Disabling SmartScreen causes the OS to open apps very slowly (Solution)

[Nub865]

On Windows 11 Enterprise LTSC IoT (latest updates), after disabling MS Defender (including SmartScreen), rebooting, then running sfc /scannow the issue starts to happen after a reboot

Solution: DCOM cannot start smartscreen under this key {a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}
Open regedit and navigate to HKEY_CLASSES_ROOT\AppID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}
Take ownership of that key and delete it

Navigate to HKEY_CLASSES_ROOT\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d} and do the same and delete the key.

Would be good if this was incorporated into the scripts

[undergroundwires]

Hi,
Thank you for the report. It's great when a solution is provided.
HKCR is virtual, so we should modify HKLM\Software\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d} which is the real COM registration.

I have some questions:

1. Would soft-deleting work? Let me explain:

I see that it includes 3 keys and 2 values:

C:\Users\undergroundwires>reg query "HKLM\SOFTWARE\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}"

HKLM\SOFTWARE\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}
    (Default)    REG_SZ    SmartScreen
    AppID    REG_SZ    {a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}

HKLM\SOFTWARE\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\LocalServer32

We can potentially store this default values and add them back on revert.
But an easier way would be soft-deleting it by renaming the GUID.
So if we rename HKLM\SOFTWARE\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d} to HKLM\SOFTWARE\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}_OLD and then rename it back on revert, is it same behavior as removing it?

2. The last patch added disabling execution of SmartScreen.exe via [Bug]: Defender is not completely disabled #385. So this is probably caused by that, but I could not reproduce it.

Can you provide me steps to reproduce it? Which version of Windows do you have? Which app did start slowly? How did you observe it?

Something like:

1. Install Windows 11 Pro 23H2
2. Install Notepad++
3. Disable SmartScreen via privacy.sexy
4. Reboot computer
5. Open Notepad++ (it takes 4-5 seconds)

Because for me the flow above works fine.

[Nub865]

Hi, I think that it should have the same effect as to renaming it. I was just troubleshooting and saw what was happening in the event viewer and searched for that key and removed it in the HKCR directory and it worked fine after that. I wouldn't bother renaming it since I never ever want back the M$ Defender, but taking ownership of the keys in those locations takes a bit time to figure it since you have to replace the same ownership into the subkeys and etc.

How it happened to me:

1. Install W11 Enterprise LTSC IoT from here https://massgrave.dev/windows_ltsc_links
2. Update after installation update it with the latest updates
3. Disable M$ Defender with privacy.sexy
4. Boot from PE or linux live usb and delete the last pieces of it located in C:\ProgramData\Microsoft\Windows Defender\Platform\ (Remove any folder that starts with numbers for example 4.8.2211.5-0)
5. Run sfc /scannow and reboot
6. Now you should see the slowdown happen, basically any app delays to open, from cmd to Notepad to MS Word, the system settings and file explorer seems to be unaffected. sfc /scannow will also restore smartscreen.exe and smartscreenps.dll but those are not a problem

Also it would be good if Step 4 could be incorporated within the scripts, those files/folder in that location can be seen after running Windows Update and it installs some definition updates for M$ Defender

[undergroundwires]

Thank you for the info. I will research a bit more, do tests and add the fix.

privacy.sexy gives Windows instruction to prevent executing smartscreen.exe, so even though the file is there, the execution is stopped by OS, but probably sfc /scannow re-enables smartscreen but does not remove the prevention policy, causing this error.

[Nub865]

You're welcome! I just forgot to add that in privacy.sexy I ticked the whole Disable M$ Defender box EXCEPT the Windows Firewall because that is needed for later if you want to bring back the M$ Store to the LTSC OSes since they are missing it

[undergroundwires]

I was not able to take ownership of this key. However, running the script as TrustedInstaller works as they're owned by it. So I will do this operation as TrustedInstaller. Renaming key is better than deleting as it would then keep the original permissions on revert. But the way privacy.sexy runs stuff as TrustedInstaller is very limited to some batch commands. I will do some refactorings to enable running more complex PowerShell as TrustedInstaller.

[undergroundwires]

Update:

I have been working extensively on this.

It was painful to be able to rename keys and get these values back as trusted installer. Renaming functions do not preserve the original permissions for some reason. But this revert and do code should successfully rename a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d CLSID key with .OLD suffix then rename it back the original on revert, preserving all original ACLs (permissions):

Do:

PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName "^""$($scriptFile.BaseName).ps1"^"" -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = 'privacy' + '.sexy invoke'; schtasks.exe /delete /tn "^""$taskName"^"" /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed to execute with exit code: $result."^""; } } finally { schtasks.exe /delete /tn "^""$taskName"^"" /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = 'function Rename-KeyWithAcl($Old, $New) {'+"^""`r`n"^""+'    $acl = $null'+"^""`r`n"^""+'    try {'+"^""`r`n"^""+'        $acl = Get-Acl `'+"^""`r`n"^""+'            -Path $Old `'+"^""`r`n"^""+'            -ErrorAction Stop'+"^""`r`n"^""+'        $rule = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])[0]'+"^""`r`n"^""+'        $acl.RemoveAccessRuleAll($rule)'+"^""`r`n"^""+'        $acl.AddAccessRule($rule)'+"^""`r`n"^""+'    } catch {'+"^""`r`n"^""+'        Write-Warning "^""Failed to read ACL: $_"^""'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    try {'+"^""`r`n"^""+'        Copy-Item `'+"^""`r`n"^""+'            -LiteralPath $Old `'+"^""`r`n"^""+'            -Destination $New `'+"^""`r`n"^""+'            -Recurse `'+"^""`r`n"^""+'            -Force `'+"^""`r`n"^""+'            -ErrorAction Stop'+"^""`r`n"^""+'    } catch {'+"^""`r`n"^""+'        throw "^""Failed to copy: $_"^""'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    try {'+"^""`r`n"^""+'        Remove-Item `'+"^""`r`n"^""+'            -LiteralPath $Old `'+"^""`r`n"^""+'            -Force `'+"^""`r`n"^""+'            -Recurse `'+"^""`r`n"^""+'            -ErrorAction Stop `'+"^""`r`n"^""+'            | Out-Null'+"^""`r`n"^""+'    } catch {'+"^""`r`n"^""+'        try {'+"^""`r`n"^""+'            Remove-Item `'+"^""`r`n"^""+'                -LiteralPath $New `'+"^""`r`n"^""+'                -Force `'+"^""`r`n"^""+'                -Recurse `'+"^""`r`n"^""+'                -ErrorAction Stop `'+"^""`r`n"^""+'                | Out-Null'+"^""`r`n"^""+'        } catch {'+"^""`r`n"^""+'            Write-Warning "^""Failed to clean: $_"^""'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'        throw "^""Failed to remove: $_"^""'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    if ($acl) {'+"^""`r`n"^""+'        try {'+"^""`r`n"^""+'            Set-Acl `'+"^""`r`n"^""+'                -Path $New `'+"^""`r`n"^""+'                -AclObject $acl `'+"^""`r`n"^""+'                -ErrorAction Stop'+"^""`r`n"^""+'        } catch {'+"^""`r`n"^""+'            Write-Warning "^""Failed to set ACL: $_"^""'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'}'+"^""`r`n"^""+'$rawPath=''HKLM\SOFTWARE\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}'''+"^""`r`n"^""+'$suffix=''.OLD'''+"^""`r`n"^""+'$global:ok = 0'+"^""`r`n"^""+'$global:skip = 0'+"^""`r`n"^""+'$global:fail = 0'+"^""`r`n"^""+'function Rename-KeyTree($Path) {'+"^""`r`n"^""+'    Write-Host "^""Processing key: $Path"^""'+"^""`r`n"^""+'    if (-Not (Test-Path -LiteralPath $Path)) {'+"^""`r`n"^""+'        Write-Host ''Skipping: Key does not exist.'''+"^""`r`n"^""+'        $global:skip++'+"^""`r`n"^""+'        return'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    $values = (Get-Item -LiteralPath $Path -ErrorAction Stop | Select-Object -ExpandProperty Property)'+"^""`r`n"^""+'    foreach ($value in $values) {'+"^""`r`n"^""+'        Write-Host "^""Renaming ''$value''"^""'+"^""`r`n"^""+'        if ($value.EndsWith($suffix)) {'+"^""`r`n"^""+'            Write-Host ''Skipping: Has suffix.'''+"^""`r`n"^""+'            $global:skip++'+"^""`r`n"^""+'            continue'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'        $backupName = $value + $suffix'+"^""`r`n"^""+'        Write-Host "^""Renaming to ''$backupName''."^""'+"^""`r`n"^""+'        try {'+"^""`r`n"^""+'            Rename-ItemProperty `'+"^""`r`n"^""+'                -LiteralPath $Path `'+"^""`r`n"^""+'                -Name $value `'+"^""`r`n"^""+'                -NewName $backupName `'+"^""`r`n"^""+'                -ErrorAction Stop'+"^""`r`n"^""+'            Write-Host ''Successfully renamed.'''+"^""`r`n"^""+'            $global:ok++'+"^""`r`n"^""+'        } catch {'+"^""`r`n"^""+'            Write-Warning "^""Failed to rename value: $_"^""'+"^""`r`n"^""+'            $global:fail++'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    $subkeys = Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue'+"^""`r`n"^""+'    foreach ($key in $subkeys) {'+"^""`r`n"^""+'        Rename-KeyTree $key.PSPath'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    Write-Host "^""Renaming key ''$Path''."^""'+"^""`r`n"^""+'    if ($Path.EndsWith($suffix)) {'+"^""`r`n"^""+'        Write-Host ''Skipping: Has suffix.'''+"^""`r`n"^""+'        $global:skip++'+"^""`r`n"^""+'    } else {'+"^""`r`n"^""+'        $backupPath = $Path + $suffix'+"^""`r`n"^""+'        while (Test-Path -LiteralPath $backupPath) {'+"^""`r`n"^""+'            $backupPath += $suffix'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'        Write-Host "^""Renaming to ''$backupPath''."^""'+"^""`r`n"^""+'        try {'+"^""`r`n"^""+'            Rename-KeyWithAcl `'+"^""`r`n"^""+'                -Old $Path `'+"^""`r`n"^""+'                -New $backupPath `'+"^""`r`n"^""+'                -ErrorAction Stop'+"^""`r`n"^""+'            Write-Host ''Successfully renamed.'''+"^""`r`n"^""+'            $global:ok++'+"^""`r`n"^""+'        } catch {'+"^""`r`n"^""+'            Write-Warning "^""Failed to rename: $_"^""'+"^""`r`n"^""+'            $global:fail++'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'}'+"^""`r`n"^""+'Write-Host "^""Soft deleting registry key ''$rawPath'' recursively."^""'+"^""`r`n"^""+'$hive = $rawPath.Split(''\'')[0]'+"^""`r`n"^""+'$path = $hive + '':'' + $rawPath.Substring($hive.Length)'+"^""`r`n"^""+'Rename-KeyTree $path'+"^""`r`n"^""+'$totalItems = $global:ok + $global:skip + $global:fail'+"^""`r`n"^""+'Write-Host "^""Total items: $totalItems, Renamed: $global:ok, Skipped: $global:skip, Failed: $global:fail"^""'+"^""`r`n"^""+'if (($totalItems -eq 0) -or ($totalItems -eq $global:skip)) {'+"^""`r`n"^""+'    Write-Host ''No items were processed. The operation had no effect.'''+"^""`r`n"^""+'} elseif ($global:fail -eq $totalItems) {'+"^""`r`n"^""+'    throw "^""Operation failed. All $global:fail items could not be processed."^""'+"^""`r`n"^""+'} elseif ($global:ok) {'+"^""`r`n"^""+'    Write-Host "^""Successfully processed $global:ok item(s)."^""'+"^""`r`n"^""+'}'; Invoke-AsTrustedInstaller $cmd"

Revert:

PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName "^""$($scriptFile.BaseName).ps1"^"" -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = 'privacy' + '.sexy invoke'; schtasks.exe /delete /tn "^""$taskName"^"" /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed to execute with exit code: $result."^""; } } finally { schtasks.exe /delete /tn "^""$taskName"^"" /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = 'function Rename-KeyWithAcl($Old, $New) {'+"^""`r`n"^""+'    $acl = $null'+"^""`r`n"^""+'    try {'+"^""`r`n"^""+'        $acl = Get-Acl `'+"^""`r`n"^""+'            -Path $Old `'+"^""`r`n"^""+'            -ErrorAction Stop'+"^""`r`n"^""+'        $rule = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])[0]'+"^""`r`n"^""+'        $acl.RemoveAccessRuleAll($rule)'+"^""`r`n"^""+'        $acl.AddAccessRule($rule)'+"^""`r`n"^""+'    } catch {'+"^""`r`n"^""+'        Write-Warning "^""Failed to read ACL: $_"^""'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    try {'+"^""`r`n"^""+'        Copy-Item `'+"^""`r`n"^""+'            -LiteralPath $Old `'+"^""`r`n"^""+'            -Destination $New `'+"^""`r`n"^""+'            -Recurse `'+"^""`r`n"^""+'            -Force `'+"^""`r`n"^""+'            -ErrorAction Stop'+"^""`r`n"^""+'    } catch {'+"^""`r`n"^""+'        throw "^""Failed to copy: $_"^""'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    try {'+"^""`r`n"^""+'        Remove-Item `'+"^""`r`n"^""+'            -LiteralPath $Old `'+"^""`r`n"^""+'            -Force `'+"^""`r`n"^""+'            -Recurse `'+"^""`r`n"^""+'            -ErrorAction Stop `'+"^""`r`n"^""+'            | Out-Null'+"^""`r`n"^""+'    } catch {'+"^""`r`n"^""+'        try {'+"^""`r`n"^""+'            Remove-Item `'+"^""`r`n"^""+'                -LiteralPath $New `'+"^""`r`n"^""+'                -Force `'+"^""`r`n"^""+'                -Recurse `'+"^""`r`n"^""+'                -ErrorAction Stop `'+"^""`r`n"^""+'                | Out-Null'+"^""`r`n"^""+'        } catch {'+"^""`r`n"^""+'            Write-Warning "^""Failed to clean: $_"^""'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'        throw "^""Failed to remove: $_"^""'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    if ($acl) {'+"^""`r`n"^""+'        try {'+"^""`r`n"^""+'            Set-Acl `'+"^""`r`n"^""+'                -Path $New `'+"^""`r`n"^""+'                -AclObject $acl `'+"^""`r`n"^""+'                -ErrorAction Stop'+"^""`r`n"^""+'        } catch {'+"^""`r`n"^""+'            Write-Warning "^""Failed to set ACL: $_"^""'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'}'+"^""`r`n"^""+'$rawPath=''HKLM\SOFTWARE\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}'''+"^""`r`n"^""+'$suffix =''.OLD'''+"^""`r`n"^""+'$global:fail = 0'+"^""`r`n"^""+'$global:ok = 0'+"^""`r`n"^""+'function Get-Real($s) {'+"^""`r`n"^""+'    while ($s.EndsWith($suffix)) {'+"^""`r`n"^""+'        $s = $s.Substring(0, $s.Length - $suffix.Length)'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    return $s'+"^""`r`n"^""+'}'+"^""`r`n"^""+'function Restore-KeyTree($Path) {'+"^""`r`n"^""+'    Write-Host "^""Restoring key: ''$Path''"^""'+"^""`r`n"^""+'    $dest = Get-Real $Path'+"^""`r`n"^""+'    $src = $Path'+"^""`r`n"^""+'    if (-Not $src.EndsWith($suffix)) {'+"^""`r`n"^""+'        $src += $suffix'+"^""`r`n"^""+'        if (-Not (Test-Path -LiteralPath $src)) {'+"^""`r`n"^""+'            Write-Host ''Skipping: No data.'''+"^""`r`n"^""+'            Restore-Children $dest'+"^""`r`n"^""+'            return'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    if (Test-Path -LiteralPath $dest) {'+"^""`r`n"^""+'        Write-Host ''Skipping to avoid data loss. Key already exists.'''+"^""`r`n"^""+'        Write-Warning "^""Manual intervention may be required to fully restore from ''$src''."^""'+"^""`r`n"^""+'    } else {'+"^""`r`n"^""+'        Write-Host "^""Restoring key from ''$src''."^""'+"^""`r`n"^""+'        try {'+"^""`r`n"^""+'            Rename-KeyWithAcl `'+"^""`r`n"^""+'                -Old $src `'+"^""`r`n"^""+'                -New $dest `'+"^""`r`n"^""+'                -ErrorAction Stop'+"^""`r`n"^""+'            Write-Host ''Successfully restored.'''+"^""`r`n"^""+'            $global:ok++'+"^""`r`n"^""+'        } catch {'+"^""`r`n"^""+'            Write-Warning "^""Failed: $_"^""'+"^""`r`n"^""+'            $global:fail++'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    Restore-Children $dest'+"^""`r`n"^""+'}'+"^""`r`n"^""+'function Restore-Children($Path) {'+"^""`r`n"^""+'    Write-Host "^""Restoring values in ''$Path''"^""'+"^""`r`n"^""+'    if (-Not (Test-Path -LiteralPath $Path)) {'+"^""`r`n"^""+'        Write-Host ''Skipping: Key does not exist. No action needed.'''+"^""`r`n"^""+'        return'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    $values = ( `'+"^""`r`n"^""+'        Get-Item `'+"^""`r`n"^""+'            -LiteralPath $Path `'+"^""`r`n"^""+'            -ErrorAction Stop `'+"^""`r`n"^""+'            | Select-Object -ExpandProperty Property `'+"^""`r`n"^""+'    )'+"^""`r`n"^""+'    foreach ($value in $values) {'+"^""`r`n"^""+'        Write-Host "^""Restoring value ''$value''"^""'+"^""`r`n"^""+'        if (-Not $value.EndsWith($suffix)) {'+"^""`r`n"^""+'            Write-Host ''Skipping: No action needed.'''+"^""`r`n"^""+'            continue'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'        $real = Get-Real $value'+"^""`r`n"^""+'        Write-Host "^""Renaming to ''$real''."^""'+"^""`r`n"^""+'        try {'+"^""`r`n"^""+'            Rename-ItemProperty `'+"^""`r`n"^""+'                -LiteralPath $Path `'+"^""`r`n"^""+'                -Name $value `'+"^""`r`n"^""+'                -NewName $real `'+"^""`r`n"^""+'                -ErrorAction Stop'+"^""`r`n"^""+'            Write-Host ''Successfully restored.'''+"^""`r`n"^""+'            $global:ok++'+"^""`r`n"^""+'        } catch {'+"^""`r`n"^""+'            Write-Warning "^""Failed: $_"^""'+"^""`r`n"^""+'            $global:fail++'+"^""`r`n"^""+'        }'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'    $keys = Get-ChildItem `'+"^""`r`n"^""+'        -LiteralPath $Path `'+"^""`r`n"^""+'        -ErrorAction SilentlyContinue'+"^""`r`n"^""+'    foreach ($key in $keys) {'+"^""`r`n"^""+'        Restore-KeyTree $key.PSPath'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'}'+"^""`r`n"^""+'Write-Host "^""Restoring registry key ''$rawPath'' recursively."^""'+"^""`r`n"^""+'$hive = $rawPath.Split(''\'')[0]'+"^""`r`n"^""+'$path = $hive + '':'' + $rawPath.Substring($hive.Length)'+"^""`r`n"^""+'Restore-KeyTree $path'+"^""`r`n"^""+'if ($global:fail) {'+"^""`r`n"^""+'    Write-Error ''Failed to restore'''+"^""`r`n"^""+'    Exit 1'+"^""`r`n"^""+'}'; Invoke-AsTrustedInstaller $cmd"

Feel free to test this.

This issue also inspired me to do things.

We should probably delete all registry keys related to smart screen based on this. Do you agree @Nub865 ?

I also see that there are hundreds of other CLSIDs (other similar COM registrations) related to Defender and its component, I may add them all at once too.

[Nub865]

Hi, I tested it and now it works as it should. Good job! The MsMpEng.exe is still running so I guess I will have to boot from live linux distro to delete the folder with the numbers in C:\ProgramData\Microsoft\Windows Defender\Platform but that's okay, I can manage it (from step 4)

Edit: I also know that there are other registry keys with the same name, in the beginning when I saw there were hundreds of them I figured that it would be pointless to delete them all except the 2 that I mentioned in here

[maximilien1990]

• hey im having the same problem im getting bsod's with the dcom server registering event id 11010 and i tried deleting and renaming the keys but im unable to do so. i tried with psexec, i tried in recovery in cmd but it tells me it cant find the key when i do reg delete. how can i fix this because im getting random crashes and its starting to annoy me quite a bit. any help would be appreciated. i tried the sript a few comments up its not working for me

edit: i was able to rename the one in appid but not in clsid even after taking owenrship