undergroundwires / privacy.sexy

Open-source tool to enforce privacy & security best-practices on Windows, macOS and Linux, because privacy is sexy
https://privacy.sexy
GNU Affero General Public License v3.0

[Bug]: Defender is not completely disabled #385

Open Cassandre60 opened 1 week ago

Cassandre60 commented 1 week ago

Description

After I disabled Defender using the 1100-line script generated by privacy.sexy, I still have the following still running:

- webthreatdefusersvc_4549a, Web Threat Defense User Service_4549a
- WinDefend, Microsoft Defender Antivirus Service
- MDCoreSvc, Microsoft Defender Core Service

Is this normal/expected behavior, or does this mean that Windows Defender is still enabled? I'm new to this space of privacy/debloating, so I might get some things wrong.

Reproduction steps

In privacy.sexy, check windows defender and then click run script.

Expected behavior

For Defender to be completely removed.

Screenshots

No response

privacy.sexy environment details

No response

Additional context

In PowerShell, `Get-MpComputerStatus | select AMRunningMode` returns:

```
AMRunningMode
-------------
Normal
```

which, as far as I know, means Defender is still running.

undergroundwires commented 1 week ago

Great bug report @Cassandre60. A lot of useful information. I will do some research and add disabling of these services.

I will also increase the aggressiveness by disabling and blocking execution of the executables of these services.

These should help with this issue.

We have #170, but it's not as helpful and concrete as this report which gives me the technical details to be able to go further.

Please keep in mind that these changes will not be fast, so no timelines promised, but hopefully in the next patch release.

I will share the code with you once it's ready, to test if it helps with getting rid of these processes/services.

Cassandre60 commented 1 week ago

Thanks for the quick reply, no problems on the timeline, just appreciate the work you and your colleagues are doing.

Silver347 commented 1 week ago

You could also try "Defender Remover" by ionuttbara (https://github.com/ionuttbara/windows-defender-remover).

Only make sure that you disable "Tamper Protection" and all real-time protection in Windows Defender before running it.

Cassandre60 commented 1 week ago

My Defender is maybe disabled by like 95%, so I'm afraid to mess things up now, since I'm a normal user. In my Task Manager, smartscreen.exe (Windows Defender SmartScreen) takes 0% CPU and around 1.5 MB of RAM, and MpDefenderCoreService.exe (Antimalware Core Service) takes 0% CPU and 5.5 MB of RAM, so I'm pretty satisfied with what I have. I'll consider your script on a new install, maybe. Btw, I'm on Windows 11 IoT Enterprise LTSC.

undergroundwires commented 1 week ago

Hi,

This should successfully get rid of smartscreen.exe:

Apply script

```batchfile
@echo off
:: https://privacy.sexy — v0.13.5 — Fri, 12 Jul 2024 11:42:38 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion

:: ----------------------------------------------------------
:: Disable SmartScreen process (breaks Microsoft Store apps)-
:: ----------------------------------------------------------
echo --- Disable SmartScreen process (breaks Microsoft Store apps)
:: Check and terminate the running process "smartscreen.exe"
tasklist /fi "ImageName eq smartscreen.exe" /fo csv 2>NUL | find /i "smartscreen.exe">NUL && (
    echo smartscreen.exe is running and will be killed.
    taskkill /f /im smartscreen.exe
) || (
    echo Skipping, smartscreen.exe is not running.
)
:: Configure termination of "smartscreen.exe" immediately upon its startup
PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe' /v 'Debugger' /t 'REG_SZ' /d '%WINDIR%\System32\taskkill.exe' /f"
:: Add a rule to prevent the executable "smartscreen.exe" from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "$executableFilename='smartscreen.exe'; try {; $registryPathForDisallowRun='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'; $existingBlockEntries = Get-ItemProperty -Path "^""$registryPathForDisallowRun"^"" -ErrorAction Ignore; $nextFreeRuleIndex = 1; if ($existingBlockEntries) {; $existingBlockingRuleForExecutable = $existingBlockEntries.PSObject.Properties | Where-Object { $_.Value -eq $executableFilename }; if ($existingBlockingRuleForExecutable) {; $existingBlockingRuleIndexForExecutable = $existingBlockingRuleForExecutable.Name; Write-Output "^""Skipping, no action needed: `$executableFilename` is already blocked under rule index `"^""$existingBlockingRuleIndexForExecutable`"^""."^""; exit 0; }; $occupiedRuleIndexes = $existingBlockEntries.PSObject.Properties | Where-Object { $_.Name -Match '^\d+$' } | Select -ExpandProperty Name; if ($occupiedRuleIndexes) {; while ($occupiedRuleIndexes -Contains $nextFreeRuleIndex) {; $nextFreeRuleIndex += 1; }; }; }; Write-Output "^""Adding block rule for `"^""$executableFilename`"^"" under rule index `"^""$nextFreeRuleIndex`"^""."^""; if (!(Test-Path $registryPathForDisallowRun)) {; New-Item -Path "^""$registryPathForDisallowRun"^"" -Force -ErrorAction Stop | Out-Null; }; New-ItemProperty -Path "^""$registryPathForDisallowRun"^"" -Name "^""$nextFreeRuleIndex"^"" -PropertyType String -Value "^""$executableFilename"^"" -ErrorAction Stop | Out-Null; Write-Output "^""Successfully blocked `"^""$executableFilename`"^"" with rule index `"^""$nextFreeRuleIndex`"^""."^""; } catch {; Write-Error "^""Failed to block `"^""$executableFilename`"^"": $_"^""; Exit 1; }"
:: Activate the DisallowRun policy to block specified programs from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "try {; $fileExplorerDisallowRunRegistryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; $currentDisallowRunPolicyValue = Get-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -ErrorAction Ignore | Select -ExpandProperty DisallowRun; if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) {; Write-Output "^""Creating DisallowRun policy at `"^""$fileExplorerDisallowRunRegistryPath`"^""."^""; if (!(Test-Path $fileExplorerDisallowRunRegistryPath)) {; New-Item -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Force -ErrorAction Stop | Out-Null; }; New-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -Value 1 -PropertyType DWORD -Force -ErrorAction Stop | Out-Null; Write-Output 'Successfully activated DisallowRun policy.'; Exit 0; }; if ($currentDisallowRunPolicyValue -eq 1) {; Write-Output 'Skipping, no action needed: DisallowRun policy is already in place.'; Exit 0; }; Write-Output 'Updating DisallowRun policy from unexpected value `"^""$currentDisallowRunPolicyValue`"^"" to `"^""1`"^"".'; Set-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -Value 1 -Type DWORD -Force -ErrorAction Stop | Out-Null; Write-Output 'Successfully activated DisallowRun policy.'; } catch {; Write-Error "^""Failed to activate DisallowRun policy: $_"^""; Exit 1; }"
:: ----------------------------------------------------------

:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0
```
Revert script (if you change your mind)

```batchfile
@echo off
:: https://privacy.sexy — v0.13.5 — Fri, 12 Jul 2024 11:42:38 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion

:: ----------------------------------------------------------
:: Disable SmartScreen process (breaks Microsoft Store apps) (revert)
:: ----------------------------------------------------------
echo --- Disable SmartScreen process (breaks Microsoft Store apps) (revert)
:: Remove configuration preventing "smartscreen.exe" from starting
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe' /v 'Debugger' /f 2>$null"
:: Remove the rule that prevents the executable "smartscreen.exe" from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "$executableFilename='smartscreen.exe'; try {; $blockEntries = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction Ignore; if (-Not $blockEntries) {; Write-Output "^""Skipping, no action needed: No block rules exist, `"^""$executableFilename`"^"" is not blocked."^""; exit 0; }; $blockingRulesForExecutable = @(; $blockEntries.PSObject.Properties | Where-Object { $_.Value -eq $executableFilename }; ); if (-Not $blockingRulesForExecutable) {; Write-Output "^""Skipping, no action needed: `"^""$executableFilename`"^"" is not currently blocked."^""; exit 0; }; foreach ($blockingRuleForExecutable in $blockingRulesForExecutable) {; $blockingRuleIndexForExecutable = $blockingRuleForExecutable.Name; Write-Output "^""Removing rule `"^""$blockingRuleIndexForExecutable`"^"" that blocks `"^""$executableFilename`"^""."^""; Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -Name "^""$blockingRuleIndexForExecutable"^"" -Force -ErrorAction Stop; Write-Output "^""Successfully revoked blocking of `$executableFilename` under rule `"^""$blockingRuleIndexForExecutable`"^""."^""; }; } catch {; Write-Error "^""Failed to revoke blocking of `"^""$executableFilename`"^"": $_"^""; Exit 1; }"
:: Restore the File Explorer DisallowRun policy if no other blocks are active
PowerShell -ExecutionPolicy Unrestricted -Command "try {; $currentDisallowRunPolicyValue = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'DisallowRun' -ErrorAction Ignore | Select-Object -ExpandProperty 'DisallowRun'; if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) {; Write-Output 'Skipping, no action needed: DisallowRun policy is not active.'; Exit 0; }; if ($currentDisallowRunPolicyValue -ne 1) {; Write-Output "^""Skipping, DisallowRun policy is not configured by privacy.sexy, unexpected value: `"^""$currentDisallowRunPolicyValue`"^""."^""; Exit 0; }; $remainingBlockingRules = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction Ignore; if ($remainingBlockingRules) {; Write-Output 'Skipping deactivating DisallowRun policy, there are still active rules.'; Exit 0; }; Write-Output 'No remaining rules, deleting DisallowRun policy.'; Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'DisallowRun' -Force -ErrorAction Stop; Write-Output 'Successfully restored DisallowRun policy.'; } catch {; Write-Error "^""Failed to restore DisallowRun policy: $_"^""; Exit 1; }"
:: ----------------------------------------------------------

:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0
```

Please test this and let me know if it worked. It should persist across reboots. I will add it in the next patch if you confirm it works.
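The original report and the script above both raise the same question: how do you check, rather than guess, what state Defender is in after a run? The following is an added verification script (my own code, not privacy.sexy's and not posted by anyone in this thread). It reads back the three things discussed here: the Defender services named in the first comment (`WinDefend`, `MDCoreSvc`, `webthreatdefusersvc_*`, whose `_4549a` suffix is per-user and so is matched by prefix), the `AMRunningMode` value from `Get-MpComputerStatus`, and the two registry changes the script makes (the IFEO `Debugger` value for `smartscreen.exe` and the `DisallowRun` policy plus its rules). The process and service names and registry paths are taken from this issue; everything else (function names, the `$WatchedProcesses` list) is my own choice. It only reads state and changes nothing, so it is safe to run before and after the script, and before the revert.

```powershell
# Added verification script (not part of privacy.sexy or of the scripts in this issue).
# Run in an elevated PowerShell session. Read-only: nothing here modifies the system.

$DefenderServiceNames = @('WinDefend', 'MDCoreSvc')          # names quoted in the report
$WatchedProcesses     = @('smartscreen', 'MpDefenderCoreService')  # Get-Process names, no ".exe"
$IfeoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$PolicyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-DefenderServiceState {
    # One row per Defender-related service present on this machine.
    foreach ($svc in Get-Service) {
        $isDefender = ($svc.Name -in $DefenderServiceNames) -or
                      ($svc.Name -like 'webthreatdefusersvc*')   # per-user suffix varies
        if ($isDefender) {
            [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                Status      = $svc.Status      # Running / Stopped
                StartType   = $svc.StartType   # Automatic / Manual / Disabled
            }
        }
    }
}

function Get-DefenderRunningMode {
    # 'Normal' means the antimalware engine is fully active. Any other value, or an
    # error from the cmdlet (typically because WinDefend is not running), means it is not.
    try   { (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode }
    catch { "Unavailable: $($_.Exception.Message)" }
}

function Get-WatchedProcessState {
    foreach ($name in $WatchedProcesses) {
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Process = "$name.exe"; Running = ($procs.Count -gt 0); Instances = $procs.Count }
    }
}

function Get-IfeoDebugger([string]$ExeName) {
    # The apply script registers taskkill.exe as the IFEO "Debugger" for smartscreen.exe so
    # the process dies on start-up. This key is also a documented persistence technique
    # (MITRE ATT&CK T1546.012), so it is worth auditing for executables you did not set yourself.
    (Get-ItemProperty -Path (Join-Path $IfeoRoot $ExeName) -Name Debugger -ErrorAction Ignore).Debugger
}

function Get-DisallowRunState {
    # DisallowRun=1 under the Explorer policy key plus numbered rules in its DisallowRun subkey.
    $enabled = (Get-ItemProperty -Path $PolicyRoot -Name DisallowRun -ErrorAction Ignore).DisallowRun
    $rules   = Get-ItemProperty -Path (Join-Path $PolicyRoot 'DisallowRun') -ErrorAction Ignore
    $entries = @()
    if ($rules) {
        $entries = @($rules.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { [pscustomobject]@{ Index = [int]$_.Name; Executable = $_.Value } })
    }
    [pscustomobject]@{ PolicyEnabled = ($enabled -eq 1); Rules = $entries }
}

Write-Host '== Defender services =='
Get-DefenderServiceState | Format-Table -AutoSize
Write-Host "== AMRunningMode: $(Get-DefenderRunningMode)"
Write-Host '== Watched processes =='
Get-WatchedProcessState | Format-Table -AutoSize
$debugger = Get-IfeoDebugger 'smartscreen.exe'
Write-Host ('== IFEO Debugger for smartscreen.exe: ' + $(if ($debugger) { $debugger } else { '<not set>' }))
$disallow = Get-DisallowRunState
Write-Host "== DisallowRun policy enabled: $($disallow.PolicyEnabled)"
$disallow.Rules | Format-Table -AutoSize
```

After the apply script has run, the IFEO line should show the `taskkill.exe` path and the `DisallowRun` table should contain a rule for `smartscreen.exe`; after the revert script both should be gone. If the services table still shows `WinDefend` and `MDCoreSvc` as `Running` with `StartType` `Automatic` and `AMRunningMode` is `Normal`, the engine itself is untouched, which is exactly what the first comment in this issue observed: the SmartScreen block does not disable Defender, it only stops one helper process.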

Cassandre60 commented 1 week ago

I just applied the tool provided by @Silver347, and it removed all the residue, thanks for the suggestion nonetheless.

undergroundwires commented 1 week ago

I'd be happy if anyone else who did not apply any other third-party tool gives feedback on this to move this issue and solution forward.

Silver347 commented 1 week ago

Hi @undergroundwires, thanks for the reply, and excuse me for my poor language skills.

First of all, I'd like to thank you sincerely for devoting your free time to create this awesome customizable script, and I apologize for not really providing any scripted solution for the problem mentioned in the post but instead relying on someone else's project.

The truth is I have no coding skills and as far as I've seen this software (which I recommended) completely removes Windows Defender entirely...which is a problem since there is no way to revert any of this once it's applied.

This script also disables some security mitigations (which I believe are Spectre and Meltdown at the OS level, VBS, UAC), which is not ideal... and I honestly shouldn't have recommended it in the first place.

Most of it (if not all of it) is registry tweaks inside the .exe file, which can be unzipped with any archiving tool (such as WinRAR, 7-Zip, etc.) and which could be used to further improve the project... and again, I apologize for not offering any proper solution.