81

I can't disable the Microsoft Antimalware service (MsMpSvc/MsMpEng.exe). I tried using services.msc, but the Startup Type drop-down is grayed out and I can't change it to Disabled nor stop the service. I also tried msconfig, but when I click Apply, the service gets enabled again. I even tried net stop msmpsvc and got system error 5 (access denied).

Any suggestions?

Sevenate
  • 1,456
Italo
  • 911

11 Answers

36

Just in case someone faces the same question on Windows 8/8.1 - there is now a built-in option to stop both Windows Defender-related services:

  • Windows Defender Network Inspection Service and
  • Windows Defender Service:

Turn off Windows Defender

Sevenate
  • 1,456
16

Another way to get around the protection:

  1. Go to options and
  2. Find where it says "Exclude files and folders"
  3. Then just add the "C:\" drive.

This way even if you can't disable it outright, it can't scan your computer at all.

Also do this for both Windows Defender and Microsoft Essentials.

9

The best way to disable the Defender is to run regedit.exe, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender, take ownership of this registry key (inside regedit.exe or via the 3rd party tool RegOwnershipEx) and set the values DisableAntiSpyware and DisableAntiVirus both to 1.


Note, if you only see 1 of the values, change this one.

8

OK, it appears the UI has changed, at least with Windows 10 "Creators Update":

Settings app -> "Update & Security" -> Windows Defender -> "Open Windows Defender Security Center" -> "Virus & Threat protection" -> "Virus & Threat Protection settings" (button) -> "Real-time protection", slide the selector button to "off".

Now MsMpEng.exe isn't using 100% CPU and the system is faster (though unprotected).

For a disk-intensive build my build times went from 8m33s to 1m49s, whoa! Also note that if you use WSL you can exclude its files from Windows Defender to get a similar speedup. Or any other folders.

rogerdpack
  • 2,394
6

If you just want to shut it down temporarily:

1) Open the search bar (right side of screen)

2) Search SETTINGS and type in ADVANCED

3) Select "Advanced startup options"

4) Scroll to the bottom and select "Restart now" (computer will restart and bring you to the Advanced Startup options menu.)

5) Select "Troubleshoot" at the Advanced Startup options menu.

6) Select the "Startup settings" option.

7) Select "Disable early-launch anti-malware protection" (option #8)

8) Select the restart button and you'll be brought to Windows.

Do whatever you want to do, and the next time you restart your computer it will be enabled automatically again.

SQLiteNoob
  • 161
  • 1
  • 2
4

On Windows 7, this MsMpEng.exe service is part of Microsoft Security Essentials (find it under Start > All Programs). You can disable its real-time protection, in the Settings tab:


However, this might not disable the MsMpEng.exe service from running, so you'd probably have to uninstall Microsoft Security Essentials for this matter:


Noam Manos
  • 2,222
3

Here is how to completely disable Windows Defender service on Windows 10 and Windows Server 2019:

Run as trusted installer

  • Click on it, you will get this prompt:

Enter the command to run with Trusted Installer privileges

  • Enter C:\Windows\System32\regedt32.exe and click OK.

This will launch Registry Editor with Trusted Installer privileges. Be extra careful because now you will be able to change or delete ANY registry key which means if you delete or change the wrong one you will hose your system.

  • Open HKLM\SYSTEM\CurrentControlSet\Services\WinDefend registry key.

  • Change the Start value to 4.

  • Reboot.

  • Enjoy your PC without Microsoft's protection.

A word of warning, don't do this unless you are absolutely sure you know what you are doing, because it will leave you exposed to malware.

3

Windows Defender/Microsoft Security Essentials is very tightly knit into the operating system in order to provide more security. It's best to disable it through the natural means than trying to cut it out piece by piece.

Go to your control panel, and select the entry for your Microsoft Antivirus. It might be listed as "Windows Defender" depending on your update history. Look in the 'settings' section in the Antivirus GUI for a "disable"

Depending on how updated your Windows Defender/MSE is, and how updated you received the program, these steps may vary, but the general idea is the same: disable it the way they provided you, not by trying to be crafty.

You'll find that many antiviruses will inject modifications into discrete crevasses of your operating system in the name of security.
Good rules of thumb to remember are to

  1. Always install, uninstall, disable, and so on, the way the manufacturer intended. If you fail to do so, and you don't know exactly what you're doing, start over. (e.g. Reinstall, then uninstall)
  2. Search for tools which allow you to clean up after failed operations. For example, Symantec provides the Norton Removal Tool, which will scan for leftovers of a damaged [un]installation and remove them.
jsvk
  • 343
1

Most answers are about Windows Defender, but the question asks about Microsoft Antimalware Service aka MsMpEng.exe, which is different.

To stop the Microsoft Antimalware Service you need TrustedInstaller permissions. One way to gain those is using the RunAsTI tool. When you run that it opens a command prompt with TrustedInstaller privileges, from which you can stop it with net stop:

C:\>whoami
nt authority\system

C:\>net stop msmpsvc
.
The Microsoft Antimalware Service service was stopped successfully.

Obviously only do this if you know what you're doing and choose to trust the RunAsTI tool (or Process Hacker plugin or whatever you use to obtain TI access).

If you want to disable the service permanently, you can run SubInACL /service MsMpSvc /grant=Administrators=F from that TrustedInstaller command prompt to grant Administrators Full Control over the service, then stop and disable it in the Service MMC snap-in as usual. Note that if you ever start it again it will reset its own permissions, so TrustedInstaller privileges will be required again to stop it.

I've tested this on Windows 7, but it should work on other versions that have TrustedInstaller (Vista and later).

(This is similar to Igor Levicki's answer, but a command-line version. The Process Hacker plugin binary doesn't seem to be available anymore.)

EM0
  • 1,881
-1

Go to Settings, Security, Virus & threat protection, Manage settings, Tamper protection. Set to Off. Then add this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001

Zombo
  • 1
-1

I'm not sure if any of these methods work for anyone, and there is probably a better way (and I'm not sure how permanent this is either), but for me I did the following:

Located the executable for Windows Defender, using open file location in Task Manager. For me it was located at C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and was called MsMpEng.exe

Booted up a Linux system via USB and used it to delete the file (since the program was always running, I couldn't delete it while Windows was running).

Steps using Arch (assuming you have the ISO, used Rufus to extract onto a USB, and have booted into Arch):

fdisk -l and located the name of the partition that would be the C: drive (for me /dev/sda3)

mount the drive so that it can be accessed mount /dev/sda3 /mnt/c

used cd to navigate to the exe location. /mnt/c, cd /ProgramData/Microsoft/Windows Defender/Platform/4.18.2107.4-0 used ls to check it was there (you can also do it one directory at a time for convenience).

Deleted the file rm MsMpEng.exe

Navigated out of the /mnt filesystem with cd ../

Unmounted the disk with umount

Rebooted and the program was gone.

If nothing works for you, this might at least be a temporary solution :D

P.S. For most people I don't recommend

  1. turning off your antivirus. It's a good way to get malware on your system,

  2. tampering with Windows systems in this way, at least without some sort of backup. This is a really good way to completely break your system.

Xantium
  • 115
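
The settings changed across the answers above (the `DisableAntiSpyware`/`DisableAntiVirus` values, the `WinDefend` `Start` value, the `DisableRealtimeMonitoring` policy, a `C:\` exclusion, tamper protection, and the deleted `MsMpEng.exe`) can be checked read-only in one pass. This is an added example, not code from any answer; `Get-DefenderTamperFinding` is a hypothetical helper name, and it assumes an elevated prompt and a `WinDefend` `ImagePath` with no arguments.

```powershell
# Added example: read-only audit of the Defender settings named in the answers.
# Get-DefenderTamperFinding is a hypothetical helper name. Run elevated.
function Get-DefenderTamperFinding {
    # Registry values from the answers, with the value that switches protection off.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Off = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'; Name = 'DisableAntiVirus'; Off = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
           Name = 'DisableRealtimeMonitoring'; Off = 1 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'; Name = 'Start'; Off = 4 }
    )
    foreach ($c in $checks) {
        $name = $c.Name
        $item = Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.$name -eq $c.Off) {
            [pscustomobject]@{ Check = "$($c.Path)\$name"; Value = $item.$name }
        }
    }
    # Service binary removed from disk (the offline-deletion answer).
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend' -ErrorAction SilentlyContinue
    if ($svc -and $svc.ImagePath) {
        $exe = [Environment]::ExpandEnvironmentVariables($svc.ImagePath.Trim('"'))
        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{ Check = 'WinDefend binary missing'; Value = $exe }
        }
    }
    # Whole-drive exclusions and live status, where the Defender module exists.
    if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
        try {
            foreach ($p in @((Get-MpPreference -ErrorAction Stop).ExclusionPath)) {
                if ($p -match '^[A-Za-z]:\\?$') {
                    [pscustomobject]@{ Check = 'Whole-drive exclusion'; Value = $p }
                }
            }
            $st = Get-MpComputerStatus -ErrorAction Stop
            if (-not $st.RealTimeProtectionEnabled) {
                [pscustomobject]@{ Check = 'Real-time protection off'; Value = $false }
            }
            if (-not $st.IsTamperProtected) {
                [pscustomobject]@{ Check = 'Tamper protection off'; Value = $false }
            }
        } catch {
            [pscustomobject]@{ Check = 'Defender status unavailable'; Value = $_.Exception.Message }
        }
    }
}
Get-DefenderTamperFinding | Format-Table -AutoSize
```

An empty result means none of these settings is in the disabled state; on a host with another antivirus product installed, a real-time-protection finding can be expected rather than a sign of tampering.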