Difficult to disable Windows Defender

357mag

Just to be clear, I have not made my custom NTLite setup disk yet. I am simply still using my computer the way it came. I asked Copilot to give me a .reg file that would disable Windows Defender. Didn't work. I have tried several different ways that Copilot recommended (like merging the file while in safe mode), but Defender continues to run.

What I have not tried is merging the .reg file that was posted in the Disabling Windows Defender thread (I think Garlin posted it).

Shall I try that file next?
 
All you need is to disable the 5 Defender services. Everything else is moot because nothing is running in the background.

The reason many scripts or reg files fail is because Tamper Protection is running on a live system to prevent you from using reg changes to disable Defender. MS requires you to enter Security Center and use the UI to disable it. Otherwise you have to boot into WinPE or Recovery, before you can disable Tamper Protection in the mounted registry.

With an offline image, there is no live system and reg values are unprotected.
 
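The offline case described above (no live system, so Tamper Protection cannot protect the values), as an added example that is not from the thread or from NTLite: mount the image with DISM, load its SYSTEM hive, set Start=4 on the service keys, unload and commit. The WIM and mount paths are assumptions, and so is the service list; the thread only says "the 5 services" without naming them.

```powershell
# Added example, not from the thread. Disables the Defender services in an
# OFFLINE image by editing its SYSTEM hive, where Tamper Protection is not
# running. Run from an elevated PowerShell on the technician machine.
# Assumptions (the thread does not state them): the WIM and mount paths, and
# the service names (the thread only says "the 5 services").
$ErrorActionPreference = 'Stop'
$Wim      = 'D:\work\install.wim'      # assumed path to the image
$Index    = 1                          # assumed edition index
$Mount    = 'D:\work\mount'            # assumed empty mount directory
$Services = 'WinDefend','WdNisSvc','WdNisDrv','WdFilter','WdBoot'  # assumed list
$HiveName = 'OFFSYS'

New-Item -ItemType Directory -Path $Mount -Force | Out-Null
dism /Mount-Image "/ImageFile:$Wim" "/Index:$Index" "/MountDir:$Mount"
if ($LASTEXITCODE -ne 0) { throw "dism mount failed ($LASTEXITCODE)" }

try {
    # Load the image's SYSTEM hive under HKLM\OFFSYS. An offline hive has no
    # CurrentControlSet link, so use the control set named by Select\Default.
    $hive = Join-Path $Mount 'Windows\System32\config\SYSTEM'
    reg load "HKLM\$HiveName" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }
    try {
        $default = (Get-ItemProperty "HKLM:\$HiveName\Select").Default
        $cs      = 'HKLM:\{0}\ControlSet{1:D3}' -f $HiveName, $default
        foreach ($svc in $Services) {
            $key = "$cs\Services\$svc"
            if (-not (Test-Path $key)) { "$svc : not present in this image"; continue }
            $before = (Get-ItemProperty $key).Start
            Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord   # 4 = Disabled
            '{0,-10} Start {1} -> {2}' -f $svc, $before, (Get-ItemProperty $key).Start
        }
    } finally {
        # Drop PowerShell's handles to the hive before unloading, or the unload fails.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        reg unload "HKLM\$HiveName" | Out-Null
    }
    dism /Unmount-Image "/MountDir:$Mount" /Commit
    if ($LASTEXITCODE -ne 0) { throw "dism commit failed ($LASTEXITCODE)" }
} catch {
    # Anything went wrong: throw the mounted changes away rather than commit a half-edited image.
    dism /Unmount-Image "/MountDir:$Mount" /Discard | Out-Null
    throw
}
```

Because nothing in the image is running while it is mounted, no ACL or Tamper Protection check stands in the way; the first boot then starts with the services already disabled, which is the "baked in" behaviour described later in the thread.
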
If I tried to merge that .reg file you posted in that thread, would that work? If not, how does one disable the 5 Defender services (not using help from NTLite) but just doing it within Windows itself?

Actually, I'm starting to think that you have to use NTLite to disable those 5 services. I was planning on using the method using the options within NTLite according to post #31 in that thread.
 
If you wanted to test the reg file:
1. Open Security Center.
2. Disable Tamper Protection in the UI. Reboot to make the change effective; Tamper Protection is only enabled at boot time.
3. reg import the reg file.
4. Reboot again (or manually disable the same services by hand).
 
I tried importing your .reg but it didn't work. I tried it in safe mode too. I got this:

When I clicked on Merge it said "cannot import..." "Not all data was successfully written to the registry. Some keys are open by the system or other processes, or you have insufficient privileges to perform this operation."
 
I tried that. It looked like it partially worked. When I ran this command to test if Defender was disabled, it gave me only 2 false entries. The third entry was still true:

Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled

When I looked in Task Manager, MsMpEng.exe was still there and running.

When I looked in Windows Security it said something about No active anti-virus provider. Your system is vulnerable.

So I'm thinking it partially worked, but maybe not totally.
 
Starting state after installing a clean ISO:
Code:
AMServiceEnabled          : True
AntivirusEnabled          : True
RealTimeProtectionEnabled : True

1. Turn off Tamper Protection. Restart.
2. PowerRun reg import (partial error). Restart.
3. PowerRun reg import (no errors). Restart.
Code:
AMServiceEnabled          : False
AntivirusEnabled          : False
RealTimeProtectionEnabled : False
PS C:\Windows\System32> (Get-Process).Name | sort | select -unique
audiodg
cmd
conhost
csrss
ctfmon
dllhost
dwm
explorer
fontdrvhost
Idle
lsass
Memory Compression
MicrosoftEdgeUpdate
msdtc
msedge
msedgewebview2
OneDrive
powershell
Registry
RuntimeBroker
SearchHost
SearchIndexer
SearchProtocolHost
SecurityHealthService
SecurityHealthSystray
services
ShellHost
sihost
smartscreen
smss
spoolsv
StartMenuExperienceHost
svchost
System
taskhostw
VGAuthService
vm3dservice
vmtoolsd
VSSVC
Widgets
WidgetService
wininit
winlogon
WmiApSrv
WmiPrvSE

 
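The live-system procedure given earlier in the thread (Tamper Protection off and rebooted, then the registry change, then another reboot) together with the status check shown in the clean-ISO run, as one added example that is not from the thread or from NTLite. The service names are an assumption, as the thread only says "the 5 services"; the script refuses to continue while Tamper Protection is still on, writes Start=4 on each service key (what the .reg file does), and reports the same fields before and after.

```powershell
# Added example, not from the thread. Live-system version of the four-step
# procedure, plus the status check the thread uses to confirm the result.
# Assumption: the service names (the thread only says "the 5 services").
# The Defender service keys are ACL'd so that even Administrators cannot
# write them; run this through PowerRun (as TrustedInstaller), as the thread
# did, or expect "access denied" on some keys.
$ErrorActionPreference = 'Stop'
$Services = 'WinDefend','WdNisSvc','WdNisDrv','WdFilter','WdBoot'   # assumed list

function Get-DefenderState {
    # The three Get-MpComputerStatus fields checked in the thread, plus the
    # engine process and each service's Start value (4 = Disabled).
    try   { $mp = Get-MpComputerStatus }
    catch { $mp = $null }   # the provider can be unavailable once Defender is fully off
    $start = foreach ($svc in $Services) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $v = if (Test-Path $key) { (Get-ItemProperty $key).Start } else { 'n/a' }
        "$svc=$v"
    }
    [pscustomobject]@{
        TamperProtected           = $mp.IsTamperProtected
        AMServiceEnabled          = $mp.AMServiceEnabled
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        MsMpEngRunning            = [bool](Get-Process MsMpEng -ErrorAction SilentlyContinue)
        ServiceStart              = $start -join ' '
    }
}

$state = Get-DefenderState
'Before:'; $state | Format-List

# Steps 1 and 2: Tamper Protection must already be off (UI toggle + reboot).
# Registry writes against the service keys are blocked while it is on.
if ($state.TamperProtected) {
    throw 'Tamper Protection is still on; turn it off in Windows Security and reboot first.'
}

# Step 3: what the .reg file does, written out explicitly. Access denied here
# means the script is not running as TrustedInstaller.
foreach ($svc in $Services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { continue }
    try   { Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord }
    catch { Write-Warning "$svc : $($_.Exception.Message)" }
}

# Step 4: reboot. The Start values only take effect then; after the reboot
# expect False/False/False and no MsMpEng, as in the clean-ISO run.
'After (effective at next reboot):'; Get-DefenderState | Format-List
```

Running Get-DefenderState on its own, before and after each reboot, gives the same picture the thread pieced together from Get-MpComputerStatus, Task Manager and Windows Security: a partial result (two False, one True, MsMpEng still running) means some keys were not written, which is the PowerRun case in the clean-ISO run.
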
None of these extra steps are required if you integrated the reg file directly from the Registry screen. All the settings are "baked in", so the mutual protection the services provide each other is canceled out when Windows runs the first time.

And Security Center still works for all the other settings.
 
I tried opening up the Registry Editor and choosing import, and importing your registry file, but I still get the same error message. But I'm not working with a clean install of Windows either.
 
Nothing. But Windows doesn't re-enable Defender services on its own. Defender is solely responsible for "defending itself".

No one has complained they need to run a scheduled task to play Defender whack-a-mole after the services are properly disabled.
 