
WMI Security Center productState clarification

Developer https://www.devze.com 2023-02-04 17:28 Source: Internet

I'm querying the WMI for "SELECT * FROM AntivirusProduct" on SecurityCenter2 (I'm on Windows 7 at the moment).

I'm having a hard time trying to find out what the numbers in productState mean, including for AntiSpyware and Firewall as well. Is there any reference for this out there? I want to make sure I can get the correct product states on any Vista or 7 machine (in case these numbers vary from machine to machine).


There's no official documentation on the productState values. The only info I could find is this article, which makes assumptions about the meaning of the productState value based on a byte-by-byte analysis of the value.


The productState values seem to be a bit set that is not documented except through an NDA with Microsoft. It should be possible to map the values returned with the products installed and their state. You could install a single AV product, record its state, then have its virus definitions go out of date, then check how the value changes. There seems to be a limited set of typical values.

Reference: https://bigfix.me/analysis/details/2998358

Here are the productState values I have found from 34 different AV products across over 10000 endpoints, which could help reverse-engineer the meaning:

Decimal   Hex     Bit set
262144    40000   1000000000000000000
262160    40010   1000000000000010000
266240    41000   1000001000000000000
270336    42000   1000010000000000000
327680    50000   1010000000000000000
327696    50010   1010000000000010000
331776    51000   1010001000000000000
344064    54000   1010100000000000000
393216    60000   1100000000000000000
393232    60010   1100000000000010000
393472    60100   1100000000100000000
393488    60110   1100000000100010000
397312    61000   1100001000000000000
397328    61010   1100001000000010000
397568    61100   1100001000100000000
397584    61110   1100001000100010000
458752    70000   1110000000000000000
458768    70010   1110000000000010000
462848    71000   1110001000000000000
462864    71010   1110001000000010000


For anyone else, I've found that when the value is converted to hex, the third character pretty reliably indicates whether or not any particular antivirus product is enabled (1 = Enabled, 0 = Disabled).

Here's a PowerShell one-liner I wrote to determine if Windows Defender is Enabled or not. You can replace the string to match whichever antivirus product you want.

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | ForEach-Object { if ($_.displayName -eq "Windows Defender") { if ([Convert]::ToString($_.productState, 16).PadLeft(6, "0").Substring(2, 1) -eq "1") { Write-Host "Windows Defender is Enabled" } else { Write-Host "Windows Defender is Disabled" } } }

I can't say for certain that every antivirus product correctly reports its product state, but I imagine all the mainstream ones must. I can confirm this also works with Symantec Endpoint Protection.

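As an added example (not code from either answer), the following Python helper applies the "third hex digit" heuristic from the last answer to the productState values listed in the second answer, so the cases the heuristic does not cover cleanly (third digit "2" or "4" in that list) become visible. The value list is copied from the answer above; the heuristic itself is the answerer's empirical observation, not documented Microsoft semantics.

```python
# Added example: decode AntivirusProduct.productState the way the PowerShell
# one-liner above does ([Convert]::ToString(state, 16).PadLeft(6, "0").Substring(2, 1) -eq "1")
# and run it over the productState values posted in the second answer.

# Decimal productState values quoted from the second answer (as reported by WMI).
OBSERVED_STATES = [
    262144, 262160, 266240, 270336, 327680, 327696, 331776, 344064,
    393216, 393232, 393472, 393488, 397312, 397328, 397568, 397584,
    458752, 458768, 462848, 462864,
]


def decode_product_state(state: int) -> dict:
    """Return hex form, bit pattern and the heuristic 'enabled' verdict for one value."""
    if not 0 <= state <= 0xFFFFFF:
        raise ValueError(f"productState {state} is outside the 6-hex-digit range the heuristic assumes")
    hex6 = format(state, "06x")   # same as PadLeft(6, "0") on the hex string
    third = hex6[2]               # same as Substring(2, 1)
    return {
        "decimal": state,
        "hex": hex6,
        "bits": format(state, "b"),
        "enabled_digit": third,
        "enabled": third == "1",  # the answer's rule: only "1" counts as enabled
    }


def summarize(states) -> dict:
    """Group values by their third hex digit so digits other than 0/1 stand out."""
    groups = {}
    for s in states:
        d = decode_product_state(s)
        groups.setdefault(d["enabled_digit"], []).append(d["hex"])
    return groups


if __name__ == "__main__":
    for s in OBSERVED_STATES:
        d = decode_product_state(s)
        print(f"{d['decimal']:>7} {d['hex']} {d['bits']:>19} -> enabled={d['enabled']}")
    # Two of the posted values (0x42000 and 0x54000) have a third digit of 2 and 4,
    # which the rule as stated reports as not enabled; worth a manual check per product.
    print(summarize(OBSERVED_STATES))
```

To use it against a live machine, export productState from Get-CimInstance and feed the integers to decode_product_state.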
