Set-ProcessMitigation
Commands to enable and disable process mitigations or set them in bulk from an XML file.
Syntax
Set-ProcessMitigation
[[-Name] <String>]
[-Disable <String[]>]
[-Enable <String[]>]
[-EAFModules <String[]>]
[-Force <String>]
[-Reset]
[-Remove]
[<CommonParameters>] Set-ProcessMitigation
-PolicyFilePath <String>
[-IsValid]
[<CommonParameters>] Set-ProcessMitigation
[-Disable <String[]>]
[-Enable <String[]>]
[-EAFModules <String[]>]
[-System]
[-Force <String>]
[-Reset]
[-Remove]
[<CommonParameters>] Description
Used to turn on and off various process mitigation settings. Can also apply an XML file to apply settings for many processes at once.
Examples
Example 1
PS C:\> Set-ProcessMitigation -Name Notepad.exe -Enable SEHOP -Disable ForceRelocateImagesGets the current process mitigation for "notepad.exe" from the registry and then enables SEHOP, and disables ForceRelocateImages.
Example 2
PS C:\> Set-ProcessMitigation -PolicyFilePath settings.xmlApplies all settings inside settings.xml
Example 3
PS C:\> Set-ProcessMitigation -System -Enable DEPApplies DEP at the system level. To disable mitigations, you can replace -Enable with -Disable. However, for app-level mitigations, this will force the mitigation to be disabled only for that app.
Exmaple 4
PS C:\> Set-ProcessMitigation -System -Remove -Disable DEPIf you need to restore the mitigation back to the system default, you need to include the -Remove cmdlet as well, as in the above example:
Example 5
PS C:\> Set-ProcessMitigation -System -Enable SEHOPEnable SEHOP Component at the system level.
Example 6
PS C:\> Set-ProcessMitigation -System -Disable SEHOPDisable SEHOP Component at the system level.
Example 7
PS C:\> Set-ProcessMitigation -System -ResetReset Mitigation at the system level.
Parameters
-Disable
Comma separated list of mitigations to disable. Disable list takes priority over enable list. If specified in both, it will be disabled.
| Type: | String[] |
| Aliases: | d |
| Accepted values: | DEP, EmulateAtlThunks, SEHOP, ForceRelocateImages, RequireInfo, BottomUp, HighEntropy, StrictHandle, DisableWin32kSystemCalls, AuditSystemCall, DisableExtensionPoints, BlockDynamicCode, AllowThreadsToOptOut, AuditDynamicCode, CFG, SuppressExports, StrictCFG, MicrosoftSignedOnly, AllowStoreSignedBinaries, AuditMicrosoftSigned, AuditStoreSigned, EnforceModuleDependencySigning, DisableNonSystemFonts, AuditFont, BlockRemoteImageLoads, BlockLowLabelImageLoads, PreferSystem32, AuditRemoteImageLoads, AuditLowLabelImageLoads, AuditPreferSystem32, EnableExportAddressFilter, AuditEnableExportAddressFilter, EnableExportAddressFilterPlus, AuditEnableExportAddressFilterPlus, EnableImportAddressFilter, AuditEnableImportAddressFilter, EnableRopStackPivot, AuditEnableRopStackPivot, EnableRopCallerCheck, AuditEnableRopCallerCheck, EnableRopSimExec, AuditEnableRopSimExec, SEHOP, AuditSEHOP, SEHOPTelemetry, TerminateOnError, DisallowChildProcessCreation, AuditChildProcess |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EAFModules
Modules to be added to the EAF+ mitigation.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Enable
Comma separated list of mitigations to enable. Disable list takes priority over enable list. If specified in both, it will be disabled.
| Type: | String[] |
| Aliases: | e |
| Accepted values: | DEP, EmulateAtlThunks, SEHOP, ForceRelocateImages, RequireInfo, BottomUp, HighEntropy, StrictHandle, DisableWin32kSystemCalls, AuditSystemCall, DisableExtensionPoints, BlockDynamicCode, AllowThreadsToOptOut, AuditDynamicCode, CFG, SuppressExports, StrictCFG, MicrosoftSignedOnly, AllowStoreSignedBinaries, AuditMicrosoftSigned, AuditStoreSigned, EnforceModuleDependencySigning, DisableNonSystemFonts, AuditFont, BlockRemoteImageLoads, BlockLowLabelImageLoads, PreferSystem32, AuditRemoteImageLoads, AuditLowLabelImageLoads, AuditPreferSystem32, EnableExportAddressFilter, AuditEnableExportAddressFilter, EnableExportAddressFilterPlus, AuditEnableExportAddressFilterPlus, EnableImportAddressFilter, AuditEnableImportAddressFilter, EnableRopStackPivot, AuditEnableRopStackPivot, EnableRopCallerCheck, AuditEnableRopCallerCheck, EnableRopSimExec, AuditEnableRopSimExec, SEHOP, AuditSEHOP, SEHOPTelemetry, TerminateOnError, DisallowChildProcessCreation, AuditChildProcess |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Force
Overrides a system setting either on or off depending on the level this is set at. Will force "on"/"off" all mitigations provided in the -Enable list
| Type: | String |
| Aliases: | f |
| Accepted values: | on, off, notset |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-IsValid
Set to check the given XML file for validity. Requires local .xsd
| Type: | SwitchParameter |
| Aliases: | v |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Name
Name of the process to apply mitigation settings to. Can be in the format "notepad" or "notepad.exe"
| Type: | String |
| Position: | 0 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-PolicyFilePath
Path to XML file containing mitigation settings.
| Type: | String |
| Aliases: | x |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Remove
Removes a mitigation entry from the registry.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Reset
Resets a specific mitigation entry to defer.
| Type: | SwitchParameter |
| Aliases: | r |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-System
Used to configure system defaults rather than individual apps.
| Type: | SwitchParameter |
| Aliases: | s |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |