More edits to the script/s to prevent Windows Defender from automatically turning back on (even after restarts). Also added a pop-up message because on some versions of Windows, the system tray icon does not display as disabled.
The REG key is for "Windows Defender". For "Microsoft Security Essentials" I found this site https://www.winhelponline.com/blog/microsoft-security-essentials-adware-pua-protection/
My script is only to temporarily disable Defender. Mostly for false positives or if Defender slows down my work. The problem with your script is it changes quite a few settings and doesn't revert back to the default settings. An example is Spynet... after cancelling, my cloud protection and automatic sample submission were greyed out. It left this in the Registry.
Both are permanent until the script is run again, not temporary. Temporary is switching just Realtime protection off, with Windows re-enabling it by itself at the worst of times. Both adjust the global registry policy, but yours is manipulating the Defender service directly while mine is using the dedicated MpCmdRun utility to refresh policy state. Mine originated as a toggle as well, but I found it more useful to present a dialog to select on or off. There are other differences, like having the ability to bypass the UAC prompt for admin accounts, or not only being stand-alone but also being able to copy-paste directly into the PowerShell console (file-less). And indeed, by default it comes with a tweaked configuration that goes hand-in-hand with a power-user-centered Defender toggle: extended protection and responsive signature updates, increased user privacy (no automatic submission to Microsoft), more control (no automatic actions) minus the annoyance part (clears previous GUI detection lists after toggle). By all means it is not set in stone and can be edited in the script to your liking. Anyway, it's just an alternative; both work fine for the purpose of toggling Defender!
Right, they are permanent until the script is run again. I like that my script is simple and does a clean job.
Code:
@echo off
:: Elevate itself to TrustedInstaller AllPrivileges once
whoami /user|findstr "S-1-5-18">nul || call :runasTI 1 cmd /c call "%~f0" %* && exit
:: Anything below should now only run under System/TrustedInstaller
:: If the WinDefend service is running, jump to :stop; otherwise fall through to :start
sc query "WinDefend" | find "RUNNING" >nul && goto :stop
:start
:: Remove the policy values, set the service back to automatic start and start it
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f >nul
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f >nul
sc config WinDefend start= auto >nul
sc start WinDefend >nul
powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is enabled!')&exit
:stop
:: Set the policy values, set the service to disabled and stop it
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f >nul
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f >nul
sc config WinDefend start= disabled >nul
sc stop WinDefend >nul
powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is disabled!')&exit
:runasTI [0-3] [cmd]  AveYo`s Lean and Mean runas TrustedInstaller / System snippet v20191010 pastebin.com/AtejMKLj
set ">>=('-nop -c ',[char]34,'$mode=%1; $cmd=''%*''; iex(([io.file]::ReadAllText(''%~f0'')-split '':ps_TI\:.*'')[1])',[char]34)"
whoami/user|findstr "S-1-5-18">nul||powershell -nop -c "start powershell -win 1 -verb runas -Arg %>>:"=\\\"% " && exit/b
:ps_TI:[ $P="public";$U='CharSet=CharSet.Unicode';$DA="[DllImport(`"advapi32`",$U)]static extern bool";
$DK=$DA.Replace("advapi","kernel"); $T="[StructLayout(LayoutKind.Sequential,$U)]$P struct"; $S="string"; $I="IntPtr"; $Z="IntPtr.Zero"; $CH='CloseHandle'; $TI=@"
using System;using System.Diagnostics;using System.Runtime.InteropServices; $P class AveYo{
$T SA {$P uint l;$P $I d;$P bool i;} $T SI {$P int cb;$S b;$S c;$S d;int e;int f;int g;int h;$P int X;$P int Y;int k;$P int W;Int16 m;Int16 n;$I o;$I p;$I r;$I s;}
$T SIEX {$P SI e;$P $I l;} $($T.Replace(",",",Pack=1,")) TL {$P UInt32 c; $P long l;$P int a;}
$DA SetThreadToken($I h,$I t); $DA CreateProcessWithTokenW($I t,uint l,$S a,$S c,uint f,$I e,$S d,ref SIEX s);
$DA OpenProcessToken($I p,uint a,ref $I t); $DA DuplicateToken($I h,int l,out $I d); $DA AdjustTokenPrivileges($I h,bool d,ref TL n,int l,int p,int r);
$DK CloseHandle($I h); $DA DuplicateTokenEx($I t,uint a,ref SA s,Int32 i,Int32 f,ref $I d);
$P static void RunAs(int mode,$S cmd){ SIEX si=new SIEX(); SA sa=new SA(); $I t,d; t=d=$Z;
try{ $I p=Process.GetProcessesByName("lsass")[0].Handle; OpenProcessToken(p,6,ref t);
if(mode<2){ Process[] ar=Process.GetProcessesByName("TrustedInstaller");if(ar.Length>0){ DuplicateToken(t,3,out d); SetThreadToken($Z,d); $CH(p);$CH(t);$CH(d); p=ar[0].Handle; OpenProcessToken(p,6,ref t);}}
DuplicateTokenEx(t,268435456,ref sa,3,1,ref d); if(mode%2>0){ TL tk=new TL(); tk.c=1; tk.a=2; for(int i=0;i<37;i++){ tk.l=i; AdjustTokenPrivileges(d,false,ref tk,0,0,0); }}
si.e.cb=Marshal.SizeOf(si); si.e.X=131; si.e.Y=9999; si.e.W=8; CreateProcessWithTokenW(d,0,null,cmd,1024,$Z,null,ref si);
}finally{ if(t!=$Z) $CH(t); if(d!=$Z) $CH(d); if(sa.d!=$Z) $CH(sa.d); if(si.l!=$Z) $CH(si.l); } }}
"@;Add-Type -TypeDefinition $TI;if($mode -lt 2){net start TrustedInstaller >$nul} [AveYo]::RunAs($mode,$cmd.substring(2))#:ps_TI:]
Updated the script to query and change the WinDefend service "Start" registry value instead of deleting it, so it no longer requires a PC restart.
Update: Placed 2 scripts in the OP.
The 1st script quickly toggles Microsoft Defender by stopping or starting the WinDefend service (Defender will restart when you run the script again or restart the computer).
The other script "permanently" disables Microsoft Defender by deleting the WinDefend registry "Start" value so the WinDefend service doesn't start until the script is run again.
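The scripts above all flip the same few settings: the two policy values under the "Windows Defender" policy key, the WinDefend service start type (or its "Start" registry value), and the running state of the service. As an added example, not part of the thread or of either poster's script, here is a read-only PowerShell check an administrator can run to see whether Defender has been switched off through any of those settings; the function and variable names are my own, and the Start value meanings (2 = automatic, 3 = manual, 4 = disabled) are the standard service-control values.

```powershell
# Added example: audit the Defender settings that the scripts in this thread change.
# Read-only: it reports the state and exits with code 1 when Defender is off by policy
# or by service configuration. Run from an elevated PowerShell prompt.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$SvcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'

# Returns the DWORD stored at $Path\$Name, or $null when the key or value is absent
function Get-RegDword([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-DefenderDisableState {
    $antiSpyware = Get-RegDword $PolicyRoot 'DisableAntiSpyware'
    $rtMonitor   = Get-RegDword "$PolicyRoot\Real-Time Protection" 'DisableRealtimeMonitoring'
    $startValue  = Get-RegDword $SvcRoot 'Start'   # 2 = auto, 3 = manual, 4 = disabled, $null = deleted
    $svc         = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $svcStatus   = if ($null -ne $svc) { $svc.Status.ToString() } else { 'NotFound' }

    # Collect one finding per setting that matches what the disable scripts write
    $findings = @()
    if ($antiSpyware -eq 1) { $findings += 'DisableAntiSpyware policy value is 1' }
    if ($rtMonitor -eq 1)   { $findings += 'DisableRealtimeMonitoring policy value is 1' }
    if ($null -eq $startValue) { $findings += 'WinDefend "Start" value is missing (service cannot start)' }
    elseif ($startValue -eq 4) { $findings += 'WinDefend "Start" value is 4 (service disabled)' }
    if ($svcStatus -ne 'Running') { $findings += "WinDefend service status is $svcStatus" }

    [pscustomobject]@{
        DisableAntiSpyware        = $antiSpyware
        DisableRealtimeMonitoring = $rtMonitor
        WinDefendStart            = $startValue
        WinDefendStatus           = $svcStatus
        DefenderDisabled          = ($findings.Count -gt 0)
        Findings                  = $findings
    }
}

$state = Get-DefenderDisableState
$state | Format-List
if ($state.DefenderDisabled) { exit 1 } else { exit 0 }
```

Scheduling this as a periodic task (or running it after applying a toggle) gives a quick way to confirm that protection actually came back, which is the symptom the later posts in this thread describe.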
After disabling with ToggleDefender then clicking the script again, don't you want to change the Popup to "Enable Windows Defender?"
The title has the status, either On or Off. If I would change the text there, I would have to also swap the choice variable around. But the main reason is that it might be confusing for some. This way, it's consistent: Yes to disable, No to enable. But you're making a good point. Now I'm not so sure anymore, maybe I should switch it around. Edit: updated with your suggestion! Thanks! Pff, and it makes it much better as you can just press Enter every time to toggle (or Esc to cancel it). With the previous layout you had to press Tab to switch to No if wanting to revert.
Hello, I found this thread from Google. When running the script the second time I still get the message 'Windows Defender is disabled' instead of it activating. Windows still shows that Microsoft Defender Antivirus is active (even when the disabled message appears, so it never worked in the first place). Or am I looking at the wrong place in Windows?
I've never had that problem. I've been using both scripts on a regular basis since when I used to use Windows Defender. Do you have the script and PowerRun in the same folder? Update: Also just tested both scripts on Windows 11.
After rebooting my system the script works as expected. Thank you.
1) Run script first time
2) Add to exclusion list
3) Reboot
4) Toggle script