Regkeyvalue hklm software policies microsoft windows defender spynet disableblockatfirstseen

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
«DisableAntiSpyware»=dword:00000001
«DisableRealtimeMonitoring»=dword:00000001
«DisableAntiVirus»=dword:00000001
«DisableSpecialRunningModes»=dword:00000001
«DisableRoutinelyTakingAction»=dword:00000001
«ServiceKeepAlive»=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
«DisableBehaviorMonitoring»=dword:00000001
«DisableOnAccessProtection»=dword:00000001
«DisableScanOnRealtimeEnable»=dword:00000001
«DisableRealtimeMonitoring»=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
«ForceUpdateFromMU»=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
«DisableBlockAtFirstSeen»=dword:00000001

If you don’t like or want Defender on your system and you want it Completely Gone, there is a way BUT! You have to add to the registry. Values and Keys and a lot of them. I disabled Defender and installed another AV for testing. Never liked Defender. To give you an idea of how in-depth this is I’ll past the Values and Keys from Britec. Defender is so embedded into the Windows system that the average user will have no idea how to remove it. So My Post! Would you go this far? Or would you settle for what Microsoft says you need…

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
«DisableAntiSpyware»=dword:00000001
«DisableRealtimeMonitoring»=dword:00000001
«DisableAntiVirus»=dword:00000001
«DisableSpecialRunningModes»=dword:00000001
«DisableRoutinelyTakingAction»=dword:00000001
«ServiceKeepAlive»=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
«DisableBehaviorMonitoring»=dword:00000001
«DisableOnAccessProtection»=dword:00000001
«DisableScanOnRealtimeEnable»=dword:00000001
«DisableRealtimeMonitoring»=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
«ForceUpdateFromMU»=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
«DisableBlockAtFirstSeen»=dword:00000001

What about these few extra’s?

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen]
«ConfigureAppInstallControlEnabled»=dword:00000000
«ConfigureAppInstallControl»=»Anywhere»

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
«SpyNetReporting»=dword:00000000
«SubmitSamplesConsent»=dword:00000002

Have you tried Panda, WiseVector, 360 TSE or Adaware?

I know your voice now, beware.

Panda yes 2 other no

Up to individuals so that’s their choice — but WD is so good now and integrated with OS to use minimal resources I’m not sure what the problem is here or why the OP doesn’t want it.

To me disabling WD seems a bit like saying I want a top of the range BMW but only want a Pinto engine in it.

Cheers
jimbo

If you don’t like or want Defender on your system and you want it Completely Gone, there is a way BUT! You have to add to the registry. Values and Keys and a lot of them. I disabled Defender and installed another AV for testing. Never liked Defender. To give you an idea of how in-depth this is I’ll past the Values and Keys from Britec. Defender is so embedded into the Windows system that the average user will have no idea how to remove it. So My Post! Would you go this far? Or would you settle for what Microsoft says you need…

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
«DisableAntiSpyware»=dword:00000001
«DisableRealtimeMonitoring»=dword:00000001
«DisableAntiVirus»=dword:00000001
«DisableSpecialRunningModes»=dword:00000001
«DisableRoutinelyTakingAction»=dword:00000001
«ServiceKeepAlive»=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
«DisableBehaviorMonitoring»=dword:00000001
«DisableOnAccessProtection»=dword:00000001
«DisableScanOnRealtimeEnable»=dword:00000001
«DisableRealtimeMonitoring»=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
«ForceUpdateFromMU»=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
«DisableBlockAtFirstSeen»=dword:00000001

No need for all this. One simple batch file gets rid of Windows Defender completely from its roots. Running it again would restore it.

Download ToggleDefender

No need for all this. One simple batch file gets rid of Windows Defender completely from its roots. Running it again would restore it.

Download ToggleDefender

That batch feel needs updating. It’s been reported early in the new year it stopped working after a Windows (11) update. That’s why in March Defender Control was updated to 2.1.

It’s not without it’s bugs, but the only way to disable Defender (100%) completely is installing and running Defender Control.

That site has so many «Entrapment links» before you get to the real file download and it doesn’t work anyway.

I’ve found absolutely no way to stop this wretched thing appearing on clean installs of W11 on latest builds whether using local account or not. You can even at first boot see there’s a problem with WD as the store isn’t even shown on the taskbar which it normally is when booting a new systyem ist time.

Картинка с сайта: www.elevenforum.com

Update installs work OK — just clean installs whether using ISO’s from UUPDUMP or the ms site.

I’ve given up with W11 new installs on this computer for the moment — it fails whether as a VM or a real machine, whether on real HDD’s or vhdx files. None of the 10 zillion fixes on google work nor scannow or other commands to fix system files.

If this nonsense is going to happen when bog standard users finally do a mass switch — I wouldn’t like to be I.T admin !!!!

Cheers
jimbo

I have Defender full enabled on my laptop with nvme drives and it idles at 1% cpu and very occasionally blips to a few % when it does a background scan after an update.

In the end running without an AV package is just dumb (It’s like peole saying I have never had an accident, so I never wear a seatbelt).

People can try and justify to the end of time why they feel they are more knowledgeable than hackers but in the end it is bullcrap. There is always some toerag out to get you — why make it easy?

I would not let any user attach a pc to my network if they have disabled all AVs.

The issue is not so much disabling defender — that is easy i.e. install another AV package. When people go out of their way to ask about deleting Defender, they never say why. It always seems to be gamers in pursuit of a tiny fps increase.

I have Defender full enabled on my laptop with nvme drives and it idles at 1% cpu and very occasionally blips to a few % when it does a background scan after an update.

In the end running without an AV package is just dumb (It’s like peole saying I have never had an accident, so I never wear a seatbelt).

People can try and justify to the end of time why they feel they are more knowledgeable than hackers but in the end it is bullcrap. There is always some toerag out to get you — why make it easy?

I would not let any user attach a pc to my network if they have disabled all AVs.

The problem here is that I can’t get into the application to run anything on it at all — even a scan for malware !!!!!!!!

When it’s working WD is excellent — but an OS where the security package fails to open so you can’t even scan or change some settings is just plain useless.

I’m not sure why this app is such a problem —using 100% legal software and this is just after a clean install from an official W11 iso.

Cheers
jimbo

@cls
@echo off
>nul chcp 437
setlocal enabledelayedexpansion
title Group Policy Addins

>nul 2>&1 where powershell || (
echo.
echo Missing Critical files [powershell.exe]
echo.
pause
exit /b
)

rem == Destroy Defender Called from End OF Script
whoami|>nul findstr /i /c:»nt authority\system» && (
echo.
call :RunAtSystemLevel
timeout 6
exit
)

rem Credit ..
rem Bau For Run As TI Script
rem freddie-o, geepnozeex, St1ckys For Defender Script

cd /d «%~dp0»

:::: Run as administrator, AveYo: ps\vbs version
1>nul 2>nul fltmc || (
set «_=call «%~f0″ %*» & powershell -nop -c start cmd -args’/d/x/r’,$env:_ -verb runas || (
>»%temp%\Elevate.vbs» echo CreateObject^(«Shell.Application»^).ShellExecute «%~dpf0», «%*» , «», «runas», 1
>nul «%temp%\Elevate.vbs» & del /q «%temp%\Elevate.vbs» )
exit)

echo.
set Policies=HKEY_LOCAL_MACHINE\SOFTWARE\Policies

set Key=»HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore»
>nul 2>&1 REG ADD !Key! /f /v DisableSR /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v DisableConfig /t REG_DWORD /d 1

set Key=»%Policies%\Microsoft\Windows NT\SystemRestore»
>nul 2>&1 REG ADD !Key! /f /v DisableSR /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v DisableConfig /t REG_DWORD /d 1

echo == Disable Malicious Software Reporting Tool
set Key=»%Policies%\Microsoft\MRT»
>nul 2>&1 REG ADD !Key! /f /v DontReportInfectionInformation /t REG_DWORD /d «1»
>nul 2>&1 REG ADD !Key! /f /v DontOfferThroughWUAU /t REG_DWORD /d «1»

echo == Disable Windows Defender Security Center Notifications
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender Security Center\Notifications» /f /v DisableNotifications /t REG_DWORD /d «1»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender Security Center\Notifications» /f /v DisableEnhancedNotifications /t REG_DWORD /d «1»

echo == Hide Windows Security Systray
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender Security Center\Systray» /f /v HideSystray /t REG_DWORD /d «1»

echo == Turn off Windows Defender
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender» /f /v DisableAntiSpyware /t REG_DWORD /d «1»

echo == Disable smartscreen
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows\System» /f /v EnableSmartScreen /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender\SmartScreen» /f /v ConfigureAppInstallControlEnabled /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender\SmartScreen» /f /v ConfigureAppInstallControl /t REG_SZ /d «Anywhere»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Internet Explorer\PhishingFilter» /f /v Enabled /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Internet Explorer\PhishingFilter» /f /v EnabledV8 /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Internet Explorer\PhishingFilter» /f /v EnabledV9 /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3» /f /v 2301 /t REG_DWORD /d «3»
>nul 2>&1 REG ADD «HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen» /f /v value /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer» /f /v SmartScreenEnabled /t REG_SZ /d «Off»

echo == Disable smartscreen for store and apps
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost» /f /v EnableWebContentEvaluation /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost» /f /v PreventOverride /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State» /f /v AppAndBrowser_StoreAppsSmartScreenOff /t REG_DWORD /d «0»

echo == Disable smartscreen for microsoft edge
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge» /f /v SmartScreenEnabled /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge» /f /v SmartScreenPuaEnabled /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State» /f /v AppAndBrowser_EdgeSmartScreenOff /t REG_DWORD /d «0»

call :RunAsTI «%~dpf0»

timeout 10
exit

:RunAtSystemLevel
:RunAtSystemLevel
:RunAtSystemLevel

echo == Delete Windows Defender Services
for %%A IN (WinDefend, WdBoot, WdFilter, Sense, WdNisDrv, WdNisSvc) do (
>nul 2>&1 sc config %%A start=disabled
>nul 2>&1 sc stop %%A
>nul 2>&1 reg delete «HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%%A» /f
)

echo == Close Windows Defender Application
for %%A IN (SecurityHealthService.exe, SecurityHealthSystray.exe, smartscreen.exe, MpCmdRun.exe) do >nul 2>&1 taskkill /im %%A

echo == Delete Windows Defender scheduled tasks
>nul 2>&1 reg delete «HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Defender» /f

echo == Disable Malicious Software Reporting Tool
>nul 2>&1 reg delete «HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe» /f

echo == Remove Defender Components
call :export cson > «%temp%\Windows.10.Defender_Uninstall.ps1»
>nul 2>&1 powershell -noprofile -executionpolicy bypass -file «%temp%\Windows.10.Defender_Uninstall.ps1»

echo == Remove Temper Protection
set Key=»HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features»
>nul 2>&1 call :reg_own !key! «» S-1-5-114 «» Allow FullControl
>nul 2>&1 call :reg_own !key! «» S-1-5-32-544 «» Allow FullControl
>nul 2>&1 REG ADD !Key! /f /v DisableAntiSpyware /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v TamperProtection /t REG_DWORD /d 0

echo == Remove Windows Defender Folder
>nul 2>&1 call estryFolder «%ProgramFiles%\Windows Defender»
>nul 2>&1 call estryFolder «%ProgramFiles(x86)%\Windows Defender»
>nul 2>&1 call estryFolder «%ALLUSERSPROFILE%\Windows Defender»
>nul 2>&1 call estryFolder «%ProgramFiles%\Windows Defender Advanced Threat Protection»
>nul 2>&1 call estryFolder «%ProgramFiles(x86)%\Windows Defender Advanced Threat Protection»
>nul 2>&1 call estryFolder «%ALLUSERSPROFILE%\Microsoft\Windows Defender Advanced Threat Protection»

goto :eof

estryFolder
set targetFolder=%*
if exist %targetFolder% (
rd /s /q %targetFolder%
if exist %targetFolder% (
for /f «tokens=*» %%g in (‘dir /b/s /a-d %targetFolder%’) do move /y «%%g» «%temp%»
rd /s /q %targetFolder%
)
)
goto :eof

:export
rem AveYo’s :export text attachments snippet
setlocal enabledelayedexpansion || Prints all text between lines starting with :NAME:[ and :NAME:] — A pure batch snippet by AveYo
set [=&for /f «delims=:» %%s in (‘findstr/nbrc:»:%~1:\[» /c:»:%~1:\]» «%~f0″‘) do if defined [ (set/a ]=%%s-3) else set/a [=%%s-1
<«%~fs0» ((for /l %%i in (0 1 %[%) do set /p =)&for /l %%i in (%[% 1 %]%) do (set txt=&set /p txt=&echo(!txt!)) &endlocal &exit/b

:cson:[

#—————————————————————
# Windows.10.Defender_Uninstall.ps1
# IMPORTANT: Run as Administrator or for the better as TrustedInstaller
# Stuff/Windows.10.Defender_Uninstall.ps1 at main · St1ckys/Stuff
#—————————————————————

Set-ItemProperty -Path «REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*» -Name Visibility -Value «1»
Remove-Item -Path «REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*» -Include *Owner* -Recurse -Force | Out-Null
Get-ChildItem -Path «REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*» -Name | ForEach-Object {dism /online /remove-package /PackageName:$_ /NoRestart}

:cson:]

#:RunAsTI: #1 snippet to run as TI/System, with /high priority, /priv ownership, explorer and HKCU load
set ^ #=& set «0=%~f0″& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split’:RunAsTI\:.*’)[1])& exit/b
$_CAN_PASTE_DIRECTLY_IN_POWERSHELL=’^,^’; function RunAsTI ($cmd) { $id=’RunAsTI’; $sid=((whoami /user)-split’ ‘)[-1]; $code=@’
$ti=(whoami /groups)-like»*1-16-16384*»; $DM=[AppDomain]::CurrentDomain.»DefineDynamicAss`embly»(1,1).»DefineDynamicMod`ule»(1)
$D=@(); 0..5|% {$D+=$DM.»DefineT`ype»(«M$_»,1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype(«System.Int`Ptr»); $U=[uintptr]
$D+=$U; 4..6|% {$D+=$D[$_].»MakeB`yRefType»()};$M=$I.module.gettype(«System.Runtime.Interop`Services.Mar`shal»);$Z=[uintptr]::size
$S=[string]; $F=»kernel»,»advapi»,»advapi»,($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),($U,$S,$I,$I,$D[9]),($U,$S,$I,$I,[byte[]],$I)
0..2|% {$9=$D[0].»DefinePInvokeMeth`od»((«CreateProcess»,»RegOpenKeyEx»,»RegSetValueEx»)[$_],$F[$_]+’32’,8214,1,$S,$F[$_+3],1,4)}
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k].»DefineFie`ld»(‘f’+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_].»CreateT`ype»()}
0..5|% {nv «A$_» ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0].»GetMeth`od»($1).invoke(0,$2)};
if (!$ti) { $g=0; «TrustedInstaller»,»lsass»|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
function M($1,$2,$3){$M.»GetMeth`od»($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M «AllocHG`lobal» $I $_};
M «WriteInt`Ptr» ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
$A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M «StructureTo`Ptr» ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
$out=@($null,»powershell -win 1 -nop -c iex `$env:A»,0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F «CreateProcess» $out
} else { $env:A=»; $PRIV=[uri].module.gettype(«System.Diagnostics.Process»).»GetMeth`ods»(42) |? {$_.Name -eq «SetPrivilege»}
«SeSecurityPrivilege»,»SeTakeOwnershipPrivilege»,»SeBackupPrivilege»,»SeRestorePrivilege» |% {$PRIV.Invoke(0, @(«$_»,2))}
$HKU=[uintptr][uint32]2147483651; $LNK=$HKU; $reg=@($HKU,»S-1-5-18″,8,2,($LNK -as $D[9])); F «RegOpenKeyEx» $reg; $LNK=$reg[4]
function SYM($1,$2){$b=[Text.Encoding]::Unicode.GetBytes(«\Registry\User\$1″);@($2,»SymbolicLinkValue»,0,6,[byte[]]$b,$b.Length)}
F «RegSetValueEx» (SYM $(($key-split’\\’)[1]) $LNK); $EXP=»HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}»
$r=»explorer»; if (!$cmd) {$cmd=’C:\’}; $dir=test-path -lit ((($cmd -split ‘^(«[^»]+»)|^([^\s]+)’) -ne»)[0].trim(‘»‘)) -type 1
if (!$dir) {$r=»start `»$id`» /high /w»}; sp $EXP RunAs » -force; start cmd -args («/q/x/d/r title $id && $r»,$cmd) -wait -win 1
do {sleep 7} while ((gwmi win32_process -filter ‘name=»explorer.exe»‘|? {$_.getownersid().sid -eq «S-1-5-18»}))
F «RegSetValueEx» (SYM «.Default» $LNK); sp $EXP RunAs «Interactive User» -force } # lean and mean snippet by AveYo, 2018-2021
‘@; $key=»Registry::HKEY_USERS\$sid\Volatile Environment»; $a1=»`$id=’$id’;`$key=’$key’;»;$a2=»`$cmd=’$($cmd-replace»‘»,»»»)’;`n»
sp $key $id $($a1,$a2,$code) -type 7 -force; $arg=»$a1 `$env:A=(gi `$key).getvalue(`$id)-join»;rp `$key `$id -force; iex `$env:A»
$_PRESS_ENTER=’^,^’; start powershell -args «-win 1 -nop -c $arg» -verb runas }; <#,#> RunAsTI $env:1; #:RunAsTI:

:reg_own #key [optional] all user owner access permission : call :reg_own «HKCU\My» «» S-1-5-32-544 «» Allow FullControl
powershell -nop -c $A=’%~1′,’%~2′,’%~3′,’%~4′,’%~5′,’%~6′;iex(([io.file]::ReadAllText(‘%~f0′)-split’:Own1\:.*’)[1])&exit/b:Own1:
$D1=[uri].module.gettype(‘System.Diagnostics.Process’).»GetM`ethods»(42) |where {$_.Name -eq ‘SetPrivilege’} #`:no-ev-warn
‘SeSecurityPrivilege’,’SeTakeOwnershipPrivilege’,’SeBackupPrivilege’,’SeRestorePrivilege’|foreach {$D1.Invoke($null, @(«$_»,2))}
$path=$A[0]; $rk=$path-split’\\’,2; $HK=gi -lit Registry::$($rk[0]) -fo; $s=$A[1]; $sps=[Security.Principal.SecurityIdentifier]
$u=($A[2],’S-1-5-32-544′)[!$A[2]];$o=($A[3],$u)[!$A[3]];$w=$u,$o |% {new-object $sps($_)}; $old=!$A[3];$own=!$old; $y=$s-eq’all’
$rar=new-object Security.AccessControl.RegistryAccessRule( $w[0], ($A[5],’FullControl’)[!$A[5]], 1, 0, ($A[4],’Allow’)[!$A[4]] )
$x=$s-eq’none’;function Own1($k){$t=$HK.OpenSubKey($k,2,’TakeOwnership’);if($t){0,4|%{try{$o=$t.GetAccessControl($_)}catch{$old=0}
};if($old){$own=1;$w[1]=$o.GetOwner($sps)};$o.SetOwner($w[0]);$t.SetAccessControl($o); $c=$HK.OpenSubKey($k,2,’ChangePermissions’)
$p=$c.GetAccessControl(2);if($y){$p.SetAccessRuleProtection(1,1)};$p.ResetAccessRule($rar);if($x){$p.RemoveAccessRuleAll($rar)}
$c.SetAccessControl($p);if($own){$o.SetOwner($w[1]);$t.SetAccessControl($o)};if($s){$subkeys=$HK.OpenSubKey($k).GetSubKeyNames()
foreach($n in $subkeys){Own1 «$k\$n»}}}};Own1 $rk[1];if($env:VO){get-acl Registry::$path|fl} #:Own1: lean & mean snippet by AveYo
::-_-::

Disable Temper Protection in defender and use this save as remove defnder.cmd

@cls
@echo off
>nul chcp 437
setlocal enabledelayedexpansion
title Group Policy Addins

>nul 2>&1 where powershell || (
echo.
echo Missing Critical files [powershell.exe]
echo.
pause
exit /b
)

rem == Destroy Defender Called from End OF Script
whoami|>nul findstr /i /c:»nt authority\system» && (
echo.
call :RunAtSystemLevel
timeout 6
exit
)

rem Credit ..
rem Bau For Run As TI Script
rem freddie-o, geepnozeex, St1ckys For Defender Script

cd /d «%~dp0»

:::: Run as administrator, AveYo: ps\vbs version
1>nul 2>nul fltmc || (
set «_=call «%~f0″ %*» & powershell -nop -c start cmd -args’/d/x/r’,$env:_ -verb runas || (
>»%temp%\Elevate.vbs» echo CreateObject^(«Shell.Application»^).ShellExecute «%~dpf0», «%*» , «», «runas», 1
>nul «%temp%\Elevate.vbs» & del /q «%temp%\Elevate.vbs» )
exit)

echo.
set Policies=HKEY_LOCAL_MACHINE\SOFTWARE\Policies

set Key=»HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore»
>nul 2>&1 REG ADD !Key! /f /v DisableSR /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v DisableConfig /t REG_DWORD /d 1

set Key=»%Policies%\Microsoft\Windows NT\SystemRestore»
>nul 2>&1 REG ADD !Key! /f /v DisableSR /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v DisableConfig /t REG_DWORD /d 1

echo == Disable Malicious Software Reporting Tool
set Key=»%Policies%\Microsoft\MRT»
>nul 2>&1 REG ADD !Key! /f /v DontReportInfectionInformation /t REG_DWORD /d «1»
>nul 2>&1 REG ADD !Key! /f /v DontOfferThroughWUAU /t REG_DWORD /d «1»

echo == Disable Windows Defender Security Center Notifications
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender Security Center\Notifications» /f /v DisableNotifications /t REG_DWORD /d «1»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender Security Center\Notifications» /f /v DisableEnhancedNotifications /t REG_DWORD /d «1»

echo == Hide Windows Security Systray
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender Security Center\Systray» /f /v HideSystray /t REG_DWORD /d «1»

echo == Turn off Windows Defender
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender» /f /v DisableAntiSpyware /t REG_DWORD /d «1»

echo == Disable smartscreen
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows\System» /f /v EnableSmartScreen /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender\SmartScreen» /f /v ConfigureAppInstallControlEnabled /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows Defender\SmartScreen» /f /v ConfigureAppInstallControl /t REG_SZ /d «Anywhere»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Internet Explorer\PhishingFilter» /f /v Enabled /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Internet Explorer\PhishingFilter» /f /v EnabledV8 /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Internet Explorer\PhishingFilter» /f /v EnabledV9 /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «%Policies%\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3» /f /v 2301 /t REG_DWORD /d «3»
>nul 2>&1 REG ADD «HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen» /f /v value /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer» /f /v SmartScreenEnabled /t REG_SZ /d «Off»

echo == Disable smartscreen for store and apps
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost» /f /v EnableWebContentEvaluation /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost» /f /v PreventOverride /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State» /f /v AppAndBrowser_StoreAppsSmartScreenOff /t REG_DWORD /d «0»

echo == Disable smartscreen for microsoft edge
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge» /f /v SmartScreenEnabled /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge» /f /v SmartScreenPuaEnabled /t REG_DWORD /d «0»
>nul 2>&1 REG ADD «HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health\State» /f /v AppAndBrowser_EdgeSmartScreenOff /t REG_DWORD /d «0»

call :RunAsTI «%~dpf0»

timeout 10
exit

:RunAtSystemLevel
:RunAtSystemLevel
:RunAtSystemLevel

echo == Delete Windows Defender Services
for %%A IN (WinDefend, WdBoot, WdFilter, Sense, WdNisDrv, WdNisSvc) do (
>nul 2>&1 sc config %%A start=disabled
>nul 2>&1 sc stop %%A
>nul 2>&1 reg delete «HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%%A» /f
)

echo == Close Windows Defender Application
for %%A IN (SecurityHealthService.exe, SecurityHealthSystray.exe, smartscreen.exe, MpCmdRun.exe) do >nul 2>&1 taskkill /im %%A

echo == Delete Windows Defender scheduled tasks
>nul 2>&1 reg delete «HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Defender» /f

echo == Disable Malicious Software Reporting Tool
>nul 2>&1 reg delete «HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe» /f

echo == Remove Defender Components
call :export cson > «%temp%\Windows.10.Defender_Uninstall.ps1»
>nul 2>&1 powershell -noprofile -executionpolicy bypass -file «%temp%\Windows.10.Defender_Uninstall.ps1»

echo == Remove Temper Protection
set Key=»HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features»
>nul 2>&1 call :reg_own !key! «» S-1-5-114 «» Allow FullControl
>nul 2>&1 call :reg_own !key! «» S-1-5-32-544 «» Allow FullControl
>nul 2>&1 REG ADD !Key! /f /v DisableAntiSpyware /t REG_DWORD /d 1
>nul 2>&1 REG ADD !Key! /f /v TamperProtection /t REG_DWORD /d 0

echo == Remove Windows Defender Folder
>nul 2>&1 call estryFolder «%ProgramFiles%\Windows Defender»
>nul 2>&1 call estryFolder «%ProgramFiles(x86)%\Windows Defender»
>nul 2>&1 call estryFolder «%ALLUSERSPROFILE%\Windows Defender»
>nul 2>&1 call estryFolder «%ProgramFiles%\Windows Defender Advanced Threat Protection»
>nul 2>&1 call estryFolder «%ProgramFiles(x86)%\Windows Defender Advanced Threat Protection»
>nul 2>&1 call estryFolder «%ALLUSERSPROFILE%\Microsoft\Windows Defender Advanced Threat Protection»

goto :eof

estryFolder
set targetFolder=%*
if exist %targetFolder% (
rd /s /q %targetFolder%
if exist %targetFolder% (
for /f «tokens=*» %%g in (‘dir /b/s /a-d %targetFolder%’) do move /y «%%g» «%temp%»
rd /s /q %targetFolder%
)
)
goto :eof

:export
rem AveYo’s :export text attachments snippet
setlocal enabledelayedexpansion || Prints all text between lines starting with :NAME:[ and :NAME:] — A pure batch snippet by AveYo
set [=&for /f «delims=:» %%s in (‘findstr/nbrc:»:%~1:\[» /c:»:%~1:\]» «%~f0″‘) do if defined [ (set/a ]=%%s-3) else set/a [=%%s-1
<«%~fs0» ((for /l %%i in (0 1 %[%) do set /p =)&for /l %%i in (%[% 1 %]%) do (set txt=&set /p txt=&echo(!txt!)) &endlocal &exit/b

:cson:[

#—————————————————————
# Windows.10.Defender_Uninstall.ps1
# IMPORTANT: Run as Administrator or for the better as TrustedInstaller
# Stuff/Windows.10.Defender_Uninstall.ps1 at main · St1ckys/Stuff
#—————————————————————

Set-ItemProperty -Path «REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*» -Name Visibility -Value «1»
Remove-Item -Path «REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*» -Include *Owner* -Recurse -Force | Out-Null
Get-ChildItem -Path «REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*» -Name | ForEach-Object {dism /online /remove-package /PackageName:$_ /NoRestart}

:cson:]

#:RunAsTI: #1 snippet to run as TI/System, with /high priority, /priv ownership, explorer and HKCU load
set ^ #=& set «0=%~f0″& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split’:RunAsTI\:.*’)[1])& exit/b
$_CAN_PASTE_DIRECTLY_IN_POWERSHELL=’^,^’; function RunAsTI ($cmd) { $id=’RunAsTI’; $sid=((whoami /user)-split’ ‘)[-1]; $code=@’
$ti=(whoami /groups)-like»*1-16-16384*»; $DM=[AppDomain]::CurrentDomain.»DefineDynamicAss`embly»(1,1).»DefineDynamicMod`ule»(1)
$D=@(); 0..5|% {$D+=$DM.»DefineT`ype»(«M$_»,1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype(«System.Int`Ptr»); $U=[uintptr]
$D+=$U; 4..6|% {$D+=$D[$_].»MakeB`yRefType»()};$M=$I.module.gettype(«System.Runtime.Interop`Services.Mar`shal»);$Z=[uintptr]::size
$S=[string]; $F=»kernel»,»advapi»,»advapi»,($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),($U,$S,$I,$I,$D[9]),($U,$S,$I,$I,[byte[]],$I)
0..2|% {$9=$D[0].»DefinePInvokeMeth`od»((«CreateProcess»,»RegOpenKeyEx»,»RegSetValueEx»)[$_],$F[$_]+’32’,8214,1,$S,$F[$_+3],1,4)}
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k].»DefineFie`ld»(‘f’+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_].»CreateT`ype»()}
0..5|% {nv «A$_» ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0].»GetMeth`od»($1).invoke(0,$2)};
if (!$ti) { $g=0; «TrustedInstaller»,»lsass»|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
function M($1,$2,$3){$M.»GetMeth`od»($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M «AllocHG`lobal» $I $_};
M «WriteInt`Ptr» ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
$A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M «StructureTo`Ptr» ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
$out=@($null,»powershell -win 1 -nop -c iex `$env:A»,0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F «CreateProcess» $out
} else { $env:A=»; $PRIV=[uri].module.gettype(«System.Diagnostics.Process»).»GetMeth`ods»(42) |? {$_.Name -eq «SetPrivilege»}
«SeSecurityPrivilege»,»SeTakeOwnershipPrivilege»,»SeBackupPrivilege»,»SeRestorePrivilege» |% {$PRIV.Invoke(0, @(«$_»,2))}
$HKU=[uintptr][uint32]2147483651; $LNK=$HKU; $reg=@($HKU,»S-1-5-18″,8,2,($LNK -as $D[9])); F «RegOpenKeyEx» $reg; $LNK=$reg[4]
function SYM($1,$2){$b=[Text.Encoding]::Unicode.GetBytes(«\Registry\User\$1″);@($2,»SymbolicLinkValue»,0,6,[byte[]]$b,$b.Length)}
F «RegSetValueEx» (SYM $(($key-split’\\’)[1]) $LNK); $EXP=»HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}»
$r=»explorer»; if (!$cmd) {$cmd=’C:\’}; $dir=test-path -lit ((($cmd -split ‘^(«[^»]+»)|^([^\s]+)’) -ne»)[0].trim(‘»‘)) -type 1
if (!$dir) {$r=»start `»$id`» /high /w»}; sp $EXP RunAs » -force; start cmd -args («/q/x/d/r title $id && $r»,$cmd) -wait -win 1
do {sleep 7} while ((gwmi win32_process -filter ‘name=»explorer.exe»‘|? {$_.getownersid().sid -eq «S-1-5-18»}))
F «RegSetValueEx» (SYM «.Default» $LNK); sp $EXP RunAs «Interactive User» -force } # lean and mean snippet by AveYo, 2018-2021
‘@; $key=»Registry::HKEY_USERS\$sid\Volatile Environment»; $a1=»`$id=’$id’;`$key=’$key’;»;$a2=»`$cmd=’$($cmd-replace»‘»,»»»)’;`n»
sp $key $id $($a1,$a2,$code) -type 7 -force; $arg=»$a1 `$env:A=(gi `$key).getvalue(`$id)-join»;rp `$key `$id -force; iex `$env:A»
$_PRESS_ENTER=’^,^’; start powershell -args «-win 1 -nop -c $arg» -verb runas }; <#,#> RunAsTI $env:1; #:RunAsTI:

:reg_own #key [optional] all user owner access permission : call :reg_own «HKCU\My» «» S-1-5-32-544 «» Allow FullControl
powershell -nop -c $A=’%~1′,’%~2′,’%~3′,’%~4′,’%~5′,’%~6′;iex(([io.file]::ReadAllText(‘%~f0′)-split’:Own1\:.*’)[1])&exit/b:Own1:
$D1=[uri].module.gettype(‘System.Diagnostics.Process’).»GetM`ethods»(42) |where {$_.Name -eq ‘SetPrivilege’} #`:no-ev-warn
‘SeSecurityPrivilege’,’SeTakeOwnershipPrivilege’,’SeBackupPrivilege’,’SeRestorePrivilege’|foreach {$D1.Invoke($null, @(«$_»,2))}
$path=$A[0]; $rk=$path-split’\\’,2; $HK=gi -lit Registry::$($rk[0]) -fo; $s=$A[1]; $sps=[Security.Principal.SecurityIdentifier]
$u=($A[2],’S-1-5-32-544′)[!$A[2]];$o=($A[3],$u)[!$A[3]];$w=$u,$o |% {new-object $sps($_)}; $old=!$A[3];$own=!$old; $y=$s-eq’all’
$rar=new-object Security.AccessControl.RegistryAccessRule( $w[0], ($A[5],’FullControl’)[!$A[5]], 1, 0, ($A[4],’Allow’)[!$A[4]] )
$x=$s-eq’none’;function Own1($k){$t=$HK.OpenSubKey($k,2,’TakeOwnership’);if($t){0,4|%{try{$o=$t.GetAccessControl($_)}catch{$old=0}
};if($old){$own=1;$w[1]=$o.GetOwner($sps)};$o.SetOwner($w[0]);$t.SetAccessControl($o); $c=$HK.OpenSubKey($k,2,’ChangePermissions’)
$p=$c.GetAccessControl(2);if($y){$p.SetAccessRuleProtection(1,1)};$p.ResetAccessRule($rar);if($x){$p.RemoveAccessRuleAll($rar)}
$c.SetAccessControl($p);if($own){$o.SetOwner($w[1]);$t.SetAccessControl($o)};if($s){$subkeys=$HK.OpenSubKey($k).GetSubKeyNames()
foreach($n in $subkeys){Own1 «$k\$n»}}}};Own1 $rk[1];if($env:VO){get-acl Registry::$path|fl} #:Own1: lean & mean snippet by AveYo
::-_-::

There’s some mis-understanding here — I DON’T WANT WD to be gone, I just want it to WORK — don’t people understand SIMPLE PLAIN ENGLISH here any more.

This is the problem : WD won’t open and says it needs another app !!! Surely people can understand what I posted. !!! It’s not in 12th century Faroese or pre historic Sanscrit —surely.

Please @Master —tell me EXACTLY how I can turn off WD tamper protection if I can’t get into WD in the first place !!!!!.

You might have all the skills on the planet in coding / obscure reg hacks or whatever —but please look at what the original problem actually consists of before providing answers.

Not wanting to be nasty — there’s enough of that around at the moment anyway — but I suggest a lot of failing problems that beset the world in general currently is that people are trying to give answers out before they’ve even understood the problem. Help is always appreciated but it needs to address the actual problem.

Cheers
jimbo

Disable Windows Defender Completely.​