Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable windows defender script appears not working on Windows 10 2004 #273

Open
afirmware opened this issue Oct 12, 2020 · 16 comments
Open

Disable windows defender script appears not working on Windows 10 2004 #273

afirmware opened this issue Oct 12, 2020 · 16 comments

Comments

@afirmware
Copy link

I used this script on a freshly installed Windows 10 Enterprise version 2004 build 19041.508. But it shows the following errors even if I have rebooted multiple times.

PS C:\Windows\system32> cd C:\setup\Debloat-Windows-10\scripts
PS C:\setup\Debloat-Windows-10\scripts> .\disable-windows-defender.ps1
Elevating priviledges for this process
Trying to disable scheduled task Windows Defender Cache Maintenance

TaskPath                                       TaskName                          State
--------                                       --------                          -----
\Microsoft\Windows\Windows Defender\           Windows Defender Cache Mainten... Disabled
Trying to disable scheduled task Windows Defender Cleanup
\Microsoft\Windows\Windows Defender\           Windows Defender Cleanup          Disabled
Trying to disable scheduled task Windows Defender Scheduled Scan
\Microsoft\Windows\Windows Defender\           Windows Defender Scheduled Scan   Disabled
Trying to disable scheduled task Windows Defender Verification
\Microsoft\Windows\Windows Defender\           Windows Defender Verification     Disabled
Disabling Windows Defender via Group Policies
Disabling Windows Defender Services
Set-ItemProperty : Attempted to perform an unauthorized operation.
At C:\setup\Debloat-Windows-10\scripts\disable-windows-defender.ps1:37 char:1
+ Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Start:String) [Set-ItemProperty], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

Set-ItemProperty : Attempted to perform an unauthorized operation.
At C:\setup\Debloat-Windows-10\scripts\disable-windows-defender.ps1:38 char:1
+ Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (AutorunsDisabled:String) [Set-ItemProperty], UnauthorizedAccessExcept
   ion
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

Set-ItemProperty : Attempted to perform an unauthorized operation.
At C:\setup\Debloat-Windows-10\scripts\disable-windows-defender.ps1:39 char:1
+ Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Start:String) [Set-ItemProperty], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

Set-ItemProperty : Attempted to perform an unauthorized operation.
At C:\setup\Debloat-Windows-10\scripts\disable-windows-defender.ps1:40 char:1
+ Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (AutorunsDisabled:String) [Set-ItemProperty], UnauthorizedAccessExcept
   ion
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

Removing Windows Defender context menu item
Removing Windows Defender GUI / tray from autorun

I heard that windows introduced "Tamper Protection" that makes it hard to turn off windows defender. https://superuser.com/questions/1529000/is-there-any-way-to-turn-off-tamper-protection-using-command-line Is this the reason of the error?
@W4RH4WK
Copy link
Owner

W4RH4WK commented Oct 12, 2020

Could be. I haven't revisited the script since the introduction of Tamper Protection. I just figured out yesterday. That group policies are ignored if tamper protection is enabled.

Following the thread you linked. It doesn't seem to be possible to turn off tamper protection via the shell. Intune is mentioned, but that'd be overkill for this project.

@ghost
Copy link

ghost commented Oct 23, 2020

Same here

@kokotas89
Copy link

How does sordum does it with his defender control then? Because his application works on 2009 as well.

@W4RH4WK
Copy link
Owner

W4RH4WK commented Nov 3, 2020

@kokotas89 I've never heard of Sordum. Is the application you are referring to open source?

@kokotas89
Copy link

@kokotas89 I've never heard of Sordum. Is the application you are referring to open source?

No it's not open source otherwise I would have provided a link :P I was wondering if you knew how he does it by comparing before and after system snapshots or something like that.

@W4RH4WK
Copy link
Owner

W4RH4WK commented Nov 3, 2020

@kokotas89 ah. So no, I don't know. Maybe I'll take a look at it in the next couple of days. Depends on my time.

If it's only different registry keys, that could be adapted easily. However, if it makes use of other things that are not yet part of the scripts, I may be hesitant to add it. Anyways, I'll let you know if I find something.

@kokotas89
Copy link

Probably lots more going other than changing registry values. It's all cool man thank you for your time and contribution.

@W4RH4WK
Copy link
Owner

W4RH4WK commented Nov 4, 2020

I did some superficial analysis of the mentioned application. Here are the details (see notes.txt):

def_ctrl_re.zip

To summarize, it seems like it's manually setting the group policy to disable Windows Defender globally. IIRC we had several issues related to this. It broke a few ways of installation things, mainly through the Windows Store.

I tried installing 2 applications through the Windows Store, after running Defender Control, and it worked fine. So, maybe MS has changed something here.

Initially I thought that the simple group policy entry wouldn't do anything because of the Windows Defender Anti-Temper setting, but apparently it's working and I haven't found anything that seems to specifically disable the Anti-Temper feature.

My takeaway, unless I've missed something, here is that it (simply) uses 1 group policy setting, set via files located in system32. and 3 registry entries we already set in our script. Modifying the files in system32 doesn't seem trivial for a PowerShell script, so that's not exactly an option for now I'd say. In addition to this, group policies are already the go-to tool for system administrators. So if that one rule, is actually sufficient, there is no need for the PowerShell scripts to cover that part.

@kokotas89
Copy link

That's a great first analysis wow! Hopefully this will lead to something so that we can get rid of what ms forces down our throats.

@W4RH4WK
Copy link
Owner

W4RH4WK commented Nov 4, 2020

For what it's worth, Defender Control doesn't seem to do anything that should result in a major breakage of the system, nor does it seem to be somehow malicious. I am not a security expert and haven't looked into every detail of the program. But so far, it looks fine I'd say.

@kokotas89
Copy link

That's good news. I guess I will test it when I do a clean installation of w10 2009 along with your ps scripts.

@chrisliebaer
Copy link

chrisliebaer commented Dec 13, 2020
edited
Loading

Since Microsoft decided to deprecate the DisableAntiSpyware registry key I looked into disabling Windows Defender for good. It's actually quite complicated to get any information about the workings for Windows Defender since the internet is flooded with "Why would you disable it?" and "Just set DisableAntiSpyware". Using the aforementioned method will now only disable it for a short period until it reenables itself. You can also tell by the context menu entry staying alive.

There are multiple processes involed in keeping the Defender enabled. All of them appear to be residing in a bunch of services that partly reenable each other if you simply disable one of them. The registry keys are owned and controlled by the NT-authority user and will be reset if windows detects this.

Setting the following registry keys which will essentially disable all relevant Windows Defender services seems to completly kill all Windows Defender activities. Changing these keys requires NT-authoriy permissions (or whatever it is called in english)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004

The source of these keys is https://superuser.com/a/1009656 and the post contains a few other registry changes that would probably remove even more parts of the Windows Defender but I tried to be conserative with my changes.

The only issue is that with these changes, the security center will notice that something is very wrong and start pestering you. So to prevent it from doing that, you can use the following Group Policy:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]
"DisableNotifications"=dword:00000001
"DisableEnhancedNotifications"=dword:00000001

; Why would be want to see the icon if the entire thing is now broken anyway?
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray]
"HideSystray"=dword:00000001

So far this seems to have disabled the Windows Defender entirely. I can't find any stray processes. The performance impact from it's real time scan is gone and the context menu entry is also removed and it doesn't appear to reenable itself after a reboot. I assume that major Windows Updates will reset these services but this is as far as we can go I guess.

@Limezero
Copy link

Limezero commented Dec 23, 2020
edited
Loading

On a fresh install of Win 10 LTSC 2019 (Version 1809), I have not been able to find a single script that works, including the one linked in the previous post. The ONLY reliable way of preventing MsMpEng.exe and the WinDefend service from running is to mount the drive in another operating system, bypass the permissions and directly remove the executables (which then immediately get restored on an sfc.exe check or an update). The Group Policy settings turn themselves off after a reboot, and the registry keys cannot be edited from within the operating system, even if I use a third party tool to run regedit.exe under the NT-AUTHORITY\SYSTEM account and attempt to manually set every permission and ownership property that exists.

It's kind of funny how Windows Defender itself acts like a rootkit, going to great lengths to ensure that it cannot be deleted from within the system it resides in, even using a cluster of shady, undocumented services and background tasks to replace itself should anything happen. I miss the days when all it took was a single checkbox, and users were assumed to be competent enough to use antivirus software if they want one. I can understand making it a default, but for God's sake, put a hidden setting or registry key somewhere. Make it flash a red popup for 30 seconds or make it an option you can only select during installation on the Enterprise SKU on every third Wednesday of the month if you must, just have SOMETHING.

Edit: Turns out, PowerRun v1.4 is able to launch a copy of regedit.exe with the necessary permissions for editing Defender's service keys, and a shell with TrustedInstaller permissions which you can use to rename or remove the executables! As always, it's a half-assed measure which is trivial to bypass once you know how. At least until they lock things down even further, and you really are going to need an offline disk/registry editor.

@ponei ponei mentioned this issue Apr 22, 2021
Closed
@mrgreywater
Copy link

Just an fyi, if you start a cmd terminal with TrustedInstaller privileges (PowerRun/RunAsTI), then execute the normal commands, the script disables windows defender as it should.

powershell
cd SCRIPT_PATH
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
.\disable-windows-defender.ps1

@majkinetor
Copy link
Contributor

I confirm its disabled when I run the script within PowerShell run with TrustedInstaller privileges. That was the only way to turn of defender with latest Windows.

@majkinetor
Copy link
Contributor

With latest W10 running as TI produces errors again:

Elevating priviledges for this process
Trying to disable scheduled task Windows Defender Cache Maintenance

TaskPath                                       TaskName                          State
--------                                       --------                          -----
\Microsoft\Windows\Windows Defender\           Windows Defender Cache Mainten... Disabled
Trying to disable scheduled task Windows Defender Cleanup
\Microsoft\Windows\Windows Defender\           Windows Defender Cleanup          Disabled
Trying to disable scheduled task Windows Defender Scheduled Scan
\Microsoft\Windows\Windows Defender\           Windows Defender Scheduled Scan   Disabled
Trying to disable scheduled task Windows Defender Verification
\Microsoft\Windows\Windows Defender\           Windows Defender Verification     Disabled
Disabling Windows Defender via Group Policies
Disabling Windows Defender Services
Exception calling "SetAccessControl" with "1" argument(s): "Attempted to perform an unauthorized operation."
At C:\Work\_\_\Debloat-Windows-10\lib\take-own.psm1:26 char:5
+     $key.SetAccessControl($acl)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : UnauthorizedAccessException

Exception calling "SetAccessControl" with "1" argument(s): "Attempted to perform an unauthorized operation."
At C:\Work\_\_\Debloat-Windows-10\lib\take-own.psm1:32 char:5
+     $key.SetAccessControl($acl)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : UnauthorizedAccessException

Set-ItemProperty : Attempted to perform an unauthorized operation.
At C:\Work\_\_\Debloat-Windows-10\scripts\disable-windows-defender.ps1:37 char:1
+ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Start:String) [Set-ItemProperty], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

Set-ItemProperty : Attempted to perform an unauthorized operation.
At C:\Work\_\_\Debloat-Windows-10\scripts\disable-windows-defender.ps1:38 char:1
+ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (AutorunsDisabled:String) [Set-ItemProperty], UnauthorizedAccessExcept
   ion
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

Set-ItemProperty : Attempted to perform an unauthorized operation.
At C:\Work\_\_\Debloat-Windows-10\scripts\disable-windows-defender.ps1:39 char:1
+ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Start:String) [Set-ItemProperty], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

Set-ItemProperty : Attempted to perform an unauthorized operation.
At C:\Work\_\_\Debloat-Windows-10\scripts\disable-windows-defender.ps1:40 char:1
+ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (AutorunsDisabled:String) [Set-ItemProperty], UnauthorizedAccessExcept
   ion
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@majkinetor @W4RH4WK @mrgreywater @Limezero @chrisliebaer @afirmware @kokotas89