Disable Windows Defender Completely.

Lance1 · Jul 20, 2022

If you don't like or want Defender on your system and you want it Completely Gone, there is a way BUT! You have to add to the registry. Values and Keys and a lot of them. I disabled Defender and installed another AV for testing. Never liked Defender. To give you an idea of how in-depth this is I'll past the Values and Keys from Britec. Defender is so embedded into the Windows system that the average user will have no idea how to remove it. So My Post! Would you go this far? Or would you settle for what Microsoft says you need...

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableAntiVirus"=dword:00000001
"DisableSpecialRunningModes"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ServiceKeepAlive"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
"ForceUpdateFromMU"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"DisableBlockAtFirstSeen"=dword:00000001

Wolfzz · Jul 20, 2022

Lance1 said:
If you don't like or want Defender on your system and you want it Completely Gone, there is a way BUT! You have to add to the registry. Values and Keys and a lot of them. I disabled Defender and installed another AV for testing. Never liked Defender. To give you an idea of how in-depth this is I'll past the Values and Keys from Britec. Defender is so embedded into the Windows system that the average user will have no idea how to remove it. So My Post! Would you go this far? Or would you settle for what Microsoft says you need...

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableAntiVirus"=dword:00000001
"DisableSpecialRunningModes"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ServiceKeepAlive"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
"ForceUpdateFromMU"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"DisableBlockAtFirstSeen"=dword:00000001

What about these few extra's?

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen]
"ConfigureAppInstallControlEnabled"=dword:00000000
"ConfigureAppInstallControl"="Anywhere"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SpyNetReporting"=dword:00000000
"SubmitSamplesConsent"=dword:00000002

FreeBooter · Jul 21, 2022

In this video, i will guide you on how to disable Windows Defender in Windows 11.

Download batch script: Disable_Windows_Defender_Win11.bat

neemobeer · Jul 21, 2022

If another endpoint protection suite is installed and it properly registers with WSC there should not be a need to disable WD.

Cromax · Jul 21, 2022

Sry but i never found better suite performance wise for the system.. every suite that i used hogs the pc

TairikuOkami · Jul 22, 2022

Cromax said:
Sry but i never found better suite performance wise for the system.. every suite that i used hogs the pc

Have you tried Panda, WiseVector, 360 TSE or Adaware?

FreeBooter said:
In this video, i will guide you on how to disable Windows Defender in Windows 11.

I know your voice now, beware. :smirk:

FreeBooter · Jul 22, 2022

TairikuOkami said:
I know your voice now, beware.

Cromax · Jul 22, 2022

TairikuOkami said:
Have you tried Panda, WiseVector, 360 TSE or Adaware?

I know your voice now, beware.

Panda yes 2 other no

jimbo45 · Jul 22, 2022

Cromax said:
Panda yes 2 other no

Up to individuals so that's their choice - but WD is so good now and integrated with OS to use minimal resources I'm not sure what the problem is here or why the OP doesn't want it.

To me disabling WD seems a bit like saying I want a top of the range BMW but only want a Pinto engine in it.

Cheers
jimbo

swerd · Jul 27, 2022

Defender Control v2.1

In Windows there is no option to completely turn off Microsoft Defender , Defender control is a Portable freeware to disable Ms Defender.

www.sordum.org

Spartan · Aug 15, 2022

Lance1 said:
If you don't like or want Defender on your system and you want it Completely Gone, there is a way BUT! You have to add to the registry. Values and Keys and a lot of them. I disabled Defender and installed another AV for testing. Never liked Defender. To give you an idea of how in-depth this is I'll past the Values and Keys from Britec. Defender is so embedded into the Windows system that the average user will have no idea how to remove it. So My Post! Would you go this far? Or would you settle for what Microsoft says you need...

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableAntiVirus"=dword:00000001
"DisableSpecialRunningModes"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ServiceKeepAlive"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
"ForceUpdateFromMU"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"DisableBlockAtFirstSeen"=dword:00000001

No need for all this. One simple batch file gets rid of Windows Defender completely from its roots. Running it again would restore it.

Download ToggleDefender

@(set "0=%~f0"^)#) & powershell -win 1 -nop -c iex([io.file]::ReadAllText($env:0)) & exit /b

## Toggle Defender, AveYo 2022.01.15
## changed: comment personal configuration tweaks

sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'
if ($(sc.exe qc windefend) -like '*TOGGLE*') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}

## Comment to hide dialog prompt with Yes, No, Cancel (6,7,2)
if ($env:1 -ne 6 -and $env:1 -ne 7) {
$choice=(new-object -ComObject Wscript.Shell).Popup($A + ' Windows Defender?', 0, 'Defender is: ' + $S, 0x1033)
if ($choice -eq 2) {break} elseif ($choice -eq 6) {$env:1=$TOGGLE} else {$env:1=$KEEP}
}

## Without the dialog prompt above will toggle automatically
if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }

## Cascade elevation
$u=0;$w=whoami /groups;if($w-like'*1-5-32-544*'){$u=1};if($w-like'*1-16-12288*'){$u=2};if($w-like'*1-16-16384*'){$u=3}

## Comment to not hide per-user toggle notifications
$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'
ni $notif -ea 0|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0
sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}

## Comment to not relaunch systray icon
$L="$env

rogramFiles\Windows Defender\MSASCuiL.exe"; if (!(test-path $L)) {$L='SecurityHealthSystray'}
if ($u -eq 2) {start $L -win 1}

## Reload from volatile registry as needed
$script='-win 1 -nop -c & {$AveYo='+"'`r`r"+' A LIMITED ACCOUNT PROTECTS YOU FROM UAC EXPLOITS '+"`r`r'"+';$env:1='+$env:1
$script+=';$k=@();$k+=gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0;iex($k[0].ToggleDefender)}'
$cmd='powershell '+$script; $env:__COMPAT_LAYER='Installer'

## 0: limited-user: must runas / 1: admin-user non-elevated: must runas [built-in lame uac bpass removed]
if ($u -lt 2) {
start powershell -args $script -verb runas -win 1; break
}

## 2: admin-user elevated: get ti/system via runasti lean and mean snippet [$window hide:0x0E080600 show:0x0E080610]
if ($u -eq 2) {
$A=[AppDomain]::CurrentDomain."DefineDynami`cAssembly"(1,1)."DefineDynami`cModule"(1);$D=@();0..5|%{$D+=$A."Defin`eType"('A'+$_,
1179913,[ValueType])} ;4,5|%{$D+=$D[$_]."MakeByR`efType"()} ;$I=[Int32];$J="Int`Ptr";$P=$I.module.GetType("System.$J"); $F=@(0)
$F+=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$P,$P,$P,$I,$I,$I,$I,$I,$I,$I,$I,[Int16],[Int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
$S=[String]; $9=$D[0]."DefinePInvok`eMethod"('CreateProcess',"kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[6],$D[7]),1,4)
1..5|%{$k=$_;$n=1;$F[$_]|%{$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}};$T=@();0..5|%{$T+=$D[$_]."CreateT`ype"();$Z=[uintptr]::size
nv ('T'+$_)([Activator]::CreateInstance($T[$_]))}; $H=$I.module.GetType("System.Runtime.Interop`Services.Mar`shal");
$WP=$H."GetMeth`od"("Write$J",[type[]]($J,$J)); $HG=$H."GetMeth`od"("AllocHG`lobal",[type[]]'int32'); $v=$HG.invoke($null,$Z)
'TrustedInstaller','lsass'|%{if(!$pn){net1 start $_ 2>&1 >$null;$pn=[Diagnostics.Process]::GetProcessesByName($_)[0];}}
$WP.invoke($null,@($v,$pn.Handle)); $SZ=$H."GetMeth`od"("SizeOf",[type[]]'type'); $T1.f1=131072; $T1.f2=$Z; $T1.f3=$v; $T2.f1=1
$T2.f2=1;$T2.f3=1;$T2.f4=1;$T2.f6=$T1;$T3.f1=$SZ.invoke($null,$T[4]);$T4.f1=$T3;$T4.f2=$HG.invoke($null,$SZ.invoke($null,$T[2]))
$H."GetMeth`od"("StructureTo`Ptr",[type[]]($D[2],$J,'boolean')).invoke($null,@(($T2-as $D[2]),$T4.f2,$false));$window=0x0E080600
$9=$T[0]."GetMeth`od"('CreateProcess').Invoke($null,@($null,$cmd,0,0,0,$window,0,$null,($T4-as $D[4]),($T5-as $D[5]))); break
}

## Cleanup
rp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0

## Create registry paths
$wdp='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
' Security Center\Notifications','\UX Configuration','\MpEngine','\Spynet','\Real-Time Protection' |% {ni ($wdp+$_)-ea 0|out-null}

## Toggle Defender
if ($env:1 -eq 7) {
## enable notifications
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' UILockdown -Force -ea 0
rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0
rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0
rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' UILockdown -Force -ea 0
## enable shell smartscreen and set to warn
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' ShellSmartScreenLevel 'Warn' -Force -ea 0
## enable store smartscreen and set to warn
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost -ea 0 |% {
sp $_.PSPath 'EnableWebContentEvaluation' 1 -Type Dword -Force -ea 0
sp $_.PSPath 'PreventOverride' 0 -Type Dword -Force -ea 0
}
## enable chredge smartscreen + pua
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Edge\SmartScreenEnabled -ea 0 |% {
sp $_.PSPath '(Default)' 1 -Type Dword -Force -ea 0
}
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled -ea 0 |% {
sp $_.PSPath '(Default)' 1 -Type Dword -Force -ea 0
}
## enable legacy edge smartscreen
ri 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Force -ea 0
## enable av
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' DisableRealtimeMonitoring -Force -ea 0
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0
rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0
sc.exe config windefend depend= RpcSs
net1 start windefend
kill -Force -Name MpCmdRun -ea 0
start ($env

rogramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-EnableService' -win 1
} else {
## disable notifications
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' UILockdown 0 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' UILockdown 0 -Type Dword -Force -ea 0
## disable shell smartscreen and set to warn
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen 0 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' ShellSmartScreenLevel 'Warn' -Force -ea 0
## disable store smartscreen and set to warn
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost -ea 0 |% {
sp $_.PSPath 'EnableWebContentEvaluation' 0 -Type Dword -Force -ea 0
sp $_.PSPath 'PreventOverride' 0 -Type Dword -Force -ea 0
}
## disable chredge smartscreen + pua
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Edge\SmartScreenEnabled -ea 0 |% {
sp $_.PSPath '(Default)' 0 -Type Dword -Force -ea 0
}
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled -ea 0 |% {
sp $_.PSPath '(Default)' 0 -Type Dword -Force -ea 0
}
## disable legacy edge smartscreen
sp 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' EnabledV9 0 -Type Dword -Force -ea 0
## disable av
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' DisableRealtimeMonitoring 1 -Type Dword -Force
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
net1 stop windefend
sc.exe config windefend depend= RpcSs-TOGGLE
kill -Name MpCmdRun -Force -ea 0
start ($env

rogramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-DisableService' -win 1
del ($env

rogramData+'\Microsoft\Windows Defender\Scans\mpenginedb.db') -Force -ea 0 ## Commented = keep scan history
del ($env

rogramData+'\Microsoft\Windows Defender\Scans\History\Service') -Recurse -Force -ea 0
}

## PERSONAL CONFIGURATION TWEAK - COMMENT OR UNCOMMENT ENTRIES TO TWEAK OR REVERT
#sp $wdp DisableRoutinelyTakingAction 1 -Type Dword -Force -ea 0 ## Auto Actions off
#rp $wdp DisableRoutinelyTakingAction -Force -ea 0 ## Auto Actions ON [default]

#sp ($wdp+'\MpEngine') MpCloudBlockLevel 2 -Type Dword -Force -ea 0 ## Cloud blocking level HIGH
#rp ($wdp+'\MpEngine') MpCloudBlockLevel -Force -ea 0 ## Cloud blocking level low [default]

#sp ($wdp+'\Spynet') SpyNetReporting 2 -Type Dword -Force -ea 0 ## Cloud protection ADVANCED
#rp ($wdp+'\Spynet') SpyNetReporting -Force -ea 0 ## Cloud protection basic [default]

#sp ($wdp+'\Spynet') SubmitSamplesConsent 0 -Type Dword -Force -ea 0 ## Sample Submission ALWAYS-PROMPT
#rp ($wdp+'\Spynet') SubmitSamplesConsent -Force -ea 0 ## Sample Submission automatic [default]

#sp ($wdp+'\Real-Time Protection') RealtimeScanDirection 1 -Type Dword -Force -ea 0 ## Scan incoming file only
#rp ($wdp+'\Real-Time Protection') RealtimeScanDirection -Force -ea 0 ## Scan INCOMING, OUTGOING file [default]

#sp $wdp PUAProtection 1 -Type Dword -Force -ea 0 ## Potential Unwanted Apps on [policy]
#rp $wdp PUAProtection -Force -ea 0 ## Potential Unwanted Apps off [default]
#sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' PUAProtection 1 -Type Dword -Force -ea 0 ## Potential Unwanted Apps ON [user]
#rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' PUAProtection -Force -ea 0 ## Potential Unwanted Apps off [default]

$env:1=$null
# done!
'@ -Force -ea 0; $k=@();$k+=gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0;iex($k[0].ToggleDefender)
#-_-# hybrid script, can be pasted directly into powershell console

Sammy888 · Aug 18, 2022

It's not without it's bugs, but the only way to disable Defender (100%) completely is installing and running Defender Control.

Sammy888 · Aug 18, 2022

Spartan said:
No need for all this. One simple batch file gets rid of Windows Defender completely from its roots. Running it again would restore it.

Download ToggleDefender

That batch feel needs updating. It's been reported early in the new year it stopped working after a Windows (11) update. That's why in March Defender Control was updated to 2.1.

Lance1 · Aug 19, 2022

This is one you should look at, as it covers so much more of what Defender protection is and what it's all about... He covers so much more... It's worth a look! O!! Only if you're into Registry Changes! I'm In!

jimbo45 · Sep 1, 2022

Sammy888 said:
It's not without it's bugs, but the only way to disable Defender (100%) completely is installing and running Defender Control.

That site has so many "Entrapment links" before you get to the real file download and it doesn't work anyway.

I've found absolutely no way to stop this wretched thing appearing on clean installs of W11 on latest builds whether using local account or not. You can even at first boot see there's a problem with WD as the store isn't even shown on the taskbar which it normally is when booting a new systyem ist time.

Update installs work OK - just clean installs whether using ISO's from UUPDUMP or the ms site.

I've given up with W11 new installs on this computer for the moment - it fails whether as a VM or a real machine, whether on real HDD's or vhdx files. None of the 10 zillion fixes on google work nor scannow or other commands to fix system files.

If this nonsense is going to happen when bog standard users finally do a mass switch -- I wouldn't like to be I.T admin !!!!

Cheers
jimbo

cereberus · Sep 1, 2022

The issue is not so much disabling defender - that is easy i.e. install another AV package. When people go out of their way to ask about deleting Defender, they never say why. It always seems to be gamers in pursuit of a tiny fps increase.

I have Defender full enabled on my laptop with nvme drives and it idles at 1% cpu and very occasionally blips to a few % when it does a background scan after an update.

In the end running without an AV package is just dumb (It's like peole saying I have never had an accident, so I never wear a seatbelt).

People can try and justify to the end of time why they feel they are more knowledgeable than hackers but in the end it is bullcrap. There is always some toerag out to get you - why make it easy?

I would not let any user attach a pc to my network if they have disabled all AVs.

jimbo45 · Sep 1, 2022

cereberus said:
The issue is not so much disabling defender - that is easy i.e. install another AV package. When people go out of their way to ask about deleting Defender, they never say why. It always seems to be gamers in pursuit of a tiny fps increase.

I have Defender full enabled on my laptop with nvme drives and it idles at 1% cpu and very occasionally blips to a few % when it does a background scan after an update.

In the end running without an AV package is just dumb (It's like peole saying I have never had an accident, so I never wear a seatbelt).

People can try and justify to the end of time why they feel they are more knowledgeable than hackers but in the end it is bullcrap. There is always some toerag out to get you - why make it easy?

I would not let any user attach a pc to my network if they have disabled all AVs.

The problem here is that I can't get into the application to run anything on it at all -- even a scan for malware !!!!!!!!

When it's working WD is excellent - but an OS where the security package fails to open so you can't even scan or change some settings is just plain useless.

I'm not sure why this app is such a problem --using 100% legal software and this is just after a clean install from an official W11 iso.

Cheers
jimbo

Master · Sep 1, 2022

Disable Temper Protection in defender and use this save as remove defnder.cmd and run as administrator

@cls
@echo off
>nul chcp 437
setlocal enabledelayedexpansion
title Group Policy Addins

>nul 2>&1 where powershell || (
echo.
echo Missing Critical files [powershell.exe]
echo.
pause
exit /b
)

rem == Destroy Defender Called from End OF Script
whoami|>nul findstr /i /c:"nt authority\system" && (
echo.
call :RunAtSystemLevel
timeout 6
exit
)

rem Credit ..
rem Bau For Run As TI Script
rem freddie-o, geepnozeex, St1ckys For Defender Script

cd /d "%~dp0"

:::: Run as administrator, AveYo: ps\vbs version
1>nul 2>nul fltmc || (
set "_=call "%~f0" %*" & powershell -nop -c start cmd -args'/d/x/r',$env:_ -verb runas || (
>"%temp%\Elevate.vbs" echo CreateObject^("Shell.Application"^).ShellExecute "%~dpf0", "%*" , "", "runas", 1
>nul "%temp%\Elevate.vbs" & del /q "%temp%\Elevate.vbs" )
exit)

echo.
set Policies=HKEY_LOCAL_MACHINE\SOFTWARE\Policies

set Key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
>nul 2>&1 REG ADD !Key! /f /v DisableSR /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v DisableConfig /t REG_DWORD /d 1

set Key="%Policies%\Microsoft\Windows NT\SystemRestore"
>nul 2>&1 REG ADD !Key! /f /v DisableSR /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v DisableConfig /t REG_DWORD /d 1

echo == Disable Malicious Software Reporting Tool
set Key="%Policies%\Microsoft\MRT"
>nul 2>&1 REG ADD !Key! /f /v DontReportInfectionInformation /t REG_DWORD /d "1"
>nul 2>&1 REG ADD !Key! /f /v DontOfferThroughWUAU /t REG_DWORD /d "1"

echo == Disable Windows Defender Security Center Notifications
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender Security Center\Notifications" /f /v DisableNotifications /t REG_DWORD /d "1"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender Security Center\Notifications" /f /v DisableEnhancedNotifications /t REG_DWORD /d "1"

echo == Hide Windows Security Systray
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender Security Center\Systray" /f /v HideSystray /t REG_DWORD /d "1"

echo == Turn off Windows Defender
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d "1"

echo == Disable smartscreen
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows\System" /f /v EnableSmartScreen /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender\SmartScreen" /f /v ConfigureAppInstallControlEnabled /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender\SmartScreen" /f /v ConfigureAppInstallControl /t REG_SZ /d "Anywhere"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v Enabled /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v EnabledV8 /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v EnabledV9 /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /f /v 2301 /t REG_DWORD /d "3"
>nul 2>&1 REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen" /f /v value /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /f /v SmartScreenEnabled /t REG_SZ /d "Off"

echo == Disable smartscreen for store and apps
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /f /v EnableWebContentEvaluation /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /f /v PreventOverride /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State" /f /v AppAndBrowser_StoreAppsSmartScreenOff /t REG_DWORD /d "0"

echo == Disable smartscreen for microsoft edge
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge" /f /v SmartScreenEnabled /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge" /f /v SmartScreenPuaEnabled /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State" /f /v AppAndBrowser_EdgeSmartScreenOff /t REG_DWORD /d "0"

call :RunAsTI "%~dpf0"

timeout 10
exit

:RunAtSystemLevel
:RunAtSystemLevel
:RunAtSystemLevel

echo == Delete Windows Defender Services
for %%A IN (WinDefend, WdBoot, WdFilter, Sense, WdNisDrv, WdNisSvc) do (
>nul 2>&1 sc config %%A start=disabled
>nul 2>&1 sc stop %%A
>nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%%A" /f
)

echo == Close Windows Defender Application
for %%A IN (SecurityHealthService.exe, SecurityHealthSystray.exe, smartscreen.exe, MpCmdRun.exe) do >nul 2>&1 taskkill /im %%A

echo == Delete Windows Defender scheduled tasks
>nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Defender" /f

echo == Disable Malicious Software Reporting Tool
>nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe" /f

echo == Remove Defender Components
call :export cson > "%temp%\Windows.10.Defender_Uninstall.ps1"
>nul 2>&1 powershell -noprofile -executionpolicy bypass -file "%temp%\Windows.10.Defender_Uninstall.ps1"

echo == Remove Temper Protection
set Key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
>nul 2>&1 call :reg_own !key! "" S-1-5-114 "" Allow FullControl
>nul 2>&1 call :reg_own !key! "" S-1-5-32-544 "" Allow FullControl
>nul 2>&1 REG ADD !Key! /f /v DisableAntiSpyware /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v TamperProtection /t REG_DWORD /d 0

echo == Remove Windows Defender Folder
>nul 2>&1 call

estryFolder "%ProgramFiles%\Windows Defender"
>nul 2>&1 call

estryFolder "%ProgramFiles(x86)%\Windows Defender"
>nul 2>&1 call

estryFolder "%ALLUSERSPROFILE%\Windows Defender"
>nul 2>&1 call

estryFolder "%ProgramFiles%\Windows Defender Advanced Threat Protection"
>nul 2>&1 call

estryFolder "%ProgramFiles(x86)%\Windows Defender Advanced Threat Protection"
>nul 2>&1 call

estryFolder "%ALLUSERSPROFILE%\Microsoft\Windows Defender Advanced Threat Protection"

goto :eof

estryFolder
set targetFolder=%*
if exist %targetFolder% (
rd /s /q %targetFolder%
if exist %targetFolder% (
for /f "tokens=*" %%g in ('dir /b/s /a-d %targetFolder%') do move /y "%%g" "%temp%"
rd /s /q %targetFolder%
)
)
goto :eof

:export
rem AveYo's :export text attachments snippet
setlocal enabledelayedexpansion || Prints all text between lines starting with :NAME:[ and :NAME:] - A pure batch snippet by AveYo
set [=&for /f "delims=:" %%s in ('findstr/nbrc:":%~1:\[" /c:":%~1:\]" "%~f0"') do if defined [ (set/a ]=%%s-3) else set/a [=%%s-1
<"%~fs0" ((for /l %%i in (0 1 %[%) do set /p =)&for /l %%i in (%[% 1 %]%) do (set txt=&set /p txt=&echo(!txt!)) &endlocal &exit/b

:cson:[

#---------------------------------------------------------------
# Windows.10.Defender_Uninstall.ps1
# IMPORTANT: Run as Administrator or for the better as TrustedInstaller
# Stuff/Windows.10.Defender_Uninstall.ps1 at main · St1ckys/Stuff
#---------------------------------------------------------------

Set-ItemProperty -Path "REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*" -Name Visibility -Value "1"
Remove-Item -Path "REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*" -Include *Owner* -Recurse -Force | Out-Null
Get-ChildItem -Path "REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*" -Name | ForEach-Object {dism /online /remove-package /PackageName:$_ /NoRestart}

:cson:]

#:RunAsTI: #1 snippet to run as TI/System, with /high priority, /priv ownership, explorer and HKCU load
set ^ #=& set "0=%~f0"& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':RunAsTI\:.*')[1])& exit/b
$_CAN_PASTE_DIRECTLY_IN_POWERSHELL='^,^'; function RunAsTI ($cmd) { $id='RunAsTI'; $sid=((whoami /user)-split' ')[-1]; $code=@'
$ti=(whoami /groups)-like"*1-16-16384*"; $DM=[AppDomain]::CurrentDomain."DefineDynamicAss`embly"(1,1)."DefineDynamicMod`ule"(1)
$D=@(); 0..5|% {$D+=$DM."DefineT`ype"("M$_",1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype("System.Int`Ptr"); $U=[uintptr]
$D+=$U; 4..6|% {$D+=$D[$_]."MakeB`yRefType"()};$M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal");$Z=[uintptr]::size
$S=[string]; $F="kernel","advapi","advapi",($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),($U,$S,$I,$I,$D[9]),($U,$S,$I,$I,[byte[]],$I)
0..2|% {$9=$D[0]."DefinePInvokeMeth`od"(("CreateProcess","RegOpenKeyEx","RegSetValueEx")[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_]."CreateT`ype"()}
0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0]."GetMeth`od"($1).invoke(0,$2)};
if (!$ti) { $g=0; "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
function M($1,$2,$3){$M."GetMeth`od"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M "AllocHG`lobal" $I $_};
M "WriteInt`Ptr" ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
$A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
$out=@($null,"powershell -win 1 -nop -c iex `$env:A",0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F "CreateProcess" $out
} else { $env:A=''; $PRIV=[uri].module.gettype("System.Diagnostics.Process")."GetMeth`ods"(42) |? {$_.Name -eq "SetPrivilege"}
"SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeBackupPrivilege","SeRestorePrivilege" |% {$PRIV.Invoke(0, @("$_",2))}
$HKU=[uintptr][uint32]2147483651; $LNK=$HKU; $reg=@($HKU,"S-1-5-18",8,2,($LNK -as $D[9])); F "RegOpenKeyEx" $reg; $LNK=$reg[4]
function SYM($1,$2){$b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1");@($2,"SymbolicLinkValue",0,6,[byte[]]$b,$b.Length)}
F "RegSetValueEx" (SYM $(($key-split'\\')[1]) $LNK); $EXP="HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
$r="explorer"; if (!$cmd) {$cmd='C:\'}; $dir=test-path -lit ((($cmd -split '^("[^"]+")|^([^\s]+)') -ne'')[0].trim('"')) -type 1
if (!$dir) {$r="start `"$id`" /high /w"}; sp $EXP RunAs '' -force; start cmd -args ("/q/x/d/r title $id && $r",$cmd) -wait -win 1
do {sleep 7} while ((gwmi win32_process -filter 'name="explorer.exe"'|? {$_.getownersid().sid -eq "S-1-5-18"}))
F "RegSetValueEx" (SYM ".Default" $LNK); sp $EXP RunAs "Interactive User" -force } # lean and mean snippet by AveYo, 2018-2021
'@; $key="Registry::HKEY_USERS\$sid\Volatile Environment"; $a1="`$id='$id';`$key='$key';";$a2="`$cmd='$($cmd-replace"'","''")';`n"
sp $key $id $($a1,$a2,$code) -type 7 -force; $arg="$a1 `$env:A=(gi `$key).getvalue(`$id)-join'';rp `$key `$id -force; iex `$env:A"
$_PRESS_ENTER='^,^'; start powershell -args "-win 1 -nop -c $arg" -verb runas }; <#,#> RunAsTI $env:1; #:RunAsTI:

:reg_own #key [optional] all user owner access permission : call :reg_own "HKCU\My" "" S-1-5-32-544 "" Allow FullControl
powershell -nop -c $A='%~1','%~2','%~3','%~4','%~5','%~6';iex(([io.file]::ReadAllText('%~f0')-split':Own1\:.*')[1])&exit/b:Own1:
$D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ethods"(42) |where {$_.Name -eq 'SetPrivilege'} #`:no-ev-warn
'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege'|foreach {$D1.Invoke($null, @("$_",2))}
$path=$A[0]; $rk=$path-split'\\',2; $HK=gi -lit Registry::$($rk[0]) -fo; $s=$A[1]; $sps=[Security.Principal.SecurityIdentifier]
$u=($A[2],'S-1-5-32-544')[!$A[2]];$o=($A[3],$u)[!$A[3]];$w=$u,$o |% {new-object $sps($_)}; $old=!$A[3];$own=!$old; $y=$s-eq'all'
$rar=new-object Security.AccessControl.RegistryAccessRule( $w[0], ($A[5],'FullControl')[!$A[5]], 1, 0, ($A[4],'Allow')[!$A[4]] )
$x=$s-eq'none';function Own1($k){$t=$HK.OpenSubKey($k,2,'TakeOwnership');if($t){0,4|%{try{$o=$t.GetAccessControl($_)}catch{$old=0}
};if($old){$own=1;$w[1]=$o.GetOwner($sps)};$o.SetOwner($w[0]);$t.SetAccessControl($o); $c=$HK.OpenSubKey($k,2,'ChangePermissions')
$p=$c.GetAccessControl(2);if($y){$p.SetAccessRuleProtection(1,1)};$p.ResetAccessRule($rar);if($x){$p.RemoveAccessRuleAll($rar)}
$c.SetAccessControl($p);if($own){$o.SetOwner($w[1]);$t.SetAccessControl($o)};if($s){$subkeys=$HK.OpenSubKey($k).GetSubKeyNames()
foreach($n in $subkeys){Own1 "$k\$n"}}}};Own1 $rk[1];if($env:VO){get-acl Registry::$path|fl} #:Own1: lean & mean snippet by AveYo
::-_-::

jimbo45 · Sep 1, 2022

Master said:
Disable Temper Protection in defender and use this save as remove defnder.cmd

@cls
@echo off
>nul chcp 437
setlocal enabledelayedexpansion
title Group Policy Addins

>nul 2>&1 where powershell || (
echo.
echo Missing Critical files [powershell.exe]
echo.
pause
exit /b
)

rem == Destroy Defender Called from End OF Script
whoami|>nul findstr /i /c:"nt authority\system" && (
echo.
call :RunAtSystemLevel
timeout 6
exit
)

rem Credit ..
rem Bau For Run As TI Script
rem freddie-o, geepnozeex, St1ckys For Defender Script

cd /d "%~dp0"

:::: Run as administrator, AveYo: ps\vbs version
1>nul 2>nul fltmc || (
set "_=call "%~f0" %*" & powershell -nop -c start cmd -args'/d/x/r',$env:_ -verb runas || (
>"%temp%\Elevate.vbs" echo CreateObject^("Shell.Application"^).ShellExecute "%~dpf0", "%*" , "", "runas", 1
>nul "%temp%\Elevate.vbs" & del /q "%temp%\Elevate.vbs" )
exit)

echo.
set Policies=HKEY_LOCAL_MACHINE\SOFTWARE\Policies

set Key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
>nul 2>&1 REG ADD !Key! /f /v DisableSR /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v DisableConfig /t REG_DWORD /d 1

set Key="%Policies%\Microsoft\Windows NT\SystemRestore"
>nul 2>&1 REG ADD !Key! /f /v DisableSR /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v DisableConfig /t REG_DWORD /d 1

echo == Disable Malicious Software Reporting Tool
set Key="%Policies%\Microsoft\MRT"
>nul 2>&1 REG ADD !Key! /f /v DontReportInfectionInformation /t REG_DWORD /d "1"
>nul 2>&1 REG ADD !Key! /f /v DontOfferThroughWUAU /t REG_DWORD /d "1"

echo == Disable Windows Defender Security Center Notifications
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender Security Center\Notifications" /f /v DisableNotifications /t REG_DWORD /d "1"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender Security Center\Notifications" /f /v DisableEnhancedNotifications /t REG_DWORD /d "1"

echo == Hide Windows Security Systray
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender Security Center\Systray" /f /v HideSystray /t REG_DWORD /d "1"

echo == Turn off Windows Defender
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d "1"

echo == Disable smartscreen
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows\System" /f /v EnableSmartScreen /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender\SmartScreen" /f /v ConfigureAppInstallControlEnabled /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows Defender\SmartScreen" /f /v ConfigureAppInstallControl /t REG_SZ /d "Anywhere"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v Enabled /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v EnabledV8 /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Internet Explorer\PhishingFilter" /f /v EnabledV9 /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "%Policies%\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /f /v 2301 /t REG_DWORD /d "3"
>nul 2>&1 REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen" /f /v value /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /f /v SmartScreenEnabled /t REG_SZ /d "Off"

echo == Disable smartscreen for store and apps
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /f /v EnableWebContentEvaluation /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /f /v PreventOverride /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State" /f /v AppAndBrowser_StoreAppsSmartScreenOff /t REG_DWORD /d "0"

echo == Disable smartscreen for microsoft edge
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge" /f /v SmartScreenEnabled /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge" /f /v SmartScreenPuaEnabled /t REG_DWORD /d "0"
>nul 2>&1 REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State" /f /v AppAndBrowser_EdgeSmartScreenOff /t REG_DWORD /d "0"

call :RunAsTI "%~dpf0"

timeout 10
exit

:RunAtSystemLevel
:RunAtSystemLevel
:RunAtSystemLevel

echo == Delete Windows Defender Services
for %%A IN (WinDefend, WdBoot, WdFilter, Sense, WdNisDrv, WdNisSvc) do (
>nul 2>&1 sc config %%A start=disabled
>nul 2>&1 sc stop %%A
>nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%%A" /f
)

echo == Close Windows Defender Application
for %%A IN (SecurityHealthService.exe, SecurityHealthSystray.exe, smartscreen.exe, MpCmdRun.exe) do >nul 2>&1 taskkill /im %%A

echo == Delete Windows Defender scheduled tasks
>nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Defender" /f

echo == Disable Malicious Software Reporting Tool
>nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe" /f

echo == Remove Defender Components
call :export cson > "%temp%\Windows.10.Defender_Uninstall.ps1"
>nul 2>&1 powershell -noprofile -executionpolicy bypass -file "%temp%\Windows.10.Defender_Uninstall.ps1"

echo == Remove Temper Protection
set Key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
>nul 2>&1 call :reg_own !key! "" S-1-5-114 "" Allow FullControl
>nul 2>&1 call :reg_own !key! "" S-1-5-32-544 "" Allow FullControl
>nul 2>&1 REG ADD !Key! /f /v DisableAntiSpyware /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v TamperProtection /t REG_DWORD /d 0

echo == Remove Windows Defender Folder
>nul 2>&1 call estryFolder "%ProgramFiles%\Windows Defender"
>nul 2>&1 call estryFolder "%ProgramFiles(x86)%\Windows Defender"
>nul 2>&1 call estryFolder "%ALLUSERSPROFILE%\Windows Defender"
>nul 2>&1 call estryFolder "%ProgramFiles%\Windows Defender Advanced Threat Protection"
>nul 2>&1 call estryFolder "%ProgramFiles(x86)%\Windows Defender Advanced Threat Protection"
>nul 2>&1 call estryFolder "%ALLUSERSPROFILE%\Microsoft\Windows Defender Advanced Threat Protection"

goto :eof

estryFolder
set targetFolder=%*
if exist %targetFolder% (
rd /s /q %targetFolder%
if exist %targetFolder% (
for /f "tokens=*" %%g in ('dir /b/s /a-d %targetFolder%') do move /y "%%g" "%temp%"
rd /s /q %targetFolder%
)
)
goto :eof

:export
rem AveYo's :export text attachments snippet
setlocal enabledelayedexpansion || Prints all text between lines starting with :NAME:[ and :NAME:] - A pure batch snippet by AveYo
set [=&for /f "delims=:" %%s in ('findstr/nbrc:":%~1:\[" /c:":%~1:\]" "%~f0"') do if defined [ (set/a ]=%%s-3) else set/a [=%%s-1
<"%~fs0" ((for /l %%i in (0 1 %[%) do set /p =)&for /l %%i in (%[% 1 %]%) do (set txt=&set /p txt=&echo(!txt!)) &endlocal &exit/b

:cson:[

#---------------------------------------------------------------
# Windows.10.Defender_Uninstall.ps1
# IMPORTANT: Run as Administrator or for the better as TrustedInstaller
# Stuff/Windows.10.Defender_Uninstall.ps1 at main · St1ckys/Stuff
#---------------------------------------------------------------

Set-ItemProperty -Path "REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*" -Name Visibility -Value "1"
Remove-Item -Path "REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*" -Include *Owner* -Recurse -Force | Out-Null
Get-ChildItem -Path "REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*" -Name | ForEach-Object {dism /online /remove-package /PackageName:$_ /NoRestart}

:cson:]

#:RunAsTI: #1 snippet to run as TI/System, with /high priority, /priv ownership, explorer and HKCU load
set ^ #=& set "0=%~f0"& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':RunAsTI\:.*')[1])& exit/b
$_CAN_PASTE_DIRECTLY_IN_POWERSHELL='^,^'; function RunAsTI ($cmd) { $id='RunAsTI'; $sid=((whoami /user)-split' ')[-1]; $code=@'
$ti=(whoami /groups)-like"*1-16-16384*"; $DM=[AppDomain]::CurrentDomain."DefineDynamicAss`embly"(1,1)."DefineDynamicMod`ule"(1)
$D=@(); 0..5|% {$D+=$DM."DefineT`ype"("M$_",1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype("System.Int`Ptr"); $U=[uintptr]
$D+=$U; 4..6|% {$D+=$D[$_]."MakeB`yRefType"()};$M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal");$Z=[uintptr]::size
$S=[string]; $F="kernel","advapi","advapi",($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),($U,$S,$I,$I,$D[9]),($U,$S,$I,$I,[byte[]],$I)
0..2|% {$9=$D[0]."DefinePInvokeMeth`od"(("CreateProcess","RegOpenKeyEx","RegSetValueEx")[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_]."CreateT`ype"()}
0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0]."GetMeth`od"($1).invoke(0,$2)};
if (!$ti) { $g=0; "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
function M($1,$2,$3){$M."GetMeth`od"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M "AllocHG`lobal" $I $_};
M "WriteInt`Ptr" ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
$A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
$out=@($null,"powershell -win 1 -nop -c iex `$env:A",0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F "CreateProcess" $out
} else { $env:A=''; $PRIV=[uri].module.gettype("System.Diagnostics.Process")."GetMeth`ods"(42) |? {$_.Name -eq "SetPrivilege"}
"SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeBackupPrivilege","SeRestorePrivilege" |% {$PRIV.Invoke(0, @("$_",2))}
$HKU=[uintptr][uint32]2147483651; $LNK=$HKU; $reg=@($HKU,"S-1-5-18",8,2,($LNK -as $D[9])); F "RegOpenKeyEx" $reg; $LNK=$reg[4]
function SYM($1,$2){$b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1");@($2,"SymbolicLinkValue",0,6,[byte[]]$b,$b.Length)}
F "RegSetValueEx" (SYM $(($key-split'\\')[1]) $LNK); $EXP="HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
$r="explorer"; if (!$cmd) {$cmd='C:\'}; $dir=test-path -lit ((($cmd -split '^("[^"]+")|^([^\s]+)') -ne'')[0].trim('"')) -type 1
if (!$dir) {$r="start `"$id`" /high /w"}; sp $EXP RunAs '' -force; start cmd -args ("/q/x/d/r title $id && $r",$cmd) -wait -win 1
do {sleep 7} while ((gwmi win32_process -filter 'name="explorer.exe"'|? {$_.getownersid().sid -eq "S-1-5-18"}))
F "RegSetValueEx" (SYM ".Default" $LNK); sp $EXP RunAs "Interactive User" -force } # lean and mean snippet by AveYo, 2018-2021
'@; $key="Registry::HKEY_USERS\$sid\Volatile Environment"; $a1="`$id='$id';`$key='$key';";$a2="`$cmd='$($cmd-replace"'","''")';`n"
sp $key $id $($a1,$a2,$code) -type 7 -force; $arg="$a1 `$env:A=(gi `$key).getvalue(`$id)-join'';rp `$key `$id -force; iex `$env:A"
$_PRESS_ENTER='^,^'; start powershell -args "-win 1 -nop -c $arg" -verb runas }; <#,#> RunAsTI $env:1; #:RunAsTI:

:reg_own #key [optional] all user owner access permission : call :reg_own "HKCU\My" "" S-1-5-32-544 "" Allow FullControl
powershell -nop -c $A='%~1','%~2','%~3','%~4','%~5','%~6';iex(([io.file]::ReadAllText('%~f0')-split':Own1\:.*')[1])&exit/b:Own1:
$D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ethods"(42) |where {$_.Name -eq 'SetPrivilege'} #`:no-ev-warn
'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege'|foreach {$D1.Invoke($null, @("$_",2))}
$path=$A[0]; $rk=$path-split'\\',2; $HK=gi -lit Registry::$($rk[0]) -fo; $s=$A[1]; $sps=[Security.Principal.SecurityIdentifier]
$u=($A[2],'S-1-5-32-544')[!$A[2]];$o=($A[3],$u)[!$A[3]];$w=$u,$o |% {new-object $sps($_)}; $old=!$A[3];$own=!$old; $y=$s-eq'all'
$rar=new-object Security.AccessControl.RegistryAccessRule( $w[0], ($A[5],'FullControl')[!$A[5]], 1, 0, ($A[4],'Allow')[!$A[4]] )
$x=$s-eq'none';function Own1($k){$t=$HK.OpenSubKey($k,2,'TakeOwnership');if($t){0,4|%{try{$o=$t.GetAccessControl($_)}catch{$old=0}
};if($old){$own=1;$w[1]=$o.GetOwner($sps)};$o.SetOwner($w[0]);$t.SetAccessControl($o); $c=$HK.OpenSubKey($k,2,'ChangePermissions')
$p=$c.GetAccessControl(2);if($y){$p.SetAccessRuleProtection(1,1)};$p.ResetAccessRule($rar);if($x){$p.RemoveAccessRuleAll($rar)}
$c.SetAccessControl($p);if($own){$o.SetOwner($w[1]);$t.SetAccessControl($o)};if($s){$subkeys=$HK.OpenSubKey($k).GetSubKeyNames()
foreach($n in $subkeys){Own1 "$k\$n"}}}};Own1 $rk[1];if($env:VO){get-acl Registry::$path|fl} #:Own1: lean & mean snippet by AveYo
::-_-::

There's some mis-understanding here -- I DON'T WANT WD to be gone, I just want it to WORK - don't people understand SIMPLE PLAIN ENGLISH here any more.

This is the problem : WD won't open and says it needs another app !!! Surely people can understand what I posted. !!! It's not in 12th century Faroese or pre historic Sanscrit --surely.

Please @Master --tell me EXACTLY how I can turn off WD tamper protection if I can't get into WD in the first place !!!!!.

You might have all the skills on the planet in coding / obscure reg hacks or whatever --but please look at what the original problem actually consists of before providing answers.

Not wanting to be nasty -- there's enough of that around at the moment anyway - but I suggest a lot of failing problems that beset the world in general currently is that people are trying to give answers out before they've even understood the problem. Help is always appreciated but it needs to address the actual problem.

Cheers
jimbo

Master · Sep 1, 2022

Thread:

Disable Windows Defender Completely.

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Microsoft 365 Basic

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

Disable Windows Defender Completely.​

My Computer

Similar threads

Disable Windows Defender Completely.