From specialize Code: === WinDefCtl v2 - kill status === [*] Extracting kvckiller.sys from embedded CAB... [+] kvckiller.sys deployed to drivers\ (38816 B) [*] Applying IFEO block (MsMpEng + SecurityHealth*)... [*] Installing wsftprm service... [*] Issuing IOCTL kill... [+] MsMpEng.exe (PID 4740) terminated [*] Cleanup: stop + delete service, remove driver file... [*] Done. Defender is blocked. End of SetupComplete Code: === WinDefCtl v2 - restore status === [*] Removing IFEO block... [*] Starting WinDefend... [*] Starting SecurityHealthService... [*] Launching SecurityHealthSystray... [*] Done. Defender is restored. Work great. MAS is now running smoothly. Thank you.
V2 only! It disables and stops it; during the shutdown, there is a deliberate intro that masks the pop-up window with sliders. The stopping is handled by the driver. Defender becomes defenseless.
Version 1.1.2 isn't newer, it's just completely different. Unlike the GitHub release, this version doesn't use any driver or external overlays. It works entirely from within, injecting into the process and invisibly flipping the toggle by moving the mouse deep under the hood. The goal was to debunk Microsoft's marketing claim that disabling this protection outside of their official GUI/UX or Intune portal is impossible.