ESET Registry Keys (May 2026)

```
HKLM\SYSTEM\CurrentControlSet\Services\ekrn
```

Important values:

```
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\SelfDefense
    Enabled = 0   (requires reboot or service restart)
```

⚠️ Disabling self-defense weakens protection. Do this only in isolated, controlled environments.

While most settings are machine-wide, GUI preferences are stored per user:

```
HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Settings\Exclusions\
    Path0 = "C:\Program Files\MyApp\*"
    Path1 = "D:\Backup\*.tmp"
    ...
    Count = 2
```

⚠️ Editing exclusions directly via regedit is possible, but ESET’s GUI or egui.exe /export-settings is preferred to avoid CRC mismatches.

| Key | Value | Purpose |
|------|--------|---------|
| HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Settings\Updates | UpdateServerURL | Custom mirror / internal update server |
| | UpdateMode | 0 = automatic, 1 = pre-release, 2 = delayed |
| | LastUpdateCheck | Timestamp (FILETIME format) |
| | LastSuccessfulUpdate | Timestamp |

2.5 Web & Email Protection

```
HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Settings\WebAccess\
    Enabled = 1
    HttpPortsScan = 80,8080,3128
    SslFiltering = 1

HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Settings\Email
    Pop3Scan = 1
    SmtpScan = 1
    ImapScan = 1
```

3. Service Control & Driver Parameters

ekrn Service (ESET Kernel Service)

The core scanning engine runs as ekrn.exe. Its service configuration is under:

Introduction

ESET endpoint security products (NOD32 Antivirus, ESET Internet Security, ESET Endpoint Security) are among the most widely deployed Windows-based security solutions. Behind their user-friendly GUI lies a complex configuration stored almost entirely in the Windows Registry. For system administrators, malware analysts, and forensic investigators, understanding ESET’s registry footprint is critical for deployment automation, troubleshooting, security validation, and incident response.

| Registry Path | Alert if modified by non-ESET process |
|---------------|----------------------------------------|
| HKLM\SOFTWARE\ESET\*\Settings\RealtimeFS\Enabled | Potential disable attempt |
| HKLM\SOFTWARE\ESET\*\Settings\Exclusions\* | Ransomware adding its path |
| HKLM\SYSTEM\CurrentControlSet\Services\ekrn\Start | Service disable attempt |
| *\SelfDefense\Enabled | Tampering with protection |

Using Sysmon event ID 13 (RegistryValueSet) or 14 (RegistryKeyCreate) with filters on ESET paths is highly effective.

ESET’s registry keys form the backbone of its configuration, self-defense, and operational state. While not intended for direct daily editing, they offer deep insight for deployment automation, troubleshooting, and forensic investigations. Understanding their layout—especially real-time protection, exclusions, updates, and self-defense—empowers IT professionals to manage ESET securely and respond effectively to evasion attempts.
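The watch-list table and the Sysmon event ID 13 filter described above, as an added triage example that is not part of the original page or of ESET's tooling. It assumes events are already parsed into dictionaries carrying Sysmon's `Image` and `TargetObject` fields, that `*` in the table's paths is a wildcard, and that ESET binaries live under `C:\Program Files\ESET\`; the sample events are constructed.

```python
import re

# Watch-list copied from the page's table; '*' is treated as a wildcard (assumption).
WATCHLIST = [
    (r"HKLM\SOFTWARE\ESET\*\Settings\RealtimeFS\Enabled", "Potential disable attempt"),
    (r"HKLM\SOFTWARE\ESET\*\Settings\Exclusions\*", "Ransomware adding its path"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\ekrn\Start", "Service disable attempt"),
    (r"*\SelfDefense\Enabled", "Tampering with protection"),
]
# Assumption: ESET's own binaries are installed under this directory.
ESET_DIR = "c:\\program files\\eset\\"

def _compile(pattern):
    # Escape the path, then turn each escaped '*' back into "any characters".
    return re.compile(re.escape(pattern).replace(r"\*", ".*"), re.IGNORECASE)

RULES = [(_compile(p), label) for p, label in WATCHLIST]

def triage(events):
    """Return (label, image, target) for watched writes made by non-ESET images."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:  # registry value-set events only
            continue
        if ev["Image"].lower().startswith(ESET_DIR):
            continue  # write came from an ESET binary
        for rule, label in RULES:
            if rule.fullmatch(ev["TargetObject"]):
                alerts.append((label, ev["Image"], ev["TargetObject"]))
                break
    return alerts

# Constructed sample events using Sysmon event 13 field names (not real telemetry).
BASE = r"HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\ESET\ESET Security\ekrn.exe",
     "TargetObject": BASE + r"\Settings\RealtimeFS\Enabled"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": BASE + r"\Settings\Exclusions\Path2"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ekrn\Start"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Contoso\App\Enabled"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Allow-listing by image path alone is coarse; where the pipeline records signer or hash data for the writing process, check that as well.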

| Value | Meaning |
|--------|---------|
| Start | 2 = auto-start, 4 = disabled |
| Type | 0x10 (own process) |
| ErrorControl | 1 = normal error handling |
| ImagePath | Path to ekrn.exe |
| Parameters\HeapSize | Memory allocated to ekrn (advanced) |
| Parameters\MaxThreads | Max concurrent scan threads |

🔐 Malware often tries to modify Start to 4 or delete the service key entirely to disable protection. A monitored ESET installation will restore it via self-defense.

4. Self-Defense & Anti-Tampering Keys

ESET includes a self-defense driver (ehdrv.sys) that protects its registry keys from unauthorized modification, even by administrators.