The best option I found until now is using WinNTSetup by the brilliant "JFX". In the "Tweaks" options screen you can select "Disable Defender"; this will change the registry of the applied install.wim before the setup phase is started. It works with 26100, to my surprise and delight. I'm trying to replicate what it does to the Registry hives in my own apply scripts, but I'm not quite there yet, so @retest, thanks for your links, I hope they will help me find the last remaining changes needed. When I use my own scripts, Defender is disabled after Setup, but the system is hopelessly slow and unresponsive, so there must be some service running somewhere, or at least something in the system is not happy that most of the Defender exe files are hard-blocked with "Image Execution Options" set to "Debugger=NULL".
Thanks. Nice to have options (WinAeroTweaker, WinNTSetup), but of course, it would be nice to share some tips/knowledge here as well. As we all know, some of these tools sometimes are not developed further when the developer finds something better to do. Here are the reg files I'm testing at the moment for the (offline) SOFTWARE and SYSTEM hives; I haven't tested the latest additions, so if anyone has suggestions, let me know.

Spoiler: SOFTWARE
Code:
Windows Registry Editor Version 5.00

; Offline SOFTWARE hive loaded as HKLM\temp

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdge.exe]
"Debugger"="NUL"

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe]
"Debugger"="NUL"

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="NUL"

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe]
"Debugger"="NUL"

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Off"

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"=-

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableAntiVirus"=dword:00000001

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows Defender\Real-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"DpaDisabled"=dword:00000001

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows\System]
"EnableSmartScreen"=dword:00000000

[HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableAntiVirus"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"DisableSpecialRunningModes"=dword:00000001
"ServiceKeepAlive"=dword:00000001

[HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender\Signature Updates]
"ForceUpdateFromMU"=dword:00000001

[HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender\SmartScreen]
"ConfigureAppInstallControlEnabled"=dword:00000001
"ConfigureAppInstallControl"=dword:00000001

[HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender\Spynet]
"DisableBlockAtFirstSeen"=dword:00000001

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows\CurrentVersion\ReserveManager]
"ShippedWithReserves"=dword:00000000

Spoiler: SYSTEM
Code:
Windows Registry Editor Version 5.00

; Offline SYSTEM hive loaded as HKLM\temp (offline hives have ControlSet001, not CurrentControlSet)

[HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\SecurityHealthService]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WdFilter]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WdNisDrv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WdNisSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WinDefend]
"Start"=dword:00000004
Well, isn't that something... One of the last additions I did to the reg files in the previous posts seems to have done the trick... And I even have some weekend left to spare. But seriously, it looks like it works with the reg files I mentioned (for now...). @retest, thank you so very very much for your tips; together with JFX's directions and code examples it seems we have tamed this (ugly) beast for now. So at least now I can run my .ahk scripts and hotkeys without that lovely 5 second delay.
This is what I used after applying install.wim to drive M:, before even the first boot. EDIT: W11 Ent LTSC 2024. I think it needs to be run as TI. For this:

Code:
echo reg.exe add "HKLM\_SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0 /f

You need to set the drive in the script.

Spoiler: BAT FILE TO OFFLINE DISABLE DEFENDER
Code:
@echo off
rem Target drive where install.wim has been applied (offline Windows).
SET "TARGET=M:"
cls
echo This batch will windows_defender_disable (set drive) to the drive %TARGET%.
echo Press ENTER to continue.
echo.
pause
echo Loading registry Hive SOFTWARE to _SOFTWARE
echo.
reg.exe load HKLM\_SOFTWARE %TARGET%\Windows\system32\config\SOFTWARE
echo.
echo hive loaded, not modified. if you want to check ...
pause
echo Modifying registry settings.
echo.
rem Each command is echoed first, then executed.
echo reg.exe add "HKLM\_SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0 /f
reg.exe add "HKLM\_SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0 /f
echo reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
echo reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d 1 /f
reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d 1 /f
echo reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
echo reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
echo reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
echo reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
echo reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f
echo reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f
reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f
echo reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d 1 /f
reg.exe add "HKLM\_SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d 1 /f
echo.
echo hive modified. if you want to check or make any changes ...
pause
echo.
echo Unloading registry Hive.
echo.
reg.exe unload HKLM\_SOFTWARE
echo.
rem --------------------------------------------
echo Loading registry Hive SYSTEM to _SYSTEM
echo.
reg.exe load HKLM\_SYSTEM %TARGET%\Windows\system32\config\SYSTEM
echo.
echo hive loaded, not modified. if you want to check ...
echo check if CurrentControlSet or ControlSet001 ...
pause
rem CurrentControlSet is a link that Windows creates at boot; an offline hive
rem normally only contains ControlSet001. Set CS to the control set that exists
rem in the loaded hive, otherwise reg.exe silently creates an empty key.
SET "CS=CurrentControlSet"
echo Modifying registry settings.
echo.
echo reg.exe add "HKLM\_SYSTEM\%CS%\Services\Sense" /v "Start" /t REG_DWORD /d 4 /f
reg.exe add "HKLM\_SYSTEM\%CS%\Services\Sense" /v "Start" /t REG_DWORD /d 4 /f
echo reg.exe add "HKLM\_SYSTEM\%CS%\Services\WdBoot" /v "Start" /t REG_DWORD /d 4 /f
reg.exe add "HKLM\_SYSTEM\%CS%\Services\WdBoot" /v "Start" /t REG_DWORD /d 4 /f
echo reg.exe add "HKLM\_SYSTEM\%CS%\Services\WdFilter" /v "Start" /t REG_DWORD /d 4 /f
reg.exe add "HKLM\_SYSTEM\%CS%\Services\WdFilter" /v "Start" /t REG_DWORD /d 4 /f
echo reg.exe add "HKLM\_SYSTEM\%CS%\Services\WdNisDrv" /v "Start" /t REG_DWORD /d 4 /f
reg.exe add "HKLM\_SYSTEM\%CS%\Services\WdNisDrv" /v "Start" /t REG_DWORD /d 4 /f
echo reg.exe add "HKLM\_SYSTEM\%CS%\Services\WdNisSvc" /v "Start" /t REG_DWORD /d 4 /f
reg.exe add "HKLM\_SYSTEM\%CS%\Services\WdNisSvc" /v "Start" /t REG_DWORD /d 4 /f
echo reg.exe add "HKLM\_SYSTEM\%CS%\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
reg.exe add "HKLM\_SYSTEM\%CS%\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
echo.
echo hive modified. if you want to check or make any changes ...
pause
echo.
echo Unloading registry Hive.
echo.
reg.exe unload HKLM\_SYSTEM
echo.
pause

EDIT: It might work on an installed Windows too. But you will have to change CurrentControlSet to ControlSet001. Some of the more knowledgeable members can comment.
I thought it was a very knowledgeable thing for you to share the NTLite discussion link. It made my day...
WinAeroTweaker has a link for each setting that explains how to achieve the same result using "the long way".
It looks like MS has added yet another Microsoft Defender Core Service to remediate changes. With 1-click solutions, maybe. But you can just boot to safe mode (msconfig - Minimal), disable 5 services and boot back (msconfig - Normal); it takes like 1 min. You do not even have to disable realtime or tamper protection.

Code:
reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
This is great information. No more relying on 1-click solutions for me anymore. Thank you for sharing this. Quick, easy and super reliable.
You can disable/stop all of these services (now with MdCoreSvc added too): WinDefend|Sense|WdBoot|WdFilter|WdNisSvc|WdNisDrv|wscsvc|SgrmBroker|MdCoreSvc in safe mode, if PS is available. Full command:

Code:
gwmi Win32_BaseService | where Name -Match 'WinDefend|Sense|WdBoot|WdFilter|WdNisSvc|WdNisDrv|wscsvc|SgrmBroker|MdCoreSvc' | foreach { $_.StopService() }

or wmic command:

Code:
wmic path Win32_Service where(Name Like '%%%%WinDefend%%%%' OR Name Like '%%%%Sense%%%%' OR Name Like '%%%%WdBoot%%%%' OR Name Like '%%%%WdFilter%%%%' OR Name Like '%%%%WdNisSvc%%%%' OR Name Like '%%%%WdNisDrv%%%%' OR Name Like '%%%%wscsvc%%%%' OR Name Like '%%%%SgrmBroker%%%%' OR Name Like '%%%%MdCoreSvc%%%%') call stopService

To disable:

Code:
for %$ in (WinDefend Sense WdBoot WdFilter WdNisSvc WdNisDrv wscsvc SgrmBroker MdCoreSvc) do reg add "HKLM\System\CurrentControlSet\Services\%$" /v "Start" /t REG_DWORD /d "4" /f
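The reg files, the BAT script and the service lists in the posts above all touch the same handful of registry locations, which makes them easy to audit. The following is an added example, not code from any poster in this thread: a read-only PowerShell check that reports which of those settings are present on a system (or in a loaded offline image), so an administrator can tell whether Defender has been switched off by policy, by service start type, by the Tamper Protection flag, or by an IFEO "Debugger" entry. The service names, policy values and executable names are the ones listed in this thread; the parameter names and the default roots are my own assumptions. Nothing is written.

```powershell
# Added example (not from the thread): read-only audit of the Defender registry
# locations discussed above. Reports services with Start=4 (Disabled), policy
# values set to 1, TamperProtection=0 and IFEO Debugger entries on Defender
# binaries. To audit an offline image, load its hives first and pass e.g.
# -SoftwareRoot 'HKLM:\_SOFTWARE' -SystemRoot 'HKLM:\_SYSTEM\ControlSet001'
# (offline hives have ControlSet001; CurrentControlSet only exists at runtime).
param(
    [string]$SoftwareRoot = 'HKLM:\SOFTWARE',                  # assumed default: live system
    [string]$SystemRoot   = 'HKLM:\SYSTEM\CurrentControlSet'   # assumed default: live system
)

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist, instead of throwing.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Service start types. 4 = Disabled. Names collected from the posts above;
#    not every build has every service (e.g. MDCoreSvc), so missing keys are skipped.
$services = 'WinDefend','Sense','WdBoot','WdFilter','WdNisSvc','WdNisDrv',
            'wscsvc','SgrmBroker','MDCoreSvc','SecurityHealthService'
foreach ($svc in $services) {
    $key = Join-Path $SystemRoot "Services\$svc"
    if (-not (Test-Path $key)) { continue }
    if ((Get-RegValue $key 'Start') -eq 4) {
        $findings.Add("service $svc has Start=4 (Disabled)")
    }
}

# 2. Policy and product values that switch Defender components off (1 = disabled).
$policyChecks = @{
    'Policies\Microsoft\Windows Defender' =
        'DisableAntiSpyware','DisableAntiVirus','DisableRealtimeMonitoring'
    'Policies\Microsoft\Windows Defender\Real-Time Protection' =
        'DisableRealtimeMonitoring','DisableBehaviorMonitoring','DisableOnAccessProtection'
    'Microsoft\Windows Defender' =
        'DisableAntiSpyware','DisableAntiVirus'
}
foreach ($rel in $policyChecks.Keys) {
    $key = Join-Path $SoftwareRoot $rel
    foreach ($name in $policyChecks[$rel]) {
        if ((Get-RegValue $key $name) -eq 1) { $findings.Add("$rel\$name = 1") }
    }
}

# 3. Tamper Protection flag under the product key (0 = off).
$tp = Get-RegValue (Join-Path $SoftwareRoot 'Microsoft\Windows Defender\Features') 'TamperProtection'
if ($tp -eq 0) { $findings.Add('Microsoft\Windows Defender\Features\TamperProtection = 0') }

# 4. IFEO Debugger entries: any value here prevents the binary from starting normally.
$ifeo = Join-Path $SoftwareRoot 'Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'MsMpEng.exe','MpCmdRun.exe','smartscreen.exe') {
    $dbg = Get-RegValue (Join-Path $ifeo $exe) 'Debugger'
    if ($dbg) { $findings.Add("IFEO Debugger set on $exe -> '$dbg'") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Defender-disabling settings found.'
} else {
    Write-Output "Found $($findings.Count) Defender-disabling setting(s):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell on a live system, or after `reg.exe load` of an image's SOFTWARE and SYSTEM hives with the two root parameters pointed at the loaded names. A clean system should report nothing; a system prepared with the reg files above will list every service, policy and IFEO entry they set, which is a quick way to confirm which of the changes actually landed in the hive.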
Thanks for this tip. I applied Windows to a VHD using WinNTSetup and selected the disable defender tweak; Defender seems permanently disabled and there is no Windows Security icon in the taskbar either. When applying a WIM with WinNTSetup it uses several cores so it's super fast; I didn't even know that it's possible to use several cores with dism.
I don't see HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MDCoreSvc on my machine: Windows 11 x64 Education 23H2 fully updated.
In VirtualBox, build 26212 now allows disabling Defender using the Group Policy Editor (gpedit.msc). The program still runs in the background (~115 MB RAM), does not delete "viruses" such as KMS_VL_ALL_AIO automatically, and can detect threats by directly scanning a folder or scheduling a system scan (manually). Acceptable.