This: It's much more useful than any other destructive method because sometimes I need to run some tests or experiments with Defender, but most of the time I want it completely paralyzed. Awesome. Thanks for your smart and useful work.
I had some free time, so I updated kvc to version 1.03 It's now fully functional Code: “kvc secengine disable” and Code: 'kvc secengine enable" work with all three processes. Additionally, it works regardless of the HVCI/SecureBoot status and doesn't require a reboot
Hi @wesmar, is there a way to use your tool to disable Windows Defender before OOBE? Maybe through setupcomplete.cmd or some other method. I want to disable Windows Defender during the installation process, from the time the desktop appears until the first restart.
Yes, several ways to do it. I've attached a zip with MsMpEng.reg, SetupComplete.cmd, and WinDefDisable.ps1 for methods 1 and 2. Method 1 — Bake MsMpEng.reg into the install image (offline, before first boot) Mount install.wim, load the SOFTWARE hive offline with reg load, and write the IFEO Debugger entry for MsMpEng.exe directly. Tamper Protection doesn't exist at that point — the hive is just a file on disk. Defender never gets a chance to start from the very first boot. The attached MsMpEng.reg contains exactly the state you want to reach. Method 2 — setupcomplete.cmd Place the attached files in %WINDIR%\Setup\Scripts\. SetupComplete.cmd runs as SYSTEM after OOBE completes, before the first user logon. Two options are included in the script: Option A: if WinDefCtl.exe is present alongside the cmd file, it calls WinDefCtl.exe kill directly (the full flow including kernel-kill via kvckiller.sys). Option B: no binary needed — WinDefDisable.ps1 does the same IFEO hive-swap entirely in PowerShell via P/Invoke (RegSaveKeyEx → RegLoadKey → modify in temp hive → RegRestoreKeyW with REG_FORCE_RESTORE). PowerShell is available at this point — the Win32 subsystem is fully up. Note: WinDefend is already running at this stage, so the hive-snapshot trick is needed to bypass Tamper Protection. Without the kernel driver the IFEO block will take effect on the next start of MsMpEng.exe — either after a restart, or immediately if you add a taskkill /F /IM MsMpEng.exe before the script exits (it'll be re-blocked by IFEO if it tries to restart). Worth testing empirically on your target Windows version. Method 3 — Native SMSS-phase loader (~6 KB, no dependencies) The most surgical option. Register a small native executable (pure ntdll, no Win32 layer) in: Code: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute This runs inside the SMSS session before any service starts — before WinDefend, before Tamper Protection is active. At that point IFEO is writable like any ordinary registry key; no snapshot tricks needed. The loader would: Write Debugger=systray.exe under IFEO\MsMpEng.exe Remove its own entry from BootExecute (it's REG_MULTI_SZ — careful not to clobber autochk autochk *) Delete itself from disk Exit After one boot the loader is completely gone, leaving only the IFEO entry. sfc /scannow has nothing to complain about — IFEO is not a protected file or key. The mechanism itself has been in Windows since NT 3.5, left in for backward compatibility — one team built Tamper Protection as a fortress, another team left the NT 3.5 IFEO debugger path untouched. They never talked to each other. The executable must live in \SystemRoot\System32\ (or use a full NT-namespace path in the BootExecute value), otherwise SMSS silently skips it. If there's interest I can write this loader. Method 4 — During setup, before the final restart There is a window during Windows Setup — after certain Defender processes have started initializing but before the full self-protection is locked in — where you can write directly to Code: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe without the hive-swap trick. The exact timing depends on the setup phase and Windows version and needs to be found empirically. Worth exploring if you're injecting into the setup process itself rather than hooking post-OOBE.
This is really cool; I’m going to start testing it. The guide you provided is very clear and easy to follow. Method 3 — SMSS phase loader. I’m really interested in trying it; thank you for your amazing effort.
To clear up some confusion regarding the scope of these projects, here is a quick breakdown of what each tool does and what the latest update brings: KvcKiller Purpose: A general-purpose tool designed for broad process neutralization. GUI+CLI Scope: It is capable of terminating/neutralizing almost any process, including various AV and EDR solutions. WinDefCtl Purpose: A specialized tool focused exclusively on Windows Defender and Tamper Protection. Mechanism: It demonstrates how to manipulate Defender settings and toggles directly from the console using APIs, or stop it entirely. Unified Workflow: You can now unload the Windows Defender kernel driver (Windefend), disable the tray notification icon (SecurityHealthSystray.exe), and stop the health aggregation service (SecurityHealthService.exe) all in a single, continuous flow. No Redundancy: You don't need to run multiple separate commands or tools anymore—everything is handled seamlessly together. This update was created to merge and simplify Defender manipulation functionality into a single tool. It provides a clean, elegant alternative for users who want to control or disable Defender components temporarily or via API, but do not want to use aggressive, irreversible stripping tools like Windows Defender Remover @IONUTTBARA.
Yes, that’s actually my favorite offensive technique since the late 90s - still very much alive, elegant, and leaves zero traces. When I get some free time, I'll write a native tool in C, maybe ASM with no standard entry point. It’ll execute the task and clean itself up automatically.
You can install anything without any interruptions. We don’t need Defender at this stage because we know that what we’re installing is safe and doesn’t require any checks that would just get in the way.
In newer Windows 11 builds, like from 23H2+ up, when the WinDefend service spins up and undergoes initialization, it activates Tamper Protection and registers its drivers, e.g., WdFilter.sys, WdBoot.sys, as ELAM (Early Launch Anti-Malware). If the service starts up: Registry changes (e.g., DisableAntiSpyware = 1) are ignored, and debloating scripts running post-OOBE, e.g., in SetupComplete.cmd, often hit a brick wall because the system treats Defender as a protected kernel component. If you kill it via IFEO: The service doesn't start at all, doesn't set Tamper Protection flags, and doesn't anchor itself in the kernel. Later scripts, e.g., those from MAS, NTLite, or other custom ones, can completely rip it out of the system—removing services, scheduled tasks, and WMI entries without fighting Windows' self-healing mechanisms. OOBE & Specialize Phases Besides, when you use $OEM$ folders, PowerShell scripts in AutoUnattend.xml, or drop activation/debloat tools onto the drive before the first login: Defender actively scans newly created profiles and files during the OOBE and Specialize phases. Scripts modifying the registry, removing telemetry, or KMS/MAS-type tools are flagged as HackTool or PUA (Potentially Unwanted Application) and silently deleted/quarantined. Blocking the scanning engine before it starts guarantees that your tools will survive the installation process. Smart App Control (SAC) and Telemetry During OOBE, Windows connects to Microsoft servers to initialize the signature database and the Smart App Control feature, which evaluates the reputation of files and scripts in the system in the background. If MsMpEng.exe isn't running, this initial cloud handshake doesn't happen the way Microsoft intended. You get a cleaner registry base and no initial telemetry entries linked to Cloud Protection. Disk I/O and Performance I/O performance will also slightly increase in a specific way. The Specialize phase and early OOBE are when the system configures tens of thousands of small files, creates user profiles, indexes basic directories, and applies updates (if network is available). Real-time protection (even in the background) is a massive hit on disk I/O, especially on slower NVMe/SATA drives or in virtual machines. Disabling Defender at this point cuts down on disk thrashing time and frees up CPU cycles. OOBE itself (loading screens, account creation) will feel noticeably snappier and smoother. WMI and Scheduled Tasks Cleanliness You also get clean WMI and scheduled tasks. When WinDefend starts up, it registers WMI (Windows Management Instrumentation) providers and creates hidden scheduled tasks (e.g., Windows Defender Scheduled Scan, Verification, Cache Maintenance). If the service boots up and you "kill" or remove it later, these entries often remain in the system as "orphans", which clutters the registry and can generate errors in Event Viewer on every system boot. IFEO prevents them from being created. So it makes sense, but already at the media phase—it's just one registry entry; you don't even need a reboot to unlock it because you can delete this entry since the protection is paralyzed.
thank you so much—your tools are incredibly useful. I usually log in to the forum every 2–3 days to check if you've updated anything. Hahaha
Code: PS C:\Projekty\WinDefCtl> .\WinDefCtl-v2.ps1 WinDefCtl v2.0 - Windows Defender Automation & Control Utility Author: Marek Wesolowski (WESMAR) - 2026 Usage: .\WinDefCtl-v2.ps1 <command> [action] Commands: rtp [on|off|status] Real-Time Protection slider (UI automation) tp [on|off|status] Tamper Protection slider (UI automation) kill IFEO block + kernel-kill MsMpEng / SecurityHealthSystray restore Remove IFEO block + start WinDefend / SecurityHealth status Print Defender state summary help Show this help (also: /?, -?, -h, --help) Examples: .\WinDefCtl-v2.ps1 status .\WinDefCtl-v2.ps1 rtp off .\WinDefCtl-v2.ps1 tp on .\WinDefCtl-v2.ps1 kill .\WinDefCtl-v2.ps1 restore Notes: * Requires full Administrator (elevated PowerShell). * UI toggle switch ops back up + restore UAC silently to skip prompts. * "kill" embeds Topaz signed driver (kvckiller.sys, IOCTL 0x22201C). * "kill" removes driver file + service after use (no persistent trace). === generator\build-ps.ps1 - You can customize the template
I have tested this on various versions: 10/11, 21H1/22H2/23H2/24H2/25H2—all of them worked. However, it hasn’t worked perfectly on 26H1 yet. I’m sure the third method you created can fix it.
● JACKPOT in MpSvc.dll Symbol Address Description aMpfcRtpenabled 0x1804B7CB0 "MpfcRtpenabled" — feature code for RTP state aTamperstate 0x1804F0220 TamperState aTamperstatesou 0x1804F0238 TamperStateSource aRealtimeMonito 0x1804D4D80 RealtimeMonitoring aSenseIsEnabled 0x1804CDDF0 Sense (MDE) aAllowrealtimem 0x180528390 AllowRealtimeMonitoring (GPO) CNriRealtimeConsumer 0x180550DE8 Network Real-time Inspection consumer (vftable) What did I find? TamperState / TamperStateSource – Addresses responsible for Tamper Protection. The mechanism that blocks disabling the antivirus (e.g. by malware or an admin without proper privileges). aRealtimeMonito / aAllowrealtimem – Variables controlling Real-Time Protection (RTP), i.e. continuous file scanning. Code: aAllowrealtimem is the GPO override. aSenseIsEnabled – Reference to Microsoft Defender for Endpoint (formerly Defender ATP) — advanced telemetry + EDR. CNriRealtimeConsumer – The Network Real-time Inspection module, a vftable intercepting network packets. After making such valuable discoveries while writing my own semantic scanner for all versions of Windows 10/11, I see that I’m able to disable this in memory, even though Microsoft claims it’s impossible. I wouldn’t touch Windows at all. I’ve figured out the timestamp, so the question isn’t “if,” but “when.”