Disable Windows Defender in Windows 10

33

17

I can't find any information on how to disable Windows Defender in Windows 10. There is some information about how to do it in the previews, but the configuration pages have changed with the final release.

Specifically, I want to stop and disable the Windows Defender Service.

  • Using net stop windefend from an elevated command prompt gives "access denied"
  • Stop and startup type are greyed out in services.msc, even when logged on as administrator
  • There doesn't seem to be a GUI way to disable UAC in Windows 10

Has anyone figured out how to disable Defender in Windows 10?

Todd Wilcox

Posted 2015-07-30T20:52:37.983

Reputation: 711

Simplest method. Just install a paid/free security suite and it will automatically disable itself. Outside of that just go to Update and Security and disable the Real-Time protection. You cannot disable UAC in Windows 8 and above to the same degree as you could in Windows 7. Of course I am not sure what the UAC has to do with Windows Defender. – Ramhound – 2015-07-30T20:58:55.013

I mentioned UAC because it seemed possible that UAC was preventing me from disabling Defender. I haven't deployed the latest Kaspersky that supports Windows 10 yet, and frankly I'm not so confident that Kaspersky will install well with Defender running. Plus I want to be able to disable it on principle in case I need or want to for other reasons. – Todd Wilcox – 2015-07-30T21:02:15.083

I opened Update & Security and I am able to disable Windows Defender. Personally I was able to disable the service though after I do that. – Ramhound – 2015-07-30T21:08:30.013

Windows Defender is designed to be easily replaceable, just install another AV and it should automatically turn off. – gronostaj – 2015-07-30T21:15:18.187

@Ramhound I was still not able to disable the service after turning off the real-time scanning. – Todd Wilcox – 2015-07-30T21:25:31.537

@gronostaj If my question were how to replace Windows Defender with another A/V solution, I would suggest you post your comment as an answer and I'd accept it, except your comment is the same as Ramhound's, so I'd really suggest he do it. But that's not what I'm trying to do. – Todd Wilcox – 2015-07-30T21:26:57.063

@Abraxas I just realized the powershell answer I mentioned is your answer (which I upvoted, BTW). No need to comment and answer the same thing at the same time, IMHO. – Todd Wilcox – 2016-01-14T19:44:37.507

@ToddWilcox Good point, edited the powershell answer to give you service control as well. – Abraxas – 2016-01-14T20:35:42.990

Answers

21

You are able to do this using a Group Policy.

open gpedit.msc

navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender

Turn off Windows Defender = Enabled

If you then try to open Windows Defender you'll see this: (screenshot)

And even though in Settings it may appear to be on, the Service is not running: (screenshot)

more info:

http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html

and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350

Aaron Hoffman

Posted 2015-07-30T20:52:37.983

Reputation: 336

I can't believe I didn't find this on my own. Thanks! – Todd Wilcox – 2015-09-03T14:26:43.583

Is this also for Windows Home? I can't find gpedit.msc – Stijn de Witt – 2016-01-04T10:14:05.863

No, it does not work for home users. Pro/Enterprise/Education only – sloosecannon – 2016-12-06T22:00:38.297

Tried this... however the service is still running in task manager. – Brig – 2017-03-25T19:00:51.467

In my computer I do not have "windows defender" under "windows components". I have "Windows defender antivirus" and a bunch of other "Windows Defender XXXX" . Under "Windows defender antivirus" I have "Turn off real-time protection", I did enable that but MsMpEng.exe is still running. – Millemila – 2020-01-21T19:43:34.470

This answer is not working in fact. You need to stop WD services in the registry (other answer below) to succeed. You can't stop the WD service in services.msc or via sc.exe. Windows Pro x64 ver. 10.0.18363.628. – pbies – 2020-02-12T14:28:34.080

14

I found another way using the registry.

Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:

  1. Browse the registry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
  2. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.
  3. Change the Start value for each service to 0x4 (hex 4, decimal 4).
  4. Reboot.

Todd Wilcox

Posted 2015-07-30T20:52:37.983

Reputation: 711

I am logged in as administrator and I still get the error "Error writing start. Error writing the value's new contents." – Mark – 2015-08-27T08:44:37.053

Me too with the same error "Error writing start. Error writing the value's new contents." Any workaround for us @Todd Wilcox? – Nam G VU – 2015-10-21T02:33:16.200

Have you tried right-clicking on regedit and running as administrator? – Todd Wilcox – 2015-10-21T03:48:02.000

Unfortunately on Win10 Home Single Language, I get the same error even if I started regedit as admin; any other workaround? I'm really starting to despise Windows 10 now. – gideon – 2018-01-02T13:18:59.013

If getting Error writing (...), close regedit and reopen. – Marc.2377 – 2019-01-12T00:06:28.350

I was able to modify the registry keys without any problem, but it seems that it didn't actually disable anything, and Set-MpPreference -DisableRealtimeMonitoring $true still had an effect (v1803). – mic – 2019-07-24T22:41:49.697

Original link (https://support.microsoft.com/en-us/kb/103000) is dead (404), replaced with internet archive link: https://web.archive.org/web/20150324142918/https://support.microsoft.com/en-us/kb/103000 – Moab – 2019-12-27T05:48:36.660

11

Short version

  1. Download
  2. Extract
  3. Double-click DisableDefender.reg

Explanation

By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.

Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001

If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.

You can download the files to disable and re-enable defender from Gist.

Zenexer

Posted 2015-07-30T20:52:37.983

Reputation: 1 022

You win the Internet today, sir. – ivan_bilan – 2016-10-24T12:11:10.400

I re-enabled WD by setting the registry value back to 00000000; the result is "WD Real-time protection is off because you are using another AV". In fact I do not have any antivirus installed. How to fix this? Thanks – Santosa Sandy – 2016-11-17T10:22:16.207

@SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question. – Zenexer – 2016-11-17T15:41:24.113

Thanks Mr. PB. In an emergency and lacking any clue for investigating the error, I just updated Windows and ran a registry cleaner (e.g. CCleaner). Windows Defender is active again. Thanks – Santosa Sandy – 2016-11-21T04:41:01.300
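The registry answer earlier (service Start values set to 4) and the .reg file in this answer both describe settings that switch Defender off, and an administrator reviewing a machine, or a .reg file someone asks them to import, wants to recognise those settings before they take effect. The following Python script is an added example, not code from any answer on this page: it parses Version 5.00 .reg text (key sections, `[-...]` deletions, dword and string values, comment lines) and reports the Defender-disabling indicators it finds. The sample export embedded in it is constructed; the policy key and value names come from this answer, the service names from the registry answer, and the all-zero CLSID is a placeholder, not a real class id. Multi-line hex values are not handled.

```python
"""Read a .reg export and report settings that switch Windows Defender off."""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
DEFENDER_SERVICES = ["WinDefend", "WdBoot", "WdFilter", "WdNisDrv", "WdNisSvc"]
START_DISABLED = 4  # SERVICE_DISABLED start type

# Constructed sample export (not from a real machine): the policy values from
# the answer above, one disabled service, and one deleted key with a
# placeholder CLSID.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001

; a comment line, ignored by regedit
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
"DisplayName"="Windows Defender Antivirus Service"

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}]
"""

# Constructed export with Defender left enabled (Start=2 is SERVICE_AUTO_START).
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000002
"""

# "name"=data or @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def decode_data(data):
    """Decode the common .reg data encodings; other types are kept as text."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data == "-":
        return None            # value marked for deletion
    return data                # hex(...) and similar are left raw


def parse_reg(text):
    """Return {key_path: {value_name: data}}; a deleted key maps to None."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Version 5.00 .reg export")
    keys, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):
                keys[path[1:]] = None     # whole key deleted on import
                current = None
            else:
                current = keys.setdefault(path, {})
            continue
        match = VALUE_RE.match(line)
        if match is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = match.group("name") if match.group("name") is not None else "@"
        current[name] = decode_data(match.group("data"))
    return keys


def lookup(keys, path):
    """Case-insensitive key lookup, since registry paths are not case-sensitive."""
    wanted = path.lower()
    for key, values in keys.items():
        if key.lower() == wanted:
            return values
    return {}


def audit_defender(keys):
    """List the Defender-disabling settings present in a parsed export."""
    findings = []
    policy = lookup(keys, POLICY_KEY) or {}
    for name in ("DisableAntiSpyware", "DisableRoutinelyTakingAction"):
        if policy.get(name) == 1:
            findings.append(f"policy {name}=1 under {POLICY_KEY}")
    for service in DEFENDER_SERVICES:
        values = lookup(keys, f"{SERVICES_KEY}\\{service}") or {}
        if values.get("Start") == START_DISABLED:
            findings.append(f"service {service} start type set to Disabled (Start=4)")
    for key, values in keys.items():
        if values is None and "\\classes\\clsid\\" in key.lower():
            findings.append(f"COM class registration deleted: {key}")
    return findings


if __name__ == "__main__":
    for finding in audit_defender(parse_reg(SAMPLE_REG)):
        print("-", finding)
```

Run it over a file exported with `reg export` or over a .reg file before importing it; an empty findings list means none of the indicators above are present, not that Defender is untouched, since Set-MpPreference and the Settings app write elsewhere.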

4

It would be helpful to understand why you cannot stop a particular service.

  • I'm the administrator; worse than failure can't the Administrator administrate?!

It's because of the security permissions on the WinDefend service.

Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"


Viewing Permissions

If you run from a command line:

>sc sdshow WinDefend

where

  • sdshow means "Displays a service's security descriptor."

You'll get the security descriptor:

C:\Users\Ian>sc sdshow WinDefend

D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:

D:
   (A;;CCLCSWRPLOCRRC;;;BU)
   (A;;CCLCSWRPLOCRRC;;;SY)
   (A;;CCLCSWRPLOCRRC;;;BA)
   (A;;CCLCSWRPLOCRRC;;;IU)
   (A;;CCLCSWRPLOCRRC;;;SU)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):

  • D: discretionary access control list
    • ACE1: A;;CCLCSWRPLOCRRC;;;BU
    • ACE2: A;;CCLCSWRPLOCRRC;;;SY
    • ACE3: A;;CCLCSWRPLOCRRC;;;BA
    • ACE4: A;;CCLCSWRPLOCRRC;;;IU
    • ACE5: A;;CCLCSWRPLOCRRC;;;SU
    • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
    • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.

Looking first at who they apply to, a random blog article decodes some of them (archive.is):

  • BU: Built-in users
  • SY: Local System
  • BA: Built-in administrators
  • IU: Interactively logged-on user
  • SU: Service logon user
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer
  • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736:

You can get the name associated with an SID by running:

>wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name

Each ACE contains a list of permissions that the user is being allowed or denied.

  • D: discretionary access control list
    • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users
    • ACE 2: A;;CCLCSWRPLOCRRC;;; Local system
    • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators
    • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user
    • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user
    • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer
    • ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

Breaking down the remaining semicolon separated sections in an ACE:

  • ACE: A;;CCLCSWRPLOCRRC;;;
    • AceType: A ACCESS_ALLOWED_ACE_TYPE
    • AceFlags: (none)
    • AccessMask: CC LC SW RP LO CR RC
      • CC: CREATE_CHILD
      • LC: LIST_CHILDREN
      • SW: SELF_WRITE
      • RP: READ_PROPERTY
      • LO: LIST_OBJECT
      • CR: CONTROL_ACCESS
      • RC: READ_CONTROL
    • ObjectGuid: (none)
    • InheritObjectGuid: (none)

The leading A means Allowed, and the permissions are two-letter codes:

  • D: discretionary access control list
    • ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users
    • ACE 2: Allow, CC LC SW RP LO CR RC, Local system
    • ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators
    • ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user
    • ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user
    • ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer
    • ACE 7: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

And this is where I'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but I've already stopped it, and my PC is still misbehaving.

Spoiler:

sc sdset WinDefend [newSDLString]

Bonus Reading

Ian Boyd

Posted 2015-07-30T20:52:37.983

Reputation: 18 244
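To make the decode above concrete, here is an added Python example that is not part of Ian Boyd's answer: it parses the DACL printed by `sc sdshow` into ACEs. One fact it adds to the tables above: the two-letter codes are generic SDDL tokens, and on a service object the bits they stand for are the SERVICE_* rights, so RP is SERVICE_START and WP is SERVICE_STOP. That is the whole story behind the access-denied error: the ACE for Built-in Administrators carries RP but not WP, so an elevated administrator may start WinDefend but not stop it, while only the two S-1-5-80 service SIDs (TrustedInstaller and the unnamed one) hold WP, WD and WO. The well-known trustee abbreviations and the TrustedInstaller SID are standard values; the sample descriptor is copied from the answer; the simplified evaluation (allow ACEs minus deny ACEs per trustee) ignores group membership and ACE ordering.

```python
"""Decode the DACL of a Windows service security descriptor given in SDDL."""
import re
from dataclasses import dataclass

# Generic SDDL right codes with the SERVICE_* right that occupies the same
# bit when the descriptor belongs to a service; standard rights come last.
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}

# Well-known SDDL trustee abbreviations plus the TrustedInstaller service SID.
TRUSTED_INSTALLER_SID = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
WELL_KNOWN_TRUSTEES = {
    "BU": "BUILTIN\\Users",
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE",
    TRUSTED_INSTALLER_SID: "NT SERVICE\\TrustedInstaller",
}

# The WinDefend descriptor exactly as 'sc sdshow WinDefend' printed it above.
WINDEFEND_SDDL = (
    "D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)"
    "(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + TRUSTED_INSTALLER_SID + ")"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)"
)


@dataclass
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    flags: str      # inheritance flags; empty for service ACEs
    rights: list    # two-letter SDDL codes in the order written
    trustee: str    # SDDL abbreviation or a full SID string


def split_rights(rights_field):
    """Turn the rights field into two-letter codes; a hex mask is accepted too."""
    if rights_field.startswith("0x"):
        mask = int(rights_field, 16)
        return [code for code, (bit, _) in SERVICE_RIGHTS.items() if mask & bit]
    if len(rights_field) % 2:
        raise ValueError(f"odd-length rights field: {rights_field!r}")
    return [rights_field[i:i + 2] for i in range(0, len(rights_field), 2)]


def parse_dacl(sddl):
    """Return the ACEs of the D: (discretionary ACL) part of an SDDL string."""
    match = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL found in descriptor")
    aces = []
    for raw in re.findall(r"\(([^)]*)\)", match.group(2)):
        fields = raw.split(";")   # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) != 6:
            raise ValueError(f"ACE does not have 6 fields: {raw!r}")
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = fields
        aces.append(Ace(ace_type, flags, split_rights(rights), trustee))
    return aces


def effective_rights(aces, trustee):
    """Service rights a trustee ends up with: allow ACEs minus deny ACEs."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.trustee != trustee:
            continue
        names = {SERVICE_RIGHTS[c][1] for c in ace.rights if c in SERVICE_RIGHTS}
        (allowed if ace.ace_type == "A" else denied).update(names)
    return allowed - denied


def describe(aces):
    """One readable line per ACE, naming the trustee and its service rights."""
    lines = []
    for n, ace in enumerate(aces, 1):
        who = WELL_KNOWN_TRUSTEES.get(ace.trustee)
        if who is None and ace.trustee.startswith("S-1-5-80-"):
            who = f"{ace.trustee} (per-service SID, NT SERVICE\\<name>)"
        verb = "Allow" if ace.ace_type == "A" else "Deny"
        names = [SERVICE_RIGHTS.get(c, (0, c))[1] for c in ace.rights]
        lines.append(f"ACE {n}: {verb} {who or ace.trustee}: {', '.join(names)}")
    return lines


if __name__ == "__main__":
    aces = parse_dacl(WINDEFEND_SDDL)
    print("\n".join(describe(aces)))
    admin = effective_rights(aces, "BA")
    print("Administrators may start:", "SERVICE_START" in admin,
          "| may stop:", "SERVICE_STOP" in admin)
```

The same parser serves when auditing services rather than fighting one: feed it the `sc sdshow` output for each service and flag any trustee other than SYSTEM and TrustedInstaller holding SERVICE_STOP, SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER on a security service, since a loosened DACL there is how a protected service gets quietly stopped or reconfigured.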

4

To disable Windows Defender completely (not just the Real-Time protection) you can:

  1. Install another security suite (as Ramhound mentioned).
  2. If you're willing to use a third party application, you could use NoDefender: http://msft.gq/pub/apps/NoDefender.zip

More information about NoDefender can be found here: http://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/

user5071535

Posted 2015-07-30T20:52:37.983

Reputation: 380

I suspect NoDefender might just be an automated way to edit the registry, which I have done manually. – Todd Wilcox – 2015-07-30T21:29:02.200

@ToddWilcox, Your method is better than mine then! One less third party application to worry about. – user5071535 – 2015-07-30T21:49:39.730

I still see the antimalware service running, which runs Windows Defender. I have AVG free edition installed – shorif2000 – 2015-08-15T19:25:11.883

Exactly, @Sharif I'd like to see any confirmations that the antimalware service is also disabled. – Mark – 2015-08-27T08:39:12.967

2

I have written a batch file and registry files that should completely disable Windows Defender in Windows 10.

  1. Save the following files into the same folder.
  2. Run Disable Windows Defender.bat as administrator.
  3. After the batch file is done, restart.
  4. Run Disable Windows Defender.bat again as administrator.
  5. Windows Defender should be completely disabled now.

Disable Windows Defender.bat

@echo off

call :main %*
goto :eof

:main
    setlocal EnableDelayedExpansion

    rem Check if Windows Defender is running.
    tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
    if %errorLevel% equ 0 (
        rem Windows Defender is running.
        echo Windows Defender is running.

        rem Performable operations while Windows Defender is running.
        rem Disable Windows Defender drivers.
        echo Disabling Windows Defender drivers...
        set "drivers="%SystemRoot%\System32\drivers\WdBoot.sys";"%SystemRoot%\System32\drivers\WdFilter.sys";"%SystemRoot%\System32\drivers\WdNisDrv.sys""
        set "drivers=!drivers:""="!"

        set "wasDriverDisabled=false"
        for %%d in (!drivers!) do (
            if exist "%%~d" (
                echo Disabling Windows Defender driver "%%~d"...
                call :disableFile "%%~d"
                set "wasDriverDisabled=true"
            )
        )

        rem Disable Windows Defender objects.
        echo Disabling Windows Defender objects...
        call :importRegistry "Disable Windows Defender objects.reg"

        rem Require restart to unload Windows Defender drivers and objects.
        echo.
        echo Restart required.
    ) else (
        rem Windows Defender is not running.
        echo Windows Defender is not running.

        rem Performable operations while Windows Defender is not running.
        rem Disable Windows Defender features.
        echo Disabling Windows Defender features...
        call :importRegistry "Disable Windows Defender features.reg"
        rem Disable Windows Defender services.
        echo Disabling Windows Defender services...
        call :importRegistry "Disable Windows Defender services.reg"

        rem Disable Windows Defender files.
        echo Disabling Windows Defender files...
        ren "%ProgramFiles%\Windows Defender" "Windows Defender.bak"
        ren "%ProgramFiles(x86)%\Windows Defender" "Windows Defender.bak"
        ren "%ProgramData%\Microsoft\Windows Defender" "Windows Defender.bak"
    )

    endlocal
    goto :eof

:ownFile
    setlocal
    set "filePath=%~1"
    set "user=%~2"
    takeown /f "%filePath%" /a
    icacls "%filePath%" /grant "%user%:F"
    endlocal
    goto :eof

:disableFile
    setlocal
    set "filePath=%~1"
    call :ownFile "%filePath%" "Administrators"
    ren "%filePath%" "%~nx1.bak"
    endlocal
    goto :eof

:importRegistry
    setlocal
    set "filePath=%~1"
    call OwnRegistryKeys.bat "%filePath%"
    @echo off
    regedit /s "%filePath%"
    endlocal
    goto :eof

Disable Windows Defender objects.reg

Windows Registry Editor Version 5.00

; Disable "Scan with Windows Defender..." right click context menu.
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

; Disable "DefenderCSP.dll".
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

; Disable InfectionState WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

; Disable Status WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

; Disable Microsoft Windows Defender ("MsMpCom.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]

; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

; Disable MP UX Host ("MpUxSrv.exe").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]

Disable Windows Defender features.reg

Windows Registry Editor Version 5.00

; Disable Windows Defender features.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\UX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\UX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001

Disable Windows Defender services.reg

Windows Registry Editor Version 5.00

; Disable "Windows Defender" services.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004

OwnRegistryKeys.bat

@echo off

rem Get the location of the PowerShell file.
for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
    rem Run command for each argument.
    for %%a in (%*) do (
        powershell -executionPolicy bypass -file "%%~f" "%%~a"
    )
)

OwnRegistryKeys.ps1

$script:baseKey = @{
    "HKEY_CLASSES_ROOT" = @{
        "name" = "HKEY_CLASSES_ROOT";
        "shortName" = "HKCR";
        "key" = [Microsoft.Win32.Registry]::ClassesRoot
    };
    "HKEY_CURRENT_CONFIG" = @{
        "name" = "HKEY_CURRENT_CONFIG";
        "shortName" = "HKCC";
        "key" = [Microsoft.Win32.Registry]::CurrentConfig
    };
    "HKEY_CURRENT_USER" = @{
        "name" = "HKEY_CURRENT_USER";
        "shortName" = "HKCU";
        "key" = [Microsoft.Win32.Registry]::CurrentUser
    };
    "HKEY_DYN_DATA" = @{
        "name" = "HKEY_DYN_DATA";
        "shortName" = "HKDD";
        "key" = [Microsoft.Win32.Registry]::DynData
    };
    "HKEY_LOCAL_MACHINE" = @{
        "name" = "HKEY_LOCAL_MACHINE";
        "shortName" = "HKLM";
        "key" = [Microsoft.Win32.Registry]::LocalMachine
    };
    "HKEY_PERFORMANCE_DATA" = @{
        "name" = "HKEY_PERFORMANCE_DATA";
        "shortName" = "HKPD";
        "key" = [Microsoft.Win32.Registry]::PerformanceData
    };
    "HKEY_USERS" = @{
        "name" = "HKEY_USERS";
        "shortName" = "HKU";
        "key" = [Microsoft.Win32.Registry]::Users
    }
}

function enablePrivilege {
    param(
        # The privilege to adjust. This set is taken from:
        # http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
        [validateSet(
            "SeAssignPrimaryTokenPrivilege",
            "SeAuditPrivilege",
            "SeBackupPrivilege",
            "SeChangeNotifyPrivilege",
            "SeCreateGlobalPrivilege",
            "SeCreatePagefilePrivilege",
            "SeCreatePermanentPrivilege",
            "SeCreateSymbolicLinkPrivilege",
            "SeCreateTokenPrivilege",
            "SeDebugPrivilege",
            "SeEnableDelegationPrivilege",
            "SeImpersonatePrivilege",
            "SeIncreaseBasePriorityPrivilege",
            "SeIncreaseQuotaPrivilege",
            "SeIncreaseWorkingSetPrivilege",
            "SeLoadDriverPrivilege",
            "SeLockMemoryPrivilege",
            "SeMachineAccountPrivilege",
            "SeManageVolumePrivilege",
            "SeProfileSingleProcessPrivilege",
            "SeRelabelPrivilege",
            "SeRemoteShutdownPrivilege",
            "SeRestorePrivilege",
            "SeSecurityPrivilege",
            "SeShutdownPrivilege",
            "SeSyncAgentPrivilege",
            "SeSystemEnvironmentPrivilege",
            "SeSystemProfilePrivilege",
            "SeSystemtimePrivilege",
            "SeTakeOwnershipPrivilege",
            "SeTcbPrivilege",
            "SeTimeZonePrivilege",
            "SeTrustedCredManAccessPrivilege",
            "SeUndockPrivilege",
            "SeUnsolicitedInputPrivilege"
        )]
        $privilege,

        # The process on which to adjust the privilege. Defaults to the current process.
        $processId = $pid,

        # Switch to disable the privilege, rather than enable it.
        [switch] $disable
    )

    # Taken from P/Invoke.NET with minor adjustments.
    $definition = @'
using System;
using System.Runtime.InteropServices;

public class AdjustPrivilege {
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid {
        public int Count;
        public long Luid;
        public int Attr;
    }

    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

    public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
        bool result;
        TokPriv1Luid tp;
        IntPtr hproc = new IntPtr(processHandle);
        IntPtr htok = IntPtr.Zero;
        result = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
        tp.Count = 1;
        tp.Luid = 0;
        if (disable) {
            tp.Attr = SE_PRIVILEGE_DISABLED;
        } else {
            tp.Attr = SE_PRIVILEGE_ENABLED;
        }
        result = LookupPrivilegeValue(null, privilege, ref tp.Luid);
        result = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return result;
    }
}
'@

    $processHandle = (get-process -id $processId).handle
    $type = add-type $definition -passThru
    $type[0]::EnablePrivilege($processHandle, $privilege, $disable)
}

function getKeyNames {
    param(
        [parameter(mandatory = $true)]
        [string[]] $filePaths = $null
    )

    return (get-content $filePaths | select-string -pattern "\[\-?(.*)\]" -allMatches | forEach-object {$_.matches.groups[1].value} | get-unique)
}

function splitKeyName {
    param(
        [parameter(mandatory = $true)]
        [string] $keyName = $null
    )

    $names = $keyName.split("\\/", 2)

    $rootKeyName = $names[0]
    $subKeyName = $names[1]

    $keyPart = @{
        root = $baseKey[$rootKeyName];
        subKey = @{
            name = $subKeyName
        }
    }

    return $keyPart
}

function ownRegistryKey {
    param(
        [parameter(mandatory = $true)]
        [string] $keyName = $null
    )

    write-host """$keyName"""

    # Check if the key exists.
    if ($(try { test-path -path "Registry::$keyName".trim() } catch { $false })) {
        write-host "    Opening..."

        $keyPart = splitKeyName -keyName $keyName
        $ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
        if ($ownableKey -ne $null) {
            # Set the owner.
            write-host "    Setting owner..."
            $acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
            $owner = [System.Security.Principal.NTAccount] "Administrators"
            $acl.setOwner($owner)
            $ownableKey.setAccessControl($acl)

            # Set the permissions.
            write-host "    Setting permissions..."
            $acl = $ownableKey.getAccessControl()
            $person = [System.Security.Principal.NTAccount] "Administrators"
            $access = [System.Security.AccessControl.RegistryRights] "FullControl"
            $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
            $propagation = [System.Security.AccessControl.PropagationFlags] "None"
            $type = [System.Security.AccessControl.AccessControlType] "Allow"

            $rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
            $acl.setAccessRule($rule)
            $ownableKey.setAccessControl($acl)

            $ownableKey.close()

            write-host "    Done."

            # Own children subkeys.
            $readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
            if ($readableKey -ne $null) {
                $subKeyNames = ($readableKey.getSubKeyNames() | forEach-object { "$keyName\$_" })
                $readableKey.close()
                if ($subKeyNames -ne $null) {
                    ownRegistryKeys -keyNames $subKeyNames
                }
            } else {
                write-host "    Unable to open children subkeys."
            }
        } else {
            write-host "    Unable to open subkey."
        }
    } else {
        write-host "    Key does not exist."
    }

    write-host
}

function ownRegistryKeys {
    param(
        [parameter(mandatory = $true)]
        [string[]] $keyNames = $null
    )

    $keyName = $null
    foreach ($keyName in $keyNames) {
        # Own parent key and children subkeys.
        ownRegistryKey -keyName $keyName
    }
}

function requestPrivileges {
    $numberOfRetries = 10

    $privilegeResult = $false
    for ($r = 0; !$privilegeResult -and $r -lt $numberOfRetries; $r += 1) {
        $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
    }

    if (!$privilegeResult) {
        write-host "Unable to receive privilege."
        exit 1
    }
}

function main {
    param(
        [parameter(mandatory = $true)]
        [string[]] $filePaths = $null
    )

    requestPrivileges

    $keyNames = getKeyNames -filePaths $filePaths
    ownRegistryKeys -keyNames $keyNames
}

main $args

XP1

Posted 2015-07-30T20:52:37.983

Reputation: 924

Thanks! BTW: This requires the English version of Windows to work correctly – M. Abdelhafid – 2018-09-13T19:04:00.033

1

The easy powershell method is here from an answer I posted on a question later marked duplicate for this.

The easiest way to do this would be to use powershell to disable it; the command you probably want is this:

Set-MpPreference -DisableRealtimeMonitoring $true
Get-Service WinDefend | stop-service 

For an article on using powershell to disable/enable Windows Defender check here: http://wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows-10-using-powershell

Here is the technet article for a more detailed look at available defender cmdlets: https://technet.microsoft.com/en-us/library/dn433280.aspx

Abraxas

Posted 2015-07-30T20:52:37.983

Reputation: 3 704

I don't believe this would stop and disable the service itself. It just disables the real-time capabilities of Windows Defender, which can simply be done through Settings, no need for a PowerShell applet. – Ramhound – 2016-01-14T19:48:16.880

@Ramhound edited for service mgmt with PowerShell. I'm not 100% sure it will stop the service without the same issue as net stop service, but I have had more luck with PowerShell and don't believe get/stop-service alias to net stop – Abraxas – 2016-01-14T19:57:04.203

1

I found that the following procedure works well; it doesn't remove or disable Windows Defender, but it disables the Windows Defender SERVICE, stops all start-up and real-time scanning, and prevents Windows Defender Real-Time Scan from turning itself back on. (It leaves Windows Defender in place, so you can use it to perform on-demand scanning of suspicious files.)

PROCEDURE:

  1. Find, download, install "SysInternals" program suite.
  2. Run program "AutoRuns".
  3. Find "Windows Defender Service".
  4. Uncheck the box.
  5. Restart your computer.

After doing that, my startup time decreased from 20min to 5min, and memory usage after startup (before launching any apps) decreased from 2.1GB to 1.2GB. And when I looked in "Services", I found that "Windows Defender Service", while still there, is now marked "NOT running, Disabled".

Robbie Hatley

Posted 2015-07-30T20:52:37.983

Reputation: 11

Gives "access is denied", even running as Administrator – pgr – 2019-11-30T12:18:55.203

1

It is not so easy to reliably and totally disable Windows Defender. There is a PowerShell script that uninstalls Windows Defender, but you may not be able to install it back later. This script requires two reboots.

Just download Debloat-Windows-10 and follow these steps, provided by the author:

  1. Unpack the archive;
  2. Enable execution of PowerShell scripts:

    PS> Set-ExecutionPolicy Unrestricted

  3. Unblock PowerShell scripts and modules within this directory:

    PS > ls -Recurse *.ps1 | Unblock-File
    PS > ls -Recurse *.psm1 | Unblock-File

  4. Run scripts\disable-windows-defender.ps1

  5. Reboot the computer (either the usual way or via PS > Restart-Computer)
  6. Run scripts\disable-windows-defender.ps1 one more time.
  7. Reboot the computer again.

This is not the easiest way, but very reliable and resilient.

There are also scripts to remove unnecessary programs like BingFinance, Skype, OneDrive, etc., if you don't need them.

The archive also contains a lot of scripts that you may find useful.

Please be aware that these scripts irreversibly delete files and can delete vital functions of Windows. For example, they may totally disable the Start menu!

Don't run disable-ShellExperienceHost.bat from this package, otherwise the Start Menu will stop opening.

Maxim Masiutin

Posted 2015-07-30T20:52:37.983

Reputation: 69

0

The easiest way I've found is to open an administrator command prompt and run:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1

Then reboot. I have not been able to find a way to shut down the service once it is started without a reboot.

jcoffland

Posted 2015-07-30T20:52:37.983

Reputation: 197
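As an added example, not code from either answer, the following PowerShell check reports the three things the Set-MpPreference answer above and the reg add answer here each change (the real-time monitoring preference, the WinDefend service, and the DisableAntiSpyware policy value), so an admin can verify or audit what a host is actually doing. It assumes Windows 10 with the Defender PowerShell module available and an elevated prompt.

```powershell
# Added example (not from any answer on this page). Assumes Windows 10 with the
# Defender PowerShell module (Get-MpPreference) and an elevated prompt.
function Get-DefenderDisableState {
    # Group Policy value the "reg add" answer writes; absent key or value => $null
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = Get-ItemProperty -Path $policyPath -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $policyValue = if ($null -ne $policy) { [int]$policy.DisableAntiSpyware } else { 'not set' }

    # Service state and start type that net stop / Stop-Service / Autoruns act on
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
    $svcStart  = if ($svc) { $svc.StartType.ToString() } else { 'not installed' }

    # Preference toggled by Set-MpPreference -DisableRealtimeMonitoring; the cmdlet
    # errors when the service is stopped, so report 'unknown' instead of aborting.
    try   { $rtDisabled = (Get-MpPreference -ErrorAction Stop).DisableRealtimeMonitoring }
    catch { $rtDisabled = 'unknown' }

    [pscustomobject]@{
        PolicyDisableAntiSpyware   = $policyValue
        ServiceStatus              = $svcStatus
        ServiceStartType           = $svcStart
        RealtimeMonitoringDisabled = $rtDisabled
    }
}

$state = Get-DefenderDisableState
$state | Format-List

# Each of the methods on this page leaves a visible trace in one of these fields;
# flag the host if any of them shows Defender switched off.
$disabled = ($state.PolicyDisableAntiSpyware -eq 1) -or
            ($state.ServiceStatus -ne 'Running') -or
            ($state.RealtimeMonitoringDisabled -eq $true)
if ($disabled) {
    Write-Warning 'Windows Defender is disabled or not fully running on this host.'
} else {
    Write-Host 'Windows Defender policy, service and real-time monitoring all look enabled.'
}
```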

0

In my experience setting the Group Policy is the most reliable way to stop Windows Defender and its Antimalware Service Executable. However, I recently encountered a situation where setting a Group Policy had no effect, and the Antimalware executable kept running and eating into my CPU.

I ended up writing a small script to take ownership of the executable and deny read and execute access rights for it. This solved the problem. The script is below.

@echo off

echo.
echo Disabling Windows Defender Antimalware Executable
echo Note: must be run with Admin permissions
echo.

rem taking ownership of Windows Defender files so that we can change their permissions
takeown /f "%PROGRAMDATA%\Microsoft\Windows Defender\Platform" /A /r /d y > takeown-result.txt

rem denying read and execute for all MsMpEng.exe files found in the directory structure (there may be multiple versions)
icacls "%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*MsMpEng.exe" /deny SYSTEM:(RX) /deny Administrators:(RX) /deny Users:(RX) /T /C

@echo on

Andy

Posted 2015-07-30T20:52:37.983

Reputation: 203

This worked for me on Windows 10 Pro [Version 10.0.18362.476], and survived a reboot. But my path was c:\Program Files\Windows Defender\MsMpEng.exe – pgr – 2019-11-30T15:48:54.400

0

I managed to disable it using Autoruns; under the services tab there is an entry WinDefend, untick the box and reboot.

FreddyFlares

Posted 2015-07-30T20:52:37.983

Reputation: 111

Gives "access is denied", even running as Administrator – pgr – 2019-11-30T12:19:38.973