ESET Registry Keys

```
HKLM\SYSTEM\CurrentControlSet\Services\ekrn
```

Important values:

| Value | Meaning |
|--------|---------|
| Start | 2 = auto-start, 4 = disabled |
| Type | 0x10 (own process) |
| ErrorControl | 1 = normal error handling |
| ImagePath | Path to ekrn.exe |
| Parameters\HeapSize | Memory allocated to ekrn (advanced) |
| Parameters\MaxThreads | Max concurrent scan threads |

🔐 Malware often tries to modify Start to 4 or delete the service key entirely to disable protection. A monitored ESET installation will restore it via self-defense.

4. Self-Defense & Anti-Tampering Keys

ESET includes a self-defense driver (ehdrv.sys) that protects its registry keys from unauthorized modification, even by administrators.

```
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\SelfDefense
Enabled = 0 (requires reboot or service restart)
```

⚠️ Disabling self-defense weakens protection. Do this only in isolated, controlled environments.

While most settings are machine-wide, GUI preferences are stored per user:

| Registry Path | Alert if modified by non-ESET process |
|---------------|----------------------------------------|
| HKLM\SOFTWARE\ESET\*\Settings\RealtimeFS\Enabled | Potential disable attempt |
| HKLM\SOFTWARE\ESET\*\Settings\Exclusions\* | Ransomware adding its path |
| HKLM\SYSTEM\CurrentControlSet\Services\ekrn\Start | Service disable attempt |
| *\SelfDefense\Enabled | Tampering with protection |
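One way to apply the watch list in the table above to registry-write telemetry, as an added example that is not ESET's code or part of the original page. It assumes Sysmon-style events with `Image` and `TargetObject` fields; the install directory `C:\EXAMPLE-ESET-INSTALL-DIR` and the trusted-binary allowlist are placeholders, and the sample events are constructed.

```python
import fnmatch
import ntpath

# Watch list taken from the table above: (registry pattern, alert reason).
WATCHED = [
    (r"HKLM\SOFTWARE\ESET\*\Settings\RealtimeFS\Enabled", "Potential disable attempt"),
    (r"HKLM\SOFTWARE\ESET\*\Settings\Exclusions\*", "Ransomware adding its path"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\ekrn\Start", "Service disable attempt"),
    (r"*\SelfDefense\Enabled", "Tampering with protection"),
]
TRUSTED_DIR = r"C:\EXAMPLE-ESET-INSTALL-DIR"  # assumption: placeholder install directory
TRUSTED_NAMES = {"ekrn.exe", "egui.exe"}      # assumption: the binaries the page names

def normalize_key(path):
    """Lower-case the key and fold HKEY_LOCAL_MACHINE into HKLM."""
    hive, sep, rest = path.strip().partition("\\")
    hive = "HKLM" if hive.upper() == "HKEY_LOCAL_MACHINE" else hive
    return (hive + sep + rest).lower()

def is_trusted(image):
    """Trust is decided on directory plus file name, never on the name alone."""
    folder, name = ntpath.split(ntpath.normpath(image).lower())
    return folder == TRUSTED_DIR.lower() and name in TRUSTED_NAMES

def evaluate(events):
    """Return (reason, image, key) for each watched write by an untrusted process."""
    alerts = []
    for ev in events:
        if is_trusted(ev["Image"]):
            continue
        key = normalize_key(ev["TargetObject"])
        for pattern, reason in WATCHED:
            if fnmatch.fnmatchcase(key, pattern.lower()):
                alerts.append((reason, ev["Image"], ev["TargetObject"]))
                break
    return alerts

# Constructed sample events (field names follow Sysmon registry events).
SAMPLE_EVENTS = [
    {"Image": TRUSTED_DIR + r"\ekrn.exe", "TargetObject": r"HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Settings\RealtimeFS\Enabled"},
    {"Image": r"C:\Users\Public\svc.exe", "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\ekrn\Start"},
    {"Image": r"C:\Users\Public\ekrn.exe", "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\SelfDefense\Enabled"},
    {"Image": r"C:\Windows\System32\reg.exe", "TargetObject": r"HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Settings\Exclusions\Path2"},
    {"Image": r"C:\Windows\System32\reg.exe", "TargetObject": r"HKLM\SOFTWARE\Example\Unrelated\Enabled"},
]

if __name__ == "__main__":
    for reason, image, key in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {image} -> {key}")
```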

```
HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Settings\Exclusions\
Path0 = "C:\Program Files\MyApp\*"
Path1 = "D:\Backup\*.tmp"
...
Count = 2
```

⚠️ Editing exclusions directly via regedit is possible but ESET’s GUI or egui.exe /export-settings is preferred to avoid CRC mismatches.

| Key | Value | Purpose |
|------|--------|---------|
| HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Settings\Updates | UpdateServerURL | Custom mirror / internal update server |
| | UpdateMode | 0 = automatic, 1 = pre-release, 2 = delayed |
| | LastUpdateCheck | Timestamp (FILETIME format) |
| | LastSuccessfulUpdate | Timestamp |

2.5 Web & Email Protection

```
HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Settings\WebAccess\
Enabled = 1
HttpPortsScan = 80,8080,3128
SslFiltering = 1

HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Settings\Email
Pop3Scan = 1
SmtpScan = 1
ImapScan = 1
```

3. Service Control & Driver Parameters

ekrn Service (ESET Kernel Service)

The core scanning engine runs as ekrn.exe. Its service configuration is under: