
    3b) nsudoc -U:T -P:E "%systemroot%\System32\icacls.exe" %systemroot%\System32\smartscreen.exe /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
    
    To re-enable it:
    Code:
    takeown /f "%systemroot%\System32\smartscreen.exe" /a
    icacls "%systemroot%\System32\smartscreen.exe" /reset
    icacls "%systemroot%\System32\smartscreen.exe" /setowner *S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
     
  5. chblock

    chblock MDL Member

    Jan 9, 2017
    236
    133
    10
    Thanks, I saw where you posted that before and I tried it, but for some reason the permissions don't change on the file and it still runs.

    The other option is to delete or rename smartscreen.exe, but what I don't like about that is program calls to a file that doesn't exist. Would rather it does not get called to run at all.

    I found I can delete the CLSID entries in the registry and that keeps it from starting, but that's probably no better than deleting or renaming the file. In that case something is calling to a registry entry that does not exist instead of a file. Might be better that way, maybe not.

    Another option is to use a tool to remove it altogether, but I'm having an issue with Windows I'm trying to work and don't want to chop on the installation until I get this issue resolved.

    Was hoping someone knows the mechanics of how that exe starts, sort of just pull the plug on it.
     
  6. pf100

    pf100 MDL Expert

    Oct 22, 2010
    1,397
    1,967
    60
    #6 pf100, Feb 6, 2019
    Last edited: Feb 6, 2019
    In 1809 you have to remove permissions as TrustedInstaller, so I edited my post here.
     
  7. chblock

    chblock MDL Member

    Jan 9, 2017
    236
    133
    10
    Okay, I'll try it then. Thanks.
     
  8. Ultra Male

    Ultra Male MDL Expert

    May 30, 2014
    1,242
    620
    60
  9. pf100

    pf100 MDL Expert

    Oct 22, 2010
    1,397
    1,967
    60
  10. Ultra Male

    Ultra Male MDL Expert

    May 30, 2014
    1,242
    620
    60
    #10 Ultra Male, Feb 6, 2019
    Last edited: Feb 6, 2019
    thanks bro
     
  11. cromulant

    cromulant MDL Novice

    Aug 12, 2015
    6
    0
    0
    Blocking permissions for TI is efficient but inelegant. There has to be another way.
    It is the same as Cortana: people rename the folder and Windows tends to spam error events.

    Now that I think of it, *there is* another way: The debugger value on the keys inside HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options