Disable Windows Defender scripts
@echo off | |
rem Review notes (defender's view), from reading this file:
rem  - Three mechanisms are used, all of which need administrative rights
rem    because they write under HKLM: Group Policy values under
rem    HKLM\Software\Policies\Microsoft\Windows Defender, ETW autologger and
rem    scheduled-task disablement, and service/driver start-type changes.
rem  - Every "reg add", "reg delete" and "schtasks /Change" below is a
rem    discrete, observable registry or task modification.
rem  - "@echo on" is set before the changes, so each command is echoed to
rem    the console as it runs.
rem NOTE(review): where Tamper Protection is enabled some of these settings
rem may be ignored or reverted; that cannot be determined from this file.
rem A modified version of the disable defender script from: https://pastebin.com/kYCVzZPz | |
@echo on | |
rem ========================================== | |
rem This section will Disable Windows Defender | |
rem You can ignore error messages | |
rem 1 - Disable Real-time protection | |
rem The delete below removes the WHOLE policy key first, so any existing
rem Defender policy (including hardening settings an admin configured) is
rem discarded before the values that follow are written.
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | |
rem SpyNet = cloud-delivered protection and sample submission settings.
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f | |
rem 0 - Disable Logging | |
rem Start=0 on the two ETW autologgers stops Defender's API/audit trace
rem sessions from starting at boot; this removes a source of local
rem telemetry and is itself a change worth alerting on.
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | |
rem Disable WD Tasks | |
rem The tasks are only disabled, not deleted, so they remain visible in
rem Task Scheduler in a "Disabled" state.
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | |
rem Disable WD systray icon | |
rem Cosmetic only: removes the Security Health autorun entries so the user
rem is not shown the tray icon / health warnings.
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f | |
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f | |
rem Remove WD context menu | |
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f | |
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f | |
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f | |
rem Disable WD services | |
rem Start=4 is SERVICE_DISABLED. The service control manager reads this
rem value at boot, so these changes only take effect after a restart.
rem WdBoot/WdFilter/WdNisDrv are kernel drivers, WdNisSvc/WinDefend are
rem user-mode services.
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f | |
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f | |
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f | |
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | |
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | |
rem Force success exit code | |
rem NOTE(review): the unconditional 0 hides every failure above; a caller
rem cannot tell which of the changes actually applied.
exit /b 0 | |
rem ========================================== |
# Disable Windows Defender | |
<# | |
_ _ | |
__ ____ _ _ __ _ __ (_)_ __ __ _ | | | |
\ \ /\ / / _` | '__| '_ \| | '_ \ / _` | | | | |
\ V V / (_| | | | | | | | | | | (_| | |_| | |
\_/\_/ \__,_|_| |_| |_|_|_| |_|\__, | (_) | |
|___/ | |
This script is NOT a disable/enable solution, I'm a malware analyst, I use it for malware analysis. | |
It can completely DELETE Defender, and it is NOT REVERSIBLE (that's what I need). | |
Once you have run it, you will no longer have any sort of antivirus protection, and WILL NOT BE ABLE to reactivate it. | |
Think twice before running it, or read the blog post to understand and modify it to suit **your** needs. | |
THIS IS NOT A JOKE. | |
YOU HAVE BEEN WARNED. | |
#> | |
<# | |
Options : | |
-Delete : delete the defender related files (services, drivers, executables, ....) | |
Source : https://bidouillesecurity.com/disable-windows-defender-in-powershell | |
#> | |
# Review notes (defender's view), from reading the script below:
#  - It re-launches itself to climb privileges: first with
#    Start-Process -Verb Runas (Administrator), then with "PsExec -s"
#    (SYSTEM) when PsExec is on PATH. Each hop exits the current instance
#    and re-passes $MyInvocation.UnboundArguments, so "-delete" survives
#    both elevation and the post-reboot rerun.
#  - STEP 1 adds drive-wide exclusions and turns engines off via
#    Set-MpPreference; STEP 2 sets service/driver Start=4 in the registry;
#    STEP 3 persists the script through an all-users Startup shortcut until
#    no reboot is pending; STEP 4 writes the product/policy registry keys
#    (SYSTEM only) and, with "-delete", removes files and service keys.
#  - Almost every cmdlet runs with -ErrorAction SilentlyContinue, so the
#    script gives no feedback about which changes were actually accepted.
Write-Host "[+] Disable Windows Defender (as $(whoami))" | |
## STEP 0 : elevate if needed | |
# set HKCU\Software\Sysinternals\PsExec\EulaAccepted to 1 (bypass EULA) | |
# NOTE(review): written unconditionally, even when PsExec is never found;
# the error on a missing key is silenced.
Set-ItemProperty -Path "HKCU:\Software\Sysinternals\PsExec" -Name "EulaAccepted" -Value 1 -Force -ErrorAction SilentlyContinue | |
# $IsSystem decides STEP 4 below: only a SYSTEM process edits
# HKLM:\SOFTWARE\Microsoft\Windows Defender.
if(-Not $($(whoami) -eq "nt authority\system")) { | |
$IsSystem = $false | |
# Elevate to admin (needed when called after reboot) | |
if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { | |
Write-Host " [i] Elevate to Administrator" | |
# Re-run this same script file elevated, forwarding the original arguments.
$CommandLine = "-ExecutionPolicy Bypass `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments | |
Start-Process -FilePath PowerShell.exe -Verb Runas -ArgumentList $CommandLine | |
Exit | |
} | |
# Elevate to SYSTEM if psexec is available | |
# Get-Command yields nothing when PsExec is not on PATH; with -ErrorAction
# 'ignore' no error record is produced and .Source evaluates to $null
# (absent StrictMode).
$psexec_path = $(Get-Command PsExec -ErrorAction 'ignore').Source | |
if($psexec_path) { | |
Write-Host " [i] Elevate to SYSTEM" | |
# "-s" runs the child as SYSTEM, "-i" on the interactive desktop; the
# PsExec window itself is hidden.
$CommandLine = " /accepteula -i -s powershell.exe -ExecutionPolicy Bypass `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments | |
Start-Process -WindowStyle Hidden -FilePath $psexec_path -ArgumentList $CommandLine | |
exit | |
} else { | |
Write-Host " [i] PsExec not found, will continue as Administrator" | |
} | |
} else { | |
$IsSystem = $true | |
} | |
## STEP 1 : Disable everything we can with immediate effect | |
Write-Host " [+] Add exclusions" | |
# Add the whole system in Defender exclusions | |
# 67..90 are the ASCII codes for 'C'..'Z': every possible drive root, and
# every process path under it, is added as an exclusion.
67..90|foreach-object{ | |
$drive = [char]$_ | |
Add-MpPreference -ExclusionPath "$($drive):\" -ErrorAction SilentlyContinue | |
Add-MpPreference -ExclusionProcess "$($drive):\*" -ErrorAction SilentlyContinue | |
} | |
Write-Host " [+] Disable scanning engines (Set-MpPreference)" | |
# These switches take booleans; 1 is coerced to $true. Any refusal by the
# platform is silenced, so nothing here reports whether it took effect.
Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue | |
Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue | |
Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue | |
Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue | |
Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue | |
Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue | |
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue | |
Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue | |
Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue | |
Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue | |
Write-Host " [+] Set default actions to Allow (Set-MpPreference)" | |
# Default remediation action per threat severity becomes Allow.
Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue | |
Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue | |
Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue | |
## STEP 2 : Disable services, we cannot stop them, but we can disable them (they won't start next reboot) | |
Write-Host " [+] Disable services" | |
# $need_reboot becomes $true whenever a Start value is changed below or
# WinDefend is still running; it selects STEP 3 (schedule a rerun) versus
# STEP 4 (finalise) at the end of the script.
$need_reboot = $false | |
# WdNisSvc Network Inspection Service | |
# WinDefend Antivirus Service | |
# Sense : Advanced Protection Service | |
$svc_list = @("WdNisSvc", "WinDefend", "Sense") | |
foreach($svc in $svc_list) { | |
if($(Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc")) { | |
# Start=4 is SERVICE_DISABLED; the service control manager re-reads it
# at boot, hence "next reboot".
if( $(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc").Start -eq 4) { | |
Write-Host " [i] Service $svc already disabled" | |
} else { | |
Write-Host " [i] Disable service $svc (next reboot)" | |
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -Value 4 | |
$need_reboot = $true | |
} | |
} else { | |
Write-Host " [i] Service $svc already deleted" | |
} | |
} | |
Write-Host " [+] Disable drivers" | |
# WdnisDrv : Network Inspection System Driver | |
# wdfilter : Mini-Filter Driver | |
# wdboot : Boot Driver | |
# Same Start=4 logic as for the services above.
$drv_list = @("WdnisDrv", "wdfilter", "wdboot") | |
foreach($drv in $drv_list) { | |
if($(Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv")) { | |
if( $(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv").Start -eq 4) { | |
Write-Host " [i] Driver $drv already disabled" | |
} else { | |
Write-Host " [i] Disable driver $drv (next reboot)" | |
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv" -Name Start -Value 4 | |
$need_reboot = $true | |
} | |
} else { | |
Write-Host " [i] Driver $drv already deleted" | |
} | |
} | |
# Check if service running or not | |
# NOTE(review): if WinDefend no longer exists (e.g. after a prior -delete
# run) Get-Service emits a non-terminating error and .Status is $null, so
# the "not running" branch is taken; presumably intended — confirm.
if($(GET-Service -Name WinDefend).Status -eq "Running") { | |
Write-Host " [+] WinDefend Service still running (reboot required)" | |
$need_reboot = $true | |
} else { | |
Write-Host " [+] WinDefend Service not running" | |
} | |
## STEP 3 : Reboot if needed, add a link to the script to Startup (will be runned again after reboot) | |
# All-users Startup folder under ProgramData: the shortcut runs for the
# next user to log on, with this invocation's arguments. It is removed
# before the check so each boot reruns the script at most once. Writes to
# this folder are a common persistence indicator worth monitoring.
$link_reboot = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\disable-defender.lnk" | |
Remove-Item -Force "$link_reboot" -ErrorAction 'ignore' # Remove the link (only execute once after reboot) | |
if($need_reboot) { | |
Write-Host " [+] This script will be started again after reboot." -BackgroundColor DarkRed -ForegroundColor White | |
# Absolute path to powershell.exe, quoted for the shortcut target.
$powershell_path = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"' | |
$cmdargs = "-ExecutionPolicy Bypass `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments | |
# $res only absorbs New-Item's output; the directory normally exists.
$res = New-Item $(Split-Path -Path $link_reboot -Parent) -ItemType Directory -Force | |
$WshShell = New-Object -comObject WScript.Shell | |
$shortcut = $WshShell.CreateShortcut($link_reboot) | |
$shortcut.TargetPath = $powershell_path | |
$shortcut.Arguments = $cmdargs | |
# NOTE(review): this is the PARENT of the script's folder, not the
# script folder itself — confirm that is intended.
$shortcut.WorkingDirectory = "$(Split-Path -Path $PSScriptRoot -Parent)" | |
$shortcut.Save() | |
} else { | |
## STEP 4 : After reboot (we checked that everything was successfully disabled), make sure it doesn't come up again ! | |
if($IsSystem) { | |
# Configure the Defender registry to disable it (and the TamperProtection) | |
# editing HKLM:\SOFTWARE\Microsoft\Windows Defender\ requires to be SYSTEM | |
# Unlike STEP 1, these writes are NOT error-silenced, so a failure here
# surfaces as an error record.
Write-Host " [+] Disable all functionnalities with registry keys (SYSTEM privilege)" | |
# Cloud-delivered protection: | |
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0 | |
# Automatic Sample submission | |
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0 | |
# Tamper protection | |
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4 | |
# Disable in registry | |
# DisableAntiSpyware=1 is written to both the product key and the
# Group Policy key.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 | |
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 | |
} else { | |
Write-Host " [W] (Optional) Cannot configure registry (not SYSTEM)" | |
} | |
# Case-insensitive "-delete" check. NOTE(review): UnboundArguments is a
# collection; .tolower() relies on member enumeration — confirm on the
# PowerShell version in use.
if($MyInvocation.UnboundArguments -And $($MyInvocation.UnboundArguments.tolower().Contains("-delete"))) { | |
# Delete Defender files | |
# Recursively removes one file-system or registry path ($args[0]) if it
# exists, otherwise reports it as already gone. Remove-Item errors are not
# caught, so a failed deletion shows up as a normal error record — that is
# the "Show-Error" in the name.
function Delete-Show-Error { | |
$path_exists = Test-Path $args[0] | |
if($path_exists) { | |
Remove-Item -Recurse -Force -Path $args[0] | |
} else { | |
Write-Host " [i] $($args[0]) already deleted" | |
} | |
} | |
Write-Host "" | |
Write-Host "[+] Delete Windows Defender (files, services, drivers)" | |
# Delete files | |
Delete-Show-Error "C:\ProgramData\Windows\Windows Defender\" | |
Delete-Show-Error "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\" | |
# Delete drivers | |
Delete-Show-Error "C:\Windows\System32\drivers\wd\" | |
# Delete service registry entries | |
# Reuses the same $svc_list / $drv_list as STEP 2; removing the service
# keys is what makes this irreversible, as the banner at the top states.
foreach($svc in $svc_list) { | |
Delete-Show-Error "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" | |
} | |
# Delete drivers registry entries | |
foreach($drv in $drv_list) { | |
Delete-Show-Error "HKLM:\SYSTEM\CurrentControlSet\Services\$drv" | |
} | |
} | |
} |