Toggle Windows Defender

Discussion in 'Scripting' started by freddie-o, Feb 2, 2019.

  1. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    607
    659
    30

    Super! I'll modify the BAT script in the OP.
     
  2. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    607
    659
    30
    #43 freddie-o, Mar 14, 2020
    Last edited: Mar 14, 2020
    (OP)
    More edits to the script(s) to prevent Windows Defender from automatically turning back on (even after restarts). Also added a pop-up message, because on some versions of Windows the system tray icon does not display as disabled.
     
  3. NST_Adventure

    NST_Adventure MDL Addicted

    Jun 1, 2019
    612
    95
    30
    Hi, does this reg also work in Windows 7?

    Thank you! :) ;) ^_^

    Best Regards
    NST_Adventure
     
  4. BAU

    BAU MDL Addicted

    Feb 10, 2009
    626
    1,105
    30
    #46 BAU, Apr 26, 2020
    Last edited: Apr 27, 2020
    Alternatively, you could use the following script without any need for external tools:
    ;)
     
  5. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    607
    659
    30
    #47 freddie-o, Apr 26, 2020
    Last edited: Apr 26, 2020
    (OP)
    My script is only to temporarily disable Defender, mostly for false positives or if Defender slows down my work. The problem with your script is that it changes quite a few settings and doesn't revert back to the default settings. :) An example is Spynet... after cancelling, my cloud protection and automatic sample submission were greyed out.

    [image: Untitled2.png]

    It left this in the Registry.

    [image: Untitled.png]
     
  6. BAU

    BAU MDL Addicted

    Feb 10, 2009
    626
    1,105
    30
    Both are permanent until the script is run again, not temporary. Temporary is switching just Realtime protection off, with Windows re-enabling it by itself at the worst of times.
    Both adjust the global registry policy, but yours manipulates the Defender service directly while mine uses the dedicated MpCmdRun utility to refresh the policy state.
    Mine originated as a toggle as well, but I found it more useful to present a dialog to select on or off.
    There are other differences, like having the ability to bypass the UAC prompt for admin accounts, or being not only stand-alone but also able to be copy-pasted directly into the PowerShell console (file-less).
    And indeed by default it comes with a tweaked configuration that goes hand in hand with a power-user-centered Defender toggle:
    extended protection and responsive signature updates, increased user privacy (no automatic submission to Microsoft), more control (no automatic actions) minus the annoyance part (it clears previous GUI detection lists after toggling).
    By all means it is not set in stone and can be edited in the script to your liking.
    Anyway, it's just an alternative; both work fine for the purpose of toggling Defender!
     
  7. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    607
    659
    30
    Right, they are permanent until the script is run again. I like that my script is simple and does a clean job.
     
  8. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    607
    659
    30
    #51 freddie-o, May 1, 2020
    Last edited: May 1, 2020
    (OP)
    Code:
    @echo off
    :: Elevate itself to TrustedInstaller AllPrivileges once
    whoami /user|findstr "S-1-5-18">nul || call :runasTI 1 cmd /c call "%~f0" %* && exit
    
    :: Anything below should now only run under System/TrustedInstaller
    sc query "WinDefend" | find "RUNNING" >nul && goto :stop
    
    :start
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f >nul
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f >nul
    sc config WinDefend start= auto >nul
    sc start WinDefend >nul
    powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is enabled!')&exit
    
    :stop
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f >nul
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f >nul
    sc config WinDefend start= disabled >nul
    sc stop WinDefend >nul
    powershell -nop -c Add-Type -As PresentationFramework;[System.Windows.MessageBox]::Show('Windows Defender is disabled!')&exit
    
    :runasTI [0-3] [cmd] AveYo`s Lean and Mean runas TrustedInstaller / System snippet v20191010                 pastebin.com/AtejMKLj
    set ">>=('-nop -c ',[char]34,'$mode=%1; $cmd=''%*''; iex(([io.file]::ReadAllText(''%~f0'')-split '':ps_TI\:.*'')[1])',[char]34)"
    whoami/user|findstr "S-1-5-18">nul||powershell -nop -c "start powershell -win 1 -verb runas -Arg %>>:"=\\\"% " && exit/b  :ps_TI:[
    $P="public";$U='CharSet=CharSet.Unicode';$DA="[DllImport(`"advapi32`",$U)]static extern bool"; $DK=$DA.Replace("advapi","kernel");
    $T="[StructLayout(LayoutKind.Sequential,$U)]$P struct"; $S="string"; $I="IntPtr"; $Z="IntPtr.Zero"; $CH='CloseHandle'; $TI=@"
    using System;using System.Diagnostics;using System.Runtime.InteropServices; $P class AveYo{   $T SA {$P uint l;$P $I d;$P bool i;}
    $T SI {$P int cb;$S b;$S c;$S d;int e;int f;int g;int h;$P int X;$P int Y;int k;$P int W;Int16 m;Int16 n;$I o;$I p;$I r;$I s;}
    $T SIEX {$P SI e;$P $I l;} $($T.Replace(",",",Pack=1,")) TL {$P UInt32 c; $P long l;$P int a;} $DA SetThreadToken($I h,$I t);
    $DA CreateProcessWithTokenW($I t,uint l,$S a,$S c,uint f,$I e,$S d,ref SIEX s); $DA OpenProcessToken($I p,uint a,ref $I t);
    $DA DuplicateToken($I h,int l,out $I d); $DA AdjustTokenPrivileges($I h,bool d,ref TL n,int l,int p,int r); $DK CloseHandle($I h);
    $DA DuplicateTokenEx($I t,uint a,ref SA s,Int32 i,Int32 f,ref $I d);  $P static void RunAs(int mode,$S cmd){ SIEX si=new SIEX();
    SA sa=new SA(); $I t,d; t=d=$Z; try{ $I p=Process.GetProcessesByName("lsass")[0].Handle; OpenProcessToken(p,6,ref t); if(mode<2){
    Process[] ar=Process.GetProcessesByName("TrustedInstaller");if(ar.Length>0){ DuplicateToken(t,3,out d); SetThreadToken($Z,d);
    $CH(p);$CH(t);$CH(d); p=ar[0].Handle; OpenProcessToken(p,6,ref t);}} DuplicateTokenEx(t,268435456,ref sa,3,1,ref d); if(mode%2>0){
    TL tk=new TL(); tk.c=1; tk.a=2; for(int i=0;i<37;i++){ tk.l=i; AdjustTokenPrivileges(d,false,ref tk,0,0,0); }}
    si.e.cb=Marshal.SizeOf(si); si.e.X=131; si.e.Y=9999; si.e.W=8; CreateProcessWithTokenW(d,0,null,cmd,1024,$Z,null,ref si);
    }finally{ if(t!=$Z) $CH(t); if(d!=$Z) $CH(d); if(sa.d!=$Z) $CH(sa.d); if(si.l!=$Z) $CH(si.l); } }}
    "@;Add-Type -TypeDefinition $TI;if($mode -lt 2){net start TrustedInstaller >$nul} [AveYo]::RunAs($mode,$cmd.substring(2))#:ps_TI:]
    
    
     
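    A read-only audit to go with the scripts in this thread, added here as an example and not posted by freddie-o, BAU or anyone else in the thread. It lists every value under the Defender policy key (the two values the batch file above writes, plus any leftovers such as the Spynet entries discussed earlier), reports the WinDefend service start type and status, and queries Get-MpComputerStatus so the current real-time and Tamper Protection state is visible in one place. The function names are my own; the policy path and the value names DisableAntiSpyware and DisableRealtimeMonitoring are the ones the batch script writes. Run it from an elevated PowerShell console; it changes nothing.

```powershell
# Added read-only audit (example code, not from the thread): lists the Defender policy values
# a toggle script sets or leaves behind, plus the WinDefend service state.
$DefenderPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-DefenderPolicyValues {
    param([string]$PolicyRoot = $DefenderPolicyRoot)
    # An unmanaged machine normally has no values under this key at all; anything returned
    # here was written by group policy, an admin, or a script such as the one above.
    if (-not (Test-Path -Path $PolicyRoot)) { return @() }
    $keys = @(Get-Item -Path $PolicyRoot) +
            @(Get-ChildItem -Path $PolicyRoot -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name          # full path, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}

function Get-DefenderPolicyReport {
    param([string]$PolicyRoot = $DefenderPolicyRoot)
    $values = @(Get-DefenderPolicyValues -PolicyRoot $PolicyRoot)
    # The two values the batch script sets to 1 when it disables Defender.
    $disablingNames = 'DisableAntiSpyware', 'DisableRealtimeMonitoring'
    $disabling = @($values | Where-Object { $_.Name -in $disablingNames -and $_.Value -eq 1 })
    # Everything else under the key, e.g. Spynet/MAPS settings another script may have left behind.
    $other = @($values | Where-Object { $_.Name -notin $disablingNames })
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $status    = if ($svc) { [string]$svc.Status }    else { 'NotFound' }
    $startType = if ($svc) { [string]$svc.StartType } else { 'NotFound' }
    [pscustomobject]@{
        DisabledByPolicy  = ($disabling.Count -gt 0)
        DisablingPolicies = $disabling
        OtherPolicies     = $other
        ServiceStatus     = $status
        ServiceStartType  = $startType
    }
}

# Run the audit and print a summary. Get-MpComputerStatus ships with the Defender module,
# so it is wrapped in try/catch for hosts where that module is absent.
$report = Get-DefenderPolicyReport
"Defender disabled by policy : $($report.DisabledByPolicy)"
"WinDefend service           : $($report.ServiceStatus) (start type $($report.ServiceStartType))"
if ($report.DisablingPolicies.Count -gt 0) {
    "Disabling policy values:"
    $report.DisablingPolicies | Format-Table Key, Name, Value -AutoSize | Out-String
}
if ($report.OtherPolicies.Count -gt 0) {
    "Other Defender policy values present (review for leftovers):"
    $report.OtherPolicies | Format-Table Key, Name, Value -AutoSize | Out-String
}
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    "Real-time protection enabled: $($mp.RealTimeProtectionEnabled); tamper protection: $($mp.IsTamperProtected)"
} catch {
    "Get-MpComputerStatus not available: $($_.Exception.Message)"
}
```

    Two things worth reading off the output: an empty "other" list after toggling back on is what a clean revert looks like, which is the point freddie-o makes about the Spynet leftovers; and on current Windows 10/11 builds with Tamper Protection on, Defender ignores the DisableAntiSpyware policy value, so a machine can show DisabledByPolicy as True while real-time protection is still running, which is why IsTamperProtected is included in the report.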
  9. BAU

    BAU MDL Addicted

    Feb 10, 2009
    626
    1,105
    30
    That works, too :rolleyes: