Toggle Windows Defender

Discussion in 'Scripting' started by freddie-o, Feb 2, 2019.

  1. freddie-o

    freddie-o MDL Addicted

    #1 freddie-o, Feb 2, 2019
    Last edited: May 17, 2020
    How it works:
    This batch script toggles Windows Defender (enables it if it is off, disables it if it is on) by...
    • Stopping or starting the “WinDefend” service
    • Editing the registry so Windows Defender doesn't restart until the script is run again.
    Stopping or starting the “WinDefend” service and editing these registry keys can only be done with TrustedInstaller privileges.

    Credits:
    @Thomas Dubreuil for helping with the script
    @wtarkan for PowerRun

    Downloads:
    PowerRun (to run the script with TrustedInstaller privileges)
    Bat_To_Exe_Converter (to convert the script to EXE)

    Toggle script:

    This script and PowerRun must be in the same folder.

    Code:
    @echo off
    WHOAMI /USER | findstr "S-1-5-18" >nul && (
    goto :toggle
    )
    "%~dp0PowerRun_x64.exe" /SW:0 "%~dpnx0" & exit /b >nul 2>nul
    
    :toggle
    sc query "WinDefend" | find "RUNNING" >nul && goto :stop
    
    :start
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f >nul
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f >nul
    sc config WinDefend start= auto >nul
    sc start WinDefend >nul
    powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is enabled!')&exit
    
    :stop
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f >nul
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f >nul
    sc config WinDefend start= disabled >nul
    sc stop WinDefend >nul
    powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is disabled!')&exit
    
    Add "Toggle Windows Defender" to the right-click context menu:

    Edit the location of Toggle Windows Defender

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\Toggle Windows Defender]
    "icon"="X:\\Batch script folder\\Toggle Windows Defender.exe"
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\Toggle Windows Defender\command]
    @="X:\\Batch script folder\\Toggle Windows Defender.exe"
    
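Added example, not code from this thread: an audit script for the state the toggle above leaves behind. It reads the two policy values and the WinDefend start type that the batch writes, asks the engine what it is actually doing, and pulls the Defender and Service Control Manager events that record such changes, so you can tell whether the "stop" branch is in effect and whether it actually took. The event IDs are Microsoft's documented Defender operational events (5001, 5007, 5010) and SCM 7040; the function names are mine. Assumes Windows 10/11 with the Defender PowerShell module, run from an elevated PowerShell.

```powershell
# Added example (not part of the original post): audit the policy keys, service
# config and engine state that the toggle script manipulates.
# Assumptions: elevated PowerShell on Windows 10/11 with the Defender module.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = if ($SubKey) { Join-Path $PolicyRoot $SubKey } else { $PolicyRoot }
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }          # value absent: not policy-managed
    $item.$Name
}

function Get-DefenderToggleState {
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
    # Get-MpComputerStatus fails while the service is stopped; report that as "engine off".
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $rtp = $mp.RealTimeProtectionEnabled
        $tamper = $mp.IsTamperProtected
    } catch {
        $rtp = $false
        $tamper = $null
    }
    [pscustomobject]@{
        DisableAntiSpyware        = Get-PolicyValue -Name 'DisableAntiSpyware'
        DisableRealtimeMonitoring = Get-PolicyValue -SubKey 'Real-Time Protection' -Name 'DisableRealtimeMonitoring'
        WinDefendState            = $svc.State       # Running / Stopped
        WinDefendStartMode        = $svc.StartMode   # Auto / Disabled
        RealTimeProtectionEnabled = $rtp
        IsTamperProtected         = $tamper
    }
}

function Get-DefenderToggleEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Defender operational log: 5001 real-time protection disabled, 5010 antispyware
    # scanning disabled, 5007 configuration changed (a policy write shows up here).
    $av = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007, 5010; StartTime = $since
    } -ErrorAction SilentlyContinue
    # System log 7040: SCM records start-type changes, which is what
    # "sc config WinDefend start= disabled" produces.
    $scm = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7040; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Windows Defender|WinDefend' }
    @($av) + @($scm) | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

$state = Get-DefenderToggleState
$state | Format-List
if ($state.DisableAntiSpyware -eq 1 -or $state.WinDefendStartMode -eq 'Disabled') {
    Write-Warning 'Defender is switched off by policy/service config: the "stop" branch of the toggle is in effect.'
}
if ($state.DisableAntiSpyware -eq 1 -and $state.RealTimeProtectionEnabled) {
    Write-Warning 'Policy says disabled but the engine is still running: the policy value is being ignored (Tamper Protection, or a Defender platform that no longer honours DisableAntiSpyware).'
}
Get-DefenderToggleEvents | Format-Table -AutoSize -Wrap
```

The second warning is the caveat worth knowing before relying on the batch: with Tamper Protection turned on, Defender ignores or reverts the `DisableAntiSpyware` and `DisableRealtimeMonitoring` policy writes, so the message box saying "disabled" only means the registry write succeeded, not that protection is off. Checking `Get-MpComputerStatus` after the toggle is the reliable test.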
     
  2. freddie-o

    freddie-o MDL Addicted

    #2 freddie-o, Feb 3, 2019
    Last edited: May 12, 2020
    (OP)
    Toggle Windows Defender without using a 3rd party tool to elevate to TrustedInstaller

    Credit to @BAU for his "runasTI" script

    Code:
    @echo off
    :: Elevate itself to TrustedInstaller AllPrivileges once
    whoami /user|findstr "S-1-5-18">nul || call :runasTI 1 cmd /c call "%~f0" %* && exit
    
    :: Toggle
    sc query "WinDefend" | find "RUNNING" >nul && goto :stop
    
    :start
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f >nul
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f >nul
    sc config WinDefend start= auto >nul
    sc start WinDefend >nul
    powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is enabled!')&exit
    
    :stop
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f >nul
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f >nul
    sc config WinDefend start= disabled >nul
    sc stop WinDefend >nul
    powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is disabled!')&exit
    
    :runasTI [0-3] [cmd] AveYo`s Lean and Mean runas TrustedInstaller / System snippet v20191010                 pastebin.com/AtejMKLj
    set ">>=('-nop -c ',[char]34,'$mode=%1; $cmd=''%*''; iex(([io.file]::ReadAllText(''%~f0'')-split '':ps_TI\:.*'')[1])',[char]34)"
    whoami/user|findstr "S-1-5-18">nul||powershell -nop -c "start powershell -win 1 -verb runas -Arg %>>:"=\\\"% " && exit/b  :ps_TI:[
    $P="public";$U='CharSet=CharSet.Unicode';$DA="[DllImport(`"advapi32`",$U)]static extern bool"; $DK=$DA.Replace("advapi","kernel");
    $T="[StructLayout(LayoutKind.Sequential,$U)]$P struct"; $S="string"; $I="IntPtr"; $Z="IntPtr.Zero"; $CH='CloseHandle'; $TI=@"
    using System;using System.Diagnostics;using System.Runtime.InteropServices; $P class AveYo{   $T SA {$P uint l;$P $I d;$P bool i;}
    $T SI {$P int cb;$S b;$S c;$S d;int e;int f;int g;int h;$P int X;$P int Y;int k;$P int W;Int16 m;Int16 n;$I o;$I p;$I r;$I s;}
    $T SIEX {$P SI e;$P $I l;} $($T.Replace(",",",Pack=1,")) TL {$P UInt32 c; $P long l;$P int a;} $DA SetThreadToken($I h,$I t);
    $DA CreateProcessWithTokenW($I t,uint l,$S a,$S c,uint f,$I e,$S d,ref SIEX s); $DA OpenProcessToken($I p,uint a,ref $I t);
    $DA DuplicateToken($I h,int l,out $I d); $DA AdjustTokenPrivileges($I h,bool d,ref TL n,int l,int p,int r); $DK CloseHandle($I h);
    $DA DuplicateTokenEx($I t,uint a,ref SA s,Int32 i,Int32 f,ref $I d);  $P static void RunAs(int mode,$S cmd){ SIEX si=new SIEX();
    SA sa=new SA(); $I t,d; t=d=$Z; try{ $I p=Process.GetProcessesByName("lsass")[0].Handle; OpenProcessToken(p,6,ref t); if(mode<2){
    Process[] ar=Process.GetProcessesByName("TrustedInstaller");if(ar.Length>0){ DuplicateToken(t,3,out d); SetThreadToken($Z,d);
    $CH(p);$CH(t);$CH(d); p=ar[0].Handle; OpenProcessToken(p,6,ref t);}} DuplicateTokenEx(t,268435456,ref sa,3,1,ref d); if(mode%2>0){
    TL tk=new TL(); tk.c=1; tk.a=2; for(int i=0;i<37;i++){ tk.l=i; AdjustTokenPrivileges(d,false,ref tk,0,0,0); }}
    si.e.cb=Marshal.SizeOf(si); si.e.X=131; si.e.Y=9999; si.e.W=8; CreateProcessWithTokenW(d,0,null,cmd,1024,$Z,null,ref si);
    }finally{ if(t!=$Z) $CH(t); if(d!=$Z) $CH(d); if(sa.d!=$Z) $CH(sa.d); if(si.l!=$Z) $CH(si.l); } }}
    "@;Add-Type -TypeDefinition $TI;if($mode -lt 2){net start TrustedInstaller >$nul} [AveYo]::RunAs($mode,$cmd.substring(2))#:ps_TI:]
    :-_-:
    
    
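Added example, not part of the original post: a check for which token the toggle body is really running under once runasTI has re-launched it. The batch only tests the user SID for SYSTEM (S-1-5-18); a token borrowed from TrustedInstaller.exe (modes 0 and 1) additionally carries the NT SERVICE\TrustedInstaller group SID, and mode 1 enables every privilege in it. The WinDefend service key is used as a write probe because Defender ACLs it against ordinary administrators, which is the reason the thread needs TrustedInstaller in the first place. Function names and the probe key are my choices; run it from a shell the snippet started, e.g. `call :runasTI 1 powershell`.

```powershell
# Added example (not from the original post): report user SID, TrustedInstaller
# group SID, enabled privileges and whether the WinDefend service key is writable.
# Assumption: run inside a shell launched by runasTI (mode 0-3).

$SystemSid           = 'S-1-5-18'
$TrustedInstallerSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$WinDefendServiceKey = 'SYSTEM\CurrentControlSet\Services\WinDefend'

function Test-RegistryKeyWritable {
    param([string]$SubKey)
    # Opening the key with write access proves the right; nothing is changed.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } catch {
        return $false                               # SecurityException / UnauthorizedAccessException
    }
}

function Get-TokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # whoami lists the token's group SIDs and each privilege with its Enabled/Disabled state
    $groups = @(whoami /groups /fo csv | ConvertFrom-Csv)
    $privs  = @(whoami /priv /fo csv | ConvertFrom-Csv)
    [pscustomobject]@{
        User                   = $id.Name
        UserSid                = $id.User.Value
        IsSystem               = ($id.User.Value -eq $SystemSid)
        HasTrustedInstallerSid = ($groups.SID -contains $TrustedInstallerSid)
        PrivilegesTotal        = $privs.Count
        PrivilegesEnabled      = @($privs | Where-Object { $_.State -eq 'Enabled' }).Count
        CanWriteWinDefendKey   = Test-RegistryKeyWritable $WinDefendServiceKey
    }
}

$t = Get-TokenSummary
$t | Format-List
if (-not $t.IsSystem) {
    Write-Warning 'Not running as SYSTEM: the batch would skip the toggle body and re-launch itself.'
} elseif (-not $t.HasTrustedInstallerSid) {
    Write-Warning 'SYSTEM without the TrustedInstaller SID (mode 2/3): changes to the WinDefend service will be denied.'
}
```

`PrivilegesEnabled` equal to `PrivilegesTotal` is what mode 1 ("AllPrivileges") looks like; in mode 0 most privileges are present but disabled, which is why `sc config` and `reg add` on protected keys can still fail there.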
     
  3. freddie-o

    freddie-o MDL Addicted

    #3 freddie-o, Feb 3, 2019
    Last edited: May 12, 2020
    (OP)
    Harden Windows Defender

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    
    ; Does not automatically take action on the detected threats but prompts user to choose from the actions available for each threat
    "DisableRoutinelyTakingAction"=dword:00000001
    
    ; Detects potentially unwanted applications
    "PUAProtection"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS]
    
    ; Enable protocol recognition for network protection against exploits of known vulnerabilities
    "DisableProtocolRecognition"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
    
    ; Scans all downloaded files and attachments
    "DisableIOAVProtection"=dword:00000000
    
    ; Turn on behavior monitoring
    "DisableBehaviorMonitoring"=dword:00000000
    
    ; Turn on process scanning whenever real-time protection is enabled
    "DisableScanOnRealtimeEnable"=dword:00000000
    
    ; Turn on network protection against exploits of known vulnerabilities
    "DisableIntrusionPreventionSystem"=dword:00000000
    
    ; Monitor file and program activity on your computer
    "DisableOnAccessProtection"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan]
    
    ; Check for the latest virus and spyware security intelligence before running a scheduled scan
    "CheckForSignaturesBeforeRunningScan"=dword:00000001
    
    ; Scan archive files
    "DisableArchiveScanning"=dword:00000000
    
    ; Windows Defender runs catch-up scans for missed scheduled quick scans
    "DisableCatchupQuickScan"=dword:00000000
    
    ; Scan packed executables
    "DisablePackedExeScanning"=dword:00000000
    
    ; Turn on heuristics
    "DisableHeuristics"=dword:00000000
    
    ; Ensures removable drives are scanned
    "DisableRemovableDriveScanning"=dword:00000000
    
    ; Network files will be scanned
    "DisableScanningNetworkFiles"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
    
    ; Check for security intelligence updates every hour
    "SignatureUpdateInterval"=dword:00000001
    
    ; Check for definition updates through both WSUS and Windows Update
    "CheckAlternateDownloadLocation"=dword:00000001
    
    ; Check for definition updates through both WSUS and the Microsoft Malware Protection Center
    "CheckAlternateHttpLocation"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access]
    
    ; Enable and lock Controlled folder access. Block attempts by untrusted apps to modify or delete files in protected folders and to write to disk sectors
    "EnableControlledFolderAccess"=dword:00000001



    Harden Windows Firewall

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
    
    ; Keep firewall notifications on (0 = notify when a program is blocked; 1 = prohibit notifications)
    "DisableNotifications"=dword:00000000
    
    ; Protect all network connections
    "EnableFirewall"=dword:00000001
    
    ; Do not allow exceptions
    "DoNotAllowExceptions"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    
    ; Prevent incoming connections when on a public network
    "DoNotAllowExceptions"=dword:00000001
    
    
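Added example, not from the original post: a drift check for the "Harden Windows Defender" values above. The table mirrors the .reg file entry for entry, the check reads each policy value back and flags it as OK, NOT SET or DRIFT, and a second function shows what the running engine reports for the same settings through Get-MpPreference (policy values override local preferences, so the two should agree once the .reg has been imported). Function names are mine; assumes an elevated PowerShell with the Defender module.

```powershell
# Added example (not part of the original post): verify the hardening policy values
# from the .reg file and compare with the engine's effective preferences.
# Assumption: elevated PowerShell on Windows 10/11 with the Defender module.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# SubKey relative to the policy root ('' = root), value name, expected DWORD (from the .reg above)
$Expected = @(
    @{ SubKey = '';                     Name = 'DisableRoutinelyTakingAction';        Value = 1 },
    @{ SubKey = '';                     Name = 'PUAProtection';                       Value = 1 },
    @{ SubKey = 'NIS';                  Name = 'DisableProtocolRecognition';          Value = 0 },
    @{ SubKey = 'Real-Time Protection'; Name = 'DisableIOAVProtection';               Value = 0 },
    @{ SubKey = 'Real-Time Protection'; Name = 'DisableBehaviorMonitoring';           Value = 0 },
    @{ SubKey = 'Real-Time Protection'; Name = 'DisableScanOnRealtimeEnable';         Value = 0 },
    @{ SubKey = 'Real-Time Protection'; Name = 'DisableIntrusionPreventionSystem';    Value = 0 },
    @{ SubKey = 'Real-Time Protection'; Name = 'DisableOnAccessProtection';           Value = 0 },
    @{ SubKey = 'Scan';                 Name = 'CheckForSignaturesBeforeRunningScan'; Value = 1 },
    @{ SubKey = 'Scan';                 Name = 'DisableArchiveScanning';              Value = 0 },
    @{ SubKey = 'Scan';                 Name = 'DisableCatchupQuickScan';             Value = 0 },
    @{ SubKey = 'Scan';                 Name = 'DisablePackedExeScanning';            Value = 0 },
    @{ SubKey = 'Scan';                 Name = 'DisableHeuristics';                   Value = 0 },
    @{ SubKey = 'Scan';                 Name = 'DisableRemovableDriveScanning';       Value = 0 },
    @{ SubKey = 'Scan';                 Name = 'DisableScanningNetworkFiles';         Value = 0 },
    @{ SubKey = 'Signature Updates';    Name = 'SignatureUpdateInterval';             Value = 1 },
    @{ SubKey = 'Signature Updates';    Name = 'CheckAlternateDownloadLocation';      Value = 1 },
    @{ SubKey = 'Signature Updates';    Name = 'CheckAlternateHttpLocation';          Value = 1 },
    @{ SubKey = 'Windows Defender Exploit Guard\Controlled Folder Access'; Name = 'EnableControlledFolderAccess'; Value = 1 }
)

function Test-DefenderHardening {
    foreach ($e in $Expected) {
        $path = if ($e.SubKey) { Join-Path $PolicyRoot $e.SubKey } else { $PolicyRoot }
        $item = Get-ItemProperty -Path $path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($e.Name) } else { $null }
        [pscustomobject]@{
            Setting  = if ($e.SubKey) { "$($e.SubKey)\$($e.Name)" } else { $e.Name }
            Expected = $e.Value
            Actual   = $actual                      # $null = not set, engine default applies
            Status   = if ($actual -eq $e.Value) { 'OK' } elseif ($null -eq $actual) { 'NOT SET' } else { 'DRIFT' }
        }
    }
}

function Get-EffectivePreferences {
    # What the engine enforces; a policy value wins over a local Set-MpPreference value.
    Get-MpPreference | Select-Object PUAProtection, DisableIOAVProtection, DisableBehaviorMonitoring,
        DisableIntrusionPreventionSystem, DisableArchiveScanning, DisableCatchupQuickScan,
        DisableRemovableDriveScanning, DisableScanningNetworkFiles, SignatureUpdateInterval,
        CheckForSignaturesBeforeRunningScan, EnableControlledFolderAccess
}

$report = Test-DefenderHardening
$report | Format-Table -AutoSize
$bad = @($report | Where-Object Status -ne 'OK').Count
if ($bad) { Write-Warning "$bad setting(s) are not at the hardened value." }
Get-EffectivePreferences | Format-List
```

Two of the values deserve a thought before importing on an unattended machine: `DisableRoutinelyTakingAction=1` means every detection waits for a person to pick an action, and `SignatureUpdateInterval=1` is an hourly update check. Both are fine on a desktop you sit at, less so on a server.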
     
  4. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    #4 Thomas Dubreuil, Feb 4, 2019
    Last edited: Feb 5, 2019
    Maybe written like this... ;)

    Code:
    powershell.exe -Command "Start-Process powershell -ArgumentList '-Command \"$preferences = Get-MpPreference\"; \"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\"' -verb RunAs -WindowStyle Hidden"
    and shortened
    Code:
    powershell -c "Start-Process powershell -ArgumentList '-c \"$preferences = Get-MpPreference\"; \"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\"' -verb RunAs -Window Hidden"
    PS: you just need to copy this into the "command" folder (default value data)
    Do you know what is the code to enable back?

    edit: This also works...
    Code:
    powershell -c "Start-Process powershell -ArgumentList '-c \"Set-MpPreference -DisableRealtimeMonitoring $true\"' -verb RunAs -Window Hidden"
    You can also use 1 (or any other number) for $true and 0 for $false

    So, your "final" reg file would be like that:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle]
    "MUIVerb"="Windows Defender Toggle"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll"
    "Position"="Bottom"
    "SubCommands"=""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off]
    "MUIVerb"="Toggle Defender Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,5"
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off\command]
    @="powershell -c \"Start-Process powershell -ArgumentList '-c \\\"Set-MpPreference -DisableRealtimeMonitoring 1\\\"' -verb RunAs -Window Hidden\""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On]
    "MUIVerb"="Toggle Defender On"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "CommandFlags"=dword:00000020
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On\command]
    @="powershell -c \"Start-Process powershell -ArgumentList '-c \\\"Set-MpPreference -DisableRealtimeMonitoring 0\\\"' -verb RunAs -Window Hidden\""
    
    Bonus tip: for a complete "silent" solution (hiding PS window), you can use NSudo, with /U=P to get admin elevation and /ShowWindowMode=Hide.

    Code:
    "YourNSudoFolderPath\NSudoG.exe" -U:P -P:E -ShowWindowMode=Hide powershell /c "Start-Process powershell -ArgumentList '-c \"Set-MpPreference -DisableRealtimeMonitoring 1\"' -Window Hidden"
    ps: For info NSudo accepts both "/" or "-" , and ":" or "=" ( /U= is the same as -U: )
     
  5. freddie-o

    freddie-o MDL Addicted

    #5 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)

    Thanks. My powershell script works fine from the context menu. It's the Batch script that toggles Defender Control that's not working from the context menu. But your reg file works too--it's another option :)

    P.S The beauty of my toggle scripts is that it automatically enables or disables Defender when you run it.
    Another advantage of converting the .Bat or .Ps1 to .Exe is you have the option to hide the script's window.
     
  6. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    I thought it would be nice to have a window with a "done" message for the toggle, because powershell is so slow...
    so I made my context menu like that for now...

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle]
    "MUIVerb"="Windows Defender Toggle"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    "SubCommands"=""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off]
    "MUIVerb"="Toggle Defender Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,5"
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off\command]
    @="\"C:\\Program Files\\System Tools\\System Utilities\\Nsudo\\NSudoG.exe\" -U:P -P:E -ShowWindowMode=Hide powershell /c \"Start-Process powershell -ArgumentList '-c mode 48,2; \\\"Set-MpPreference -DisableRealtimeMonitoring 1\\\"; Write-Host -n -f White Real Time Protection has been` ; Write-Host -n -f Red Disabled.; Start-Sleep -s 4'\""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On]
    "MUIVerb"="Toggle Defender On"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "CommandFlags"=dword:00000020
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On\command]
    @="\"C:\\Program Files\\System Tools\\System Utilities\\Nsudo\\NSudoG.exe\" -U:P -P:E -ShowWindowMode=Hide powershell /c \"Start-Process powershell -ArgumentList '-c mode 48,2; \\\"Set-MpPreference -DisableRealtimeMonitoring 0\\\"; Write-Host -n -f White Real Time Protection has been` ; Write-Host -n -f Green Enabled.; Start-Sleep -s 4'\""
    
    
     
  7. freddie-o

    freddie-o MDL Addicted

    Don't you want to create a reg file that automatically toggles Defender with just one click? Like so...

    [IMG]
     
  8. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    #8 Thomas Dubreuil, Feb 5, 2019
    Last edited: Feb 5, 2019
    OK, you mean in one button; I did it with 2 "subcommands"

    Then it simply is
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\Command]
    @="powershell -c \"Start-Process powershell -ArgumentList '-c \\\"$preferences = Get-MpPreference\\\" ; \\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\"' -verb RunAs -Window Hidden\""
    
    is your icon the "native one" or?
     
  9. freddie-o

    freddie-o MDL Addicted

    #9 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)
    No I added the icon when converting the PS1 to EXE.
    Your reg file is better... no need to create a powershell script, convert it then add it to the context menu.
    Still shows a PS window though
     
  10. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    #10 Thomas Dubreuil, Feb 5, 2019
    Last edited: Feb 5, 2019
    you could use NSudo to hide first window...
    like this:
    Code:
    "C:\NSudoFolderPath\NSudoG.exe" -U:P -P:E -ShowWindowMode=Hide powershell -c "Start-Process powershell -ArgumentList '-c \"$preferences = Get-MpPreference\" ; \"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\"' -Window Hidden"
     
  11. freddie-o

    freddie-o MDL Addicted

  12. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    I think so...because you need to parse in 2 commands to run it elevated (it won't work if not elevated)
    so either powershell opening powershell or nsudo opening powershell (kind of)
     
  13. freddie-o

    freddie-o MDL Addicted

    If you like I can post your reg file in the OP as another option. Crediting you of course. Just need to test it out first
     
  14. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    sure...no problem
     
  15. freddie-o

    freddie-o MDL Addicted

    #15 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)
    I prefer "Directory\Background" to "DesktopBackground". This way you can still disable Defender from inside Windows Explorer. What do you think?
    Code:
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle]
    
     
  16. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Yes...me too, was just for testing purpose
     
  17. freddie-o

    freddie-o MDL Addicted

    #17 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)
    Cannot make it work with NSudo. In NSudoG.exe it says...
    "To ensure the best experience, NSudoC does not support context menu."

    But I was able to make it work with PowerRun
     
  18. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    NSudoG not C ;) or NSudo.exe but NSudoG is faster...
     
  19. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    #20 Thomas Dubreuil, Feb 5, 2019
    Last edited: Feb 5, 2019
    By the way, we can also take out the first "-c", because when we don't specify the "-File" argument, -Command (abbreviated to -c) is always the default.

    We can add another -WindowStyle Hidden too, but Windows will still open a shell for 1s before executing the "Hidden" command...
    So it would look like this :
    Code:
    powershell -Window Hidden "Start-Process powershell -ArgumentList '-c \"$preferences = Get-MpPreference\";\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\"' -verb RunAs -Window Hidden"
    
    :)
    and in reg:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle\Command]
    @="powershell -Window Hidden \"Start-Process powershell -ArgumentList '-c \\\"$preferences = Get-MpPreference\\\";\\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\"' -verb RunAs -Window Hidden\""
    
    I also like the option to show a small "Disabled/Enabled" window... Because the PS command is quite slow and you're not sure if the command worked (or if the state is disabled or enabled)...
    With NSudo it looks like this:
    Code:
    "C:\YourNSudoFolderPath\NSudoG.exe" -U:P -P:E -ShowWindowMode=Hide powershell "Start-Process powershell -ArgumentList '-c mode 48,2;\"$preferences = Get-MpPreference\";\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\";Write-Host -n -f White Real Time Protection has been` ;\"if (!$preferences.DisableRealtimeMonitoring -eq $true) {Write-Host -n -f Red Disabled.} else {Write-Host -n -f Green Enabled.}\";Start-Sleep -s 3'"
    
    and in reg, again:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle\Command]
    @="\"C:\\YourNSudoFolderPath\\NSudoG.exe\" -U:P -P:E -ShowWindowMode=Hide powershell \"Start-Process powershell -ArgumentList '-c mode 48,2;\\\"$preferences = Get-MpPreference\\\";\\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\";Write-Host -n -f White Real Time Protection has been` ;\\\"if (!$preferences.DisableRealtimeMonitoring -eq $true) {Write-Host -n -f Red Disabled.} else {Write-Host -n -f Green Enabled.}\\\";Start-Sleep -s 3'\""
    
    PS: tested and working, maybe you got the wrong path...
    oh I see you edited, so it works ;)
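The Set-MpPreference one-click toggle from posts #8 and #19, rewritten as a stand-alone script (an added example, not code from this thread): it elevates itself the same way the context-menu command does, flips real-time monitoring, then checks what the engine reports instead of trusting the preference it just wrote. The file name Toggle-RealtimeProtection.ps1 and the -Quiet switch are my own; it assumes Windows 10/11 with the Defender PowerShell module. Unlike the batch in post #1, this touches only the local preference, so an administrator token is enough and TrustedInstaller is not needed, but it is also the path Tamper Protection guards: with Tamper Protection on, the disable request is ignored, which the script reports rather than claiming success.

```powershell
# Added example (not from the original thread): self-elevating real-time protection
# toggle with verification. Save as Toggle-RealtimeProtection.ps1 and point the
# context-menu command at: powershell -WindowStyle Hidden -File "<path>\Toggle-RealtimeProtection.ps1"
# Assumptions: Windows 10/11, Defender PowerShell module present.
param([switch]$Quiet)

function Test-IsAdministrator {
    $p = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-SelfElevate {
    # Re-launch this script through UAC, the same trick as Start-Process -Verb RunAs in the one-liners.
    $argList = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`"")
    if ($Quiet) { $argList += '-Quiet' }
    Start-Process powershell.exe -ArgumentList $argList -Verb RunAs -WindowStyle Hidden
}

function Switch-RealtimeProtection {
    $before = Get-MpComputerStatus
    $disable = $before.RealTimeProtectionEnabled        # currently on -> we are about to turn it off
    if ($disable -and $before.IsTamperProtected) {
        # Tamper Protection ignores this request; say so instead of reporting a toggle that did not happen.
        return [pscustomobject]@{ Changed = $false; RealtimeEnabled = $true; Reason = 'TamperProtection' }
    }
    try {
        Set-MpPreference -DisableRealtimeMonitoring $disable -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Changed = $false; RealtimeEnabled = $before.RealTimeProtectionEnabled; Reason = $_.Exception.Message }
    }
    Start-Sleep -Seconds 2                                # give the engine a moment to apply the change
    $after = Get-MpComputerStatus                         # verify against the engine, not the preference
    $changed = $after.RealTimeProtectionEnabled -ne $before.RealTimeProtectionEnabled
    [pscustomobject]@{
        Changed         = $changed
        RealtimeEnabled = $after.RealTimeProtectionEnabled
        Reason          = if ($changed) { 'OK' } else { 'NoEffect' }
    }
}

if (-not (Test-IsAdministrator)) { Invoke-SelfElevate; return }

$result = Switch-RealtimeProtection
if (-not $Quiet) {
    Add-Type -AssemblyName PresentationFramework
    $text = if ($result.RealtimeEnabled) { 'Real-time protection is ON' } else { 'Real-time protection is OFF' }
    if ($result.Reason -ne 'OK') { $text += " (no change: $($result.Reason))" }
    [void][System.Windows.MessageBox]::Show($text, 'Defender toggle')
}
```

Because the decision is based on `Get-MpComputerStatus.RealTimeProtectionEnabled` rather than on `(Get-MpPreference).DisableRealtimeMonitoring`, the script also toggles correctly when the preference and the engine disagree, which is exactly the situation the `-eq $true` check in the NSudo one-liner above cannot see.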
     