Disable Windows Defender in Windows 10












27















I can't find any information on how to disable Windows Defender in Windows 10. There is some information about how to do it in the previews, but the configuration pages have changed with the final release.



Specifically, I want to stop and disable the Windows Defender Service.




  • Using net stop windefend from an elevated command prompt gives "access denied"

  • Stop and startup type are greyed out in sevices.msc, even when logged on as administrator

  • There doesn't seem to be a GUI way to disable UAC in Windows 10


Has anyone figured out how to disable Defender in Windows 10?










share|improve this question


















  • 3





    Simplest method. Just install a paid/free security suite and it will automatically disable itself. Outside of that just go to` Update and Security` and disable the Real-Time protection. You cannot disable UAC in Windows 8 and above to the same degree as you could in Windows 7. Of course I am not sure what the UAC has to do with Windows Defender.

    – Ramhound
    Jul 30 '15 at 20:58













  • I mentioned UAC because it seemed possible that UAC was preventing me from disabling Defender. I haven't deployed the latest Kaspersky that supports Windows 10 yet, and frankly I'm not so confident that Kaspersky will install well with Defender running. Plus I want to be able to disabled it on principle in case I need or want to for other reasons.

    – Todd Wilcox
    Jul 30 '15 at 21:02











  • I opened Update & Security and I am able to disable Windows Defender. Personally I was able to disable the service though after I do that.

    – Ramhound
    Jul 30 '15 at 21:08











  • Windows Defender is designed to be easily replacable, just install another AV and it should automatically turn off.

    – gronostaj
    Jul 30 '15 at 21:15






  • 3





    @gronostaj If my question were how to replace Windows Defender with another A/V solution, I would suggest you post your comment as an answer and I'd accept it, except your comment is the same as Ramhound's, so I'd really suggest he do it. But that's not what I'm trying to do.

    – Todd Wilcox
    Jul 30 '15 at 21:26
















27















I can't find any information on how to disable Windows Defender in Windows 10. There is some information about how to do it in the previews, but the configuration pages have changed with the final release.



Specifically, I want to stop and disable the Windows Defender Service.




  • Using net stop windefend from an elevated command prompt gives "access denied"

  • Stop and startup type are greyed out in sevices.msc, even when logged on as administrator

  • There doesn't seem to be a GUI way to disable UAC in Windows 10


Has anyone figured out how to disable Defender in Windows 10?










share|improve this question


















  • 3





    Simplest method. Just install a paid/free security suite and it will automatically disable itself. Outside of that just go to` Update and Security` and disable the Real-Time protection. You cannot disable UAC in Windows 8 and above to the same degree as you could in Windows 7. Of course I am not sure what the UAC has to do with Windows Defender.

    – Ramhound
    Jul 30 '15 at 20:58













  • I mentioned UAC because it seemed possible that UAC was preventing me from disabling Defender. I haven't deployed the latest Kaspersky that supports Windows 10 yet, and frankly I'm not so confident that Kaspersky will install well with Defender running. Plus I want to be able to disabled it on principle in case I need or want to for other reasons.

    – Todd Wilcox
    Jul 30 '15 at 21:02











  • I opened Update & Security and I am able to disable Windows Defender. Personally I was able to disable the service though after I do that.

    – Ramhound
    Jul 30 '15 at 21:08











  • Windows Defender is designed to be easily replacable, just install another AV and it should automatically turn off.

    – gronostaj
    Jul 30 '15 at 21:15






  • 3





    @gronostaj If my question were how to replace Windows Defender with another A/V solution, I would suggest you post your comment as an answer and I'd accept it, except your comment is the same as Ramhound's, so I'd really suggest he do it. But that's not what I'm trying to do.

    – Todd Wilcox
    Jul 30 '15 at 21:26














27












27








27


14






I can't find any information on how to disable Windows Defender in Windows 10. There is some information about how to do it in the previews, but the configuration pages have changed with the final release.



Specifically, I want to stop and disable the Windows Defender Service.




  • Using net stop windefend from an elevated command prompt gives "access denied"

  • Stop and startup type are greyed out in sevices.msc, even when logged on as administrator

  • There doesn't seem to be a GUI way to disable UAC in Windows 10


Has anyone figured out how to disable Defender in Windows 10?










share|improve this question














I can't find any information on how to disable Windows Defender in Windows 10. There is some information about how to do it in the previews, but the configuration pages have changed with the final release.



Specifically, I want to stop and disable the Windows Defender Service.




  • Using net stop windefend from an elevated command prompt gives "access denied"

  • Stop and startup type are greyed out in sevices.msc, even when logged on as administrator

  • There doesn't seem to be a GUI way to disable UAC in Windows 10


Has anyone figured out how to disable Defender in Windows 10?







windows windows-10






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jul 30 '15 at 20:52









Todd WilcoxTodd Wilcox

4761414




4761414








  • 3





    Simplest method. Just install a paid/free security suite and it will automatically disable itself. Outside of that just go to` Update and Security` and disable the Real-Time protection. You cannot disable UAC in Windows 8 and above to the same degree as you could in Windows 7. Of course I am not sure what the UAC has to do with Windows Defender.

    – Ramhound
    Jul 30 '15 at 20:58













  • I mentioned UAC because it seemed possible that UAC was preventing me from disabling Defender. I haven't deployed the latest Kaspersky that supports Windows 10 yet, and frankly I'm not so confident that Kaspersky will install well with Defender running. Plus I want to be able to disabled it on principle in case I need or want to for other reasons.

    – Todd Wilcox
    Jul 30 '15 at 21:02











  • I opened Update & Security and I am able to disable Windows Defender. Personally I was able to disable the service though after I do that.

    – Ramhound
    Jul 30 '15 at 21:08











  • Windows Defender is designed to be easily replacable, just install another AV and it should automatically turn off.

    – gronostaj
    Jul 30 '15 at 21:15






  • 3





    @gronostaj If my question were how to replace Windows Defender with another A/V solution, I would suggest you post your comment as an answer and I'd accept it, except your comment is the same as Ramhound's, so I'd really suggest he do it. But that's not what I'm trying to do.

    – Todd Wilcox
    Jul 30 '15 at 21:26














  • 3





    Simplest method. Just install a paid/free security suite and it will automatically disable itself. Outside of that just go to` Update and Security` and disable the Real-Time protection. You cannot disable UAC in Windows 8 and above to the same degree as you could in Windows 7. Of course I am not sure what the UAC has to do with Windows Defender.

    – Ramhound
    Jul 30 '15 at 20:58













  • I mentioned UAC because it seemed possible that UAC was preventing me from disabling Defender. I haven't deployed the latest Kaspersky that supports Windows 10 yet, and frankly I'm not so confident that Kaspersky will install well with Defender running. Plus I want to be able to disabled it on principle in case I need or want to for other reasons.

    – Todd Wilcox
    Jul 30 '15 at 21:02











  • I opened Update & Security and I am able to disable Windows Defender. Personally I was able to disable the service though after I do that.

    – Ramhound
    Jul 30 '15 at 21:08











  • Windows Defender is designed to be easily replacable, just install another AV and it should automatically turn off.

    – gronostaj
    Jul 30 '15 at 21:15






  • 3





    @gronostaj If my question were how to replace Windows Defender with another A/V solution, I would suggest you post your comment as an answer and I'd accept it, except your comment is the same as Ramhound's, so I'd really suggest he do it. But that's not what I'm trying to do.

    – Todd Wilcox
    Jul 30 '15 at 21:26








3




3





Simplest method. Just install a paid/free security suite and it will automatically disable itself. Outside of that just go to` Update and Security` and disable the Real-Time protection. You cannot disable UAC in Windows 8 and above to the same degree as you could in Windows 7. Of course I am not sure what the UAC has to do with Windows Defender.

– Ramhound
Jul 30 '15 at 20:58







Simplest method. Just install a paid/free security suite and it will automatically disable itself. Outside of that just go to` Update and Security` and disable the Real-Time protection. You cannot disable UAC in Windows 8 and above to the same degree as you could in Windows 7. Of course I am not sure what the UAC has to do with Windows Defender.

– Ramhound
Jul 30 '15 at 20:58















I mentioned UAC because it seemed possible that UAC was preventing me from disabling Defender. I haven't deployed the latest Kaspersky that supports Windows 10 yet, and frankly I'm not so confident that Kaspersky will install well with Defender running. Plus I want to be able to disabled it on principle in case I need or want to for other reasons.

– Todd Wilcox
Jul 30 '15 at 21:02





I mentioned UAC because it seemed possible that UAC was preventing me from disabling Defender. I haven't deployed the latest Kaspersky that supports Windows 10 yet, and frankly I'm not so confident that Kaspersky will install well with Defender running. Plus I want to be able to disabled it on principle in case I need or want to for other reasons.

– Todd Wilcox
Jul 30 '15 at 21:02













I opened Update & Security and I am able to disable Windows Defender. Personally I was able to disable the service though after I do that.

– Ramhound
Jul 30 '15 at 21:08





I opened Update & Security and I am able to disable Windows Defender. Personally I was able to disable the service though after I do that.

– Ramhound
Jul 30 '15 at 21:08













Windows Defender is designed to be easily replacable, just install another AV and it should automatically turn off.

– gronostaj
Jul 30 '15 at 21:15





Windows Defender is designed to be easily replacable, just install another AV and it should automatically turn off.

– gronostaj
Jul 30 '15 at 21:15




3




3





@gronostaj If my question were how to replace Windows Defender with another A/V solution, I would suggest you post your comment as an answer and I'd accept it, except your comment is the same as Ramhound's, so I'd really suggest he do it. But that's not what I'm trying to do.

– Todd Wilcox
Jul 30 '15 at 21:26





@gronostaj If my question were how to replace Windows Defender with another A/V solution, I would suggest you post your comment as an answer and I'd accept it, except your comment is the same as Ramhound's, so I'd really suggest he do it. But that's not what I'm trying to do.

– Todd Wilcox
Jul 30 '15 at 21:26










11 Answers
11






active

oldest

votes


















20














You are able to do this using a Group Policy.



open gpedit.msc



navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender



Turn off Windows Defender = Enabled



If you then try to open Windows Defender you'll see this:
enter image description here



And even though in Settings it may appear to be on, the Service is not running:enter image description here



more info:



http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html



and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350






share|improve this answer


























  • I can't believe I didn't find this on my own. Thanks!

    – Todd Wilcox
    Sep 3 '15 at 14:26






  • 1





    Is this also for Windows Home? I can't find gpedit.msc

    – Stijn de Witt
    Jan 4 '16 at 10:14






  • 1





    No, it does not work for home users. Pro/Enterprise/Education only

    – sloosecannon
    Dec 6 '16 at 22:00






  • 1





    Tried this... however service is still running in task manager.

    – Brig
    Mar 25 '17 at 19:00



















11














I found another way using the registry.



Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:




  1. Browse the registry to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices.

  2. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.

  3. Change the Start value for each service to 0x4 (hex 4, decimal 4).

  4. Reboot.






share|improve this answer





















  • 2





    I am logged in as administrator and I still get the error "Error writing start. Error writing the value's new contents."

    – Mark
    Aug 27 '15 at 8:44






  • 1





    Me too with the same error "Error writing start. Error writing the value's new contents. Any work around for us @Todd Wilcox?

    – Nam G VU
    Oct 21 '15 at 2:33






  • 1





    Have you tried right-clicking on regedit and running as administrator?

    – Todd Wilcox
    Oct 21 '15 at 3:48






  • 1





    unfortunately on Win10 Home Single Language, I get the same error even if I started regedit as admin, any other other workaround. I'm really starting to depise windows 10 now.

    – gideon
    Jan 2 '18 at 13:18











  • If getting Error writing (...), close regedit and reopen.

    – Marc.2377
    Jan 12 at 0:06



















9














Short version




  1. Download

  2. Extract

  3. Double-click DisableDefender.reg


Explanation



By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.



Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001


If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.



You can download the files to disable and re-enable defender from Gist.






share|improve this answer



















  • 1





    You win the Internet today, sir.

    – ivan_bilan
    Oct 24 '16 at 12:11











  • I had re-enable WD by the regedit the value to 00000000, results WD Real-time protection is off because you are using another AV. In fact I do not have any antivirus installed. How to fix this? Thanks

    – Santosa Sandy
    Nov 17 '16 at 10:22











  • @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.

    – Zenexer
    Nov 17 '16 at 15:41











  • Thanks Mr. PB. In an emergency and lack of error investigating clue, I just update the windows and run registry cleaner (e.g. CCleaner). The Windows Defender is active again. Thanks

    – Santosa Sandy
    Nov 21 '16 at 4:41





















4














To disable Windows Defender completely (not just the Real-Time protection) you can:




  1. Install another security suite (as Ramhound mentioned).

  2. If you're willing to use a third party application, you could use NoDefender: http://msft.gq/pub/apps/NoDefender.zip


More information about NoDefender can be found here: http://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/






share|improve this answer
























  • I suspect NoDefender might just be an automated way to edit the registry, which I have done manually.

    – Todd Wilcox
    Jul 30 '15 at 21:29











  • @ToddWilcox, Your method is better than mine then! One less third party application to worry about.

    – user5071535
    Jul 30 '15 at 21:49






  • 1





    i still see antimalware service running, which runs windows defender. I have avg free edition installed

    – shorif2000
    Aug 15 '15 at 19:25






  • 2





    Exactly, @Sharif I'd like to see any confirmations that the antimalware service is also disabled.

    – Mark
    Aug 27 '15 at 8:39



















2














I have written the batch file and registry files that should completely disable Windows Defender in Windows 10.




  1. Save the following files into the same folder.

  2. Run Disable Windows Defender.bat as administrator.

  3. After the batch file is done, restart.

  4. Run Disable Windows Defender.bat again as administrator.

  5. Windows Defender should be completely disabled now.


Disable Windows Defender.bat



@echo off

call :main %*
goto :eof

:main
setlocal EnableDelayedExpansion

rem Check if Windows Defender is running.
tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
if %errorLevel% equ 0 (
rem Windows Defender is running.
echo Windows Defender is running.

rem Performable operations while Windows Defender is running.
rem Disable Windows Defender drivers.
echo Disabling Windows Defender drivers...
set "drivers="%SystemRoot%System32driversWdBoot.sys";"%SystemRoot%System32driversWdFilter.sys";"%SystemRoot%System32driversWdNisDrv.sys""
set "drivers=!drivers:""="!"

set "wasDriverDisabled=false"
for %%d in (!drivers!) do (
if exist "%%~d" (
echo Disabling Windows Defender driver "%%~d"...
call :disableFile "%%~d"
set "wasDriverDisabled=true"
)
)

rem Disable Windows Defender objects.
echo Disabling Windows Defender objects...
call :importRegistry "Disable Windows Defender objects.reg"

rem Require restart to unload Windows Defender drivers and objects.
echo.
echo Restart required.
) else (
rem Windows Defender is not running.
echo Windows Defender is not running.

rem Performable operations while Windows Defender is not running.
rem Disable Windows Defender features.
echo Disabling Windows Defender features...
call :importRegistry "Disable Windows Defender features.reg"
rem Disable Windows Defender services.
echo Disabling Windows Defender services...
call :importRegistry "Disable Windows Defender services.reg"

rem Disable Windows Defender files.
echo Disabling Windows Defender files...
ren "%ProgramFiles%Windows Defender" "Windows Defender.bak"
ren "%ProgramFiles(x86)%Windows Defender" "Windows Defender.bak"
ren "%ProgramData%MicrosoftWindows Defender" "Windows Defender.bak"
)

endlocal
goto :eof

:ownFile
setlocal
set "filePath=%~1"
set "user=%~2"
takeown /f "%filePath%" /a
icacls "%filePath%" /grant "%user%:F"
endlocal
goto :eof

:disableFile
setlocal
set "filePath=%~1"
call :ownFile "%filePath%" "Administrators"
ren "%filePath%" "%~nx1.bak"
endlocal
goto :eof

:importRegistry
setlocal
set "filePath=%~1"
call OwnRegistryKeys.bat "%filePath%"
@echo off
regedit /s "%filePath%"
endlocal
goto :eof


Disable Windows Defender objects.reg



Windows Registry Editor Version 5.00

; Disable "Scan with Windows Defender..." right click context menu.
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

; Disable "DefenderCSP.dll".
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{2781761E-28E0-4109-99FE-B9D127C57AFE}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{2781761E-28E0-4109-99FE-B9D127C57AFE}]

; Disable InfectionState WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

; Disable Status WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{8a696d12-576b-422e-9712-01b9dd84b446}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{8a696d12-576b-422e-9712-01b9dd84b446}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

; Disable Microsoft Windows Defender ("MsMpCom.dll").
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINESoftwareClassesTypeLib{8C389764-F036-48F2-9AE2-88C260DCF43B}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeTypeLib{8C389764-F036-48F2-9AE2-88C260DCF43B}]

; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

; Disable MP UX Host ("MpUxSrv.exe").
[-HKEY_LOCAL_MACHINESoftwareClassesCLSID{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
[-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]


Disable Windows Defender features.reg



Windows Registry Editor Version 5.00

; Disable Windows Defender features.
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderReal-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderScan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderUX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderReal-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderScan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderUX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001


Disable Windows Defender services.reg



Windows Registry Editor Version 5.00

; Disable "Windows Defender" services.
[HKEY_LOCAL_MACHINESystemControlSet001ServicesWinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemControlSet002ServicesWinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemControlSet001ServicesWdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemControlSet002ServicesWdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemControlSet001ServicesWdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemControlSet002ServicesWdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemControlSet001ServicesWdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemControlSet002ServicesWdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemControlSet001ServicesWdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemControlSet002ServicesWdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdNisSvc]
"Start"=dword:00000004


OwnRegistryKeys.bat



@echo off

rem Get the location of the PowerShell file.
for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
rem Run command for each argument.
for %%a in (%*) do (
powershell -executionPolicy bypass -file "%%~f" "%%~a"
)
)


OwnRegistryKeys.ps1



$script:baseKey = @{
"HKEY_CLASSES_ROOT" = @{
"name" = "HKEY_CLASSES_ROOT";
"shortName" = "HKCR";
"key" = [Microsoft.Win32.Registry]::ClassesRoot
};
"HKEY_CURRENT_CONFIG" = @{
"name" = "HKEY_CURRENT_CONFIG";
"shortName" = "HKCC";
"key" = [Microsoft.Win32.Registry]::CurrentConfig
};
"HKEY_CURRENT_USER" = @{
"name" = "HKEY_CURRENT_USER";
"shortName" = "HKCU";
"key" = [Microsoft.Win32.Registry]::CurrentUser
};
"HKEY_DYN_DATA" = @{
"name" = "HKEY_DYN_DATA";
"shortName" = "HKDD";
"key" = [Microsoft.Win32.Registry]::DynData
};
"HKEY_LOCAL_MACHINE" = @{
"name" = "HKEY_LOCAL_MACHINE";
"shortName" = "HKLM";
"key" = [Microsoft.Win32.Registry]::LocalMachine
};
"HKEY_PERFORMANCE_DATA" = @{
"name" = "HKEY_PERFORMANCE_DATA";
"shortName" = "HKPD";
"key" = [Microsoft.Win32.Registry]::PerformanceData
};
"HKEY_USERS" = @{
"name" = "HKEY_USERS";
"shortName" = "HKU";
"key" = [Microsoft.Win32.Registry]::Users
}
}

function enablePrivilege {
param(
# The privilege to adjust. This set is taken from:
# http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
[validateSet(
"SeAssignPrimaryTokenPrivilege",
"SeAuditPrivilege",
"SeBackupPrivilege",
"SeChangeNotifyPrivilege",
"SeCreateGlobalPrivilege",
"SeCreatePagefilePrivilege",
"SeCreatePermanentPrivilege",
"SeCreateSymbolicLinkPrivilege",
"SeCreateTokenPrivilege",
"SeDebugPrivilege",
"SeEnableDelegationPrivilege",
"SeImpersonatePrivilege",
"SeIncreaseBasePriorityPrivilege",
"SeIncreaseQuotaPrivilege",
"SeIncreaseWorkingSetPrivilege",
"SeLoadDriverPrivilege",
"SeLockMemoryPrivilege",
"SeMachineAccountPrivilege",
"SeManageVolumePrivilege",
"SeProfileSingleProcessPrivilege",
"SeRelabelPrivilege",
"SeRemoteShutdownPrivilege",
"SeRestorePrivilege",
"SeSecurityPrivilege",
"SeShutdownPrivilege",
"SeSyncAgentPrivilege",
"SeSystemEnvironmentPrivilege",
"SeSystemProfilePrivilege",
"SeSystemtimePrivilege",
"SeTakeOwnershipPrivilege",
"SeTcbPrivilege",
"SeTimeZonePrivilege",
"SeTrustedCredManAccessPrivilege",
"SeUndockPrivilege",
"SeUnsolicitedInputPrivilege"
)]
$privilege,

# The process on which to adjust the privilege. Defaults to the current process.
$processId = $pid,

# Switch to disable the privilege, rather than enable it.
[switch] $disable
)

# Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;

public class AdjustPrivilege {
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid {
public int Count;
public long Luid;
public int Attr;
}

internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
bool result;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
result = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
if (disable) {
tp.Attr = SE_PRIVILEGE_DISABLED;
} else {
tp.Attr = SE_PRIVILEGE_ENABLED;
}
result = LookupPrivilegeValue(null, privilege, ref tp.Luid);
result = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return result;
}
}
'@

$processHandle = (get-process -id $processId).handle
$type = add-type $definition -passThru
$type[0]::EnablePrivilege($processHandle, $privilege, $disable)
}

function getKeyNames {
param(
[parameter(mandatory = $true)]
[string] $filePaths = $null
)

return (get-content $filePaths | select-string -pattern "[-?(.*)]" -allMatches | forEach-object {$_.matches.groups[1].value} | get-unique)
}

function splitKeyName {
param(
[parameter(mandatory = $true)]
[string] $keyName = $null
)

$names = $keyName.split("\/", 2)

$rootKeyName = $names[0]
$subKeyName = $names[1]

$keyPart = @{
root = $baseKey[$rootKeyName];
subKey = @{
name = $subKeyName
}
}

return $keyPart
}

function ownRegistryKey {
param(
[parameter(mandatory = $true)]
[string] $keyName = $null
)

write-host """$keyName"""

# Check if the key exists.
if ($(try { test-path -path "Registry::$keyName".trim() } catch { $false })) {
write-host " Opening..."

$keyPart = splitKeyName -keyName $keyName
$ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
if ($ownableKey -ne $null) {
# Set the owner.
write-host " Setting owner..."
$acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$owner = [System.Security.Principal.NTAccount] "Administrators"
$acl.setOwner($owner)
$ownableKey.setAccessControl($acl)

# Set the permissions.
write-host " Setting permissions..."
$acl = $ownableKey.getAccessControl()
$person = [System.Security.Principal.NTAccount] "Administrators"
$access = [System.Security.AccessControl.RegistryRights] "FullControl"
$inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
$propagation = [System.Security.AccessControl.PropagationFlags] "None"
$type = [System.Security.AccessControl.AccessControlType] "Allow"

$rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
$acl.setAccessRule($rule)
$ownableKey.setAccessControl($acl)

$ownableKey.close()

write-host " Done."

# Own children subkeys.
$readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
if ($readableKey -ne $null) {
$subKeyNames = ($readableKey.getSubKeyNames() | forEach-object { "$keyName$_" })
$readableKey.close()
if ($subKeyNames -ne $null) {
ownRegistryKeys -keyNames $subKeyNames
}
} else {
write-host " Unable to open children subkeys."
}
} else {
write-host " Unable to open subkey."
}
} else {
write-host " Key does not exist."
}

write-host
}

function ownRegistryKeys {
param(
[parameter(mandatory = $true)]
[string] $keyNames = $null
)

$keyName = $null
foreach ($keyName in $keyNames) {
# Own parent key and children subkeys.
ownRegistryKey -keyName $keyName
}
}

function requestPrivileges {
$numberOfRetries = 10

$privilegeResult = $false
for ($r = 0; !$privilegeResult -band $r -lt $numberOfRetries; $r += 1) {
$privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
}

if (!$privilegeResult) {
write-host "Unable to receive privilege."
exit 1
}
}

function main {
param(
[parameter(mandatory = $true)]
[string] $filePaths = $null
)

requestPrivileges

$keyNames = getKeyNames -filePaths $filePaths
ownRegistryKeys -keyNames $keyNames
}

main $args





share|improve this answer


























  • Thanks! BTW:This requires English version of windows to work correctly

    – Abdelhafid Madoui
    Sep 13 '18 at 19:04



















1














The easy powershell method is here from an answer I posted on a question later marked duplicate for this.



The easiest way to do this would be to use powershell to disable it, the command you probably want is this



Set-MpPreference -DisableRealtimeMonitoring $true
Get-Service WinDefend | stop-service


For an article on using powershell to disable/enable Windows Defender check here: http://wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows-10-using-powershell



Here is the technet article for a more detailed look at available defender cmdlets: https://technet.microsoft.com/en-us/library/dn433280.aspx






share|improve this answer


























  • I don't believe this would stop and disable the service itself. It just disables the real-time capabilities of Windows Defender which an be simply be done through Settings no need for a PowerShell applet.

    – Ramhound
    Jan 14 '16 at 19:48











  • @Ramhound edited for service mgmt with powershell. I'm not 100% it will stop the service without the same issue as net stop service but I have had more luck with powershell and don't believe get/stop-service alias to net-stop

    – Abraxas
    Jan 14 '16 at 19:57



















0














I found that the following procedure works well; it doesn't remove or disable Windows Defender, but it disables Windows Defender SERVICE, stops all start-up and real-time scanning, and prevents Windows Defender Real-Time Scan from turning itself back on. (It leaves Windows Defender in-place, so you can use it to perform on-demand scanning of suspicious files.)



PROCEDURE:




  1. Find, download, install "SysInternals" program suite.

  2. Run program "AutoRuns".

  3. Find "Windows Defender Service".

  4. Uncheck the box.

  5. Restart your computer.


After doing that, my startup time decreased from 20min to 5min, and memory usage after startup (before launching any apps) decreased from 2.1GB to 1.2GB. And when I looked in "Services", I found that "Windows Defender Service", while still there, is now marked "NOT running, Disabled".






share|improve this answer































    0














    The easiest way I've found is to open an administrator command prompt and run:



    reg add "HKLMSOFTWAREPoliciesMicrosoftWindows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1


    Then reboot. I have not been able to find away to shutdown the service once it is started with out a reboot.






    share|improve this answer































      0














      It is not so easy to reliably and totally disable the Windows Defender. There is a PowerShell script that uninstalls Windows Defender, but you may not be able later to install it back. This script requires two reboots.



      Just download the Debloat-Windows-10 and follow these steps, provided by the author:




      1. Unpack the archive;


      2. Enable execution of PowerShell scripts:



        PS> Set-ExecutionPolicy Unrestricted




      3. Unblock PowerShell scripts and modules within this directory:



        PS > ls -Recurse *.ps1 | Unblock-File
        PS > ls -Recurse *.psm1 | Unblock-File



      4. Run scriptsdisable-windows-defender.ps1


      5. Reboot the computer (either usual way or via the PS > Restart-Computer)

      6. Run scriptsdisable-windows-defender.ps1 one more time.

      7. Reboot the computer again.


      This is not the easiest way, but very reliable and resilient.



      There are also the scripts to remove unnecessary programs like BingFinance, Skype, OneDrive, etc - if you don't need them.



      The archive does also contain lot of scripts that you may find useful.



      Please be aware that these scripts irreversible delete files and can delete vital functions of Windows. For example, they may totally disable the Start menu!



      Don't run disable-ShellExperienceHost.bat from this package, otherwise the Start Menu will stop opening.






      share|improve this answer

































        0














        It would be helpful to understand why you cannot stop a particular service.




        • I'm the administrator; worse than failure can't the Administrator administrate?!


        It's because of the security permissions on the WinDefend service.



        Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"



        enter image description here



        Viewing Permissions



        If you run from a command line:



        >sc sdshow WinDefend


        where





        • sdshow means "Displays a service's security descriptor."


        You'll get the security descriptor:



        C:UsersIan>sc sdshow WinDefend

        D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


        This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:



        D:
        (A;;CCLCSWRPLOCRRC;;;BU)
        (A;;CCLCSWRPLOCRRC;;;SY)
        (A;;CCLCSWRPLOCRRC;;;BA)
        (A;;CCLCSWRPLOCRRC;;;IU)
        (A;;CCLCSWRPLOCRRC;;;SU)
        (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
        (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


        The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):





        • D: discretionary access control list


          • ACE1: A;;CCLCSWRPLOCRRC;;;BU

          • ACE2: A;;CCLCSWRPLOCRRC;;;SY

          • ACE3: A;;CCLCSWRPLOCRRC;;;BA

          • ACE4: A;;CCLCSWRPLOCRRC;;;IU

          • ACE5: A;;CCLCSWRPLOCRRC;;;SU

          • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

          • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




        Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.



        Looking first at who they apply to, a random blog article decode some of them (archive.is):





        • BU: Built-in users


        • SY: Local System


        • BA: Built-in administrators


        • UI: Interactively logged-on user


        • SU: Service logon user


        • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer


        • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736:


        You can get the name associated with an SID by running:



        >wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name


        Each ACE contains a list of permissions that the user is being allowed or denied.





        • D: discretionary access control list



          • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users


          • ACE 2: A;;CCLCSWRPLOCRRC;;; Local system


          • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators


          • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user


          • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user


          • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer


          • ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




        Breaking down the remaining semicolon separated sections in an ACE:




        • ACE: A;;CCLCSWRPLOCRRC;;;


          • AceType: A ACCESS_ALLOWED_ACE_TYPE

          • AceFlags: (none)

          • AccessMask: CC LC SW RP LO CR RC



            • CC: CREATE_CHILD


            • LC: LIST_CHILDREN


            • SW: SELF_WRITE


            • RP: READ_PROPERTY


            • LO: LIST_OBJECT


            • CR: CONTROL_ACCESS


            • RC: READ_CONTROL



          • ObjectGuid: (none)

          • InheritObjectGuid: (none)




        The leading A means Allowed, and the permissions are two-letter codes:





        • D: discretionary access control list



          • ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users


          • ACE 2: Allow, CC LC SW RP LO CR RC, Local system


          • ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators


          • ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user


          • ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user


          • ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer


          • ACE 7: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




        And this is where i'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but i've already stopped it, and my PC is still misbehaving.



        Spoiler:



        sc sdset WinDefend [newSDLString]


        Bonus Reading





        • How to specify permissions to services in Windows by using SDDL? *(archive.is)


        • How to Convert SID to Username and Vice Versa (archive.is)


        • The Security Descriptor Definition Language of Love (Part 2) (archive.is)


        • 2.5.1.1 Syntax (archive.is)






        share|improve this answer

































          -1














          I managed to disable it using Autoruns; under the services tab there is an entry WinDefend, untick the box and reboot.






          share|improve this answer
























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f947873%2fdisable-windows-defender-in-windows-10%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            11 Answers
            11






            active

            oldest

            votes








            11 Answers
            11






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            20














            You are able to do this using a Group Policy.



            open gpedit.msc



            navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender



            Turn off Windows Defender = Enabled



            If you then try to open Windows Defender you'll see this:
            enter image description here



            And even though in Settings it may appear to be on, the Service is not running:enter image description here



            more info:



            http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html



            and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350






            share|improve this answer


























            • I can't believe I didn't find this on my own. Thanks!

              – Todd Wilcox
              Sep 3 '15 at 14:26






            • 1





              Is this also for Windows Home? I can't find gpedit.msc

              – Stijn de Witt
              Jan 4 '16 at 10:14






            • 1





              No, it does not work for home users. Pro/Enterprise/Education only

              – sloosecannon
              Dec 6 '16 at 22:00






            • 1





              Tried this... however service is still running in task manager.

              – Brig
              Mar 25 '17 at 19:00
















            20














            You are able to do this using a Group Policy.



            open gpedit.msc



            navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender



            Turn off Windows Defender = Enabled



            If you then try to open Windows Defender you'll see this:
            enter image description here



            And even though in Settings it may appear to be on, the Service is not running:enter image description here



            more info:



            http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html



            and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350






            share|improve this answer


























            • I can't believe I didn't find this on my own. Thanks!

              – Todd Wilcox
              Sep 3 '15 at 14:26






            • 1





              Is this also for Windows Home? I can't find gpedit.msc

              – Stijn de Witt
              Jan 4 '16 at 10:14






            • 1





              No, it does not work for home users. Pro/Enterprise/Education only

              – sloosecannon
              Dec 6 '16 at 22:00






            • 1





              Tried this... however service is still running in task manager.

              – Brig
              Mar 25 '17 at 19:00














            20












            20








            20







            You are able to do this using a Group Policy.



            open gpedit.msc



            navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender



            Turn off Windows Defender = Enabled



            If you then try to open Windows Defender you'll see this:
            enter image description here



            And even though in Settings it may appear to be on, the Service is not running:enter image description here



            more info:



            http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html



            and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350






            share|improve this answer















            You are able to do this using a Group Policy.



            open gpedit.msc



            navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender



            Turn off Windows Defender = Enabled



            If you then try to open Windows Defender you'll see this:
            enter image description here



            And even though in Settings it may appear to be on, the Service is not running:enter image description here



            more info:



            http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html



            and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Sep 3 '15 at 13:40

























            answered Sep 3 '15 at 13:28









            Aaron HoffmanAaron Hoffman

            32616




            32616













            • I can't believe I didn't find this on my own. Thanks!

              – Todd Wilcox
              Sep 3 '15 at 14:26






            • 1





              Is this also for Windows Home? I can't find gpedit.msc

              – Stijn de Witt
              Jan 4 '16 at 10:14






            • 1





              No, it does not work for home users. Pro/Enterprise/Education only

              – sloosecannon
              Dec 6 '16 at 22:00






            • 1





              Tried this... however service is still running in task manager.

              – Brig
              Mar 25 '17 at 19:00



















            • I can't believe I didn't find this on my own. Thanks!

              – Todd Wilcox
              Sep 3 '15 at 14:26






            • 1





              Is this also for Windows Home? I can't find gpedit.msc

              – Stijn de Witt
              Jan 4 '16 at 10:14






            • 1





              No, it does not work for home users. Pro/Enterprise/Education only

              – sloosecannon
              Dec 6 '16 at 22:00






            • 1





              Tried this... however service is still running in task manager.

              – Brig
              Mar 25 '17 at 19:00

















            I can't believe I didn't find this on my own. Thanks!

            – Todd Wilcox
            Sep 3 '15 at 14:26





            I can't believe I didn't find this on my own. Thanks!

            – Todd Wilcox
            Sep 3 '15 at 14:26




            1




            1





            Is this also for Windows Home? I can't find gpedit.msc

            – Stijn de Witt
            Jan 4 '16 at 10:14





            Is this also for Windows Home? I can't find gpedit.msc

            – Stijn de Witt
            Jan 4 '16 at 10:14




            1




            1





            No, it does not work for home users. Pro/Enterprise/Education only

            – sloosecannon
            Dec 6 '16 at 22:00





            No, it does not work for home users. Pro/Enterprise/Education only

            – sloosecannon
            Dec 6 '16 at 22:00




            1




            1





            Tried this... however service is still running in task manager.

            – Brig
            Mar 25 '17 at 19:00





            Tried this... however service is still running in task manager.

            – Brig
            Mar 25 '17 at 19:00













            11














            I found another way using the registry.



            Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:




            1. Browse the registry to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices.

            2. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.

            3. Change the Start value for each service to 0x4 (hex 4, decimal 4).

            4. Reboot.






            share|improve this answer





















            • 2





              I am logged in as administrator and I still get the error "Error writing start. Error writing the value's new contents."

              – Mark
              Aug 27 '15 at 8:44






            • 1





              Me too with the same error "Error writing start. Error writing the value's new contents. Any work around for us @Todd Wilcox?

              – Nam G VU
              Oct 21 '15 at 2:33






            • 1





              Have you tried right-clicking on regedit and running as administrator?

              – Todd Wilcox
              Oct 21 '15 at 3:48






            • 1





              unfortunately on Win10 Home Single Language, I get the same error even if I started regedit as admin, any other other workaround. I'm really starting to depise windows 10 now.

              – gideon
              Jan 2 '18 at 13:18











            • If getting Error writing (...), close regedit and reopen.

              – Marc.2377
              Jan 12 at 0:06
















            11














            I found another way using the registry.



            Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:




            1. Browse the registry to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices.

            2. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.

            3. Change the Start value for each service to 0x4 (hex 4, decimal 4).

            4. Reboot.






            share|improve this answer





















            • 2





              I am logged in as administrator and I still get the error "Error writing start. Error writing the value's new contents."

              – Mark
              Aug 27 '15 at 8:44






            • 1





              Me too with the same error "Error writing start. Error writing the value's new contents. Any work around for us @Todd Wilcox?

              – Nam G VU
              Oct 21 '15 at 2:33






            • 1





              Have you tried right-clicking on regedit and running as administrator?

              – Todd Wilcox
              Oct 21 '15 at 3:48






            • 1





              unfortunately on Win10 Home Single Language, I get the same error even if I started regedit as admin, any other other workaround. I'm really starting to depise windows 10 now.

              – gideon
              Jan 2 '18 at 13:18











            • If getting Error writing (...), close regedit and reopen.

              – Marc.2377
              Jan 12 at 0:06














            11












            11








            11







            I found another way using the registry.



            Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:




            1. Browse the registry to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices.

            2. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.

            3. Change the Start value for each service to 0x4 (hex 4, decimal 4).

            4. Reboot.






            share|improve this answer















            I found another way using the registry.



            Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:




            1. Browse the registry to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices.

            2. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.

            3. Change the Start value for each service to 0x4 (hex 4, decimal 4).

            4. Reboot.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Jul 30 '15 at 22:10

























            answered Jul 30 '15 at 21:23









            Todd WilcoxTodd Wilcox

            4761414




            4761414








            • 2





              I am logged in as administrator and I still get the error "Error writing start. Error writing the value's new contents."

              – Mark
              Aug 27 '15 at 8:44






            • 1





              Me too with the same error "Error writing start. Error writing the value's new contents. Any work around for us @Todd Wilcox?

              – Nam G VU
              Oct 21 '15 at 2:33






            • 1





              Have you tried right-clicking on regedit and running as administrator?

              – Todd Wilcox
              Oct 21 '15 at 3:48






            • 1





              unfortunately on Win10 Home Single Language, I get the same error even if I started regedit as admin, any other other workaround. I'm really starting to depise windows 10 now.

              – gideon
              Jan 2 '18 at 13:18











            • If getting Error writing (...), close regedit and reopen.

              – Marc.2377
              Jan 12 at 0:06














            • 2





              I am logged in as administrator and I still get the error "Error writing start. Error writing the value's new contents."

              – Mark
              Aug 27 '15 at 8:44






            • 1





              Me too with the same error "Error writing start. Error writing the value's new contents. Any work around for us @Todd Wilcox?

              – Nam G VU
              Oct 21 '15 at 2:33






            • 1





              Have you tried right-clicking on regedit and running as administrator?

              – Todd Wilcox
              Oct 21 '15 at 3:48






            • 1





              unfortunately on Win10 Home Single Language, I get the same error even if I started regedit as admin, any other other workaround. I'm really starting to depise windows 10 now.

              – gideon
              Jan 2 '18 at 13:18











            • If getting Error writing (...), close regedit and reopen.

              – Marc.2377
              Jan 12 at 0:06








            2




            2





            I am logged in as administrator and I still get the error "Error writing start. Error writing the value's new contents."

            – Mark
            Aug 27 '15 at 8:44





            I am logged in as administrator and I still get the error "Error writing start. Error writing the value's new contents."

            – Mark
            Aug 27 '15 at 8:44




            1




            1





            Me too with the same error "Error writing start. Error writing the value's new contents. Any work around for us @Todd Wilcox?

            – Nam G VU
            Oct 21 '15 at 2:33





            Me too with the same error "Error writing start. Error writing the value's new contents. Any work around for us @Todd Wilcox?

            – Nam G VU
            Oct 21 '15 at 2:33




            1




            1





            Have you tried right-clicking on regedit and running as administrator?

            – Todd Wilcox
            Oct 21 '15 at 3:48





            Have you tried right-clicking on regedit and running as administrator?

            – Todd Wilcox
            Oct 21 '15 at 3:48




            1




            1





            unfortunately on Win10 Home Single Language, I get the same error even if I started regedit as admin, any other other workaround. I'm really starting to depise windows 10 now.

            – gideon
            Jan 2 '18 at 13:18





            unfortunately on Win10 Home Single Language, I get the same error even if I started regedit as admin, any other other workaround. I'm really starting to depise windows 10 now.

            – gideon
            Jan 2 '18 at 13:18













            If getting Error writing (...), close regedit and reopen.

            – Marc.2377
            Jan 12 at 0:06





            If getting Error writing (...), close regedit and reopen.

            – Marc.2377
            Jan 12 at 0:06











            9














            Short version




            1. Download

            2. Extract

            3. Double-click DisableDefender.reg


            Explanation



            By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.



            Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.



            Windows Registry Editor Version 5.00

            [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001


            If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.



            You can download the files to disable and re-enable defender from Gist.






            share|improve this answer



















            • 1





              You win the Internet today, sir.

              – ivan_bilan
              Oct 24 '16 at 12:11











            • I had re-enable WD by the regedit the value to 00000000, results WD Real-time protection is off because you are using another AV. In fact I do not have any antivirus installed. How to fix this? Thanks

              – Santosa Sandy
              Nov 17 '16 at 10:22











            • @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.

              – Zenexer
              Nov 17 '16 at 15:41











            • Thanks Mr. PB. In an emergency and lack of error investigating clue, I just update the windows and run registry cleaner (e.g. CCleaner). The Windows Defender is active again. Thanks

              – Santosa Sandy
              Nov 21 '16 at 4:41


















            9














            Short version




            1. Download

            2. Extract

            3. Double-click DisableDefender.reg


            Explanation



            By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.



            Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.



            Windows Registry Editor Version 5.00

            [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001


            If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.



            You can download the files to disable and re-enable defender from Gist.






            share|improve this answer



















            • 1





              You win the Internet today, sir.

              – ivan_bilan
              Oct 24 '16 at 12:11











            • I had re-enable WD by the regedit the value to 00000000, results WD Real-time protection is off because you are using another AV. In fact I do not have any antivirus installed. How to fix this? Thanks

              – Santosa Sandy
              Nov 17 '16 at 10:22











            • @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.

              – Zenexer
              Nov 17 '16 at 15:41











            • Thanks Mr. PB. In an emergency and lack of error investigating clue, I just update the windows and run registry cleaner (e.g. CCleaner). The Windows Defender is active again. Thanks

              – Santosa Sandy
              Nov 21 '16 at 4:41
















            9












            9








            9







            Short version




            1. Download

            2. Extract

            3. Double-click DisableDefender.reg


            Explanation



            By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.



            Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.



            Windows Registry Editor Version 5.00

            [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001


            If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.



            You can download the files to disable and re-enable defender from Gist.






            share|improve this answer













            Short version




            1. Download

            2. Extract

            3. Double-click DisableDefender.reg


            Explanation



            By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.



            Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.



            Windows Registry Editor Version 5.00

            [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001


            If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.



            You can download the files to disable and re-enable defender from Gist.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Dec 1 '15 at 7:27









            ZenexerZenexer

            8381817




            8381817








            • 1





              You win the Internet today, sir.

              – ivan_bilan
              Oct 24 '16 at 12:11











            • I had re-enable WD by the regedit the value to 00000000, results WD Real-time protection is off because you are using another AV. In fact I do not have any antivirus installed. How to fix this? Thanks

              – Santosa Sandy
              Nov 17 '16 at 10:22











            • @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.

              – Zenexer
              Nov 17 '16 at 15:41











            • Thanks Mr. PB. In an emergency and lack of error investigating clue, I just update the windows and run registry cleaner (e.g. CCleaner). The Windows Defender is active again. Thanks

              – Santosa Sandy
              Nov 21 '16 at 4:41
















            • 1





              You win the Internet today, sir.

              – ivan_bilan
              Oct 24 '16 at 12:11











            • I had re-enable WD by the regedit the value to 00000000, results WD Real-time protection is off because you are using another AV. In fact I do not have any antivirus installed. How to fix this? Thanks

              – Santosa Sandy
              Nov 17 '16 at 10:22











            • @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.

              – Zenexer
              Nov 17 '16 at 15:41











            • Thanks Mr. PB. In an emergency and lack of error investigating clue, I just update the windows and run registry cleaner (e.g. CCleaner). The Windows Defender is active again. Thanks

              – Santosa Sandy
              Nov 21 '16 at 4:41










            1




            1





            You win the Internet today, sir.

            – ivan_bilan
            Oct 24 '16 at 12:11





            You win the Internet today, sir.

            – ivan_bilan
            Oct 24 '16 at 12:11













            I had re-enable WD by the regedit the value to 00000000, results WD Real-time protection is off because you are using another AV. In fact I do not have any antivirus installed. How to fix this? Thanks

            – Santosa Sandy
            Nov 17 '16 at 10:22





            I had re-enable WD by the regedit the value to 00000000, results WD Real-time protection is off because you are using another AV. In fact I do not have any antivirus installed. How to fix this? Thanks

            – Santosa Sandy
            Nov 17 '16 at 10:22













            @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.

            – Zenexer
            Nov 17 '16 at 15:41





            @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.

            – Zenexer
            Nov 17 '16 at 15:41













            Thanks Mr. PB. In an emergency and lack of error investigating clue, I just update the windows and run registry cleaner (e.g. CCleaner). The Windows Defender is active again. Thanks

            – Santosa Sandy
            Nov 21 '16 at 4:41







            Thanks Mr. PB. In an emergency and lack of error investigating clue, I just update the windows and run registry cleaner (e.g. CCleaner). The Windows Defender is active again. Thanks

            – Santosa Sandy
            Nov 21 '16 at 4:41













            4














            To disable Windows Defender completely (not just the Real-Time protection) you can:




            1. Install another security suite (as Ramhound mentioned).

            2. If you're willing to use a third party application, you could use NoDefender: http://msft.gq/pub/apps/NoDefender.zip


            More information about NoDefender can be found here: http://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/






            share|improve this answer
























            • I suspect NoDefender might just be an automated way to edit the registry, which I have done manually.

              – Todd Wilcox
              Jul 30 '15 at 21:29











            • @ToddWilcox, Your method is better than mine then! One less third party application to worry about.

              – user5071535
              Jul 30 '15 at 21:49






            • 1





              i still see antimalware service running, which runs windows defender. I have avg free edition installed

              – shorif2000
              Aug 15 '15 at 19:25






            • 2





              Exactly, @Sharif I'd like to see any confirmations that the antimalware service is also disabled.

              – Mark
              Aug 27 '15 at 8:39
















            4














            To disable Windows Defender completely (not just the Real-Time protection) you can:




            1. Install another security suite (as Ramhound mentioned).

            2. If you're willing to use a third party application, you could use NoDefender: http://msft.gq/pub/apps/NoDefender.zip


            More information about NoDefender can be found here: http://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/






            share|improve this answer
























            • I suspect NoDefender might just be an automated way to edit the registry, which I have done manually.

              – Todd Wilcox
              Jul 30 '15 at 21:29











            • @ToddWilcox, Your method is better than mine then! One less third party application to worry about.

              – user5071535
              Jul 30 '15 at 21:49






            • 1





              i still see antimalware service running, which runs windows defender. I have avg free edition installed

              – shorif2000
              Aug 15 '15 at 19:25






            • 2





              Exactly, @Sharif I'd like to see any confirmations that the antimalware service is also disabled.

              – Mark
              Aug 27 '15 at 8:39














            4












            4








            4







            To disable Windows Defender completely (not just the Real-Time protection) you can:




            1. Install another security suite (as Ramhound mentioned).

            2. If you're willing to use a third party application, you could use NoDefender: http://msft.gq/pub/apps/NoDefender.zip


            More information about NoDefender can be found here: http://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/






            share|improve this answer













            To disable Windows Defender completely (not just the Real-Time protection) you can:




            1. Install another security suite (as Ramhound mentioned).

            2. If you're willing to use a third party application, you could use NoDefender: http://msft.gq/pub/apps/NoDefender.zip


            More information about NoDefender can be found here: http://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Jul 30 '15 at 21:11









            user5071535user5071535

            370315




            370315













            • I suspect NoDefender might just be an automated way to edit the registry, which I have done manually.

              – Todd Wilcox
              Jul 30 '15 at 21:29











            • @ToddWilcox, Your method is better than mine then! One less third party application to worry about.

              – user5071535
              Jul 30 '15 at 21:49






            • 1





              i still see antimalware service running, which runs windows defender. I have avg free edition installed

              – shorif2000
              Aug 15 '15 at 19:25






            • 2





              Exactly, @Sharif I'd like to see any confirmations that the antimalware service is also disabled.

              – Mark
              Aug 27 '15 at 8:39



















            • I suspect NoDefender might just be an automated way to edit the registry, which I have done manually.

              – Todd Wilcox
              Jul 30 '15 at 21:29











            • @ToddWilcox, Your method is better than mine then! One less third party application to worry about.

              – user5071535
              Jul 30 '15 at 21:49






            • 1





              i still see antimalware service running, which runs windows defender. I have avg free edition installed

              – shorif2000
              Aug 15 '15 at 19:25






            • 2





              Exactly, @Sharif I'd like to see any confirmations that the antimalware service is also disabled.

              – Mark
              Aug 27 '15 at 8:39

















            I suspect NoDefender might just be an automated way to edit the registry, which I have done manually.

            – Todd Wilcox
            Jul 30 '15 at 21:29





            I suspect NoDefender might just be an automated way to edit the registry, which I have done manually.

            – Todd Wilcox
            Jul 30 '15 at 21:29













            @ToddWilcox, Your method is better than mine then! One less third party application to worry about.

            – user5071535
            Jul 30 '15 at 21:49





            @ToddWilcox, Your method is better than mine then! One less third party application to worry about.

            – user5071535
            Jul 30 '15 at 21:49




            1




            1





            i still see antimalware service running, which runs windows defender. I have avg free edition installed

            – shorif2000
            Aug 15 '15 at 19:25





            i still see antimalware service running, which runs windows defender. I have avg free edition installed

            – shorif2000
            Aug 15 '15 at 19:25




            2




            2





            Exactly, @Sharif I'd like to see any confirmations that the antimalware service is also disabled.

            – Mark
            Aug 27 '15 at 8:39





            Exactly, @Sharif I'd like to see any confirmations that the antimalware service is also disabled.

            – Mark
            Aug 27 '15 at 8:39











            2














            I have written the batch file and registry files that should completely disable Windows Defender in Windows 10.




            1. Save the following files into the same folder.

            2. Run Disable Windows Defender.bat as administrator.

            3. After the batch file is done, restart.

            4. Run Disable Windows Defender.bat again as administrator.

            5. Windows Defender should be completely disabled now.


            Disable Windows Defender.bat



            @echo off

            call :main %*
            goto :eof

            :main
            setlocal EnableDelayedExpansion

            rem Check if Windows Defender is running.
            tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
            if %errorLevel% equ 0 (
            rem Windows Defender is running.
            echo Windows Defender is running.

            rem Performable operations while Windows Defender is running.
            rem Disable Windows Defender drivers.
            echo Disabling Windows Defender drivers...
            set "drivers="%SystemRoot%System32driversWdBoot.sys";"%SystemRoot%System32driversWdFilter.sys";"%SystemRoot%System32driversWdNisDrv.sys""
            set "drivers=!drivers:""="!"

            set "wasDriverDisabled=false"
            for %%d in (!drivers!) do (
            if exist "%%~d" (
            echo Disabling Windows Defender driver "%%~d"...
            call :disableFile "%%~d"
            set "wasDriverDisabled=true"
            )
            )

            rem Disable Windows Defender objects.
            echo Disabling Windows Defender objects...
            call :importRegistry "Disable Windows Defender objects.reg"

            rem Require restart to unload Windows Defender drivers and objects.
            echo.
            echo Restart required.
            ) else (
            rem Windows Defender is not running.
            echo Windows Defender is not running.

            rem Performable operations while Windows Defender is not running.
            rem Disable Windows Defender features.
            echo Disabling Windows Defender features...
            call :importRegistry "Disable Windows Defender features.reg"
            rem Disable Windows Defender services.
            echo Disabling Windows Defender services...
            call :importRegistry "Disable Windows Defender services.reg"

            rem Disable Windows Defender files.
            echo Disabling Windows Defender files...
            ren "%ProgramFiles%Windows Defender" "Windows Defender.bak"
            ren "%ProgramFiles(x86)%Windows Defender" "Windows Defender.bak"
            ren "%ProgramData%MicrosoftWindows Defender" "Windows Defender.bak"
            )

            endlocal
            goto :eof

            :ownFile
            setlocal
            set "filePath=%~1"
            set "user=%~2"
            takeown /f "%filePath%" /a
            icacls "%filePath%" /grant "%user%:F"
            endlocal
            goto :eof

            :disableFile
            setlocal
            set "filePath=%~1"
            call :ownFile "%filePath%" "Administrators"
            ren "%filePath%" "%~nx1.bak"
            endlocal
            goto :eof

            :importRegistry
            setlocal
            set "filePath=%~1"
            call OwnRegistryKeys.bat "%filePath%"
            @echo off
            regedit /s "%filePath%"
            endlocal
            goto :eof


            Disable Windows Defender objects.reg



            Windows Registry Editor Version 5.00

            ; Disable "Scan with Windows Defender..." right click context menu.
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

            ; Disable "DefenderCSP.dll".
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

            ; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{2781761E-28E0-4109-99FE-B9D127C57AFE}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{2781761E-28E0-4109-99FE-B9D127C57AFE}]

            ; Disable InfectionState WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

            ; Disable Status WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{8a696d12-576b-422e-9712-01b9dd84b446}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{8a696d12-576b-422e-9712-01b9dd84b446}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

            ; Disable Microsoft Windows Defender ("MsMpCom.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINESoftwareClassesTypeLib{8C389764-F036-48F2-9AE2-88C260DCF43B}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeTypeLib{8C389764-F036-48F2-9AE2-88C260DCF43B}]

            ; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

            ; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

            ; Disable MP UX Host ("MpUxSrv.exe").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]


            Disable Windows Defender features.reg



            Windows Registry Editor Version 5.00

            ; Disable Windows Defender features.
            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderReal-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderScan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderUX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderReal-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderScan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderUX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001


            Disable Windows Defender services.reg



            Windows Registry Editor Version 5.00

            ; Disable "Windows Defender" services.
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdNisSvc]
            "Start"=dword:00000004


            OwnRegistryKeys.bat



            @echo off

            rem Get the location of the PowerShell file.
            for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
            rem Run command for each argument.
            for %%a in (%*) do (
            powershell -executionPolicy bypass -file "%%~f" "%%~a"
            )
            )


            OwnRegistryKeys.ps1



            $script:baseKey = @{
            "HKEY_CLASSES_ROOT" = @{
            "name" = "HKEY_CLASSES_ROOT";
            "shortName" = "HKCR";
            "key" = [Microsoft.Win32.Registry]::ClassesRoot
            };
            "HKEY_CURRENT_CONFIG" = @{
            "name" = "HKEY_CURRENT_CONFIG";
            "shortName" = "HKCC";
            "key" = [Microsoft.Win32.Registry]::CurrentConfig
            };
            "HKEY_CURRENT_USER" = @{
            "name" = "HKEY_CURRENT_USER";
            "shortName" = "HKCU";
            "key" = [Microsoft.Win32.Registry]::CurrentUser
            };
            "HKEY_DYN_DATA" = @{
            "name" = "HKEY_DYN_DATA";
            "shortName" = "HKDD";
            "key" = [Microsoft.Win32.Registry]::DynData
            };
            "HKEY_LOCAL_MACHINE" = @{
            "name" = "HKEY_LOCAL_MACHINE";
            "shortName" = "HKLM";
            "key" = [Microsoft.Win32.Registry]::LocalMachine
            };
            "HKEY_PERFORMANCE_DATA" = @{
            "name" = "HKEY_PERFORMANCE_DATA";
            "shortName" = "HKPD";
            "key" = [Microsoft.Win32.Registry]::PerformanceData
            };
            "HKEY_USERS" = @{
            "name" = "HKEY_USERS";
            "shortName" = "HKU";
            "key" = [Microsoft.Win32.Registry]::Users
            }
            }

            function enablePrivilege {
            param(
            # The privilege to adjust. This set is taken from:
            # http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
            [validateSet(
            "SeAssignPrimaryTokenPrivilege",
            "SeAuditPrivilege",
            "SeBackupPrivilege",
            "SeChangeNotifyPrivilege",
            "SeCreateGlobalPrivilege",
            "SeCreatePagefilePrivilege",
            "SeCreatePermanentPrivilege",
            "SeCreateSymbolicLinkPrivilege",
            "SeCreateTokenPrivilege",
            "SeDebugPrivilege",
            "SeEnableDelegationPrivilege",
            "SeImpersonatePrivilege",
            "SeIncreaseBasePriorityPrivilege",
            "SeIncreaseQuotaPrivilege",
            "SeIncreaseWorkingSetPrivilege",
            "SeLoadDriverPrivilege",
            "SeLockMemoryPrivilege",
            "SeMachineAccountPrivilege",
            "SeManageVolumePrivilege",
            "SeProfileSingleProcessPrivilege",
            "SeRelabelPrivilege",
            "SeRemoteShutdownPrivilege",
            "SeRestorePrivilege",
            "SeSecurityPrivilege",
            "SeShutdownPrivilege",
            "SeSyncAgentPrivilege",
            "SeSystemEnvironmentPrivilege",
            "SeSystemProfilePrivilege",
            "SeSystemtimePrivilege",
            "SeTakeOwnershipPrivilege",
            "SeTcbPrivilege",
            "SeTimeZonePrivilege",
            "SeTrustedCredManAccessPrivilege",
            "SeUndockPrivilege",
            "SeUnsolicitedInputPrivilege"
            )]
            $privilege,

            # The process on which to adjust the privilege. Defaults to the current process.
            $processId = $pid,

            # Switch to disable the privilege, rather than enable it.
            [switch] $disable
            )

            # Taken from P/Invoke.NET with minor adjustments.
            $definition = @'
            using System;
            using System.Runtime.InteropServices;

            public class AdjustPrivilege {
            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
            internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
            internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

            [DllImport("advapi32.dll", SetLastError = true)]
            internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

            [StructLayout(LayoutKind.Sequential, Pack = 1)]
            internal struct TokPriv1Luid {
            public int Count;
            public long Luid;
            public int Attr;
            }

            internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
            internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
            internal const int TOKEN_QUERY = 0x00000008;
            internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

            public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
            bool result;
            TokPriv1Luid tp;
            IntPtr hproc = new IntPtr(processHandle);
            IntPtr htok = IntPtr.Zero;
            result = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
            tp.Count = 1;
            tp.Luid = 0;
            if (disable) {
            tp.Attr = SE_PRIVILEGE_DISABLED;
            } else {
            tp.Attr = SE_PRIVILEGE_ENABLED;
            }
            result = LookupPrivilegeValue(null, privilege, ref tp.Luid);
            result = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            return result;
            }
            }
            '@

            $processHandle = (get-process -id $processId).handle
            $type = add-type $definition -passThru
            $type[0]::EnablePrivilege($processHandle, $privilege, $disable)
            }

            function getKeyNames {
            param(
            [parameter(mandatory = $true)]
            [string] $filePaths = $null
            )

            return (get-content $filePaths | select-string -pattern "[-?(.*)]" -allMatches | forEach-object {$_.matches.groups[1].value} | get-unique)
            }

            function splitKeyName {
            param(
            [parameter(mandatory = $true)]
            [string] $keyName = $null
            )

            $names = $keyName.split("\/", 2)

            $rootKeyName = $names[0]
            $subKeyName = $names[1]

            $keyPart = @{
            root = $baseKey[$rootKeyName];
            subKey = @{
            name = $subKeyName
            }
            }

            return $keyPart
            }

            function ownRegistryKey {
            param(
            [parameter(mandatory = $true)]
            [string] $keyName = $null
            )

            write-host """$keyName"""

            # Check if the key exists.
            if ($(try { test-path -path "Registry::$keyName".trim() } catch { $false })) {
            write-host " Opening..."

            $keyPart = splitKeyName -keyName $keyName
            $ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
            if ($ownableKey -ne $null) {
            # Set the owner.
            write-host " Setting owner..."
            $acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
            $owner = [System.Security.Principal.NTAccount] "Administrators"
            $acl.setOwner($owner)
            $ownableKey.setAccessControl($acl)

            # Set the permissions.
            write-host " Setting permissions..."
            $acl = $ownableKey.getAccessControl()
            $person = [System.Security.Principal.NTAccount] "Administrators"
            $access = [System.Security.AccessControl.RegistryRights] "FullControl"
            $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
            $propagation = [System.Security.AccessControl.PropagationFlags] "None"
            $type = [System.Security.AccessControl.AccessControlType] "Allow"

            $rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
            $acl.setAccessRule($rule)
            $ownableKey.setAccessControl($acl)

            $ownableKey.close()

            write-host " Done."

            # Own children subkeys.
            $readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
            if ($readableKey -ne $null) {
            $subKeyNames = ($readableKey.getSubKeyNames() | forEach-object { "$keyName$_" })
            $readableKey.close()
            if ($subKeyNames -ne $null) {
            ownRegistryKeys -keyNames $subKeyNames
            }
            } else {
            write-host " Unable to open children subkeys."
            }
            } else {
            write-host " Unable to open subkey."
            }
            } else {
            write-host " Key does not exist."
            }

            write-host
            }

            function ownRegistryKeys {
            param(
            [parameter(mandatory = $true)]
            [string] $keyNames = $null
            )

            $keyName = $null
            foreach ($keyName in $keyNames) {
            # Own parent key and children subkeys.
            ownRegistryKey -keyName $keyName
            }
            }

            function requestPrivileges {
            $numberOfRetries = 10

            $privilegeResult = $false
            for ($r = 0; !$privilegeResult -band $r -lt $numberOfRetries; $r += 1) {
            $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
            }

            if (!$privilegeResult) {
            write-host "Unable to receive privilege."
            exit 1
            }
            }

            function main {
            param(
            [parameter(mandatory = $true)]
            [string] $filePaths = $null
            )

            requestPrivileges

            $keyNames = getKeyNames -filePaths $filePaths
            ownRegistryKeys -keyNames $keyNames
            }

            main $args





            share|improve this answer


























            • Thanks! BTW:This requires English version of windows to work correctly

              – Abdelhafid Madoui
              Sep 13 '18 at 19:04
















            2














            I have written the batch file and registry files that should completely disable Windows Defender in Windows 10.




            1. Save the following files into the same folder.

            2. Run Disable Windows Defender.bat as administrator.

            3. After the batch file is done, restart.

            4. Run Disable Windows Defender.bat again as administrator.

            5. Windows Defender should be completely disabled now.


            Disable Windows Defender.bat



            @echo off

            call :main %*
            goto :eof

            :main
            setlocal EnableDelayedExpansion

            rem Check if Windows Defender is running.
            tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
            if %errorLevel% equ 0 (
            rem Windows Defender is running.
            echo Windows Defender is running.

            rem Performable operations while Windows Defender is running.
            rem Disable Windows Defender drivers.
            echo Disabling Windows Defender drivers...
            set "drivers="%SystemRoot%System32driversWdBoot.sys";"%SystemRoot%System32driversWdFilter.sys";"%SystemRoot%System32driversWdNisDrv.sys""
            set "drivers=!drivers:""="!"

            set "wasDriverDisabled=false"
            for %%d in (!drivers!) do (
            if exist "%%~d" (
            echo Disabling Windows Defender driver "%%~d"...
            call :disableFile "%%~d"
            set "wasDriverDisabled=true"
            )
            )

            rem Disable Windows Defender objects.
            echo Disabling Windows Defender objects...
            call :importRegistry "Disable Windows Defender objects.reg"

            rem Require restart to unload Windows Defender drivers and objects.
            echo.
            echo Restart required.
            ) else (
            rem Windows Defender is not running.
            echo Windows Defender is not running.

            rem Performable operations while Windows Defender is not running.
            rem Disable Windows Defender features.
            echo Disabling Windows Defender features...
            call :importRegistry "Disable Windows Defender features.reg"
            rem Disable Windows Defender services.
            echo Disabling Windows Defender services...
            call :importRegistry "Disable Windows Defender services.reg"

            rem Disable Windows Defender files.
            echo Disabling Windows Defender files...
            ren "%ProgramFiles%Windows Defender" "Windows Defender.bak"
            ren "%ProgramFiles(x86)%Windows Defender" "Windows Defender.bak"
            ren "%ProgramData%MicrosoftWindows Defender" "Windows Defender.bak"
            )

            endlocal
            goto :eof

            :ownFile
            setlocal
            set "filePath=%~1"
            set "user=%~2"
            takeown /f "%filePath%" /a
            icacls "%filePath%" /grant "%user%:F"
            endlocal
            goto :eof

            :disableFile
            setlocal
            set "filePath=%~1"
            call :ownFile "%filePath%" "Administrators"
            ren "%filePath%" "%~nx1.bak"
            endlocal
            goto :eof

            :importRegistry
            setlocal
            set "filePath=%~1"
            call OwnRegistryKeys.bat "%filePath%"
            @echo off
            regedit /s "%filePath%"
            endlocal
            goto :eof


            Disable Windows Defender objects.reg



            Windows Registry Editor Version 5.00

            ; Disable "Scan with Windows Defender..." right click context menu.
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

            ; Disable "DefenderCSP.dll".
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

            ; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{2781761E-28E0-4109-99FE-B9D127C57AFE}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{2781761E-28E0-4109-99FE-B9D127C57AFE}]

            ; Disable InfectionState WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

            ; Disable Status WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{8a696d12-576b-422e-9712-01b9dd84b446}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{8a696d12-576b-422e-9712-01b9dd84b446}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

            ; Disable Microsoft Windows Defender ("MsMpCom.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINESoftwareClassesTypeLib{8C389764-F036-48F2-9AE2-88C260DCF43B}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeTypeLib{8C389764-F036-48F2-9AE2-88C260DCF43B}]

            ; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

            ; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

            ; Disable MP UX Host ("MpUxSrv.exe").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]


            Disable Windows Defender features.reg



            Windows Registry Editor Version 5.00

            ; Disable Windows Defender features.
            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderReal-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderScan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderUX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderReal-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderScan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderUX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001


            Disable Windows Defender services.reg



            Windows Registry Editor Version 5.00

            ; Disable "Windows Defender" services.
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdNisSvc]
            "Start"=dword:00000004


            OwnRegistryKeys.bat



            @echo off

            rem Get the location of the PowerShell file.
            for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
            rem Run command for each argument.
            for %%a in (%*) do (
            powershell -executionPolicy bypass -file "%%~f" "%%~a"
            )
            )


            OwnRegistryKeys.ps1



            $script:baseKey = @{
            "HKEY_CLASSES_ROOT" = @{
            "name" = "HKEY_CLASSES_ROOT";
            "shortName" = "HKCR";
            "key" = [Microsoft.Win32.Registry]::ClassesRoot
            };
            "HKEY_CURRENT_CONFIG" = @{
            "name" = "HKEY_CURRENT_CONFIG";
            "shortName" = "HKCC";
            "key" = [Microsoft.Win32.Registry]::CurrentConfig
            };
            "HKEY_CURRENT_USER" = @{
            "name" = "HKEY_CURRENT_USER";
            "shortName" = "HKCU";
            "key" = [Microsoft.Win32.Registry]::CurrentUser
            };
            "HKEY_DYN_DATA" = @{
            "name" = "HKEY_DYN_DATA";
            "shortName" = "HKDD";
            "key" = [Microsoft.Win32.Registry]::DynData
            };
            "HKEY_LOCAL_MACHINE" = @{
            "name" = "HKEY_LOCAL_MACHINE";
            "shortName" = "HKLM";
            "key" = [Microsoft.Win32.Registry]::LocalMachine
            };
            "HKEY_PERFORMANCE_DATA" = @{
            "name" = "HKEY_PERFORMANCE_DATA";
            "shortName" = "HKPD";
            "key" = [Microsoft.Win32.Registry]::PerformanceData
            };
            "HKEY_USERS" = @{
            "name" = "HKEY_USERS";
            "shortName" = "HKU";
            "key" = [Microsoft.Win32.Registry]::Users
            }
            }

            function enablePrivilege {
            param(
            # The privilege to adjust. This set is taken from:
            # http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
            [validateSet(
            "SeAssignPrimaryTokenPrivilege",
            "SeAuditPrivilege",
            "SeBackupPrivilege",
            "SeChangeNotifyPrivilege",
            "SeCreateGlobalPrivilege",
            "SeCreatePagefilePrivilege",
            "SeCreatePermanentPrivilege",
            "SeCreateSymbolicLinkPrivilege",
            "SeCreateTokenPrivilege",
            "SeDebugPrivilege",
            "SeEnableDelegationPrivilege",
            "SeImpersonatePrivilege",
            "SeIncreaseBasePriorityPrivilege",
            "SeIncreaseQuotaPrivilege",
            "SeIncreaseWorkingSetPrivilege",
            "SeLoadDriverPrivilege",
            "SeLockMemoryPrivilege",
            "SeMachineAccountPrivilege",
            "SeManageVolumePrivilege",
            "SeProfileSingleProcessPrivilege",
            "SeRelabelPrivilege",
            "SeRemoteShutdownPrivilege",
            "SeRestorePrivilege",
            "SeSecurityPrivilege",
            "SeShutdownPrivilege",
            "SeSyncAgentPrivilege",
            "SeSystemEnvironmentPrivilege",
            "SeSystemProfilePrivilege",
            "SeSystemtimePrivilege",
            "SeTakeOwnershipPrivilege",
            "SeTcbPrivilege",
            "SeTimeZonePrivilege",
            "SeTrustedCredManAccessPrivilege",
            "SeUndockPrivilege",
            "SeUnsolicitedInputPrivilege"
            )]
            $privilege,

            # The process on which to adjust the privilege. Defaults to the current process.
            $processId = $pid,

            # Switch to disable the privilege, rather than enable it.
            [switch] $disable
            )

            # Taken from P/Invoke.NET with minor adjustments.
            $definition = @'
            using System;
            using System.Runtime.InteropServices;

            public class AdjustPrivilege {
            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
            internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
            internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

            [DllImport("advapi32.dll", SetLastError = true)]
            internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

            [StructLayout(LayoutKind.Sequential, Pack = 1)]
            internal struct TokPriv1Luid {
            public int Count;
            public long Luid;
            public int Attr;
            }

            internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
            internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
            internal const int TOKEN_QUERY = 0x00000008;
            internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

            public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
            bool result;
            TokPriv1Luid tp;
            IntPtr hproc = new IntPtr(processHandle);
            IntPtr htok = IntPtr.Zero;
            result = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
            tp.Count = 1;
            tp.Luid = 0;
            if (disable) {
            tp.Attr = SE_PRIVILEGE_DISABLED;
            } else {
            tp.Attr = SE_PRIVILEGE_ENABLED;
            }
            result = LookupPrivilegeValue(null, privilege, ref tp.Luid);
            result = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            return result;
            }
            }
            '@

            $processHandle = (get-process -id $processId).handle
            $type = add-type $definition -passThru
            $type[0]::EnablePrivilege($processHandle, $privilege, $disable)
            }

            function getKeyNames {
            param(
            [parameter(mandatory = $true)]
            [string] $filePaths = $null
            )

            return (get-content $filePaths | select-string -pattern "[-?(.*)]" -allMatches | forEach-object {$_.matches.groups[1].value} | get-unique)
            }

            function splitKeyName {
            param(
            [parameter(mandatory = $true)]
            [string] $keyName = $null
            )

            $names = $keyName.split("\/", 2)

            $rootKeyName = $names[0]
            $subKeyName = $names[1]

            $keyPart = @{
            root = $baseKey[$rootKeyName];
            subKey = @{
            name = $subKeyName
            }
            }

            return $keyPart
            }

            function ownRegistryKey {
            param(
            [parameter(mandatory = $true)]
            [string] $keyName = $null
            )

            write-host """$keyName"""

            # Check if the key exists.
            if ($(try { test-path -path "Registry::$keyName".trim() } catch { $false })) {
            write-host " Opening..."

            $keyPart = splitKeyName -keyName $keyName
            $ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
            if ($ownableKey -ne $null) {
            # Set the owner.
            write-host " Setting owner..."
            $acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
            $owner = [System.Security.Principal.NTAccount] "Administrators"
            $acl.setOwner($owner)
            $ownableKey.setAccessControl($acl)

            # Set the permissions.
            write-host " Setting permissions..."
            $acl = $ownableKey.getAccessControl()
            $person = [System.Security.Principal.NTAccount] "Administrators"
            $access = [System.Security.AccessControl.RegistryRights] "FullControl"
            $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
            $propagation = [System.Security.AccessControl.PropagationFlags] "None"
            $type = [System.Security.AccessControl.AccessControlType] "Allow"

            $rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
            $acl.setAccessRule($rule)
            $ownableKey.setAccessControl($acl)

            $ownableKey.close()

            write-host " Done."

            # Own children subkeys.
            $readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
            if ($readableKey -ne $null) {
            $subKeyNames = ($readableKey.getSubKeyNames() | forEach-object { "$keyName$_" })
            $readableKey.close()
            if ($subKeyNames -ne $null) {
            ownRegistryKeys -keyNames $subKeyNames
            }
            } else {
            write-host " Unable to open children subkeys."
            }
            } else {
            write-host " Unable to open subkey."
            }
            } else {
            write-host " Key does not exist."
            }

            write-host
            }

            function ownRegistryKeys {
            param(
            [parameter(mandatory = $true)]
            [string] $keyNames = $null
            )

            $keyName = $null
            foreach ($keyName in $keyNames) {
            # Own parent key and children subkeys.
            ownRegistryKey -keyName $keyName
            }
            }

            function requestPrivileges {
            $numberOfRetries = 10

            $privilegeResult = $false
            for ($r = 0; !$privilegeResult -band $r -lt $numberOfRetries; $r += 1) {
            $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
            }

            if (!$privilegeResult) {
            write-host "Unable to receive privilege."
            exit 1
            }
            }

            function main {
            param(
            [parameter(mandatory = $true)]
            [string] $filePaths = $null
            )

            requestPrivileges

            $keyNames = getKeyNames -filePaths $filePaths
            ownRegistryKeys -keyNames $keyNames
            }

            main $args





            share|improve this answer


























            • Thanks! BTW:This requires English version of windows to work correctly

              – Abdelhafid Madoui
              Sep 13 '18 at 19:04














            2












            2








            2







            I have written the batch file and registry files that should completely disable Windows Defender in Windows 10.




            1. Save the following files into the same folder.

            2. Run Disable Windows Defender.bat as administrator.

            3. After the batch file is done, restart.

            4. Run Disable Windows Defender.bat again as administrator.

            5. Windows Defender should be completely disabled now.


            Disable Windows Defender.bat



            @echo off

            call :main %*
            goto :eof

            :main
            setlocal EnableDelayedExpansion

            rem Check if Windows Defender is running.
            tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
            if %errorLevel% equ 0 (
            rem Windows Defender is running.
            echo Windows Defender is running.

            rem Performable operations while Windows Defender is running.
            rem Disable Windows Defender drivers.
            echo Disabling Windows Defender drivers...
            set "drivers="%SystemRoot%System32driversWdBoot.sys";"%SystemRoot%System32driversWdFilter.sys";"%SystemRoot%System32driversWdNisDrv.sys""
            set "drivers=!drivers:""="!"

            set "wasDriverDisabled=false"
            for %%d in (!drivers!) do (
            if exist "%%~d" (
            echo Disabling Windows Defender driver "%%~d"...
            call :disableFile "%%~d"
            set "wasDriverDisabled=true"
            )
            )

            rem Disable Windows Defender objects.
            echo Disabling Windows Defender objects...
            call :importRegistry "Disable Windows Defender objects.reg"

            rem Require restart to unload Windows Defender drivers and objects.
            echo.
            echo Restart required.
            ) else (
            rem Windows Defender is not running.
            echo Windows Defender is not running.

            rem Performable operations while Windows Defender is not running.
            rem Disable Windows Defender features.
            echo Disabling Windows Defender features...
            call :importRegistry "Disable Windows Defender features.reg"
            rem Disable Windows Defender services.
            echo Disabling Windows Defender services...
            call :importRegistry "Disable Windows Defender services.reg"

            rem Disable Windows Defender files.
            echo Disabling Windows Defender files...
            ren "%ProgramFiles%Windows Defender" "Windows Defender.bak"
            ren "%ProgramFiles(x86)%Windows Defender" "Windows Defender.bak"
            ren "%ProgramData%MicrosoftWindows Defender" "Windows Defender.bak"
            )

            endlocal
            goto :eof

            :ownFile
            setlocal
            set "filePath=%~1"
            set "user=%~2"
            takeown /f "%filePath%" /a
            icacls "%filePath%" /grant "%user%:F"
            endlocal
            goto :eof

            :disableFile
            setlocal
            set "filePath=%~1"
            call :ownFile "%filePath%" "Administrators"
            ren "%filePath%" "%~nx1.bak"
            endlocal
            goto :eof

            :importRegistry
            setlocal
            set "filePath=%~1"
            call OwnRegistryKeys.bat "%filePath%"
            @echo off
            regedit /s "%filePath%"
            endlocal
            goto :eof


            Disable Windows Defender objects.reg



            Windows Registry Editor Version 5.00

            ; Disable "Scan with Windows Defender..." right click context menu.
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

            ; Disable "DefenderCSP.dll".
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

            ; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{2781761E-28E0-4109-99FE-B9D127C57AFE}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{2781761E-28E0-4109-99FE-B9D127C57AFE}]

            ; Disable InfectionState WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

            ; Disable Status WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{8a696d12-576b-422e-9712-01b9dd84b446}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{8a696d12-576b-422e-9712-01b9dd84b446}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

            ; Disable Microsoft Windows Defender ("MsMpCom.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINESoftwareClassesTypeLib{8C389764-F036-48F2-9AE2-88C260DCF43B}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeTypeLib{8C389764-F036-48F2-9AE2-88C260DCF43B}]

            ; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

            ; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

            ; Disable MP UX Host ("MpUxSrv.exe").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]


            Disable Windows Defender features.reg



            Windows Registry Editor Version 5.00

            ; Disable Windows Defender features.
            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderReal-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderScan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderUX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderReal-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderScan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderUX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001


            Disable Windows Defender services.reg



            Windows Registry Editor Version 5.00

            ; Disable "Windows Defender" services.
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdNisSvc]
            "Start"=dword:00000004


            OwnRegistryKeys.bat



            @echo off

            rem Get the location of the PowerShell file.
            for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
            rem Run command for each argument.
            for %%a in (%*) do (
            powershell -executionPolicy bypass -file "%%~f" "%%~a"
            )
            )


            OwnRegistryKeys.ps1



            $script:baseKey = @{
            "HKEY_CLASSES_ROOT" = @{
            "name" = "HKEY_CLASSES_ROOT";
            "shortName" = "HKCR";
            "key" = [Microsoft.Win32.Registry]::ClassesRoot
            };
            "HKEY_CURRENT_CONFIG" = @{
            "name" = "HKEY_CURRENT_CONFIG";
            "shortName" = "HKCC";
            "key" = [Microsoft.Win32.Registry]::CurrentConfig
            };
            "HKEY_CURRENT_USER" = @{
            "name" = "HKEY_CURRENT_USER";
            "shortName" = "HKCU";
            "key" = [Microsoft.Win32.Registry]::CurrentUser
            };
            "HKEY_DYN_DATA" = @{
            "name" = "HKEY_DYN_DATA";
            "shortName" = "HKDD";
            "key" = [Microsoft.Win32.Registry]::DynData
            };
            "HKEY_LOCAL_MACHINE" = @{
            "name" = "HKEY_LOCAL_MACHINE";
            "shortName" = "HKLM";
            "key" = [Microsoft.Win32.Registry]::LocalMachine
            };
            "HKEY_PERFORMANCE_DATA" = @{
            "name" = "HKEY_PERFORMANCE_DATA";
            "shortName" = "HKPD";
            "key" = [Microsoft.Win32.Registry]::PerformanceData
            };
            "HKEY_USERS" = @{
            "name" = "HKEY_USERS";
            "shortName" = "HKU";
            "key" = [Microsoft.Win32.Registry]::Users
            }
            }

            function enablePrivilege {
            param(
            # The privilege to adjust. This set is taken from:
            # http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
            [validateSet(
            "SeAssignPrimaryTokenPrivilege",
            "SeAuditPrivilege",
            "SeBackupPrivilege",
            "SeChangeNotifyPrivilege",
            "SeCreateGlobalPrivilege",
            "SeCreatePagefilePrivilege",
            "SeCreatePermanentPrivilege",
            "SeCreateSymbolicLinkPrivilege",
            "SeCreateTokenPrivilege",
            "SeDebugPrivilege",
            "SeEnableDelegationPrivilege",
            "SeImpersonatePrivilege",
            "SeIncreaseBasePriorityPrivilege",
            "SeIncreaseQuotaPrivilege",
            "SeIncreaseWorkingSetPrivilege",
            "SeLoadDriverPrivilege",
            "SeLockMemoryPrivilege",
            "SeMachineAccountPrivilege",
            "SeManageVolumePrivilege",
            "SeProfileSingleProcessPrivilege",
            "SeRelabelPrivilege",
            "SeRemoteShutdownPrivilege",
            "SeRestorePrivilege",
            "SeSecurityPrivilege",
            "SeShutdownPrivilege",
            "SeSyncAgentPrivilege",
            "SeSystemEnvironmentPrivilege",
            "SeSystemProfilePrivilege",
            "SeSystemtimePrivilege",
            "SeTakeOwnershipPrivilege",
            "SeTcbPrivilege",
            "SeTimeZonePrivilege",
            "SeTrustedCredManAccessPrivilege",
            "SeUndockPrivilege",
            "SeUnsolicitedInputPrivilege"
            )]
            $privilege,

            # The process on which to adjust the privilege. Defaults to the current process.
            $processId = $pid,

            # Switch to disable the privilege, rather than enable it.
            [switch] $disable
            )

            # Taken from P/Invoke.NET with minor adjustments.
            $definition = @'
            using System;
            using System.Runtime.InteropServices;

            public class AdjustPrivilege {
            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
            internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
            internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

            [DllImport("advapi32.dll", SetLastError = true)]
            internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

            [StructLayout(LayoutKind.Sequential, Pack = 1)]
            internal struct TokPriv1Luid {
            public int Count;
            public long Luid;
            public int Attr;
            }

            internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
            internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
            internal const int TOKEN_QUERY = 0x00000008;
            internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

            public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
            bool result;
            TokPriv1Luid tp;
            IntPtr hproc = new IntPtr(processHandle);
            IntPtr htok = IntPtr.Zero;
            result = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
            tp.Count = 1;
            tp.Luid = 0;
            if (disable) {
            tp.Attr = SE_PRIVILEGE_DISABLED;
            } else {
            tp.Attr = SE_PRIVILEGE_ENABLED;
            }
            result = LookupPrivilegeValue(null, privilege, ref tp.Luid);
            result = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            return result;
            }
            }
            '@

            $processHandle = (get-process -id $processId).handle
            $type = add-type $definition -passThru
            $type[0]::EnablePrivilege($processHandle, $privilege, $disable)
            }

            function getKeyNames {
            param(
            [parameter(mandatory = $true)]
            [string] $filePaths = $null
            )

            return (get-content $filePaths | select-string -pattern "[-?(.*)]" -allMatches | forEach-object {$_.matches.groups[1].value} | get-unique)
            }

            function splitKeyName {
            param(
            [parameter(mandatory = $true)]
            [string] $keyName = $null
            )

            $names = $keyName.split("\/", 2)

            $rootKeyName = $names[0]
            $subKeyName = $names[1]

            $keyPart = @{
            root = $baseKey[$rootKeyName];
            subKey = @{
            name = $subKeyName
            }
            }

            return $keyPart
            }

            function ownRegistryKey {
            param(
            [parameter(mandatory = $true)]
            [string] $keyName = $null
            )

            write-host """$keyName"""

            # Check if the key exists.
            if ($(try { test-path -path "Registry::$keyName".trim() } catch { $false })) {
            write-host " Opening..."

            $keyPart = splitKeyName -keyName $keyName
            $ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
            if ($ownableKey -ne $null) {
            # Set the owner.
            write-host " Setting owner..."
            $acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
            $owner = [System.Security.Principal.NTAccount] "Administrators"
            $acl.setOwner($owner)
            $ownableKey.setAccessControl($acl)

            # Set the permissions.
            write-host " Setting permissions..."
            $acl = $ownableKey.getAccessControl()
            $person = [System.Security.Principal.NTAccount] "Administrators"
            $access = [System.Security.AccessControl.RegistryRights] "FullControl"
            $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
            $propagation = [System.Security.AccessControl.PropagationFlags] "None"
            $type = [System.Security.AccessControl.AccessControlType] "Allow"

            $rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
            $acl.setAccessRule($rule)
            $ownableKey.setAccessControl($acl)

            $ownableKey.close()

            write-host " Done."

            # Own children subkeys.
            $readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
            if ($readableKey -ne $null) {
            $subKeyNames = ($readableKey.getSubKeyNames() | forEach-object { "$keyName$_" })
            $readableKey.close()
            if ($subKeyNames -ne $null) {
            ownRegistryKeys -keyNames $subKeyNames
            }
            } else {
            write-host " Unable to open children subkeys."
            }
            } else {
            write-host " Unable to open subkey."
            }
            } else {
            write-host " Key does not exist."
            }

            write-host
            }

            function ownRegistryKeys {
            param(
            [parameter(mandatory = $true)]
            [string] $keyNames = $null
            )

            $keyName = $null
            foreach ($keyName in $keyNames) {
            # Own parent key and children subkeys.
            ownRegistryKey -keyName $keyName
            }
            }

            function requestPrivileges {
            $numberOfRetries = 10

            $privilegeResult = $false
            for ($r = 0; !$privilegeResult -band $r -lt $numberOfRetries; $r += 1) {
            $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
            }

            if (!$privilegeResult) {
            write-host "Unable to receive privilege."
            exit 1
            }
            }

            function main {
            param(
            [parameter(mandatory = $true)]
            [string] $filePaths = $null
            )

            requestPrivileges

            $keyNames = getKeyNames -filePaths $filePaths
            ownRegistryKeys -keyNames $keyNames
            }

            main $args





            share|improve this answer















            I have written the batch file and registry files that should completely disable Windows Defender in Windows 10.




            1. Save the following files into the same folder.

            2. Run Disable Windows Defender.bat as administrator.

            3. After the batch file is done, restart.

            4. Run Disable Windows Defender.bat again as administrator.

            5. Windows Defender should be completely disabled now.


            Disable Windows Defender.bat



            @echo off

            call :main %*
            goto :eof

            :main
            setlocal EnableDelayedExpansion

            rem Check if Windows Defender is running.
            tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
            if %errorLevel% equ 0 (
            rem Windows Defender is running.
            echo Windows Defender is running.

            rem Performable operations while Windows Defender is running.
            rem Disable Windows Defender drivers.
            echo Disabling Windows Defender drivers...
            set "drivers="%SystemRoot%System32driversWdBoot.sys";"%SystemRoot%System32driversWdFilter.sys";"%SystemRoot%System32driversWdNisDrv.sys""
            set "drivers=!drivers:""="!"

            set "wasDriverDisabled=false"
            for %%d in (!drivers!) do (
            if exist "%%~d" (
            echo Disabling Windows Defender driver "%%~d"...
            call :disableFile "%%~d"
            set "wasDriverDisabled=true"
            )
            )

            rem Disable Windows Defender objects.
            echo Disabling Windows Defender objects...
            call :importRegistry "Disable Windows Defender objects.reg"

            rem Require restart to unload Windows Defender drivers and objects.
            echo.
            echo Restart required.
            ) else (
            rem Windows Defender is not running.
            echo Windows Defender is not running.

            rem Performable operations while Windows Defender is not running.
            rem Disable Windows Defender features.
            echo Disabling Windows Defender features...
            call :importRegistry "Disable Windows Defender features.reg"
            rem Disable Windows Defender services.
            echo Disabling Windows Defender services...
            call :importRegistry "Disable Windows Defender services.reg"

            rem Disable Windows Defender files.
            echo Disabling Windows Defender files...
            ren "%ProgramFiles%Windows Defender" "Windows Defender.bak"
            ren "%ProgramFiles(x86)%Windows Defender" "Windows Defender.bak"
            ren "%ProgramData%MicrosoftWindows Defender" "Windows Defender.bak"
            )

            endlocal
            goto :eof

            :ownFile
            setlocal
            set "filePath=%~1"
            set "user=%~2"
            takeown /f "%filePath%" /a
            icacls "%filePath%" /grant "%user%:F"
            endlocal
            goto :eof

            :disableFile
            setlocal
            set "filePath=%~1"
            call :ownFile "%filePath%" "Administrators"
            ren "%filePath%" "%~nx1.bak"
            endlocal
            goto :eof

            :importRegistry
            setlocal
            set "filePath=%~1"
            call OwnRegistryKeys.bat "%filePath%"
            @echo off
            regedit /s "%filePath%"
            endlocal
            goto :eof


            Disable Windows Defender objects.reg



            Windows Registry Editor Version 5.00

            ; Disable "Scan with Windows Defender..." right click context menu.
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

            ; Disable "DefenderCSP.dll".
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

            ; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{2781761E-28E0-4109-99FE-B9D127C57AFE}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{2781761E-28E0-4109-99FE-B9D127C57AFE}]

            ; Disable InfectionState WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

            ; Disable Status WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{8a696d12-576b-422e-9712-01b9dd84b446}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{8a696d12-576b-422e-9712-01b9dd84b446}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

            ; Disable Microsoft Windows Defender ("MsMpCom.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINESoftwareClassesTypeLib{8C389764-F036-48F2-9AE2-88C260DCF43B}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeTypeLib{8C389764-F036-48F2-9AE2-88C260DCF43B}]

            ; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

            ; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

            ; Disable MP UX Host ("MpUxSrv.exe").
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]


            Disable Windows Defender features.reg



            Windows Registry Editor Version 5.00

            ; Disable Windows Defender features.
            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderReal-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderScan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINESoftwareMicrosoftWindows DefenderUX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderReal-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderScan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftWindows DefenderUX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001


            Disable Windows Defender services.reg



            Windows Registry Editor Version 5.00

            ; Disable "Windows Defender" services.
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet001ServicesWdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemControlSet002ServicesWdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWdNisSvc]
            "Start"=dword:00000004


            OwnRegistryKeys.bat



            @echo off

            rem Get the location of the PowerShell file.
            for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
            rem Run command for each argument.
            for %%a in (%*) do (
            powershell -executionPolicy bypass -file "%%~f" "%%~a"
            )
            )


            OwnRegistryKeys.ps1



            $script:baseKey = @{
            "HKEY_CLASSES_ROOT" = @{
            "name" = "HKEY_CLASSES_ROOT";
            "shortName" = "HKCR";
            "key" = [Microsoft.Win32.Registry]::ClassesRoot
            };
            "HKEY_CURRENT_CONFIG" = @{
            "name" = "HKEY_CURRENT_CONFIG";
            "shortName" = "HKCC";
            "key" = [Microsoft.Win32.Registry]::CurrentConfig
            };
            "HKEY_CURRENT_USER" = @{
            "name" = "HKEY_CURRENT_USER";
            "shortName" = "HKCU";
            "key" = [Microsoft.Win32.Registry]::CurrentUser
            };
            "HKEY_DYN_DATA" = @{
            "name" = "HKEY_DYN_DATA";
            "shortName" = "HKDD";
            "key" = [Microsoft.Win32.Registry]::DynData
            };
            "HKEY_LOCAL_MACHINE" = @{
            "name" = "HKEY_LOCAL_MACHINE";
            "shortName" = "HKLM";
            "key" = [Microsoft.Win32.Registry]::LocalMachine
            };
            "HKEY_PERFORMANCE_DATA" = @{
            "name" = "HKEY_PERFORMANCE_DATA";
            "shortName" = "HKPD";
            "key" = [Microsoft.Win32.Registry]::PerformanceData
            };
            "HKEY_USERS" = @{
            "name" = "HKEY_USERS";
            "shortName" = "HKU";
            "key" = [Microsoft.Win32.Registry]::Users
            }
            }

            function enablePrivilege {
            param(
            # The privilege to adjust. This set is taken from:
            # http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
            [validateSet(
            "SeAssignPrimaryTokenPrivilege",
            "SeAuditPrivilege",
            "SeBackupPrivilege",
            "SeChangeNotifyPrivilege",
            "SeCreateGlobalPrivilege",
            "SeCreatePagefilePrivilege",
            "SeCreatePermanentPrivilege",
            "SeCreateSymbolicLinkPrivilege",
            "SeCreateTokenPrivilege",
            "SeDebugPrivilege",
            "SeEnableDelegationPrivilege",
            "SeImpersonatePrivilege",
            "SeIncreaseBasePriorityPrivilege",
            "SeIncreaseQuotaPrivilege",
            "SeIncreaseWorkingSetPrivilege",
            "SeLoadDriverPrivilege",
            "SeLockMemoryPrivilege",
            "SeMachineAccountPrivilege",
            "SeManageVolumePrivilege",
            "SeProfileSingleProcessPrivilege",
            "SeRelabelPrivilege",
            "SeRemoteShutdownPrivilege",
            "SeRestorePrivilege",
            "SeSecurityPrivilege",
            "SeShutdownPrivilege",
            "SeSyncAgentPrivilege",
            "SeSystemEnvironmentPrivilege",
            "SeSystemProfilePrivilege",
            "SeSystemtimePrivilege",
            "SeTakeOwnershipPrivilege",
            "SeTcbPrivilege",
            "SeTimeZonePrivilege",
            "SeTrustedCredManAccessPrivilege",
            "SeUndockPrivilege",
            "SeUnsolicitedInputPrivilege"
            )]
            $privilege,

            # The process on which to adjust the privilege. Defaults to the current process.
            $processId = $pid,

            # Switch to disable the privilege, rather than enable it.
            [switch] $disable
            )

            # Taken from P/Invoke.NET with minor adjustments.
            $definition = @'
            using System;
            using System.Runtime.InteropServices;

            public class AdjustPrivilege {
            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
            internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
            internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

            [DllImport("advapi32.dll", SetLastError = true)]
            internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

            [StructLayout(LayoutKind.Sequential, Pack = 1)]
            internal struct TokPriv1Luid {
            public int Count;
            public long Luid;
            public int Attr;
            }

            internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
            internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
            internal const int TOKEN_QUERY = 0x00000008;
            internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

            public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
            bool result;
            TokPriv1Luid tp;
            IntPtr hproc = new IntPtr(processHandle);
            IntPtr htok = IntPtr.Zero;
            result = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
            tp.Count = 1;
            tp.Luid = 0;
            if (disable) {
            tp.Attr = SE_PRIVILEGE_DISABLED;
            } else {
            tp.Attr = SE_PRIVILEGE_ENABLED;
            }
            result = LookupPrivilegeValue(null, privilege, ref tp.Luid);
            result = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            return result;
            }
            }
            '@

            $processHandle = (get-process -id $processId).handle
            $type = add-type $definition -passThru
            $type[0]::EnablePrivilege($processHandle, $privilege, $disable)
            }

            function getKeyNames {
            param(
            [parameter(mandatory = $true)]
            [string] $filePaths = $null
            )

            return (get-content $filePaths | select-string -pattern "[-?(.*)]" -allMatches | forEach-object {$_.matches.groups[1].value} | get-unique)
            }

            function splitKeyName {
            param(
            [parameter(mandatory = $true)]
            [string] $keyName = $null
            )

            $names = $keyName.split("\/", 2)

            $rootKeyName = $names[0]
            $subKeyName = $names[1]

            $keyPart = @{
            root = $baseKey[$rootKeyName];
            subKey = @{
            name = $subKeyName
            }
            }

            return $keyPart
            }

            function ownRegistryKey {
            param(
            [parameter(mandatory = $true)]
            [string] $keyName = $null
            )

            write-host """$keyName"""

            # Check if the key exists.
            if ($(try { test-path -path "Registry::$keyName".trim() } catch { $false })) {
            write-host " Opening..."

            $keyPart = splitKeyName -keyName $keyName
            $ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
            if ($ownableKey -ne $null) {
            # Set the owner.
            write-host " Setting owner..."
            $acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
            $owner = [System.Security.Principal.NTAccount] "Administrators"
            $acl.setOwner($owner)
            $ownableKey.setAccessControl($acl)

            # Set the permissions.
            write-host " Setting permissions..."
            $acl = $ownableKey.getAccessControl()
            $person = [System.Security.Principal.NTAccount] "Administrators"
            $access = [System.Security.AccessControl.RegistryRights] "FullControl"
            $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
            $propagation = [System.Security.AccessControl.PropagationFlags] "None"
            $type = [System.Security.AccessControl.AccessControlType] "Allow"

            $rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
            $acl.setAccessRule($rule)
            $ownableKey.setAccessControl($acl)

            $ownableKey.close()

            write-host " Done."

            # Own children subkeys.
            $readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
            if ($readableKey -ne $null) {
            $subKeyNames = ($readableKey.getSubKeyNames() | forEach-object { "$keyName$_" })
            $readableKey.close()
            if ($subKeyNames -ne $null) {
            ownRegistryKeys -keyNames $subKeyNames
            }
            } else {
            write-host " Unable to open children subkeys."
            }
            } else {
            write-host " Unable to open subkey."
            }
            } else {
            write-host " Key does not exist."
            }

            write-host
            }

            function ownRegistryKeys {
            param(
            [parameter(mandatory = $true)]
            [string] $keyNames = $null
            )

            $keyName = $null
            foreach ($keyName in $keyNames) {
            # Own parent key and children subkeys.
            ownRegistryKey -keyName $keyName
            }
            }

            function requestPrivileges {
            $numberOfRetries = 10

            $privilegeResult = $false
            for ($r = 0; !$privilegeResult -band $r -lt $numberOfRetries; $r += 1) {
            $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
            }

            if (!$privilegeResult) {
            write-host "Unable to receive privilege."
            exit 1
            }
            }

            function main {
            param(
            [parameter(mandatory = $true)]
            [string] $filePaths = $null
            )

            requestPrivileges

            $keyNames = getKeyNames -filePaths $filePaths
            ownRegistryKeys -keyNames $keyNames
            }

            main $args






            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Dec 6 '15 at 0:01

























            answered Dec 5 '15 at 23:38









            XP1XP1

            7241919




            7241919













            • Thanks! BTW:This requires English version of windows to work correctly

              – Abdelhafid Madoui
              Sep 13 '18 at 19:04



















            • Thanks! BTW:This requires English version of windows to work correctly

              – Abdelhafid Madoui
              Sep 13 '18 at 19:04

















            Thanks! BTW:This requires English version of windows to work correctly

            – Abdelhafid Madoui
            Sep 13 '18 at 19:04





            Thanks! BTW:This requires English version of windows to work correctly

            – Abdelhafid Madoui
            Sep 13 '18 at 19:04











            1














            The easy powershell method is here from an answer I posted on a question later marked duplicate for this.



            The easiest way to do this would be to use powershell to disable it, the command you probably want is this



            Set-MpPreference -DisableRealtimeMonitoring $true
            Get-Service WinDefend | stop-service


            For an article on using powershell to disable/enable Windows Defender check here: http://wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows-10-using-powershell



            Here is the technet article for a more detailed look at available defender cmdlets: https://technet.microsoft.com/en-us/library/dn433280.aspx






            share|improve this answer


























            • I don't believe this would stop and disable the service itself. It just disables the real-time capabilities of Windows Defender which an be simply be done through Settings no need for a PowerShell applet.

              – Ramhound
              Jan 14 '16 at 19:48











            • @Ramhound edited for service mgmt with powershell. I'm not 100% it will stop the service without the same issue as net stop service but I have had more luck with powershell and don't believe get/stop-service alias to net-stop

              – Abraxas
              Jan 14 '16 at 19:57
















            1














            The easy powershell method is here from an answer I posted on a question later marked duplicate for this.



            The easiest way to do this would be to use powershell to disable it, the command you probably want is this



            Set-MpPreference -DisableRealtimeMonitoring $true
            Get-Service WinDefend | stop-service


            For an article on using powershell to disable/enable Windows Defender check here: http://wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows-10-using-powershell



            Here is the technet article for a more detailed look at available defender cmdlets: https://technet.microsoft.com/en-us/library/dn433280.aspx






            share|improve this answer


























            • I don't believe this would stop and disable the service itself. It just disables the real-time capabilities of Windows Defender which an be simply be done through Settings no need for a PowerShell applet.

              – Ramhound
              Jan 14 '16 at 19:48











            • @Ramhound edited for service mgmt with powershell. I'm not 100% it will stop the service without the same issue as net stop service but I have had more luck with powershell and don't believe get/stop-service alias to net-stop

              – Abraxas
              Jan 14 '16 at 19:57














            1












            1








            1







            The easy powershell method is here from an answer I posted on a question later marked duplicate for this.



            The easiest way to do this would be to use powershell to disable it, the command you probably want is this



            Set-MpPreference -DisableRealtimeMonitoring $true
            Get-Service WinDefend | stop-service


            For an article on using powershell to disable/enable Windows Defender check here: http://wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows-10-using-powershell



            Here is the technet article for a more detailed look at available defender cmdlets: https://technet.microsoft.com/en-us/library/dn433280.aspx






            share|improve this answer















            The easy powershell method is here from an answer I posted on a question later marked duplicate for this.



            The easiest way to do this would be to use powershell to disable it, the command you probably want is this



            Set-MpPreference -DisableRealtimeMonitoring $true
            Get-Service WinDefend | stop-service


            For an article on using powershell to disable/enable Windows Defender check here: http://wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows-10-using-powershell



            Here is the technet article for a more detailed look at available defender cmdlets: https://technet.microsoft.com/en-us/library/dn433280.aspx







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Jan 14 '16 at 19:55

























            answered Jan 14 '16 at 19:18









            AbraxasAbraxas

            3,29442139




            3,29442139













            • I don't believe this would stop and disable the service itself. It just disables the real-time capabilities of Windows Defender which an be simply be done through Settings no need for a PowerShell applet.

              – Ramhound
              Jan 14 '16 at 19:48











            • @Ramhound edited for service mgmt with powershell. I'm not 100% it will stop the service without the same issue as net stop service but I have had more luck with powershell and don't believe get/stop-service alias to net-stop

              – Abraxas
              Jan 14 '16 at 19:57



















            • I don't believe this would stop and disable the service itself. It just disables the real-time capabilities of Windows Defender which an be simply be done through Settings no need for a PowerShell applet.

              – Ramhound
              Jan 14 '16 at 19:48











            • @Ramhound edited for service mgmt with powershell. I'm not 100% it will stop the service without the same issue as net stop service but I have had more luck with powershell and don't believe get/stop-service alias to net-stop

              – Abraxas
              Jan 14 '16 at 19:57

















            I don't believe this would stop and disable the service itself. It just disables the real-time capabilities of Windows Defender which an be simply be done through Settings no need for a PowerShell applet.

            – Ramhound
            Jan 14 '16 at 19:48





            I don't believe this would stop and disable the service itself. It just disables the real-time capabilities of Windows Defender which an be simply be done through Settings no need for a PowerShell applet.

            – Ramhound
            Jan 14 '16 at 19:48













            @Ramhound edited for service mgmt with powershell. I'm not 100% it will stop the service without the same issue as net stop service but I have had more luck with powershell and don't believe get/stop-service alias to net-stop

            – Abraxas
            Jan 14 '16 at 19:57





            @Ramhound edited for service mgmt with powershell. I'm not 100% it will stop the service without the same issue as net stop service but I have had more luck with powershell and don't believe get/stop-service alias to net-stop

            – Abraxas
            Jan 14 '16 at 19:57











            0














            I found that the following procedure works well; it doesn't remove or disable Windows Defender, but it disables Windows Defender SERVICE, stops all start-up and real-time scanning, and prevents Windows Defender Real-Time Scan from turning itself back on. (It leaves Windows Defender in-place, so you can use it to perform on-demand scanning of suspicious files.)



            PROCEDURE:




            1. Find, download, install "SysInternals" program suite.

            2. Run program "AutoRuns".

            3. Find "Windows Defender Service".

            4. Uncheck the box.

            5. Restart your computer.


            After doing that, my startup time decreased from 20min to 5min, and memory usage after startup (before launching any apps) decreased from 2.1GB to 1.2GB. And when I looked in "Services", I found that "Windows Defender Service", while still there, is now marked "NOT running, Disabled".






            share|improve this answer




























              0














              I found that the following procedure works well; it doesn't remove or disable Windows Defender, but it disables Windows Defender SERVICE, stops all start-up and real-time scanning, and prevents Windows Defender Real-Time Scan from turning itself back on. (It leaves Windows Defender in-place, so you can use it to perform on-demand scanning of suspicious files.)



              PROCEDURE:




              1. Find, download, install "SysInternals" program suite.

              2. Run program "AutoRuns".

              3. Find "Windows Defender Service".

              4. Uncheck the box.

              5. Restart your computer.


              After doing that, my startup time decreased from 20min to 5min, and memory usage after startup (before launching any apps) decreased from 2.1GB to 1.2GB. And when I looked in "Services", I found that "Windows Defender Service", while still there, is now marked "NOT running, Disabled".






              share|improve this answer


























                0












                0








                0







                I found that the following procedure works well; it doesn't remove or disable Windows Defender, but it disables Windows Defender SERVICE, stops all start-up and real-time scanning, and prevents Windows Defender Real-Time Scan from turning itself back on. (It leaves Windows Defender in-place, so you can use it to perform on-demand scanning of suspicious files.)



                PROCEDURE:




                1. Find, download, install "SysInternals" program suite.

                2. Run program "AutoRuns".

                3. Find "Windows Defender Service".

                4. Uncheck the box.

                5. Restart your computer.


                After doing that, my startup time decreased from 20min to 5min, and memory usage after startup (before launching any apps) decreased from 2.1GB to 1.2GB. And when I looked in "Services", I found that "Windows Defender Service", while still there, is now marked "NOT running, Disabled".






                share|improve this answer













                I found that the following procedure works well; it doesn't remove or disable Windows Defender, but it disables Windows Defender SERVICE, stops all start-up and real-time scanning, and prevents Windows Defender Real-Time Scan from turning itself back on. (It leaves Windows Defender in-place, so you can use it to perform on-demand scanning of suspicious files.)



                PROCEDURE:




                1. Find, download, install "SysInternals" program suite.

                2. Run program "AutoRuns".

                3. Find "Windows Defender Service".

                4. Uncheck the box.

                5. Restart your computer.


                After doing that, my startup time decreased from 20min to 5min, and memory usage after startup (before launching any apps) decreased from 2.1GB to 1.2GB. And when I looked in "Services", I found that "Windows Defender Service", while still there, is now marked "NOT running, Disabled".







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Oct 1 '16 at 23:02









                Robbie HatleyRobbie Hatley

                1




                1























                    0














                    The easiest way I've found is to open an administrator command prompt and run:



                    reg add "HKLMSOFTWAREPoliciesMicrosoftWindows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1


                    Then reboot. I have not been able to find away to shutdown the service once it is started with out a reboot.






                    share|improve this answer




























                      0














                      The easiest way I've found is to open an administrator command prompt and run:



                      reg add "HKLMSOFTWAREPoliciesMicrosoftWindows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1


                      Then reboot. I have not been able to find away to shutdown the service once it is started with out a reboot.






                      share|improve this answer


























                        0












                        0








                        0







                        The easiest way I've found is to open an administrator command prompt and run:



                        reg add "HKLMSOFTWAREPoliciesMicrosoftWindows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1


                        Then reboot. I have not been able to find away to shutdown the service once it is started with out a reboot.






                        share|improve this answer













                        The easiest way I've found is to open an administrator command prompt and run:



                        reg add "HKLMSOFTWAREPoliciesMicrosoftWindows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1


                        Then reboot. I have not been able to find away to shutdown the service once it is started with out a reboot.







                        share|improve this answer












                        share|improve this answer



                        share|improve this answer










                        answered Feb 5 '17 at 1:46









                        jcofflandjcoffland

                        20016




                        20016























                            0














                            It is not so easy to reliably and totally disable the Windows Defender. There is a PowerShell script that uninstalls Windows Defender, but you may not be able later to install it back. This script requires two reboots.



                            Just download the Debloat-Windows-10 and follow these steps, provided by the author:




                            1. Unpack the archive;


                            2. Enable execution of PowerShell scripts:



                              PS> Set-ExecutionPolicy Unrestricted




                            3. Unblock PowerShell scripts and modules within this directory:



                              PS > ls -Recurse *.ps1 | Unblock-File
                              PS > ls -Recurse *.psm1 | Unblock-File



                            4. Run scriptsdisable-windows-defender.ps1


                            5. Reboot the computer (either usual way or via the PS > Restart-Computer)

                            6. Run scriptsdisable-windows-defender.ps1 one more time.

                            7. Reboot the computer again.


                            This is not the easiest way, but very reliable and resilient.



                            There are also the scripts to remove unnecessary programs like BingFinance, Skype, OneDrive, etc - if you don't need them.



                            The archive does also contain lot of scripts that you may find useful.



                            Please be aware that these scripts irreversible delete files and can delete vital functions of Windows. For example, they may totally disable the Start menu!



                            Don't run disable-ShellExperienceHost.bat from this package, otherwise the Start Menu will stop opening.






                            share|improve this answer






























                              0














                              It is not so easy to reliably and totally disable the Windows Defender. There is a PowerShell script that uninstalls Windows Defender, but you may not be able later to install it back. This script requires two reboots.



                              Just download the Debloat-Windows-10 and follow these steps, provided by the author:




                              1. Unpack the archive;


                              2. Enable execution of PowerShell scripts:



                                PS> Set-ExecutionPolicy Unrestricted




                              3. Unblock PowerShell scripts and modules within this directory:



                                PS > ls -Recurse *.ps1 | Unblock-File
                                PS > ls -Recurse *.psm1 | Unblock-File



                              4. Run scriptsdisable-windows-defender.ps1


                              5. Reboot the computer (either usual way or via the PS > Restart-Computer)

                              6. Run scriptsdisable-windows-defender.ps1 one more time.

                              7. Reboot the computer again.


                              This is not the easiest way, but very reliable and resilient.



                              There are also the scripts to remove unnecessary programs like BingFinance, Skype, OneDrive, etc - if you don't need them.



                              The archive does also contain lot of scripts that you may find useful.



                              Please be aware that these scripts irreversible delete files and can delete vital functions of Windows. For example, they may totally disable the Start menu!



                              Don't run disable-ShellExperienceHost.bat from this package, otherwise the Start Menu will stop opening.






                              share|improve this answer




























                                0












                                0








                                0







                                It is not so easy to reliably and totally disable the Windows Defender. There is a PowerShell script that uninstalls Windows Defender, but you may not be able later to install it back. This script requires two reboots.



                                Just download the Debloat-Windows-10 and follow these steps, provided by the author:




                                1. Unpack the archive;


                                2. Enable execution of PowerShell scripts:



                                  PS> Set-ExecutionPolicy Unrestricted




                                3. Unblock PowerShell scripts and modules within this directory:



                                  PS > ls -Recurse *.ps1 | Unblock-File
                                  PS > ls -Recurse *.psm1 | Unblock-File



                                4. Run scriptsdisable-windows-defender.ps1


                                5. Reboot the computer (either usual way or via the PS > Restart-Computer)

                                6. Run scriptsdisable-windows-defender.ps1 one more time.

                                7. Reboot the computer again.


                                This is not the easiest way, but very reliable and resilient.



                                There are also the scripts to remove unnecessary programs like BingFinance, Skype, OneDrive, etc - if you don't need them.



                                The archive does also contain lot of scripts that you may find useful.



                                Please be aware that these scripts irreversible delete files and can delete vital functions of Windows. For example, they may totally disable the Start menu!



                                Don't run disable-ShellExperienceHost.bat from this package, otherwise the Start Menu will stop opening.






                                share|improve this answer















                                It is not so easy to reliably and totally disable the Windows Defender. There is a PowerShell script that uninstalls Windows Defender, but you may not be able later to install it back. This script requires two reboots.



                                Just download the Debloat-Windows-10 and follow these steps, provided by the author:




                                1. Unpack the archive;


                                2. Enable execution of PowerShell scripts:



                                  PS> Set-ExecutionPolicy Unrestricted




                                3. Unblock PowerShell scripts and modules within this directory:



                                  PS > ls -Recurse *.ps1 | Unblock-File
                                  PS > ls -Recurse *.psm1 | Unblock-File



                                4. Run scriptsdisable-windows-defender.ps1


                                5. Reboot the computer (either usual way or via the PS > Restart-Computer)

                                6. Run scriptsdisable-windows-defender.ps1 one more time.

                                7. Reboot the computer again.


                                This is not the easiest way, but very reliable and resilient.



                                There are also the scripts to remove unnecessary programs like BingFinance, Skype, OneDrive, etc - if you don't need them.



                                The archive does also contain lot of scripts that you may find useful.



                                Please be aware that these scripts irreversible delete files and can delete vital functions of Windows. For example, they may totally disable the Start menu!



                                Don't run disable-ShellExperienceHost.bat from this package, otherwise the Start Menu will stop opening.







                                share|improve this answer














                                share|improve this answer



                                share|improve this answer








                                edited Jun 4 '17 at 0:25

























                                answered May 27 '17 at 14:41









                                Maxim MasiutinMaxim Masiutin

                                1093




                                1093























                                    0














                                    It would be helpful to understand why you cannot stop a particular service.




                                    • I'm the administrator; worse than failure can't the Administrator administrate?!


                                    It's because of the security permissions on the WinDefend service.



                                    Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"



                                    enter image description here



                                    Viewing Permissions



                                    If you run from a command line:



                                    >sc sdshow WinDefend


                                    where





                                    • sdshow means "Displays a service's security descriptor."


                                    You'll get the security descriptor:



                                    C:UsersIan>sc sdshow WinDefend

                                    D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


                                    This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:



                                    D:
                                    (A;;CCLCSWRPLOCRRC;;;BU)
                                    (A;;CCLCSWRPLOCRRC;;;SY)
                                    (A;;CCLCSWRPLOCRRC;;;BA)
                                    (A;;CCLCSWRPLOCRRC;;;IU)
                                    (A;;CCLCSWRPLOCRRC;;;SU)
                                    (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
                                    (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


                                    The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):





                                    • D: discretionary access control list


                                      • ACE1: A;;CCLCSWRPLOCRRC;;;BU

                                      • ACE2: A;;CCLCSWRPLOCRRC;;;SY

                                      • ACE3: A;;CCLCSWRPLOCRRC;;;BA

                                      • ACE4: A;;CCLCSWRPLOCRRC;;;IU

                                      • ACE5: A;;CCLCSWRPLOCRRC;;;SU

                                      • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

                                      • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                    Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.



                                    Looking first at who they apply to, a random blog article decode some of them (archive.is):





                                    • BU: Built-in users


                                    • SY: Local System


                                    • BA: Built-in administrators


                                    • UI: Interactively logged-on user


                                    • SU: Service logon user


                                    • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer


                                    • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736:


                                    You can get the name associated with an SID by running:



                                    >wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name


                                    Each ACE contains a list of permissions that the user is being allowed or denied.





                                    • D: discretionary access control list



                                      • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users


                                      • ACE 2: A;;CCLCSWRPLOCRRC;;; Local system


                                      • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators


                                      • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user


                                      • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user


                                      • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer


                                      • ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                    Breaking down the remaining semicolon separated sections in an ACE:




                                    • ACE: A;;CCLCSWRPLOCRRC;;;


                                      • AceType: A ACCESS_ALLOWED_ACE_TYPE

                                      • AceFlags: (none)

                                      • AccessMask: CC LC SW RP LO CR RC



                                        • CC: CREATE_CHILD


                                        • LC: LIST_CHILDREN


                                        • SW: SELF_WRITE


                                        • RP: READ_PROPERTY


                                        • LO: LIST_OBJECT


                                        • CR: CONTROL_ACCESS


                                        • RC: READ_CONTROL



                                      • ObjectGuid: (none)

                                      • InheritObjectGuid: (none)




                                    The leading A means Allowed, and the permissions are two-letter codes:





                                    • D: discretionary access control list



                                      • ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users


                                      • ACE 2: Allow, CC LC SW RP LO CR RC, Local system


                                      • ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators


                                      • ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user


                                      • ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user


                                      • ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer


                                      • ACE 7: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                    And this is where i'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but i've already stopped it, and my PC is still misbehaving.



                                    Spoiler:



                                    sc sdset WinDefend [newSDLString]


                                    Bonus Reading





                                    • How to specify permissions to services in Windows by using SDDL? *(archive.is)


                                    • How to Convert SID to Username and Vice Versa (archive.is)


                                    • The Security Descriptor Definition Language of Love (Part 2) (archive.is)


                                    • 2.5.1.1 Syntax (archive.is)






                                    share|improve this answer






























                                      0














                                      It would be helpful to understand why you cannot stop a particular service.




                                      • I'm the administrator; worse than failure can't the Administrator administrate?!


                                      It's because of the security permissions on the WinDefend service.



                                      Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"



                                      enter image description here



                                      Viewing Permissions



                                      If you run from a command line:



                                      >sc sdshow WinDefend


                                      where





                                      • sdshow means "Displays a service's security descriptor."


                                      You'll get the security descriptor:



                                      C:UsersIan>sc sdshow WinDefend

                                      D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


                                      This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:



                                      D:
                                      (A;;CCLCSWRPLOCRRC;;;BU)
                                      (A;;CCLCSWRPLOCRRC;;;SY)
                                      (A;;CCLCSWRPLOCRRC;;;BA)
                                      (A;;CCLCSWRPLOCRRC;;;IU)
                                      (A;;CCLCSWRPLOCRRC;;;SU)
                                      (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
                                      (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


                                      The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):





                                      • D: discretionary access control list


                                        • ACE1: A;;CCLCSWRPLOCRRC;;;BU

                                        • ACE2: A;;CCLCSWRPLOCRRC;;;SY

                                        • ACE3: A;;CCLCSWRPLOCRRC;;;BA

                                        • ACE4: A;;CCLCSWRPLOCRRC;;;IU

                                        • ACE5: A;;CCLCSWRPLOCRRC;;;SU

                                        • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

                                        • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                      Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.



                                      Looking first at who they apply to, a random blog article decode some of them (archive.is):





                                      • BU: Built-in users


                                      • SY: Local System


                                      • BA: Built-in administrators


                                      • UI: Interactively logged-on user


                                      • SU: Service logon user


                                      • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer


                                      • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736:


                                      You can get the name associated with an SID by running:



                                      >wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name


                                      Each ACE contains a list of permissions that the user is being allowed or denied.





                                      • D: discretionary access control list



                                        • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users


                                        • ACE 2: A;;CCLCSWRPLOCRRC;;; Local system


                                        • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators


                                        • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user


                                        • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user


                                        • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer


                                        • ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                      Breaking down the remaining semicolon separated sections in an ACE:




                                      • ACE: A;;CCLCSWRPLOCRRC;;;


                                        • AceType: A ACCESS_ALLOWED_ACE_TYPE

                                        • AceFlags: (none)

                                        • AccessMask: CC LC SW RP LO CR RC



                                          • CC: CREATE_CHILD


                                          • LC: LIST_CHILDREN


                                          • SW: SELF_WRITE


                                          • RP: READ_PROPERTY


                                          • LO: LIST_OBJECT


                                          • CR: CONTROL_ACCESS


                                          • RC: READ_CONTROL



                                        • ObjectGuid: (none)

                                        • InheritObjectGuid: (none)




                                      The leading A means Allowed, and the permissions are two-letter codes:





                                      • D: discretionary access control list



                                        • ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users


                                        • ACE 2: Allow, CC LC SW RP LO CR RC, Local system


                                        • ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators


                                        • ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user


                                        • ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user


                                        • ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer


                                        • ACE 7: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                      And this is where i'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but i've already stopped it, and my PC is still misbehaving.



                                      Spoiler:



                                      sc sdset WinDefend [newSDLString]


                                      Bonus Reading





                                      • How to specify permissions to services in Windows by using SDDL? *(archive.is)


                                      • How to Convert SID to Username and Vice Versa (archive.is)


                                      • The Security Descriptor Definition Language of Love (Part 2) (archive.is)


                                      • 2.5.1.1 Syntax (archive.is)






                                      share|improve this answer




























                                        0












                                        0








                                        0







                                        It would be helpful to understand why you cannot stop a particular service.




                                        • I'm the administrator; worse than failure can't the Administrator administrate?!


                                        It's because of the security permissions on the WinDefend service.



                                        Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"



                                        enter image description here



                                        Viewing Permissions



                                        If you run from a command line:



                                        >sc sdshow WinDefend


                                        where





                                        • sdshow means "Displays a service's security descriptor."


                                        You'll get the security descriptor:



                                        C:UsersIan>sc sdshow WinDefend

                                        D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


                                        This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:



                                        D:
                                        (A;;CCLCSWRPLOCRRC;;;BU)
                                        (A;;CCLCSWRPLOCRRC;;;SY)
                                        (A;;CCLCSWRPLOCRRC;;;BA)
                                        (A;;CCLCSWRPLOCRRC;;;IU)
                                        (A;;CCLCSWRPLOCRRC;;;SU)
                                        (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
                                        (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


                                        The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):





                                        • D: discretionary access control list


                                          • ACE1: A;;CCLCSWRPLOCRRC;;;BU

                                          • ACE2: A;;CCLCSWRPLOCRRC;;;SY

                                          • ACE3: A;;CCLCSWRPLOCRRC;;;BA

                                          • ACE4: A;;CCLCSWRPLOCRRC;;;IU

                                          • ACE5: A;;CCLCSWRPLOCRRC;;;SU

                                          • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

                                          • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                        Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.



                                        Looking first at who they apply to, a random blog article decode some of them (archive.is):





                                        • BU: Built-in users


                                        • SY: Local System


                                        • BA: Built-in administrators


                                        • UI: Interactively logged-on user


                                        • SU: Service logon user


                                        • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer


                                        • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736:


                                        You can get the name associated with an SID by running:



                                        >wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name


                                        Each ACE contains a list of permissions that the user is being allowed or denied.





                                        • D: discretionary access control list



                                          • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users


                                          • ACE 2: A;;CCLCSWRPLOCRRC;;; Local system


                                          • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators


                                          • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user


                                          • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user


                                          • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer


                                          • ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                        Breaking down the remaining semicolon separated sections in an ACE:




                                        • ACE: A;;CCLCSWRPLOCRRC;;;


                                          • AceType: A ACCESS_ALLOWED_ACE_TYPE

                                          • AceFlags: (none)

                                          • AccessMask: CC LC SW RP LO CR RC



                                            • CC: CREATE_CHILD


                                            • LC: LIST_CHILDREN


                                            • SW: SELF_WRITE


                                            • RP: READ_PROPERTY


                                            • LO: LIST_OBJECT


                                            • CR: CONTROL_ACCESS


                                            • RC: READ_CONTROL



                                          • ObjectGuid: (none)

                                          • InheritObjectGuid: (none)




                                        The leading A means Allowed, and the permissions are two-letter codes:





                                        • D: discretionary access control list



                                          • ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users


                                          • ACE 2: Allow, CC LC SW RP LO CR RC, Local system


                                          • ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators


                                          • ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user


                                          • ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user


                                          • ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer


                                          • ACE 7: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                        And this is where i'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but i've already stopped it, and my PC is still misbehaving.



                                        Spoiler:



                                        sc sdset WinDefend [newSDLString]


                                        Bonus Reading





                                        • How to specify permissions to services in Windows by using SDDL? *(archive.is)


                                        • How to Convert SID to Username and Vice Versa (archive.is)


                                        • The Security Descriptor Definition Language of Love (Part 2) (archive.is)


                                        • 2.5.1.1 Syntax (archive.is)






                                        share|improve this answer















                                        It would be helpful to understand why you cannot stop a particular service.




                                        • I'm the administrator; worse than failure can't the Administrator administrate?!


                                        It's because of the security permissions on the WinDefend service.



                                        Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"



                                        enter image description here



                                        Viewing Permissions



                                        If you run from a command line:



                                        >sc sdshow WinDefend


                                        where





                                        • sdshow means "Displays a service's security descriptor."


                                        You'll get the security descriptor:



                                        C:UsersIan>sc sdshow WinDefend

                                        D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


                                        This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:



                                        D:
                                        (A;;CCLCSWRPLOCRRC;;;BU)
                                        (A;;CCLCSWRPLOCRRC;;;SY)
                                        (A;;CCLCSWRPLOCRRC;;;BA)
                                        (A;;CCLCSWRPLOCRRC;;;IU)
                                        (A;;CCLCSWRPLOCRRC;;;SU)
                                        (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
                                        (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


                                        The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):





                                        • D: discretionary access control list


                                          • ACE1: A;;CCLCSWRPLOCRRC;;;BU

                                          • ACE2: A;;CCLCSWRPLOCRRC;;;SY

                                          • ACE3: A;;CCLCSWRPLOCRRC;;;BA

                                          • ACE4: A;;CCLCSWRPLOCRRC;;;IU

                                          • ACE5: A;;CCLCSWRPLOCRRC;;;SU

                                          • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

                                          • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                        Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.



                                        Looking first at who they apply to, a random blog article decode some of them (archive.is):





                                        • BU: Built-in users


                                        • SY: Local System


                                        • BA: Built-in administrators


                                        • UI: Interactively logged-on user


                                        • SU: Service logon user


                                        • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer


                                        • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736:


                                        You can get the name associated with an SID by running:



                                        >wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name


                                        Each ACE contains a list of permissions that the user is being allowed or denied.





                                        • D: discretionary access control list



                                          • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users


                                          • ACE 2: A;;CCLCSWRPLOCRRC;;; Local system


                                          • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators


                                          • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user


                                          • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user


                                          • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer


                                          • ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                        Breaking down the remaining semicolon separated sections in an ACE:




                                        • ACE: A;;CCLCSWRPLOCRRC;;;


                                          • AceType: A ACCESS_ALLOWED_ACE_TYPE

                                          • AceFlags: (none)

                                          • AccessMask: CC LC SW RP LO CR RC



                                            • CC: CREATE_CHILD


                                            • LC: LIST_CHILDREN


                                            • SW: SELF_WRITE


                                            • RP: READ_PROPERTY


                                            • LO: LIST_OBJECT


                                            • CR: CONTROL_ACCESS


                                            • RC: READ_CONTROL



                                          • ObjectGuid: (none)

                                          • InheritObjectGuid: (none)




                                        The leading A means Allowed, and the permissions are two-letter codes:





                                        • D: discretionary access control list



                                          • ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users


                                          • ACE 2: Allow, CC LC SW RP LO CR RC, Local system


                                          • ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators


                                          • ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user


                                          • ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user


                                          • ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer


                                          • ACE 7: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                        And this is where i'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but i've already stopped it, and my PC is still misbehaving.



                                        Spoiler:



                                        sc sdset WinDefend [newSDLString]


                                        Bonus Reading





                                        • How to specify permissions to services in Windows by using SDDL? *(archive.is)


                                        • How to Convert SID to Username and Vice Versa (archive.is)


                                        • The Security Descriptor Definition Language of Love (Part 2) (archive.is)


                                        • 2.5.1.1 Syntax (archive.is)







                                        share|improve this answer














                                        share|improve this answer



                                        share|improve this answer








                                        edited Feb 11 at 14:53

























                                        answered Feb 3 at 17:18









                                        Ian BoydIan Boyd

                                        13.1k38109161




                                        13.1k38109161























                                            -1














                                            I managed to disable it using Autoruns; under the services tab there is an entry WinDefend, untick the box and reboot.






                                            share|improve this answer




























                                              -1














                                              I managed to disable it using Autoruns; under the services tab there is an entry WinDefend, untick the box and reboot.






                                              share|improve this answer


























                                                -1












                                                -1








                                                -1







                                                I managed to disable it using Autoruns; under the services tab there is an entry WinDefend, untick the box and reboot.






                                                share|improve this answer













                                                I managed to disable it using Autoruns; under the services tab there is an entry WinDefend, untick the box and reboot.







                                                share|improve this answer












                                                share|improve this answer



                                                share|improve this answer










                                                answered Aug 9 '15 at 21:50









                                                FreddyFlaresFreddyFlares

                                                1012




                                                1012






























                                                    draft saved

                                                    draft discarded




















































                                                    Thanks for contributing an answer to Super User!


                                                    • Please be sure to answer the question. Provide details and share your research!

                                                    But avoid



                                                    • Asking for help, clarification, or responding to other answers.

                                                    • Making statements based on opinion; back them up with references or personal experience.


                                                    To learn more, see our tips on writing great answers.




                                                    draft saved


                                                    draft discarded














                                                    StackExchange.ready(
                                                    function () {
                                                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f947873%2fdisable-windows-defender-in-windows-10%23new-answer', 'question_page');
                                                    }
                                                    );

                                                    Post as a guest















                                                    Required, but never shown





















































                                                    Required, but never shown














                                                    Required, but never shown












                                                    Required, but never shown







                                                    Required, but never shown

































                                                    Required, but never shown














                                                    Required, but never shown












                                                    Required, but never shown







                                                    Required, but never shown







                                                    Popular posts from this blog

                                                    Сан-Квентин

                                                    8-я гвардейская общевойсковая армия

                                                    Алькесар