How to Disable Tamper Protection in 1903?

Discussion in 'Windows 10' started by jukiyidip, May 8, 2019.

  1. jukiyidip

    jukiyidip MDL Novice

    May 2, 2019
    5
    0
    0
    I have always used this code in my C# Program:

    Runspace runspace = RunspaceFactory.CreateRunspace();
    runspace.Open();
    Pipeline pipeline = runspace.CreatePipeline();
    pipeline.Commands.AddScript("Set-MpPreference -DisableRealtimeMonitoring $true");
    pipeline.Invoke();
    runspace.Close();

    and

    RegistryKey keyx = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender", true);
    {
    keyx.SetValue("DisableAntiSpyware", 1, RegistryValueKind.DWord);
    keyx.Flush();
    keyx.Close();
    }

    but now in 1903 with Tamper Protection nothin work, so i have see that tool sordum.org/9480/defender-control-v1-5/ have a workaround but is write in C++ i have tried to decompile with de4dot but nothing.

    The interessed key is:

    "reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f"

    Always return "Permission Denied" so i have tried with:

    SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\" -ot reg -actn setowner -ownr "n:administrator"
    SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\" -ot reg -actn ace -ace "n:administrator;p:full"

    with Success message, but nothing is changed, someone have any idea? I have contacted the author of tool without answer...
     
  2. TairikuOkami

    TairikuOkami MDL Addicted

    Mar 15, 2014
    874
    766
    30
    Just a foot note. It can be easily disabled on a clean installed 18362.30, but once the update is installed (.53 and above), it becomes really tamper protected.
     
  3. jukiyidip

    jukiyidip MDL Novice

    May 2, 2019
    5
    0
    0
    Yes... But this sordum.org/9480/defender-control-v1-5/ tool how to work? .30+ working
     
  4. zm1868179

    zm1868179 MDL Novice

    Apr 1, 2017
    3
    1
    0
    I was at the Microsoft Office in Charlotte NC yesterday for a meeting and asked about this. they have made it almost impossible to remove defender due to Azure and their Autopilot program with Hardware OEMs. it is so OEMs can just ship devices to enterprises or SMBs and they can enter their Azure credentials which will AAD join the devices and push polices and software that is set up in the Azure portal and it relies on Defender and its services to function correctly. Also based on 3rd party testing why would people want to replace defender its been proven to one of the best AV and malware Programs out there since its backed relies on Microsoft Graph which the second an attack or previously unknown piece of malware is found they can blacklist it in the graph which then protects all windows users from it
     
  5. jukiyidip

    jukiyidip MDL Novice

    May 2, 2019
    5
    0
    0
    YES, but I only need to disable it as the defender-control-v1-5 tool does, I would like my program to do it on 1903, but nobody knows how that program does, the author has a very vague response, I quote the his answer:

    "Hi Dirk
    In the 1903 version, a protection was added to prevent tampering with defender settings. To close the defender, you need to stop the defender service (WinDefend). This requires system + trustedinstaller authority ...

    Regards
    Sordum.org TEAM "

    I know if a simple program 800KB can run command with trustedinstaller And how to add to my program this "feature"?
     
  6. rpo

    rpo MDL Addicted

    Jan 3, 2010
    978
    740
    30
    This look like the method used by the Windows Update Blocker (wub) edited by Sordum. The authorization register subkey of the wuauserv key is modified in such a way that Windows can't change it and Windows update stands disabled.
     
  7. Enthousiast

    Enthousiast MDL Tester

    Oct 30, 2009
    23,730
    33,244
    390
    I noticed, when i installed a sysprepped/captured 18362.86 without installing the defender platform update, tamper protection was disabled till the moment that the platform update got installed by WU.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. jukiyidip

    jukiyidip MDL Novice

    May 2, 2019
    5
    0
    0
    Finaly i have a solution, github.com/lilkui/runasti run all command or program like TrustedInstaller =)
     
  9. rpo

    rpo MDL Addicted

    Jan 3, 2010
    978
    740
    30
    as an alternate solution, you can use nsudo maintained by @Mouri_Naruto.
     
  10. jukiyidip

    jukiyidip MDL Novice

    May 2, 2019
    5
    0
    0
    Wow GG
     
  11. MS_User

    MS_User MDL Guru

    Nov 30, 2014
    3,332
    657
    120
    to me this makes your machine less secure and u dont want to do that when it comes to windows....but hey knock yourself out;)
     
  12. nipponico

    nipponico MDL Novice

    Nov 18, 2015
    13
    4
    0
    Never had an antivirus since ten years or more. Never had a problem...
     
  13. TairikuOkami

    TairikuOkami MDL Addicted

    Mar 15, 2014
    874
    766
    30
    Windows 10 is way more secure than any other Windows before. AV is not there to block malware, but to stop people from doing silly things, like opening infected links, attachments, exes, etc. It is anti-stupid software.
    Majority do not need AV, I bet most people have never seen a single alert from AV, meaning, you do not need it, but marketing has done its work: "You get infected within a minute, if you go on the internet without AV."

    There are some workarounds, like this one, tons of malware need scripts in one way or another. Ever heard the expression, malware downloaded and ran itself? Well it did not do it all by itself, scripts helped, a little. :D
    Code:
    reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\WOW6432Node\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
    camp_02.png
     
  14. Wetryshka

    Wetryshka MDL Novice

    Apr 16, 2017
    36
    3
    0
    How can it be disabled on .30 ? Only by turning it off in the Defender or is there more steps involved in that?
     
  15. TairikuOkami

    TairikuOkami MDL Addicted

    Mar 15, 2014
    874
    766
    30
    .bat

    Disabling services might break other windows features like smartscreen or system guard, but I do not use any of those, so I have no idea.
     
  16. Wetryshka

    Wetryshka MDL Novice

    Apr 16, 2017
    36
    3
    0
    I don't need those pop-ups. Worked like charm, thank you. Anyway, the problem was because firstly I Enabled the policy 'Disable Windows Defender Anti-Virus', and after that I disabled Tamper Protection so I was unable to turn off defender until I did a reset on my Windows, not sure if bug or feature.
     
  17. DavidXanatos

    DavidXanatos MDL Senior Member

    May 23, 2010
    256
    1,049
    10
    interesting it seams you only need to

    Code:
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    
    to disable the deffender using GPO, i wonder if MSFT will "fix" that one way or another
     
  18. piercekalton

    piercekalton MDL Senior Member

    Apr 2, 2010
    417
    37
    10
    I think there are some people who just want to disable everything they possibly can just "because"