Toggle Microsoft Defender

Discussion in 'Scripting' started by freddie-o, Feb 2, 2019.

  1. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009

    Super! I'll modify the BAT script in the OP.
     
  2. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    #43 freddie-o, Mar 14, 2020
    Last edited: Mar 14, 2020
    (OP)
    More edits to the script(s) to prevent Windows Defender from automatically turning back on (even after restarts). Also added a pop-up message, because on some versions of Windows the system tray icon does not display as disabled.
     
  3. NST_Adventure

    NST_Adventure MDL Addicted

    Jun 1, 2019
    Hi, did this reg also work in Windows 7?

    Thank you! :) ;) ^_^

    Best Regards
    NST_Adventure
     
  4. BAU

    BAU MDL Addicted

    Feb 10, 2009
    #46 BAU, Apr 26, 2020
    Last edited: Apr 27, 2020
    Alternatively you could use the following script without any need of external tools:
    ;)
     
  5. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    #47 freddie-o, Apr 26, 2020
    Last edited: Apr 26, 2020
    (OP)
    My script is only to temporarily disable Defender, mostly for false positives or if Defender slows down my work. The problem with your script is that it changes quite a few settings and doesn't revert back to the default settings. :) An example is Spynet: after cancelling, my cloud protection and automatic sample submission were greyed out.

    [attached screenshot: Untitled2.png]

    It left this in the Registry.

    [attached screenshot: Untitled.png]
     
  6. BAU

    BAU MDL Addicted

    Feb 10, 2009
    Both are permanent until the script is run again, not temporary. Temporary is switching just real-time protection off, with Windows re-enabling it by itself at the worst of times.
    Both adjust the global registry policy, but yours is manipulating the Defender service directly while mine is using the dedicated MpCmdRun utility to refresh the policy state.
    Mine originated as a toggle as well, but I found it more useful to present a dialog to select on or off.
    There are other differences, like having the ability to bypass the UAC prompt for admin accounts, or being not only stand-alone but also able to be copy-pasted directly into the PowerShell console (file-less).
    And indeed, by default it comes with a tweaked configuration that goes hand-in-hand with a power-user-centered Defender toggle:
    extended protection and responsive signature updates, increased user privacy (no automatic submission to Microsoft), more control (no automatic actions), minus the annoyance part (clears previous GUI detection lists after toggle).
    By all means, it is not set in stone and can be edited in the script to your liking.
    Anyway, it's just an alternative; both work fine for the purpose of toggling Defender!
     
  7. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    Right, they are permanent until the script is run again. I like that my script is simple and does a clean job.
     
  8. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    #51 freddie-o, May 1, 2020
    Last edited: May 1, 2020
    (OP)
    Code:
    @echo off
    :: Elevate itself to TrustedInstaller AllPrivileges once
    whoami /user|findstr "S-1-5-18">nul || call :runasTI 1 cmd /c call "%~f0" %* && exit
    
    :: Anything below should now only run under System/TrustedInstaller
    sc query "WinDefend" | find "RUNNING" >nul && goto :stop
    
    :start
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f >nul
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f >nul
    sc config WinDefend start= auto >nul
    sc start WinDefend >nul
    powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is enabled!')&exit
    
    :stop
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f >nul
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f >nul
    sc config WinDefend start= disabled >nul
    sc stop WinDefend >nul
    powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is disabled!')&exit
    
    :runasTI [0-3] [cmd] AveYo`s Lean and Mean runas TrustedInstaller / System snippet v20191010                 pastebin.com/AtejMKLj
    set ">>=('-nop -c ',[char]34,'$mode=%1; $cmd=''%*''; iex(([io.file]::ReadAllText(''%~f0'')-split '':ps_TI\:.*'')[1])',[char]34)"
    whoami/user|findstr "S-1-5-18">nul||powershell -nop -c "start powershell -win 1 -verb runas -Arg %>>:"=\\\"% " && exit/b  :ps_TI:[
    $P="public";$U='CharSet=CharSet.Unicode';$DA="[DllImport(`"advapi32`",$U)]static extern bool"; $DK=$DA.Replace("advapi","kernel");
    $T="[StructLayout(LayoutKind.Sequential,$U)]$P struct"; $S="string"; $I="IntPtr"; $Z="IntPtr.Zero"; $CH='CloseHandle'; $TI=@"
    using System;using System.Diagnostics;using System.Runtime.InteropServices; $P class AveYo{   $T SA {$P uint l;$P $I d;$P bool i;}
    $T SI {$P int cb;$S b;$S c;$S d;int e;int f;int g;int h;$P int X;$P int Y;int k;$P int W;Int16 m;Int16 n;$I o;$I p;$I r;$I s;}
    $T SIEX {$P SI e;$P $I l;} $($T.Replace(",",",Pack=1,")) TL {$P UInt32 c; $P long l;$P int a;} $DA SetThreadToken($I h,$I t);
    $DA CreateProcessWithTokenW($I t,uint l,$S a,$S c,uint f,$I e,$S d,ref SIEX s); $DA OpenProcessToken($I p,uint a,ref $I t);
    $DA DuplicateToken($I h,int l,out $I d); $DA AdjustTokenPrivileges($I h,bool d,ref TL n,int l,int p,int r); $DK CloseHandle($I h);
    $DA DuplicateTokenEx($I t,uint a,ref SA s,Int32 i,Int32 f,ref $I d);  $P static void RunAs(int mode,$S cmd){ SIEX si=new SIEX();
    SA sa=new SA(); $I t,d; t=d=$Z; try{ $I p=Process.GetProcessesByName("lsass")[0].Handle; OpenProcessToken(p,6,ref t); if(mode<2){
    Process[] ar=Process.GetProcessesByName("TrustedInstaller");if(ar.Length>0){ DuplicateToken(t,3,out d); SetThreadToken($Z,d);
    $CH(p);$CH(t);$CH(d); p=ar[0].Handle; OpenProcessToken(p,6,ref t);}} DuplicateTokenEx(t,268435456,ref sa,3,1,ref d); if(mode%2>0){
    TL tk=new TL(); tk.c=1; tk.a=2; for(int i=0;i<37;i++){ tk.l=i; AdjustTokenPrivileges(d,false,ref tk,0,0,0); }}
    si.e.cb=Marshal.SizeOf(si); si.e.X=131; si.e.Y=9999; si.e.W=8; CreateProcessWithTokenW(d,0,null,cmd,1024,$Z,null,ref si);
    }finally{ if(t!=$Z) $CH(t); if(d!=$Z) $CH(d); if(sa.d!=$Z) $CH(sa.d); if(si.l!=$Z) $CH(si.l); } }}
    "@;Add-Type -TypeDefinition $TI;if($mode -lt 2){net start TrustedInstaller >$nul} [AveYo]::RunAs($mode,$cmd.substring(2))#:ps_TI:]
     
  9. BAU

    BAU MDL Addicted

    Feb 10, 2009
    That works, too :rolleyes:
     
  10. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    #54 freddie-o, Nov 16, 2020
    Last edited: Nov 21, 2020
    (OP)
    Updated the script to query and change the WinDefend service "Start" registry value instead of deleting it, so it no longer requires a PC restart.

    Update

    Placed 2 scripts in the OP.

    The 1st script quickly toggles Microsoft Defender by stopping or starting the WinDefend service (Defender will restart when you run the script again or restart the computer).

    The other script "permanently" disables Microsoft Defender by deleting the WinDefend registry "Start" value, so the WinDefend service doesn't start until the script is run again.
     
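    The two toggle approaches in this thread (the policy keys and service changes in the batch script above, and the WinDefend "Start" value edit described in the previous post) leave specific traces on a machine. The following PowerShell audit, added here as an example and not code from either poster, reports those traces from a defender's side; it assumes an elevated session on a Windows host, and the Defender event IDs (5001, 5010) and the services key path are standard Windows values not taken from the thread.

```powershell
# Added audit (not from the thread): report indicators that Defender was toggled off.
# Assumes an elevated PowerShell session on Windows.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtpKey    = "$policyKey\Real-Time Protection"
$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'   # standard services key

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (the clean, unmodified state).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = @()

# 1. Group-policy values written by the batch script (reg add ... /t REG_DWORD /d 1).
if ((Get-RegValue $policyKey 'DisableAntiSpyware') -eq 1) {
    $findings += "Policy DisableAntiSpyware=1 set in $policyKey"
}
if ((Get-RegValue $rtpKey 'DisableRealtimeMonitoring') -eq 1) {
    $findings += "Policy DisableRealtimeMonitoring=1 set in $rtpKey"
}

# 2. Service start type: 2 = Automatic (default), 4 = Disabled (sc config ... start= disabled);
#    a missing value matches the "permanent" variant that deletes the Start value.
$start = Get-RegValue $svcKey 'Start'
if ($null -eq $start)  { $findings += "WinDefend 'Start' value is missing (service cannot start)" }
elseif ($start -ne 2)  { $findings += "WinDefend 'Start' value is $start (expected 2 = Automatic)" }

# 3. Live service state: sc stop WinDefend leaves it stopped until the next toggle or reboot.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $svc)                { $findings += 'WinDefend service not found' }
elseif ($svc.Status -ne 'Running') { $findings += "WinDefend service is $($svc.Status)" }

# 4. Defender's Operational log records the change itself: 5001 = real-time protection
#    disabled, 5010 = antimalware scanning disabled. Look back 24 hours.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += "Event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])"
}

if ($findings.Count -eq 0) { 'OK: no Defender tamper indicators found' }
else { 'TAMPER INDICATORS:'; $findings | ForEach-Object { " - $_" } }
```

    Run it periodically (or from a scheduled task) on machines where Defender is expected to stay on; any non-empty finding list means one of the thread's toggles, or something behaving like it, has been applied.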
  11. BAU

    BAU MDL Addicted

    Feb 10, 2009
    Or you should just accept the overwhelming superiority of ToggleDefender and copy-paste it instead :band:
     
  12. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    After disabling with ToggleDefender and then clicking the script again, don't you want to change the popup to "Enable Windows Defender?"
     
  13. BAU

    BAU MDL Addicted

    Feb 10, 2009
    #57 BAU, Nov 16, 2020
    Last edited: Nov 16, 2020
    The title has the status, either On or Off.
    If I changed the text there, I would also have to swap the choice variable around.
    But the main reason is that it might be confusing for some. This way it's consistent: Yes to disable, No to enable :)
    But you're making a good point. Now I'm not so sure anymore; maybe I should switch it around.
    Edit: updated with your suggestion! Thanks!

    Pff, and it makes it much better, as you can just press Enter every time to toggle (or Esc to cancel). With the previous layout you had to press Tab to switch to No if you wanted to revert.