Stop smartscreen.exe from starting up

Discussion in 'Windows 10' started by Krager, Feb 5, 2019.

  1. Krager

    Does anyone know of a way to stop smartscreen.exe from starting up? I have it shut off everywhere I can find a setting for it (below), but it still starts up and shows in task manager. If I can find what starts it maybe I can tell it not to start. This is for win10 1809.

    Code:
    [HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows\System]
    "EnableSmartScreen"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
    "SmartScreenEnabled"="Off"
    
    [HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter]
    "EnabledV9"=dword:00000000
    "PreventOverride"=dword:00000000
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost]
    "EnableWebContentEvaluation"=dword:00000000
    "PreventOverride"=dword:00000000
    
     
  2. TairikuOkami

    MS made it persistent, so malware could not simply disable it. I just remove the exe.
     
  3. LiteOS

    The free version of NTLite has SmartScreen available to be removed.
     
  4. pf100

    #4 pf100, Feb 5, 2019
    Last edited: Feb 6, 2019
    I remove permissions from it so it can't run:
    Code:
    1) takeown /f "%systemroot%\System32\smartscreen.exe" /a
    2) icacls "%systemroot%\System32\smartscreen.exe" /reset
    3a) icacls "%systemroot%\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
    In 1809 and later, you have to do this as TrustedInstaller. So put NSudo in path or folder and replace line 3 with:
    3b) nsudoc -U:T -P:E "%systemroot%\System32\icacls.exe" %systemroot%\System32\smartscreen.exe /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
    
    To re-enable it:
    Code:
    takeown /f "%systemroot%\System32\smartscreen.exe" /a
    icacls "%systemroot%\System32\smartscreen.exe" /reset
    icacls "%systemroot%\System32\smartscreen.exe" /setowner *S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
     
  5. Krager

    Thanks, I saw where you posted that before and I tried it, but for some reason the permissions don't change on the file and it still runs.

    The other option is to delete or rename smartscreen.exe, but what I don't like about that is program calls to a file that doesn't exist. Would rather it does not get called to run at all.

    I found I can delete the CLSID entries in the registry and that keeps it from starting, but that's probably no better than deleting or renaming the file. In that case something is calling to a registry entry that does not exist instead of a file. Might be better that way, maybe not.

    Another option is to use a tool to remove it altogether, but I'm having an issue with Windows I'm trying to work and don't want to chop on the installation until I get this issue resolved.

    Was hoping someone knows the mechanics of how that exe starts, sort of just pull the plug on it.
     
  6. pf100

    #6 pf100, Feb 6, 2019
    Last edited: Feb 6, 2019
    In 1809 you have to remove permissions as TrustedInstaller, so I edited my post here.
     
  7. Krager

    Okay, I'll try it then. Thanks.
     
  8. pf100

  9. Ultra Male

    #10 Ultra Male, Feb 6, 2019
    Last edited: Feb 6, 2019
    thanks bro
     
  10. cromulant

    Blocking permissions for TI is efficient but inelegant. There has to be another way.
    It's the same as with Cortana: people rename the folder and Windows tends to spam error events.

    Now that I think of it, *there is* another way: The debugger value on the keys inside HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
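
To check whether a machine carries any of the changes discussed in this thread, the following read-only PowerShell audit is an added example, not code from any poster. It assumes the `temp` hive in the first post corresponds to HKLM\SOFTWARE on a live system and that an Image File Execution Options entry would sit under a subkey named smartscreen.exe; the execute-ACE test is a heuristic.

```powershell
# Read-only audit for the SmartScreen changes described in this thread (added example).
# Assumption: "HKLM\temp" in the first post is a mounted SOFTWARE hive, so the
# live-system equivalent HKLM:\SOFTWARE\Policies\... is checked here.
$exe   = Join-Path $env:SystemRoot 'System32\smartscreen.exe'
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe'
$tiSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # owner restored by the re-enable steps
$removedSids = 'S-1-5-32-544', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-18'      # SIDs passed to icacls /remove
$findings = [System.Collections.Generic.List[string]]::new()
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableSmartScreen'; Off = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'SmartScreenEnabled'; Off = 'Off' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost'; Name = 'EnableWebContentEvaluation'; Off = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter'; Name = 'EnabledV9'; Off = 0 }
)
foreach ($c in $regChecks) {
    $name  = $c.Name
    $value = (Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $value -and $value -eq $c.Off) { $findings.Add("Registry: $($c.Path)\$name = $value") }
}
# A Debugger value under the image's IFEO key redirects every launch of smartscreen.exe.
$debugger = (Get-ItemProperty -Path $ifeo -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
if ($debugger) { $findings.Add("IFEO: Debugger = $debugger") }
if (-not (Test-Path -LiteralPath $exe)) {
    $findings.Add("File: $exe is missing (deleted or renamed)")
} else {
    try {
        $sidType = [System.Security.Principal.SecurityIdentifier]
        $acl     = Get-Acl -LiteralPath $exe -ErrorAction Stop
        $owner   = $acl.GetOwner($sidType).Value
        if ($owner -ne $tiSid) { $findings.Add("File: owner is $owner, not TrustedInstaller") }
        # Heuristic: flag the file when none of the four SIDs still holds an allow ACE with execute.
        $exec   = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
        $canRun = $acl.GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $exec) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value }
        if (-not ($removedSids | Where-Object { $canRun -contains $_ })) {
            $findings.Add('File: no execute ACE left for SYSTEM, Administrators, Users or Authenticated Users')
        }
    } catch {
        $findings.Add("File: ACL unreadable ($($_.Exception.Message))")
    }
}
if ($findings.Count) { $findings } else { 'No SmartScreen tampering indicators found.' }
```

The HKCU checks only cover the account the script runs under, so run it per user profile when auditing a shared machine.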