[DISCUSSION] Toggle Windows Defender

freddie-o · Feb 23, 2019

Thomas Dubreuil said: ↑
of course, I'm glad if it can help others.
for the related script, you could maybe remove because ends up being redundant options.
But if you like to keep I would anyway add script path in the beginning (and simplify it a bit):
Code:
@echo off

cd /d "%~dp0"
sc query WinDefend | find "STATE" | find "RUNNING" && goto :stop

:start
NSudoG.exe -U:T -ShowWindowMode:Hide sc start WinDefend & exit /b

:stop
NSudoG.exe -U:T -ShowWindowMode:Hide sc stop WinDefend & exit /b
Click to expand...
Super! I'll modify the BAT script in the OP.

freddie-o · Mar 13, 2020

Updated

freddie-o · Mar 14, 2020

More edits to the script/s to prevent Windows Defender from automatically turning back on (even after restarts). Added also a pop up message because on some versions of Windows, the system tray icon does not display as disabled.

NST_Adventure · Mar 20, 2020

freddie-o said: ↑

Make Windows Defender detect and block Potentially Unwanted Applications (PUA) and Potentially Unwanted Software (PUS) in real-time.
Click to expand...

Hi did this reg also work in Windows 7?
freddie-o said: ↑
Registry key
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"PUAProtection"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"MpEnablePus"=dword:00000001
Click to expand...
Thank you! ^_^

Best Regards
NST_Adventure

freddie-o · Mar 20, 2020

The REG key is for "Windows Defender". For "Microsoft Security Essentials" I found this site
https://www.winhelponline.com/blog/microsoft-security-essentials-adware-pua-protection/

AveYo · Apr 26, 2020

Alternatively you could use the following script without any need of external tools:

BAU said: ↑

Anyway, forgot to publish the last version of DefenderToggle script from last month incorporating some user requests:

Code:

@(echo off% <#%) &color 07 &title Windows Defender Toggle, AveYo 2020-04-27
set "0=%~f0" &set 1=%*& powershell -nop -c iex ([io.file]::ReadAllText($env:0)) &exit/b ||#>)[1]

$PS ={ $Main ={
 $status='Windows Defender is ENABLED!'
 $wdp='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
 if (gp $wdp DisableAntiSpyware -ea 0) {$status='Windows Defender is DISABLED!'}

# Choice 6 = yes, 7 = no, 2 = cancel
 if ($env:1 -ne 6 -and $env:1 -ne 7) {
   Add-Type -As PresentationFramework;$choice=[System.Windows.MessageBox]::Show('Disable Windows Defender?',$status,3,32);
   if ($choice -eq 2) {exit} else {$c=[int]$choice; $env:1=$c}
 }

# Comment to not relaunch systray icon
 try{start SecurityHealthSystray}catch{}

# 'UAC is not a security boundary' - OK, Microsoft. But why do you refuse to adress the lamest AlwaysNotify-compatible bypass?
 $ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')
 $bypass=$baffling.GetTask('SilentCleanup'); $flaw=$bypass.Definition

# Cascade elevation
 $r=[char]13; $i=[char]39+$(date)+$r+' (\   /)'+$r+'( * . * )   UAC is useless below Always-Notify'+$r+'    ```'+$r+[char]39
 $script='-nop -win hidden -c & {mode 50,1;rp hkcu:\environment windir -ea 0;$i='+$i+';$env:1='+$env:1+';$PS={'+$PS+'};& $PS}'
 $u=0;$w=whoami /groups;if($w-like'*1-5-32-544*'){$u=1};if($w-like'*1-16-12288*'){$u=2};if($w-like'*1-16-16384*'){$u=3}
# limited-user: must runas
 if ($u -eq 0) {
   start powershell -args $script -verb runas -win 1; exit
 }
# admin-user non-elevated: try bypass before runas
 if($u -eq 1){
   if ($flaw.Actions.Item(1).Path -inotlike '*windir*'){start powershell -args $script -verb runas -win 1; exit}
   sp hkcu:\environment windir $('powershell '+$script+' #')
   $z=$bypass.RunEx($null,2,0,$null); $wait=0; while($bypass.State -gt 3 -and $wait -lt 7){sleep -m 100; $wait+=0.1}
   if(gp hkcu:\environment windir -ea 0){rp hkcu:\environment windir -ea 0; start powershell -args $script -verb runas -win 1}
   exit
 }
# admin-user elevated: get system via schtasks (ti on 1903+)
 if($u -eq 2){
   $sys='NT AUTHORITY\SYSTEM'; if ([Environment]::OSVersion.Version.Build -gt 17763) {$sys='NT SERVICE\TrustedInstaller'}
   $act=New-ScheduledTaskAction -Execute powershell -Argument $script
   $z=Register-ScheduledTask -TaskName '~ti' -Action $act -User $sys -Force|out-null
   $f=$ts.GetFolder('\'); $t=$f.GetTask('~ti'); $t.Stop(0); $z=$t.RunEx($null,2,0,$null); $f.DeleteTask('~ti',0); exit
 }

# Toggle
 $wdc=$env:ProgramFiles+'\Windows Defender'
 $wdp='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
 if($env:1 -eq 7) { <# (gp $wdp DisableAntiSpyware -ea 0) #>
   rp $($wdp+'\UX Configuration') Notification_Suppress -Force -ea 0
   rp $($wdp+'\UX Configuration') UILockdown -Force -ea 0
   rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen -Force -ea 0
   rp $wdp DisableAntiSpyware -Force -ea 0
   kill -Force -Name MpCmdRun -ea 0
   start $($wdc+'\MpCmdRun.exe') -Arg '-WDEnable' -Wait
   start $($wdc+'\MpCmdRun.exe') -Arg '-EnableService'
 }else{
   ni $($wdp+'\UX Configuration') -Force -ea 0|out-null
   sp $($wdp+'\UX Configuration') Notification_Suppress 1 -Type Dword -Force -ea 0
   sp $($wdp+'\UX Configuration') UILockdown 1 -Type Dword -Force -ea 0
   sp $wdp DisableAntiSpyware 1 -Type Dword -Force -ea 0
   sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen 0 -Type Dword -Force -ea 0
   kill -Force -Name MpCmdRun -ea 0
   start $($wdc+'\MpCmdRun.exe') -Arg '-WDEnable' -Wait
   start $($wdc+'\MpCmdRun.exe') -Arg '-DisableService'
   del $($env:ProgramData+'\Microsoft\Windows Defender\Scans\History\Service') -Recurse -Force -ea 0
   del $($env:ProgramData+'\Microsoft\Windows Defender\Scans\mpenginedb.db') -Force -ea 0

   <# PERSONAL CONFIGURATION - UNCOMMENT #rp ENTRIES TO REVERT #>
   sp $wdp DisableLocalAdminMerge 1 -Type Dword -Force -ea 0;                    # Scriptable Admin Exclusions OFF
   rp $wdp DisableLocalAdminMerge -Force -ea 0;                                  # Scriptable Admin Exclusions ON [default]
   sp $wdp DisableRoutinelyTakingAction 1 -Type Dword -Force -ea 0;              # Auto Actions OFF
  #rp $wdp DisableRoutinelyTakingAction -Force -ea 0;                            # Auto Actions ON [default]
   sp $wdp PUAProtection 1 -Type Dword -Force -ea 0;                             # Potential Unwanted Applications ON
  #rp $wdp PUAProtection -Force -ea 0;                                           # Potential Unwanted Applications OFF [default]
   ni $($wdp+'\MpEngine') -Force -ea 0|out-null;
   sp $($wdp+'\MpEngine') MpCloudBlockLevel 2 -Type Dword -Force -ea 0;          # Cloud blocking level HIGH
  #rp $($wdp+'\MpEngine') MpCloudBlockLevel -Force -ea 0;                        # Cloud blocking level LOW [default]
   ni $($wdp+'\Spynet') -Force -ea 0|out-null
   sp $($wdp+'\Spynet') SpyNetReporting 2 -Type Dword -Force -ea 0;              # Cloud protection ADVANCED
  #rp $($wdp+'\Spynet') SpyNetReporting -Force -ea 0;                            # Cloud protection BASIC [default]
   sp $($wdp+'\Spynet') SubmitSamplesConsent 0 -Type Dword -Force -ea 0;         # Sample Submission ALWAYS-PROMPT
  #rp $($wdp+'\Spynet') SubmitSamplesConsent -Force -ea 0;                       # Sample Submission AUTOMATIC [default]
 }
# Previous script versions closed uac-bypass flaw - but since Microsoft still does not consider it as such, now restoring it
 if ($flaw.Actions.Item(1).Path -inotlike '*windir*'){
   $flaw.Actions.Item(1).Path=[char]37+'windir'+[char]37+'\system32\cleanmgr.exe'
   $bypass.Stop(0); $baffling.RegisterTaskDefinition($bypass.Name,$flaw,20,$null,$null,$null)
 }
# Uncomment to close alwaysnotify-compatible uac bypass flaw and reset uac as in previous script versions
 #if ($flaw.Actions.Item(1).Path -ilike '*windir*') {
   #$flaw.Actions.Item(1).Path=$env:systemroot+'\system32\cleanmgr.exe';         # %windir%\system32\cleanmgr.exe [default]
   #$baffling.RegisterTaskDefinition($bypass.Name,$flaw,20,$null,$null,$null);   # UAC silent bypass mitigation
   #$uac='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
   #sp $uac EnableLUA 1 -Type Dword -Force -ea 0;                                # UAC enable
   #sp $uac ConsentPromptBehaviorAdmin 2 -Type Dword -Force -ea 0;               # UAC always notify - easily bypassed otherwise
   #sp $uac PromptOnSecureDesktop 1 -Type Dword -Force -ea 0;                    # UAC secure - prevent automation
 #}
}
& $Main }; & $PS
#-_-# hybrid script, can be pasted directly into powershell console

- toggle dialog (Yes to disable, No to enable, Cancel to..cancel)
- restored uac-bypass flaw since Microsoft still does not consider it as such (can uncomment the last section in the script to restore old behavior of mitigating it and forcing UAC on)
- script can be directly copy-pasted in powershell window

Click to expand...

freddie-o · Apr 26, 2020

My script is only to temporarily disable Defender. Mostly for false positives or if Defender slows down my work. The problem with your script is it changes quite a few settings and doesn't revert back to the default settings. An example is Spynet... after cancelling, my cloud protection and automatic sample submission were greyed out

It left this in the Registry.

AveYo · Apr 26, 2020

Both are permanent until script is run again, not temporary. Temporary is switching just Realtime protection off, with windows re-enabling it by itself at the worst of times.
Both adjust the global registry policy, but yours is manipulating Defender service directly while mine is using the dedicated MpCmdRun utility to refresh policy state.
Mine originated as a toggle as well, but found to be more useful presenting a dialog to select on or off.
There are other differences like having the ability to bypass UAC prompt for admin accounts or being not only stand-alone but also being able to copy-paste directly into powershell console (file-less).
And indeed by default it comes with a tweaked configuration that goes hand-in-hand with a power-user-centered Defender toggle:
extended protection and responsive signature updates, increased user privacy (no automatic submission to microsoft), more control (no automatic actions) minus the annoyance part (clears previous gui detection lists after toggle).
By all means it is not set in stone and can be edited in the script to your liking.
Anyway it's just an alternative, both work fine for the purpose of toggling Defender!

freddie-o · Apr 26, 2020

Right they are permanent until the script is ran again. I like that my script is simple and does a clean job.

freddie-o · Apr 26, 2020

Updated Harden Windows Defender

freddie-o · May 1, 2020

Code:

@echo off
:: Elevate itself to TrustedInstaller AllPrivileges once
whoami /user|findstr "S-1-5-18">nul || call :runasTI 1 cmd /c call "%~f0" %* && exit

:: Anything below should now only run under System/TrustedInstaller
sc query "WinDefend" | find "RUNNING" >nul && goto :stop

:start
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f >nul
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f >nul
sc config WinDefend start= auto >nul
sc start WinDefend >nul
powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is enabled!')&exit

:stop
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f >nul
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f >nul
sc config WinDefend start= disabled >nul
sc stop WinDefend >nul
powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is disabled!')&exit

:runasTI [0-3] [cmd] AveYo`s Lean and Mean runas TrustedInstaller / System snippet v20191010                 pastebin.com/AtejMKLj
set ">>=('-nop -c ',[char]34,'$mode=%1; $cmd=''%*''; iex(([io.file]::ReadAllText(''%~f0'')-split '':ps_TI\:.*'')[1])',[char]34)"
whoami/user|findstr "S-1-5-18">nul||powershell -nop -c "start powershell -win 1 -verb runas -Arg %>>:"=\\\"% " && exit/b  :ps_TI:[
$P="public";$U='CharSet=CharSet.Unicode';$DA="[DllImport(`"advapi32`",$U)]static extern bool"; $DK=$DA.Replace("advapi","kernel");
$T="[StructLayout(LayoutKind.Sequential,$U)]$P struct"; $S="string"; $I="IntPtr"; $Z="IntPtr.Zero"; $CH='CloseHandle'; $TI=@"
using System;using System.Diagnostics;using System.Runtime.InteropServices; $P class AveYo{   $T SA {$P uint l;$P $I d;$P bool i;}
$T SI {$P int cb;$S b;$S c;$S d;int e;int f;int g;int h;$P int X;$P int Y;int k;$P int W;Int16 m;Int16 n;$I o;$I p;$I r;$I s;}
$T SIEX {$P SI e;$P $I l;} $($T.Replace(",",",Pack=1,")) TL {$P UInt32 c; $P long l;$P int a;} $DA SetThreadToken($I h,$I t);
$DA CreateProcessWithTokenW($I t,uint l,$S a,$S c,uint f,$I e,$S d,ref SIEX s); $DA OpenProcessToken($I p,uint a,ref $I t);
$DA DuplicateToken($I h,int l,out $I d); $DA AdjustTokenPrivileges($I h,bool d,ref TL n,int l,int p,int r); $DK CloseHandle($I h);
$DA DuplicateTokenEx($I t,uint a,ref SA s,Int32 i,Int32 f,ref $I d);  $P static void RunAs(int mode,$S cmd){ SIEX si=new SIEX();
SA sa=new SA(); $I t,d; t=d=$Z; try{ $I p=Process.GetProcessesByName("lsass")[0].Handle; OpenProcessToken(p,6,ref t); if(mode<2){
Process[] ar=Process.GetProcessesByName("TrustedInstaller");if(ar.Length>0){ DuplicateToken(t,3,out d); SetThreadToken($Z,d);
$CH(p);$CH(t);$CH(d); p=ar[0].Handle; OpenProcessToken(p,6,ref t);}} DuplicateTokenEx(t,268435456,ref sa,3,1,ref d); if(mode%2>0){
TL tk=new TL(); tk.c=1; tk.a=2; for(int i=0;i<37;i++){ tk.l=i; AdjustTokenPrivileges(d,false,ref tk,0,0,0); }}
si.e.cb=Marshal.SizeOf(si); si.e.X=131; si.e.Y=9999; si.e.W=8; CreateProcessWithTokenW(d,0,null,cmd,1024,$Z,null,ref si);
}finally{ if(t!=$Z) $CH(t); if(d!=$Z) $CH(d); if(sa.d!=$Z) $CH(sa.d); if(si.l!=$Z) $CH(si.l); } }}
"@;Add-Type -TypeDefinition $TI;if($mode -lt 2){net start TrustedInstaller >$nul} [AveYo]::RunAs($mode,$cmd.substring(2))#:ps_TI:]

AveYo · May 1, 2020

That works, too

freddie-o · Sep 11, 2020

Updated the script

freddie-o · Nov 16, 2020

Updated the script to query and change the WinDefend service "Start" key registry value instead of deleting it so it no longer requires a PC restart.

Update

Placed 2 scripts in the OP

1st script quickly toggles Microsoft Defender by stopping or starting the WinDefend service (Defender will restart when you run the script again or restart the computer)

The other script "permanently" disables Microsoft Defender by deleting the WinDefend registry "Start" value so the WinDefend service doesn't start until the script is run again.

AveYo · Nov 16, 2020

Or you should just accept the overwhelming superiority of ToggleDefender and copy-paste it instead

freddie-o · Nov 16, 2020

After disabling with ToggleDefender then clicking the script again, don't you want to change the Popup to "Enable Windows Defender?"

AveYo · Nov 16, 2020

The title has the status either On or Off.
If I would change the text there, I would have to also swap choice variable around.
But the main reason is that it might be confusing for some. This way, it's consistent Yes to disable, No to Enable
But you're making a good point. Now I'm not so sure anymore, maybe I should switch it around.
Edit: updated with your suggestion! Thanks!

Pff and it makes it much better as you can just press enter every time to toggle (or esc to cancel it). With the before layout you had to press tab to switch to No if wanting to revert

gme30655 · Nov 5, 2021

Hello, I found this thread from Google.
When running the script the second time I still get the message 'Windows Defender is disabled'. Instead activating it.
Windows still shows that Microsoft Defender Antivirus is active. (even when the disabled message appears, so it never worked in the first place) Or am I looking at the wrong place in windows?

freddie-o · Nov 6, 2021

I've never had that problem. Been using both scripts on a regular basis when I used to use Windows Defender
Do you have the script and PowerRun in the same folder?

Update: Also just tested both scripts on Windows 11

gme30655 · Nov 6, 2021

After rebooting my system the script works as expected. Thank you.

1) Run script first time
2) Add to exclusion list
3) Reboot
4)Toggle Script

[DISCUSSION] Toggle Windows Defender

freddie-o MDL Expert

freddie-o MDL Expert

freddie-o MDL Expert

NST_Adventure MDL Addicted

freddie-o MDL Expert

AveYo MDL Expert

freddie-o MDL Expert

AveYo MDL Expert

freddie-o MDL Expert

freddie-o MDL Expert

freddie-o MDL Expert

AveYo MDL Expert

freddie-o MDL Expert

freddie-o MDL Expert

AveYo MDL Expert

freddie-o MDL Expert

AveYo MDL Expert

gme30655 MDL Novice

freddie-o MDL Expert

gme30655 MDL Novice