Toggle Windows Defender real time protection via Desktop shortcut

5

1

Unfortunately, sometimes it is necessary to disable (and later enable again) the (excellent) Windows Defender real-time protection.

I require 7 clicks to enable or disable Defender real-time protection: Systray -> double-click on icon -> "Virus & threat protection" -> "Virus & threat protection settings" -> Toggle "Real-time protection" -> User Account Control "Yes".

Is there a simpler way to create a desktop shortcut that minimizes the number of clicks needed?

janpio

Posted 2017-10-05T15:42:49.707

Reputation: 975

I'd think you can maybe toggle a service, can you explain why you need to disable/enable it? – djsmiley2k TMW – 2017-10-05T15:48:47.963

The process is requiring too much CPU, slowing processes stuff down. I couldn't find out which files/processes are causing this. See my related question: https://superuser.com/q/1256548/25933

– janpio – 2017-10-05T15:51:35.590

I doubt there will be such a simple way to disable Windows Defender. There is a reason for this. If there was a simple way to disable Windows Defender malware authors would know all about it and the protection it provides would be nullified. The interactive process used cannot be easily duplicated with software. The Windows Defender service cannot be directly stopped by even an elevated admin account. – LMiller7 – 2017-10-05T18:06:13.383

It actually can, but @djsmiley2k unfortunately posted the answer in the wrong question: https://superuser.com/a/1256561/25933

– janpio – 2017-10-05T18:15:06.443

Answers

1

To actually toggle the real-time monitoring state put the following in a PowerShell script (must be run as administrator):

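```powershell
# Read the current Defender preferences
$preferences = Get-MpPreference
# Flip the real-time monitoring setting (requires an elevated session)
Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)
```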

To make this into a desktop shortcut, right-click on the Desktop, choose "New" and then "Shortcut" and enter the following for the item (substituting the location of the script you created for the -File argument):

```
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "C:\Users\yuji\Documents\toggle-monitoring.ps1"
```

And in the Advanced options, enable Run as administrator.

yuji

Posted 2017-10-05T15:42:49.707

Reputation: 125

You are absolutely right, this works perfect! Thank you. – janpio – 2018-01-22T12:54:12.527

This does not work anymore, at least on Windows 10 v1903. – martixy – 2019-07-27T16:26:58.640

After a successful educated guess, I discovered the reason it does not work anymore: **Defender has a new feature called Tamper Protection. Turning that off allows Defender to be controlled externally - e.g. via this script or group policy.** – martixy – 2019-07-27T16:36:17.013

"UAC is not a security boundary" -Microsoft. Hence Tamper Protection is and has been just a marketing buzzword, while not actually protecting Defender from being uninstalled / incapacitated / toggled. For example, here's an updated script to toggle it: https://pastebin.com/hLsCCZQY

– AveYo – 2020-02-12T15:28:17.657
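An added example, not part of the original answers or comments: the toggle from the answer above, extended to read the Tamper Protection state that the comments identify as the reason the script stopped working, and to confirm that real-time protection actually changed. The function name `Switch-DefenderRealtime` and the two-second wait are assumptions; it uses the `RealTimeProtectionEnabled` and `IsTamperProtected` properties returned by `Get-MpComputerStatus`.

```powershell
# Added example (not the answer author's code). Switch-DefenderRealtime is a hypothetical name.
function Switch-DefenderRealtime {
    [CmdletBinding()]
    param()

    # Set-MpPreference needs an elevated session; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated (administrator) PowerShell session.'
    }

    $before = Get-MpComputerStatus

    # IsTamperProtected is absent on builds that predate Tamper Protection.
    $tamper = $before.PSObject.Properties['IsTamperProtected']
    if ($tamper -and $tamper.Value) {
        Write-Warning 'Tamper Protection is on; the change requested below may be ignored.'
    }

    # Request the opposite of the current effective state.
    $wantEnabled = -not $before.RealTimeProtectionEnabled
    Set-MpPreference -DisableRealtimeMonitoring (-not $wantEnabled)

    # Assumption: give the service a moment, then re-read the effective state.
    Start-Sleep -Seconds 2
    $after   = Get-MpComputerStatus
    $applied = ($after.RealTimeProtectionEnabled -eq $wantEnabled)
    if (-not $applied) {
        Write-Warning 'Real-time protection did not change state; the setting was not applied.'
    }

    # Return the effective state so the caller sees what is really in force.
    [pscustomobject]@{
        RealTimeProtectionEnabled = $after.RealTimeProtectionEnabled
        TamperProtected           = if ($tamper) { $tamper.Value } else { $null }
        Applied                   = $applied
    }
}

Switch-DefenderRealtime
```

The returned object makes a run that left real-time protection switched off visible, so it is not forgotten in that state.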

4

It seems you can do this in PowerShell:

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
```

Obviously, set it to $false to turn it back on.

This answer on StackExchange discusses how to turn this into a shortcut if that's how you choose to proceed.

djsmiley2k TMW

Posted 2017-10-05T15:42:49.707

Reputation: 5 937

1

Worked like a charm, pulled it together in a blog post: http://betamode.de/2017/10/05/disable-windows-defender-real-time-protection-with-a-desktop-shortcut/

– janpio – 2017-10-06T14:34:54.080