Lean And Mean snippets for power users

Discussion in 'Scripting' started by BAU, May 7, 2021.

  1. cromulant

    cromulant MDL Novice

    Aug 12, 2015
    9
    2
    0
    Windows Defender deletes the script. :/

    Guessing I can't do anything besides manually adding an exclusion for that folder within Defender, right?
     
  2. Dark Monkey

    Dark Monkey MDL Addicted

    Feb 2, 2011
    678
    832
    30
    #62 Dark Monkey, Nov 17, 2021
    Last edited: Nov 17, 2021
    maybe delete Windows defender :D
     
  3. (\_/)^(\_/)

    (\_/)^(\_/) MDL Member

    May 31, 2020
    1,743
    1,478
    60
    Powershell -C "Get-MpPreference"

    Code:
    AttackSurfaceReductionOnlyExclusions          :
    AttackSurfaceReductionRules_Actions           :
    AttackSurfaceReductionRules_Ids               :
    CheckForSignaturesBeforeRunningScan           : False
    CloudBlockLevel                               : 0
    CloudExtendedTimeout                          : 0
    ComputerID                                    :
    ControlledFolderAccessAllowedApplications     :
    ControlledFolderAccessProtectedFolders        :
    DisableArchiveScanning                        : True
    DisableAutoExclusions                         : True
    DisableBehaviorMonitoring                     : True
    DisableBlockAtFirstSeen                       : True
    DisableCatchupFullScan                        : True
    DisableCatchupQuickScan                       : True
    DisableEmailScanning                          : True
    DisableIntrusionPreventionSystem              :
    DisableIOAVProtection                         : True
    DisablePrivacyMode                            : True
    DisableRealtimeMonitoring                     : True
    DisableRemovableDriveScanning                 : True
    DisableRestorePoint                           : True
    DisableScanningMappedNetworkDrivesForFullScan : True
    DisableScanningNetworkFiles                   : True
    DisableScriptScanning                         : True
    EnableControlledFolderAccess                  : 0
    EnableFileHashComputation                     : False
    EnableLowCpuPriority                          : False
    EnableNetworkProtection                       : 0
    ExclusionExtension                            :
    ExclusionPath                                 :
    ExclusionProcess                              :
    HighThreatDefaultAction                       : 0
    LowThreatDefaultAction                        : 0
    MAPSReporting                                 : 0
    ModerateThreatDefaultAction                   : 0
    PUAProtection                                 : 0
    QuarantinePurgeItemsAfterDelay                : 0
    RandomizeScheduleTaskTimes                    : False
    RealTimeScanDirection                         : 0
    RemediationScheduleDay                        : 8
    RemediationScheduleTime                       : 00:00:00
    ReportingAdditionalActionTimeOut              : 0
    ReportingCriticalFailureTimeOut               : 0
    ReportingNonCriticalTimeOut                   : 0
    ScanAvgCPULoadFactor                          : 5
    ScanOnlyIfIdleEnabled                         : False
    ScanParameters                                : 0
    ScanPurgeItemsAfterDelay                      : 0
    ScanScheduleDay                               : 8
    ScanScheduleQuickScanTime                     : 00:00:00
    ScanScheduleTime                              : 00:00:00
    SevereThreatDefaultAction                     : 0
    SharedSignaturesPath                          :
    SignatureAuGracePeriod                        : 0
    SignatureDefinitionUpdateFileSharesSources    :
    SignatureDisableUpdateOnStartupWithoutEngine  : True
    SignatureFallbackOrder                        : 0
    SignatureFirstAuGracePeriod                   : 0
    SignatureScheduleDay                          : 8
    SignatureScheduleTime                         : 00:00:00
    SignatureUpdateCatchupInterval                : 0
    SignatureUpdateInterval                       : 0
    SubmitSamplesConsent                          : 2
    ThreatIDDefaultAction_Actions                 :
    ThreatIDDefaultAction_Ids                     :
    UILockdown                                    : True
    UnknownThreatDefaultAction                    : 0
    PSComputerName                                :
    
    My result after permanently disabling Defender: it is not coming back in any scenario.
     
  4. BAU

    BAU MDL Expert

    Feb 10, 2009
    1,287
    3,532
    60
    What script gets deleted?
     
  5. (\_/)^(\_/)

    (\_/)^(\_/) MDL Member

    May 31, 2020
    1,743
    1,478
    60
  6. (\_/)^(\_/)

    (\_/)^(\_/) MDL Member

    May 31, 2020
    1,743
    1,478
    60
    Batch script to remove Defender packages using the same method as St1cky's:

    Code:
    @echo off
    Powershell -EP Bypass -MTA -NOL -NONI -NOP -C "Write-Host 'Removing Defender Permanently' -EA SilentlyContinue -ForegroundColor Green -Verbose"
    Powershell -EP Bypass -MTA -NOL -NONI -NOP -C "Set-ItemProperty -Path 'HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*' -Name Visibility -Value 1 -Force -EA SilentlyContinue -Verbose"
    Powershell -C "Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*' -Include *Owner* -Recurse -Force -EA SilentlyContinue -Verbose"
    Powershell -C "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*' -Name | ForEach-Object  {dism /online /remove-package /PackageName:$_ /NoRestart}"
    
    I have added some extra packages of my own choosing; not suggested for others:
    Code:
    @echo off
    Powershell -EP Bypass -MTA -NOL -NONI -NOP -C "Write-Host 'Removing Media Streaming Permanently' -EA SilentlyContinue -ForegroundColor Green -Verbose"
    Powershell -EP Bypass -MTA -NOL -NONI -NOP -C "Set-ItemProperty -Path 'HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Microsoft-Windows-Media-Streaming*' -Name Visibility -Value 1 -Force -EA SilentlyContinue -Verbose"
    Powershell -C "Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Microsoft-Windows-Media-Streaming*' -Include *Owner* -Recurse -Force -EA SilentlyContinue -Verbose"
    Powershell -C "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Microsoft-Windows-Media-Streaming*' -Name | ForEach-Object  {dism /online /remove-package /PackageName:$_ /NoRestart}"
    
    Powershell -EP Bypass -MTA -NOL -NONI -NOP -C "Write-Host 'Removing Server Help Permanently' -EA SilentlyContinue -ForegroundColor Green -Verbose"
    Powershell -EP Bypass -MTA -NOL -NONI -NOP -C "Set-ItemProperty -Path 'HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Server-Help*' -Name Visibility -Value 1 -Force -EA SilentlyContinue -Verbose"
    Powershell -C "Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Server-Help*' -Include *Owner* -Recurse -Force -EA SilentlyContinue -Verbose"
    Powershell -C "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Server-Help*' -Name | ForEach-Object  {dism /online /remove-package /PackageName:$_ /NoRestart}"
    
     
  7. Dark Monkey

    Dark Monkey MDL Addicted

    Feb 2, 2011
    678
    832
    30
    #67 Dark Monkey, Nov 18, 2021
    Last edited: Nov 18, 2021
    Now I have 3 ways to completely remove this s**t.
    Make sure it is really gone;
    maybe deleting the whole folder is not enough :D
    Code:
    call :export cson > "%temp%\Windows.10.Defender_Uninstall.ps1"
    >nul 2>&1 powershell -noprofile -executionpolicy bypass -file "%temp%\Windows.10.Defender_Uninstall.ps1"
    
    for %%A IN (WinDefend, WdBoot, WdFilter, Sense, WdNisDrv, WdNisSvc) do (
        >nul 2>&1 sc config %%A start=disabled
        >nul 2>&1 sc stop %%A
        >nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%%A" /f
    )
    
    for %%A IN (SecurityHealthService.exe, SecurityHealthSystray.exe, smartscreen.exe, MpCmdRun.exe) do >nul 2>&1 taskkill /im %%A
    >nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Defender" /f
    >nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe" /f
    
    set Key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
    >nul 2>&1 call :reg_own !key! "" S-1-5-114 "" Allow FullControl
    >nul 2>&1 call :reg_own !key! "" S-1-5-32-544 "" Allow FullControl
    >nul 2>&1 REG ADD !Key! /f /v DisableAntiSpyware /t REG_DWORD /d 1
    >nul 2>&1 REG ADD !Key! /f /v TamperProtection /t REG_DWORD /d 0
    
    >nul 2>&1 call :DestryFolder "%ProgramFiles%\Windows Defender"
    >nul 2>&1 call :DestryFolder "%ProgramFiles(x86)%\Windows Defender"
    >nul 2>&1 call :DestryFolder "%ALLUSERSPROFILE%\Windows Defender"
    >nul 2>&1 call :DestryFolder "%ProgramFiles%\Windows Defender Advanced Threat Protection"
    >nul 2>&1 call :DestryFolder "%ProgramFiles(x86)%\Windows Defender Advanced Threat Protection"
    >nul 2>&1 call :DestryFolder "%ALLUSERSPROFILE%\Microsoft\Windows Defender Advanced Threat Protection"
    
     
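    As a defender-side counterpart to the posts above, here is an added audit script (not from any poster in this thread) that reports whether the services, registry values and Get-MpPreference settings named in the thread are still in their protective state. It assumes an elevated PowerShell session on a machine where the Defender module (Get-MpPreference, Get-MpComputerStatus) is present; the service names, registry key and preference names are the ones quoted in the posts.

```powershell
# Added example: audit the Defender components referenced in this thread.
# Not from the thread; assumes an elevated session on a machine with the
# Defender PowerShell module (Get-MpPreference / Get-MpComputerStatus).
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Services and drivers the batch script above stops, disables and deletes.
#    Reading the Start value covers kernel drivers too (Get-Service would not list them).
foreach ($svc in 'WinDefend','WdBoot','WdFilter','WdNisDrv','WdNisSvc','Sense') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { $findings.Add("service key missing: $svc"); continue }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings.Add("service disabled (Start=4): $svc") }
}

# 2. Values the batch script writes under the Features key.
$features = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
$f = Get-ItemProperty -Path $features -ErrorAction SilentlyContinue
if ($f.DisableAntiSpyware -eq 1) { $findings.Add("DisableAntiSpyware=1 under $features") }
if ($f.TamperProtection -eq 0)   { $findings.Add("TamperProtection=0 under $features") }

# 3. Preferences that show as True / 0 in the Get-MpPreference dump posted above.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($p in 'DisableRealtimeMonitoring','DisableBehaviorMonitoring',
                   'DisableIOAVProtection','DisableScriptScanning','DisableBlockAtFirstSeen') {
        if ($pref.$p -eq $true) { $findings.Add("preference weakened: $p = True") }
    }
    if ($pref.MAPSReporting -eq 0) { $findings.Add("MAPSReporting=0 (cloud protection off)") }
} else {
    $findings.Add("Get-MpPreference unavailable: Defender module or service not present")
}

# 4. Live engine status; this call also disappears once the platform is removed.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add("RealTimeProtectionEnabled = False") }
    if (-not $status.IsTamperProtected)         { $findings.Add("IsTamperProtected = False") }
} else {
    $findings.Add("Get-MpComputerStatus unavailable")
}

if ($findings.Count -eq 0) { 'Defender baseline intact' } else { $findings }
```

    An empty findings list means every item the thread's scripts touch is still present and enabled; each reported line points at the specific service, value or preference that was changed.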
  8. BAU

    BAU MDL Expert

    Feb 10, 2009
    1,287
    3,532
    60
    Massive Usability Improvements for 2022!
    - my RunAsTI context menu .reg for folders and files (exe, msc, bat, cmd, reg), even shows up on the s**tty Windows 11 ;)
    - RunAsTI simplified (just one variant - the best one) and with improved cmd + arguments parsing. Works with any paths!
    - reg_own with powershell style arguments, much improved handling of recursively denied permissions (when you don't even have access to view them), -list switch will show rights even when regedit fails!
     
  9. fLOW.

    fLOW. MDL Senior Member

    Jul 28, 2009
    434
    406
    10
  10. migascalp

    migascalp MDL Junior Member

    Sep 18, 2009
    85
    46
    0
    A little forget ? :)
     
  11. BAU

    BAU MDL Expert

    Feb 10, 2009
    1,287
    3,532
    60
  12. BAU

    BAU MDL Expert

    Feb 10, 2009
    1,287
    3,532
    60
    Fixed that typo!
    And added an "Open PowerShell as TrustedInstaller" entry on the directory background (RunAsTI.reg)
     