@setlocal enableextensions enabledelayedexpansion
@echo off
rem win10_disable_defender.bat
rem Turns Microsoft Defender off by writing Defender policy values, disabling the
rem Defender services, ETW loggers and scheduled tasks, and removing its shell and
rem startup entries. Must run elevated; relaunches itself through PowerShell when it
rem is not. Completion is recorded in HKLM\SYSTEM\Setup\DisabledDefenderServices
rem (1 = done), which the check below and the companion enable script read.
rem Make sure we're running as admin. Got this garbage from https://stackoverflow.com/a/40388766
if not "%1"=="am_admin" (
powershell -Command "Start-Process -Verb RunAs -FilePath '%0' -ArgumentList 'am_admin'"
exit /b
)
rem NOTE: Defender may see this file as malware, so you might need to exclude this before things can be disabled.
rem
rem Modified version of
rem https://raw.githubusercontent.com/mattreecebentley/win10_disable_defender/main/win10_enable_defender.bat
rem https://gist.github.com/xezrunner/a7a42dbc1096a40b0c78f09488fe5a2b
rem Skip everything if a previous run already set the marker to 1. If the value is
rem missing, reg query fails, find matches nothing and the script carries on.
reg query HKLM\SYSTEM\Setup /v DisabledDefenderServices | find "0x1"
if %errorlevel% == 0 goto already_patched
echo.
echo Please note that Defender can only be disabled in Win10 v2004 and upwards if Tamper Protection is disabled.
echo This setting can be found in Window settings (hint: search for 'tamper'). Please do this now and then,
rem NOTE(review): the message above stops mid-sentence; the pause is what waits for the user.
pause
echo.
echo Disabling Windows Defender
rem from: https://pastebin.com/kYCVzZPz
rem Try to clear the Tamper Protection flag. Per the prompt above this only works on
rem Win10 builds before 2004; on newer builds expect this write to be refused and
rem the user to have turned Tamper Protection off by hand.
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
rem To disable System Guard Runtime Monitor Broker
rem reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
rem To disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
echo.
echo Disable Real-time protection
rem Drop the whole Defender policy key first so the values below start from a clean
rem slate; any existing Defender group policy stored under this key is lost as well.
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
rem SpyNet = cloud-delivered protection; SubmitSamplesConsent 2 is "never send".
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
echo.
echo Disable Logging
rem Start=0 on the autologger keys keeps the Defender ETW trace sessions from
rem starting at boot; the companion enable script sets them back to 1.
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
echo.
echo Disable WD Tasks
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
echo.
echo Disable WD systray icon
rem Removes the SecurityHealthSystray startup entry and its StartupApproved record.
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
echo.
echo Remove WD context menu
rem EPP is Defender's "Scan with..." context-menu handler for files, folders and drives.
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
echo.
echo Disable WD services
rem Start=4 is SERVICE_DISABLED. wscsvc is the Security Center service; the Wd*
rem entries are the Defender engine service, boot/filter drivers and network
rem inspection driver/service.
reg add HKLM\SYSTEM\CurrentControlSet\Services\wscsvc /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\wdFilter" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
echo.
echo Disable Security system tray icon
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
echo.
echo Finishing up...
rem Record completion; the check at the top and the enable script both read this.
reg add HKLM\SYSTEM\Setup /v DisabledDefenderServices /t REG_DWORD /d 1 /f
echo.
echo Windows Defender has (hopefully) been disabled.
echo You might still be able to scan files going forward depending on your version of Windows. Also, the Antimalware Service Executable should immediately stop using CPU cycles.
echo Please restart your computer to see all changes.
rem Jumps to the :eof label defined below, so the closing pause still runs.
goto eof
:already_patched
echo Defender has already been disabled by this script.
:eof
echo.
pause
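@setlocal enableextensions enabledelayedexpansion
@echo off
rem win10_enable_defender.bat
rem Re-enables Microsoft Defender after the companion disable script: clears the
rem Defender policy key, restores the systray startup entry, the EPP context-menu
rem handlers, the services, ETW loggers and scheduled tasks, writes a few
rem MpEngine/SpyNet preferences, re-enables Tamper Protection and clears the
rem HKLM\SYSTEM\Setup\DisabledDefenderServices marker. Must run elevated;
rem relaunches itself through PowerShell when it is not.
rem
rem Make sure we're running as admin. Got this garbage from https://stackoverflow.com/a/40388766
rem %~f0 is this script's full path with any surrounding quotes removed, so a
rem path containing spaces is passed intact inside the single-quoted -FilePath
rem (a bare %0 keeps the caller's quoting and breaks the PowerShell argument).
if not "%1"=="am_admin" (
powershell -Command "Start-Process -Verb RunAs -FilePath '%~f0' -ArgumentList 'am_admin'"
exit /b
)
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem
rem Modified version of
rem https://raw.githubusercontent.com/mattreecebentley/win10_disable_defender/main/win10_enable_defender.bat
rem https://gist.github.com/xezrunner/a7a42dbc1096a40b0c78f09488fe5a2b
rem
rem Resources:
rem https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=win10-ps
rem https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection
rem https://github.com/AndyFul/ConfigureDefender
rem https://github.com/AndyFul/Hard_Configurator
echo.
echo Enabling Windows Defender
rem The disable script sets the marker to 1; 0 means this script already ran. If the
rem value is missing, reg query fails, find matches nothing and we carry on.
reg query HKLM\SYSTEM\Setup /v DisabledDefenderServices | find "0x0"
if %errorlevel% == 0 goto already_patched
rem Remove every Defender policy value the disable script wrote (the whole key).
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
rem Restore the Security Health systray startup entry. In a batch file %%windir%%
rem collapses to the literal text %windir%, so the REG_EXPAND_SZ value expands at
rem use instead of hard-coding this machine's Windows directory.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "\"%%windir%%\system32\SecurityHealthSystray.exe\"" /f
echo.
echo Restore WD shell
rem Re-register Defender's EPP context-menu handler CLSID for files, drives and folders.
reg add "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\EPP" /ve /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKLM\Software\Classes\Drive\shellex\ContextMenuHandlers\EPP" /ve /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\EPP" /ve /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
echo.
echo Enable WD services
rem Start=2 is SERVICE_AUTO_START. BFE, MpsSvc, SecurityHealthService and SgrmBroker
rem are set here even though the disable script leaves them alone (its SgrmBroker and
rem SecurityHealthService lines are commented out), so this also undoes manual changes.
reg add "HKLM\System\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\wdFilter" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "2" /f
echo.
echo 1 - Enable Logging
rem Start=1 lets the Defender ETW autologger sessions start at boot again.
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f
echo.
echo Enable WD Tasks
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Enable
echo.
echo Setting various preferences
rem These live under the Policies key deleted above, so they are re-created as
rem policy values, which the Windows Security UI typically shows as managed settings.
rem CloudExtendedTimeout / extra seconds a suspicious file is held for cloud analysis
rem (original note: 1 - 50, block for up to 60 seconds, default is 10). 0 here
rem presumably leaves the default in place - confirm before changing.
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d "0" /f
rem CloudBlockLevel / 0 - Default / 2 - High / 4 - High+ / 6 - Zero tolerance (block all unknown executables)
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f
rem 1 - Potentially Unwanted Application protection (PUP) is enabled, the applications with unwanted behavior will be blocked at download and install-time
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "1" /f
rem Block at First Sight / 0 - Enable / 1 - Disable
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "0" /f
rem Cloud-based Protection / 0 - Disable / 1 - Basic / 2 - Advanced
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "1" /f
rem Send file samples when further analysis is required / 0 - Always prompt / 1 - Send safe samples automatically / 2 - Never send / 3 - Send all samples automatically
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
echo.
echo Attempting to enable Tamper Protection. If this fails then you need to do it manually.
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f
rem To prevent WD using too much CPU, add this file to the exclusion list:
rem C:\Program Files\Windows Defender\MsMpEng.exe
rem NOTE(review): this is a Defender path exclusion. Exclusions narrow what Defender
rem inspects, so each one should be deliberate and documented; Defender already
rem handles its own engine process specially, so this entry is likely redundant, and
rem with Tamper Protection turned on just above the write may be refused anyway.
rem Keep it only if the CPU problem is actually observed on this machine.
echo.
echo Attempting to exclude MsMpEng.exe to reduce CPU usage
reg add "HKLM\Software\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files\Windows Defender\MsMpEng.exe" /t REG_DWORD /d "0" /f
echo.
echo Finishing up...
rem Clear the marker so a later disable run is not skipped by its 0x1 check.
reg add HKLM\SYSTEM\Setup /v DisabledDefenderServices /t REG_DWORD /d 0 /f
echo Windows Defender has (hopefully) been enabled.
echo The Antimalware Service Executable should be active again.
echo Restart your computer to see all changes.
goto done
:already_patched
echo Defender has already been enabled by this script.
rem Both paths end here so the window stays open until a key is pressed. The label
rem is named "done" rather than "eof" to avoid confusion with cmd's built-in :EOF.
:done
echo.
pause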