[DISCUSSION] Toggle Windows Defender

Discussion in 'Scripting' started by freddie-o, Feb 2, 2019.

  1. Krakatoa

    Krakatoa MDL Addicted

    @freddie-o

    This is the best permanent disabling of Defender with the ability to enable it at any time.

    Disable Defender
    Run cmd script as admin. NSudoLC.exe in same folder.
    Code:
    pushd "%~dp0"
    NSudoLC -U:T -P:E -Wait -ShowWindowMode:Hide powershell -command "& { Stop-Service -Name 'windefend' }"
    NSudoLC -U:T -P:E -Wait -ShowWindowMode:Hide sc config windefend start=demand
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
    sc qc windefend
    pause
    Enable Defender
    Run cmd script as admin.
    Code:
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    sc start windefend
    pause
    Comment
    1)
    sc stop windefend and net stop windefend are detected by Defender
    Stop-Service in PowerShell is not detected by Defender
    2)
    It is better to stop Defender (stop the windefend service) first and then set it (the service start parameter)
    3)
    windefend start=demand (manual) and DisableAntiSpyware 1 = permanent disabling of Defender
    4)
    Works on Win 10/11
    Defender can be disabled / enabled at any time
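
The same toggle written as a single PowerShell script, plus the status check the post leaves to "sc qc windefend". This is an added example, not Krakatoa's script: it assumes it is saved as Toggle-Defender.ps1 in the same folder as NSudoLC.exe and started from an elevated prompt, and for Disable/Enable it relaunches itself through the exact NSudoLC invocation the post uses (-U:T -P:E -Wait -ShowWindowMode:Hide), because an Administrator token alone cannot stop or reconfigure WinDefend (that is the "Access is denied" freddie-o hits below when not elevated at all). Two things go beyond the post: Enable removes only the DisableAntiSpyware value rather than the whole Policies key, and it puts the start type back to Automatic, the default that sc qc shows. One caveat the thread does not discuss: with Tamper Protection turned on, Defender ignores the DisableAntiSpyware policy and protects its service settings, so the status function also reports IsTamperProtected when Get-MpComputerStatus can answer.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not Krakatoa's script. Assumed layout: this file saved as
  Toggle-Defender.ps1 next to NSudoLC.exe. Disable/Enable run in a second
  pass under TrustedInstaller via NSudoLC; Status runs directly.
#>
[CmdletBinding()]
param(
    [ValidateSet('Disable', 'Enable', 'Status')][string]$Action = 'Status',
    [switch]$AsTrustedInstaller   # set only by the relaunch below, not by the user
)

$ServiceName = 'WinDefend'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-DefenderToggleState {
    # The three facts the toggle rests on, plus Tamper Protection (not covered
    # by the thread), which makes all three steps fail when it is on.
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    $cfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $pol = Get-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $tamper = $null
    try { $tamper = (Get-MpComputerStatus -ErrorAction Stop).IsTamperProtected } catch { }
    [pscustomobject]@{
        Service            = $svc.Status      # Running / Stopped
        StartMode          = $cfg.StartMode   # Auto / Manual / Disabled
        DisableAntiSpyware = $(if ($pol) { $pol.DisableAntiSpyware } else { 'not set' })
        IsTamperProtected  = $tamper          # $null when the cmdlet cannot answer (engine stopped)
        ToggledOff         = ($svc.Status -eq 'Stopped' -and $cfg.StartMode -ne 'Auto' -and $pol.DisableAntiSpyware -eq 1)
    }
}

function Disable-DefenderToggle {
    # Order as in the post's comment 2: stop first, then change the start type.
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop
    Set-Service  -Name $ServiceName -StartupType Manual          # = sc config windefend start=demand
    if (-not (Test-Path -LiteralPath $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware -PropertyType DWord -Value 1 -Force | Out-Null
}

function Enable-DefenderToggle {
    # Removes only the value the toggle set (the post deletes the whole Policies
    # key) and restores the Automatic start type that sc qc shows as default.
    Remove-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    Set-Service   -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName -ErrorAction Stop
}

if ($Action -eq 'Status') { Get-DefenderToggleState | Format-List; return }

if (-not $AsTrustedInstaller) {
    # First pass (Administrator): hand the work to a TrustedInstaller copy of
    # this script using the NSudoLC switches from the post, then report.
    $nsudo = Join-Path $PSScriptRoot 'NSudoLC.exe'
    if (-not (Test-Path -LiteralPath $nsudo)) { throw "NSudoLC.exe not found next to the script: $nsudo" }
    $nsudoArgs = @('-U:T', '-P:E', '-Wait', '-ShowWindowMode:Hide',
                   'powershell.exe', '-NoProfile', '-ExecutionPolicy', 'Bypass',
                   '-File', $PSCommandPath, '-Action', $Action, '-AsTrustedInstaller')
    & $nsudo @nsudoArgs
    # The hidden child shows nothing; read the result from this window instead.
    Get-DefenderToggleState | Format-List
    return
}

# Second pass (TrustedInstaller): do the actual work.
switch ($Action) {
    'Disable' { Disable-DefenderToggle }
    'Enable'  { Enable-DefenderToggle }
}
```

Usage: `.\Toggle-Defender.ps1 -Action Disable`, `.\Toggle-Defender.ps1 -Action Enable`, and `.\Toggle-Defender.ps1` (Status) to see whether the service is stopped, the start type is Manual and the policy value is 1, which is the state the post calls "permanently disabled". If Status shows IsTamperProtected True, expect the Disable pass to fail regardless of the token it runs under.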
     
  2. Mr.X

    Mr.X MDL Guru

    Why is it the best? Elaborate please...
    Also there's @BAU's script to toggle Defender. Any difference between them?
     
  3. Krakatoa

    Krakatoa MDL Addicted

    #63 Krakatoa, Nov 6, 2021
    Last edited: Nov 6, 2021
    At first glance, you know what it does. Not in the Bau script. :)
    ... and to restore it to its original state is absolutely trivial (even without a script). Not in the Bau script. :)
     
  4. freddie-o

    freddie-o MDL Expert


    Thank you I will test it out.
    My intention here is just to toggle Windows Defender
    I disable a lot more (offline) to permanently disable Windows Defender
     
  5. freddie-o

    freddie-o MDL Expert



    Disable Defender doesn't work... Errors

    Code:
    E:\>pushd "E:\"
    
    E:\>NSudoLC -U:T -P:E -Wait -ShowWindowMode:Hide powershell -command "& { Stop-Service -Name 'windefend' }"
    M2-Team NSudo Launcher 8.2
    © M2-Team. All rights reserved.
    
    Error: Failed to create a process.
    
    For further information, please visit https://m2team.github.io/NSudo.
    
    ****************************************************************
    
    Sender: NSudoCreateProcess
    DateTime: 2021-11-07 15:37:45
    Process ID: 5472
    Thread ID: 7448
    
    UserModeType: 1
    PrivilegesModeType: 1
    MandatoryLabelType: 0
    ProcessPriorityClassType: 2
    ShowWindowModeType: 2
    WaitInterval: -1
    CreateNewConsole: 1
    CommandLine: powershell -command "& { Stop-Service -Name 'windefend' }"
    CurrentDirectory: E:
    
    ****************************************************************
    
    Sender: NSudoCreateProcess
    DateTime: 2021-11-07 15:37:45
    Process ID: 5472
    Thread ID: 7448
    
    Enable the SeDebugPrivilege for the context access token failed, returns -2147023596.
    
    ****************************************************************
    
    E:\>NSudoLC -U:T -P:E -Wait -ShowWindowMode:Hide sc config windefend start=demand
    M2-Team NSudo Launcher 8.2
    © M2-Team. All rights reserved.
    
    Error: Failed to create a process.
    
    For further information, please visit https://m2team.github.io/NSudo.
    
    ****************************************************************
    
    Sender: NSudoCreateProcess
    DateTime: 2021-11-07 15:37:45
    Process ID: 8624
    Thread ID: 7572
    
    UserModeType: 1
    PrivilegesModeType: 1
    MandatoryLabelType: 0
    ProcessPriorityClassType: 2
    ShowWindowModeType: 2
    WaitInterval: -1
    CreateNewConsole: 1
    CommandLine: sc config windefend start=demand
    CurrentDirectory: E:
    
    ****************************************************************
    
    Sender: NSudoCreateProcess
    DateTime: 2021-11-07 15:37:45
    Process ID: 8624
    Thread ID: 7572
    
    Enable the SeDebugPrivilege for the context access token failed, returns -2147023596.
    
    ****************************************************************
    
    E:\>reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
    ERROR: Access is denied.
    
    E:\>sc qc windefend
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: windefend
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2110.6-0\MsMpEng.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Microsoft Defender Antivirus Service
            DEPENDENCIES       : RpcSs
            SERVICE_START_NAME : LocalSystem
    
    E:\>powershell (New-Object -ComObject Wscript.Shell).Popup("""Operation Completed""",0,"""Done""",0x0)
    1
    
    E:\>pause
    Press any key to continue . . .
     
  6. freddie-o

    freddie-o MDL Expert

    #66 freddie-o, Nov 7, 2021
    Last edited: Nov 7, 2021
    (OP)
    I already tried this method before
    Code:
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
    and it didn't work

    After restarting the PC, the WinDefend service restarts, the Registry key gets deleted and Windows Defender gets re-enabled.

    So I ended up with
    Code:
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /f

    You have to keep the WinDefend service from restarting if you want to keep Windows Defender disabled



     
  7. Krakatoa

    Krakatoa MDL Addicted

    #67 Krakatoa, Nov 7, 2021
    Last edited: Nov 7, 2021
    @freddie-o

    "E:\>pushd "E:\" ... and "Access is denied" ... probably run as user
    I wrote: "Run cmd script as admin."
    It would be there: C:\Windows\System32>pushd "E:\"

    DisableAntiSpyware 1 works if windefend is set to demand or disabled
    ... and these settings are made while the windefend service is turned off, as described in my script
    It works even after restarting Windows
    (... and to enable Defender, simply start the windefend service)

    Deleting WinDefend Start seems dirty to me, but it is also a possible variant :)
    I think "windefend start=demand (manual) and DisableAntiSpyware 1" is cleaner

    Comment
    "windefend start=demand (manual) and DisableAntiSpyware 1" is also what Defender Control uses.
    "sc qc windefend" is for verification only.
    It is possible that enabling Defender will work without reg delete of the Defender Policies (or deleting DisableAntiSpyware) (the key is deleted when the Defender service starts).
     
  8. freddie-o

    freddie-o MDL Expert

    #68 freddie-o, Nov 7, 2021
    Last edited: Nov 7, 2021
    (OP)
    I will just forget about disabling Windows Defender "permanently" and just stay with "Toggle Windows Defender Temporarily".
    There's more to consider when wanting to permanently disable Windows Defender
     
  9. freddie-o

    freddie-o MDL Expert

    #69 freddie-o, Nov 7, 2021
    Last edited: Nov 22, 2021
    (OP)
    I think if you want to disable Windows Defender "permanently" you have to also include SmartScreen and Malicious Software Removal Tool
    I can only accomplish this offline without errors as TrustedInstaller

    Code:
    rem == disable microsoft defender, notifications, updates and malicious software removal tool ==
    reg load HKLM\SOFTHIVE mount\Windows\System32\config\SOFTWARE
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
    reg delete "HKLM\SOFTHIVE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe" /f
    
    rem == delete scheduled tasks ==
    reg delete "HKLM\SOFTHIVE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Defender" /f
    
    rem == disable smartscreen ==
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen" /v "value" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "Enabled" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV8" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTHIVE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v "2301" /t REG_DWORD /d "3" /f
    reg unload HKLM\SOFTHIVE
    
    rem == delete WinDefend services ==
    reg load HKLM\SYSHIVE mount\Windows\System32\config\SYSTEM
    reg delete "HKLM\SYSHIVE\ControlSet001\Services\WinDefend" /f
    reg unload HKLM\SYSHIVE
    
    rem == disable smartscreen for store and apps ==
    reg load HKLM\NTUSER mount\Users\Default\NTUSER.DAT
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t REG_DWORD /d "1" /f
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t REG_DWORD /d "0" /f
    
    rem == disable smartscreen for microsoft edge ==
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Edge\SmartScreenEnabled" /ve /t REG_DWORD /d "0" /f
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled" /ve /t REG_DWORD /d "0" /f
    reg add "HKLM\NTUSER\SOFTWARE\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d "0" /f
    reg unload HKLM\NTUSER
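
An audit for the offline script above, added here and not part of freddie-o's post: it re-opens the same three hives in the mounted image and checks that the values landed, so the image can be verified before it is unmounted and committed. Assumptions: an elevated session, the image mounted at .\mount exactly as in the script, and the subset of values in $Checks (chosen for the example; the remaining reg add/delete lines extend it the same way). reg.exe does the load/unload because the PowerShell registry provider cannot mount hive files itself; the [GC]::Collect() before unload is the practical detail that keeps "reg unload" from failing with "Access is denied" after the provider has touched keys in the hive.

```powershell
<#
  Added example, not freddie-o's script. Verifies a subset of the values his
  offline script writes. Assumed: elevated session, image mounted at .\mount.
#>
param([string]$MountPath = (Join-Path (Get-Location).Path 'mount'))

$Hives = @{
    SOFTWARE = 'Windows\System32\config\SOFTWARE'
    SYSTEM   = 'Windows\System32\config\SYSTEM'
    NTUSER   = 'Users\Default\NTUSER.DAT'
}

# Key is relative to the hive root. Either Name/Expect (value must equal Expect)
# or Absent (the key must not exist, matching the script's reg delete lines).
$Checks = @(
    @{ Hive = 'SOFTWARE'; Key = 'Policies\Microsoft\Windows Defender';       Name = 'DisableAntiSpyware';   Expect = 1 }
    @{ Hive = 'SOFTWARE'; Key = 'Policies\Microsoft\MRT';                    Name = 'DontOfferThroughWUAU'; Expect = 1 }
    @{ Hive = 'SOFTWARE'; Key = 'Policies\Microsoft\Windows\System';         Name = 'EnableSmartScreen';    Expect = 0 }
    @{ Hive = 'SOFTWARE'; Key = 'Microsoft\Windows\CurrentVersion\Explorer'; Name = 'SmartScreenEnabled';   Expect = 'Off' }
    @{ Hive = 'SOFTWARE'; Key = 'Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Defender'; Absent = $true }
    @{ Hive = 'SYSTEM';   Key = 'ControlSet001\Services\WinDefend';           Absent = $true }
    @{ Hive = 'NTUSER';   Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost'; Name = 'EnableWebContentEvaluation'; Expect = 0 }
)

function Invoke-WithOfflineHive {
    # Loads a hive file under HKLM\<LoadAs>, runs $Body, and always unloads.
    param([string]$HiveFile, [string]$LoadAs, [scriptblock]$Body)
    & reg.exe load "HKLM\$LoadAs" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load of $HiveFile failed (not elevated, image not mounted, or hive already loaded?)" }
    try { & $Body }
    finally {
        # The registry provider keeps handles to keys it touched; unless they are
        # released, 'reg unload' fails with "Access is denied" and the locked hive
        # later breaks the image unmount.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$LoadAs" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload HKLM\$LoadAs failed; unload it by hand before unmounting" }
    }
}

function Test-OfflineDefenderConfig {
    foreach ($hive in $Hives.Keys) {
        $hivePath = Join-Path $MountPath $Hives[$hive]
        $mountKey = "OFFLINE_$hive"
        Invoke-WithOfflineHive -HiveFile $hivePath -LoadAs $mountKey -Body {
            foreach ($c in ($Checks | Where-Object { $_.Hive -eq $hive })) {
                $path = "HKLM:\$mountKey\$($c.Key)"
                if ($c.Absent) {
                    $expect = 'absent'; $name = '(key)'
                    $actual = if (Test-Path -LiteralPath $path) { 'present' } else { 'absent' }
                } else {
                    $expect = $c.Expect; $name = $c.Name
                    $item   = Get-ItemProperty -LiteralPath $path -Name $c.Name -ErrorAction SilentlyContinue
                    $actual = if ($item) { $item.($c.Name) } else { '(missing)' }
                }
                [pscustomobject]@{ Hive = $hive; Key = $c.Key; Name = $name; Expected = $expect; Actual = $actual; Ok = ($actual -eq $expect) }
            }
        }
    }
}

Test-OfflineDefenderConfig | Format-Table -AutoSize
```

Run it after the offline script and before "dism /unmount-image"; every row should show Ok = True. A "(missing)" or "present" in the Actual column points at the exact reg line that did not apply, which is easier to chase in the mounted image than after the first boot, when the service would already be trying to recreate its state.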
    

     
  10. Krakatoa

    Krakatoa MDL Addicted

    #70 Krakatoa, Nov 7, 2021
    Last edited: Nov 7, 2021
    Yes, but I only comment on turning off the Defender service itself. So the common ground.
    You don't have to write me the settings, I know them :)
    https://krakatoa.www3.cz/win10aio.php
    (... and I think it will work in online windows as well)
     
  11. freddie-o

    freddie-o MDL Expert

    #71 freddie-o, Nov 7, 2021
    Last edited: Nov 7, 2021
    (OP)
    I added the script also for the benefit of others that will read this thread :)
     
  12. Mr.X

    Mr.X MDL Guru

    What's the difference between your solution and @wtarkan 's Defender Control.
     
  13. freddie-o

    freddie-o MDL Expert

    My method is just temporary. I haven't used Defender Control in a very long time because I stopped using Windows Defender, but it's supposed to be permanent.
     
  14. Mr.X

    Mr.X MDL Guru

    So yours is something similar to @BAU 's toggle defender script. Same goal (temporary) different approach?
     
  15. freddie-o

    freddie-o MDL Expert

    BAU's and wtarkan's are similar, I think. They both toggle Windows Defender, but permanently until you enable it again, while with mine Windows Defender gets enabled again when Windows restarts.
     
  16. Krakatoa

    Krakatoa MDL Addicted

    #76 Krakatoa, Nov 20, 2021
    Last edited: Nov 20, 2021
    @Mr.X
                                  freddie-o        wtarkan DC                BAU                                              my recommendation now
    elevation                     TI PowerRun      internal                  ps                                               NSudo
    stop windefend                sc stop          internal                  net1 stop in ps                                  wsf vbscript in cmd
    deactivation of windefend     start disabled   start demand              MpCmdRun DisableService                          start demand
    preventing self-starting      -                reg DisableAntiSpyware 1  reg DisableAntiSpyware 1 + depend RpcSs-TOGGLE   reg DisableAntiSpyware 1
      (permanent disabling)
    permanent disabling           No               Yes                       Yes                                              Yes
    detected by Defender          Yes              Yes                       No                                               No
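
The "detected by Defender" row is about Defender's own engine flagging the command that stops it. The other side of that question, added here as an example and not part of the comparison or of any of the scripts it lists, is what the host's event logs record afterwards: the Service Control Manager logs the stop and the start-type change itself, and the Defender Operational log records the engine shutting its features down, whichever tool or token did it. Assumptions: an elevated session (the Defender Operational log is not readable by every user), the documented event IDs 7036/7040 and 5001/5010/5012, the "Defender Antivirus" display-name match taken from the sc qc output earlier in the thread, and a 24-hour window chosen for the example.

```powershell
<#
  Added example, not from the thread: host-side evidence of a WinDefend toggle,
  independent of the method used. Assumed: elevated session, default 24 h window.
#>
param([int]$Hours = 24)

function Get-DefenderTamperEvents {
    param([datetime]$Since = (Get-Date).AddHours(-$Hours))

    # System log, Service Control Manager:
    #   7036  "The <service> service entered the stopped/running state."
    #   7040  "The start type of the <service> service was changed from auto start to demand start."
    # Matching on the display name covers both "Windows Defender Antivirus Service"
    # and "Microsoft Defender Antivirus Service".
    $scm = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036, 7040; StartTime = $Since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Defender Antivirus' }

    # Defender Operational log, written by the engine as features go down:
    #   5001 real-time protection disabled, 5010 anti-spyware scanning disabled,
    #   5012 antivirus scanning disabled.
    $mp = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5010, 5012; StartTime = $Since
    } -ErrorAction SilentlyContinue

    @($scm; $mp) | Where-Object { $null -ne $_ } | Sort-Object TimeCreated | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Log     = $_.LogName
            Id      = $_.Id
            Summary = ($_.Message -split "`r?`n")[0]   # first line names the service and the state
        }
    }
}

function Test-DefenderToggledOff {
    # Reduces the event list to the questions an analyst asks first.
    param([datetime]$Since = (Get-Date).AddHours(-$Hours))
    $ev = @(Get-DefenderTamperEvents -Since $Since)
    [pscustomobject]@{
        Window           = "$Hours h"
        ServiceStopped   = [bool]($ev | Where-Object { $_.Id -eq 7036 -and $_.Summary -match 'stopped' })
        StartTypeChanged = [bool]($ev | Where-Object { $_.Id -eq 7040 })
        EngineReported   = [bool]($ev | Where-Object { $_.Id -in 5001, 5010, 5012 })
        EventCount       = $ev.Count
    }
}

Test-DefenderToggledOff | Format-List
Get-DefenderTamperEvents | Format-Table -AutoSize
```

On a machine where one of the compared scripts ran, the summary shows ServiceStopped and StartTypeChanged as True with the matching 7036/7040 lines underneath; a 7040 back to "auto start" with a later 7036 "running" marks the re-enable. What none of these events carry is the caller, so the "undetected by Defender" distinction in the table only concerns the engine's own alert, not whether the change is visible to whoever reads the logs.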
     
  17. Mr.X

    Mr.X MDL Guru

    @Krakatoa thank you

    Nice comparison chart
     
  18. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Krakatoa
    What is the wtarkan DC script?
     
  19. Krakatoa

    Krakatoa MDL Addicted

  20. Mr.X

    Mr.X MDL Guru

    I'm interested in permanency and the possibility to toggle easily and run again Defender, so it is @BAU 's script or yours, which one to pick. Here's the dilemma.