Keys — Eset Registry
Introduction

ESET endpoint security products (NOD32 Antivirus, ESET Internet Security, ESET Endpoint Security) are among the most widely deployed Windows-based security solutions. Behind their user-friendly GUI lies a complex configuration stored almost entirely in the Windows Registry. For system administrators, malware analysts, and forensic investigators, understanding ESET’s registry footprint is critical for deployment automation, troubleshooting, security validation, and incident response.
HKLM\SYSTEM\CurrentControlSet\Services\ekrn

Important values:
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\SelfDefense

Enabled = 0 (requires reboot or service restart)

⚠️ Disabling self-defense weakens protection. Do this only in isolated, controlled environments.

While most settings are machine-wide, GUI preferences are stored per user:
| Value | Meaning |
|--------|---------|
| Start | 2 = auto-start, 4 = disabled |
| Type | 0x10 (own process) |
| ErrorControl | 1 = normal error handling |
| ImagePath | Path to ekrn.exe |
| Parameters\HeapSize | Memory allocated to ekrn (advanced) |
| Parameters\MaxThreads | Max concurrent scan threads |

🔐 Malware often tries to modify Start to 4 or delete the service key entirely to disable protection. A monitored ESET installation will restore it via self-defense.

4. Self-Defense & Anti-Tampering Keys

ESET includes a self-defense driver (ehdrv.sys) that protects its registry keys from unauthorized modification, even by administrators.
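The tamper indicators noted above for the ekrn service key (Start set to 4, or the key deleted) can be checked offline against `reg query` output collected from a host. This is an added example, not code from ESET or from the original page; the sample outputs are constructed, `<install-dir>` is a placeholder, and the function names are hypothetical.

```python
import re

EKRN_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekrn"
# `reg query` prints name, type and data separated by four spaces.
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed sample outputs of `reg query` (not captured from a real host).
HEALTHY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekrn
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    "<install-dir>\ekrn.exe"
"""
TAMPERED = HEALTHY.replace("Start    REG_DWORD    0x2", "Start    REG_DWORD    0x4")
MISSING = "ERROR: The system was unable to find the specified registry key or value."

def parse_reg_query(text):
    """Return {value_name: data} for the ekrn key, or None if the key is absent."""
    values, in_key, seen = {}, False, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("HKEY_"):
            # Only read values listed directly under the ekrn key, not subkeys.
            in_key = stripped.lower() == EKRN_KEY.lower()
            seen = seen or in_key
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            name, rtype, data = m.groups()
            values[name] = int(data, 16) if rtype == "REG_DWORD" else data.strip().strip('"')
    return values if seen else None

def assess_ekrn(text):
    """List deviations from the value table above that suggest tampering."""
    values = parse_reg_query(text)
    if values is None:
        return ["service key missing"]
    findings = []
    start = values.get("Start")
    if start == 4:
        findings.append("Start=4 (service disabled)")
    elif start != 2:
        findings.append(f"Start={start} (expected 2, auto-start)")
    if values.get("Type") != 0x10:
        findings.append("Type is not 0x10 (own process)")
    if not str(values.get("ImagePath", "")).lower().endswith("ekrn.exe"):
        findings.append("ImagePath does not point to ekrn.exe")
    return findings
```

An empty list from `assess_ekrn` means the collected values match the table; any entry is worth correlating with the time the output was gathered.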
