Set-ProcessMitigation

Module:: ProcessMitigations Module

Commands to enable and disable process mitigations or set them in bulk from an XML file.

Syntax

ProcessPolicy

Set-ProcessMitigation
    [[-Name] <String>]
    [-Disable <String[]>]
    [-Enable <String[]>]
    [-EAFModules <String[]>]
    [-Force <String>]
    [-Reset]
    [-Remove]
    [<CommonParameters>]

FullPolicy

Set-ProcessMitigation
    -PolicyFilePath <String>
    [-IsValid]
    [<CommonParameters>]

SystemMode

Set-ProcessMitigation
    [-Disable <String[]>]
    [-Enable <String[]>]
    [-EAFModules <String[]>]
    [-System]
    [-Force <String>]
    [-Reset]
    [-Remove]
    [<CommonParameters>]

Description

Used to turn on and off various process mitigation settings. Can also apply an XML file to apply settings for many processes at once.

Examples

Example 1

PS C:\>  Set-ProcessMitigation -Name Notepad.exe -Enable SEHOP -Disable ForceRelocateImages

Gets the current process mitigation for "notepad.exe" from the registry and then enables SEHOP, and disables ForceRelocateImages.

Example 2

PS C:\> Set-ProcessMitigation -PolicyFilePath settings.xml

Applies all settings inside settings.xml

Example 3

PS C:\> Set-ProcessMitigation -System -Enable DEP

Applies DEP at the system level. To disable mitigations, you can replace -Enable with -Disable. However, for app-level mitigations, this will force the mitigation to be disabled only for that app.

Exmaple 4

PS C:\> Set-ProcessMitigation -System -Remove -Disable DEP

If you need to restore the mitigation back to the system default, you need to include the -Remove cmdlet as well, as in the above example:

Example 5

PS C:\> Set-ProcessMitigation -System -Enable SEHOP

Enable SEHOP Component at the system level.

Example 6

PS C:\> Set-ProcessMitigation -System -Disable SEHOP

Disable SEHOP Component at the system level.

Example 7

PS C:\> Set-ProcessMitigation -System -Reset

Reset Mitigation at the system level.

Parameters

-Disable

Comma separated list of mitigations to disable. Disable list takes priority over enable list. If specified in both, it will be disabled.

Parameter properties

Type:	String[]
Default value:	None
Accepted values:	DEP, EmulateAtlThunks, SEHOP, ForceRelocateImages, RequireInfo, BottomUp, HighEntropy, StrictHandle, DisableWin32kSystemCalls, AuditSystemCall, DisableExtensionPoints, BlockDynamicCode, AllowThreadsToOptOut, AuditDynamicCode, CFG, SuppressExports, StrictCFG, MicrosoftSignedOnly, AllowStoreSignedBinaries, AuditMicrosoftSigned, AuditStoreSigned, EnforceModuleDependencySigning, DisableNonSystemFonts, AuditFont, BlockRemoteImageLoads, BlockLowLabelImageLoads, PreferSystem32, AuditRemoteImageLoads, AuditLowLabelImageLoads, AuditPreferSystem32, EnableExportAddressFilter, AuditEnableExportAddressFilter, EnableExportAddressFilterPlus, AuditEnableExportAddressFilterPlus, EnableImportAddressFilter, AuditEnableImportAddressFilter, EnableRopStackPivot, AuditEnableRopStackPivot, EnableRopCallerCheck, AuditEnableRopCallerCheck, EnableRopSimExec, AuditEnableRopSimExec, SEHOP, AuditSEHOP, SEHOPTelemetry, TerminateOnError, DisallowChildProcessCreation, AuditChildProcess
Supports wildcards:	False
DontShow:	False
Aliases:	d

Parameter sets

ProcessPolicy

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

SystemMode

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-EAFModules

Modules to be added to the EAF+ mitigation.

Parameter properties

Type:	String[]
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

ProcessPolicy

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

SystemMode

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Enable

Comma separated list of mitigations to enable. Disable list takes priority over enable list. If specified in both, it will be disabled.

Parameter properties

Type:	String[]
Default value:	None
Accepted values:	DEP, EmulateAtlThunks, SEHOP, ForceRelocateImages, RequireInfo, BottomUp, HighEntropy, StrictHandle, DisableWin32kSystemCalls, AuditSystemCall, DisableExtensionPoints, BlockDynamicCode, AllowThreadsToOptOut, AuditDynamicCode, CFG, SuppressExports, StrictCFG, MicrosoftSignedOnly, AllowStoreSignedBinaries, AuditMicrosoftSigned, AuditStoreSigned, EnforceModuleDependencySigning, DisableNonSystemFonts, AuditFont, BlockRemoteImageLoads, BlockLowLabelImageLoads, PreferSystem32, AuditRemoteImageLoads, AuditLowLabelImageLoads, AuditPreferSystem32, EnableExportAddressFilter, AuditEnableExportAddressFilter, EnableExportAddressFilterPlus, AuditEnableExportAddressFilterPlus, EnableImportAddressFilter, AuditEnableImportAddressFilter, EnableRopStackPivot, AuditEnableRopStackPivot, EnableRopCallerCheck, AuditEnableRopCallerCheck, EnableRopSimExec, AuditEnableRopSimExec, SEHOP, AuditSEHOP, SEHOPTelemetry, TerminateOnError, DisallowChildProcessCreation, AuditChildProcess
Supports wildcards:	False
DontShow:	False
Aliases:	e

Parameter sets

ProcessPolicy

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

SystemMode

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Force

Overrides a system setting either on or off depending on the level this is set at. Will force "on"/"off" all mitigations provided in the -Enable list

Parameter properties

Type:	String
Default value:	None
Accepted values:	on, off, notset
Supports wildcards:	False
DontShow:	False
Aliases:	f

Parameter sets

ProcessPolicy

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

SystemMode

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-IsValid

Set to check the given XML file for validity. Requires local .xsd

Parameter properties

Type:	SwitchParameter
Default value:	False
Supports wildcards:	False
DontShow:	False
Aliases:	v

Parameter sets

FullPolicy

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Name

Name of the process to apply mitigation settings to. Can be in the format "notepad" or "notepad.exe"

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

ProcessPolicy

Position:	0
Mandatory:	False
Value from pipeline:	True
Value from pipeline by property name:	True
Value from remaining arguments:	False

-PolicyFilePath

Path to XML file containing mitigation settings.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	x

Parameter sets

FullPolicy

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Remove

Removes a mitigation entry from the registry.

Parameter properties

Type:	SwitchParameter
Default value:	False
Supports wildcards:	False
DontShow:	False

Parameter sets

ProcessPolicy

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

SystemMode

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Reset

Resets a specific mitigation entry to defer.

Parameter properties

Type:	SwitchParameter
Default value:	False
Supports wildcards:	False
DontShow:	False
Aliases:	r

Parameter sets

ProcessPolicy

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

SystemMode

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-System

Used to configure system defaults rather than individual apps.

Parameter properties

Type:	SwitchParameter
Default value:	False
Supports wildcards:	False
DontShow:	False
Aliases:	s

Parameter sets

SystemMode

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Share via

Set-ProcessMitigation

Syntax

ProcessPolicy

FullPolicy

SystemMode

Description

Examples

Example 1

Example 2

Example 3

Exmaple 4

Example 5

Example 6

Example 7

Parameters

-Disable

Parameter properties

Parameter sets

-EAFModules

Parameter properties

Parameter sets

-Enable

Parameter properties

Parameter sets

-Force

Parameter properties

Parameter sets

-IsValid

Parameter properties

Parameter sets

-Name

Parameter properties

Parameter sets

-PolicyFilePath

Parameter properties

Parameter sets

-Remove

Parameter properties

Parameter sets

-Reset

Parameter properties

Parameter sets

-System

Parameter properties

Parameter sets

CommonParameters

Inputs

String

Outputs

Object

Feedback