Windows setup: fix Defender detection and add desktop shortcut option

* use Environment::Exit() to avoid PS process hanging * old-fashioned exceptions * try-catch-finally necessary * disable Windows Defender Task when Defender module not installed * cleanup script checks Defender module existence too * fixed uninstall of Start Menu LNK * use Command Prompt instead of Command Line wording + Desktop shortcut * iterate through PSMODULEPATH when looking for WD module JIRA IDFGH-2036
2025-08-03 12:44:33 +02:00 · 2019-11-22 11:55:42 +01:00
parent 989825908b
commit 880197307a
5 changed files with 389 additions and 304 deletions
--- a/tools/windows/tool_setup/idf_setup.iss.inc
+++ b/tools/windows/tool_setup/idf_setup.iss.inc
@@ -229,14 +229,14 @@ end;

 { ------------------------------ Start menu shortcut ------------------------------ }

-procedure CreateIDFCommandPromptShortcut();
+procedure CreateIDFCommandPromptShortcut(LnkString: String);
 var
  Destination: String;
  Description: String;
  Command: String;
 begin
-  ForceDirectories(ExpandConstant('{group}'));
-  Destination := ExpandConstant('{group}\{#IDFCmdExeShortcutFile}');
+  ForceDirectories(ExpandConstant(LnkString));
+  Destination := ExpandConstant(LnkString + '\{#IDFCmdExeShortcutFile}');  
  Description := '{#IDFCmdExeShortcutDescription}';
  { If cmd.exe command argument starts with a quote, the first and last quote chars in the command
    will be removed by cmd.exe; each argument needs to be surrounded by quotes as well. }
@@ -267,3 +267,42 @@ begin
  Log('Registering IDF Tools executables in Windows Defender: ' + CmdLine);
  DoCmdlineInstall('Finishing ESP-IDF installation', 'Registering IDF Tools executables in Windows Defender', CmdLine);
 end;
+
+
+<event('CurPageChanged')>
+procedure CheckWinDefenderAvailable(CurPageID: Integer);
+var
+  bHasWD: Boolean;
+  szHasWD: String;
+  szWDPath: String;
+  listPSModulePath: TStringList;
+  x: Integer;
+begin
+  if CurPageID = wpSelectTasks then
+  begin
+    listPSModulePath := TStringList.Create;
+    listPSModulePath.Delimiter := ';';
+    listPSModulePath.StrictDelimiter := True;
+    listPSModulePath.DelimitedText := GetEnv('PsModulePath');
+    
+    Log('Checking PSMODULEPATH for Windows Defender module...');
+    
+    for x:=0 to (listPSModulePath.Count-1) do
+    begin
+      szWDPath := listPSModulePath[x] + '\Defender'
+      bHasWD := DirExists(szWDPath);
+      if bHasWD then
+      begin
+        szHasWD := 'YES (' + szWDPath + ')';
+        Break;
+      end
+      else 
+        szHasWD := 'NO';
+    end;
+    
+    Log('CheckWinDefenderAvailable: ' + szHasWD);
+    
+    WizardForm.TasksList.ItemEnabled[1] := bHasWD;
+    WizardForm.TasksList.Checked[1] := bHasWD;
+  end;
+end;
--- a/tools/windows/tool_setup/idf_tool_setup.iss
+++ b/tools/windows/tool_setup/idf_tool_setup.iss
@@ -73,16 +73,18 @@ Type: filesandordirs; Name: "{app}\dist"
 Type: filesandordirs; Name: "{app}\releases"
 Type: filesandordirs; Name: "{app}\tools"
 Type: filesandordirs; Name: "{app}\python_env"
+Type: files; Name: "{autostartmenu}\Programs\ESP-IDF\{#IDFCmdExeShortcutFile}"
+Type: files; Name: "{autodesktop}\{#IDFCmdExeShortcutFile}"

 [Tasks]
-Name: createlnk; Description: "Create Desktop shortcut for ESP-IDF Tools Command Line";
-Name: wdexcl; Description: "Register ESP-IDF Tools executables as Windows Defender exclusions (improves compilation speed, requires elevation)";
+Name: createlnk; Description: "Create Start Menu shortcut for the ESP-IDF Tools Command Prompt";
+Name: createdsk; Description: "Create Desktop shortcut for the ESP-IDF Tools Command Prompt";
+Name: wdexcl; Description: "Register the ESP-IDF Tools executables as Windows Defender exclusions (improves compilation speed, requires elevation)";

 [Run]
 Filename: "{app}\dist\{#PythonInstallerName}"; Parameters: "/passive PrependPath=1 InstallLauncherAllUsers=0 Include_dev=0 Include_tcltk=0 Include_launcher=0 Include_test=0 Include_doc=0"; Description: "Installing Python"; Check: PythonInstallRequired
 Filename: "{app}\dist\{#GitInstallerName}"; Parameters: "/silent /tasks="""" /norestart"; Description: "Installing Git"; Check: GitInstallRequired
-Filename: "{group}\{#IDFCmdExeShortcutFile}"; Flags: postinstall shellexec; Description: "Run ESP-IDF Command Prompt (cmd.exe)"; Check: InstallationSuccessful
-
+Filename: "{autostartmenu}\Programs\ESP-IDF\{#IDFCmdExeShortcutFile}"; Flags: postinstall shellexec; Description: "Run ESP-IDF Command Prompt (cmd.exe)"; Check: InstallationSuccessful

 [UninstallRun]
 Filename: "powershell.exe"; \
--- a/tools/windows/tool_setup/main.iss.inc
+++ b/tools/windows/tool_setup/main.iss.inc
@@ -122,9 +122,14 @@ begin

  if WizardIsTaskSelected('createlnk') then
  begin
-    CreateIDFCommandPromptShortcut();
+    CreateIDFCommandPromptShortcut('{autostartmenu}\Programs\ESP-IDF');
  end;
   
+  if WizardIsTaskSelected('createdsk') then
+  begin
+    CreateIDFCommandPromptShortcut('{autodesktop}');
+  end;
+
  if WizardIsTaskSelected('wdexcl') then
  begin
    RegisterIDFToolsExecutablesInWD();
--- a/tools/windows/tool_setup/tools_WD_clean.ps1
+++ b/tools/windows/tool_setup/tools_WD_clean.ps1
@@ -15,152 +15,165 @@

 Param
 (
-	[String]$RmExclPath,
-	[String]$logFile
+  [String]$RmExclPath,
+  [String]$logFile
 )

-Import-Module Defender
-
 function Check-Command($cmdname)
 {
-    return [bool](Get-Command -Name $cmdname -ErrorAction SilentlyContinue)
+  return [bool](Get-Command -Name $cmdname -ErrorAction SilentlyContinue)
 }

 function Log-Msg($msg, $logF = $null)
 {
-	if( ![string]::IsNullOrEmpty($logF) ) { Write-Output $msg *>> $logF } 
-	else { Write-Output $msg }
-	[Console]::Out.Flush()
+  if( ![string]::IsNullOrEmpty($logF) ) { Write-Output $msg *>> $logF }
+  else { Write-Output $msg }
+  [Console]::Out.Flush()
 }

+$retVal = 1

 Try
-{	
-	#self-elevation support
-	$myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()
-	$myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
-	$adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator
+{ 
+  #check the Defender module availability
+  if (!(Get-Module "Defender")) {
+    Write-Output "Windows Defender module not available, aborting"
+    [Environment]::Exit(0)
+  }

-	if( -not $myWindowsPrincipal.IsInRole($adminRole) ) { 
-	   
-		 $params = ""
-		 foreach($key in $PSBoundParameters.keys) {
-			 $params = -join( $params, "-", $key, " `"", $PSBoundParameters[$key], "`"" )
-		 }
-		
-		#running elevated and logFile not set
-		if( [string]::IsNullOrEmpty($logFile) ) {
-			$tempFileName = Get-Date -UFormat "%Y%m%d%H%M%s"
-			$lf = Join-Path -Path $env:TEMP -ChildPath "WDEspLog$tempFileName.log"
-			#Write-Output "Logfile: $lf"
-		}
-		
-		$newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell"
-		$newProcess.Arguments = "-ExecutionPolicy ByPass -File " + $script:MyInvocation.MyCommand.Definition + " " + $params + " -logFile $lf"
-		$newProcess.Verb = "RunAs"
-		$newProcess.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden
-		
-		$proc = [System.Diagnostics.Process]::Start($newProcess)
-		$proc.WaitForExit()
+  Import-Module Defender

-		if (Test-Path -Path $lf ) {
-			foreach($line in Get-Content $lf) {
-				Log-Msg -msg $line
-			}
-			Remove-Item $lf
-		}
-		
-		#Write-Output "Process finished with code " $proc.ExitCode	
-		exit $proc.ExitCode
-	}
+  #self-elevation support
+  $myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()
+  $myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
+  $adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator

-	Log-Msg -msg "Getting Windows Defender process exclusions..." -logF $logFile
-	
-	$Preferences = Get-MpPreference
+  if( -not $myWindowsPrincipal.IsInRole($adminRole) ) { 

-	#ExclusionProcess	
-	$cnt = $Preferences.ExclusionProcess.Count
-	$cntRemoved = 0
-	$cntRemovedTotal = 0
-	$cntMissed = 0
-	$cntMissedTotal = 0
+    $params = ""
+    foreach($key in $PSBoundParameters.keys) {
+      $params = -join( $params, "-", $key, " `"", $PSBoundParameters[$key], "`"" )
+    }

-	$bRmPath = ![string]::IsNullOrEmpty($RmExclPath)
-	if( $bRmPath ) { Log-Msg -msg "Exclusion path: $RmExclPath" -logF $logFile }
+    #running elevated and logFile not set
+    if( [string]::IsNullOrEmpty($logFile) ) {
+      $tempFileName = Get-Date -UFormat "%Y%m%d%H%M%s"
+      $lf = Join-Path -Path $env:TEMP -ChildPath "WDEspLog$tempFileName.log"
+      #Write-Output "Logfile: $lf"
+    }

-	Log-Msg -msg " Found total $cnt of ExclusionProcess items" -logF $logFile
+    $newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell"
+    $newProcess.Arguments = "-ExecutionPolicy ByPass -File " + $script:MyInvocation.MyCommand.Definition + " " + $params + " -logFile $lf"
+    $newProcess.Verb = "RunAs"
+    $newProcess.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden
+    
+    $proc = [System.Diagnostics.Process]::Start($newProcess)
+    $proc.WaitForExit()

-	foreach( $pref in $Preferences.ExclusionProcess ) {	
+    if (Test-Path -Path $lf ) {
+      foreach($line in Get-Content $lf) {
+        Log-Msg -msg $line
+      }
+      Remove-Item $lf
+    }

-		if( $bRmPath ) { $bGoAhead = $pref.Contains($RmExclPath) }
-		else { $bGoAhead = $true }
-		
-		if( $bGoAhead ) {
-			Log-Msg -msg "  removing $pref" -logF $logFile
-			Try 
-			{ 
-				Remove-MpPreference -ExclusionProcess $pref
-				$cntRemoved++
-			} 
-			Catch 
-			{
-				if( ![string]::IsNullOrEmpty($logFile) ) { Write-Error -Exception $_.Exception *>> $logFile }
-				Write-Error -Exception $_.Exception
-				$cntMissed++
-			}
-		}
-	}
-	
-	if( $cntMissed -eq 0 ) { Log-Msg -msg " $cntRemoved relevant items removed from ExclusionProcess list" -logF $logFile }
-	else { Log-Msg -msg " WARNING: Only $cntRemoved out of $(cntRemoved+cntMissed) relevant items removed from ExclusionProcess list" -logF $logFile }
+    #Write-Output "Process finished with code " $proc.ExitCode  
+    exit $proc.ExitCode
+  }

-	#ExclusionPath
-	$cnt = $Preferences.ExclusionPath.Count
-	$cntRemovedTotal = $cntRemoved
-	$cntRemoved = 0	
-	$cntMissedTotal = $cntMissed
-	$cntMissed = 0
+  Log-Msg -msg "Getting Windows Defender process exclusions..." -logF $logFile

-	Log-Msg -msg " Found total $cnt of ExclusionPath items" -logF $logFile
+  $Preferences = Get-MpPreference

-	foreach( $pref in $Preferences.ExclusionPath ) {
+  #ExclusionProcess
+  $cnt = $Preferences.ExclusionProcess.Count
+  $cntRemoved = 0
+  $cntRemovedTotal = 0
+  $cntMissed = 0
+  $cntMissedTotal = 0

-		if( $bRmPath ) { $bGoAhead = $pref.Contains($RmExclPath) }
-		else { $bGoAhead = $true }
-		
-		if( $bGoAhead ) {
-			Log-Msg -msg "  removing $pref" -logF $logFile
-			Try 
-			{ 
-				Remove-MpPreference -ExclusionPath $pref
-				$cntRemoved++
-			} 
-			Catch 
-			{
-				if( ![string]::IsNullOrEmpty($logFile) ) { Write-Error -Exception $_.Exception *>> $logFile }
-				Write-Error -Exception $_.Exception
-				$cntMissed++
-			}				
-		}
-	}
+  $bRmPath = ![string]::IsNullOrEmpty($RmExclPath)
+  if( $bRmPath ) { Log-Msg -msg "Exclusion path: $RmExclPath" -logF $logFile }

-	if( $cntMissed -eq 0 ) { Log-Msg -msg " $cntRemoved relevant items removed from ExclusionPath list" -logF $logFile }
-	else { Log-Msg -msg " WARNING: Only $cntRemoved out of $(cntRemoved+cntMissed) relevant items removed from ExclusionPath list" -logF $logFile }
+  Log-Msg -msg " Found total $cnt of ExclusionProcess items" -logF $logFile

-	#TOTAL
-	$cntRemovedTotal += $cntRemoved
-	$cntMissedTotal += $cntMissed
-	
-	Log-Msg -msg "============================" -logF $logFile
-	if( $cntMissedTotal -eq 0 ) { Log-Msg -msg "OK: Processed all $cntRemovedTotal items" -logF $logFile }
-	else { Log-Msg -msg "WARNING: Processed only $cntRemovedTotal out of $(cntRemovedTotal+cntMissedTotal) relevat items" -logF $logFile }
+  foreach( $pref in $Preferences.ExclusionProcess ) { 

-	Log-Msg -msg  "`nDone" -logF $logFile
+    if( $bRmPath ) { $bGoAhead = $pref.Contains($RmExclPath) }
+    else { $bGoAhead = $true }
+
+    if( $bGoAhead ) {
+      Log-Msg -msg "  removing $pref" -logF $logFile
+      Try 
+      {
+        Remove-MpPreference -ExclusionProcess $pref
+        $cntRemoved++
+      }
+      Catch 
+      {
+        if( ![string]::IsNullOrEmpty($logFile) ) { Write-Error -Exception $_.Exception *>> $logFile }
+        Write-Error -Exception $_.Exception
+        $cntMissed++
+      }
+    }
+  }
+
+  if( $cntMissed -eq 0 ) { Log-Msg -msg " $cntRemoved relevant items removed from ExclusionProcess list" -logF $logFile }
+  else { Log-Msg -msg " WARNING: Only $cntRemoved out of $(cntRemoved+cntMissed) relevant items removed from ExclusionProcess list" -logF $logFile }
+
+  #ExclusionPath
+  $cnt = $Preferences.ExclusionPath.Count
+  $cntRemovedTotal = $cntRemoved
+  $cntRemoved = 0 
+  $cntMissedTotal = $cntMissed
+  $cntMissed = 0
+
+  Log-Msg -msg " Found total $cnt of ExclusionPath items" -logF $logFile
+
+  foreach( $pref in $Preferences.ExclusionPath ) {
+
+    if( $bRmPath ) { $bGoAhead = $pref.Contains($RmExclPath) }
+    else { $bGoAhead = $true }
+
+    if( $bGoAhead ) {
+      Log-Msg -msg "  removing $pref" -logF $logFile
+      Try 
+      {
+        Remove-MpPreference -ExclusionPath $pref
+        $cntRemoved++
+      } 
+      Catch
+      {
+        if( ![string]::IsNullOrEmpty($logFile) ) { Write-Error -Exception $_.Exception *>> $logFile }
+        Write-Error -Exception $_.Exception
+        $cntMissed++
+      }
+    }
+  }
+
+  if( $cntMissed -eq 0 ) { Log-Msg -msg " $cntRemoved relevant items removed from ExclusionPath list" -logF $logFile }
+  else { Log-Msg -msg " WARNING: Only $cntRemoved out of $(cntRemoved+cntMissed) relevant items removed from ExclusionPath list" -logF $logFile }
+
+  #TOTAL
+  $cntRemovedTotal += $cntRemoved
+  $cntMissedTotal += $cntMissed
+
+  Log-Msg -msg "============================" -logF $logFile
+  if( $cntMissedTotal -eq 0 ) { Log-Msg -msg "OK: Processed all $cntRemovedTotal items" -logF $logFile }
+  else { Log-Msg -msg "WARNING: Processed only $cntRemovedTotal out of $(cntRemovedTotal+cntMissedTotal) relevat items" -logF $logFile }
+
+  Log-Msg -msg  "`nDone" -logF $logFile
+
+  $retVal = 0
 }
 Catch
 {
-	if( ![string]::IsNullOrEmpty($logFile) ) { Write-Error -Exception $_.Exception *>> $logFile }
-	Write-Error -Exception $_.Exception
-	exit -1
+  if( ![string]::IsNullOrEmpty($logFile) ) { Write-Error -Exception $_.Exception *>> $logFile }
+  Write-Error -Exception $_.Exception
+  [Environment]::Exit($retVal)
+}
+Finally
+{
+  [Environment]::Exit($retVal)
 }

--- a/tools/windows/tool_setup/tools_WD_excl.ps1
+++ b/tools/windows/tool_setup/tools_WD_excl.ps1
@@ -4,235 +4,261 @@
 # Espressif Systems, 2019
 #
 ################################################################################
-# 	
-#	PS utility to add/remove PROCESS exceptions to/from MS WD real-time 
-#	scanning. Files (referenced by 'path' or 'path\filemask') are expected
-#	to be Windows process executables, for obvious reasons.
 #
-#	The script requires Administrator privileges to succeed -> self-elevation procedure is involved
+# PS utility to add/remove PROCESS exceptions to/from MS WD real-time 
+# scanning. Files (referenced by 'path' or 'path\filemask') are expected
+# to be Windows process executables, for obvious reasons.
+#
+# The script requires Administrator privileges to succeed -> self-elevation procedure is involved
 #
 # Usage:
 #
-# 	PowerShell -ExecutionPolicy ByPass -File tools_WD_excl.ps1 <ARGUMENTS>
+#   PowerShell -ExecutionPolicy ByPass -File tools_WD_excl.ps1 <ARGUMENTS>
 #
-#	ARGUMENTS:
-#		-AddExclPath <path | path\*.filemask>
-#			add all matching files in the path (recursive) to the WD exception list
-#	
-#		-AddExclFile <filepath>
-#			adds file to the WD exception list exactly as specified by 'filepath'
+# ARGUMENTS:
+#   -AddExclPath <path | path\*.filemask>
+#     add all matching files in the path (recursive) to the WD exception list
 #
-#		-RmExclPath <path | path\*.filemask>
-#			remove all matching files in the path (recursive) from WD exclusions
+#   -AddExclFile <filepath>
+#     adds file to the WD exception list exactly as specified by 'filepath'
 #
-#		-RmExclFile <filepath>
-#			adds file to the WD exception list exactly as specified by 'filepath'
+#   -RmExclPath <path | path\*.filemask>
+#     remove all matching files in the path (recursive) from WD exclusions
 #
-#		-logFile <filepath>
-#			stdout/stderr redirection file. Used internally for elevated process (generated in tempdir, deleted after the script finishing) 
-#			use manually at your own risk
+#   -RmExclFile <filepath>
+#     adds file to the WD exception list exactly as specified by 'filepath'
 #
-#	Returns 0 on success or -1 on failure
+#   -logFile <filepath>
+#     stdout/stderr redirection file. Used internally for elevated process (generated in tempdir, deleted after the script finishing) 
+#     use manually at your own risk
+#
+# Returns 0 on success or -1 on failure
 #
 #
-#	Example:
-#		PowerShell -ExecutionPolicy ByPass -File tools_WD_excl.ps1 -AddExclPath "C:\Program Files\Espressif\ESP-IDF Tools\*.exe"
+# Example:
+#   PowerShell -ExecutionPolicy ByPass -File tools_WD_excl.ps1 -AddExclPath "C:\Program Files\Espressif\ESP-IDF Tools\*.exe"
 #
-#	Notes:
-# 		 - default scenario is set to the following 
-#			-AddExclPath "$Env:ProgramFiles\Espressif\ESP-IDF Tools\*.exe"
-#			(eg when called with no params)
-#		 - only named parameters are supported, any other use-cases redirect to the default
-#		 - multiple paths/files in 1 parameter are not supported by this version
-#		 - minimum requirements: Windows XP SP3, PowerShell 2.0, Windows Defender with relevant PS cmdlets
+# Notes:
+#      - default scenario is set to the following 
+#     -AddExclPath "$Env:ProgramFiles\Espressif\ESP-IDF Tools\*.exe"
+#     (eg when called with no params)
+#    - only named parameters are supported, any other use-cases redirect to the default
+#    - multiple paths/files in 1 parameter are not supported by this version
+#    - minimum requirements: Windows XP SP3, PowerShell 2.0, Windows Defender with relevant PS cmdlets
 #
 ################################################################################


 Param
 (
-	[String]$AddExclPath,
-	[String]$AddExclFile,
-	[String]$RmExclPath,
-	[String]$RmExclFile,
-	[String]$logFile
+  [String]$AddExclPath,
+  [String]$AddExclFile,
+  [String]$RmExclPath,
+  [String]$RmExclFile,
+  [String]$logFile
 )

-Import-Module Defender

 function Check-Command($cmdname)
 {
-    return [bool](Get-Command -Name $cmdname -ErrorAction SilentlyContinue)
+  return [bool](Get-Command -Name $cmdname -ErrorAction SilentlyContinue)
 }

 function Log-Msg($msg, $logF = $null)
 {
-	if( ![string]::IsNullOrEmpty($logF) ) { Write-Output $msg *>> $logF } 
-	else { Write-Output $msg }
-	[Console]::Out.Flush()
+  if( ![string]::IsNullOrEmpty($logF) ) { Write-Output $msg *>> $logF } 
+  else { Write-Output $msg }
+  [Console]::Out.Flush()
 }

+$retVal = 1

 Try
-{	
-	#self-elevation support
-	$myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()
-	$myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
-	$adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator
+{ 
+  $bDebug = $false
+  
+  #parameter sanity check
+  if( $Args.Count -gt 0 ) {
+    if( $Args.Count -eq 1 -And $Args[0] -eq "Debug" ) {
+      $bDebug = $true
+    }
+    else {
+      $Exception = [ArgumentException]::new("Invalid parameters: $Args")
+      throw $Exception
+    }
+  }

-	if( -not $myWindowsPrincipal.IsInRole($adminRole) ) { 
-	   
-		 $params = ""
-		 foreach($key in $PSBoundParameters.keys) {
-			 $params = -join( $params, "-", $key, " `"", $PSBoundParameters[$key], "`"" )
-		 }
-		
-		#running elevated and logFile not set
-		if( [string]::IsNullOrEmpty($logFile) ) {
-			$tempFileName = Get-Date -UFormat "%Y%m%d%H%M%s"
-			$lf = Join-Path -Path $env:TEMP -ChildPath "WDEspLog$tempFileName.log"
-			#Write-Output "Logfile: $lf"
-		}
-		
-		$newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell"
-		$newProcess.Arguments = "-ExecutionPolicy ByPass -File " + $script:MyInvocation.MyCommand.Definition + " " + $params + " -logFile $lf"
-		$newProcess.Verb = "RunAs"
-		$newProcess.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden
-		
-		$proc = [System.Diagnostics.Process]::Start($newProcess)
-		$proc.WaitForExit()
+  #check the Defender module availability
+  $wdModuleDir = Join-Path -Path $env:SystemRoot -ChildPath "System32\WindowsPowerShell\v1.0\Modules\Defender"
+  if( -not (Test-Path -Path $wdModuleDir) ) {
+    Write-Output "Windows Defender module not found, aborting"
+    [Environment]::Exit($retVal)
+  }

-		if (Test-Path -Path $lf ) {
-			foreach($line in Get-Content $lf) {
-				Log-Msg -msg $line
-			}
-			Remove-Item $lf
-		}
-		
-		#Write-Output "Process finished with code " $proc.ExitCode	
-		exit $proc.ExitCode
-	}
-	
-	#parameter sanity check
-	if( $Args.Count -gt 0 ) {
-		$Exception = [ArgumentException]::new("Only named parameters are supported: $Args")
-		throw $Exception
-	}
+  Import-Module Defender

-	#check WinDefender cmdlets are available
-	if (!(Check-Command -cmdname 'Add-MpPreference')) {
-		$Exception = [NotSupportedException ]::new("Windows Defender cmdlets not available")
-		throw $Exception
-	}
+  #self-elevation support
+  $myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()
+  $myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
+  $adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator

-	$pathsToExclude = New-Object 'System.Collections.Generic.List[String]'
-	$filesToExclude = New-Object 'System.Collections.Generic.List[String]'
-	$pathsToInclude = New-Object 'System.Collections.Generic.List[String]'
-	$filesToRemove = New-Object 'System.Collections.Generic.List[String]'
+  if( -not $myWindowsPrincipal.IsInRole($adminRole) ) { 

-	if( $PSBoundParameters.Count -gt 0 ) {
+    $params = ""
+    foreach($key in $PSBoundParameters.keys) {
+      $params = -join( $params, "-", $key, " `"", $PSBoundParameters[$key], "`"" )
+    }
+    
+    $arguments = ""
+    foreach($a in $Args) {
+      $arguments = -join( $arguments, "-", $a )
+    }

-		$bAddPath = ![string]::IsNullOrEmpty($AddExclPath)
-		$bAddFile = ![string]::IsNullOrEmpty($AddExclFile)
-		$bRmPath = ![string]::IsNullOrEmpty($RmExclPath)
-		$bRmFile = ![string]::IsNullOrEmpty($RmExclFile)
-		
-		if( !$bAddPath -And !$bAddFile -And !$bRmPath -And !$bRmFile ) {
-			$Exception = [ArgumentException]::new("Invalid parameter(s): $Args")
-			throw $Exception
-		}
+    #running elevated and logFile not set
+    $bOwnLogFile = [string]::IsNullOrEmpty($logFile)
+    if( $bOwnLogFile ) {
+      $tempFileName = Get-Date -UFormat "%Y%m%d%H%M%s"
+      $lf = Join-Path -Path $env:TEMP -ChildPath "WDEspLog$tempFileName.log"
+      Write-Output "Logfile: $lf"
+    }
+    else { $lf = $logFile }

-		#ADD exclusion paths
-		if( $bAddPath ) {
-			#foreach ($wdPath in $AddExclPath) {
-			#	$pathsToExclude.Add( $wdPath )
-			#}
-			$pathsToExclude.Add( $AddExclPath )
-		}
+    $newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell"
+    $newProcess.Arguments = "-ExecutionPolicy ByPass -File " + $script:MyInvocation.MyCommand.Definition + " " + $params + " -logFile $lf " + $arguments
+    $newProcess.Verb = "RunAs"

-		#ADD exclusion files
-		if( $bAddFile ) {
-			#foreach ($wdFile in $AddExclFile) {
-			#	$filesToExclude.Add( $wdFile )
-			#}
-			$filesToExclude.Add( $AddExclFile )
-		}
+    #show the process window for -Debug
+    if( !$bDebug ) { $newProcess.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden }
+    
+    $proc = [System.Diagnostics.Process]::Start($newProcess)
+    $proc.WaitForExit()

-		#REMOVE exclusion paths
-		if( $bRmPath ) {
-			#foreach ($wdPath in $RmExclPath) {
-			#	$pathsToInclude.Add( $wdPath )
-			#}
-			$pathsToInclude.Add( $RmExclPath )
-		}
-
-		#ADD exclusion file
-		if( $bAddFile ) {
-			#foreach ($wdFile in $RmExclFile) {
-			#	$filesToRemove.Add( $wdFile )
-			#}
-			$filesToRemove.Add( $RmExclFile )
-		}
-	}
-	#default: throw exception
-	else {
-		$Exception = [ArgumentException]::new("Mandatory parameter missing")
-		throw $Exception
-	}
+    if (Test-Path -Path $lf ) {
+      foreach($line in Get-Content $lf) {
+        Log-Msg -msg $line
+      }
+    }
+    
+    if( $bDebug ) { Log-Msg -msg "Process finished with code " + $proc.ExitCode -logF $lf }
+        if( $bOwnLogFile -And !$bDebug) { Remove-Item $lf }
+        
+    [Environment]::Exit($proc.ExitCode)
+  }


-	#to exclude all files opened by a process including the process' binary, a record must be added to both Exclusions/Paths and Exclusions/Processes configurations, see
-	# https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus :
-	# "When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the file exclusion list.
-	#The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or on-demand scans."
+  $pathsToExclude = New-Object 'System.Collections.Generic.List[String]'
+  $filesToExclude = New-Object 'System.Collections.Generic.List[String]'
+  $pathsToInclude = New-Object 'System.Collections.Generic.List[String]'
+  $filesToRemove = New-Object 'System.Collections.Generic.List[String]'

-	Log-Msg -msg "Updating Windows Defender real-time scan exclusions:" -logF $logFile
+  if( $PSBoundParameters.Count -gt 0 ) {

-	$itemCount = 0
+    $bAddPath = ![string]::IsNullOrEmpty($AddExclPath)
+    $bAddFile = ![string]::IsNullOrEmpty($AddExclFile)
+    $bRmPath = ![string]::IsNullOrEmpty($RmExclPath)
+    $bRmFile = ![string]::IsNullOrEmpty($RmExclFile)
+    
+    if( !$bAddPath -And !$bAddFile -And !$bRmPath -And !$bRmFile ) {
+      throw (New-Object -TypeName System.ArgumentException -ArgumentList "Invalid parameter(s)")
+    }

-	#exclusions
-	foreach( $exclPath in $pathsToExclude ) {
-		$exclFiles = Get-ChildItem -Recurse -File -Path $exclPath | % { $_.FullName }
-		foreach ($exfile in $exclFiles) {
-			Log-Msg -msg " adding $exfile" -logF $logFile
-			Add-MpPreference -ExclusionProcess $exfile
-			Add-MpPreference -ExclusionPath $exfile
-			$itemCount++
-		}
-	}
+    #ADD exclusion paths
+    if( $bAddPath ) {
+      #foreach ($wdPath in $AddExclPath) {
+      # $pathsToExclude.Add( $wdPath )
+      #}
+      $pathsToExclude.Add( $AddExclPath )
+    }

-	### ! better run in separate, adding files to exclusion object array from above is very inefficient (forced reallocations)
-	foreach ($exfile1 in $filesToExclude) {
-		Log-Msg -msg " adding $exfile1" -logF $logFile
-		Add-MpPreference -ExclusionProcess $exfile1
-		Add-MpPreference -ExclusionPath $exfile1
-		$itemCount++
-	}
+    #ADD exclusion files
+    if( $bAddFile ) {
+      #foreach ($wdFile in $AddExclFile) {
+      # $filesToExclude.Add( $wdFile )
+      #}
+      $filesToExclude.Add( $AddExclFile )
+    }

-	#inclusions
-	foreach( $inclPath in $pathsToInclude ) {
-		$inclFiles = Get-ChildItem -Recurse -File -Path $inclPath | % { $_.FullName }
-		foreach ($infile in $inclFiles) {
-			Log-Msg -msg " removing $infile" -logF $logFile
-			Remove-MpPreference -ExclusionProcess $infile
-			Remove-MpPreference -ExclusionPath $infile
-			$itemCount++
-		}
-	}
+    #REMOVE exclusion paths
+    if( $bRmPath ) {
+      #foreach ($wdPath in $RmExclPath) {
+      # $pathsToInclude.Add( $wdPath )
+      #}
+      $pathsToInclude.Add( $RmExclPath )
+    }

-	### ! see exclusions
-	foreach ($infile1 in $filesToExclude) {
-		Log-Msg -msg " removing $infile1" -logF $logFile
-		Remove-MpPreference -ExclusionProcess $infile1
-		Remove-MpPreference -ExclusionPath $infile1
-		$itemCount++
-	}
+    #ADD exclusion file
+    if( $bAddFile ) {
+      #foreach ($wdFile in $RmExclFile) {
+      # $filesToRemove.Add( $wdFile )
+      #}
+      $filesToRemove.Add( $RmExclFile )
+    }
+  }
+  #default: throw exception
+  else {
+    throw (New-Object -TypeName System.ArgumentException -ArgumentList "Mandatory parameter(s) missing")
+  }

-	Log-Msg -msg "Done (processed $itemCount items)" -logF $logFile
+
+  #to exclude all files opened by a process including the process' binary, a record must be added to both Exclusions/Paths and Exclusions/Processes configurations, see
+  # https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus :
+  # "When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the file exclusion list.
+  #The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or on-demand scans."
+
+  Log-Msg -msg "Updating Windows Defender real-time scan exclusions:" -logF $logFile
+
+  $itemCount = 0
+
+  #exclusions
+  foreach( $exclPath in $pathsToExclude ) {
+    $exclFiles = Get-ChildItem -Recurse -File -Path $exclPath | % { $_.FullName }
+    foreach ($exfile in $exclFiles) {
+      Log-Msg -msg " adding $exfile" -logF $logFile
+      Add-MpPreference -ExclusionProcess $exfile
+      Add-MpPreference -ExclusionPath $exfile
+      $itemCount++
+    }
+  }
+
+  ### ! better run in separate, adding files to exclusion object array from above is very inefficient (forced reallocations)
+  foreach ($exfile1 in $filesToExclude) {
+    Log-Msg -msg " adding $exfile1" -logF $logFile
+    Add-MpPreference -ExclusionProcess $exfile1
+    Add-MpPreference -ExclusionPath $exfile1
+    $itemCount++
+  }
+
+  #inclusions
+  foreach( $inclPath in $pathsToInclude ) {
+    $inclFiles = Get-ChildItem -Recurse -File -Path $inclPath | % { $_.FullName }
+    foreach ($infile in $inclFiles) {
+      Log-Msg -msg " removing $infile" -logF $logFile
+      Remove-MpPreference -ExclusionProcess $infile
+      Remove-MpPreference -ExclusionPath $infile
+      $itemCount++
+    }
+  }
+
+  ### ! see exclusions
+  foreach ($infile1 in $filesToExclude) {
+    Log-Msg -msg " removing $infile1" -logF $logFile
+    Remove-MpPreference -ExclusionProcess $infile1
+    Remove-MpPreference -ExclusionPath $infile1
+    $itemCount++
+  }
+
+  Log-Msg -msg "Done (processed $itemCount items)" -logF $logFile
+
+  $retVal = 0
+  [Environment]::Exit($retVal)
 }
 Catch
 {
-	if( ![string]::IsNullOrEmpty($logFile) ) { Write-Error -Exception $_.Exception *>> $logFile }
-	Write-Error -Exception $_.Exception
-	exit -1
+  if( ![string]::IsNullOrEmpty($logFile) ) { Write-Error -Exception $_.Exception *>> $logFile }
+  Write-Error -Exception $_.Exception -ErrorAction Stop
+  [Environment]::Exit($retVal)
+}
+Finally
+{
+  [Environment]::Exit($retVal)
 }