Windows Defender Auto Toggle

Discussion in 'Scripting' started by freddie-o, Feb 2, 2019.

  1. freddie-o

    #1 freddie-o, Feb 2, 2019
    Last edited: Feb 10, 2019
    Automatically Toggle Windows Defender On or Off

    These scripts will automatically enable or disable Windows Defender when you run them.
    • When Defender is enabled, and you run the script, Defender automatically gets disabled.
    • When you run the script again, Defender automatically gets enabled.

    Important Note:
    • The Powershell scripts (Options 1 & 2) just disable Windows Defender real-time monitoring
    • Defender Control batch script (Option 3) stops Windows Defender Antivirus Service (WinDefend) and Windows Defender Antivirus Network Inspection Service (WdNisSvc) and only Defender Control can start them again.

    Option 1: Powershell script
    Code:
    # Read the current real-time monitoring preference and write back its opposite.
    $preferences = Get-MpPreference
    Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)

    You can convert the Powershell script to .EXE using Ps1 To Exe





    Option 2: Reg file
    (Credits to @Thomas Dubreuil)
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\ToggleDefender]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\ToggleDefender\Command]
    @="C:\\YourNSudoFolderPath\\NSudoG.exe -U:P -P:E -ShowWindowMode:Hide powershell -c \"Start-Process powershell -ArgumentList '-c \\\"$preferences = Get-MpPreference\\\" ; \\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\"' -verb RunAs -Window Hidden\""
    
    
    This REG file uses Powershell to Toggle Defender On or Off. To hide the Powershell window when the script is running, we will need NSudo.

    You will need to edit the REG file to point to the location of your NSudo folder.

    Download NSudo here: NSudo 6.2


    Option 3: Batch script

    This BAT script works with Defender Control. It toggles Defender Control to enable or disable Windows Defender. The BAT script needs to be in the same folder as Defender Control.

    Code:
    @echo off
    CLS
    ECHO.
    
    :init
    REM Remember this script's own path and name; they are used below to relaunch it elevated.
    setlocal DisableDelayedExpansion
    set "batchPath=%~0"
    for %%k in (%0) do set batchName=%%~nk
    set "vbsGetPrivileges=%temp%\OEgetPriv_%batchName%.vbs"
    setlocal EnableDelayedExpansion
    
    :checkPrivileges
    REM NET FILE only succeeds in an elevated shell, so its exit code tells us whether we already have admin rights.
    NET FILE 1>NUL 2>NUL
    if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( goto getPrivileges )
    
    :getPrivileges
    if '%1'=='ELEV' (echo ELEV & shift /1 & goto gotPrivileges)
    ECHO.
    
    REM Write a small VBScript that re-runs this batch file via ShellExecute "runas" (UAC prompt),
    REM passing ELEV plus the original arguments so the elevated copy knows it was relaunched.
    ECHO Set UAC = CreateObject^("Shell.Application"^) > "%vbsGetPrivileges%"
    ECHO args = "ELEV " >> "%vbsGetPrivileges%"
    ECHO For Each strArg in WScript.Arguments >> "%vbsGetPrivileges%"
    ECHO args = args ^& strArg ^& " "  >> "%vbsGetPrivileges%"
    ECHO Next >> "%vbsGetPrivileges%"
    ECHO UAC.ShellExecute "!batchPath!", args, "", "runas", 1 >> "%vbsGetPrivileges%"
    "%SystemRoot%\System32\WScript.exe" "%vbsGetPrivileges%" %*
    exit /B
    
    :gotPrivileges
    setlocal & pushd .
    REM Run from the script's own folder so defendercontrol.exe is found next to it;
    REM delete the helper VBScript if we arrived here through the elevation path.
    cd /d %~dp0
    if '%1'=='ELEV' (del "%vbsGetPrivileges%" 1>nul 2>nul  &  shift /1)
    
    REM get current status: a one-letter marker file (E or D) in the profile folder remembers the last toggle;
    REM if the file does not exist yet, status stays empty and the else branch disables Defender.
    <"%userprofile%\defendercontrol.status" set /p status=
    echo Currently: %status%
    if "%status%"=="D" (
       defendercontrol.exe /E
       echo E>"%userprofile%\defendercontrol.status"
    ) else (
       defendercontrol.exe /D
       echo D>"%userprofile%\defendercontrol.status"
    )

    Download Defender Control v1.4

    You can convert the BAT To EXE using Bat To Exe Converter


    To add the script (converted to EXE) to the Context menu... How to Add Any Application to the Windows Desktop Right-Click Menu



    + + +



    Enable protection against PUA, PUP and PUS in Windows Defender

    Make Windows Defender scan and eliminate Potentially Unwanted Programs (PUP), Potentially Unwanted Applications (PUA) and Potentially Unwanted Software (PUS) in real-time.

    Note: “Potentially Unwanted” refers to the category of software which are considered unwanted, untrusted or undesirable. PUPs include adware, dialers, fake “optimizer” programs, toolbars and search bars that come bundled with programs. PUAs don’t fall under the definition of “malware” as they’re not malicious, but still, some PUAs are classified as “risky”.


    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    "PUAProtection"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
    "MpEnablePus"=dword:00000001
    
    

  2. freddie-o

    #2 freddie-o, Feb 3, 2019
    Last edited: Feb 6, 2019
    (OP)
    Update: The Defender Control Batch script doesn't work when I add it to the Context menu. Still figuring out the problem/solution.

    Fixed :)
     
  3. freddie-o

    #3 freddie-o, Feb 3, 2019
    Last edited: Feb 5, 2019
    (OP)
    Updated the OP with a revised .Bat script so it works too when converting the Defender Control batch script to .Exe
     
  4. Thomas Dubreuil

    #4 Thomas Dubreuil, Feb 4, 2019
    Last edited: Feb 5, 2019
    Maybe written like this... ;)

    Code:
    powershell.exe -Command " '$preferences = Get-MpPreference' ; Start-Process powershell -ArgumentList '-Command \"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\" ' -verb RunAs -WindowStyle Hidden"
    and shortened
    Code:
    powershell -c "'$preferences = Get-MpPreference'; Start-Process powershell -ArgumentList '-c \"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\"' -verb RunAs -Window Hidden"
    ps: just need to copy this in "command" folder (default value data)
    Do you know what is the code to enable back?

    edit: This also works...
    Code:
    powershell -c "Start-Process powershell -ArgumentList '-c \"Set-MpPreference -DisableRealtimeMonitoring $true\"' -verb RunAs -Window Hidden"
    You can also use 1 (or any other number) for $true and 0 for $false

    So, your "final" reg file would be like that:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle]
    "MUIVerb"="Windows Defender Toggle"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll"
    "Position"="Bottom"
    "SubCommands"=""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off]
    "MUIVerb"="Toggle Defender Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,5"
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off\command]
    @="powershell -c \"Start-Process powershell -ArgumentList '-c \\\"Set-MpPreference -DisableRealtimeMonitoring 1\\\"' -verb RunAs -Window Hidden\""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On]
    "MUIVerb"="Toggle Defender On"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "CommandFlags"=dword:00000020
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On\command]
    @="powershell -c \"Start-Process powershell -ArgumentList '-c \\\"Set-MpPreference -DisableRealtimeMonitoring 0\\\"' -verb RunAs -Window Hidden\""
    
    Bonus tip: for a complete "silent" solution (hiding PS window), you can use NSudo, with /U=P to get admin elevation and /ShowWindowMode=Hide.

    Code:
    "YourNSudoFolderPath\NSudoG.exe" -U:P -P:E -ShowWindowMode=Hide powershell /c "Start-Process powershell -ArgumentList '-c \"Set-MpPreference -DisableRealtimeMonitoring 1\"' -Window Hidden"
    ps: For info NSudo accepts both "/" or "-" , and ":" or "=" ( /U= is the same as -U: )
     
  5. freddie-o

    #5 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)

    Thanks. My powershell script works fine from the context menu. It's the Batch script that toggles Defender Control that's not working from the context menu. But your reg file works too--it's another option :)

    P.S. The beauty of my toggle scripts is that they automatically enable or disable Defender when you run them.
    Another advantage of converting the .Bat or .Ps1 to .Exe is you have the option to hide the script's window.
     
  6. Thomas Dubreuil

    I thought it would be nice to have a window with a "done" message for the toggle, because powershell is so slow...
    so I made my context menu like that for now...

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle]
    "MUIVerb"="Windows Defender Toggle"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    "SubCommands"=""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off]
    "MUIVerb"="Toggle Defender Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,5"
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off\command]
    @="\"C:\\Program Files\\System Tools\\System Utilities\\Nsudo\\NSudoG.exe\" -U:P -P:E -ShowWindowMode=Hide powershell /c \"Start-Process powershell -ArgumentList '-c mode 48,2; \\\"Set-MpPreference -DisableRealtimeMonitoring 1\\\"; Write-Host -n -f White Real Time Protection has been` ; Write-Host -n -f R Disabled.; Start-Sleep -s 4'\""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On]
    "MUIVerb"="Toggle Defender On"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "CommandFlags"=dword:00000020
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On\command]
    @="\"C:\\Program Files\\System Tools\\System Utilities\\Nsudo\\NSudoG.exe\" -U:P -P:E -ShowWindowMode=Hide powershell /c \"Start-Process powershell -ArgumentList '-c mode 48,2; \\\"Set-MpPreference -DisableRealtimeMonitoring 0\\\"; Write-Host -n -f White Real Time Protection has been` ; Write-Host -n -f Gree Enabled.; Start-Sleep -s 4'\""
    
    
     
  7. freddie-o

    Don't you want to create a reg file that automatically toggles Defender with just one click? Like so...

     
  8. Thomas Dubreuil

    #8 Thomas Dubreuil, Feb 5, 2019
    Last edited: Feb 5, 2019
    ok, you mean in one button, I did it with 2 "subcommands"

    Then it simply is
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\Command]
    @="powershell -c \"Start-Process powershell -ArgumentList '-c \\\"$preferences = Get-MpPreference\\\" ; \\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\"' -verb RunAs -Window Hidden\""
    
    your icon is "native one" or?
     
  9. freddie-o

    #9 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)
    No I added the icon when converting the PS1 to EXE.
    Your reg file is better... no need to create a powershell script, convert it, then add it to the context menu.
    Still shows a PS window though
     
  10. Thomas Dubreuil

    #10 Thomas Dubreuil, Feb 5, 2019
    Last edited: Feb 5, 2019
    you could use NSudo to hide first window...
    like this:
    Code:
    "C:\NSudoFolderPath\NSudoG.exe" -U:P -P:E -ShowWindowMode=Hide powershell -c "Start-Process powershell -ArgumentList '-c \"$preferences = Get-MpPreference\" ; \"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\"' -Window Hidden"
     
  11. freddie-o

    Is that the only way? The idea is to make it user friendly so anybody can do it
     
  12. Thomas Dubreuil

    I think so...because you need to parse in 2 commands to run it elevated (it won't work if not elevated)
    so either powershell opening powershell or nsudo opening powershell (kind of)
     
  13. freddie-o

    If you like I can post your reg file in the OP as another option. Crediting you of course. Just need to test it out first
     
  14. Thomas Dubreuil

    sure...no problem
     
  15. freddie-o

    #15 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)
    I prefer "Directory\Background" to "DesktopBackground". This way you can still disable Defender from inside Windows Explorer. What do you think?
    Code:
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle]
    
     
  16. Thomas Dubreuil

    Yes...me too, was just for testing purpose
     
  17. freddie-o

    #17 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)
    Cannot make it work with NSudo. In NSudoG.exe it says...
    "To ensure the best experience, NSudoC does not support context menu."

    But I was able to make it work with PowerRun
     
  18. Thomas Dubreuil

    NSudoG not C ;) or NSudo.exe but NSudoG is faster...
     
  19. freddie-o

    #19 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)
    OK Got it to work
     
  20. Thomas Dubreuil

    #20 Thomas Dubreuil, Feb 5, 2019
    Last edited: Feb 5, 2019
    By the way, we can also take out the first "-c", because when we don't specify the "-File" argument, -Command (abbreviated to -c) is always the default.

    We can add another -WindowStyle Hidden too, but still Windows will open a shell for 1s before executing the "Hidden" command...
    So it would look like this :
    Code:
    powershell -Window Hidden "Start-Process powershell -ArgumentList '-c \"$preferences = Get-MpPreference\";\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\"' -verb RunAs -Window Hidden"
    
    :)
    and in reg:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle\Command]
    @="powershell -Window Hidden \"Start-Process powershell -ArgumentList '-c \\\"$preferences = Get-MpPreference\\\";\\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\"' -verb RunAs -Window Hidden\""
    
    I also like the option to show a small "Disabled/Enabled" window... because the PS command is quite slow and you're not sure if the command worked (or if the state is disabled or enabled)...
    With NSudo it looks like this:
    Code:
    "C:\YourNSudoFolderPath\NSudoG.exe" -U:P -P:E -ShowWindowMode=Hide powershell "Start-Process powershell -ArgumentList '-c mode 48,2;\"$preferences = Get-MpPreference\";\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\";Write-Host -n -f White Real Time Protection has been` ;\"if (!$preferences.DisableRealtimeMonitoring -eq $true) {Write-Host -n -f R Disabled.} else {Write-Host -n -f Gree Enabled.}\";Start-Sleep -s 3'"
    
    and in reg, again:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle\Command]
    @="\"C:\\YourNSudoFolderPath\\NSudoG.exe\" -U:P -P:E -ShowWindowMode=Hide powershell \"Start-Process powershell -ArgumentList '-c mode 48,2;\\\"$preferences = Get-MpPreference\\\";\\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\";Write-Host -n -f White Real Time Protection has been` ;\\\"if (!$preferences.DisableRealtimeMonitoring -eq $true) {Write-Host -n -f R Disabled.} else {Write-Host -n -f Gree Enabled.}\\\";Start-Sleep -s 3'\""
    
    ps tested and working, maybe you got wrong path...
    oh I see you edited, so it works ;)
     
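Added example (not code from this thread or from any of its posters): the Option 1 toggle from the OP, combined with the status check post #20 asks for. It refuses to run unelevated, flips the preference the same way, then re-reads Get-MpComputerStatus to confirm the engine really changed state; the function names Test-IsElevated, Get-RealtimeState and Switch-RealtimeMonitoring are chosen here and are not part of the Defender module.

```powershell
# Added example (not from the thread). Assumes the built-in Defender module
# (Get-MpPreference / Set-MpPreference / Get-MpComputerStatus) is available.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RealtimeState {
    # Option 3 (Defender Control) stops WinDefend; the Mp* cmdlets need that service.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        throw "WinDefend service is not running; start it before toggling real-time monitoring."
    }
    # Two views: the preference the toggle writes, and what the engine reports it is doing.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        DisableRealtimeMonitoring = [bool]$pref.DisableRealtimeMonitoring
        RealTimeProtectionEnabled = [bool]$status.RealTimeProtectionEnabled
        TamperProtection          = $status.IsTamperProtected   # $null on builds without it
    }
}

function Switch-RealtimeMonitoring {
    if (-not (Test-IsElevated)) {
        throw "Set-MpPreference needs an elevated shell (that is what the RunAs / NSudo wrappers above provide)."
    }
    $before = Get-RealtimeState
    $target = -not $before.DisableRealtimeMonitoring   # the same flip as Option 1
    Set-MpPreference -DisableRealtimeMonitoring $target -ErrorAction Stop

    # The engine applies the change asynchronously; poll briefly before judging the result.
    $deadline = (Get-Date).AddSeconds(10)
    do {
        Start-Sleep -Milliseconds 500
        $after = Get-RealtimeState
    } until (($after.RealTimeProtectionEnabled -eq (-not $target)) -or ((Get-Date) -gt $deadline))

    if ($after.RealTimeProtectionEnabled -eq (-not $target)) {
        $word = if ($target) { 'Disabled' } else { 'Enabled' }
        Write-Host "Real Time Protection has been $word."
    } else {
        # Typical causes: Tamper Protection, or a Group Policy setting overriding the preference.
        Write-Warning ("Requested DisableRealtimeMonitoring=$target, but the engine still reports " +
                       "RealTimeProtectionEnabled=$($after.RealTimeProtectionEnabled) " +
                       "(TamperProtection=$($after.TamperProtection)).")
    }
    return $after
}

Switch-RealtimeMonitoring
```

Each flip is also recorded in the Microsoft-Windows-Windows Defender/Operational event log (event ID 5001 when real-time protection is disabled, 5000 when it is enabled again), which is where an administrator would look to see how often this toggle is being used on a machine.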