I am trying to turn off WD realtime protection temporarily via the registry on Windows 11, but I get access denied trying to change DisableRealtimeMonitoring. I've tried it with powerrun, su, and nsudo and they all cannot reset this key.

Edit: Tamper Protection is off

Build 22631.4602

Not sure what build version ended up breaking this, but it was still ok with 2024-03 Preview (22631.3374)

Code:
c:\>su64 /s /w reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /reg:64 /v DisableRealtimeMonitoring /t REG_DWORD /d 0x00001 /f >nul
ERROR: Access is denied.
c:\>ns64.exe -U:T -P:E -UseCurrentConsole -Wait d:\defender.cmd
ERROR: Access is denied.
Powerrun
Shows no error, but nothing is changed
c:\>powerrun "reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /reg:64 /v "DisableRealtimeMonitoring" /t REG_DWORD /d "0x00001" /f

The only thing that will change the key with this Win11 build (Dec.) that I've found is:

Code:
powershell -WindowStyle Hidden Set-MpPreference -DisableRealtimeMonitoring $true

Is there a way to update this via the registry as before?
I already have tamper protection set off and editing the key will also fail. On what version of W11 were you able to update the key?
22621.1 Tamper Off

Code:
D:\Files>powershell -nop -c "start 'windowsdefender://threatsettings/'"
D:\Files>nsudo -U:T -P:E -UseCurrentConsole -Wait reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /f /reg:64 /v "DisableRealtimeMonitoring" /t REG_DWORD /d "0x00001"
The operation completed successfully.
D:\Files>
Try minsudo instead of nsudo; idk why, but nsudo sometimes gives me unexpected errors even on a fresh machine.
Spoiler: Tamper Off

Code:
Microsoft Windows [Version 10.0.22621.4602]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator>d:
D:\>cd files
D:\Files>powershell -nop -c "start 'windowsdefender://threatsettings/'"
D:\Files>nsudo -U:T -P:E -UseCurrentConsole -Wait reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /f /reg:64 /v "DisableRealtimeMonitoring" /t REG_DWORD /d "0x00001"
The operation completed successfully.
D:\Files>
If you can do this, then all WD services are not running. Otherwise, it is not possible to modify this key like that.
Code:
Microsoft Windows [Version 10.0.22621.4602]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator>sc query RpcSs
SERVICE_NAME: RpcSs
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
C:\Users\Administrator>sc query WinDefend
SERVICE_NAME: WinDefend
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
C:\Users\Administrator>sc query WdNisSvc
SERVICE_NAME: WdNisSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
C:\Users\Administrator>sc query mpssvc
SERVICE_NAME: mpssvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
C:\Users\Administrator>powershell -nop -c "start 'windowsdefender://threatsettings/'"
C:\Users\Administrator>d:
D:\>cd files
D:\Files>nsudo -U:T -P:E -UseCurrentConsole -Wait reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /f /reg:64 /v "DisableRealtimeMonitoring" /t REG_DWORD /d "0x00001"
The operation completed successfully.
D:\Files>
D:\Files>
D:\Files>sc query RpcSs
SERVICE_NAME: RpcSs
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
D:\Files>sc query WinDefend
SERVICE_NAME: WinDefend
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
D:\Files>sc query WdNisSvc
SERVICE_NAME: WdNisSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
D:\Files>sc query mpssvc
SERVICE_NAME: mpssvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
D:\Files>
I also have the enablement package installed (22631). Maybe that has something to do with it since I get access denied there with nsudo using your command:

Code:
Microsoft Windows [Version 10.0.22631.4602]
(c) Microsoft Corporation. All rights reserved.
c:\>ns64 -U:T -P:E -UseCurrentConsole -Wait reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /f /reg:64 /v "DisableRealtimeMonitoring" /t REG_DWORD /d "0x00001"
ERROR: Access is denied.
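
Added example, not posted by anyone in this thread: a read-only PowerShell audit that puts the registry value, the Defender module's configured and effective state, the services queried above, and the Defender operational log side by side, so a write that "completed successfully" or showed no error can be checked against what the engine actually reports. It assumes an elevated prompt and the built-in Defender cmdlets; the key path and service names are the ones used in the thread, and event IDs 5001 and 5007 are the Defender operational log's "real-time protection disabled" and "configuration changed" events.

```powershell
# Added example: read-only audit; nothing here modifies the system.
$rtpKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'
$cvKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Full build number including the update revision (e.g. 22631.4602).
$cv    = Get-ItemProperty -Path $cvKey
$build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

# Raw registry value from the thread; $null means the value is not present.
$reg = (Get-ItemProperty -Path $rtpKey -Name DisableRealtimeMonitoring `
        -ErrorAction SilentlyContinue).DisableRealtimeMonitoring

# What the Defender module reports as configured and as actually in effect.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

[pscustomobject]@{
    Build                         = $build
    RegDisableRealtimeMonitoring  = if ($null -eq $reg) { 'not set' } else { $reg }
    PrefDisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
    RealTimeProtectionEnabled     = $status.RealTimeProtectionEnabled
    IsTamperProtected             = $status.IsTamperProtected
    AMServiceEnabled              = $status.AMServiceEnabled
} | Format-List

# Same Defender and firewall services the thread checked with "sc query".
Get-Service -Name WinDefend, WdNisSvc, mpssvc -ErrorAction SilentlyContinue |
    Format-Table Name, Status, StartType -AutoSize

# A registry write that reported success does not prove the engine honoured it.
if ($reg -eq 1 -and $status.RealTimeProtectionEnabled) {
    Write-Warning 'Registry value is 1 but real-time protection is still reported as enabled.'
}

# Defender operational log: 5001 = real-time protection disabled,
# 5007 = configuration changed (old and new values are in the message).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5001, 5007
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

The same two event IDs are what a monitoring pipeline would alert on when this setting changes outside an approved maintenance window.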