Command-line utility to turn on/off Windows Defender and Tamper Protection

Discussion in 'MDL Projects and Applications' started by wesmar, Dec 9, 2025.

  1. BetaTesta

    BetaTesta MDL Senior Member

    Aug 6, 2022
    325
    111
    10
    This:
    It's much more useful than any other destructive method because sometimes I need to run some tests or experiments with Defender, but most of the time I want it completely paralyzed.
    Awesome. Thanks for your smart and useful work.
     
  2. wesmar

    wesmar MDL Member

    Apr 1, 2012
    181
    636
    10
    #22 wesmar, May 3, 2026
    Last edited: May 3, 2026
    (OP)
    I had some free time, so I updated kvc to version 1.03
    It's now fully functional
    Code:
    “kvc secengine disable”
    and
    Code:
    'kvc secengine enable"
    work with all three processes. Additionally, it works regardless of the HVCI/SecureBoot status and doesn't require a reboot
     
  3. BetaTesta

    BetaTesta MDL Senior Member

    Aug 6, 2022
    325
    111
    10
    When can we expect new releases? TIA
     
  4. Low Level Perform

    Low Level Perform MDL Member

    Jul 21, 2024
    154
    124
    10
    Hi @wesmar, is there a way to use your tool to disable Windows Defender before OOBE? Maybe through setupcomplete.cmd or some other method.

    I want to disable Windows Defender during the installation process, from the time the desktop appears until the first restart.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. wesmar

    wesmar MDL Member

    Apr 1, 2012
    181
    636
    10
    Yes, several ways to do it. I've attached a zip with MsMpEng.reg, SetupComplete.cmd, and WinDefDisable.ps1 for methods 1 and 2.

    Method 1 — Bake MsMpEng.reg into the install image (offline, before first boot)
    Mount install.wim, load the SOFTWARE hive offline with reg load, and write the IFEO Debugger entry for MsMpEng.exe directly. Tamper Protection doesn't exist at that point — the hive is just a file on disk. Defender never gets a chance to start from the very first boot. The attached MsMpEng.reg contains exactly the state you want to reach.

    Method 2 — setupcomplete.cmd
    Place the attached files in %WINDIR%\Setup\Scripts\. SetupComplete.cmd runs as SYSTEM after OOBE completes, before the first user logon.
    Two options are included in the script:
    • Option A: if WinDefCtl.exe is present alongside the cmd file, it calls WinDefCtl.exe kill directly (the full flow including kernel-kill via kvckiller.sys).
    • Option B: no binary needed — WinDefDisable.ps1 does the same IFEO hive-swap entirely in PowerShell via P/Invoke (RegSaveKeyEx → RegLoadKey → modify in temp hive → RegRestoreKeyW with REG_FORCE_RESTORE). PowerShell is available at this point — the Win32 subsystem is fully up.
    Note: WinDefend is already running at this stage, so the hive-snapshot trick is needed to bypass Tamper Protection. Without the kernel driver the IFEO block will take effect on the next start of MsMpEng.exe — either after a restart, or immediately if you add a taskkill /F /IM MsMpEng.exe before the script exits (it'll be re-blocked by IFEO if it tries to restart). Worth testing empirically on your target Windows version.


    Method 3 — Native SMSS-phase loader (~6 KB, no dependencies)
    The most surgical option. Register a small native executable (pure ntdll, no Win32 layer) in:
    Code:
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
    This runs inside the SMSS session before any service starts — before WinDefend, before Tamper Protection is active. At that point IFEO is writable like any ordinary registry key; no snapshot tricks needed.
    The loader would:
    1. Write Debugger=systray.exe under IFEO\MsMpEng.exe
    2. Remove its own entry from BootExecute (it's REG_MULTI_SZ — careful not to clobber autochk autochk *)
    3. Delete itself from disk
    4. Exit
    After one boot the loader is completely gone, leaving only the IFEO entry. sfc /scannow has nothing to complain about — IFEO is not a protected file or key. The mechanism itself has been in Windows since NT 3.5, left in for backward compatibility — one team built Tamper Protection as a fortress, another team left the NT 3.5 IFEO debugger path untouched. They never talked to each other.
    The executable must live in \SystemRoot\System32\ (or use a full NT-namespace path in the BootExecute value), otherwise SMSS silently skips it. If there's interest I can write this loader.

    Method 4 — During setup, before the final restart
    There is a window during Windows Setup — after certain Defender processes have started initializing but before the full self-protection is locked in — where you can write directly to
    Code:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
    without the hive-swap trick. The exact timing depends on the setup phase and Windows version and needs to be found empirically. Worth exploring if you're injecting into the setup process itself rather than hooking post-OOBE.
     

    Attached Files:

  6. BetaTesta

    BetaTesta MDL Senior Member

    Aug 6, 2022
    325
    111
    10
    Is there any advantage doing this during the installation process?
    TIA
     
  7. Low Level Perform

    Low Level Perform MDL Member

    Jul 21, 2024
    154
    124
    10
    This is really cool; I’m going to start testing it.

    The guide you provided is very clear and easy to follow.

    Method 3 — SMSS phase loader. I’m really interested in trying it; thank you for your amazing effort.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. wesmar

    wesmar MDL Member

    Apr 1, 2012
    181
    636
    10
    To clear up some confusion regarding the scope of these projects, here is a quick breakdown of what each tool does and what the latest update brings:

    KvcKiller
    Purpose: A general-purpose tool designed for broad process neutralization. GUI+CLI
    Scope: It is capable of terminating/neutralizing almost any process, including various AV and EDR solutions.

    WinDefCtl
    Purpose: A specialized tool focused exclusively on Windows Defender and Tamper Protection.
    Mechanism: It demonstrates how to manipulate Defender settings and toggles directly from the console using APIs, or stop it entirely.
    Unified Workflow: You can now unload the Windows Defender kernel driver (Windefend), disable the tray notification icon (SecurityHealthSystray.exe), and stop the health aggregation service (SecurityHealthService.exe) all in a single, continuous flow.
    No Redundancy: You don't need to run multiple separate commands or tools anymore—everything is handled seamlessly together.

    This update was created to merge and simplify Defender manipulation functionality into a single tool. It provides a clean, elegant alternative for users who want to control or disable Defender components temporarily or via API, but do not want to use aggressive, irreversible stripping tools like Windows Defender Remover @IONUTTBARA.
     
  9. wesmar

    wesmar MDL Member

    Apr 1, 2012
    181
    636
    10
    Yes, that’s actually my favorite offensive technique since the late 90s - still very much alive, elegant, and leaves zero traces. When I get some free time, I'll write a native tool in C, maybe ASM with no standard entry point. It’ll execute the task and clean itself up automatically.
     
  10. BetaTesta

    BetaTesta MDL Senior Member

    Aug 6, 2022
    325
    111
    10
    @wesmar
    Is there any advantage disabling WDefender during the installation process, before OOBE?
    TIA
     
  11. Low Level Perform

    Low Level Perform MDL Member

    Jul 21, 2024
    154
    124
    10
    You can install anything without any interruptions. We don’t need Defender at this stage because we know that what we’re installing is safe and doesn’t require any checks that would just get in the way.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  12. wesmar

    wesmar MDL Member

    Apr 1, 2012
    181
    636
    10
    In newer Windows 11 builds, like from 23H2+ up, when the WinDefend service spins up and undergoes initialization, it activates Tamper Protection and registers its drivers, e.g., WdFilter.sys, WdBoot.sys, as ELAM (Early Launch Anti-Malware).

    • If the service starts up: Registry changes (e.g., DisableAntiSpyware = 1) are ignored, and debloating scripts running post-OOBE, e.g., in SetupComplete.cmd, often hit a brick wall because the system treats Defender as a protected kernel component.

    • If you kill it via IFEO: The service doesn't start at all, doesn't set Tamper Protection flags, and doesn't anchor itself in the kernel. Later scripts, e.g., those from MAS, NTLite, or other custom ones, can completely rip it out of the system—removing services, scheduled tasks, and WMI entries without fighting Windows' self-healing mechanisms.
    OOBE & Specialize Phases
    Besides, when you use $OEM$ folders, PowerShell scripts in AutoUnattend.xml, or drop activation/debloat tools onto the drive before the first login:

    Defender actively scans newly created profiles and files during the OOBE and Specialize phases. Scripts modifying the registry, removing telemetry, or KMS/MAS-type tools are flagged as HackTool or PUA (Potentially Unwanted Application) and silently deleted/quarantined. Blocking the scanning engine before it starts guarantees that your tools will survive the installation process.

    Smart App Control (SAC) and Telemetry
    During OOBE, Windows connects to Microsoft servers to initialize the signature database and the Smart App Control feature, which evaluates the reputation of files and scripts in the system in the background. If MsMpEng.exe isn't running, this initial cloud handshake doesn't happen the way Microsoft intended. You get a cleaner registry base and no initial telemetry entries linked to Cloud Protection.

    Disk I/O and Performance
    I/O performance will also slightly increase in a specific way. The Specialize phase and early OOBE are when the system configures tens of thousands of small files, creates user profiles, indexes basic directories, and applies updates (if network is available).

    Real-time protection (even in the background) is a massive hit on disk I/O, especially on slower NVMe/SATA drives or in virtual machines. Disabling Defender at this point cuts down on disk thrashing time and frees up CPU cycles. OOBE itself (loading screens, account creation) will feel noticeably snappier and smoother.

    WMI and Scheduled Tasks Cleanliness
    You also get clean WMI and scheduled tasks. When WinDefend starts up, it registers WMI (Windows Management Instrumentation) providers and creates hidden scheduled tasks (e.g., Windows Defender Scheduled Scan, Verification, Cache Maintenance).

    If the service boots up and you "kill" or remove it later, these entries often remain in the system as "orphans", which clutters the registry and can generate errors in Event Viewer on every system boot. IFEO prevents them from being created.

    So it makes sense, but already at the media phase—it's just one registry entry; you don't even need a reboot to unlock it because you can delete this entry since the protection is paralyzed.
     
  13. betakernel

    betakernel MDL Novice

    Nov 29, 2017
    38
    11
    0
    Can version 2.0 provide PS scripts? Thank you.
     
  14. wesmar

    wesmar MDL Member

    Apr 1, 2012
    181
    636
    10
    I'll post it soon!
     
  15. betakernel

    betakernel MDL Novice

    Nov 29, 2017
    38
    11
    0
    thank you so much—your tools are incredibly useful. I usually log in to the forum every 2–3 days to check if you've updated anything. Hahaha
     
  16. wesmar

    wesmar MDL Member

    Apr 1, 2012
    181
    636
    10
    #38 wesmar, May 29, 2026
    Last edited: May 29, 2026
    (OP)
    Code:
    PS C:\Projekty\WinDefCtl> .\WinDefCtl-v2.ps1
    
      WinDefCtl v2.0  -  Windows Defender Automation & Control Utility
      Author: Marek Wesolowski (WESMAR) - 2026
    
      Usage:
        .\WinDefCtl-v2.ps1 <command> [action]
    
      Commands:
        rtp [on|off|status]   Real-Time Protection slider (UI automation)
        tp  [on|off|status]   Tamper Protection slider    (UI automation)
        kill                  IFEO block + kernel-kill MsMpEng / SecurityHealthSystray
        restore               Remove IFEO block + start WinDefend / SecurityHealth
        status                Print Defender state summary
        help                  Show this help (also: /?, -?, -h, --help)
    
      Examples:
        .\WinDefCtl-v2.ps1 status
        .\WinDefCtl-v2.ps1 rtp off
        .\WinDefCtl-v2.ps1 tp  on
        .\WinDefCtl-v2.ps1 kill
        .\WinDefCtl-v2.ps1 restore
    
      Notes:
        * Requires full Administrator (elevated PowerShell).
        * UI toggle switch ops back up + restore UAC silently to skip prompts.
        * "kill" embeds Topaz signed driver (kvckiller.sys, IOCTL 0x22201C).
        * "kill" removes driver file + service after use (no persistent trace).
    ===
    generator\build-ps.ps1 - You can customize the template
     

    Attached Files:

  17. Low Level Perform

    Low Level Perform MDL Member

    Jul 21, 2024
    154
    124
    10
    I have tested this on various versions: 10/11, 21H1/22H2/23H2/24H2/25H2—all of them worked.
    However, it hasn’t worked perfectly on 26H1 yet.
    I’m sure the third method you created can fix it.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  18. wesmar

    wesmar MDL Member

    Apr 1, 2012
    181
    636
    10
    ● JACKPOT in MpSvc.dll

    Symbol Address Description
    aMpfcRtpenabled 0x1804B7CB0 "MpfcRtpenabled" — feature code for RTP state
    aTamperstate 0x1804F0220 TamperState
    aTamperstatesou 0x1804F0238 TamperStateSource
    aRealtimeMonito 0x1804D4D80 RealtimeMonitoring
    aSenseIsEnabled 0x1804CDDF0 Sense (MDE)
    aAllowrealtimem 0x180528390 AllowRealtimeMonitoring (GPO)
    CNriRealtimeConsumer 0x180550DE8 Network Real-time Inspection consumer (vftable)
    What did I find?

    • TamperState / TamperStateSource – Addresses responsible for Tamper Protection. The mechanism that blocks disabling the antivirus (e.g. by malware or an admin without proper privileges).
    • aRealtimeMonito / aAllowrealtimem – Variables controlling Real-Time Protection (RTP), i.e. continuous file scanning.
      Code:
      aAllowrealtimem
      is the GPO override.
    • aSenseIsEnabled – Reference to Microsoft Defender for Endpoint (formerly Defender ATP) — advanced telemetry + EDR.
    • CNriRealtimeConsumer – The Network Real-time Inspection module, a vftable intercepting network packets.
    After making such valuable discoveries while writing my own semantic scanner for all versions of Windows 10/11, I see that I’m able to disable this in memory, even though Microsoft claims it’s impossible. I wouldn’t touch Windows at all. I’ve figured out the timestamp, so the question isn’t “if,” but “when.”