undergroundwires / privacy.sexy

Open-source tool to enforce privacy & security best-practices on Windows, macOS and Linux, because privacy is sexy
https://privacy.sexy
GNU Affero General Public License v3.0
4.17k stars, 174 forks

[BUG]: Disable Windows Defender does not work #170

Status: Open. Fuewburvpoa opened 2 years ago

Fuewburvpoa commented 2 years ago

Description

Today I've noticed that Windows Defender services are running. I installed Windows in February 2022, and one of the first things I did was run the "Privacy over security > Disable windows defender" script. I would leave Windows security & patch updates on, and it looks like after the August monthly update Windows Defender is working again, but this script no longer disables Defender. The policy to disable Defender is ignored.

OS

Edition: Windows 10 Enterprise LTSC Version: 21H2 OS Build: 19044.2006

Scripts

DisableDefender.txt

Screenshots

(screenshot)

Additional information

I guess time to disable "security" updates forever. My hatred of MS is on its all time high.

undergroundwires commented 2 years ago

Thank you for the very nice bug report with all the necessary information.

I tested this and can reproduce it. Defender is still crippled heavily, but not gotten rid of completely as it was before.

privacy.sexy has been the only open-source tool that could successfully stop the Defender service, according to my intensive research when I wrote the code. This was thanks to the community that showed the way with a PoC in #74, but Microsoft seems to have patched it in 21H2 for Windows 10 and 22H2 for Windows 11.

This has become a cat and mouse game with Microsoft. I am unsure if I would prioritize this anytime soon over building new features and improving other aspects of the project that people have been asking for for years now. Let's tag this issue and keep it open for other contributions. For the researchers that want to debug this: it started with #74, and the idea was to disable these services as TrustedInstaller. You can see the privilege escalation here, and search for RunInlineCodeAsTrustedInstaller in the same file to see how we disabled these services.

Some of the scripts that utilize this method, which worked fine before but started failing in new Windows versions:

Windows 10 21H2:

Windows 11 22H2:

Fuewburvpoa commented 2 years ago

Just a little update on how I solved this issue for now.

LordNoteworthy commented 1 year ago

@Fuewburvpoa it won't work on Win 10 22H2. As @undergroundwires pointed out.

You need to boot in SafeMode ...

undergroundwires commented 1 year ago

Most scripts started working with new versions. However, in Windows 11, tamper protection needs to be manually disabled before running the disable Defender script from privacy.sexy for it to be effective. I could not find any way to programmatically fix this yet, nor have I found any other project that successfully does this. One way would be actually mimicking user input to set this in Settings, but it feels so hacky.

Manually disable tamper protection:

(screenshot)
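A read-only way to check the state this thread is about (whether the Defender services came back after an update, and whether tamper protection is currently on), as an added example that is not code from privacy.sexy or from anyone in this issue. It assumes a Windows 10/11 host with the built-in Defender PowerShell module and an elevated prompt; it changes nothing, so it is safe to run before and after any of the scripts mentioned above to compare results.

```powershell
# Added example, not part of privacy.sexy. Read-only status check of
# Windows Defender on Windows 10/11. Run from an elevated PowerShell.
# Assumes the stock Defender module (Get-MpComputerStatus) is available.

# Core Defender services discussed in the thread:
#   WinDefend - antimalware service, WdNisSvc - network inspection,
#   Sense     - Defender for Endpoint sensor (may be absent on home editions)
$serviceNames = 'WinDefend', 'WdNisSvc', 'Sense'

foreach ($name in $serviceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        '{0,-10} not present' -f $name
    } else {
        # StartType shows whether a "disabled" startup setting survived the update
        '{0,-10} status={1,-8} startup={2}' -f $name, $svc.Status, $svc.StartType
    }
}

# Engine-level view: real-time protection and the tamper-protection flag that
# the thread says must be turned off manually on Windows 11.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $status) {
    'Get-MpComputerStatus unavailable (module missing or antimalware service stopped)'
} else {
    [pscustomobject]@{
        AMServiceEnabled          = $status.AMServiceEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        IsTamperProtected         = $status.IsTamperProtected
        AntivirusSignatureVersion = $status.AntivirusSignatureVersion
    } | Format-List
}

# Read back (do not set) the Group Policy value the bug report says is ignored,
# so "policy present but Defender running" can be confirmed rather than guessed.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policy = Get-ItemProperty -Path $policyPath -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    'DisableAntiSpyware policy value not set'
} else {
    'DisableAntiSpyware policy value = {0}' -f $policy.DisableAntiSpyware
}
```

If the services report `Running` while `IsTamperProtected` is `True`, the situation matches the behaviour described above for Windows 11: the policy and service changes are being reverted, and tamper protection is the setting to look at first.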