Windows Defender Auto Toggle

Discussion in 'Scripting' started by freddie-o, Feb 2, 2019.

  1. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    504
    498
    30
    #1 freddie-o, Feb 2, 2019
    Last edited: Oct 18, 2019

    The following scripts automatically toggle Windows Defender on and off.




    Credits to @Thomas Dubreuil for the Registry (REG) files and helping clean up Option 2 Batch (BAT) script and @Mouri_Naruto for Nsudo




    NOTICE


    If you have Windows 10 build 1903 (version 18305) or higher installed, you will need to turn off Tamper Protection to toggle Windows Defender for Option 1.





    [Option 1] Toggle Windows Defender Real-time protection


    [Option 1A] Powershell (PS1) script

    Code:
    $preferences = Get-MpPreference
    Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)
    
    

    You can convert the Powershell script to .EXE using Ps1 To Exe




    [Option 1B] Registry (REG) file

    Toggle Windows Defender Real-time protection from the Right-click context menu


    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\Toggle Windows Defender]
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\Toggle Windows Defender\Command]
    @="C:\\Your\\NSudo\\Folder\\NSudoG.exe -U:P -P:E -ShowWindowMode:Hide powershell \"Start-Process powershell -ArgumentList ' \\\"$preferences = Get-MpPreference\\\" ; \\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\"' -Window Hidden\""
    
    

    We need NSudo to hide the powershell window when the script is running. You will need to edit the REG file to point to the location of your NSudo folder.

    [​IMG]


    Download NSudo







    [Option 2] Toggle "WinDefend" service (Windows Defender Antivirus Service)

    The WinDefend service can only be stopped with TrustedInstaller privileges. So we need NSudo to run this script as TrustedInstaller.


    Download NSudo




    [Option 2A] Batch (BAT) script

    This BAT script and "NSudoG.exe" must be in the same folder.


    Code:
    @echo off
    
    cd /d "%~dp0"
    sc query WinDefend | find "STATE" | find "RUNNING" && goto :stop
    
    :start
    NSudoG.exe -U:T -ShowWindowMode:Hide sc start WinDefend & exit /b
    
    :stop
    NSudoG.exe -U:T -ShowWindowMode:Hide sc stop WinDefend & exit /b
    
    


    You can convert the BAT script To EXE using Bat To Exe Converter





    [Option 2B] Registry (REG) file


    Toggle "WinDefend" service from the Right-click context menu


    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\Toggle Windows Defender]
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\Directory\Background\Shell\Toggle Windows Defender\command]
    @="\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:P -ShowWindowMode:Hide cmd /c  \"sc query WinDefend | find /I \"STATE\" | find \"STOPPED\" && (\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:T -ShowWindowMode:Hide sc start WinDefend & exit/b) || (\"C:\\YOUR\\NSUDO\\FOLDER\\NSudoG.exe\" -U:T -ShowWindowMode:Hide sc stop WinDefend)\""
    
    

    You will need to edit the REG file to point to the location of your NSudo folder.

    [​IMG]









    Optional:

    Make Windows Defender detect and block Potentially Unwanted Programs (PUP), Potentially Unwanted Applications (PUA) and Potentially Unwanted Software (PUS) in real-time.






     
  2. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    504
    498
    30
    #2 freddie-o, Feb 3, 2019
    Last edited: Nov 7, 2019
    (OP)
    Make Windows Defender detect and block Potentially Unwanted Applications (PUA) and Potentially Unwanted Software (PUS) in real-time.

    “Potentially Unwanted” refers to the category of software which are considered unwanted, untrusted or undesirable. PUPs include adware, dialers, fake “optimizer” programs, toolbars and search bars that come bundled with programs. PUAs don’t fall under the definition of “malware” as they’re not malicious, but still, some PUAs are classified as “risky”.

    Typical PUA behavior includes:
    • Various types of software bundling
    • Ad injection into web browsers
    • Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs)
    These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste resources in cleaning up the applications.


    More on PUAs by MS: Shields up on potentially unwanted applications in your enterprise


    Registry key
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    "PUAProtection"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
    "MpEnablePus"=dword:00000001
    
    
     
  3. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    504
    498
    30
    #3 freddie-o, Feb 3, 2019
    Last edited: Jun 7, 2019
    (OP)
    Update Windows Defender definitions manually.


    Even with Automatic Updates disabled, Windows Defender will still update
     
  4. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    306
    509
    10
    #4 Thomas Dubreuil, Feb 4, 2019
    Last edited: Feb 5, 2019
    Maybe written like this... ;)

    Code:
    powershell.exe -Command " '$preferences = Get-MpPreference' ; Start-Process powershell -ArgumentList '-Command \"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\" ' -verb RunAs -WindowStyle Hidden"
    and shortened
    Code:
    powershell -c "'$preferences = Get-MpPreference'; Start-Process powershell -ArgumentList '-c \"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\"' -verb RunAs -Window Hidden"
    ps: just need to copy this in "command" folder (default value data)
    Do you know what is the code to enable back?

    edit: This also works...
    Code:
    powershell -c "Start-Process powershell -ArgumentList '-c \"Set-MpPreference -DisableRealtimeMonitoring $true\"' -verb RunAs -Window Hidden"
    You can also use 1 (or any other number) for $true and 0 for $false

    So, your "final" reg file would be like that:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle]
    "MUIVerb"="Windows Defender Toggle"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll"
    "Position"="Bottom"
    "SubCommands"=""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off]
    "MUIVerb"="Toggle Defender Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,5"
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off\command]
    @="powershell -c \"Start-Process powershell -ArgumentList '-c \\\"Set-MpPreference -DisableRealtimeMonitoring 1\\\"' -verb RunAs -Window Hidden\""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On]
    "MUIVerb"="Toggle Defender On"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "CommandFlags"=dword:00000020
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On\command]
    @="powershell -c \"Start-Process powershell -ArgumentList '-c \\\"Set-MpPreference -DisableRealtimeMonitoring 0\\\"' -verb RunAs -Window Hidden\""
    
    Bonus tip: for a complete "silent" solution (hiding PS window), you can use NSudo, with /U=P to get admin elevation and /ShowWindowMode=Hide.

    Code:
    "YourNSudoFolderPath\NSudoG.exe" -U:P -P:E -ShowWindowMode=Hide powershell /c "Start-Process powershell -ArgumentList '-c \"Set-MpPreference -DisableRealtimeMonitoring 1\"' -Window Hidden"
    ps: For info NSudo accepts both "/" or "-" , and ":" or "=" ( /U= is the same as -U: )
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    504
    498
    30
    #5 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)

    Thanks. My powershell script works fine from the context menu. It's the Batch script that toggles Defender Control that's not working from the context menu. But your reg file works too--it's another option :)

    P.S The beauty of my toggle scripts is that it automatically enables or disables Defender when you run it.
    Another advantage of converting the .Bat or .Ps1 to .Exe is you have the option to hide the script's window.
     
  6. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    306
    509
    10
    I thought would be nice to have a window with a "done" message for the toggle, because powershell is so slow...
    so made my context menu like that for now...

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle]
    "MUIVerb"="Windows Defender Toggle"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    "SubCommands"=""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off]
    "MUIVerb"="Toggle Defender Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,5"
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\01_Off\command]
    @="\"C:\\Program Files\\System Tools\\System Utilities\\Nsudo\\NSudoG.exe\" -U:P -P:E -ShowWindowMode=Hide powershell /c \"Start-Process powershell -ArgumentList '-c mode 48,2; \\\"Set-MpPreference -DisableRealtimeMonitoring 1\\\"; Write-Host -n -f White Real Time Protection has been` ; Write-Host -n -f R Disabled.; Start-Sleep -s 4'\""
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On]
    "MUIVerb"="Toggle Defender On"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "CommandFlags"=dword:00000020
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\shell\02_On\command]
    @="\"C:\\Program Files\\System Tools\\System Utilities\\Nsudo\\NSudoG.exe\" -U:P -P:E -ShowWindowMode=Hide powershell /c \"Start-Process powershell -ArgumentList '-c mode 48,2; \\\"Set-MpPreference -DisableRealtimeMonitoring 0\\\"; Write-Host -n -f White Real Time Protection has been` ; Write-Host -n -f Gree Enabled.; Start-Sleep -s 4'\""
    
    
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    504
    498
    30
    Don't you want to create a reg file that automatically toggles Defender with just one click? Like so...

    [​IMG]
     
  8. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    306
    509
    10
    #8 Thomas Dubreuil, Feb 5, 2019
    Last edited: Feb 5, 2019
    ok, you mean in one button, I did it with 2 "subcommands"

    Then it simply is
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\DesktopBackground\Shell\WinDefenderToggle\Command]
    @="powershell -c \"Start-Process powershell -ArgumentList '-c \\\"$preferences = Get-MpPreference\\\" ; \\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\"' -verb RunAs -Window Hidden\""
    
    your icon is "native one" or?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    504
    498
    30
    #9 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)
    No I added the icon when converting the PS1 to EXE.
    You reg file is better... no need to create a powershell script, convert it then add it to the context menu.
    Still shows a PS window though
     
  10. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    306
    509
    10
    #10 Thomas Dubreuil, Feb 5, 2019
    Last edited: Feb 5, 2019
    you could use NSudo to hide first window...
    like this:
    Code:
    "C:\NSudoFolderPath\NSudoG.exe" -U:P -P:E -ShowWindowMode=Hide powershell -c "Start-Process powershell -ArgumentList '-c \"$preferences = Get-MpPreference\" ; \"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\"' -Window Hidden"
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    504
    498
    30
    Is that the only way? The idea is to make it user friendly so anybody can do it
     
  12. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    306
    509
    10
    I think so...because you need to parse in 2 commands to run it elevated (it won't work if not elevated)
    so either powershell opening powershell or nsudo opening powershell (kind of)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    504
    498
    30
    If you like I can post your reg file in the OP as another option. Crediting you of course. Just need to test it out first
     
  14. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    306
    509
    10
    sure...no problem
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  15. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    504
    498
    30
    #15 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)
    I prefer "Directory\Background" to "DesktopBackground". This way you can still disable Defender from inside Windows Explorer. What do you think?
    Code:
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle]
    
     
  16. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    306
    509
    10
    Yes...me too, was just for testing purpose
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  17. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    504
    498
    30
    #17 freddie-o, Feb 5, 2019
    Last edited: Feb 5, 2019
    (OP)
    Cannot make it work with NSudo. In NSudoG.exe it says...
    "To ensure the best experience, NSudoC does not support context menu."

    But I was able to make it work with PowerRun
     
  18. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    306
    509
    10
    NSudoG not C ;) or NSudo.exe but NSudoG is faster...
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  19. freddie-o

    freddie-o MDL Addicted

    Jul 29, 2009
    504
    498
    30
  20. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    306
    509
    10
    #20 Thomas Dubreuil, Feb 5, 2019
    Last edited: Feb 5, 2019
    By the way, we can also take out the first "-c" , because when we don't specify "-File" argument, -Command (abreviated to -c) is always the default.

    We can add another -WindowStyle Hidden too, but still windows will open shell for 1s before executing the "Hidden" command...
    So it would look like this :
    Code:
    powershell -Window Hidden "Start-Process powershell -ArgumentList '-c \"$preferences = Get-MpPreference\";\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\"' -verb RunAs -Window Hidden"
    
    :)
    and in reg:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle\Command]
    @="powershell -Window Hidden \"Start-Process powershell -ArgumentList '-c \\\"$preferences = Get-MpPreference\\\";\\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\"' -verb RunAs -Window Hidden\""
    
    I like also the option to show a small "Disabled/Enabled" Window...Because the PS command is quite slow and you not sure if command worked (or if state is disabled or enabled)...
    With NSudo it looks like this:
    Code:
    "C:\YourNSudoFolderPath\NSudoG.exe" -U:P -P:E -ShowWindowMode=Hide powershell "Start-Process powershell -ArgumentList '-c mode 48,2;\"$preferences = Get-MpPreference\";\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\";Write-Host -n -f White Real Time Protection has been` ;\"if (!$preferences.DisableRealtimeMonitoring -eq $true) {Write-Host -n -f R Disabled.} else {Write-Host -n -f Gree Enabled.}\";Start-Sleep -s 3'"
    
    and in reg, again:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle]
    "MUIVerb"="Toggle Defender On or Off"
    "Icon"="%ProgramFiles%\\Windows Defender\\EppManifest.dll,4"
    "Position"="Bottom"
    
    [HKEY_CLASSES_ROOT\Directory\Background\shell\WinDefenderToggle\Command]
    @="C:\\YourNSudoFolderPath\\NSudoG.exe\" -U:P -P:E -ShowWindowMode=Hide powershell \"Start-Process powershell -ArgumentList '-c mode 48,2;\\\"$preferences = Get-MpPreference\\\";\\\"Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)\\\";Write-Host -n -f White Real Time Protection has been` ;\\\"if (!$preferences.DisableRealtimeMonitoring -eq $true) {Write-Host -n -f R Disabled.} else {Write-Host -n -f Gree Enabled.}\\\";Start-Sleep -s 3'\""
    
    ps tested and working, maybe you got wrong path...
    oh I see you edited, so it works ;)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...