Windows PowerShell command on Get-command Set-ProcessMitigation

NAME

Set-ProcessMitigation

SYNOPSIS

Commands to enable and disable process mitigations or set them in bulk from an XML file.

SYNTAX

Set-ProcessMitigation [[-Name] <String>] [-Disable {DEP | EmulateAtlThunks | SEHOP | ForceRelocate | RequireInfo | BottomUp | HighEntropy | StrictHandle | DisableWin32kSystemCalls | AuditSystemCall | ExtensionPoint | DynamicCode | AuditDynamicCode | CFG | SuppressExports | StrictCFG | BlockNonMicrosoftSigned | AllowStoreSigned | AuditMicrosoftSigned | AuditStoreSigned | EnforceModuleDepencySigning | DisableNonSystemFonts | FontAuditOnly | AuditFont | BlockRemoteImages | BlockLowLabel | PreferSystem32 | AuditImageLoad | EnableExportAddressFilter | AuditEnableExportAddressFilter | EnableExportAddressFilterPlus | AuditEnableExportAddressFilterPlus | EnableImportAddressFilter | AuditEnableImportAddressFilter | EnableRopStackPivot | AuditEnableRopStackPivot | EnableRopCallerCheck | AuditEnableRopCallerCheck | EnableRopSimExec | AuditEnableRopSimExec | SEHOP | AuditSEHOP | SEHOPTelemetry | TerminateOnHeapError | DisallowChildProcessCreation | AuditChildProcess}] [-EAFModules <String[]>] [-Enable {DEP | EmulateAtlThunks | SEHOP | ForceRelocate | RequireInfo | BottomUp | HighEntropy | StrictHandle | DisableWin32kSystemCalls | AuditSystemCall | ExtensionPoint | DynamicCode | AuditDynamicCode | CFG | SuppressExports | StrictCFG | BlockNonMicrosoftSigned | AllowStoreSigned | AuditMicrosoftSigned | AuditStoreSigned | EnforceModuleDepencySigning | DisableNonSystemFonts | FontAuditOnly | AuditFont | BlockRemoteImages | BlockLowLabel | PreferSystem32 | AuditImageLoad | EnableExportAddressFilter | EnableExportAddressFilterPlus | EnableImportAddressFilter | EnableRopStackPivot | EnableRopCallerCheck | EnableRopSimExec | SEHOP | AuditSEHOP | SEHOPTelemetry | TerminateOnHeapError | DisallowChildProcessCreation | AuditChildProcess}] [-Force {on | off | notset}] [-Remove] [-Reset] [<CommonParameters>]

Set-ProcessMitigation [-Disable {DEP | EmulateAtlThunks | SEHOP | ForceRelocate | RequireInfo | BottomUp | HighEntropy | StrictHandle | SystemCall | AuditSystemCall | ExtensionPoint | DynamicCode | AuditDynamicCode | CFG | SuppressExports | StrictCFG | BlockNonMicrosoftSigned | AllowStoreSigned | AuditMicrosoftSigned | AuditStoreSigned | EnforceModuleDepencySigning | DisableNonSystemFonts | FontAuditOnly | AuditFont | BlockRemoteImages | BlockLowLabel | PreferSystem32 | AuditImageLoad | EnableExportAddressFilter | EnableExportAddressFilterPlus | EnableImportAddressFilter | EnableRopStackPivot | EnableRopCallerCheck | EnableRopSimExec | SEHOP | AuditSEHOP | SEHOPTelemetry | TerminateOnHeapError | DisallowChildProcessCreation | AuditChildProcess}] [-EAFModules <String[]>] [-Enable {DEP | EmulateAtlThunks | SEHOP | ForceRelocate | RequireInfo | BottomUp | HighEntropy | StrictHandle | SystemCall | AuditSystemCall | ExtensionPoint | DynamicCode | AuditDynamicCode | CFG | SuppressExports | StrictCFG | BlockNonMicrosoftSigned | AllowStoreSigned | AuditMicrosoftSigned | AuditStoreSigned | EnforceModuleDepencySigning | DisableNonSystemFonts | FontAuditOnly | AuditFont | BlockRemoteImages | BlockLowLabel | PreferSystem32 | AuditImageLoad | EnableExportAddressFilter | EnableExportAddressFilterPlus | EnableImportAddressFilter | EnableRopStackPivot | EnableRopCallerCheck | EnableRopSimExec | SEHOP | AuditSEHOP | SEHOPTelemetry | TerminateOnHeapError | DisallowChildProcessCreation | AuditChildProcess}] [-Force {on | off | notset}] [-Remove] [-Reset] [-System] [<CommonParameters>]

Set-ProcessMitigation [-IsValid] -PolicyFilePath <String> [<CommonParameters>]

DESCRIPTION

Turns process mitigation settings on or off. Can also apply (or validate) an XML file that sets mitigations for many processes at once.

PARAMETERS

-Disable

Comma-separated list of mitigations to disable. The disable list takes priority over the enable list: a mitigation specified in both is disabled.

Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false

-EAFModules

Modules to be added to the EAF+ mitigation.

Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false

-Enable

Comma-separated list of mitigations to enable. The disable list takes priority over the enable list: a mitigation specified in both is disabled.

Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false

-Force

Overrides a system setting either on or off depending on the level this is set at. Will force "on"/"off" all mitigations provided in the -Enable list.

Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false

-IsValid [<SwitchParameter>]

Set to check the given XML file for validity. Requires a local .xsd.

Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false

-Name

Name of the process to apply mitigation settings to. Can be in the format "notepad" or "notepad.exe".

Required? false
Position? 0
Default value None
Accept pipeline input? True (ByPropertyName, ByValue)
Accept wildcard characters? false

-PolicyFilePath

An XML file with mitigation settings for many processes that is applied to the registry.

Required? true
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false

-Remove [<SwitchParameter>]

Removes a mitigation entry from the registry.

Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false

-Reset [<SwitchParameter>]

Resets a specific mitigation entry to defer.

Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false

-System [<SwitchParameter>]

Used to configure system defaults rather than individual apps.

Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS

System.String

OUTPUTS

System.Object

NOTES

Example 1

PS C:\> set-ProcessMitigation -Name Notepad.exe -Enable SEHOP -Disable MandatoryASLR

Gets the current process mitigation for "notepad.exe" from the registry and then enables SEHOP, and disables MandatoryASLR.

Example 2

PS C:\> Set-ProcessMitigation -PolicyFilePath settings.xml

Applies all settings inside settings.xml

Example 3

PS C:\> Set-ProcessMitigation -PolicyFilePath settings.xml -IsValid

Checks if the given file is a valid settings.xml, requires local .xsd
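
The -Disable and -Enable descriptions state that a mitigation named in both lists ends up disabled. The following pre-flight wrapper is an added example, not part of the original help text or of the cmdlet's module; Resolve-MitigationPlan and Set-MitigationChecked are hypothetical helper names. It refuses such a call instead of letting a requested mitigation be turned off silently.

```powershell
# Added example: hypothetical helpers, not shipped with Set-ProcessMitigation.
function Resolve-MitigationPlan {
    param(
        [string[]] $Enable  = @(),
        [string[]] $Disable = @()
    )
    # -contains compares strings case-insensitively, so 'sehop' matches 'SEHOP'.
    $conflicts = @($Enable | Where-Object { $Disable -contains $_ } | Sort-Object -Unique)
    [pscustomobject]@{
        # Documented rule: a name present in both lists ends up disabled.
        Enable    = @($Enable | Where-Object { $Disable -notcontains $_ } | Sort-Object -Unique)
        Disable   = @($Disable | Sort-Object -Unique)
        Conflicts = $conflicts
    }
}

function Set-MitigationChecked {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string[]] $Enable  = @(),
        [string[]] $Disable = @()
    )
    $plan = Resolve-MitigationPlan -Enable $Enable -Disable $Disable
    if ($plan.Conflicts.Count -gt 0) {
        # Fail closed: refuse a call that would silently turn a requested mitigation off.
        throw "In both -Enable and -Disable (would be disabled): $($plan.Conflicts -join ', ')"
    }
    # Pass only non-empty lists so the cmdlet never receives an empty argument.
    $splat = @{ Name = $Name }
    if ($plan.Enable.Count  -gt 0) { $splat.Enable  = $plan.Enable }
    if ($plan.Disable.Count -gt 0) { $splat.Disable = $plan.Disable }
    $summary = "enable [$($plan.Enable -join ', ')], disable [$($plan.Disable -join ', ')]"
    if ($PSCmdlet.ShouldProcess($Name, $summary)) {
        Set-ProcessMitigation @splat
    }
}

# Constructed input: SEHOP is in both lists, so it is reported under Conflicts.
Resolve-MitigationPlan -Enable DEP, SEHOP -Disable sehop, BottomUp

# Dry run: -WhatIf prints the planned change and does not call Set-ProcessMitigation.
Set-MitigationChecked -Name notepad.exe -Enable DEP, SEHOP, CFG -WhatIf
```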

RELATED LINKS


