Cmdt doesn't work when trying to delete Windows Defender log files. Result is access denied, from the GUI as well as from the command prompt.
Code:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service>cmdt_x64.exe -cli del *.log
TrustedInstaller won't help at all here because the restriction is enforced directly in the kernel. I'm actually thinking about building a tool to bypass this. The way to do it is via a BYOVD approach, leveraging a signed driver like IObitUnlocker.sys to execute low-level deletion. The key is to construct a raw IRP packet and send it directly to the underlying file system device object (Ntfs.sys / ReFS.sys), completely bypassing the Filter Manager (FltMgr.sys). By routing the I/O request below the anti-malware altitude, you effectively blindside WdFilter.sys and its pre-operation callbacks. Otherwise, you're not getting past it on a live system.
P.S. I've actually written my own custom driver called kvcstrm which has god-mode privileges and covers all possible primitives. It's unsigned, but since I can map/load it anyway, I'll either use that or just leverage a signed vulnerable one.
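As an added diagnostic (not code from the thread, from Cmdt or from ForceIO), the PowerShell below shows where the denial in the first post is actually coming from before anyone reaches for a driver: it lists the Allow ACEs that grant Delete on the path, does a non-destructive open for DELETE access, and lists the loaded minifilters whose altitude falls in the anti-virus range (320000-329999, Microsoft's allocated range for that class). Run it elevated. The path is the one from the first post; the function names are the example's own.

```powershell
# Added diagnostic (not code from the thread, Cmdt or ForceIO). Run from an
# elevated PowerShell. Nothing is deleted: the probe only opens the object
# for DELETE access and closes it again.
# $Target is the path from the first post; adjust as needed.
$Target = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'

Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFileW(string name, uint access, uint share,
    IntPtr sa, uint disposition, uint flags, IntPtr template);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Get-MinifilterAltitudes {
    # Parse "fltmc filters" (admin only): name, instance count, altitude, frame.
    foreach ($line in (& fltmc.exe filters 2>$null)) {
        if ($line -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = [double]$Matches[3]
                Frame     = [int]$Matches[4]
            }
        }
    }
}

function Get-DeleteAces([string]$Path) {
    # Allow ACEs whose rights include Delete (0x10000; FullControl includes it).
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band 0x10000) -ne 0) } |
        Select-Object IdentityReference, FileSystemRights
}

function Test-DeleteOpen([string]$Path) {
    # Open for DELETE access only (0x10000), share everything (7), OPEN_EXISTING (3),
    # FILE_FLAG_BACKUP_SEMANTICS (0x02000000) so directories can be opened too.
    # Returns 0 on success, otherwise the Win32 error (5 = ERROR_ACCESS_DENIED).
    $h = [Probe.Native]::CreateFileW($Path, 0x10000, 7, [IntPtr]::Zero, 3, 0x02000000, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h.ToInt64() -ne -1) { [void][Probe.Native]::CloseHandle($h); return 0 }
    return $err
}

function Show-DeleteDenialContext([string]$Path) {
    $aces = @(Get-DeleteAces $Path)
    $open = Test-DeleteOpen $Path
    # 320000-329999 is Microsoft's allocated altitude range for anti-virus minifilters.
    $av = @(Get-MinifilterAltitudes | Where-Object { $_.Altitude -ge 320000 -and $_.Altitude -le 329999 })

    "Allow ACEs granting Delete on ${Path}:"
    $aces | ForEach-Object { "  $($_.IdentityReference)  $($_.FileSystemRights)" }
    "Open for DELETE access: Win32 error $open" + $(if ($open -eq 5) { ' (ERROR_ACCESS_DENIED)' } else { '' })
    "Minifilters in the anti-malware altitude range:"
    $av | ForEach-Object { "  $($_.Name) @ $($_.Altitude)" }

    if ($open -eq 5 -and $aces.Count -gt 0 -and $av.Count -gt 0) {
        "The DACL grants Delete yet the open is refused: the denial comes from a filter pre-op callback, not the DACL, so taking ownership or running as TrustedInstaller will not change the result."
    } elseif ($open -eq 0) {
        "The open succeeded; a filter may still refuse the actual delete at the set-disposition stage."
    }
}

Show-DeleteDenialContext $Target
```

A successful DELETE-access open is deliberately not reported as "deletable": a minifilter can let the create through and still fail the later IRP_MJ_SET_INFORMATION (FileDispositionInformation) request, which is why the probe only ever opens and closes the handle.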
Code:
@echo off
REM Already SYSTEM, or inside WinPE (MiniNT key present)? Skip the elevation step.
if /i "%UserName%" == "SYSTEM" (Goto GotAdmin) else (reg query "HKLM\SYSTEM\ControlSet001\Control\MiniNT" 1>nul 2>nul&&Goto GotAdmin)
:BatchGotAdmin
REM Preserve the original arguments, doubling embedded quotes, for the re-launch.
Set _Args=&Set Args=%*
if `%1` neq `` Set "_Args=%Args:"=""%"
REM fltMC needs admin rights. If it fails, re-launch this script elevated via ShellExecute runas and exit.
if exist %WinDir%\System32\fltMC.exe fltMC 1>nul 2>nul||(echo CreateObject^("Shell.Application"^).ShellExecute "cmd.exe","/c """"%~f0"" %_Args%""",,"runas",1 >"%TEMP%\getAdmin.vbs"&(CScript 1>nul 2>nul&&CScript //nologo "%TEMP%\getAdmin.vbs" 1>nul 2>nul||"%TEMP%\getAdmin.vbs" 2>nul)&del /f /q "%TEMP%\getAdmin.vbs" 2>nul&Exit /b)
:GotAdmin
Pushd "%CD%"&cd /d "%~dp0"
REM Register a one-shot task that runs as SYSTEM at the next boot, removes the scan history
REM and engine database, then deletes itself. The cd path is left unquoted on purpose:
REM cmd's cd accepts unquoted paths with spaces, whereas single quotes would be taken literally.
schtasks -create -f -sc onStart -ru "NT AUTHORITY\SYSTEM" -tn DWDH -tr "cmd /c cd /d C:\ProgramData\Microsoft\Windows Defender\Scans & rd /s /q History\Service & del /f mpenginedb.db* & schtasks /delete /f /tn DWDH" >nul 2>nul
Exit
Early ForceIO build
I'm posting an early ForceIO build. It is a tiny standalone client for the signed IObit Unlocker driver and can remove Defender-protected quarantine/log files where TrustedInstaller elevation is not enough. The real code is small; most of the EXE is checksum padding. IObitUnlocker.sys verifies the caller EXE against hardcoded checksums from the original IObitUnlocker.exe, so I pad my binary to match them instead of patching the signed driver. The driver remains untouched and normally signed. Tomorrow I'll publish a full write-up on my site and I'll continue testing all IOCTL combinations. The goal is to polish ForceIO into a clean, fast replacement for the bloated original GUI, reproducing every useful operation with much less overhead. Treat it as an early test build for now. Use it only on files you really intend to remove.