semazurek / ET-Optimizer

ET is a powerful application to improve performance, debloat, optimize and enhance privacy for Windows 10/11.
GNU General Public License v3.0

Windows Defender remains active despite being disabled #12

Closed AzimsTech closed 1 year ago

AzimsTech commented 1 year ago

procexp64_1P4VA1tAjd

OS: Windows 10 Pro 22H2 (19045.2673)

semazurek commented 1 year ago

The unstable and not recommended options are labeled in red. Yes, and this will save +- 200MB RAM. There is no method to completely uninstall/kill defender and edge YET. Without interfering with the system image.

AzimsTech commented 1 year ago

> The unstable and not recommended options are labeled in red.

Is there a way to make this information more visible for users in the future?

> There is no method to completely uninstall/kill defender and edge YET. Without interfering with the system image.

Apparently, it is possible with this script: https://github.com/hellzerg/optimizer/blob/master/Optimizer/Resources/Scripts/DisableDefenderSafeMode1903Plus.bat However, it needs to be run in safe mode.

semazurek commented 1 year ago

Yes from safe mode and 1903 build I know hellzerg's Optimizer (1 year old), script is for IT and non IT users if u click on button "Select All" u can't highlight red options. I would be happy for advice how to make this information about red options more visible for users.

semazurek commented 1 year ago

And code of git up is the same like E.T. but E.T. has got +extras values well.... If u want to try in safe mode good luck I am sure there is a method to reboot into safe mode via command (that means I can add this in the future E.T. version)

```bat
:chck3
if exist %programdata%\ET\chck3.lbool del %programdata%\ET\chck3.lbool
::  Disable Windows Defender
title %version% [%counter%/%alltodo%] && set /a counter+=1 >nul 2>nul
powershell -Command "Write-Host ' [Disable] Windows Defender' -F darkgray -B black"
::Windows Defender
reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
::WindowsSystemTray
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f >NUL 2>nul
::System Guard
reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
::WebThreatDefSvc
reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
for /f %%i in ('reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2^>nul ^| find /i "webthreatdefusersvc" ') do (
  reg add "%%i" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
)

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%%windir%%\System32\taskkill.exe" /f >NUL 2>nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f >NUL 2>nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f >NUL 2>nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f >NUL 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f >NUL 2>nul

:: Disable Logging
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f >NUL 2>nul

:: Disable Tasks
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable >NUL 2>nul
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable >NUL 2>nul
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable >NUL 2>nul
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable >NUL 2>nul
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable >NUL 2>nul

:: Disable systray icon
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f >NUL 2>nul
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f >NUL 2>nul

:: Remove context menu
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f >NUL 2>nul
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f >NUL 2>nul
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f >NUL 2>nul

:: Disable services (it will stop WdFilter.sys as well, better not to disable the driver by itself)
:: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>nul
goto Start
```

AzimsTech commented 1 year ago

> Yes from safe mode and 1903 build I know hellzerg's Optimizer (1 year old), script is for IT and non IT users if u click on button "Select All" u can't highlight red options. I would be happy for advice how to make this information about red options more visible for users.

I think grouping the red options separately from the normal options is a good idea.

> And code of git up is the same like E.T. but E.T. has got +extras values well.... If u want to try in safe mode good luck I am sure there is a method to reboot into safe mode via command (that means I can add this in the future E.T. version)

I just tried rebooting into safe mode using the E.T again and it worked for me.

semazurek commented 1 year ago

Updated and ready to use.

image

AzimsTech commented 1 year ago

> Updated and ready to use.
>
> image

This looks awesome. I really appreciate the effort you put into considering my feedback.

Something like this should work

```bat
@echo off

rem Check if running in safe mode
bcdedit /enum | find "safeboot" > nul
if %errorlevel% == 0 (
    rem Already in safe mode, run the command and reboot

    rem Disable Windows Defender commands to be executed in safe mode here

    bcdedit /deletevalue {current} safeboot > nul
    shutdown /r /t 3
) else (
    rem Not in safe mode, set safe mode and reboot
    bcdedit /set {current} safeboot minimal > nul
    rem Add a registry key to run the script at next startup
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v *%~n0 /t REG_SZ /d %~dpnx0
    shutdown /r /t 3
)

exit
```

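
From the monitoring side, the commands in the two scripts posted in this thread leave recognisable process command lines. The following is an added example (not code from this thread or from the E.T. project) that scans recorded command lines for them; the sample log, the `C:\Tools\et.bat` path and the finding names are constructed for illustration.

```python
import re

# Service names taken from the batch script posted in this thread.
DEFENDER_SERVICES = {
    "mssecflt", "securityhealthservice", "sense", "wdboot", "wdfilter",
    "wdnisdrv", "wdnissvc", "windefend", "sgrmagent", "sgrmbroker",
    "webthreatdefsvc", "webthreatdefusersvc",
}
REG_ADD = r'\breg(?:\.exe)?\s+add\s+"?'
RULES = [  # (finding name, pattern capturing the interesting token)
    ("service-start-disabled", re.compile(
        REG_ADD + r'hklm\\system\\(?:currentcontrolset|controlset\d{3})\\services\\'
        r'([^"\\\s]+)"?\s+.*/v\s+"?start"?\s+.*/d\s+"?4"?(?=\s|$)', re.I)),
    ("safeboot-set", re.compile(
        r'\bbcdedit(?:\.exe)?\s+/set\s+\S+\s+safeboot\s+(\w+)', re.I)),
    # A RunOnce value name starting with '*' is also executed in Safe Mode.
    ("runonce-safe-mode-entry", re.compile(
        REG_ADD + r'[^"]*?\\runonce"?\s+.*?/v\s+"?(\*[^"\s]+)', re.I)),
    ("ifeo-debugger-set", re.compile(
        REG_ADD + r'[^"]*?\\image file execution options\\([^"\\]+)"?\s+.*?/v\s+"?debugger\b', re.I)),
]

def audit(command_lines):
    """Return (line_no, finding, detail) for each tamper-related command line."""
    findings = []
    for n, cmd in enumerate(command_lines, 1):
        for name, rx in RULES:
            m = rx.search(cmd)
            if not m:
                continue
            detail = m.group(1)
            # Per-user service instances look like webthreatdefusersvc_<suffix>.
            if name == "service-start-disabled" and \
                    detail.lower().split("_")[0] not in DEFENDER_SERVICES:
                continue
            findings.append((n, name, detail))
    return findings

# Constructed sample: command lines as a process-creation audit log might record them.
SAMPLE = [
    r'reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f',
    r'bcdedit /set {current} safeboot minimal',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v *et /t REG_SZ /d C:\Tools\et.bat',
    r'bcdedit /deletevalue {current} safeboot',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%windir%\System32\taskkill.exe" /f',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A `safeboot-set` finding followed by a `runonce-safe-mode-entry` on the same host is the reboot-into-safe-mode pattern from the second script and is worth alerting on together with any `service-start-disabled` hit.
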
semazurek commented 1 year ago

I am always trying to listen to others' feedback and make changes, it's a tool for all 👌😊 That code of putting into startup is awesome but still I need to think when E.T. should restart to safe mode like: 1) before all options/changes at start 2) Only after choosing defender option (I think that I will choose 2) second option)

AzimsTech commented 1 year ago

Glad to hear that!

Option 2 sounds like a good choice for safe mode activation, but it's up to your preference. Keep up the good work! 👍

semazurek commented 1 year ago

Check new version with ur code of rebooting into safe mode, I believe everything is fine now 👌

AzimsTech commented 1 year ago

Finally, I got a chance to test it today. I haven't had the opportunity to test it in the past few days.

Unfortunately, it didn't reboot to safe mode. Here are the screenshots from before the reboot:

2dttb9gaEs

semazurek commented 1 year ago

When u manually reboot u probably will get safe mode.

FIX that typing:

```bat
bcdedit /deletevalue {current} safeboot
```

delete all files in %programdata%\ET

I will make own code to boot script and fix that...

semazurek commented 1 year ago

I just updated the code, the first tests passed without any problems, soon I will test on other machines.

And u need to reboot the computer manually and after that u will see safe mode windows.

AzimsTech commented 1 year ago

After running the script, I can confirm that it is now working properly as expected.

semazurek commented 1 year ago

Probably the script needs improvements but for now it's working at least... sorry for trouble.

AzimsTech commented 1 year ago

Thanks to you for fixing it, now I can use it with other machines. Cheers!

semazurek commented 1 year ago

Give me a second I am still updating + testing because of glitches. I will let you know if all is fine.

semazurek commented 1 year ago

Looks promising so far, the edge after updating with windows update is not removable, the rest works. Stable release ready to use/download.