43

I can't find any information on how to disable Windows Defender in Windows 10. There is some information about how to do it in the previews, but the configuration pages have changed with the final release.

Specifically, I want to stop and disable the Windows Defender Service.

  • Using net stop windefend from an elevated command prompt gives "access denied"
  • Stop and startup type are greyed out in services.msc, even when logged on as administrator
  • There doesn't seem to be a GUI way to disable UAC in Windows 10

Has anyone figured out how to disable Defender in Windows 10?

Todd Wilcox
  • 1,001

18 Answers

22

You are able to do this using a Group Policy.

open gpedit.msc

navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender

Turn off Windows Defender = Enabled

If you then try to open Windows Defender you'll see this: [screenshot]

And even though in Settings it may appear to be on, the Service is not running: [screenshot]

more info:

http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html

and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350

19

I found another way using the registry.

Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:

  1. Browse the registry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
  2. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.
  3. Change the Start value for each service to 0x4 (hex 4, decimal 4).
  4. Reboot.
Moab
  • 58,769
Todd Wilcox
  • 1,001
18

It would be helpful to understand why you cannot stop a particular service.

  • I'm the administrator; worse than failure can't the Administrator administrate?!

It's because of the security permissions on the WinDefend service.

Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"


Viewing Permissions

If you run from a command line:

>sc sdshow WinDefend

where

  • sdshow means "Displays a service's security descriptor."

You'll get the security descriptor:

C:\Users\Ian>sc sdshow WinDefend

D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:

D:
   (A;;CCLCSWRPLOCRRC;;;BU)
   (A;;CCLCSWRPLOCRRC;;;SY)
   (A;;CCLCSWRPLOCRRC;;;BA)
   (A;;CCLCSWRPLOCRRC;;;IU)
   (A;;CCLCSWRPLOCRRC;;;SU)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):

  • D: discretionary access control list
    • ACE1: A;;CCLCSWRPLOCRRC;;;BU
    • ACE2: A;;CCLCSWRPLOCRRC;;;SY
    • ACE3: A;;CCLCSWRPLOCRRC;;;BA
    • ACE4: A;;CCLCSWRPLOCRRC;;;IU
    • ACE5: A;;CCLCSWRPLOCRRC;;;SU
    • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
    • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.

Looking first at who they apply to, a random blog article decodes some of them (archive.is):

  • BU: Built-in users
  • SY: Local System
  • BA: Built-in administrators
  • IU: Interactively logged-on user
  • SU: Service logon user
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer
  • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736: Virtual NT service account NT SERVICE\WinDefend

You can get the name associated with an SID by running:

>wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name

Each ACE contains a list of permissions that the user is being allowed or denied.

  • D: discretionary access control list
    • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users
    • ACE 2: A;;CCLCSWRPLOCRRC;;; Local system
    • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators
    • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user
    • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user
    • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer
    • ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; NT SERVICE\WinDefend

Breaking down the remaining semicolon separated sections in an ACE:

  • ACE: A;;CCLCSWRPLOCRRC;;;
    • AceType: A ACCESS_ALLOWED_ACE_TYPE
    • AceFlags: (none)
    • AccessMask: CC LC SW RP LO CR RC
      • CC: CREATE_CHILD
      • LC: LIST_CHILDREN
      • SW: SELF_WRITE
      • RP: READ_PROPERTY
      • LO: LIST_OBJECT
      • CR: CONTROL_ACCESS
      • RC: READ_CONTROL
    • ObjectGuid: (none)
    • InheritObjectGuid: (none)

The leading A means Allowed, and the permissions are two-letter codes:

  • D: discretionary access control list
    • ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users
    • ACE 2: Allow, CC LC SW RP LO CR RC, Local system
    • ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators
    • ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user
    • ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user
    • ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer
    • ACE 7: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, NT SERVICE\WinDefend

And this is where I'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but I've already stopped it, and my PC is still misbehaving.

Spoiler:

sc sdset WinDefend [newSDLString]

Bonus Reading

Ian Boyd
  • 23,066
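As an added example (not code from the answer above), here is a small Python decoder for the D: component of an SDDL string that carries the decoding through for a service object. SDDL reuses the generic CC/DC/LC/... codes for every object type; when the descriptor belongs to a service they stand for the SERVICE_* rights from Microsoft's service security reference, and that is the mapping used here rather than the directory-object names listed in the answer. Run against the WinDefend descriptor from the answer, it shows the point being made: Administrators (BA) hold SERVICE_START but not SERVICE_STOP (WP) or SERVICE_CHANGE_CONFIG (DC), and only the two S-1-5-80 service SIDs hold those rights. The well-known-SID table is a subset, and numeric access masks are left undecoded.

```python
import re
from dataclasses import dataclass

# Two-letter SDDL access-right codes as they apply to a *service* object
# (SERVICE_* rights from winsvc.h; the generic GA/GR/GW/GX codes are included for completeness).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "AL": "SYSTEM_ALARM", "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED"}

ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}

# Subset of the well-known SID abbreviations SDDL allows; anything else stays a raw SID string.
WELL_KNOWN_SIDS = {
    "BU": "BUILTIN\\Users", "BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "AU": "NT AUTHORITY\\Authenticated Users", "WD": "Everyone",
    "LS": "NT AUTHORITY\\LOCAL SERVICE", "NS": "NT AUTHORITY\\NETWORK SERVICE",
}


@dataclass
class Ace:
    ace_type: str
    flags: list
    rights: list
    trustee: str
    sid: str


def _pairs(codes):
    """Split a run of two-letter SDDL codes ('CCLCSW') into ['CC', 'LC', 'SW']."""
    if len(codes) % 2:
        raise ValueError(f"odd-length code string: {codes!r}")
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]


def parse_sddl_dacl(sddl):
    """Return the ACEs of the D: (DACL) component of an SDDL string, decoded for a service."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL component found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")  # type;flags;rights;object_guid;inherit_object_guid;sid
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: {body!r}")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = parts[:6]
        if rights.lower().startswith("0x"):
            decoded = [f"MASK_{rights}"]  # numeric masks are not expanded here
        else:
            decoded = [SERVICE_RIGHTS.get(c, f"UNKNOWN_{c}") for c in _pairs(rights)]
        aces.append(Ace(
            ace_type=ACE_TYPES.get(ace_type, f"UNKNOWN_{ace_type}"),
            flags=[ACE_FLAGS.get(f, f) for f in _pairs(flags)],
            rights=decoded,
            trustee=WELL_KNOWN_SIDS.get(sid, sid),
            sid=sid,
        ))
    return aces


def trustees_with_right(aces, right):
    """Trustees granted `right` by an allow ACE and not refused it by a deny ACE.
    This is a per-trustee reading of the DACL, not a full access check: it does not
    expand a caller's token into its group memberships."""
    denied = {a.trustee for a in aces if a.ace_type == "ACCESS_DENIED" and right in a.rights}
    return [a.trustee for a in aces
            if a.ace_type == "ACCESS_ALLOWED" and right in a.rights and a.trustee not in denied]


def describe(aces):
    """One human-readable line per ACE."""
    return [f"{a.ace_type:<14} {a.trustee:<60} {' '.join(a.rights)}" for a in aces]


# The WinDefend descriptor shown in the answer (output of `sc sdshow WinDefend`).
WINDEFEND_SDDL = (
    "D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)"
    "(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)"
)

if __name__ == "__main__":
    aces = parse_sddl_dacl(WINDEFEND_SDDL)
    print("\n".join(describe(aces)))
    print("SERVICE_STOP holders:", trustees_with_right(aces, "SERVICE_STOP"))
    print("SERVICE_CHANGE_CONFIG holders:", trustees_with_right(aces, "SERVICE_CHANGE_CONFIG"))
```

On the defending side the same decoder is handy for a baseline check: dump `sc sdshow` for the services you care about, decode them, and alert when a new trustee appears with SERVICE_STOP, SERVICE_CHANGE_CONFIG or WRITE_DAC, since a changed service DACL is one of the first things to look for when a protected service suddenly becomes stoppable.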
14

Note: This may not work any more as of feature update 1909.

Short version

  1. Download
  2. Extract
  3. Double-click DisableDefender.reg

Explanation

By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.

Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001

If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.

You can download the files to disable and re-enable defender from Gist.

Zenexer
  • 1,555
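The following Python is an added example, not the answer's code or the linked Gist: it parses REGEDIT5-format text such as the DisableDefender.reg above and reports the entries that would weaken Defender, covering the two policy values shown here as well as the Start=4 service entries from the registry answer earlier in the thread and the deletion of a Defender service key. The .reg sample is constructed for the example, and the rule list is illustrative rather than complete. On the defending side it is the check to run over .reg files in a software-distribution share or a ticket attachment before anyone imports them, or over an exported policy key when diffing against a baseline.

```python
import re


def parse_reg(text):
    """Parse REGEDIT5-format text into {key: {value_name: (type, data)}}.
    A '[-KEY]' line marks a key deletion and maps that key to None.
    dword values become ints, quoted strings become str, '-' marks a value deletion;
    other kinds (hex:, hex(2):, multi-line hex) are kept as raw text."""
    entries = {}
    current = None
    pending = None  # value whose hex data continues on following lines (trailing backslash)
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            kind, sofar = current[pending]
            current[pending] = (kind, sofar + line.rstrip("\\"))
            if not line.endswith("\\"):
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                entries[key[1:]] = None
                current = None
            else:
                if entries.get(key) is None:
                    entries[key] = {}
                current = entries[key]
            continue
        if current is None:
            raise ValueError(f"value outside a key: {raw!r}")
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        name = "@" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if data == "-":
            current[name] = ("delete", None)
        elif data.lower().startswith("dword:"):
            current[name] = ("REG_DWORD", int(data[6:], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = ("REG_SZ", data[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
        else:
            current[name] = ("raw", data.rstrip("\\"))
            if data.endswith("\\"):
                pending = name
    return entries


DEFENDER_SERVICE_KEY = r"\\Services\\(WinDefend|WdFilter|WdBoot|WdNisDrv|WdNisSvc|Sense)$"

# (key pattern, value name, DWORD value that weakens Defender, meaning)
DEFENDER_TAMPER_RULES = [
    (r"\\Microsoft\\Windows Defender$", "DisableAntiSpyware", 1, "Defender turned off (DisableAntiSpyware=1)"),
    (r"\\Microsoft\\Windows Defender$", "DisableRoutinelyTakingAction", 1, "Defender will not act on detections"),
    (r"\\Microsoft\\Windows Defender\\Real-Time Protection$", "DisableRealtimeMonitoring", 1, "real-time protection disabled"),
    (DEFENDER_SERVICE_KEY, "Start", 4, "service/driver start type set to 4 (Disabled)"),
]


def audit_reg(text):
    """Return (key, value_name, meaning) for every entry that would weaken Defender."""
    findings = []
    for key, values in parse_reg(text).items():
        if values is None:
            if re.search(DEFENDER_SERVICE_KEY, key, re.IGNORECASE):
                findings.append((key, None, "Defender service key deleted"))
            continue
        lowered = {n.lower(): v for n, v in values.items()}  # value names are case-insensitive
        for key_re, name, bad, meaning in DEFENDER_TAMPER_RULES:
            if not re.search(key_re, key, re.IGNORECASE):
                continue
            kind, data = lowered.get(name.lower(), (None, None))
            if kind == "REG_DWORD" and data == bad:
                findings.append((key, name, meaning))
    return findings


# Constructed sample: the two policy values from DisableDefender.reg, one service
# Start entry of the kind the registry answer describes, and an unrelated key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Benign]
@="default value"
"Enabled"=dword:00000001
"Path"="C:\\Example\\app.exe"
"""

if __name__ == "__main__":
    for key, name, meaning in audit_reg(SAMPLE_REG):
        print(f"{key} :: {name or '(key)'} :: {meaning}")
```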
3

I have written the batch file and registry files that should completely disable Windows Defender in Windows 10.

  1. Save the following files into the same folder.
  2. Run Disable Windows Defender.bat as administrator.
  3. After the batch file is done, restart.
  4. The latest versions of Windows 10 make it difficult to terminate the "MsMpEng.exe" process, so you will have to boot into a different operating system and rename or delete the Windows Defender folders in Program Files manually before proceeding to the next step.
  5. Run Disable Windows Defender.bat again as administrator.
  6. Windows Defender should be completely disabled now.

Disable Windows Defender.bat

@echo off

call :main %*
goto :eof

:main
setlocal EnableDelayedExpansion

rem Check if Windows Defender is running.
tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
if %errorLevel% equ 0 (
    rem Windows Defender is running.
    echo Windows Defender is running.

    rem Performable operations while Windows Defender is running.
    rem Disable Windows Defender drivers.
    echo Disabling Windows Defender drivers...
    set "drivers="%SystemRoot%\System32\drivers\WdBoot.sys";"%SystemRoot%\System32\drivers\WdFilter.sys";"%SystemRoot%\System32\drivers\WdNisDrv.sys""
    set "drivers=!drivers:""="!"

    set "wasDriverDisabled=false"
    for %%d in (!drivers!) do (
        if exist "%%~d" (
            echo Disabling Windows Defender driver "%%~d"...
            call :disableFile "%%~d"
            set "wasDriverDisabled=true"
        )
    )

    rem Disable Windows Defender objects.
    echo Disabling Windows Defender objects...
    call :importRegistry "Disable Windows Defender objects.reg"

    rem Require restart to unload Windows Defender drivers and objects.
    echo.
    echo Restart required.
) else (
    rem Windows Defender is not running.
    echo Windows Defender is not running.

    rem Performable operations while Windows Defender is not running.
    rem Disable Windows Defender features.
    echo Disabling Windows Defender features...
    call :importRegistry "Disable Windows Defender features.reg"
    rem Disable Windows Defender services.
    echo Disabling Windows Defender services...
    call :importRegistry "Disable Windows Defender services.reg"

    rem Disable Windows Defender files.
    echo Disabling Windows Defender files...
    ren "%ProgramFiles%\Windows Defender" "Windows Defender.bak"
    ren "%ProgramFiles(x86)%\Windows Defender" "Windows Defender.bak"
    ren "%ProgramData%\Microsoft\Windows Defender" "Windows Defender.bak"
)

endlocal
goto :eof

:ownFile
setlocal
set "filePath=%~1"
set "user=%~2"
takeown /f "%filePath%" /a
icacls "%filePath%" /grant "%user%:F"
endlocal
goto :eof

:disableFile
setlocal
set "filePath=%~1"
call :ownFile "%filePath%" "Administrators"
ren "%filePath%" "%~nx1.bak"
endlocal
goto :eof

:importRegistry
setlocal
set "filePath=%~1"
call OwnRegistryKeys.bat "%filePath%"
@echo off
regedit /s "%filePath%"
endlocal
goto :eof

Disable Windows Defender objects.reg

Windows Registry Editor Version 5.00

; Disable "Scan with Windows Defender..." right click context menu.
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

; Disable "DefenderCSP.dll".
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

; Disable InfectionState WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

; Disable Status WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

; Disable Microsoft Windows Defender ("MsMpCom.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]

; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

; Disable MP UX Host ("MpUxSrv.exe").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]

Disable Windows Defender features.reg

Windows Registry Editor Version 5.00

; Disable Windows Defender features.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\UX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\UX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001

Disable Windows Defender services.reg

Windows Registry Editor Version 5.00

; Disable "Windows Defender" services.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004

OwnRegistryKeys.bat

@echo off

rem Get the location of the PowerShell file.
for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
    rem Run command for each argument.
    for %%a in (%*) do (
        powershell -executionPolicy bypass -file "%%~f" "%%~a"
    )
)

OwnRegistryKeys.ps1

$script:baseKey = @{
    "HKEY_CLASSES_ROOT" = @{
        "name" = "HKEY_CLASSES_ROOT";
        "shortName" = "HKCR";
        "key" = [Microsoft.Win32.Registry]::ClassesRoot
    };
    "HKEY_CURRENT_CONFIG" = @{
        "name" = "HKEY_CURRENT_CONFIG";
        "shortName" = "HKCC";
        "key" = [Microsoft.Win32.Registry]::CurrentConfig
    };
    "HKEY_CURRENT_USER" = @{
        "name" = "HKEY_CURRENT_USER";
        "shortName" = "HKCU";
        "key" = [Microsoft.Win32.Registry]::CurrentUser
    };
    "HKEY_DYN_DATA" = @{
        "name" = "HKEY_DYN_DATA";
        "shortName" = "HKDD";
        "key" = [Microsoft.Win32.Registry]::DynData
    };
    "HKEY_LOCAL_MACHINE" = @{
        "name" = "HKEY_LOCAL_MACHINE";
        "shortName" = "HKLM";
        "key" = [Microsoft.Win32.Registry]::LocalMachine
    };
    "HKEY_PERFORMANCE_DATA" = @{
        "name" = "HKEY_PERFORMANCE_DATA";
        "shortName" = "HKPD";
        "key" = [Microsoft.Win32.Registry]::PerformanceData
    };
    "HKEY_USERS" = @{
        "name" = "HKEY_USERS";
        "shortName" = "HKU";
        "key" = [Microsoft.Win32.Registry]::Users
    }
}

function enablePrivilege {
param(
    # The privilege to adjust. This set is taken from:
    # http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
    [validateSet(
        "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
        "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
        "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
        "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege",
        "SeIncreaseBasePriorityPrivilege", "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege",
        "SeLoadDriverPrivilege", "SeLockMemoryPrivilege", "SeMachineAccountPrivilege",
        "SeManageVolumePrivilege", "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege",
        "SeRemoteShutdownPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege",
        "SeShutdownPrivilege", "SeSyncAgentPrivilege", "SeSystemEnvironmentPrivilege",
        "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeTakeOwnershipPrivilege",
        "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
        "SeUndockPrivilege", "SeUnsolicitedInputPrivilege"
    )]
    $privilege,

    # The process on which to adjust the privilege. Defaults to the current process.
    $processId = $pid,

    # Switch to disable the privilege, rather than enable it.
    [switch] $disable
)

# Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;

public class AdjustPrivilege {
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid {
    public int Count;
    public long Luid;
    public int Attr;
}

internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
    bool result;
    TokPriv1Luid tp;
    IntPtr hproc = new IntPtr(processHandle);
    IntPtr htok = IntPtr.Zero;
    result = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
    tp.Count = 1;
    tp.Luid = 0;
    if (disable) {
        tp.Attr = SE_PRIVILEGE_DISABLED;
    } else {
        tp.Attr = SE_PRIVILEGE_ENABLED;
    }
    result = LookupPrivilegeValue(null, privilege, ref tp.Luid);
    result = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    return result;
}

}
'@

$processHandle = (get-process -id $processId).handle
$type = add-type $definition -passThru
$type[0]::EnablePrivilege($processHandle, $privilege, $disable)

}

function getKeyNames {
param(
    [parameter(mandatory = $true)]
    [string[]] $filePaths = $null
)

return (get-content $filePaths | select-string -pattern "\[\-?(.*)\]" -allMatches | forEach-object {$_.matches.groups[1].value} | get-unique)

}

function splitKeyName {
param(
    [parameter(mandatory = $true)]
    [string] $keyName = $null
)

$names = $keyName.split("\\/", 2)

$rootKeyName = $names[0]
$subKeyName = $names[1]

$keyPart = @{
    root = $baseKey[$rootKeyName];
    subKey = @{
        name = $subKeyName
    }
}

return $keyPart

}

function ownRegistryKey {
param(
    [parameter(mandatory = $true)]
    [string] $keyName = $null
)

write-host """$keyName"""

# Check if the key exists.
if ($(try { test-path -path "Registry::$keyName".trim() } catch { $false })) {
    write-host "    Opening..."

    $keyPart = splitKeyName -keyName $keyName
    $ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($ownableKey -ne $null) {
        # Set the owner.
        write-host "    Setting owner..."
        $acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
        $owner = [System.Security.Principal.NTAccount] "Administrators"
        $acl.setOwner($owner)
        $ownableKey.setAccessControl($acl)

        # Set the permissions.
        write-host "    Setting permissions..."
        $acl = $ownableKey.getAccessControl()
        $person = [System.Security.Principal.NTAccount] "Administrators"
        $access = [System.Security.AccessControl.RegistryRights] "FullControl"
        $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
        $propagation = [System.Security.AccessControl.PropagationFlags] "None"
        $type = [System.Security.AccessControl.AccessControlType] "Allow"

        $rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
        $acl.setAccessRule($rule)
        $ownableKey.setAccessControl($acl)

        $ownableKey.close()

        write-host "    Done."

        # Own children subkeys.
        $readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
        if ($readableKey -ne $null) {
            $subKeyNames = ($readableKey.getSubKeyNames() | forEach-object { "$keyName\$_" })
            $readableKey.close()
            if ($subKeyNames -ne $null) {
                ownRegistryKeys -keyNames $subKeyNames
            }
        } else {
            write-host "    Unable to open children subkeys."
        }
    } else {
        write-host "    Unable to open subkey."
    }
} else {
    write-host "    Key does not exist."
}

write-host

}

function ownRegistryKeys {
param(
    [parameter(mandatory = $true)]
    [string[]] $keyNames = $null
)

$keyName = $null
foreach ($keyName in $keyNames) {
    # Own parent key and children subkeys.
    ownRegistryKey -keyName $keyName
}

}

function requestPrivileges {
$numberOfRetries = 10

$privilegeResult = $false
for ($r = 0; !$privilegeResult -and $r -lt $numberOfRetries; $r += 1) {
    $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
}

if (!$privilegeResult) {
    write-host "Unable to receive privilege."
    exit 1
}

}

function main {
param(
    [parameter(mandatory = $true)]
    [string[]] $filePaths = $null
)

requestPrivileges

$keyNames = getKeyNames -filePaths $filePaths
ownRegistryKeys -keyNames $keyNames

}

main $args

XP1
  • 1,091
3

To disable Windows Defender completely (not just the Real-Time protection) you can:

  1. Install another security suite (as Ramhound mentioned).
  2. If you're willing to use a third party application, you could use NoDefender: http://msft.gq/pub/apps/NoDefender.zip

More information about NoDefender can be found here: http://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/

1

It is not so easy to reliably and totally disable Windows Defender. There is a PowerShell script that uninstalls Windows Defender, but you may not be able to install it back later. This script requires two reboots.

Just download the Debloat-Windows-10 and follow these steps, provided by the author:

  1. Unpack the archive;
  2. Enable execution of PowerShell scripts:

    PS> Set-ExecutionPolicy Unrestricted

  3. Unblock PowerShell scripts and modules within this directory:

    PS > ls -Recurse *.ps1 | Unblock-File
    PS > ls -Recurse *.psm1 | Unblock-File

  4. Run scripts\disable-windows-defender.ps1

  5. Reboot the computer (either usual way or via the PS > Restart-Computer)
  6. Run scripts\disable-windows-defender.ps1 one more time.
  7. Reboot the computer again.

This is not the easiest way, but very reliable and resilient.

There are also scripts to remove unnecessary programs like BingFinance, Skype, OneDrive, etc., if you don't need them.

The archive also contains a lot of scripts that you may find useful.

Please be aware that these scripts irreversibly delete files and can delete vital functions of Windows. For example, they may totally disable the Start menu!

Don't run disable-ShellExperienceHost.bat from this package, otherwise the Start Menu will stop opening.

1

In my experience setting the Group Policy is the most reliable way to stop Windows Defender and its Antimalware Service Executable. However, I recently encountered a situation where setting a Group Policy had no effect, and the Antimalware executable kept running and eating into my CPU.

I ended up writing a small script to take ownership of the executable and deny read and execute access rights for it. This solved the problem. The script is below.

@echo off

echo.
echo Disabling Windows Defender Antimalware Executable
echo Note: must be run with Admin permissions
echo.

rem taking ownership of Windows Defender files so that we can change their permissions
takeown /f "%PROGRAMDATA%\Microsoft\Windows Defender\Platform" /A /r /d y > takeown-result.txt

rem denying read and execute for all MsMpEng.exe files found in the directory structure (there may be multiple versions)
icacls %PROGRAMDATA%"\Microsoft\Windows Defender\Platform\*MsMpEng.exe" /deny SYSTEM:(RX) /T /C  /deny Administrators:(RX) /T /C   /deny Users:(RX) /T /C

@echo on
Andy
  • 271
0

I found that the following procedure works well; it doesn't remove or disable Windows Defender, but it disables Windows Defender SERVICE, stops all start-up and real-time scanning, and prevents Windows Defender Real-Time Scan from turning itself back on. (It leaves Windows Defender in-place, so you can use it to perform on-demand scanning of suspicious files.)

PROCEDURE:

  1. Find, download, install "SysInternals" program suite.
  2. Run program "AutoRuns".
  3. Find "Windows Defender Service".
  4. Uncheck the box.
  5. Restart your computer.

After doing that, my startup time decreased from 20min to 5min, and memory usage after startup (before launching any apps) decreased from 2.1GB to 1.2GB. And when I looked in "Services", I found that "Windows Defender Service", while still there, is now marked "NOT running, Disabled".

0

The easiest way I've found is to open an administrator command prompt and run:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1

Then reboot. I have not been able to find a way to shut down the service once it is started without a reboot.

jcoffland
  • 439
0

After trying heaps of methods both here and on other sites, I've finally found something that works (tested on v1909 and v2004)!

Sadly it's a 3rd party program but it's a portable EXE with GUI or can be run by command line.

Defender Control 1.6

Defender Control is a small Portable freeware which will allow you to disable Windows Defender in Windows 10 completely.


KERR
  • 624
0

Disabling defender as newer W10 versions are pushed out is getting harder.

I have successfully removed the windows defender service with no side effects so far.

Windows 10 Version 2004 build 19041.450

This eliminated defender service from the PC

Use a bootable offline registry editor of your choice. I used a Windows 7 64-bit ERD disc to do it; it is not publicly available but can be found. It has a registry editor that ignores permissions.

Once booted into the registry editor navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend

delete the WinDefend key

I would export the key first, then if you want it back you can merge the saved key back into the registry and reboot.

You can disable sidebar security messages about defender:

Disable Security Messages on Windows 10

Tap on the Windows-key, type regedit.exe, and hit the Enter-key on the keyboard afterwards. Confirm the UAC prompt that appears.

Go to

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer

using the left sidebar menu. If Explorer does not exist, right-click on Windows Key and select New > Key, and name it Explorer. Right-click on Explorer, and select New > Dword (32-bit) Value.

Name it

DisableNotificationCenter.

Double-click the new entry afterwards, and set its value to 1.

Restart the PC

Moab
  • 58,769
0

I've worked for days to achieve this, looking at almost any work done on the Internet, including the posts here. I did not find any way to do it without using third-party dependencies. So I wrote a script for it instead.

You can apply it directly using https://privacy.sexy or through its GitHub page with a nice UI and categories. It's community-tested and completely open-source.

I cannot copy it here due to the character limit; it's a batch script of around 1000 lines with some PowerShell calls. It's totally reversible to Windows defaults, but you need to run the revert script twice.

I combined different strategies to achieve as much persistence as possible, including some techniques here so thank you all for posting your findings:

  1. Disable any configuration Microsoft made configurable
  2. Disable scheduled tasks
  3. Disable services / drivers through (hacky way, but not possible without it):
    • Normal service management
    • Using privileged TrustedInstaller user because Administrator is not enough
    • Editing registry
    • Renaming files
U. Bulle
  • 183
0

I had to restart the Antimalware service, not disable it. I downloaded Advanced Run.

Then from the drop-down list I selected Run As Trusted Installer Program to run cmd.exe, clicked Run, then stopped and started the service:

sc stop WinDefend
sc start WinDefend
0

Info for 2023-02-24: tried other answers but Windows Defender always comes back.

How I succeeded:

  1. Safe mode by msconfig, PowerShell script:

    $regpath='HKLM:\SYSTEM\CurrentControlSet\Services'
    Set-ItemProperty -Path ($regpath+"\WinDefend") -Name Start -Value 4
    Set-ItemProperty -Path ($regpath+"\Sense") -Name Start -Value 4
    Set-ItemProperty -Path ($regpath+"\WdFilter") -Name Start -Value 4
    Set-ItemProperty -Path ($regpath+"\WdNisDrv") -Name Start -Value 4
    Set-ItemProperty -Path ($regpath+"\WdNisSvc") -Name Start -Value 4
    Set-ItemProperty -Path ($regpath+"\WdBoot") -Name Start -Value 4

  2. Normal boot, PowerShell script:

    Get-ScheduledTask "Windows Defender Cache Maintenance" | Disable-ScheduledTask
    Get-ScheduledTask "Windows Defender Cleanup" | Disable-ScheduledTask
    Get-ScheduledTask "Windows Defender Scheduled Scan" | Disable-ScheduledTask
    Get-ScheduledTask "Windows Defender Verification" | Disable-ScheduledTask

Only need to turn off notifications.

pbies
  • 3,550
0

Answer: IObit Unlocker or Unlocker to remove the Antimalware Service Executable folder and file from your hard drive.


Recommended steps for a good debloat :)

After a fresh Windows installation, make sure you do all the Windows updates. For some reason Windows won't always find all the needed/recent updates for your device right away, so leave your PC on for a day or two, restart every 5-6 hours and check for Windows updates during these two days. After these two days, make sure every device in Device Manager is working properly (no unknown devices or yellow triangles under devices), so either install Windows optional updates (which should install the appropriate drivers), or download the drivers for your device yourself.

On the last day of the updates, use Windows' cleaner to clean the Windows Update cache, restart, and check for updates one last time.

After these are done:

Disable Tamper Protection in Windows Defender and then use:

Winaero Tweaker to disable Windows Update (and other crap) and restart,
IObit Unlocker or Unlocker to remove the Antimalware Service Executable folder and file from your hard drive.

Additionally:

WPD.exe to disable telemetry and restart,
OOSU10.exe to disable whatever is left and restart.

Win-Debloat-Tools to debloat your system (they have some in-depth tweaks) and restart.

Finally, it's useful to follow a video like this one, as every year new people find new ways to debloat Windows.

Remember that after a Windows update, some of the disabled features might get re-installed/re-enabled. Make sure you have automatic Windows updates turned off (check for Windows updates when you want to check) and every now and then check the Windows features configuration (in case they got re-enabled).

I have achieved less than 2.5 GB RAM usage with the above tools.

For daily use I recommend using BCUninstaller to uninstall programs (it's a deep uninstaller, but open-source) in combination with Everything, which is a tool that can search everything in your PC, to delete leftovers from uninstalled programs (as BCUninstaller can't find everything).

Tools like CCleaner are good for registry cleaning and, importantly, for disabling startup programs. Disabling programs' auto-update features and just enabling them once every 3-4 months for the updates to happen is a great way to save some GB of RAM. There are some startup items you might disable from CCleaner that will ruin your day: you can disable Wi-Fi completely, the printer capability and the audio of Windows. They are reversible; just find out which service was the one for audio/Wi-Fi/printer and re-enable it.

After doing all of the above, you might want to do something to reduce latency (this includes unlocking all cores of your CPU, using a debloater for your Nvidia drivers, etc.); I recommend this video.

-2

The easy PowerShell method is here, from an answer I posted on a question later marked a duplicate of this one.

The easiest way to do this would be to use PowerShell to disable it; the command you probably want is this:

    Set-MpPreference -DisableRealtimeMonitoring $true
    Get-Service WinDefend | Stop-Service

For an article on using PowerShell to disable/enable Windows Defender check here: http://wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows-10-using-powershell

Here is the TechNet article for a more detailed look at the available Defender cmdlets: https://technet.microsoft.com/en-us/library/dn433280.aspx

Abraxas
  • 4,486
-2

Go to Settings, Security, Virus & threat protection, Manage settings, Tamper protection. Set to Off. Then add this:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
    "DisableRealtimeMonitoring"=dword:00000001
Zombo
  • 1
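An added audit script, not from any answer on this page, that reads the same service Start values and scheduled tasks that pbies's answer changes and the Real-Time Protection policy value that Zombo's .reg file sets, and reports which are still at Windows defaults. It assumes the standard `\Microsoft\Windows\Windows Defender\` task path and the `Get-MpComputerStatus` cmdlet, and it changes nothing.

```powershell
# Added audit example (not from any answer here): report-only check of the
# Defender services, scheduled tasks and policy value the answers modify.
# Run from an elevated PowerShell prompt.

$services  = 'WinDefend', 'Sense', 'WdFilter', 'WdNisDrv', 'WdNisSvc', 'WdBoot'
$tasks     = 'Windows Defender Cache Maintenance', 'Windows Defender Cleanup',
             'Windows Defender Scheduled Scan', 'Windows Defender Verification'
$taskPath  = '\Microsoft\Windows\Windows Defender\'   # assumed standard task folder
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'

# Start value meanings: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

Write-Output '== Service start types (4 = disabled) =='
foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $start = (Get-ItemProperty -Path $key -Name Start).Start
        $flag  = if ($start -eq 4) { '  <-- DISABLED' } else { '' }
        '{0,-10} Start={1} ({2}){3}' -f $svc, $start, $startNames[[int]$start], $flag
    } else {
        '{0,-10} service key not present' -f $svc
    }
}

Write-Output ''
Write-Output '== Scheduled tasks =='
foreach ($name in $tasks) {
    $t = Get-ScheduledTask -TaskName $name -TaskPath $taskPath -ErrorAction SilentlyContinue
    if ($t) { '{0,-36} {1}' -f $name, $t.State } else { '{0,-36} not found' -f $name }
}

Write-Output ''
Write-Output '== Real-Time Protection policy =='
$pol = Get-ItemProperty -Path $policyKey -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
if ($pol) { "DisableRealtimeMonitoring = $($pol.DisableRealtimeMonitoring) (policy set)" }
else      { 'DisableRealtimeMonitoring not set (default)' }

Write-Output ''
Write-Output '== Defender self-report =='
try {
    Get-MpComputerStatus -ErrorAction Stop |
        Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected |
        Format-List
} catch {
    # Fails when the WinDefend service itself is stopped or disabled
    "Get-MpComputerStatus failed: $($_.Exception.Message)"
}
```

Any service showing Start=4, a task in the Disabled state, or a policy value of 1 means one of the changes described in these answers (or something else with the same effect) is in place on the machine.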