ramensoftware / windhawk

The customization marketplace for Windows programs: https://windhawk.net/
GNU General Public License v3.0

Installing WindHawk causes the SentinelOne antivirus to report shell commands as suspicious. #222

Open glorifyday opened 1 month ago

glorifyday commented 1 month ago

I have a Windows 11 Pro PC with the SentinelOne (S1) antivirus installed.

S1 allows WindHawk (WH) to be installed and run and does not report it as a threat. However, as soon as WH is installed, S1 starts being oversensitive when shell commands are run in the console (e.g. cmd, powershell) in administrative mode.

Namely, it reports certain commands as suspicious and it even sometimes quarantines system components.

Here is the list of commands that I found out to be treated as suspicious (I doubt it is complete, though):

- fsutil dirty set C:
- chkdsk /F C:
- sfc /scannow
- DISM /Online /Cleanup-Image /CheckHealth
- DISM /Online /Cleanup-Image /ScanHealth
- DISM /Online /Cleanup-Image /RestoreHealth
- ipconfig /flushdns
- gpupdate /force

I don't know why this happens or how this can be resolved. I cannot use WH, and this is bad news for me, because I loved the tweaks.

I described the problem in more detail on ServerFault: https://serverfault.com/questions/1162325/can-sentinelone-act-in-a-different-way-on-a-windows-10-than-on-windows-11/1162752#1162752

m417z commented 1 month ago

There's not much Windhawk can do here. Windhawk is known not to play along with some antiviruses, as Windhawk injects code into all running processes, which is not something an average program does, and is a technique that's often misused.

You can try excluding some processes in Windhawk, such as cmd.exe, powershell.exe, and the processes you listed, or maybe all C:\Windows\System32\*.

Also, depending on the mods that you're using, you can exclude all processes but the ones you want to customize. You can configure it in the advanced settings. You can set * (all processes) in the exclusion list, and e.g. explorer.exe in the inclusion list. Note that this will cause mods to be injected with a slight delay, which may break some mods, therefore I'd suggest only using this option as a last resort.

glorifyday commented 1 month ago

Hi, thanks for your answer.

I wanted ONLY:

I achieved this with two or three plugins and was quite happy with the results, but then I found that I had problems with executing shell commands and with installing certain software, for instance OpenVPN. Sentinel was blocking certain actions. At the beginning I didn't think this was related to WindHawk at all... Sentinel never reported any problem related to WindHawk itself.

What you suggest about excluding all processes and including only the ones I need seems promising, although I'm not sure if I want to risk bricking my system again, should anything go wrong. I'll think.

Maybe the default WindHawk setting should be to exclude everything and the plugins should publish their inclusion lists in their documentation?

I was also thinking that the problem could be reported to Sentinel for analysis. Maybe they could do something about it?

m417z commented 1 month ago

The reason for injecting code into all processes is to be able to intercept the creation of new processes, and load mods before a new target process starts running.

> Maybe the default WindHawk setting should be to exclude everything and the plugins should publish their inclusion lists in their documentation?

I addressed this in a recent release blog post. I agree that it's not ideal, but it's tricky to find a balance between compatibility and functionality that works for everybody.