Toggle Microsoft Defender

Discussion in 'Scripting' started by freddie-o, Feb 2, 2019.

  1. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    655
    734
    30
A full PS window appears, then becomes small to show the Disabled/Enabled notice. So we don't need NSudo anymore?
     
  2. freddie-o

    freddie-o MDL Addicted

    This is what I did to make it work...

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\WinDefenderToggle]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\WinDefenderToggle\Command]
    @="C:\\YourNSudoFolderPath\\NSudoG.exe -ShowWindowMode:Hide -U:T -P:E C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c \"Start-Process powershell -ArgumentList '-c \\\"$preferences = Get-MpPreference\\\" ; \\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\"' -verb RunAs -Window Hidden\""
    
     
  4. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    356
    588
    10
    #25 Thomas Dubreuil, Feb 5, 2019
    Last edited: Feb 5, 2019
OK, you are probably missing the PowerShell folder in your system environment variable Path; it should be there by default...

Nice one...didn't think of it :) I don't have it because I disabled the systray icon from startup and prefer to have the minimum of apps running at startup.

Windows Server 2019, but that doesn't really matter; it's almost the same as W10.

As a side note, I'm not sure it is necessary to use the -T switch for NSudo; it is the TrustedInstaller token, and it's always safer to run with the least privilege...
In this case -P (current process), as in my example, gives you administrator rights and that should work (it does for me).
Also, you don't need the -Verb RunAs argument anymore with NSudo.
     
  5. freddie-o

    freddie-o MDL Addicted

I did just the opposite: I use Server 2019 but used this reg file to show the tray icon.

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray]
    "HideSystray"=dword:00000000
    
     
  6. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

That would be another option, re-adding the RunAs at the end, but then we have a first window for 1 sec, then a second one which resizes to a third one...not so fancy.

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\background\shell\WinDefenderToggle]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\Directory\background\shell\WinDefenderToggle\Command]
    @="powershell -Window Hidden \"Start-Process powershell -ArgumentList '-c mode 48,2;\\\"$preferences = Get-MpPreference\\\";\\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\";Write-Host -n -f White Real Time Protection has been` ;\\\"if (!$preferences.DisableRealtimeMonitoring -eq $true) {Write-Host -n -f Red Disabled.} else {Write-Host -n -f Green Enabled.}\\\";Start-Sleep -s 3' -Verb RunAs\""
    but all solutions work anyway...

Have a good night; it was fun to participate :)
     
  8. freddie-o

    freddie-o MDL Addicted

    Updated the OP with a new Option.

     
  9. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    #33 Thomas Dubreuil, Feb 23, 2019
    Last edited: Feb 23, 2019
For NSudo in the same folder you need to write
    Code:
    "%~dp0NSudoG.exe"
NSudoG (alone) will only work if NSudo is in your system environment variables path (under the Windows folder for example, or with the NSudo path added manually there).

So in the script, either enter the full path of NSudoG.exe, or copy the NSudoG.exe app to windir (or add the NSudo path to the system environment path) so you can write NSudoG (short), or write
    Code:
    "%~dp0NSudoG.exe"
    if in same folder as .bat.

Also, for option 2, you can simplify: -verb runas is not needed, as you already launch PS as admin (with NSudo);
also I believe -c (shortened -command argument) can be taken out, because -command is the default (when nothing is specified). This is shorter and should work the same:
    Code:
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\ToggleDefender\Command]
    @="\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:P -P:E -ShowWindowMode:Hide powershell \"Start-Process powershell -ArgumentList '\\\"$preferences = Get-MpPreference\\\" ; \\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\"' -Window Hidden\""
    
Edit: tested now and working.
Note: unlike above, we can't write (short) NSudoG in context menu entries; we need the full path.

PS: I personally ended up with a hybrid solution
    Code:
    @="\"C:\\Program Files\\System Tools\\System Utilities\\Nsudo\\NSudoG.exe\" -U:P -P:E -ShowWindowMode=Hide powershell -File \"C:\\Program Files\\System Tools\\System Utilities\\Scripts\\WinDefenderToggle.ps1\""
as it is much faster on my system: when running as admin, launching PowerShell directly is always faster than launching PowerShell commands through the command line.

Edit 2: Now tested this one with success, inspired by your .bat script.
It is the fastest of all...it's a different method, as it stops the service instead of toggling real-time protection, but it ends up being faster.

    Code:
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\ToggleDefender\Command]
    @="cmd.exe /c  \"sc query WinDefend | find /I \"STATE\" | find \"STOPPED\" && (\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:T -ShowWindowMode:Hide sc start WinDefend & exit/b) || (\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:T -ShowWindowMode:Hide sc stop WinDefend)\""
    
And if you want to hide the "blinking for 1 microsecond" cmd window, as usual, you can use NSudo...
    Code:
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\ToggleDefender\Command]
    @="\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:P -ShowWindowMode:Hide cmd /c  \"sc query WinDefend | find /I \"STATE\" | find \"STOPPED\" && (\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:T -ShowWindowMode:Hide sc start WinDefend & exit/b) || (\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:T -ShowWindowMode:Hide sc stop WinDefend)\""
    
     
  10. freddie-o

    freddie-o MDL Addicted

    :thumbsup: Updated Option 2

"%~dp0NSudoG.exe" does not work. Actually, either NSudo or NSudoG (alone) works even if NSudo is not in the System.
     
  11. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    #35 Thomas Dubreuil, Feb 23, 2019
    Last edited: Feb 23, 2019
NSudo alone does work indeed, nice! But it won't in older Windows editions/versions.
So, for compatibility, I think it's better to write it either:
    Code:
    cd /d "%~dp0"
    NSudoG.exe
    or
    Code:
    "%~dp0NSudoG.exe"
    (tested and working, as it should, %~dp0 = script path)
     
  12. freddie-o

    freddie-o MDL Addicted

Neither of them works on my system. It worked a couple of times, took a long time too, and then it stopped working :confused:

    The only one that works flawlessly for me is

    Code:
    NSudo
    
     
  13. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

It should; you can ask the (many) "script masters" here, they'll surely know better than me.
Anyway, with the latest reg file solution you don't need that batch script anymore. ;)
     
  14. freddie-o

    freddie-o MDL Addicted

    #38 freddie-o, Feb 23, 2019
    Last edited: Feb 23, 2019
    (OP)
    But this one, as you said, works fast.

    Code:
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\ToggleDefender\Command]
    @="\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:P -ShowWindowMode:Hide cmd /c  \"sc query WinDefend | find /I \"STATE\" | find \"STOPPED\" && (\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:T -ShowWindowMode:Hide sc start WinDefend & exit/b) || (\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:T -ShowWindowMode:Hide sc stop WinDefend)\""
    Is it OK I add it as another option?
     
  15. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

Of course, I'm glad if it can help others.
For the related script, you could maybe remove it, because it ends up being a redundant option.
But if you'd like to keep it, I would anyway add the script path at the beginning (and simplify it a bit):

    Code:
    @echo off
    
    cd /d "%~dp0"
    sc query WinDefend | find "STATE" | find "RUNNING" && goto :stop
    
    :start
    NSudoG.exe -U:T -ShowWindowMode:Hide sc start WinDefend & exit /b
    
    :stop
    NSudoG.exe -U:T -ShowWindowMode:Hide sc stop WinDefend & exit /b
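Added example from the reviewing side, not code posted in this thread: a PowerShell audit that reports whether either toggle discussed above (Set-MpPreference -DisableRealtimeMonitoring, or stopping the WinDefend service) has been applied on a host, using the Defender operational log and the Service Control Manager events that each method leaves behind. It assumes an elevated PowerShell session on a Windows 10 / Server 2019 build with the Defender module available; the function name and 24-hour window are my own choices.

```powershell
# Added example (not from the thread): audit the two Defender toggles discussed above.
# Run in an elevated PowerShell on the host being checked.

function Get-DefenderToggleReport {
    param([int]$Hours = 24)   # look-back window for event log queries (assumed default)

    $since = (Get-Date).AddHours(-$Hours)

    # Current state: real-time protection flag, WinDefend service state, and whether
    # Tamper Protection is on (when it is, both toggles in this thread are blocked).
    $status = Get-MpComputerStatus
    $svc    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    # Defender operational log: 5001 = real-time protection disabled,
    # 5004 = real-time protection configuration changed, 5007 = platform
    # configuration changed (Set-MpPreference lands here), 5010/5012 = scanning disabled.
    $defenderEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5012
        StartTime = $since
    }

    # System log, Service Control Manager 7036 = "service entered the <state> state".
    # Filtering on the Defender service name makes "sc stop WinDefend" visible.
    $scmEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = $since
    } | Where-Object { $_.Message -match 'Defender Antivirus Service' }

    $disabledEvents = @($defenderEvents | Where-Object Id -in 5001, 5010, 5012)

    [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        IsTamperProtected         = $status.IsTamperProtected
        WinDefendState            = if ($svc) { $svc.Status } else { 'NotInstalled' }
        DefenderConfigEvents      = @($defenderEvents).Count
        ServiceStateEvents        = @($scmEvents).Count
        Suspicious                = (-not $status.RealTimeProtectionEnabled) -or
                                    ($svc -and $svc.Status -ne 'Running') -or
                                    ($disabledEvents.Count -gt 0)
    }
}

Get-DefenderToggleReport -Hours 24 | Format-List
```

A Suspicious value of True with IsTamperProtected False is the combination a toggle like the ones in this thread produces; the event counts tell you which of the two methods was used.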
     
  16. freddie-o

    freddie-o MDL Addicted

It looks like the thing that was causing problems for me was
    Code:
    NSudoG
    
    But with
    Code:
    NSudo
    
    everything runs smoothly.