Find Folder Exclusions

Peeking Behind the Curtain: Finding Defender’s ExclusionsSecurity Friends' Research Blog

"C:\Program Files\Windows Defender\MpCmdRun.exe -Scan -ScanType 3 -File "C:\pathe\to\folder\*""

& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\path\to\folder\|*"

Tool designed to find folder exclusions

GitHub - Friends-Security/SharpExclusionFinder: Tool designed to find folder exclusions using Windows Defender using command line utility MpCmdRun.exe as a low privileged user, without relying on event logsGitHub

In powershell

$logName = "Microsoft-Windows-Windows Defender/Operational"
$eventID = 5007

$events = Get-WinEvent -LogName $logName | Where-Object { $_.Id -eq $eventID }

$exclusionEvents = $events | Where-Object { $_.Message -match "Exclusions" }

$pattern = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\[^\s]+"

$exclusionEvents | ForEach-Object {
    if ($_.Message -match $pattern) {
        $matches[0]
    }
}

Ref: https://x.com/miltinh0c/status/1844374550873768434?t=LtuDBOsnwRGKQ1oLH__0Dw&s=03