Forked from pe3zx/disable_windows_defender.bat
Disable Windows Defender on Windows 10 1903
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!! | |
rem Turns Defender off through the policy registry key, the scheduled tasks
rem and the service Start values. Every reg/schtasks line targets HKLM or a
rem system task folder, so this only has an effect from an elevated prompt.
rem NOTE(review): Microsoft documents that Tamper Protection, when enabled,
rem rejects Defender setting changes made through the registry or
rem Set-MpPreference -- confirm for the build in use. A reverse script
rem (Enable WD.bat) is further down this page.
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference | |
rem To also disable Windows Defender Security Center include this | |
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | |
rem 1 - Disable Real-time protection | |
rem The policy key is deleted first so the values below are written on a clean key.
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f | |
rem 0 - Disable Logging | |
rem Start=0 keeps the two Defender ETW autologger sessions from starting at
rem boot; a restore needs Start=1 on both of them.
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | |
rem Disable WD Tasks | |
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | |
rem Disable WD systray icon | |
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f | |
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f | |
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f | |
rem Remove WD context menu | |
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f | |
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f | |
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f | |
rem Disable WD services | |
rem Start=4 is SERVICE_DISABLED; it only applies at the next service start,
rem which is why the last line says to run the script a second time.
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f | |
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f | |
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f | |
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | |
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | |
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | |
rem Run "Disable WD.bat" again to disable WD services |
# From https://isc.sans.edu/diary/Bypassing+UAC+to+Install+a+Cryptominer/25644 | |
# Set-MpPreference sequence as seen in the cryptominer case above: each call
# flips one Defender preference off. -ErrorAction Ignore discards a failure
# without adding it to $Error, so nothing in this script shows which
# preferences actually changed (e.g. when Tamper Protection rejects a change).
# A reverse script with the same switches set back is further down this page.
Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Ignore; | |
Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction Ignore; | |
Set-MpPreference -DisableBlockAtFirstSeen $true -ErrorAction Ignore; | |
Set-MpPreference -DisableIOAVProtection $true -ErrorAction Ignore; | |
Set-MpPreference -DisablePrivacyMode $true -ErrorAction Ignore; | |
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -ErrorAction Ignore; | |
Set-MpPreference -DisableArchiveScanning $true -ErrorAction Ignore; | |
Set-MpPreference -DisableIntrusionPreventionSystem $true -ErrorAction Ignore; | |
Set-MpPreference -DisableScriptScanning $true -ErrorAction Ignore; | |
# SubmitSamplesConsent 2 = never send samples; MAPSReporting 0 = cloud
# protection (MAPS) off.
Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction Ignore; | |
Set-MpPreference -MAPSReporting 0 -ErrorAction Ignore; | |
# ThreatDefaultAction 6 = Allow: detections of every severity level are let
# through instead of being quarantined or removed. Only the High call
# carries -Force in the original.
Set-MpPreference -HighThreatDefaultAction 6 -Force -ErrorAction Ignore; | |
Set-MpPreference -ModerateThreatDefaultAction 6 -ErrorAction Ignore; | |
Set-MpPreference -LowThreatDefaultAction 6 -ErrorAction Ignore; | |
Set-MpPreference -SevereThreatDefaultAction 6 -ErrorAction Ignore; |
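rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem Reverse script to re-enable Windows Defender features and services
rem Undoes "Disable WD.bat" from this gist: drops the Defender policy key,
rem re-enables the scheduled tasks, restores the two Defender ETW autologgers
rem and resets the service Start values. Needs an elevated prompt (HKLM and
rem the Microsoft\Windows task folder are not writable otherwise).
rem To also re-enable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "2" /f
rem 1 - Enable Real-time protection
rem Deleting the whole policy key removes every value the disable script wrote
rem (DisableAntiSpyware, Real-Time Protection\*, SpyNet\*, MpEngine\*, Reporting\*)
rem so the built-in defaults apply again. Any Defender policy delivered by GPO
rem goes with it and only returns at the next policy refresh.
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
rem The following reg add commands are not needed as deleting the above key resets settings to default
rem Re-enable WD Tasks
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Enable
rem Re-enable Defender ETW logging
rem The disable script sets both autologger sessions to Start=0 and the original
rem reverse script had no counterpart, so Defender API/audit events stayed
rem unlogged after a "restore". Start=1 makes the sessions start at boot again.
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f
rem Enable WD systray icon
rem Note: These entries may not exist by default and do not necessarily need to be re-added
rem Re-add WD context menu
rem Note: These entries may not exist by default and do not necessarily need to be re-added
rem Enable WD services
rem Start: 0 = boot start (drivers), 2 = automatic, 4 = disabled (what the
rem disable script sets). NOTE(review): confirm these values match the shipped
rem defaults on the build in use (sc qc for each service) before treating this
rem as a full restore. A new Start value only applies at the next service
rem start, so reboot afterwards to bring Defender back up.
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "2" /f
rem The SecurityHealthService should be set to start automatically (2)
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "2" /f
rem Run "Enable WD.bat" to re-enable WD services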
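# Reverse of the Set-MpPreference script above: sets the same Disable* switches
# back to $false. Run from an elevated PowerShell. -ErrorAction Ignore hides
# every failure, so compare Get-MpPreference output afterwards to confirm each
# setting actually changed.
Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction Ignore;
Set-MpPreference -DisableBehaviorMonitoring $false -ErrorAction Ignore;
Set-MpPreference -DisableBlockAtFirstSeen $false -ErrorAction Ignore;
# Was "Se-MpPreference" (typo): that command does not exist, so this script
# never re-enabled IOAV protection.
Set-MpPreference -DisableIOAVProtection $false -ErrorAction Ignore;
Set-MpPreference -DisablePrivacyMode $false -ErrorAction Ignore;
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $false -ErrorAction Ignore;
Set-MpPreference -DisableArchiveScanning $false -ErrorAction Ignore;
Set-MpPreference -DisableIntrusionPreventionSystem $false -ErrorAction Ignore;
Set-MpPreference -DisableScriptScanning $false -ErrorAction Ignore;
# NOTE(review): SubmitSamplesConsent 2 (never send) is the same value the
# disable script sets, so sample submission is not restored here; the
# Windows 10 default is 1 (send safe samples) -- confirm before relying on
# this as a full restore.
Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction Ignore;
# NOTE(review): MAPSReporting 1 is Basic; check whether the build in use ships
# with Advanced (2) before treating this as the default.
Set-MpPreference -MAPSReporting 1 -ErrorAction Ignore;
# NOTE(review): confirm that 0 restores the default threat action on the build
# in use; the documented named ThreatAction values start at 1 (Clean).
Set-MpPreference -HighThreatDefaultAction 0 -Force -ErrorAction Ignore;
Set-MpPreference -ModerateThreatDefaultAction 0 -ErrorAction Ignore;
Set-MpPreference -LowThreatDefaultAction 0 -ErrorAction Ignore;
Set-MpPreference -SevereThreatDefaultAction 0 -ErrorAction Ignore;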