[DISCUSSION] Toggle Windows Defender

Discussion in 'Scripting' started by freddie-o, Feb 2, 2019.

  1. Krakatoa

    Krakatoa MDL Addicted

    Feb 22, 2011
    629
    1,033
    30
    @freddie-o

    This is the best permanent disabling of Defender with the ability to enable it at any time.

    Disable Defender
    Run cmd script as admin. NSudoLC.exe in same folder.
    Code:
    pushd "%~dp0"
    NSudoLC -U:T -P:E -Wait -ShowWindowMode:Hide powershell -command "& { Stop-Service -Name 'windefend' }"
    NSudoLC -U:T -P:E -Wait -ShowWindowMode:Hide sc config windefend start=demand
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
    sc qc windefend
    pause
    Enable Defender
    Run cmd script as admin.
    Code:
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    sc start windefend
    pause
    Comment
    1)
    sc stop windefend and net stop windefend is detected by Defender
    Stop-Service in powershell is undetected by Defender
    2)
    It is better to stop the defender (stop service windefend) first and then setting it (start service parameter)
    3)
    windefend start=demand (manual) and DisableAntiSpyware 1 = permanent disable Defender
    4)
    Works on Win 10/11
    Defender is possible to disable / enable it at any time
     
  2. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    8,235
    15,393
    270
    Why is it the best? Elaborate please...
    Also there's a @BAU 's script to toggle defender. Any difference between them?
     
  3. Krakatoa

    Krakatoa MDL Addicted

    Feb 22, 2011
    629
    1,033
    30
    #63 Krakatoa, Nov 6, 2021
    Last edited: Nov 6, 2021
    At first glance, you know what it does. Not in the Bau script. :)
    ... and to restore it to its original state is absolutely trivial (even without a script). Not in the Bau script. :)
     
  4. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    949
    1,236
    30

    Thank you I will test it out.
    My intention here is just to toggle Windows Defender
    I disable a lot more (offline) to permanently disable Windows Defender
     
  5. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    949
    1,236
    30


    Disable Defender doesn't work... Errors

    Code:
    E:\>pushd "E:\"
    
    E:\>NSudoLC -U:T -P:E -Wait -ShowWindowMode:Hide powershell -command "& { Stop-Service -Name 'windefend' }"
    M2-Team NSudo Launcher 8.2
    © M2-Team. All rights reserved.
    
    Error: Failed to create a process.
    
    For further information, please visit https://m2team.github.io/NSudo.
    
    ****************************************************************
    
    Sender: NSudoCreateProcess
    DateTime: 2021-11-07 15:37:45
    Process ID: 5472
    Thread ID: 7448
    
    UserModeType: 1
    PrivilegesModeType: 1
    MandatoryLabelType: 0
    ProcessPriorityClassType: 2
    ShowWindowModeType: 2
    WaitInterval: -1
    CreateNewConsole: 1
    CommandLine: powershell -command "& { Stop-Service -Name 'windefend' }"
    CurrentDirectory: E:
    
    ****************************************************************
    
    Sender: NSudoCreateProcess
    DateTime: 2021-11-07 15:37:45
    Process ID: 5472
    Thread ID: 7448
    
    Enable the SeDebugPrivilege for the context access token failed, returns -2147023596.
    
    ****************************************************************
    
    E:\>NSudoLC -U:T -P:E -Wait -ShowWindowMode:Hide sc config windefend start=demand
    M2-Team NSudo Launcher 8.2
    © M2-Team. All rights reserved.
    
    Error: Failed to create a process.
    
    For further information, please visit https://m2team.github.io/NSudo.
    
    ****************************************************************
    
    Sender: NSudoCreateProcess
    DateTime: 2021-11-07 15:37:45
    Process ID: 8624
    Thread ID: 7572
    
    UserModeType: 1
    PrivilegesModeType: 1
    MandatoryLabelType: 0
    ProcessPriorityClassType: 2
    ShowWindowModeType: 2
    WaitInterval: -1
    CreateNewConsole: 1
    CommandLine: sc config windefend start=demand
    CurrentDirectory: E:
    
    ****************************************************************
    
    Sender: NSudoCreateProcess
    DateTime: 2021-11-07 15:37:45
    Process ID: 8624
    Thread ID: 7572
    
    Enable the SeDebugPrivilege for the context access token failed, returns -2147023596.
    
    ****************************************************************
    
    E:\>reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
    ERROR: Access is denied.
    
    E:\>sc qc windefend
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: windefend
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2110.6-0\MsMpEng.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Microsoft Defender Antivirus Service
            DEPENDENCIES       : RpcSs
            SERVICE_START_NAME : LocalSystem
    
    E:\>powershell (New-Object -ComObject Wscript.Shell).Popup("""Operation Completed""",0,"""Done""",0x0)
    1
    
    E:\>pause
    Press any key to continue . . .
     
  6. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    949
    1,236
    30
    #66 freddie-o, Nov 7, 2021
    Last edited: Nov 7, 2021
    (OP)
    I already tried this method before
    Code:
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
    and it didn't work

    After restarting the PC, the WinDefend service restarts, the Registry key gets deleted and Windows Defender gets re-enabled.

    So I ended up with​
    Code:
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /f

    You have to keep the WinDefend service from restarting if you want to keep Windows Defender disabled



     
  7. Krakatoa

    Krakatoa MDL Addicted

    Feb 22, 2011
    629
    1,033
    30
    #67 Krakatoa, Nov 7, 2021
    Last edited: Nov 7, 2021
    @freddie-o

    "E:\>pushd "E:\" ... and "Access is denied" ... probably run as user
    I wrote: "Run cmd script as admin."
    It would be there: C:\Windows\System32>pushd "E:\"

    DisableAntiSpyware 1 works if windefend is demand or disable
    ... and these settings are made when the windefend service is turned off as described in my script
    It works even after restarting Windows
    (...and to enable the defender, simply start the windefend service)

    Deleting WinDefend Start seems dirty to me, but also a possible variant :)
    I think "windefend start=demand (manual) and DisableAntiSpyware 1" is cleaner

    Comment
    "windefend start=demand (manual) and DisableAntiSpyware 1" also uses Defender Control.
    "sc qc windefend" is for verification only.
    It is possible that enabling Defender will work without reg delete Defender Policies (or delete DisableAntiSpyware) (the key deletes Defender when the Defender service starts).
     
  8. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    949
    1,236
    30
    #68 freddie-o, Nov 7, 2021
    Last edited: Nov 7, 2021
    (OP)
    I will just forget about disabling Windows Defender "permanently" and just stay with "Toggle Windows Defender Temporarily".
    There's more to consider when wanting to permanently disable Windows Defender
     
  9. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    949
    1,236
    30
    #69 freddie-o, Nov 7, 2021
    Last edited: Nov 22, 2021
    (OP)
    I think if you want to disable Windows Defender "permanently" you have to also include SmartScreen and Malicious Software Removal Tool
    I can only accomplish this offline without errors as TrustedInstaller

    Code:
    rem == disable microsoft defender, notifications, updates and malicious software removal tool ==
    reg load HKLM\SOFTHIVE mount\Windows\System32\config\SOFTWARE
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
    reg delete "HKLM\SOFTHIVE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe" /f
    
    rem == delete scheduled tasks ==
    reg delete "HKLM\SOFTHIVE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Defender" /f
    
    rem == disable smartscreen ==
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen" /v "value" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "Enabled" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV8" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v "2301" /t REG_DWORD /d "3" /f
    reg unload HKLM\SOFTHIVE
    
    rem == delete WinDefend services ==
    reg load HKLM\SYSHIVE mount\Windows\System32\config\SYSTEM
    reg delete "HKLM\SYSHIVE\ControlSet001\Services\WinDefend" /f
    reg unload HKLM\SYSHIVE
    
    rem == disable smartscreen for store and apps ==
    reg load HKLM\NTUSER mount\Users\Default\NTUSER.DAT
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t REG_DWORD /d "1" /f
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t REG_DWORD /d "0" /f
    
    rem == disable smartscreen for microsoft edge ==
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Edge\SmartScreenEnabled" /ve /t REG_DWORD /d "0" /f
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled" /ve /t REG_DWORD /d "0" /f
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d "0" /f
    reg unload HKLM\NTUSER
    

     
  10. Krakatoa

    Krakatoa MDL Addicted

    Feb 22, 2011
    629
    1,033
    30
    #70 Krakatoa, Nov 7, 2021
    Last edited: Nov 7, 2021
    Yes, but I only comment on turning off the Defender service itself. So the common ground.
    You don't have to write me the settings, I know them :)
    https://krakatoa.www3.cz/win10aio.php
    (... and I think it will work in online windows as well)
     
  11. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    8,235
    15,393
    270
    What's the difference between your solution and @wtarkan 's Defender Control.
     
  12. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    949
    1,236
    30
  13. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    8,235
    15,393
    270
    So yours is something similar to @BAU 's toggle defender script. Same goal (temporary) different approach?
     
  14. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    949
    1,236
    30
    BAU's and wtarkan's are similar i think. They both toggle Windows Defender but permanently until you enable it again. While with mine Windows Defender gets enabled again when Windows restarts
     
  15. Krakatoa

    Krakatoa MDL Addicted

    Feb 22, 2011
    629
    1,033
    30
    #76 Krakatoa, Nov 20, 2021
    Last edited: Nov 20, 2021
    @Mr.X
    freddie-o wtarkan DC BAU my recommendation now
    elevation TI PowerRun internal ps NSudo
    stop windefend sc stop internal net1 stop in ps wsf vbscript in cmd
    deactivation of windefend start disabled start demand MpCmdRun DisableService start demand
    Preventing self-starting (permanent disabling) - reg DisableAntiSpyware 1 reg DisableAntiSpyware 1 + depend RpcSs-TOGGLE reg DisableAntiSpyware 1
    permanent disabling No Yes Yes Yes
    detected by Defender Yes Yes No No
     
  16. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    8,235
    15,393
    270
    @Krakatoa thank you

    Nice comparison chart
     
  17. Dark Monkey

    Dark Monkey MDL Addicted

    Feb 2, 2011
    710
    849
    30
    Krakatoa
    what is wtarkan DC script ?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  18. Krakatoa

    Krakatoa MDL Addicted

    Feb 22, 2011
    629
    1,033
    30
  19. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    8,235
    15,393
    270
    I'm interested in permanency and the possibility to toggle easily and run again Defender, so it is @BAU 's script or yours, which one to pick. Here's the dilemma.