ConvertTo-ProcessMitigationPolicy ConvertTo ProcessMitigationPolicy Converts an mitigation policy file formats. Converts an EMET policy file or pinning rule file to a new Windows 10 format. ConvertTo-ProcessMitigationPolicy EMETFilePath File that either contains cert pinning rules or an existing EMET process mitigation configuration file. String String None OutputFilePath Resulting new Windows10 process mitigation/pinning rules format. String String None EMETFilePath File that either contains cert pinning rules or an existing EMET process mitigation configuration file. String String None OutputFilePath Resulting new Windows10 process mitigation/pinning rules format. String String None System.String System.Object Example 1 PS C:\> ConvertTo-ProcessMitigationPolicy -EMETFile policy.xml -Output result.xml Converts EMET file policy.xml to result.xml, may also generate a CI file CI-result.xml if necessary. Get-ProcessMitigation Get ProcessMitigation Gets the current process mitigation settings, either from the registry, from a running process, or saves all to a XML. Gets all process mitigation settings either by process name (either running or from -Registry), or by process ID. Can also save all settings to an XML file. Get-ProcessMitigation FullPolicy Returns every processes' current mitigation settings in the registry SwitchParameter False Get-ProcessMitigation Id Process Id to retrieve current running process mitigation settings from Int32[] Int32[] None Get-ProcessMitigation Name Current process name to get current running (Or from registry) process mitigation settings from one (Can be more than one instance) String String None RunningProcesses Pull the current process mitigation settings from a running instance instead of the registry. SwitchParameter False Get-ProcessMitigation RegistryConfigFilePath File to save the current registry process mitigation configuration to String String None Get-ProcessMitigation System Pulls the current system defaults for process mitigations. SwitchParameter False FullPolicy Returns every processes' current mitigation settings in the registry SwitchParameter SwitchParameter False Id Process Id to retrieve current running process mitigation settings from Int32[] Int32[] None Name Current process name to get current running (Or from registry) process mitigation settings from one (Can be more than one instance) String String None RegistryConfigFilePath File to save the current registry process mitigation configuration to String String None RunningProcesses Pull the current process mitigation settings from a running instance instead of the registry. SwitchParameter SwitchParameter False System Pulls the current system defaults for process mitigations. SwitchParameter SwitchParameter False System.Int32[] System.Object Example 1 PS C:\> Get-ProcessMitigation -Name notepad.exe -RunningProcess Gets the current settings on all running instances of notepad.exe Example 2 PS C:\> Get-ProcessMitigation -Name notepad.exe Gets the current settings in the registry for notepad.exe Example 3 PS C:\> Get-ProcessMitigation -Id 1304 Gets the current settings for the running process with pid 1304 Example 4 PS C:\> Get-ProcessMitigation -RegistryConfigFilePath settings.xml Gets the all process mitigation settings from the registry and saves them to the xml file settings.xml Example 5 PS C:\> Get-ProcessMitigation -FullPolicy Gets all policies for all processes set in the registry. Example 6 PS C:\> Get-ProcessMitigation -System Gets the current system process mitigation defaults stored in the registry. Example 7 PS C:\> Get-Process notepad | Get-ProcessMitigation Gets the current process mitigation settings for all running instances of notepad.exe Set-ProcessMitigation Set ProcessMitigation Commands to enable and disable process mitigations or set them in bulk from an XML file. Used to turn on and off various process mitigation settings. Can also apply (Or Validate) an XML file to apply settings for many processes at once. Set-ProcessMitigation Name Name of the process to apply mitigation settings to. Can be in the format "notepad" or "notepad.exe" String String None Disable Comma separated list of mitigations to disable. Disable list takes priority over enable list. If specified in both, it will be disabled. DEP EmulateAtlThunks SEHOP ForceRelocate RequireInfo BottomUp HighEntropy StrictHandle DisableWin32kSystemCalls AuditSystemCall ExtensionPoint DynamicCode AuditDynamicCode CFG SuppressExports StrictCFG BlockNonMicrosoftSigned AllowStoreSigned AuditMicrosoftSigned AuditStoreSigned EnforceModuleDepencySigning DisableNonSystemFonts FontAuditOnly AuditFont BlockRemoteImages BlockLowLabel PreferSystem32 AuditImageLoad EnableExportAddressFilter AuditEnableExportAddressFilter EnableExportAddressFilterPlus AuditEnableExportAddressFilterPlus EnableImportAddressFilter AuditEnableImportAddressFilter EnableRopStackPivot AuditEnableRopStackPivot EnableRopCallerCheck AuditEnableRopCallerCheck EnableRopSimExec AuditEnableRopSimExec SEHOP AuditSEHOP SEHOPTelemetry TerminateOnHeapError DisallowChildProcessCreation AuditChildProcess UserShadowStack UserShadowStackStrictMode AuditUserShadowStack String[] String[] None EAFModules Modules to be added to the EAF+ mitigation. String[] String[] None Enable Comma separated list of mitigations to enable. Disable list takes priority over enable list. If specified in both, it will be disabled. DEP EmulateAtlThunks SEHOP ForceRelocate RequireInfo BottomUp HighEntropy StrictHandle DisableWin32kSystemCalls AuditSystemCall ExtensionPoint DynamicCode AuditDynamicCode CFG SuppressExports StrictCFG BlockNonMicrosoftSigned AllowStoreSigned AuditMicrosoftSigned AuditStoreSigned EnforceModuleDepencySigning DisableNonSystemFonts FontAuditOnly AuditFont BlockRemoteImages BlockLowLabel PreferSystem32 AuditImageLoad EnableExportAddressFilter EnableExportAddressFilterPlus EnableImportAddressFilter EnableRopStackPivot EnableRopCallerCheck EnableRopSimExec SEHOP AuditSEHOP SEHOPTelemetry TerminateOnHeapError DisallowChildProcessCreation AuditChildProcess UserShadowStack UserShadowStackStrictMode AuditUserShadowStack String[] String[] None Force Overrides a system setting either on or off depending on the level this is set at. Will force "on"/"off" all mitigations provided in the -Enable list on off notset String String None Remove Removes a mitigation entry from the registry. SwitchParameter False Reset Resets a specific mitigation entry to defer. SwitchParameter False Set-ProcessMitigation Disable Comma separated list of mitigations to disable. Disable list takes priority over enable list. If specified in both, it will be disabled. DEP EmulateAtlThunks SEHOP ForceRelocate RequireInfo BottomUp HighEntropy StrictHandle SystemCall AuditSystemCall ExtensionPoint DynamicCode AuditDynamicCode CFG SuppressExports StrictCFG BlockNonMicrosoftSigned AllowStoreSigned AuditMicrosoftSigned AuditStoreSigned EnforceModuleDepencySigning DisableNonSystemFonts FontAuditOnly AuditFont BlockRemoteImages BlockLowLabel PreferSystem32 AuditImageLoad EnableExportAddressFilter EnableExportAddressFilterPlus EnableImportAddressFilter EnableRopStackPivot EnableRopCallerCheck EnableRopSimExec SEHOP AuditSEHOP SEHOPTelemetry TerminateOnHeapError DisallowChildProcessCreation AuditChildProcess UserShadowStack UserShadowStackStrictMode AuditUserShadowStack String[] String[] None EAFModules Modules to be added to the EAF+ mitigation. String[] String[] None Enable Comma separated list of mitigations to enable. Disable list takes priority over enable list. If specified in both, it will be disabled. DEP EmulateAtlThunks SEHOP ForceRelocate RequireInfo BottomUp HighEntropy StrictHandle SystemCall AuditSystemCall ExtensionPoint DynamicCode AuditDynamicCode CFG SuppressExports StrictCFG BlockNonMicrosoftSigned AllowStoreSigned AuditMicrosoftSigned AuditStoreSigned EnforceModuleDepencySigning DisableNonSystemFonts FontAuditOnly AuditFont BlockRemoteImages BlockLowLabel PreferSystem32 AuditImageLoad EnableExportAddressFilter EnableExportAddressFilterPlus EnableImportAddressFilter EnableRopStackPivot EnableRopCallerCheck EnableRopSimExec SEHOP AuditSEHOP SEHOPTelemetry TerminateOnHeapError DisallowChildProcessCreation AuditChildProcess UserShadowStack UserShadowStackStrictMode AuditUserShadowStack String[] String[] None Force Overrides a system setting either on or off depending on the level this is set at. Will force "on"/"off" all mitigations provided in the -Enable list on off notset String String None Remove Removes a mitigation entry from the registry. SwitchParameter False Reset Resets a specific mitigation entry to defer. SwitchParameter False System Used to configure system defaults rather than individual apps. SwitchParameter False Set-ProcessMitigation IsValid Set to check the given XML file for validity. Requires local .xsd SwitchParameter False PolicyFilePath An XML file with mitigation settings for many processes that is applied to the registry String String None Disable Comma separated list of mitigations to disable. Disable list takes priority over enable list. If specified in both, it will be disabled. String[] String[] None EAFModules Modules to be added to the EAF+ mitigation. String[] String[] None Enable Comma separated list of mitigations to enable. Disable list takes priority over enable list. If specified in both, it will be disabled. String[] String[] None Force Overrides a system setting either on or off depending on the level this is set at. Will force "on"/"off" all mitigations provided in the -Enable list String String None IsValid Set to check the given XML file for validity. Requires local .xsd SwitchParameter SwitchParameter False Name Name of the process to apply mitigation settings to. Can be in the format "notepad" or "notepad.exe" String String None PolicyFilePath An XML file with mitigation settings for many processes that is applied to the registry String String None Remove Removes a mitigation entry from the registry. SwitchParameter SwitchParameter False Reset Resets a specific mitigation entry to defer. SwitchParameter SwitchParameter False System Used to configure system defaults rather than individual apps. SwitchParameter SwitchParameter False System.String System.Object Example 1 PS C:\> set-ProcessMitigation -Name Notepad.exe -Enable SEHOP -Disable MandatoryASLR Gets the current process mitigation for "notepad.exe" from the registry and then enables SEHOP, and disables MandatoryASLR. Example 2 PS C:\> set-ProcessMitigation -PolicyFilePath settings.xml Applies all settings inside settings.xml Example 3 PS C:\> set-ProcessMitigation -PolicyFilePath settings.xml -IsValid Checks if the given file is a valid settings.xml, requires local .xsd