When I open up task manager, I see windows processes(services) at the bottom. As a programmer, I want to create a windows process/service for security research(windows defender) but I have some questions,
when an executable is run as a windows service and as an administrator, does windows defender still scan it for threads?
Windows Defender, like nearly all antivirus/anti-malware software, runs with extremely privileged access and by default scans everything it can. That definitely includes Windows services, even those running as [LOCAL]SYSTEM (it would actually be somewhat weird to run a service as Administrator; Administrator is a user account, while SYSTEM is a service account. They have equivalent permissions, though.)
Defender also scans files that aren't being executed. That is, it would scan the binary when you either created (compiled) it, or when you moved it onto the system (by downloading, or copying from external storage, or whatever). It might be possible to safely pass the file scan but get caught by the executable scan, depending on the signatures it looks for in each case. It is even slightly possible that the reverse might be true, though that would be weird (and kind of pointless; if you can't pass the file scan you won't have the chance to execute).
As detailed here on this Microsoft KB page:
[...]By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account.
Emphasis mine.
Windows Defender's antimalware service runs under this SYSTEM user, essentially giving the service access to everything, including all other processes, whether they are running with administrative privileges or not.
If you still need to make sure what Windows Defender is scanning in real-time, I posted an answer to a Super User question here that tells you how to use Process Hacker to see what files are being read by the service.
Process Hacker can be used to view the files that are being scanned as well. Once installed, run the program as an Administrator, or click
Show details for all processesin the Hacker dropdown menu.From there, go to the Disk tab. All files that are being read or written to will be displayed; any file in that list that says it is being read by MsMpEng.exe (Defender's main executable) is being scanned. It's easier to see what is being scanned if you paste
MsMpEng.exeinto the search bar at the top right of the window and then click the File column to sort alphabetically, as this filters the list so that only the files being scanned by Defender appear.
Open the Run dialog box by pressing ‘Windows’ key and ‘R’ key Type ‘services.msc’ in the Open dialog box Press the Enter key or click on the OK button Check for ‘Security Center’ in the list of services Right-click on Security Center Click on Restart
