I have a scheduled task that should run every two hours, with the following command line action:

  • Program: mshta
  • Arguments: vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -NoLogo -Command """"& 'X:\Path\To\Custom\powershellScript.ps1'"""""", 0 : window.close")

Every two hours, instead of the task getting run, I'm getting:

Found some malware Windows Defender is removing it

and in Defender history:

Detected item Trojan:Win32/Powerssere.G

I don't want to stop Windows Defender, because of the potential security implications of doing so. Is there a way to add an exclusion in Defender so that it ignores the task?

I tried adding the script path, the folder, mshta.exe and powershell.exe to exclusions, and also ps1 to file types. Nothing works.

By the way, Defender doesn't remove the task, or the script that should be run, just stops it from running.

Clarification:

  • It must run in the background, no window should pop out when the task is run, it has to run as the user if he's logged in, and I don't want to store a password, run with another user account, or run with highest privileges.

  • The script has to be executed as the logged-in user. Its purpose is to change the wallpaper for the logged-in user to a downloaded one ($picturePath variable). Excerpt:


    # $picturePath holds the full path of the downloaded image (set earlier in the script)
    $registryPropertyPath = "HKCU:\Control Panel\Desktop\"
    $registryPropertyName = "Wallpaper"
    $wallpaperProperty = (Get-ItemProperty -Path $registryPropertyPath -Name $registryPropertyName).WallPaper
    if ($wallpaperProperty -ne $picturePath) {
        # write the new path, then nudge the shell to re-read the desktop settings
        Set-ItemProperty -Path $registryPropertyPath -Name $registryPropertyName -Value $picturePath
        for ($i = 0; $i -lt 20; $i++) {
            RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True
        }
    }
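A variant of the excerpt above, added here as an example and not the asker's own script: it sets the wallpaper through the documented Win32 call SystemParametersInfo (SPI_SETDESKWALLPAPER) instead of looping over rundll32 USER32.DLL,UpdatePerUserSystemParameters, which is not a supported rundll32 entry point. That gives the script one fewer living-off-the-land process launch for Defender to weigh, and it reports a real error if the write fails. The value of $picturePath is an assumption; the script is expected to run in the logged-in user's own session.

```powershell
# Added example (not the asker's code): apply a wallpaper for the current user via
# SystemParametersInfo rather than the rundll32 loop. $picturePath is assumed to hold
# the full path of the already-downloaded image.
$picturePath = 'C:\Users\Public\Pictures\wallpaper.jpg'   # assumed value

# P/Invoke declaration for user32!SystemParametersInfo (string overload for pvParam).
Add-Type -Namespace Win32 -Name Desktop -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, string pvParam, uint fWinIni);
'@

$SPI_SETDESKWALLPAPER = 0x0014   # set the desktop wallpaper
$SPIF_UPDATEINIFILE   = 0x0001   # persist it to the user profile (HKCU\Control Panel\Desktop\Wallpaper)
$SPIF_SENDCHANGE      = 0x0002   # broadcast WM_SETTINGCHANGE so the desktop repaints immediately

$registryPropertyPath = 'HKCU:\Control Panel\Desktop\'
$current = (Get-ItemProperty -Path $registryPropertyPath -Name Wallpaper).Wallpaper

if ($current -ne $picturePath) {
    if (-not (Test-Path -LiteralPath $picturePath)) {
        throw "Wallpaper file not found: $picturePath"
    }
    $ok = [Win32.Desktop]::SystemParametersInfo(
        $SPI_SETDESKWALLPAPER, 0, $picturePath, ($SPIF_UPDATEINIFILE -bor $SPIF_SENDCHANGE))
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "SystemParametersInfo failed with Win32 error $err"
    }
}
```

Because SPIF_UPDATEINIFILE writes the registry value itself, the Set-ItemProperty step from the excerpt is no longer needed, and a single call replaces the twenty rundll32 launches.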
  • #1 Ignoring the script host and powershell is a really terrible idea. These are very common threat vectors that need to be scanned.
    – HackSlash
    Commented Jun 25, 2018 at 16:40
  • #2 Why are you using Wscript to call powershell? Why not just run your script from Task Sched? That should fix the detection problem.
    – HackSlash
    Commented Jun 25, 2018 at 16:40
  • @HackSlash because running it normally causes a window to pop out every two hours. This is a desktop machine, I don't want it, it should be run completely in the background.
    – Hex
    Commented Jun 25, 2018 at 18:04
  • ..so your task runs a HTA which runs a VBScript which runs PowerShell which runs rundll32 to call a function not even meant to be called from rundll32? Don't be surprised if other programs find it suspicious.
    Commented Jun 26, 2018 at 7:29
  • But for a start, have you tried 1) running VBScript via wscript rather than MSHTA? 2) avoiding the PowerShell layer and doing everything via VBScript? It can read and write the registry, too.
    Commented Jun 26, 2018 at 7:30

3 Answers


As for this...

My script invokes RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True to update wallpaper, which must be executed when user is logged in, it won't work otherwise

You are trying to use a remote user context, to run in a local user context. This is a Windows security boundary, always has been. So, not a PowerShell issue.

PowerShell will not natively allow this, because of this Windows security boundary violation.

Also, there are other ways to do this, vs the method you are trying.

If you really need to do this, firstly, in an enterprise, that is what GPOs are for. There are those that can't use GPO for whatever the reason. So, they try this approach and it does not work, because it's not designed to.

So, if you need to use a remote local user context, then you need to use a 3rd-party option, like SysInternals PsExec, as discussed here...

How to run a program for a remotely logged in user in Windows

You can do this with PsExec, be sure to have the right permissions to run applications for him.

    psexec \\computer -u user -i -d command

-u means user, -i makes it interactive so the user sees it, -d makes sure the command doesn't wait

https://superuser.com/questions/176249/how-to-run-a-program-for-a-remotely-logged-in-user-in-windows

... or AutoIT.

You could also create a native .ps1 script, doing something like this...

    cp "image.jpg" \\<IP>\C$
    $RemoteReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', "<IP>")
    $WallPaper = $RemoteReg.OpenSubKey("S-1-5-21-780093305-1579027723-3042286928-500\Control Panel\Desktop", $True)
    $WallPaper.SetValue("Wallpaper", "C:\image.jpg")

... and set it as a RunOnce option (Registry) for the user.

You could create a once time Scheduled Task to run once at logon for the user or other point in the day.

So, step back a bit and think about other options vs jamming this effort that is really not designed to get you where you are trying to go.


Again, as noted, if you do this, it's simply a virus type action and should be blocked.

As @HackSlash notes, that is the correct way to do this.

When you say a window pops out because of this: it should, because you are starting a new shell, and the shell has to launch and show as active. You can just add the WindowStyle property (-minimize or -hidden switch) to diminish that.

https://docs.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help?view=powershell-6

    PowerShell[.exe] [-Command { - | <script-block> [-args <arg-array>]
                         | <string> [<CommandParameters>] } ]
        [-EncodedCommand <Base64EncodedCommand>]
        [-ExecutionPolicy <ExecutionPolicy>]
        [-File <FilePath> [<Args>]]
        [-InputFormat {Text | XML}]
        [-Mta]
        [-NoExit]
        [-NoLogo]
        [-NonInteractive]
        [-NoProfile]
        [-OutputFormat {Text | XML}]
        [-PSConsoleFile <FilePath> | -Version <PowerShell version>]
        [-Sta]
        [-WindowStyle <style>]

    PowerShell[.exe] -Help | -? | /?

-WindowStyle

Sets the window style for the session. Valid values are Normal, Minimized, Maximized and Hidden.

Or this approach, since even with the above the window will still momentarily flash.

Howto hide a PowerShell prompt

http://jeffwouters.nl/index.php/2015/09/howto-hide-a-powershell-prompt

Or this one

Sneaky PowerShell Trick: Run Completely Without A Window

    using System.Management.Automation;
    using System.Threading;

    class Program
    {
        static void Main(string[] args)
        {
            // Host PowerShell in-process: no powershell.exe console is created at all.
            var powershell = PowerShell.Create();
            powershell.AddScript(@"Get-ChildItem -Path c:\temp | out-file c:\temp\shh.txt");
            var handler = powershell.BeginInvoke();
            while (!handler.IsCompleted)
                Thread.Sleep(200);
            powershell.EndInvoke(handler);
            powershell.Dispose();
        }
    }

https://workingsysadmin.com/sneaky-powershell-trick-run-completely-without-a-window

  • I know that is the correct way to do that, in my task scheduler I have a lot of scripts scheduled this way, but they can be run in background (because e.g. they just download, compress and save something). This cannot. See my clarification in the original post.
    – Hex
    Commented Jun 26, 2018 at 7:17
  • 1
    You can just add the WindowStyle property -minimize or -hidden switch to diminish that.. No. As you wrote, it still is popping out for a few miliseconds. I tried that before. The other solution also doesn't work - the window still pops out, the 2nd is C#, which i don't really want to bother with.
    – Hex
    Commented Jun 26, 2018 at 7:28

The detection event comes from your use of an unsafe method to call PowerShell. Don't use Wscript to call Powershell, only a virus would do that. ;-D

Try this method of calling your script:

  • Program: powershell.exe
  • Arguments: -ExecutionPolicy Bypass -NoLogo -NonInteractive -WindowStyle Hidden X:\Path\To\Custom\powershellScript.ps1
  • Yes, I know of that method, but it causes the window to pop out. See my clarification in the original post.
    – Hex
    Commented Jun 25, 2018 at 18:07
  • Run it as a different user and allow it to run when not logged in. This will prevent it from running under your current user context.
    – HackSlash
    Commented Jun 25, 2018 at 18:43
  • 1
    My script invokes RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True to update wallpaper, which must be executed when user is logged in, it won't work otherwise.
    – Hex
    Commented Jun 26, 2018 at 7:04
  • Let's add "-NoLogo -NonInteractive -WindowStyle Hidden"
    – HackSlash
    Commented Jun 26, 2018 at 15:08
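The task definition this answer recommends, written out as an added example (not the answer's or the asker's own code) so that the constraints from the question are all visible in one place: powershell.exe is the scheduled action itself with no mshta/VBScript layer in front of it, the task runs only while this user is logged on (no stored password), and it runs without elevation. The script path and task name are assumed values, and the trigger relies on Windows 10 / Server 2016 or later, where leaving out -RepetitionDuration means the repetition continues indefinitely.

```powershell
# Added example: register the two-hourly task with powershell.exe as the direct action.
# Script path and task name are assumed values.
$scriptPath = 'X:\Path\To\Custom\powershellScript.ps1'   # assumed
$taskName   = 'Update-Wallpaper'                          # assumed

# Plain -File invocation: no nested quoting, so the command line is readable in
# the task history and in any process-creation log.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoLogo -NoProfile -NonInteractive -WindowStyle Hidden -File `"$scriptPath`""

# First run at the next full hour, then every two hours (indefinitely on Win10+).
$firstRun = (Get-Date).Date.AddHours((Get-Date).Hour + 1)
$trigger  = New-ScheduledTaskTrigger -Once -At $firstRun -RepetitionInterval (New-TimeSpan -Hours 2)

# LogonType Interactive: runs in the user's own session, only while they are logged on,
# so HKCU and the desktop are the right ones and no credentials are saved.
# RunLevel Limited: the task does not ask for "highest privileges".
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive -RunLevel Limited

# Stop a hung run after 5 minutes; catch up if the machine was asleep at trigger time.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 5) -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force

# Show exactly what was registered: this command line is what a reviewer or EDR sees.
(Get-ScheduledTask -TaskName $taskName).Actions | Format-List Execute, Arguments
```

Two design points. The example deliberately leaves out -ExecutionPolicy Bypass and instead relies on the machine's execution policy, so the script can be signed and the policy left in force; the answer's variant with Bypass works the same way otherwise. And, as the thread already notes, -WindowStyle Hidden still lets the console flash for a moment, because the window exists before the switch is honoured: that is a separate problem from the Defender detection, which comes from the mshta/VBScript chain and goes away once powershell.exe is launched directly by the scheduler.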
