Disable Windows Defender in Windows 10
I can't find any information on how to disable Windows Defender in Windows 10. There is some information about how to do it in the previews, but the configuration pages have changed with the final release.



Specifically, I want to stop and disable the Windows Defender Service.




  • Using net stop windefend from an elevated command prompt gives "access denied"

  • Stop and startup type are greyed out in services.msc, even when logged on as administrator

  • There doesn't seem to be a GUI way to disable UAC in Windows 10


Has anyone figured out how to disable Defender in Windows 10?










  • Simplest method. Just install a paid/free security suite and it will automatically disable itself. Outside of that just go to `Update and Security` and disable the Real-Time protection. You cannot disable UAC in Windows 8 and above to the same degree as you could in Windows 7. Of course I am not sure what the UAC has to do with Windows Defender.

    – Ramhound
    Jul 30 '15 at 20:58













  • I mentioned UAC because it seemed possible that UAC was preventing me from disabling Defender. I haven't deployed the latest Kaspersky that supports Windows 10 yet, and frankly I'm not so confident that Kaspersky will install well with Defender running. Plus I want to be able to disable it on principle in case I need or want to for other reasons.

    – Todd Wilcox
    Jul 30 '15 at 21:02











  • I opened Update & Security and I am able to disable Windows Defender. Personally I was able to disable the service though after I do that.

    – Ramhound
    Jul 30 '15 at 21:08











  • Windows Defender is designed to be easily replaceable, just install another AV and it should automatically turn off.

    – gronostaj
    Jul 30 '15 at 21:15






  • @gronostaj If my question were how to replace Windows Defender with another A/V solution, I would suggest you post your comment as an answer and I'd accept it, except your comment is the same as Ramhound's, so I'd really suggest he do it. But that's not what I'm trying to do.

    – Todd Wilcox
    Jul 30 '15 at 21:26
















windows windows-10






asked Jul 30 '15 at 20:52









Todd Wilcox

11 Answers
You are able to do this using a Group Policy.



  1. Open gpedit.msc.

  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender.

  3. Turn off Windows Defender = Enabled.



If you then try to open Windows Defender you'll see this:

[screenshot]

And even though in Settings it may appear to be on, the Service is not running:

[screenshot]



more info:



http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html



and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350






  • I can't believe I didn't find this on my own. Thanks!

    – Todd Wilcox
    Sep 3 '15 at 14:26






  • Is this also for Windows Home? I can't find gpedit.msc

    – Stijn de Witt
    Jan 4 '16 at 10:14






  • No, it does not work for home users. Pro/Enterprise/Education only

    – sloosecannon
    Dec 6 '16 at 22:00






  • Tried this... however service is still running in task manager.

    – Brig
    Mar 25 '17 at 19:00



















I found another way using the registry.



Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:




  1. Browse the registry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

  2. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.

  3. Change the Start value for each service to 0x4 (hex 4, decimal 4).

  4. Reboot.






  • I am logged in as administrator and I still get the error "Error writing start. Error writing the value's new contents."

    – Mark
    Aug 27 '15 at 8:44






  • Me too with the same error "Error writing start. Error writing the value's new contents." Any work around for us @Todd Wilcox?

    – Nam G VU
    Oct 21 '15 at 2:33






  • Have you tried right-clicking on regedit and running as administrator?

    – Todd Wilcox
    Oct 21 '15 at 3:48






  • Unfortunately on Win10 Home Single Language, I get the same error even if I started regedit as admin. Any other workaround? I'm really starting to despise Windows 10 now.

    – gideon
    Jan 2 '18 at 13:18











  • If getting Error writing (...), close regedit and reopen.

    – Marc.2377
    Jan 12 at 0:06



















Short version




  1. Download

  2. Extract

  3. Double-click DisableDefender.reg


Explanation



By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.



Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001


If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.



You can download the files to disable and re-enable defender from Gist.
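The three answers above (Group Policy, the Start values of the Defender services in the registry, and the DisableDefender.reg policy file) all end up as a handful of registry values. The script below is an added example, not code from any answer on this page or from Microsoft: it reads exactly those locations from an elevated PowerShell prompt on Windows 10 and lists every value that currently puts Defender into a disabled state, which is the check an administrator wants when verifying a machine has not been tampered with. The key paths and value names are the ones the answers use (plus the Real-Time Protection policy counterpart of the value the batch-file answer on this page writes); the function names are my own.

```powershell
# Added example (not code from any answer on this page): audit the registry
# locations that the Group Policy answer, the services-registry answer and the
# DisableDefender.reg answer change, and list every value that puts Defender
# into a disabled state. Run from an elevated PowerShell prompt on Windows 10.
# Key paths and value names come from those answers; function names are mine.

$defenderServices = 'WinDefend', 'WdBoot', 'WdFilter', 'WdNisDrv', 'WdNisSvc'

# Values that read 1 when Defender has been turned off. The Policies key is what
# gpedit / DisableDefender.reg write; the non-policy key under SOFTWARE\Microsoft
# is what the batch-file answer on this page writes. The Real-Time Protection
# policy entry is the policy counterpart of that answer's DisableRealtimeMonitoring.
$disableValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableRoutinelyTakingAction' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                               Name = 'DisableAntiSpyware' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection';          Name = 'DisableRealtimeMonitoring' }
)

# Returns the DWORD value as an int, or $null when the key or value is absent.
function Get-RegistryDword {
    param([string] $Path, [string] $Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.$Name
}

function Get-DefenderRegistryFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($svc in $defenderServices) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $start = Get-RegistryDword -Path $key -Name 'Start'
        if ($null -eq $start) { $findings.Add("${svc}: service key or Start value missing"); continue }
        # 4 = SERVICE_DISABLED, the value the registry answers set.
        if ($start -eq 4)     { $findings.Add("${svc}: Start=4 (disabled)") }
    }

    foreach ($v in $disableValues) {
        $data = Get-RegistryDword -Path $v.Path -Name $v.Name
        if ($data -eq 1) { $findings.Add("$($v.Path)\$($v.Name) = 1") }
    }

    return $findings
}

$findings = Get-DefenderRegistryFindings
if ($findings.Count -eq 0) {
    'No Defender-disabling registry settings found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A clean Windows 10 Pro machine prints the "No Defender-disabling registry settings found" line; after DisableDefender.reg has been imported it lists the two Policies values, and after the registry-services answer it lists `Start=4` for each service. The script only reports, it changes nothing, so it is safe to run as a scheduled compliance check.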






  • You win the Internet today, sir.

    – ivan_bilan
    Oct 24 '16 at 12:11











  • I re-enabled WD by editing the registry value to 00000000; the result is "WD Real-time protection is off because you are using another AV." In fact I do not have any antivirus installed. How to fix this? Thanks

    – Santosa Sandy
    Nov 17 '16 at 10:22











  • @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.

    – Zenexer
    Nov 17 '16 at 15:41











  • Thanks Mr. PB. In an emergency and lack of error investigating clue, I just update the windows and run registry cleaner (e.g. CCleaner). The Windows Defender is active again. Thanks

    – Santosa Sandy
    Nov 21 '16 at 4:41





















To disable Windows Defender completely (not just the Real-Time protection) you can:




  1. Install another security suite (as Ramhound mentioned).

  2. If you're willing to use a third party application, you could use NoDefender: http://msft.gq/pub/apps/NoDefender.zip


More information about NoDefender can be found here: http://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/






  • I suspect NoDefender might just be an automated way to edit the registry, which I have done manually.

    – Todd Wilcox
    Jul 30 '15 at 21:29











  • @ToddWilcox, Your method is better than mine then! One less third party application to worry about.

    – user5071535
    Jul 30 '15 at 21:49






  • I still see antimalware service running, which runs windows defender. I have avg free edition installed

    – shorif2000
    Aug 15 '15 at 19:25






  • Exactly, @Sharif I'd like to see any confirmations that the antimalware service is also disabled.

    – Mark
    Aug 27 '15 at 8:39



















I have written the batch file and registry files that should completely disable Windows Defender in Windows 10.




  1. Save the following files into the same folder.

  2. Run Disable Windows Defender.bat as administrator.

  3. After the batch file is done, restart.

  4. Run Disable Windows Defender.bat again as administrator.

  5. Windows Defender should be completely disabled now.


Disable Windows Defender.bat



@echo off

call :main %*
goto :eof

:main
setlocal EnableDelayedExpansion

rem Check if Windows Defender is running.
tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
if %errorLevel% equ 0 (
    rem Windows Defender is running.
    echo Windows Defender is running.

    rem Performable operations while Windows Defender is running.
    rem Disable Windows Defender drivers.
    echo Disabling Windows Defender drivers...
    set "drivers="%SystemRoot%\System32\drivers\WdBoot.sys";"%SystemRoot%\System32\drivers\WdFilter.sys";"%SystemRoot%\System32\drivers\WdNisDrv.sys""
    set "drivers=!drivers:""="!"

    set "wasDriverDisabled=false"
    for %%d in (!drivers!) do (
        if exist "%%~d" (
            echo Disabling Windows Defender driver "%%~d"...
            call :disableFile "%%~d"
            set "wasDriverDisabled=true"
        )
    )

    rem Disable Windows Defender objects.
    echo Disabling Windows Defender objects...
    call :importRegistry "Disable Windows Defender objects.reg"

    rem Require restart to unload Windows Defender drivers and objects.
    echo.
    echo Restart required.
) else (
    rem Windows Defender is not running.
    echo Windows Defender is not running.

    rem Performable operations while Windows Defender is not running.
    rem Disable Windows Defender features.
    echo Disabling Windows Defender features...
    call :importRegistry "Disable Windows Defender features.reg"
    rem Disable Windows Defender services.
    echo Disabling Windows Defender services...
    call :importRegistry "Disable Windows Defender services.reg"

    rem Disable Windows Defender files.
    echo Disabling Windows Defender files...
    ren "%ProgramFiles%\Windows Defender" "Windows Defender.bak"
    ren "%ProgramFiles(x86)%\Windows Defender" "Windows Defender.bak"
    ren "%ProgramData%\Microsoft\Windows Defender" "Windows Defender.bak"
)

endlocal
goto :eof

rem Take ownership of a file and grant the given user full control.
:ownFile
setlocal
set "filePath=%~1"
set "user=%~2"
takeown /f "%filePath%" /a
icacls "%filePath%" /grant "%user%:F"
endlocal
goto :eof

rem Rename a file to .bak after taking ownership of it.
:disableFile
setlocal
set "filePath=%~1"
call :ownFile "%filePath%" "Administrators"
ren "%filePath%" "%~nx1.bak"
endlocal
goto :eof

rem Take ownership of every key named in a .reg file, then import it silently.
:importRegistry
setlocal
set "filePath=%~1"
call OwnRegistryKeys.bat "%filePath%"
@echo off
regedit /s "%filePath%"
endlocal
goto :eof


Disable Windows Defender objects.reg



Windows Registry Editor Version 5.00

; Disable "Scan with Windows Defender..." right click context menu.
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

; Disable "DefenderCSP.dll".
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

; Disable InfectionState WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

; Disable Status WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

; Disable Microsoft Windows Defender ("MsMpCom.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]

; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

; Disable MP UX Host ("MpUxSrv.exe").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]


Disable Windows Defender features.reg



Windows Registry Editor Version 5.00

; Disable Windows Defender features.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\UX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\UX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001


Disable Windows Defender services.reg



Windows Registry Editor Version 5.00

; Disable "Windows Defender" services.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004


OwnRegistryKeys.bat



@echo off

rem Get the location of the PowerShell file.
for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
    rem Run command for each argument.
    for %%a in (%*) do (
        powershell -executionPolicy bypass -file "%%~f" "%%~a"
    )
)


OwnRegistryKeys.ps1



# Map of registry hive names to their .NET RegistryKey objects.
$script:baseKey = @{
    "HKEY_CLASSES_ROOT" = @{
        "name" = "HKEY_CLASSES_ROOT";
        "shortName" = "HKCR";
        "key" = [Microsoft.Win32.Registry]::ClassesRoot
    };
    "HKEY_CURRENT_CONFIG" = @{
        "name" = "HKEY_CURRENT_CONFIG";
        "shortName" = "HKCC";
        "key" = [Microsoft.Win32.Registry]::CurrentConfig
    };
    "HKEY_CURRENT_USER" = @{
        "name" = "HKEY_CURRENT_USER";
        "shortName" = "HKCU";
        "key" = [Microsoft.Win32.Registry]::CurrentUser
    };
    "HKEY_DYN_DATA" = @{
        "name" = "HKEY_DYN_DATA";
        "shortName" = "HKDD";
        "key" = [Microsoft.Win32.Registry]::DynData
    };
    "HKEY_LOCAL_MACHINE" = @{
        "name" = "HKEY_LOCAL_MACHINE";
        "shortName" = "HKLM";
        "key" = [Microsoft.Win32.Registry]::LocalMachine
    };
    "HKEY_PERFORMANCE_DATA" = @{
        "name" = "HKEY_PERFORMANCE_DATA";
        "shortName" = "HKPD";
        "key" = [Microsoft.Win32.Registry]::PerformanceData
    };
    "HKEY_USERS" = @{
        "name" = "HKEY_USERS";
        "shortName" = "HKU";
        "key" = [Microsoft.Win32.Registry]::Users
    }
}

# Enable (or disable) a named privilege on the current process token.
function enablePrivilege {
    param(
        # The privilege to adjust. This set is taken from:
        # http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
        [validateSet(
            "SeAssignPrimaryTokenPrivilege",
            "SeAuditPrivilege",
            "SeBackupPrivilege",
            "SeChangeNotifyPrivilege",
            "SeCreateGlobalPrivilege",
            "SeCreatePagefilePrivilege",
            "SeCreatePermanentPrivilege",
            "SeCreateSymbolicLinkPrivilege",
            "SeCreateTokenPrivilege",
            "SeDebugPrivilege",
            "SeEnableDelegationPrivilege",
            "SeImpersonatePrivilege",
            "SeIncreaseBasePriorityPrivilege",
            "SeIncreaseQuotaPrivilege",
            "SeIncreaseWorkingSetPrivilege",
            "SeLoadDriverPrivilege",
            "SeLockMemoryPrivilege",
            "SeMachineAccountPrivilege",
            "SeManageVolumePrivilege",
            "SeProfileSingleProcessPrivilege",
            "SeRelabelPrivilege",
            "SeRemoteShutdownPrivilege",
            "SeRestorePrivilege",
            "SeSecurityPrivilege",
            "SeShutdownPrivilege",
            "SeSyncAgentPrivilege",
            "SeSystemEnvironmentPrivilege",
            "SeSystemProfilePrivilege",
            "SeSystemtimePrivilege",
            "SeTakeOwnershipPrivilege",
            "SeTcbPrivilege",
            "SeTimeZonePrivilege",
            "SeTrustedCredManAccessPrivilege",
            "SeUndockPrivilege",
            "SeUnsolicitedInputPrivilege"
        )]
        $privilege,

        # The process on which to adjust the privilege. Defaults to the current process.
        $processId = $pid,

        # Switch to disable the privilege, rather than enable it.
        [switch] $disable
    )

    # Taken from P/Invoke.NET with minor adjustments.
    $definition = @'
using System;
using System.Runtime.InteropServices;

public class AdjustPrivilege {
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid {
        public int Count;
        public long Luid;
        public int Attr;
    }

    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

    public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
        bool result;
        TokPriv1Luid tp;
        IntPtr hproc = new IntPtr(processHandle);
        IntPtr htok = IntPtr.Zero;
        result = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
        tp.Count = 1;
        tp.Luid = 0;
        if (disable) {
            tp.Attr = SE_PRIVILEGE_DISABLED;
        } else {
            tp.Attr = SE_PRIVILEGE_ENABLED;
        }
        result = LookupPrivilegeValue(null, privilege, ref tp.Luid);
        result = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return result;
    }
}
'@

    $processHandle = (get-process -id $processId).handle
    $type = add-type $definition -passThru
    $type[0]::EnablePrivilege($processHandle, $privilege, $disable)
}

# Collect every "[key]" or "[-key]" header from the given .reg files.
# The optional leading "-" (a deletion entry) is left out of the captured name.
function getKeyNames {
    param(
        [parameter(mandatory = $true)]
        [string[]] $filePaths = $null
    )

    return (get-content $filePaths | select-string -pattern "\[-?(.*)\]" -allMatches | forEach-object { $_.matches.groups[1].value } | get-unique)
}

# Split "HIVE\sub\key" into the hive's RegistryKey and the subkey path.
function splitKeyName {
    param(
        [parameter(mandatory = $true)]
        [string] $keyName = $null
    )

    $names = $keyName.split("\/", 2)

    $rootKeyName = $names[0]
    $subKeyName = $names[1]

    $keyPart = @{
        root = $baseKey[$rootKeyName];
        subKey = @{
            name = $subKeyName
        }
    }

    return $keyPart
}

# Take ownership of one key, grant Administrators full control, then recurse into its subkeys.
function ownRegistryKey {
    param(
        [parameter(mandatory = $true)]
        [string] $keyName = $null
    )

    write-host """$keyName"""

    # Check if the key exists.
    if ($(try { test-path -path "Registry::$keyName".trim() } catch { $false })) {
        write-host " Opening..."

        $keyPart = splitKeyName -keyName $keyName
        $ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
        if ($ownableKey -ne $null) {
            # Set the owner.
            write-host " Setting owner..."
            $acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
            $owner = [System.Security.Principal.NTAccount] "Administrators"
            $acl.setOwner($owner)
            $ownableKey.setAccessControl($acl)

            # Set the permissions.
            write-host " Setting permissions..."
            $acl = $ownableKey.getAccessControl()
            $person = [System.Security.Principal.NTAccount] "Administrators"
            $access = [System.Security.AccessControl.RegistryRights] "FullControl"
            $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
            $propagation = [System.Security.AccessControl.PropagationFlags] "None"
            $type = [System.Security.AccessControl.AccessControlType] "Allow"

            $rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
            $acl.setAccessRule($rule)
            $ownableKey.setAccessControl($acl)

            $ownableKey.close()

            write-host " Done."

            # Own children subkeys.
            $readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
            if ($readableKey -ne $null) {
                $subKeyNames = ($readableKey.getSubKeyNames() | forEach-object { "$keyName\$_" })
                $readableKey.close()
                if ($subKeyNames -ne $null) {
                    ownRegistryKeys -keyNames $subKeyNames
                }
            } else {
                write-host " Unable to open children subkeys."
            }
        } else {
            write-host " Unable to open subkey."
        }
    } else {
        write-host " Key does not exist."
    }

    write-host
}

function ownRegistryKeys {
    param(
        [parameter(mandatory = $true)]
        [string[]] $keyNames = $null
    )

    $keyName = $null
    foreach ($keyName in $keyNames) {
        # Own parent key and children subkeys.
        ownRegistryKey -keyName $keyName
    }
}

# SeTakeOwnershipPrivilege is needed to take ownership of keys we have no rights on.
function requestPrivileges {
    $numberOfRetries = 10

    $privilegeResult = $false
    for ($r = 0; (!$privilegeResult) -and ($r -lt $numberOfRetries); $r += 1) {
        $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
    }

    if (!$privilegeResult) {
        write-host "Unable to receive privilege."
        exit 1
    }
}

function main {
    param(
        [parameter(mandatory = $true)]
        [string[]] $filePaths = $null
    )

    requestPrivileges

    $keyNames = getKeyNames -filePaths $filePaths
    ownRegistryKeys -keyNames $keyNames
}

main $args

  • Thanks! BTW: This requires the English version of Windows to work correctly.

    – Abdelhafid Madoui
    Sep 13 '18 at 19:04

The easy PowerShell method is here, from an answer I posted on a question that was later marked as a duplicate of this one.

The easiest way to do this would be to use PowerShell to disable it; the command you probably want is this:

Set-MpPreference -DisableRealtimeMonitoring $true
Get-Service WinDefend | stop-service

For an article on using PowerShell to disable/enable Windows Defender, check here: http://wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows-10-using-powershell

Here is the TechNet article for a more detailed look at the available Defender cmdlets: https://technet.microsoft.com/en-us/library/dn433280.aspx

  • I don't believe this would stop and disable the service itself. It just disables the real-time capabilities of Windows Defender, which can simply be done through Settings; no need for a PowerShell applet.

    – Ramhound
    Jan 14 '16 at 19:48

  • @Ramhound edited for service mgmt with PowerShell. I'm not 100% sure it will stop the service without the same issue as net stop, but I have had more luck with PowerShell and don't believe Get/Stop-Service alias to net stop.

    – Abraxas
    Jan 14 '16 at 19:57

I found that the following procedure works well; it doesn't remove or disable Windows Defender, but it disables the Windows Defender SERVICE, stops all start-up and real-time scanning, and prevents Windows Defender Real-Time Scan from turning itself back on. (It leaves Windows Defender in place, so you can use it to perform on-demand scanning of suspicious files.)



PROCEDURE:




  1. Find, download, install "SysInternals" program suite.

  2. Run program "AutoRuns".

  3. Find "Windows Defender Service".

  4. Uncheck the box.

  5. Restart your computer.


After doing that, my startup time decreased from 20min to 5min, and memory usage after startup (before launching any apps) decreased from 2.1GB to 1.2GB. And when I looked in "Services", I found that "Windows Defender Service", while still there, is now marked "NOT running, Disabled".

    The easiest way I've found is to open an administrator command prompt and run:



    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1


    Then reboot. I have not been able to find a way to shut down the service once it is started without a reboot.

      It is not so easy to reliably and totally disable Windows Defender. There is a PowerShell script that uninstalls Windows Defender, but you may not be able to install it back later. This script requires two reboots.

      Just download Debloat-Windows-10 and follow these steps, provided by the author:

      1. Unpack the archive;

      2. Enable execution of PowerShell scripts:

        PS> Set-ExecutionPolicy Unrestricted

      3. Unblock PowerShell scripts and modules within this directory:

        PS > ls -Recurse *.ps1 | Unblock-File
        PS > ls -Recurse *.psm1 | Unblock-File

      4. Run scripts\disable-windows-defender.ps1

      5. Reboot the computer (either the usual way or via PS > Restart-Computer)

      6. Run scripts\disable-windows-defender.ps1 one more time.

      7. Reboot the computer again.

      This is not the easiest way, but it is very reliable and resilient.

      There are also scripts to remove unnecessary programs like BingFinance, Skype, OneDrive, etc., if you don't need them.

      The archive also contains a lot of scripts that you may find useful.

      Please be aware that these scripts irreversibly delete files and can delete vital functions of Windows. For example, they may totally disable the Start menu!

      Don't run disable-ShellExperienceHost.bat from this package, otherwise the Start Menu will stop opening.

        It would be helpful to understand why you cannot stop a particular service.




        • I'm the administrator; worse than failure can't the Administrator administrate?!


        It's because of the security permissions on the WinDefend service.



        Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"



        Viewing Permissions



        If you run from a command line:



        >sc sdshow WinDefend


        where





        • sdshow means "Displays a service's security descriptor."


        You'll get the security descriptor:



        C:\Users\Ian>sc sdshow WinDefend

        D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


        This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:



        D:
        (A;;CCLCSWRPLOCRRC;;;BU)
        (A;;CCLCSWRPLOCRRC;;;SY)
        (A;;CCLCSWRPLOCRRC;;;BA)
        (A;;CCLCSWRPLOCRRC;;;IU)
        (A;;CCLCSWRPLOCRRC;;;SU)
        (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
        (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


        The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):





        • D: discretionary access control list


          • ACE1: A;;CCLCSWRPLOCRRC;;;BU

          • ACE2: A;;CCLCSWRPLOCRRC;;;SY

          • ACE3: A;;CCLCSWRPLOCRRC;;;BA

          • ACE4: A;;CCLCSWRPLOCRRC;;;IU

          • ACE5: A;;CCLCSWRPLOCRRC;;;SU

          • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

          • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




        Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.



        Looking first at who they apply to, a random blog article decodes some of them (archive.is):





        • BU: Built-in users


        • SY: Local System


        • BA: Built-in administrators


        • IU: Interactively logged-on user


        • SU: Service logon user


        • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer


        • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736:


        You can get the name associated with an SID by running:



        >wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name


        Each ACE contains a list of permissions that the user is being allowed or denied.





        • D: discretionary access control list



          • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users


          • ACE 2: A;;CCLCSWRPLOCRRC;;; Local system


          • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators


          • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user


          • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user


          • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer


          • ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




        Breaking down the remaining semicolon separated sections in an ACE:




        • ACE: A;;CCLCSWRPLOCRRC;;;


          • AceType: A ACCESS_ALLOWED_ACE_TYPE

          • AceFlags: (none)

          • AccessMask: CC LC SW RP LO CR RC



            • CC: CREATE_CHILD


            • LC: LIST_CHILDREN


            • SW: SELF_WRITE


            • RP: READ_PROPERTY


            • LO: LIST_OBJECT


            • CR: CONTROL_ACCESS


            • RC: READ_CONTROL



          • ObjectGuid: (none)

          • InheritObjectGuid: (none)




        The leading A means Allowed, and the permissions are two-letter codes:





        • D: discretionary access control list



          • ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users


          • ACE 2: Allow, CC LC SW RP LO CR RC, Local system


          • ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators


          • ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user


          • ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user


          • ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer


          • ACE 7: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




        And this is where I'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all, but I've already stopped it, and my PC is still misbehaving.



        Spoiler:



        sc sdset WinDefend [newSDLString]


        Bonus Reading





        • How to specify permissions to services in Windows by using SDDL? (archive.is)


        • How to Convert SID to Username and Vice Versa (archive.is)


        • The Security Descriptor Definition Language of Love (Part 2) (archive.is)


        • 2.5.1.1 Syntax (archive.is)
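
As an added example (not code from the answer above, nor Microsoft's), the following Python decodes the captured `sc sdshow` output the way the answer does by hand, with the caveat a practitioner wants: the two-letter codes are generic SDDL, and on a service object the Service Control Manager reads them as service rights (Microsoft KB 914392: RP is SERVICE_START, WP is SERVICE_STOP, DC is SERVICE_CHANGE_CONFIG), so an ACE of CCLCSWRPLOCRRC lets Administrators query and start the service but neither stop nor reconfigure it. It goes beyond the captured descriptor by also handling Deny ACEs and raw hex access masks, and it recognises S-1-5-80 virtual-account SIDs by recomputing them from an assumed candidate list of service names (`CANDIDATE_SERVICES`) rather than querying wmic.

```python
"""Decode a Windows service security descriptor (SDDL) like the one `sc sdshow WinDefend` prints."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Tuple

# Two-letter SDDL rights as the Service Control Manager reads them on a service object
# (Microsoft KB 914392); the generic directory-object names share the letters, not the meaning.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

# Well-known SID abbreviations seen in the captured descriptor.
SID_ALIASES = {
    "BU": "Built-in users",
    "SY": "Local System",
    "BA": "Built-in administrators",
    "IU": "Interactive users",
    "SU": "Service logon users",
}

# Assumed candidate list: services whose NT SERVICE\ virtual-account SIDs (S-1-5-80-...)
# are recognised by recomputing them, instead of asking wmic.
CANDIDATE_SERVICES = ("TrustedInstaller", "WinDefend")


def service_sid(service_name: str) -> str:
    """S-1-5-80- followed by the five little-endian DWORDs of SHA-1(UTF-16LE(UPPER(name)))."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauthorities = (int.from_bytes(digest[i:i + 4], "little") for i in range(0, 20, 4))
    return "S-1-5-80-" + "-".join(str(n) for n in subauthorities)


@dataclass(frozen=True)
class Ace:
    ace_type: str            # "A" = access allowed, "D" = access denied, ...
    flags: str               # ACE flags (inheritance/audit); empty on service objects
    rights: Tuple[str, ...]  # two-letter codes, or a single raw "0x..." access mask
    trustee: str             # alias such as "BA", or a full SID string

    @property
    def principal(self) -> str:
        # Unresolved SIDs are reported verbatim rather than guessed.
        service_names = {service_sid(n): "NT SERVICE\\" + n for n in CANDIDATE_SERVICES}
        return SID_ALIASES.get(self.trustee) or service_names.get(self.trustee, self.trustee)


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs of the D: (discretionary ACL) section, in order."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL (D:) section found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {body!r}")
        ace_type, flags, rights, _object_guid, _inherit_guid, trustee = fields
        codes = (rights,) if rights.startswith("0x") else tuple(re.findall(r"[A-Z]{2}", rights))
        aces.append(Ace(ace_type, flags, codes, trustee))
    return aces


def who_can(sddl: str, right: str) -> List[str]:
    """Principals explicitly allowed `right` (e.g. "WP" = stop) and not explicitly denied it."""
    allowed, denied = set(), set()
    for ace in parse_dacl(sddl):
        if right in ace.rights and ace.ace_type in ("A", "D"):
            (allowed if ace.ace_type == "A" else denied).add(ace.principal)
    return sorted(allowed - denied)


def explain(sddl: str) -> List[str]:
    """One readable line per ACE: verb, principal, and the service rights it carries."""
    lines = []
    for ace in parse_dacl(sddl):
        verb = {"A": "Allow", "D": "Deny"}.get(ace.ace_type, ace.ace_type)
        names = ", ".join(SERVICE_RIGHTS.get(code, code) for code in ace.rights)
        lines.append(f"{verb:5} {ace.principal}: {names}")
    return lines


# The descriptor captured in the answer above, embedded here as a literal.
WINDEFEND_SDDL = (
    "D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)"
    "(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)"
)
```

`who_can(WINDEFEND_SDDL, "WP")` returns only the two S-1-5-80 principals while `who_can(WINDEFEND_SDDL, "RP")` includes Built-in administrators, which is the "access denied" from `net stop` in the question explained in two calls.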

          I managed to disable it using Autoruns; under the services tab there is an entry WinDefend, untick the box and reboot.

11 Answers

            You are able to do this using a Group Policy.



            open gpedit.msc



            navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender



            Turn off Windows Defender = Enabled



            If you then try to open Windows Defender you'll see this:
            [screenshot]

            And even though in Settings it may appear to be on, the Service is not running:
            [screenshot]



            more info:



            http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html



            and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350

            • I can't believe I didn't find this on my own. Thanks!

              – Todd Wilcox
              Sep 3 '15 at 14:26






            • 1





              Is this also for Windows Home? I can't find gpedit.msc

              – Stijn de Witt
              Jan 4 '16 at 10:14






            • 1





              No, it does not work for home users. Pro/Enterprise/Education only

              – sloosecannon
              Dec 6 '16 at 22:00






            • 1





              Tried this... however service is still running in task manager.

              – Brig
              Mar 25 '17 at 19:00

            edited Sep 3 '15 at 13:40

            answered Sep 3 '15 at 13:28

            Aaron Hoffman

            I found another way using the registry.



            Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:




            1. Browse the registry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

            2. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.

            3. Change the Start value for each service to 0x4 (hex 4, decimal 4).

            4. Reboot.

            • 2





              I am logged in as administrator and I still get the error "Error writing start. Error writing the value's new contents."

              – Mark
              Aug 27 '15 at 8:44






            • 1





              Me too with the same error "Error writing start. Error writing the value's new contents." Any workaround for us @Todd Wilcox?

              – Nam G VU
              Oct 21 '15 at 2:33






            • 1





              Have you tried right-clicking on regedit and running as administrator?

              – Todd Wilcox
              Oct 21 '15 at 3:48






            • 1





              Unfortunately on Win10 Home Single Language, I get the same error even if I start regedit as admin; any other workaround? I'm really starting to despise Windows 10 now.

              – gideon
              Jan 2 '18 at 13:18











            • If getting Error writing (...), close regedit and reopen.

              – Marc.2377
              Jan 12 at 0:06

            edited Jul 30 '15 at 22:10

            answered Jul 30 '15 at 21:23

            Todd Wilcox

            Short version




            1. Download

            2. Extract

            3. Double-click DisableDefender.reg


            Explanation



            By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.



            Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.



            Windows Registry Editor Version 5.00

            [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001


            If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.



            You can download the files to disable and re-enable defender from Gist.

            • 1





              You win the Internet today, sir.

              – ivan_bilan
              Oct 24 '16 at 12:11











            • I re-enabled WD by setting the value to 00000000 in regedit; the result is that WD says Real-time protection is off because you are using another AV. In fact I do not have any antivirus installed. How to fix this? Thanks

              – Santosa Sandy
              Nov 17 '16 at 10:22











            • @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.

              – Zenexer
              Nov 17 '16 at 15:41











            • Thanks Mr. PB. In an emergency and lack of error investigating clue, I just update the windows and run registry cleaner (e.g. CCleaner). The Windows Defender is active again. Thanks

              – Santosa Sandy
              Nov 21 '16 at 4:41


















            9














            Short version




            1. Download

            2. Extract

            3. Double-click DisableDefender.reg


            Explanation



            By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.



            Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.



            Windows Registry Editor Version 5.00

            [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001


            If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.



            You can download the files to disable and re-enable defender from Gist.






            share|improve this answer



















            • 1





              You win the Internet today, sir.

              – ivan_bilan
              Oct 24 '16 at 12:11











            • I had re-enable WD by the regedit the value to 00000000, results WD Real-time protection is off because you are using another AV. In fact I do not have any antivirus installed. How to fix this? Thanks

              – Santosa Sandy
              Nov 17 '16 at 10:22











            • @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.

              – Zenexer
              Nov 17 '16 at 15:41











            • Thanks Mr. PB. In an emergency and lack of error investigating clue, I just update the windows and run registry cleaner (e.g. CCleaner). The Windows Defender is active again. Thanks

              – Santosa Sandy
              Nov 21 '16 at 4:41
















            9












            9








            9







            Short version




            1. Download

            2. Extract

            3. Double-click DisableDefender.reg


            Explanation



            By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.



            Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.



            Windows Registry Editor Version 5.00

            [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001


            If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.



            You can download the files to disable and re-enable defender from Gist.






            share|improve this answer













            Short version




            1. Download

            2. Extract

            3. Double-click DisableDefender.reg


            Explanation



            By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.



            Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.



            Windows Registry Editor Version 5.00

            [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001


            If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.



            You can download the files to disable and re-enable defender from Gist.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Dec 1 '15 at 7:27

            Zenexer








            • 1

              You win the Internet today, sir.

              – ivan_bilan
              Oct 24 '16 at 12:11

            • I re-enabled WD by setting the registry value back to 00000000; the result is "WD Real-time protection is off because you are using another AV." In fact I do not have any antivirus installed. How do I fix this? Thanks

              – Santosa Sandy
              Nov 17 '16 at 10:22

            • @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.

              – Zenexer
              Nov 17 '16 at 15:41

            • Thanks Mr. PB. In an emergency, and lacking any clue for investigating the error, I just updated Windows and ran a registry cleaner (e.g. CCleaner). Windows Defender is active again. Thanks

              – Santosa Sandy
              Nov 21 '16 at 4:41
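            As an added example (not code from any answer on this page), the following PowerShell script audits the state the answers describe rather than changing it: it reads the two policy values from DisableDefender.reg above, the same values plus DisableRealtimeMonitoring under HKLM\SOFTWARE\Microsoft\Windows Defender, and the Start type of the WinDefend, WdNisSvc, WdBoot, WdFilter and WdNisDrv services, then cross-checks against the running MsMpEng.exe process and Get-MpComputerStatus. It is meant for confirming Defender's state, or spotting unexpected tampering, on a machine you administer; the value names and service names are the ones that appear on this page.

```powershell
# Added example: read-only audit of the Windows Defender settings discussed on
# this page. Run from an elevated PowerShell prompt; nothing is modified.

# (path, value name) pairs that switch Defender off when set to 1.
# The Policies key is what gpedit.msc / DisableDefender.reg writes; the
# Software\Microsoft key is what the batch-file answer's features.reg writes.
$disableValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';             Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';             Name = 'DisableRoutinelyTakingAction' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                      Name = 'DisableRoutinelyTakingAction' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)

# Defender services and drivers whose Start value services.reg sets to 4 (Disabled).
$defenderServices = 'WinDefend', 'WdNisSvc', 'WdBoot', 'WdFilter', 'WdNisDrv'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the key or the value does not exist, which is Defender's default state.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-DefenderAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # Registry: policy and feature values that disable Defender.
    foreach ($v in $disableValues) {
        if ((Get-RegDword -Path $v.Path -Name $v.Name) -eq 1) {
            $findings.Add("$($v.Name) = 1 under $($v.Path)")
        }
    }

    # Registry: service start types (4 = Disabled; missing key = removed or renamed).
    foreach ($svc in $defenderServices) {
        $start = Get-RegDword -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name 'Start'
        if ($null -eq $start) {
            $findings.Add("service $svc has no Start value (key missing)")
        } elseif ($start -eq 4) {
            $findings.Add("service $svc Start = 4 (Disabled)")
        }
    }

    # Live state, independent of the registry: the engine process, and the
    # Defender cmdlet where the Defender PowerShell module is installed.
    if (-not (Get-Process -Name 'MsMpEng' -ErrorAction SilentlyContinue)) {
        $findings.Add('MsMpEng.exe is not running')
    }
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus
        if (-not $status.AntivirusEnabled)          { $findings.Add('Get-MpComputerStatus: AntivirusEnabled = False') }
        if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Get-MpComputerStatus: RealTimeProtectionEnabled = False') }
    }
    return $findings
}

# @() keeps a single finding from collapsing to a bare string.
$result = @(Get-DefenderAudit)
if ($result.Count -eq 0) {
    Write-Output 'Windows Defender: no disabling policy, service or process changes detected.'
} else {
    Write-Output 'Windows Defender appears to be disabled or tampered with:'
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

            A clean machine reports nothing; after importing DisableDefender.reg the two policy findings appear, and after the batch-file answer's changes the service and process findings appear as well.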

















            4

            To disable Windows Defender completely (not just the Real-Time protection) you can:

            1. Install another security suite (as Ramhound mentioned).
            2. If you're willing to use a third party application, you could use NoDefender: http://msft.gq/pub/apps/NoDefender.zip

            More information about NoDefender can be found here: http://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/
























            answered Jul 30 '15 at 21:11

            user5071535













            • I suspect NoDefender might just be an automated way to edit the registry, which I have done manually.

              – Todd Wilcox
              Jul 30 '15 at 21:29

            • @ToddWilcox, your method is better than mine then! One less third party application to worry about.

              – user5071535
              Jul 30 '15 at 21:49

            • 1

              I still see the antimalware service running, which runs Windows Defender. I have AVG Free edition installed.

              – shorif2000
              Aug 15 '15 at 19:25

            • 2

              Exactly, @Sharif. I'd like to see any confirmation that the antimalware service is also disabled.

              – Mark
              Aug 27 '15 at 8:39




















            2

            I have written a batch file and registry files that should completely disable Windows Defender in Windows 10.

            1. Save the following files into the same folder.
            2. Run Disable Windows Defender.bat as administrator.
            3. After the batch file is done, restart.
            4. Run Disable Windows Defender.bat again as administrator.
            5. Windows Defender should be completely disabled now.

            Disable Windows Defender.bat



            @echo off

            call :main %*
            goto :eof

            :main
            setlocal EnableDelayedExpansion

            rem Check if Windows Defender is running.
            tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
            if %errorLevel% equ 0 (
            rem Windows Defender is running.
            echo Windows Defender is running.

            rem Performable operations while Windows Defender is running.
            rem Disable Windows Defender drivers.
            echo Disabling Windows Defender drivers...
            set "drivers="%SystemRoot%\System32\drivers\WdBoot.sys";"%SystemRoot%\System32\drivers\WdFilter.sys";"%SystemRoot%\System32\drivers\WdNisDrv.sys""
            set "drivers=!drivers:""="!"

            set "wasDriverDisabled=false"
            for %%d in (!drivers!) do (
            if exist "%%~d" (
            echo Disabling Windows Defender driver "%%~d"...
            call :disableFile "%%~d"
            set "wasDriverDisabled=true"
            )
            )

            rem Disable Windows Defender objects.
            echo Disabling Windows Defender objects...
            call :importRegistry "Disable Windows Defender objects.reg"

            rem Require restart to unload Windows Defender drivers and objects.
            echo.
            echo Restart required.
            ) else (
            rem Windows Defender is not running.
            echo Windows Defender is not running.

            rem Performable operations while Windows Defender is not running.
            rem Disable Windows Defender features.
            echo Disabling Windows Defender features...
            call :importRegistry "Disable Windows Defender features.reg"
            rem Disable Windows Defender services.
            echo Disabling Windows Defender services...
            call :importRegistry "Disable Windows Defender services.reg"

            rem Disable Windows Defender files.
            echo Disabling Windows Defender files...
            ren "%ProgramFiles%\Windows Defender" "Windows Defender.bak"
            ren "%ProgramFiles(x86)%\Windows Defender" "Windows Defender.bak"
            ren "%ProgramData%\Microsoft\Windows Defender" "Windows Defender.bak"
            )

            endlocal
            goto :eof

            :ownFile
            setlocal
            set "filePath=%~1"
            set "user=%~2"
            takeown /f "%filePath%" /a
            icacls "%filePath%" /grant "%user%:F"
            endlocal
            goto :eof

            :disableFile
            setlocal
            set "filePath=%~1"
            call :ownFile "%filePath%" "Administrators"
            ren "%filePath%" "%~nx1.bak"
            endlocal
            goto :eof

            :importRegistry
            setlocal
            set "filePath=%~1"
            call OwnRegistryKeys.bat "%filePath%"
            @echo off
            regedit /s "%filePath%"
            endlocal
            goto :eof


            Disable Windows Defender objects.reg



            Windows Registry Editor Version 5.00

            ; Disable "Scan with Windows Defender..." right click context menu.
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

            ; Disable "DefenderCSP.dll".
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

            ; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

            ; Disable InfectionState WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

            ; Disable Status WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

            ; Disable Microsoft Windows Defender ("MsMpCom.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]

            ; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

            ; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

            ; Disable MP UX Host ("MpUxSrv.exe").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]


            Disable Windows Defender features.reg



            Windows Registry Editor Version 5.00

            ; Disable Windows Defender features.
            [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Scan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\UX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001

            [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Scan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\UX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001


            Disable Windows Defender services.reg



            Windows Registry Editor Version 5.00

            ; Disable "Windows Defender" services.
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisSvc]
            "Start"=dword:00000004


            OwnRegistryKeys.bat



            @echo off

            rem Get the location of the PowerShell file.
            for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
            rem Run command for each argument.
            for %%a in (%*) do (
            powershell -executionPolicy bypass -file "%%~f" "%%~a"
            )
            )


            OwnRegistryKeys.ps1



            $script:baseKey = @{
            "HKEY_CLASSES_ROOT" = @{
            "name" = "HKEY_CLASSES_ROOT";
            "shortName" = "HKCR";
            "key" = [Microsoft.Win32.Registry]::ClassesRoot
            };
            "HKEY_CURRENT_CONFIG" = @{
            "name" = "HKEY_CURRENT_CONFIG";
            "shortName" = "HKCC";
            "key" = [Microsoft.Win32.Registry]::CurrentConfig
            };
            "HKEY_CURRENT_USER" = @{
            "name" = "HKEY_CURRENT_USER";
            "shortName" = "HKCU";
            "key" = [Microsoft.Win32.Registry]::CurrentUser
            };
            "HKEY_DYN_DATA" = @{
            "name" = "HKEY_DYN_DATA";
            "shortName" = "HKDD";
            "key" = [Microsoft.Win32.Registry]::DynData
            };
            "HKEY_LOCAL_MACHINE" = @{
            "name" = "HKEY_LOCAL_MACHINE";
            "shortName" = "HKLM";
            "key" = [Microsoft.Win32.Registry]::LocalMachine
            };
            "HKEY_PERFORMANCE_DATA" = @{
            "name" = "HKEY_PERFORMANCE_DATA";
            "shortName" = "HKPD";
            "key" = [Microsoft.Win32.Registry]::PerformanceData
            };
            "HKEY_USERS" = @{
            "name" = "HKEY_USERS";
            "shortName" = "HKU";
            "key" = [Microsoft.Win32.Registry]::Users
            }
            }

            function enablePrivilege {
            param(
            # The privilege to adjust. This set is taken from:
            # http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
            [validateSet(
            "SeAssignPrimaryTokenPrivilege",
            "SeAuditPrivilege",
            "SeBackupPrivilege",
            "SeChangeNotifyPrivilege",
            "SeCreateGlobalPrivilege",
            "SeCreatePagefilePrivilege",
            "SeCreatePermanentPrivilege",
            "SeCreateSymbolicLinkPrivilege",
            "SeCreateTokenPrivilege",
            "SeDebugPrivilege",
            "SeEnableDelegationPrivilege",
            "SeImpersonatePrivilege",
            "SeIncreaseBasePriorityPrivilege",
            "SeIncreaseQuotaPrivilege",
            "SeIncreaseWorkingSetPrivilege",
            "SeLoadDriverPrivilege",
            "SeLockMemoryPrivilege",
            "SeMachineAccountPrivilege",
            "SeManageVolumePrivilege",
            "SeProfileSingleProcessPrivilege",
            "SeRelabelPrivilege",
            "SeRemoteShutdownPrivilege",
            "SeRestorePrivilege",
            "SeSecurityPrivilege",
            "SeShutdownPrivilege",
            "SeSyncAgentPrivilege",
            "SeSystemEnvironmentPrivilege",
            "SeSystemProfilePrivilege",
            "SeSystemtimePrivilege",
            "SeTakeOwnershipPrivilege",
            "SeTcbPrivilege",
            "SeTimeZonePrivilege",
            "SeTrustedCredManAccessPrivilege",
            "SeUndockPrivilege",
            "SeUnsolicitedInputPrivilege"
            )]
            $privilege,

            # The process on which to adjust the privilege. Defaults to the current process.
            $processId = $pid,

            # Switch to disable the privilege, rather than enable it.
            [switch] $disable
            )

            # Taken from P/Invoke.NET with minor adjustments.
            $definition = @'
            using System;
            using System.Runtime.InteropServices;

            public class AdjustPrivilege {
                [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
                internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

                [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
                internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

                [DllImport("advapi32.dll", SetLastError = true)]
                internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

                // TOKEN_PRIVILEGES holding a single LUID_AND_ATTRIBUTES entry.
                [StructLayout(LayoutKind.Sequential, Pack = 1)]
                internal struct TokPriv1Luid {
                    public int Count;
                    public long Luid;
                    public int Attr;
                }

                internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
                internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
                internal const int TOKEN_QUERY = 0x00000008;
                internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
                internal const int ERROR_NOT_ALL_ASSIGNED = 1300;

                // Enables (or disables) one named privilege in the token of the given process.
                // Returns false if the token cannot be opened, the privilege name is unknown,
                // or the privilege is not present in the token (AdjustTokenPrivileges reports
                // that case as success with ERROR_NOT_ALL_ASSIGNED, so it is checked explicitly).
                public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
                    TokPriv1Luid tp;
                    IntPtr hproc = new IntPtr(processHandle);
                    IntPtr htok = IntPtr.Zero;
                    if (!OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok)) {
                        return false;
                    }
                    tp.Count = 1;
                    tp.Luid = 0;
                    tp.Attr = disable ? SE_PRIVILEGE_DISABLED : SE_PRIVILEGE_ENABLED;
                    if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) {
                        return false;
                    }
                    if (!AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) {
                        return false;
                    }
                    return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
                }
            }
            '@

                # Compile the helper only once per session; requestPrivileges calls this function repeatedly.
                if (-not ('AdjustPrivilege' -as [type])) {
                    add-type -typeDefinition $definition | out-null
                }
                $processHandle = (get-process -id $processId).handle
                [AdjustPrivilege]::EnablePrivilege($processHandle, $privilege, [bool] $disable)
            }

            function getKeyNames {
                param(
                    [parameter(mandatory = $true)]
                    [string[]] $filePaths
                )

                # Collect every "[Key]" or "[-Key]" header from the .reg files. The leading "-"
                # (regedit's delete marker) is left out of the capture group so only the key name is returned.
                return (get-content $filePaths | select-string -pattern "\[-?(.*)\]" -allMatches | forEach-object { $_.matches.groups[1].value } | select-object -unique)
            }

            function splitKeyName {
                param(
                    [parameter(mandatory = $true)]
                    [string] $keyName
                )

                # "HKEY_LOCAL_MACHINE\Software\..." becomes the hive name and the path below it.
                $names = $keyName.split("\/", 2)

                $rootKeyName = $names[0]
                $subKeyName = $names[1]

                $keyPart = @{
                    root = $baseKey[$rootKeyName];
                    subKey = @{
                        name = $subKeyName
                    }
                }

                return $keyPart
            }

            function ownRegistryKey {
                param(
                    [parameter(mandatory = $true)]
                    [string] $keyName
                )

                write-host """$keyName"""

                # Check if the key exists. (In argument position a .trim() call is not evaluated,
                # so the expression is parenthesised.)
                if ($(try { test-path -path ("Registry::" + $keyName.trim()) } catch { $false })) {
                    write-host " Opening..."

                    $keyPart = splitKeyName -keyName $keyName
                    # Open with TakeOwnership only: with SeTakeOwnershipPrivilege enabled this succeeds
                    # even when the key's DACL grants Administrators no access at all.
                    $ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
                    if ($ownableKey -ne $null) {
                        # Set the owner.
                        write-host " Setting owner..."
                        $acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
                        $owner = [System.Security.Principal.NTAccount] "Administrators"
                        $acl.setOwner($owner)
                        $ownableKey.setAccessControl($acl)
                        $ownableKey.close()

                        # Set the permissions. A handle's access rights are fixed when it is opened, so the key
                        # is re-opened now that Administrators own it and are therefore allowed to change its DACL.
                        write-host " Setting permissions..."
                        $writableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, ([System.Security.AccessControl.RegistryRights]::ChangePermissions -bor [System.Security.AccessControl.RegistryRights]::ReadPermissions))
                        if ($writableKey -ne $null) {
                            $acl = $writableKey.getAccessControl()
                            $person = [System.Security.Principal.NTAccount] "Administrators"
                            $access = [System.Security.AccessControl.RegistryRights] "FullControl"
                            $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
                            $propagation = [System.Security.AccessControl.PropagationFlags] "None"
                            $type = [System.Security.AccessControl.AccessControlType] "Allow"

                            $rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
                            $acl.setAccessRule($rule)
                            $writableKey.setAccessControl($acl)
                            $writableKey.close()

                            write-host " Done."
                        } else {
                            write-host " Unable to change permissions."
                        }

                        # Own children subkeys.
                        $readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
                        if ($readableKey -ne $null) {
                            $subKeyNames = @($readableKey.getSubKeyNames() | forEach-object { "$keyName\$_" })
                            $readableKey.close()
                            if ($subKeyNames.count -gt 0) {
                                ownRegistryKeys -keyNames $subKeyNames
                            }
                        } else {
                            write-host " Unable to open children subkeys."
                        }
                    } else {
                        write-host " Unable to open subkey."
                    }
                } else {
                    write-host " Key does not exist."
                }

                write-host
            }

            function ownRegistryKeys {
                param(
                    # Declared as an array: a [string] parameter would join several key names into one string.
                    [parameter(mandatory = $true)]
                    [string[]] $keyNames
                )

                foreach ($keyName in $keyNames) {
                    # Own parent key and children subkeys.
                    ownRegistryKey -keyName $keyName
                }
            }

            function requestPrivileges {
                $numberOfRetries = 10

                $privilegeResult = $false
                for ($r = 0; (-not $privilegeResult) -and ($r -lt $numberOfRetries); $r += 1) {
                    $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
                }

                if (-not $privilegeResult) {
                    write-host "Unable to receive privilege."
                    exit 1
                }
            }

            function main {
                param(
                    [parameter(mandatory = $true)]
                    [string[]] $filePaths
                )

                requestPrivileges

                $keyNames = getKeyNames -filePaths $filePaths
                ownRegistryKeys -keyNames $keyNames
            }

            main $args

            • Thanks! BTW: This requires the English version of Windows to work correctly

              – Abdelhafid Madoui
              Sep 13 '18 at 19:04
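
The answer's last step says Windows Defender "should be completely disabled now". The following PowerShell check is an added example, not part of the answer: it reads back the service Start values, the Disable* registry flags and the renamed files that the answer's batch and .reg files change, so an administrator can confirm the result and, on the defensive side, a responder can detect that a machine has been configured this way. The function names are mine, and the script assumes an elevated Windows PowerShell 5.1 session on Windows 10. Two caveats worth knowing: on current Windows 10 builds Tamper Protection blocks or reverts writes to these values, and Microsoft Defender Antivirus no longer honours DisableAntiSpyware, so a report that shows nothing changed does not by itself mean the batch file never ran.

```powershell
# Added example (not from the original answer): audit the Windows Defender settings
# that the answer's "Disable Windows Defender" files change. Run elevated on Windows 10.

function Get-DefenderServiceStart {
    # Start = 4 is "Disabled" in a service's registry entry; a missing entry is also a finding.
    foreach ($name in 'WinDefend', 'WdNisSvc', 'WdBoot', 'WdFilter', 'WdNisDrv') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        [pscustomobject]@{
            Service  = $name
            Start    = $start
            Disabled = ($start -eq 4)
            Missing  = ($null -eq $start)
        }
    }
}

function Get-DefenderPolicyFlags {
    # The answer writes under HKLM\Software\Microsoft\Windows Defender; Group Policy writes the
    # same value names under the Policies hive, so both locations are inspected.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender'
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    )
    $values = @(
        @{ Sub = '';                      Name = 'DisableAntiSpyware' },
        @{ Sub = '\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
        @{ Sub = '\Real-Time Protection'; Name = 'DisableAntiSpywareRealtimeProtection' }
    )
    foreach ($root in $roots) {
        foreach ($v in $values) {
            $path = $root + $v.Sub
            $data = (Get-ItemProperty -Path $path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
            [pscustomobject]@{ Key = $path; Name = $v.Name; Value = $data; Set = ($data -eq 1) }
        }
    }
}

function Get-DefenderRenamedFiles {
    # The batch file renames the drivers and program folders to "*.bak".
    $paths = @(
        "$env:SystemRoot\System32\drivers\WdBoot.sys.bak"
        "$env:SystemRoot\System32\drivers\WdFilter.sys.bak"
        "$env:SystemRoot\System32\drivers\WdNisDrv.sys.bak"
        "$env:ProgramFiles\Windows Defender.bak"
        "$env:ProgramData\Microsoft\Windows Defender.bak"
    )
    foreach ($p in $paths) {
        [pscustomobject]@{ Path = $p; Present = (Test-Path -LiteralPath $p) }
    }
}

function Get-DefenderTamperReport {
    $report = [ordered]@{
        DisabledServices = @(Get-DefenderServiceStart | Where-Object { $_.Disabled -or $_.Missing })
        PolicyFlagsSet   = @(Get-DefenderPolicyFlags  | Where-Object { $_.Set })
        RenamedFiles     = @(Get-DefenderRenamedFiles | Where-Object { $_.Present })
    }
    # Get-MpComputerStatus fails once the product is gone; treat that as a finding rather than an error.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $report.AMServiceEnabled          = $status.AMServiceEnabled
        $report.RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    } catch {
        $report.AMServiceEnabled = $false
        $report.StatusError      = $_.Exception.Message
    }
    $report.Tampered = ($report.DisabledServices.Count -gt 0) -or
                       ($report.PolicyFlagsSet.Count -gt 0) -or
                       ($report.RenamedFiles.Count -gt 0) -or
                       (-not $report.AMServiceEnabled)
    [pscustomobject]$report
}

Get-DefenderTamperReport | Format-List
```

The report's `Tampered` field is true when any of the answer's changes is visible or when the antimalware service no longer reports itself as enabled; the individual lists show which change was found, which is what you would want to log or alert on from a management host.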
            I have written the batch file and registry files that should completely disable Windows Defender in Windows 10.




            1. Save the following files into the same folder.

            2. Run Disable Windows Defender.bat as administrator.

            3. After the batch file is done, restart.

            4. Run Disable Windows Defender.bat again as administrator.

            5. Windows Defender should be completely disabled now.


            Disable Windows Defender.bat



            @echo off

            call :main %*
            goto :eof

            :main
            setlocal EnableDelayedExpansion

            rem Check if Windows Defender is running.
            tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
            if %errorLevel% equ 0 (
            rem Windows Defender is running.
            echo Windows Defender is running.

            rem Performable operations while Windows Defender is running.
            rem Disable Windows Defender drivers.
            echo Disabling Windows Defender drivers...
            set "drivers="%SystemRoot%System32driversWdBoot.sys";"%SystemRoot%System32driversWdFilter.sys";"%SystemRoot%System32driversWdNisDrv.sys""
            set "drivers=!drivers:""="!"

            set "wasDriverDisabled=false"
            for %%d in (!drivers!) do (
            if exist "%%~d" (
            echo Disabling Windows Defender driver "%%~d"...
            call :disableFile "%%~d"
            set "wasDriverDisabled=true"
            )
            )

            rem Disable Windows Defender objects.
            echo Disabling Windows Defender objects...
            call :importRegistry "Disable Windows Defender objects.reg"

            rem Require restart to unload Windows Defender drivers and objects.
            echo.
            echo Restart required.
            ) else (
            rem Windows Defender is not running.
            echo Windows Defender is not running.

            rem Performable operations while Windows Defender is not running.
            rem Disable Windows Defender features.
            echo Disabling Windows Defender features...
            call :importRegistry "Disable Windows Defender features.reg"
            rem Disable Windows Defender services.
            echo Disabling Windows Defender services...
            call :importRegistry "Disable Windows Defender services.reg"

            rem Disable Windows Defender files.
            echo Disabling Windows Defender files...
            ren "%ProgramFiles%Windows Defender" "Windows Defender.bak"
            ren "%ProgramFiles(x86)%Windows Defender" "Windows Defender.bak"
            ren "%ProgramData%MicrosoftWindows Defender" "Windows Defender.bak"
            )

            endlocal
            goto :eof

            :ownFile
            setlocal
            set "filePath=%~1"
            set "user=%~2"
            takeown /f "%filePath%" /a
            icacls "%filePath%" /grant "%user%:F"
            endlocal
            goto :eof

            :disableFile
            setlocal
            set "filePath=%~1"
            call :ownFile "%filePath%" "Administrators"
            ren "%filePath%" "%~nx1.bak"
            endlocal
            goto :eof

            :importRegistry
            setlocal
            set "filePath=%~1"
            call OwnRegistryKeys.bat "%filePath%"
            @echo off
            regedit /s "%filePath%"
            endlocal
            goto :eof


            Disable Windows Defender objects.reg



            Windows Registry Editor Version 5.00

            ; Disable "Scan with Windows Defender..." right click context menu.
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{09A47860-11B0-4DA5-AFA5-26D86198A780}]
            [-HKEY_LOCAL_MACHINESoftwareClassesCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
            [-HKEY_LOCAL_MACHINESoftwareClassesWow6432NodeCLSID{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

            ; Disable "DefenderCSP.dll".
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

            ; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

            ; Disable InfectionState WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

            ; Disable Status WMI Provider ("MpProvider.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]

            ; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

            ; Disable Microsoft Windows Defender ("MsMpCom.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]

            ; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

            ; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

            ; Disable MP UX Host ("MpUxSrv.exe").
            [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
            [-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]


            Disable Windows Defender features.reg



            Windows Registry Editor Version 5.00

            ; Disable Windows Defender features.
            [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Scan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\UX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001

            [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender]
            "DisableAntiSpyware"=dword:00000001
            "DisableRoutinelyTakingAction"=dword:00000001
            "ProductStatus"=dword:00000000

            [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection]
            "DisableAntiSpywareRealtimeProtection"=dword:00000001
            "DisableRealtimeMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Scan]
            "AutomaticallyCleanAfterScan"=dword:00000000
            "ScheduleDay"=dword:00000008

            [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\UX Configuration]
            "AllowNonAdminFunctionality"=dword:00000000
            "DisablePrivacyMode"=dword:00000001


            Disable Windows Defender services.reg



            Windows Registry Editor Version 5.00

            ; Disable "Windows Defender" services.
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdBoot]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdFilter]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisDrv]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisSvc]
            "Start"=dword:00000004
            [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisSvc]
            "Start"=dword:00000004


            OwnRegistryKeys.bat



            @echo off

            rem Get the location of the PowerShell file.
            for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
                rem Run the PowerShell script once for each argument (each .reg file).
                for %%a in (%*) do (
                    powershell -executionPolicy bypass -file "%%~f" "%%~a"
                )
            )


            OwnRegistryKeys.ps1



            # Map each registry hive name to its .NET RegistryKey object.
            $script:baseKey = @{
                "HKEY_CLASSES_ROOT" = @{
                    "name" = "HKEY_CLASSES_ROOT";
                    "shortName" = "HKCR";
                    "key" = [Microsoft.Win32.Registry]::ClassesRoot
                };
                "HKEY_CURRENT_CONFIG" = @{
                    "name" = "HKEY_CURRENT_CONFIG";
                    "shortName" = "HKCC";
                    "key" = [Microsoft.Win32.Registry]::CurrentConfig
                };
                "HKEY_CURRENT_USER" = @{
                    "name" = "HKEY_CURRENT_USER";
                    "shortName" = "HKCU";
                    "key" = [Microsoft.Win32.Registry]::CurrentUser
                };
                "HKEY_DYN_DATA" = @{
                    "name" = "HKEY_DYN_DATA";
                    "shortName" = "HKDD";
                    "key" = [Microsoft.Win32.Registry]::DynData
                };
                "HKEY_LOCAL_MACHINE" = @{
                    "name" = "HKEY_LOCAL_MACHINE";
                    "shortName" = "HKLM";
                    "key" = [Microsoft.Win32.Registry]::LocalMachine
                };
                "HKEY_PERFORMANCE_DATA" = @{
                    "name" = "HKEY_PERFORMANCE_DATA";
                    "shortName" = "HKPD";
                    "key" = [Microsoft.Win32.Registry]::PerformanceData
                };
                "HKEY_USERS" = @{
                    "name" = "HKEY_USERS";
                    "shortName" = "HKU";
                    "key" = [Microsoft.Win32.Registry]::Users
                }
            }

            function enablePrivilege {
                param(
                    # The privilege to adjust. This set is taken from:
                    # http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
                    [validateSet(
                        "SeAssignPrimaryTokenPrivilege",
                        "SeAuditPrivilege",
                        "SeBackupPrivilege",
                        "SeChangeNotifyPrivilege",
                        "SeCreateGlobalPrivilege",
                        "SeCreatePagefilePrivilege",
                        "SeCreatePermanentPrivilege",
                        "SeCreateSymbolicLinkPrivilege",
                        "SeCreateTokenPrivilege",
                        "SeDebugPrivilege",
                        "SeEnableDelegationPrivilege",
                        "SeImpersonatePrivilege",
                        "SeIncreaseBasePriorityPrivilege",
                        "SeIncreaseQuotaPrivilege",
                        "SeIncreaseWorkingSetPrivilege",
                        "SeLoadDriverPrivilege",
                        "SeLockMemoryPrivilege",
                        "SeMachineAccountPrivilege",
                        "SeManageVolumePrivilege",
                        "SeProfileSingleProcessPrivilege",
                        "SeRelabelPrivilege",
                        "SeRemoteShutdownPrivilege",
                        "SeRestorePrivilege",
                        "SeSecurityPrivilege",
                        "SeShutdownPrivilege",
                        "SeSyncAgentPrivilege",
                        "SeSystemEnvironmentPrivilege",
                        "SeSystemProfilePrivilege",
                        "SeSystemtimePrivilege",
                        "SeTakeOwnershipPrivilege",
                        "SeTcbPrivilege",
                        "SeTimeZonePrivilege",
                        "SeTrustedCredManAccessPrivilege",
                        "SeUndockPrivilege",
                        "SeUnsolicitedInputPrivilege"
                    )]
                    $privilege,

                    # The process on which to adjust the privilege. Defaults to the current process.
                    $processId = $pid,

                    # Switch to disable the privilege, rather than enable it.
                    [switch] $disable
                )

                # Taken from P/Invoke.NET with minor adjustments.
                # Note: the closing '@ of a here-string must start at column 0 in the saved file.
                $definition = @'
                using System;
                using System.Runtime.InteropServices;

                public class AdjustPrivilege {
                    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
                    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

                    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
                    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

                    [DllImport("advapi32.dll", SetLastError = true)]
                    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

                    [StructLayout(LayoutKind.Sequential, Pack = 1)]
                    internal struct TokPriv1Luid {
                        public int Count;
                        public long Luid;
                        public int Attr;
                    }

                    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
                    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
                    internal const int TOKEN_QUERY = 0x00000008;
                    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

                    // Open the process token, look up the privilege LUID and enable or disable it.
                    public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
                        bool result;
                        TokPriv1Luid tp;
                        IntPtr hproc = new IntPtr(processHandle);
                        IntPtr htok = IntPtr.Zero;
                        result = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
                        tp.Count = 1;
                        tp.Luid = 0;
                        if (disable) {
                            tp.Attr = SE_PRIVILEGE_DISABLED;
                        } else {
                            tp.Attr = SE_PRIVILEGE_ENABLED;
                        }
                        result = LookupPrivilegeValue(null, privilege, ref tp.Luid);
                        result = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
                        return result;
                    }
                }
            '@

                $processHandle = (get-process -id $processId).handle
                $type = add-type $definition -passThru
                $type[0]::EnablePrivilege($processHandle, $privilege, $disable)
            }

            function getKeyNames {
                param(
                    # One or more .reg files to read key names from.
                    [parameter(mandatory = $true)]
                    [string[]] $filePaths = $null
                )

                # Collect every "[KEY]" or "[-KEY]" header from the .reg files, in order and without duplicates.
                return (get-content $filePaths | select-string -pattern "\[-?(.*)\]" -allMatches | forEach-object {$_.matches.groups[1].value} | select-object -unique)
            }

            function splitKeyName {
                param(
                    [parameter(mandatory = $true)]
                    [string] $keyName = $null
                )

                # Split "HKEY_LOCAL_MACHINE\Sub\Key" into the hive name and the subkey path.
                $names = $keyName.split("\/", 2)

                $rootKeyName = $names[0]
                $subKeyName = $names[1]

                $keyPart = @{
                    root = $baseKey[$rootKeyName];
                    subKey = @{
                        name = $subKeyName
                    }
                }

                return $keyPart
            }

            function ownRegistryKey {
                param(
                    [parameter(mandatory = $true)]
                    [string] $keyName = $null
                )

                write-host """$keyName"""

                # Check if the key exists.
                if ($(try { test-path -path "Registry::$keyName".trim() } catch { $false })) {
                    write-host " Opening..."

                    $keyPart = splitKeyName -keyName $keyName
                    # Open with only the TakeOwnership right; that is all SeTakeOwnershipPrivilege grants on a key we cannot otherwise access.
                    $ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
                    if ($ownableKey -ne $null) {
                        # Set the owner.
                        write-host " Setting owner..."
                        $acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
                        $owner = [System.Security.Principal.NTAccount] "Administrators"
                        $acl.setOwner($owner)
                        $ownableKey.setAccessControl($acl)

                        # Set the permissions (now possible because Administrators owns the key).
                        write-host " Setting permissions..."
                        $acl = $ownableKey.getAccessControl()
                        $person = [System.Security.Principal.NTAccount] "Administrators"
                        $access = [System.Security.AccessControl.RegistryRights] "FullControl"
                        $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
                        $propagation = [System.Security.AccessControl.PropagationFlags] "None"
                        $type = [System.Security.AccessControl.AccessControlType] "Allow"

                        $rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
                        $acl.setAccessRule($rule)
                        $ownableKey.setAccessControl($acl)

                        $ownableKey.close()

                        write-host " Done."

                        # Own children subkeys.
                        $readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
                        if ($readableKey -ne $null) {
                            $subKeyNames = ($readableKey.getSubKeyNames() | forEach-object { "$keyName\$_" })
                            $readableKey.close()
                            if ($subKeyNames -ne $null) {
                                ownRegistryKeys -keyNames $subKeyNames
                            }
                        } else {
                            write-host " Unable to open children subkeys."
                        }
                    } else {
                        write-host " Unable to open subkey."
                    }
                } else {
                    write-host " Key does not exist."
                }

                write-host
            }

            function ownRegistryKeys {
                param(
                    [parameter(mandatory = $true)]
                    [string[]] $keyNames = $null
                )

                foreach ($keyName in $keyNames) {
                    # Own parent key and children subkeys.
                    ownRegistryKey -keyName $keyName
                }
            }

            function requestPrivileges {
                $numberOfRetries = 10

                # Enabling the privilege occasionally fails; retry a few times before giving up.
                $privilegeResult = $false
                for ($r = 0; !$privilegeResult -and $r -lt $numberOfRetries; $r += 1) {
                    $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
                }

                if (!$privilegeResult) {
                    write-host "Unable to receive privilege."
                    exit 1
                }
            }

            function main {
                param(
                    [parameter(mandatory = $true)]
                    [string[]] $filePaths = $null
                )

                requestPrivileges

                $keyNames = getKeyNames -filePaths $filePaths
                ownRegistryKeys -keyNames $keyNames
            }

            main $args
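The scripts above leave a distinctive footprint: five services set to Start=4, a handful of DWORDs set to 1, and folders and drivers renamed to "*.bak". The following read-only PowerShell audit is an added example, not part of the answer, that an administrator can run elevated to see whether a Windows 10 host shows exactly those changes. The Policies key it also inspects is the standard Defender policy location, assumed here; the answer itself does not touch it.

```powershell
# Added read-only audit (not from the original answer): report whether a host
# shows the changes the answer's .reg and .bat files make. Run elevated on
# Windows 10; nothing here modifies the system.

# Services and drivers the answer sets to Start=4 (SERVICE_DISABLED).
$defenderServices = 'WinDefend', 'WdBoot', 'WdFilter', 'WdNisDrv', 'WdNisSvc'

# Values the answer's "features" .reg sets to 1, plus the standard Defender
# policy key (assumption: not touched by the answer, but a common equivalent).
$defenderValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                      Names = 'DisableAntiSpyware', 'DisableRoutinelyTakingAction' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'; Names = 'DisableRealtimeMonitoring', 'DisableAntiSpywareRealtimeProtection' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';             Names = 'DisableAntiSpyware' }
)

# Folders and drivers the answer's batch file renames to "*.bak".
$renamedArtifacts = @(
    "$env:ProgramFiles\Windows Defender.bak"
    "${env:ProgramFiles(x86)}\Windows Defender.bak"
    "$env:ProgramData\Microsoft\Windows Defender.bak"
    "$env:SystemRoot\System32\drivers\WdBoot.sys.bak"
    "$env:SystemRoot\System32\drivers\WdFilter.sys.bak"
    "$env:SystemRoot\System32\drivers\WdNisDrv.sys.bak"
)

function New-Finding([string] $Check, $Value, [bool] $Tampered) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Tampered = $Tampered }
}

function Get-DefenderServiceState {
    foreach ($name in $defenderServices) {
        $path  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = (Get-ItemProperty -Path $path -Name Start -ErrorAction SilentlyContinue).Start
        # A missing service entry is as suspicious as a disabled one on a stock install.
        if ($null -eq $start) { New-Finding "Service $name Start" 'missing' $true }
        else                  { New-Finding "Service $name Start" $start ($start -eq 4) }
    }
}

function Get-DefenderValueState {
    foreach ($entry in $defenderValues) {
        foreach ($name in $entry.Names) {
            $v = (Get-ItemProperty -Path $entry.Path -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -eq $v) { New-Finding "$($entry.Path)\$name" 'not set' $false }
            else              { New-Finding "$($entry.Path)\$name" $v ($v -eq 1) }
        }
    }
}

function Get-DefenderFileState {
    foreach ($p in $renamedArtifacts) {
        $present = Test-Path -LiteralPath $p
        New-Finding "Renamed artifact $p" $(if ($present) { 'present' } else { 'absent' }) $present
    }
}

function Get-DefenderProcessState {
    # The answer's batch file keys its behaviour on whether MsMpEng.exe is running.
    $running = [bool](Get-Process -Name MsMpEng -ErrorAction SilentlyContinue)
    New-Finding 'MsMpEng.exe process' $(if ($running) { 'running' } else { 'not running' }) (-not $running)
}

$results = @(Get-DefenderServiceState) + @(Get-DefenderValueState) + @(Get-DefenderFileState) + @(Get-DefenderProcessState)
$results | Format-Table -AutoSize

$flagged = @($results | Where-Object { $_.Tampered })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} indicator(s) match the disable procedure above; verify and re-enable Defender if this was not intended." -f $flagged.Count)
    exit 1
}
```

A non-zero exit code makes the script usable from a scheduled task or configuration-management check, so a fleet-wide drift report can be built from it.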




















            }
            } else {
            write-host " Unable to open children subkeys."
            }
            } else {
            write-host " Unable to open subkey."
            }
            } else {
            write-host " Key does not exist."
            }

            write-host
            }

            function ownRegistryKeys {
            param(
            [parameter(mandatory = $true)]
            [string] $keyNames = $null
            )

            $keyName = $null
            foreach ($keyName in $keyNames) {
            # Own parent key and children subkeys.
            ownRegistryKey -keyName $keyName
            }
            }

            function requestPrivileges {
            $numberOfRetries = 10

            $privilegeResult = $false
            for ($r = 0; !$privilegeResult -band $r -lt $numberOfRetries; $r += 1) {
            $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
            }

            if (!$privilegeResult) {
            write-host "Unable to receive privilege."
            exit 1
            }
            }

            function main {
            param(
            [parameter(mandatory = $true)]
            [string] $filePaths = $null
            )

            requestPrivileges

            $keyNames = getKeyNames -filePaths $filePaths
            ownRegistryKeys -keyNames $keyNames
            }

            main $args






edited Dec 6 '15 at 0:01
answered Dec 5 '15 at 23:38
XP1

• Thanks! BTW: This requires the English version of Windows to work correctly
  – Abdelhafid Madoui
  Sep 13 '18 at 19:04
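Two checks worth running around the script above, added here as an example and not part of XP1's answer. The script requests SeTakeOwnershipPrivilege, but a true return from AdjustTokenPrivileges does not prove the token actually holds that privilege, and a SetAccessControl call that raised no error does not show which owner and rules ended up on the key. The first function reads the current token's privilege table; the second reads back the owner and the Administrators rules on a key. It assumes an elevated PowerShell 5.1 or later session; the key path at the bottom is a placeholder, substitute the keys listed in your own .reg file.

```powershell
# Added example: verify the precondition and the result of the ownership script.
# Not part of the original script. Assumes an elevated PowerShell 5.1+ session.

function Get-PrivilegeState {
    param([Parameter(Mandatory)] [string] $Name)
    # whoami /priv lists the privileges present in the *current* token and whether
    # each is enabled. A privilege that is absent cannot be enabled by any API call.
    $rows = whoami /priv /fo csv | Where-Object { $_ } | ConvertFrom-Csv
    $row  = $rows | Where-Object { $_.'Privilege Name' -eq $Name }
    if (-not $row) { return 'Absent' }
    return $row.State     # 'Enabled' or 'Disabled'
}

function Get-RegistryKeyOwnership {
    # $KeyName uses the same "HKEY_LOCAL_MACHINE\..." form the script reads from .reg files.
    param([Parameter(Mandatory)] [string] $KeyName)
    $acl = Get-Acl -Path "Registry::$KeyName"
    [pscustomobject]@{
        Key        = $KeyName
        Owner      = $acl.Owner
        AdminRules = @($acl.Access |
            Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Administrators' } |
            ForEach-Object { "$($_.AccessControlType): $($_.RegistryRights)" })
    }
}

# Precondition: the token must at least contain SeTakeOwnershipPrivilege
# (elevated administrators have it, normally in the Disabled state until enabled).
$state = Get-PrivilegeState -Name 'SeTakeOwnershipPrivilege'
if ($state -eq 'Absent') {
    Write-Warning 'SeTakeOwnershipPrivilege is not in this token; run from an elevated prompt.'
} else {
    Write-Host "SeTakeOwnershipPrivilege is present, state: $state"
}

# Postcondition: owner and Administrators rules on a key the script reported as "Done."
# Placeholder path (assumption); replace with a key from your .reg file.
Get-RegistryKeyOwnership -KeyName 'HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\Product' | Format-List
```

If the owner reads BUILTIN\Administrators and an Allow: FullControl rule is listed, the script did what it claims for that key; if the owner is unchanged, the privilege was not effectively enabled in the process the script adjusted, which is the failure the retry loop in requestPrivileges cannot detect on its own.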











            1














            The easy powershell method is here from an answer I posted on a question later marked duplicate for this.



            The easiest way to do this would be to use powershell to disable it, the command you probably want is this



            Set-MpPreference -DisableRealtimeMonitoring $true
            Get-Service WinDefend | stop-service


            For an article on using powershell to disable/enable Windows Defender check here: http://wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows-10-using-powershell



            Here is the technet article for a more detailed look at available defender cmdlets: https://technet.microsoft.com/en-us/library/dn433280.aspx






edited Jan 14 '16 at 19:55
answered Jan 14 '16 at 19:18
Abraxas

• I don't believe this would stop and disable the service itself. It just disables the real-time capabilities of Windows Defender, which can simply be done through Settings; no need for a PowerShell applet.
  – Ramhound
  Jan 14 '16 at 19:48

• @Ramhound edited for service mgmt with powershell. I'm not 100% it will stop the service without the same issue as net stop service but I have had more luck with powershell and don't believe get/stop-service alias to net-stop
  – Abraxas
  Jan 14 '16 at 19:57
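The comments above make the important distinction: Set-MpPreference flips an engine setting, while Stop-Service is an access-checked operation on the service object and can be refused exactly as net stop was in the question. The following is an added example, not part of Abraxas's answer, that records the state of the service and the engine before and after the two commands, so that "the commands ran" is not mistaken for "Defender is off". It assumes an elevated PowerShell 5.1 or later session on Windows 10 with the Defender module present; the same Get-DefenderState function is also a useful check after the Autoruns, reg add and Debloat approaches given in the other answers. One caveat from later Windows 10 builds: when Tamper Protection is enabled, Set-MpPreference changes to real-time protection are ignored rather than rejected, which is another reason to read the state back.

```powershell
# Added example: observe, not just issue, the disable commands from the answer above.
# Not part of the original answer. Assumes an elevated PowerShell 5.1+ session.

function Get-DefenderState {
    $svc  = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    $stat = Get-MpComputerStatus -ErrorAction SilentlyContinue
    # DisableAntiSpyware is the policy value another answer on this page sets with reg add.
    $pol  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                             -Name DisableAntiSpyware -ErrorAction SilentlyContinue

    $serviceStatus = if ($svc)  { $svc.Status }    else { 'not found' }
    $startType     = if ($svc)  { $svc.StartType } else { 'not found' }
    $rtmDisabled   = if ($pref) { $pref.DisableRealtimeMonitoring } else { $null }
    $amEnabled     = if ($stat) { $stat.AMServiceEnabled }          else { $null }
    $rtpEnabled    = if ($stat) { $stat.RealTimeProtectionEnabled } else { $null }
    $policyValue   = if ($pol)  { $pol.DisableAntiSpyware }         else { 'not set' }

    [pscustomobject]@{
        ServiceStatus              = $serviceStatus
        ServiceStartType           = $startType
        RealtimeMonitoringDisabled = $rtmDisabled   # what Set-MpPreference changes
        AMServiceEnabled           = $amEnabled     # engine view of the service
        RealTimeProtectionEnabled  = $rtpEnabled    # engine view of real-time scanning
        DisableAntiSpywarePolicy   = $policyValue
    }
}

function Disable-DefenderRealtime {
    $before = Get-DefenderState

    # Engine-level switch: turns off real-time scanning but leaves WinDefend running.
    Set-MpPreference -DisableRealtimeMonitoring $true

    # Service-level attempt: governed by the WinDefend service DACL, so it may be refused
    # just like "net stop windefend". Capture the refusal instead of hiding it.
    $stopError = $null
    try {
        Stop-Service -Name WinDefend -ErrorAction Stop
    } catch {
        $stopError = $_.Exception.Message
    }

    [pscustomobject]@{
        Before    = $before
        After     = Get-DefenderState
        StopError = $stopError
    }
}

$result = Disable-DefenderRealtime
Write-Host '--- before ---'; $result.Before | Format-List
Write-Host '--- after ----'; $result.After  | Format-List
if ($result.StopError) { Write-Warning "Stop-Service was refused: $($result.StopError)" }
```

On a stock Windows 10 install the expected outcome is RealtimeMonitoringDisabled changing to True while ServiceStatus stays Running and StopError carries an access-denied message; that pairing is the evidence behind Ramhound's comment that this disables real-time scanning rather than the service.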











            0














            I found that the following procedure works well; it doesn't remove or disable Windows Defender, but it disables Windows Defender SERVICE, stops all start-up and real-time scanning, and prevents Windows Defender Real-Time Scan from turning itself back on. (It leaves Windows Defender in-place, so you can use it to perform on-demand scanning of suspicious files.)



            PROCEDURE:




            1. Find, download, install "SysInternals" program suite.

            2. Run program "AutoRuns".

            3. Find "Windows Defender Service".

            4. Uncheck the box.

            5. Restart your computer.


            After doing that, my startup time decreased from 20min to 5min, and memory usage after startup (before launching any apps) decreased from 2.1GB to 1.2GB. And when I looked in "Services", I found that "Windows Defender Service", while still there, is now marked "NOT running, Disabled".






answered Oct 1 '16 at 23:02
Robbie Hatley
                    0














                    The easiest way I've found is to open an administrator command prompt and run:



                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1


                    Then reboot. I have not been able to find a way to shut down the service once it is started without a reboot.






answered Feb 5 '17 at 1:46
jcoffland
                            0














                            It is not so easy to reliably and totally disable Windows Defender. There is a PowerShell script that uninstalls Windows Defender, but you may not be able to install it back later. This script requires two reboots.



                            Just download Debloat-Windows-10 and follow these steps, provided by the author:




                            1. Unpack the archive;


                            2. Enable execution of PowerShell scripts:



                              PS> Set-ExecutionPolicy Unrestricted




                            3. Unblock PowerShell scripts and modules within this directory:



                              PS > ls -Recurse *.ps1 | Unblock-File
                              PS > ls -Recurse *.psm1 | Unblock-File



                            4. Run scripts\disable-windows-defender.ps1


                            5. Reboot the computer (either the usual way or via PS > Restart-Computer)

                            6. Run scripts\disable-windows-defender.ps1 one more time.

                            7. Reboot the computer again.


                            This is not the easiest way, but it is very reliable and resilient.



                            There are also scripts to remove unnecessary programs like BingFinance, Skype, OneDrive, etc., if you don't need them.



                            The archive also contains a lot of scripts that you may find useful.



                            Please be aware that these scripts irreversibly delete files and can delete vital functions of Windows. For example, they may totally disable the Start menu!



                            Don't run disable-ShellExperienceHost.bat from this package, otherwise the Start Menu will stop opening.






edited Jun 4 '17 at 0:25
answered May 27 '17 at 14:41
Maxim Masiutin
                                    0














                                    It would be helpful to understand why you cannot stop a particular service.




                                    • I'm the administrator; worse than failure can't the Administrator administrate?!


                                    It's because of the security permissions on the WinDefend service.



                                    Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"






                                    Viewing Permissions



                                    If you run from a command line:



                                    >sc sdshow WinDefend


                                    where





                                    • sdshow means "Displays a service's security descriptor."


                                    You'll get the security descriptor:



                                    C:\Users\Ian>sc sdshow WinDefend

                                    D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


                                    This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:



                                    D:
                                    (A;;CCLCSWRPLOCRRC;;;BU)
                                    (A;;CCLCSWRPLOCRRC;;;SY)
                                    (A;;CCLCSWRPLOCRRC;;;BA)
                                    (A;;CCLCSWRPLOCRRC;;;IU)
                                    (A;;CCLCSWRPLOCRRC;;;SU)
                                    (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
                                    (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)


                                    The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):





                                    • D: discretionary access control list


                                      • ACE1: A;;CCLCSWRPLOCRRC;;;BU

                                      • ACE2: A;;CCLCSWRPLOCRRC;;;SY

                                      • ACE3: A;;CCLCSWRPLOCRRC;;;BA

                                      • ACE4: A;;CCLCSWRPLOCRRC;;;IU

                                      • ACE5: A;;CCLCSWRPLOCRRC;;;SU

                                      • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

                                      • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                    Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.



                                    Looking first at who they apply to, a random blog article decodes some of them (archive.is):





                                    • BU: Built-in users


                                    • SY: Local System


                                    • BA: Built-in administrators


                                    • IU: Interactively logged-on user


                                    • SU: Service logon user


                                    • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer


                                    • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736:


                                    You can get the name associated with an SID by running:



                                    >wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name


                                    Each ACE contains a list of permissions that the user is being allowed or denied.





                                    • D: discretionary access control list



                                      • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users


                                      • ACE 2: A;;CCLCSWRPLOCRRC;;; Local system


                                      • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators


                                      • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user


                                      • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user


                                      • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer


                                      • ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                    Breaking down the remaining semicolon separated sections in an ACE:




                                    • ACE: A;;CCLCSWRPLOCRRC;;;


                                      • AceType: A ACCESS_ALLOWED_ACE_TYPE

                                      • AceFlags: (none)

                                      • AccessMask: CC LC SW RP LO CR RC



                                        • CC: CREATE_CHILD


                                        • LC: LIST_CHILDREN


                                        • SW: SELF_WRITE


                                        • RP: READ_PROPERTY


                                        • LO: LIST_OBJECT


                                        • CR: CONTROL_ACCESS


                                        • RC: READ_CONTROL



                                      • ObjectGuid: (none)

                                      • InheritObjectGuid: (none)




                                    The leading A means Allowed, and the permissions are two-letter codes:





                                    • D: discretionary access control list



                                      • ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users


                                      • ACE 2: Allow, CC LC SW RP LO CR RC, Local system


                                      • ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators


                                      • ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user


                                      • ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user


                                      • ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer


                                      • ACE 7: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736




                                    And this is where i'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but i've already stopped it, and my PC is still misbehaving.



                                    Spoiler:



                                    sc sdset WinDefend [newSDLString]


                                    Bonus Reading





                                    • How to specify permissions to services in Windows by using SDDL? *(archive.is)


                                    • How to Convert SID to Username and Vice Versa (archive.is)


                                    • The Security Descriptor Definition Language of Love (Part 2) (archive.is)


                                    • 2.5.1.1 Syntax (archive.is)






edited Feb 11 at 14:53

answered Feb 3 at 17:18

Ian Boyd























I managed to disable it using Autoruns; under the services tab there is an entry WinDefend, untick the box and reboot.






answered Aug 9 '15 at 21:50

FreddyFlares





























