Does anyone know of a way to stop smartscreen.exe from starting up? I have it shut off everywhere I can find a setting for it (below), but it still starts up and shows in Task Manager. If I can find what starts it, maybe I can tell it not to start. This is for Win10 1809.
Code:
[HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows\System]
"EnableSmartScreen"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Off"
[HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter]
"EnabledV9"=dword:00000000
"PreventOverride"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000000
"PreventOverride"=dword:00000000
I remove permissions from it so it can't run:
Code:
1) takeown /f "%systemroot%\System32\smartscreen.exe" /a
2) icacls "%systemroot%\System32\smartscreen.exe" /reset
3a) icacls "%systemroot%\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
In 1809 and later, you have to do this as TrustedInstaller. So put NSudo in path or folder and replace line 3 with:
3b) nsudoc -U:T -P:E "%systemroot%\System32\icacls.exe" %systemroot%\System32\smartscreen.exe /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
To re-enable it:
Code:
takeown /f "%systemroot%\System32\smartscreen.exe" /a
icacls "%systemroot%\System32\smartscreen.exe" /reset
icacls "%systemroot%\System32\smartscreen.exe" /setowner *S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
Thanks, I saw where you posted that before and I tried it, but for some reason the permissions don't change on the file and it still runs. The other option is to delete or rename smartscreen.exe, but what I don't like about that is program calls to a file that doesn't exist. Would rather it does not get called to run at all. I found I can delete the CLSID entries in the registry and that keeps it from starting, but that's probably no better than deleting or renaming the file. In that case something is calling to a registry entry that does not exist instead of a file. Might be better that way, maybe not. Another option is to use a tool to remove it altogether, but I'm having an issue with Windows I'm trying to work and don't want to chop on the installation until I get this issue resolved. Was hoping someone knows the mechanics of how that exe starts, sort of just pull the plug on it.
Blocking permissions for TI is efficient but inelegant. There has to be another way. It is the same as Cortana: people rename the folder and Windows tends to spam error events. Now that I think of it, *there is* another way: the Debugger value on the keys inside HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
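An added example, not part of any post in this thread: for an administrator auditing machines, a small parser that reads `.reg` export text and reports the SmartScreen-off values listed in the first post plus any Debugger value under Image File Execution Options. The function names, the sample export and its placeholder path are constructed for illustration, and the input is assumed to be already decoded to a string.

```python
import re

# Values named in this thread that switch SmartScreen off: (key suffix, name, data)
WEAKENED = [
    (r"\policies\microsoft\windows\system", "enablesmartscreen", "dword:00000000"),
    (r"\currentversion\explorer", "smartscreenenabled", '"off"'),
    (r"\microsoftedge\phishingfilter", "enabledv9", "dword:00000000"),
    (r"\currentversion\apphost", "enablewebcontentevaluation", "dword:00000000"),
]
IFEO = r"\image file execution options" + "\\"

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                yield key, m.group(1), m.group(2)

def audit(text):
    """Return findings as (kind, subject, raw_data) tuples, in file order."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if IFEO in k and n == "debugger":
            # Subject is the image name the Debugger value is attached to
            findings.append(("ifeo-debugger", key.rsplit("\\", 1)[1], data))
        for suffix, vname, off in WEAKENED:
            if k.endswith(suffix) and n == vname and d == off:
                findings.append(("smartscreen-off", name, data))
    return findings

# Constructed sample export, not taken from a real machine
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"EnableSmartScreen"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="RequireAdmin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe]
"Debugger"="C:\\placeholder\\stub.exe"
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Key suffixes are matched rather than full paths, so a hive loaded offline under another name (such as the `temp` path in the first post) is still covered.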