Flagged as malware because files are improperly installed to %WinDir% #4136

Closed
3 tasks done
JW0914 opened this issue Jan 26, 2025 · 9 comments
Labels
duplicate This issue or pull request already exists

Comments

JW0914 commented Jan 26, 2025

Before reporting your issue

  • I have confirmed that this issue does not happen when ExplorerPatcher is not installed
  • I do not have "register as shell extension" enabled
  • I have tried my best to check existing issues

Repro ExplorerPatcher versions

Relating to documentation here

Repro Windows Versions

Relating to documentation here

3rd party tweak software installed

Relating to documentation here

Describe the bug

Per this, several things are installed into %WinDir%, which is off limits to all installers, except driver installers. This is likely why ExplorerPatcher is flagged as malware, because it's acting like malware by doing this.

There are several reasons why %WinDir% is off limits to developers' installers, one of which is any modification done to %WinDir% is seen as corruption to %WinDir% (excl. Registry hives, drivers, the etc directory) and will be undone upon running SFC (which is recommended to be regularly run). I cover this in more depth here.

Expected outcome

Software needs to be corrected to install in sane locations within any of the following:

  • %LocalAppData%
  • %AppData%
  • %ProgramData%
  • %ProgramFiles%
  • %ProgramFiles(x86)%

Actual outcome

Doing this should stop the program being flagged as malware once corrected and submitted for review to have it no longer flagged as malware.

Additional info

No response

Crash Dumps

No response

Media

No response


Caution

Microsoft and other major antivirus vendors have flagged ExplorerPatcher as "malware". This is likely due to Microsoft's hatred against ExplorerPatcher, not because it contains a virus or such. Flags from Microsoft usually spread to other antivirus vendors.

Please include the following files and folders in your antivirus' exclusion list to prevent issues due to antivirus detections:

C:\Program Files\ExplorerPatcher
%APPDATA%\ExplorerPatcher
C:\Windows\dxgi.dll
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy

For Defender, you can run the following script in PowerShell as an administrator:

Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"

Failure to exclude ExplorerPatcher's files may result in inability to install/uninstall ExplorerPatcher and explorer.exe being unable to start.

If you do not trust this process, please refrain from using ExplorerPatcher and look for alternatives instead.

Microsoft, if you are reading this, please reconsider the detections as there are a lot of users who trust this program and that risks from future EP developers are a thing.

This issue was closed automatically. You want to discuss this in #3670.

github-actions bot added the duplicate label Jan 26, 2025
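
A way to audit the paths named in this thread, as an added example that is not ExplorerPatcher code and not from any participant: the hypothetical helper `Get-InstallPathClass` reports whether a path lies under %WinDir%, under one of the five application locations listed in the issue, or elsewhere. It is run over the exclusion list posted above together with whatever exclusions Defender already has configured, and it assumes Windows is installed on C:.

```powershell
# Added example; Get-InstallPathClass is a hypothetical helper, not an ExplorerPatcher API.
function Get-InstallPathClass {
    param([Parameter(Mandatory)][string]$Path)

    # Expand %VAR% references and normalise so that prefix tests are reliable.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    try   { $full = [IO.Path]::GetFullPath($expanded).TrimEnd('\') }
    catch { return 'Unparsed' }

    # The five application locations listed in the issue (x86 is absent on 32-bit Windows).
    $allowed = 'LocalAppData', 'AppData', 'ProgramData', 'ProgramFiles', 'ProgramFiles(x86)' |
        ForEach-Object { [Environment]::GetEnvironmentVariable($_) } |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') }
    $winDir = $env:WinDir.TrimEnd('\')

    # Match whole path components: "C:\WindowsApps" must not count as "C:\Windows".
    $isUnder = {
        param($root)
        $full -ieq $root -or
            $full.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)
    }

    if (& $isUnder $winDir) { return 'WinDir' }
    foreach ($root in $allowed) {
        if (& $isUnder $root) { return 'AppLocation' }
    }
    return 'Other'
}

# Paths copied from the exclusion list posted in this thread (assumes Windows on C:).
$threadPaths = @(
    'C:\Program Files\ExplorerPatcher'
    '%APPDATA%\ExplorerPatcher'
    'C:\Windows\dxgi.dll'
    'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy'
    'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy'
)

# Defender only returns its configured exclusions to an elevated session.
$configured = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })

$threadPaths + $configured | Select-Object -Unique | ForEach-Object {
    [pscustomobject]@{ Class = Get-InstallPathClass $_; Path = $_ }
} | Sort-Object Class, Path | Format-Table -AutoSize
```

Rows classed as `WinDir` are the exclusions that sit inside the system directory and are the ones to review first.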

JW0914 commented Jan 26, 2025

This isn't a duplicate, it's addressing where the actual issue is with the program and the way to solve the issue of the program being incorrectly compiled.

@pyrates999

You say not to install anything to %WinDir%. But then where should the file dxgi.dll be installed to so that explorer.exe loads it? You can move that file to the locations where you say it should be installed to, to check if explorer.exe actually loads it.


JW0914 commented Jan 26, 2025

> You say not to install anything to %WinDir%. But then where should the file dxgi.dll be installed to so that explorer.exe loads it? You can move that file to the locations where you say it should be installed to, to check if explorer.exe actually loads it.

I'm not a software programmer, that's something for the developer to figure out, however nothing should ever be installed to %WinDir% except for drivers, and Microsoft covers this at length for developers within Microsoft Learn.

This program has been improperly coded/compiled and it's why this issue likely exists; it's acting like malware by installing to a known off limits OS system directory [%WinDir%], which also creates trust issues for potential users when it's closed source.

@pyrates999

All builds of EP are done by GitHub build servers against the source code in the repo. The only binaries are the reimplemented Windows 10 taskbar and Windows 10 start menu files. There are no third-party build servers.


JW0914 commented Jan 26, 2025

Regarding closed source, I was going off this comment on issue 3670.

The installer/code has to be modified to install files in the only five locations software is allowed to be installed to in Windows - there really is content on Microsoft Learn in the developer/OEM section that explicitly states this.

  • There are ways to implement UI modifications to the Windows Shell [explorer.exe], as Stardock does so in minor ways with Start11 and major ways with WindowBlinds, but software cannot be installed to %WinDir%.

EP is a great idea, it's simply installing files to a directory it has to stay out of.

@pyrates999

Understood, and that comment refers to the EP implemented Windows 10 taskbar.

Thank you for your suggestion.

If you can, please add this under discussion and specifically say where it should be installed to like you did with this one, as this one triggered the automatic bot reply.


JW0914 commented Jan 26, 2025

Will do - what option do I choose to get it tagged as Discussion when creating a new issue? It gives me options for bug report, questions, feature requests, showcase, and wiki - I'm assuming questions?

@pyrates999

Feature request, I believe.
