[Bug]: Defender is not completely disabled #385

Cassandre60 opened this issue Jul 8, 2024 · 13 comments
Labels
bug Something isn't working

Comments


Cassandre60 commented Jul 8, 2024

Description

After I disabled Defender using the 1100-line script generated by privacy.sexy, I still have:
+webthreatdefusersvc_4549a, Web Threat Defense User Service_4549a
+WinDefend, Microsoft Defender Antivirus Service
+MDCoreSvc, Microsoft Defender Core Service
still running.

Is this normal/expected behavior, or does this mean that Windows Defender is still enabled?
I'm new to this space of privacy/debloating, so I might get some things wrong.

Reproduction steps

In privacy.sexy, check windows defender and then click run script.

Expected behavior

For Defender to be completely removed.

Screenshots

No response

privacy.sexy environment details

No response

Additional context

In powershell,
Get-MpComputerStatus | select AMRunningMode
returns
AMRunningMode

Normal
which as far as I know means Defender is still running.
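As an added example (not code from this issue or from privacy.sexy), the following PowerShell snippet answers the question asked above in one pass: it lists the Defender services that are still registered with their state and start mode, and reads the engine status that `Get-MpComputerStatus` exposes. The service names `WdNisSvc`, `Sense` and `webthreatdefsvc` are assumptions added here for completeness; the thread itself only mentions `WinDefend`, `MDCoreSvc` and the per-user `webthreatdefusersvc_*` instance.

```powershell
# Added example, not from the privacy.sexy project: audit which Microsoft
# Defender services survive a "disable" run and what the engine reports.
# WdNisSvc, Sense and webthreatdefsvc are assumed names not in the thread.
function Get-DefenderServiceState {
    [CmdletBinding()]
    param(
        [string[]]$ServiceName = @('WinDefend', 'MDCoreSvc', 'WdNisSvc', 'Sense', 'webthreatdefsvc')
    )
    # Per-user services get a per-logon suffix (e.g. webthreatdefusersvc_4549a),
    # so match the template name with a wildcard instead of hard-coding it.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $ServiceName -contains $_.Name -or $_.Name -like 'webthreatdefusersvc_*' }

    foreach ($svc in $services) {
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State      # Running / Stopped
            StartMode   = $svc.StartMode  # Auto / Manual / Disabled
            PathName    = $svc.PathName   # confirms which executable backs the service
        }
    }
}

function Get-DefenderEngineState {
    # Get-MpComputerStatus throws when the WinDefend service is not reachable,
    # which is itself the signal we want: report it instead of failing.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            AMRunningMode             = $s.AMRunningMode            # 'Normal' means the engine is active
            AMServiceEnabled          = $s.AMServiceEnabled
            RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
            IsTamperProtected         = $s.IsTamperProtected         # True: registry/policy edits to Defender are rejected
            Error                     = $null
        }
    } catch {
        [pscustomobject]@{
            AMRunningMode             = 'Unavailable'
            AMServiceEnabled          = $false
            RealTimeProtectionEnabled = $false
            IsTamperProtected         = $null
            Error                     = $_.Exception.Message
        }
    }
}

Get-DefenderServiceState | Format-Table -AutoSize
Get-DefenderEngineState  | Format-List
```

Run it before and after applying a script and compare the two outputs. `WinDefend` in state `Running` together with `AMRunningMode` equal to `Normal` means the antimalware engine is still active no matter how many policy values were written; `IsTamperProtected` equal to `True` explains why registry-based changes to Defender settings may silently not apply.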

Cassandre60 added the "bug" label Jul 8, 2024
@undergroundwires
Owner

Great bug report @Cassandre60. A lot of useful information. I will do some research and add disabling of these services.

I will also increase the aggressiveness by disabling and blocking execution of the executables of these services.

These should help with this issue.

We have #170, but it's not as helpful and concrete as this report which gives me the technical details to be able to go further.

Please keep in mind that these changes will not be fast, so no timelines promised, but hopefully in next patch release.

I will share the code with you once it's ready to test if it helps with getting rid of these processes/services.

@Cassandre60
Author

Thanks for the quick reply, no problems on the timeline, just appreciate the work you and your colleagues are doing.

@Silver347

You could also try "Defender Remover" by ionuttbara (https://github.com/ionuttbara/windows-defender-remover)

only make sure that you disable "Tamper Protection" and all realtime protection in Windows Defender before running it.

@Cassandre60
Author

My defender is maybe disabled by like 95%, so I'm afraid to mess things up now, since I'm a normal user.
On my task manager smartscreen.exe, Windows Defender SmartScreen takes 0% CPU and around 1.5 MB of RAM and
MpDefenderCoreService.exe Antimalware Core Service takes 0% CPU and 5.5MB of RAM, so I'm pretty satisfied with what I have.
I'll consider your script on a new install, maybe. Btw, I'm on Windows 11 IoT Enterprise LTSC.

@undergroundwires
Owner

Hi,

This should successfully get rid of smartscreen.exe:

Apply script
@echo off
:: https://privacy.sexy — v0.13.5 — Fri, 12 Jul 2024 11:42:38 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion


:: ----------------------------------------------------------
:: Disable SmartScreen process (breaks Microsoft Store apps)-
:: ----------------------------------------------------------
echo --- Disable SmartScreen process (breaks Microsoft Store apps)
:: Check and terminate the running process "smartscreen.exe"
tasklist /fi "ImageName eq smartscreen.exe" /fo csv 2>NUL | find /i "smartscreen.exe">NUL && (
    echo smartscreen.exe is running and will be killed.
    taskkill /f /im smartscreen.exe
) || (
    echo Skipping, smartscreen.exe is not running.
)
:: Configure termination of "smartscreen.exe" immediately upon its startup
PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe' /v 'Debugger' /t 'REG_SZ' /d '%WINDIR%\System32\taskkill.exe' /f"
:: Add a rule to prevent the executable "smartscreen.exe" from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "$executableFilename='smartscreen.exe'; try {; $registryPathForDisallowRun='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'; $existingBlockEntries = Get-ItemProperty -Path "^""$registryPathForDisallowRun"^"" -ErrorAction Ignore; $nextFreeRuleIndex = 1; if ($existingBlockEntries) {; $existingBlockingRuleForExecutable = $existingBlockEntries.PSObject.Properties | Where-Object { $_.Value -eq $executableFilename }; if ($existingBlockingRuleForExecutable) {; $existingBlockingRuleIndexForExecutable = $existingBlockingRuleForExecutable.Name; Write-Output "^""Skipping, no action needed: `$executableFilename` is already blocked under rule index `"^""$existingBlockingRuleIndexForExecutable`"^""."^""; exit 0; }; $occupiedRuleIndexes = $existingBlockEntries.PSObject.Properties | Where-Object { $_.Name -Match '^\d+$' } | Select -ExpandProperty Name; if ($occupiedRuleIndexes) {; while ($occupiedRuleIndexes -Contains $nextFreeRuleIndex) {; $nextFreeRuleIndex += 1; }; }; }; Write-Output "^""Adding block rule for `"^""$executableFilename`"^"" under rule index `"^""$nextFreeRuleIndex`"^""."^""; if (!(Test-Path $registryPathForDisallowRun)) {; New-Item -Path "^""$registryPathForDisallowRun"^"" -Force -ErrorAction Stop | Out-Null; }; New-ItemProperty -Path "^""$registryPathForDisallowRun"^"" -Name "^""$nextFreeRuleIndex"^"" -PropertyType String -Value "^""$executableFilename"^"" ` -ErrorAction Stop | Out-Null; Write-Output "^""Successfully blocked `"^""$executableFilename`"^"" with rule index `"^""$nextFreeRuleIndex`"^""."^""; } catch {; Write-Error "^""Failed to block `"^""$executableFilename`"^"": $_"^""; Exit 1; }"
:: Activate the DisallowRun policy to block specified programs from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "try {; $fileExplorerDisallowRunRegistryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; $currentDisallowRunPolicyValue = Get-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -ErrorAction Ignore | Select -ExpandProperty DisallowRun; if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) {; Write-Output "^""Creating DisallowRun policy at `"^""$fileExplorerDisallowRunRegistryPath`"^""."^""; if (!(Test-Path $fileExplorerDisallowRunRegistryPath)) {; New-Item -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Force -ErrorAction Stop | Out-Null; }; New-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -Value 1 -PropertyType DWORD -Force -ErrorAction Stop | Out-Null; Write-Output 'Successfully activated DisallowRun policy.'; Exit 0; }; if ($currentDisallowRunPolicyValue -eq 1) {; Write-Output 'Skipping, no action needed: DisallowRun policy is already in place.'; Exit 0; }; Write-Output 'Updating DisallowRun policy from unexpected value `"^""$currentDisallowRunPolicyValue`"^"" to `"^""1`"^"".'; Set-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -Value 1 -Type DWORD -Force -ErrorAction Stop | Out-Null; Write-Output 'Successfully activated DisallowRun policy.'; } catch {; Write-Error "^""Failed to activate DisallowRun policy: $_"^""; Exit 1; }"
:: ----------------------------------------------------------


:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0
Revert script (if you change your mind)
@echo off
:: https://privacy.sexy — v0.13.5 — Fri, 12 Jul 2024 11:42:38 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion


:: Disable SmartScreen process (breaks Microsoft Store apps) (revert)
echo --- Disable SmartScreen process (breaks Microsoft Store apps) (revert)
:: Remove configuration preventing "smartscreen.exe" from starting
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe' /v 'Debugger' /f 2>$null"
:: Remove the rule that prevents the executable "smartscreen.exe" from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "$executableFilename='smartscreen.exe'; try {; $blockEntries = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction Ignore; if (-Not $blockEntries) {; Write-Output "^""Skipping, no action needed: No block rules exist, `"^""$executableFilename`"^"" is not blocked."^""; exit 0; }; $blockingRulesForExecutable = @(; $blockEntries.PSObject.Properties | Where-Object { $_.Value -eq $executableFilename }; ); if (-Not $blockingRulesForExecutable) {; Write-Output "^""Skipping, no action needed: `"^""$executableFilename`"^"" is not currently blocked."^""; exit 0; }; foreach ($blockingRuleForExecutable in $blockingRulesForExecutable) {; $blockingRuleIndexForExecutable = $blockingRuleForExecutable.Name; Write-Output "^""Removing rule `"^""$blockingRuleIndexForExecutable`"^"" that blocks `"^""$executableFilename`"^""."^""; Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -Name "^""$blockingRuleIndexForExecutable"^"" -Force -ErrorAction Stop; Write-Output "^""Successfully revoked blocking of `$executableFilename` under rule `"^""$blockingRuleIndexForExecutable`"^""."^""; }; } catch {; Write-Error "^""Failed to revoke blocking of `"^""$executableFilename`"^"": $_"^""; Exit 1; }"
:: Restore the File Explorer DisallowRun policy if no other blocks are active
PowerShell -ExecutionPolicy Unrestricted -Command "try {; $currentDisallowRunPolicyValue = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'DisallowRun' -ErrorAction Ignore | Select-Object -ExpandProperty 'DisallowRun'; if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) {; Write-Output 'Skipping, no action needed: DisallowRun policy is not active.'; Exit 0; }; if ($currentDisallowRunPolicyValue -ne 1) {; Write-Output "^""Skipping, DisallowRun policy is not configured by privacy.sexy, unexpected value: `"^""$currentDisallowRunPolicyValue`"^""."^""; Exit 0; }; $remainingBlockingRules = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction Ignore; if ($remainingBlockingRules) {; Write-Output 'Skipping deactivating DisallowRun policy, there are still active rules.'; Exit 0; }; Write-Output 'No remaining rules, deleting DisallowRun policy.'; Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'DisallowRun' -Force -ErrorAction Stop; Write-Output 'Successfully restored DisallowRun policy.'; } catch {; Write-Error "^""Failed to restore DisallowRun policy: $_"^""; Exit 1; }"
:: ----------------------------------------------------------


:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0

Please test this and let me know if it worked. It should persist across reboots. I will add it in the next patch if you confirm it works.

@Cassandre60
Author

I just applied the tool provided by @Silver347, and it removed all the residue, thanks for the suggestion nonetheless.

@undergroundwires
Owner

I'd be happy if anyone else who did not apply any other third-party tool gives feedback on this to move this issue and solution forward.

@Silver347

Hi @undergroundwires, thanks for the reply, and excuse me for my poor language skills.

First of all I'd like to thank you sincerely for devoting your free time to create this awesome customizable script, and I apologize for not really providing any scripted solution for the problem mentioned in the post but instead relying on someone else's project.

The truth is I have no coding skills, and as far as I've seen this software (which I recommended) completely removes Windows Defender entirely... which is a problem since there is no way to revert any of this once it's applied.

This script also disables some security mitigations (which I believe are Spectre and Meltdown at the OS level, VBS, UAC), which is not ideal... and I honestly shouldn't have recommended it in the first place.

Most of it (if not all of it) are registry tweaks inside the .exe file, which can be unzipped with any archiving tool (WinRAR, 7-Zip etc.) and which could be used to further improve the project... and again I apologize for not offering any proper solution.

undergroundwires added a commit that referenced this issue Jul 15, 2024
- Add more documentation with caution
- Improve disabling in Internet Explorer by broadening the disable
  scope.
- Fix wrong registry data set when disabling in Internet Explorer.
- Add disabling `smartscreen.exe` #385
- Add more ways to disable SmartScreen.
- Fix typo for registry key for Store apps.
- Simplify some of the script names
undergroundwires added a commit that referenced this issue Jul 24, 2024
- Add comprehensive documentation with security cautions
- Expand SmartScreen disabling for Internet Explorer
- Fix registry data for Internet Explorer SmartScreen disabling
- Add disabling of `smartscreen.exe` process, resolving #385
- Implement additional SmartScreen disabling methods
- Correct registry key for Store apps
- Simplify script names for clarity
@undergroundwires
Owner

More aggressive SmartScreen disabling will be released as part of next patch.
The code above should get rid of smartscreen.exe.

Using similar way, we can get rid of MpDefenderCoreService.exe, i.e., MDCoreSvc (Microsoft Defender Core Service).

It works according to my tests. I'd be happy if someone (running with the latest updates) can test this and verify that it works.

  1. Go to processes view, ensure "MpDefenderCoreService.exe | MDCoreSvc | Microsoft Defender Core Service" is running.
  2. Run the script.
  3. Restart the computer.
  4. Verify that it is no longer running.
Script to disable Microsoft Defender Core Service
@echo off
:: https://privacy.sexy — v0.13.5 — Wed, 24 Jul 2024 18:11:40 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion


:: ----------------------------------------------------------
:: --Disable Core Service process (`MpDefenderCoreService`)--
:: ----------------------------------------------------------
echo --- Disable Core Service process (`MpDefenderCoreService`)
:: Check and terminate the running process "MpDefenderCoreService.exe"
tasklist /fi "ImageName eq MpDefenderCoreService.exe" /fo csv 2>NUL | find /i "MpDefenderCoreService.exe">NUL && (
    echo MpDefenderCoreService.exe is running and will be killed.
    taskkill /f /im MpDefenderCoreService.exe
) || (
    echo Skipping, MpDefenderCoreService.exe is not running.
)
:: Configure termination of "MpDefenderCoreService.exe" immediately upon its startup
PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpDefenderCoreService.exe' /v 'Debugger' /t 'REG_SZ' /d '%WINDIR%\System32\taskkill.exe' /f"
:: Add a rule to prevent the executable "MpDefenderCoreService.exe" from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "$executableFilename='MpDefenderCoreService.exe'; try {; $registryPathForDisallowRun='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'; $existingBlockEntries = Get-ItemProperty -Path "^""$registryPathForDisallowRun"^"" -ErrorAction Ignore; $nextFreeRuleIndex = 1; if ($existingBlockEntries) {; $existingBlockingRuleForExecutable = $existingBlockEntries.PSObject.Properties | Where-Object { $_.Value -eq $executableFilename }; if ($existingBlockingRuleForExecutable) {; $existingBlockingRuleIndexForExecutable = $existingBlockingRuleForExecutable.Name; Write-Output "^""Skipping, no action needed: `$executableFilename` is already blocked under rule index `"^""$existingBlockingRuleIndexForExecutable`"^""."^""; exit 0; }; $occupiedRuleIndexes = $existingBlockEntries.PSObject.Properties | Where-Object { $_.Name -Match '^\d+$' } | Select -ExpandProperty Name; if ($occupiedRuleIndexes) {; while ($occupiedRuleIndexes -Contains $nextFreeRuleIndex) {; $nextFreeRuleIndex += 1; }; }; }; Write-Output "^""Adding block rule for `"^""$executableFilename`"^"" under rule index `"^""$nextFreeRuleIndex`"^""."^""; if (!(Test-Path $registryPathForDisallowRun)) {; New-Item -Path "^""$registryPathForDisallowRun"^"" -Force -ErrorAction Stop | Out-Null; }; New-ItemProperty -Path "^""$registryPathForDisallowRun"^"" -Name "^""$nextFreeRuleIndex"^"" -PropertyType String -Value "^""$executableFilename"^"" ` -ErrorAction Stop | Out-Null; Write-Output "^""Successfully blocked `"^""$executableFilename`"^"" with rule index `"^""$nextFreeRuleIndex`"^""."^""; } catch {; Write-Error "^""Failed to block `"^""$executableFilename`"^"": $_"^""; Exit 1; }"
:: Activate the DisallowRun policy to block specified programs from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "try {; $fileExplorerDisallowRunRegistryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; $currentDisallowRunPolicyValue = Get-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -ErrorAction Ignore | Select -ExpandProperty DisallowRun; if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) {; Write-Output "^""Creating DisallowRun policy at `"^""$fileExplorerDisallowRunRegistryPath`"^""."^""; if (!(Test-Path $fileExplorerDisallowRunRegistryPath)) {; New-Item -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Force -ErrorAction Stop | Out-Null; }; New-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -Value 1 -PropertyType DWORD -Force -ErrorAction Stop | Out-Null; Write-Output 'Successfully activated DisallowRun policy.'; Exit 0; }; if ($currentDisallowRunPolicyValue -eq 1) {; Write-Output 'Skipping, no action needed: DisallowRun policy is already in place.'; Exit 0; }; Write-Output 'Updating DisallowRun policy from unexpected value `"^""$currentDisallowRunPolicyValue`"^"" to `"^""1`"^"".'; Set-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -Value 1 -Type DWORD -Force -ErrorAction Stop | Out-Null; Write-Output 'Successfully activated DisallowRun policy.'; } catch {; Write-Error "^""Failed to activate DisallowRun policy: $_"^""; Exit 1; }"
:: Suggest restarting computer for changes to take effect
PowerShell -ExecutionPolicy Unrestricted -Command "$osVersion = [System.Environment]::OSVersion.Version; function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) }; if (Test-IsWindows11) {; $ignoreWindows11 =  $false; if ($ignoreWindows11) {; Exit 0 <# Skip #>; }; }; $osVersion = [System.Environment]::OSVersion.Version; function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) }; if (Test-IsWindows10) {; $ignoreWindows10 =  $false; if ($ignoreWindows10) {; Exit 0 <# Skip #>; }; }; $message = 'For the changes to fully take effect, please restart your computer.'; $warn =  $false; if ($warn) {; Write-Warning "^""$message"^""; } else {; Write-Host "^""Note: "^"" -ForegroundColor Blue -NoNewLine; Write-Output "^""$message"^""; }"
:: ----------------------------------------------------------


:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0
Revert: Restore (re-enable) Microsoft Defender Core Service
@echo off
:: https://privacy.sexy — v0.13.5 — Wed, 24 Jul 2024 18:11:40 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion


:: Disable Core Service process (`MpDefenderCoreService`) (revert)
echo --- Disable Core Service process (`MpDefenderCoreService`) (revert)
:: Remove configuration preventing "MpDefenderCoreService.exe" from starting
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpDefenderCoreService.exe' /v 'Debugger' /f 2>$null"
:: Remove the rule that prevents the executable "MpDefenderCoreService.exe" from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "$executableFilename='MpDefenderCoreService.exe'; try {; $blockEntries = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction Ignore; if (-Not $blockEntries) {; Write-Output "^""Skipping, no action needed: No block rules exist, `"^""$executableFilename`"^"" is not blocked."^""; exit 0; }; $blockingRulesForExecutable = @(; $blockEntries.PSObject.Properties | Where-Object { $_.Value -eq $executableFilename }; ); if (-Not $blockingRulesForExecutable) {; Write-Output "^""Skipping, no action needed: `"^""$executableFilename`"^"" is not currently blocked."^""; exit 0; }; foreach ($blockingRuleForExecutable in $blockingRulesForExecutable) {; $blockingRuleIndexForExecutable = $blockingRuleForExecutable.Name; Write-Output "^""Removing rule `"^""$blockingRuleIndexForExecutable`"^"" that blocks `"^""$executableFilename`"^""."^""; Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -Name "^""$blockingRuleIndexForExecutable"^"" -Force -ErrorAction Stop; Write-Output "^""Successfully revoked blocking of `$executableFilename` under rule `"^""$blockingRuleIndexForExecutable`"^""."^""; }; } catch {; Write-Error "^""Failed to revoke blocking of `"^""$executableFilename`"^"": $_"^""; Exit 1; }"
:: Restore the File Explorer DisallowRun policy if no other blocks are active
PowerShell -ExecutionPolicy Unrestricted -Command "try {; $currentDisallowRunPolicyValue = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'DisallowRun' -ErrorAction Ignore | Select-Object -ExpandProperty 'DisallowRun'; if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) {; Write-Output 'Skipping, no action needed: DisallowRun policy is not active.'; Exit 0; }; if ($currentDisallowRunPolicyValue -ne 1) {; Write-Output "^""Skipping, DisallowRun policy is not configured by privacy.sexy, unexpected value: `"^""$currentDisallowRunPolicyValue`"^""."^""; Exit 0; }; $remainingBlockingRules = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction Ignore; if ($remainingBlockingRules) {; Write-Output 'Skipping deactivating DisallowRun policy, there are still active rules.'; Exit 0; }; Write-Output 'No remaining rules, deleting DisallowRun policy.'; Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'DisallowRun' -Force -ErrorAction Stop; Write-Output 'Successfully restored DisallowRun policy.'; } catch {; Write-Error "^""Failed to restore DisallowRun policy: $_"^""; Exit 1; }"
:: Suggest restarting computer for changes to take effect
PowerShell -ExecutionPolicy Unrestricted -Command "$osVersion = [System.Environment]::OSVersion.Version; function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) }; if (Test-IsWindows11) {; $ignoreWindows11 =  $false; if ($ignoreWindows11) {; Exit 0 <# Skip #>; }; }; $osVersion = [System.Environment]::OSVersion.Version; function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) }; if (Test-IsWindows10) {; $ignoreWindows10 =  $false; if ($ignoreWindows10) {; Exit 0 <# Skip #>; }; }; $message = 'For the changes to fully take effect, please restart your computer.'; $warn =  $false; if ($warn) {; Write-Warning "^""$message"^""; } else {; Write-Host "^""Note: "^"" -ForegroundColor Blue -NoNewLine; Write-Output "^""$message"^""; }"
:: ----------------------------------------------------------


:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0

Note: according to my tests, disabling this service through reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t "REG_DWORD" /d "4" /f as administrator or TrustedInstaller does not work, resulting in a permission error. The above method should work.

As next step I will look at: webthreatdefusersvc and WinDefend.

@Silver347, thank you for such a nice comment. It's appreciated that you share knowledge, and users are expected to know what they're doing with third-party tools.
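The two scripts above rely on the same pair of mechanisms: an Image File Execution Options `Debugger` value that redirects process creation to `taskkill.exe`, and a per-user Explorer `DisallowRun` rule. As an added example (not code from this issue or from privacy.sexy), the following PowerShell function reports, for each executable named in the thread, whether each mechanism is actually in place and whether the process is still alive, so a tester can tell which part is holding after the reboot in step 3. The only assumption is the registry layout the generated scripts write to, which is copied from them.

```powershell
# Added example, not from the privacy.sexy project: verify the IFEO "Debugger"
# redirect and the Explorer DisallowRun rule for a set of executables, and
# report whether the process is currently running.
function Test-ExecutableBlock {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ExecutableName
    )
    # Same registry locations the generated scripts write to.
    $ifeoRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $policyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $disallowKey = Join-Path $policyKey 'DisallowRun'

    # The DisallowRun DWORD must be 1 for the numbered rules to be enforced.
    $policyValue   = (Get-ItemProperty -Path $policyKey -Name DisallowRun -ErrorAction Ignore).DisallowRun
    $policyEnabled = ($policyValue -eq 1)
    $disallowEntries = Get-ItemProperty -Path $disallowKey -ErrorAction Ignore

    foreach ($exe in $ExecutableName) {
        $ifeoKey  = Join-Path $ifeoRoot $exe
        $debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction Ignore).Debugger
        # The generated script points Debugger at taskkill.exe; any other value
        # was set by something else and is reported verbatim for inspection.
        $redirectsToTaskkill = $false
        if ($debugger) { $redirectsToTaskkill = ($debugger -like '*\taskkill.exe') }

        # DisallowRun rules are numbered string values whose data is the file name.
        $ruleIndex = $null
        if ($disallowEntries) {
            $rule = $disallowEntries.PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq $exe } |
                Select-Object -First 1
            if ($rule) { $ruleIndex = $rule.Name }
        }

        # Get-Process takes the image name without extension.
        $processName = [System.IO.Path]::GetFileNameWithoutExtension($exe)
        $running = [bool](Get-Process -Name $processName -ErrorAction Ignore)

        [pscustomobject]@{
            Executable              = $exe
            IfeoDebugger            = $debugger
            IfeoRedirectsToTaskkill = $redirectsToTaskkill
            DisallowRunRuleIndex    = $ruleIndex
            DisallowRunPolicyActive = $policyEnabled
            Running                 = $running
        }
    }
}

Test-ExecutableBlock -ExecutableName 'smartscreen.exe', 'MpDefenderCoreService.exe' |
    Format-Table -AutoSize
```

The two columns are worth reading separately. `DisallowRun` lives under `HKCU` and is enforced by Explorer for the current user's shell launches only, so for a service binary such as `MpDefenderCoreService.exe`, which the Service Control Manager starts as SYSTEM, the `IfeoRedirectsToTaskkill` column is the one that decides whether the process comes back after a reboot; `Running` equal to `False` together with `IfeoRedirectsToTaskkill` equal to `True` is the expected state after step 4.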

@femdiya

femdiya commented Jul 31, 2024

@undergroundwires
Sorry for off-topic but, the third-party project mentioned above has tons of Registry tweaks,
I'm sure you'll find it useful (by merging codes from that project to yours)
Just saying, maybe some lines of codes aren't implemented completely? It would be great if you check that out.
https://github.com/ionuttbara/windows-defender-remover/tree/main

@undergroundwires
Owner

@femdiya,

There are various attempts to disable Defender in the wild, but privacy.sexy stands out due to the following:

  • Reversibility: Every change made by privacy.sexy is reversible whenever possible (as you already figured out).
  • Documentation: All actions are documented with references to official and reputable sources whenever possible.
  • Goal-Oriented: Each action serves a clear and defined goal of reaching privacy.

I prefer not to incorporate other projects. Privacy.sexy is used by many non-tech-savvy users, and experimental security modifications without a solid basis are dangerous. Additionally, there are licensing issues that I'd like to avoid.

However, I would appreciate it if you or anyone else could:

  • Clearly identify what needs to be done, as @Cassandre60 did with the specific names in this issue.
  • Stay around when an issue is created to help guide its implementation.
  • If possible, try to provide evidence that these actions relate to disabling Defender specifically, to ensure we don’t inadvertently disable other security components. Privacy.sexy aims to give users control over their data, even if it means reducing security, but we need to have some certainty of what we're doing.
  • If possible, supply any relevant documentation.

You don’t need to be tech-savvy or a developer to contribute. You can use language models or search engines. If you find that privacy.sexy is missing a configuration or not functioning correctly, create an issue for that. This approach helps us track, manage, and implement necessary changes efficiently. Here’s how you can contribute effectively:

  1. Discover that doing X can help disable Defender.
  2. Check if privacy.sexy already implements X.
  3. If not, create an issue about doing X, providing as much context as you can.

This kind of contribution would be appreciated by many and be very useful to the community. This way, we can work together to improve privacy.sexy in a way it meets our quality standards and goals.

Thank you for your understanding and support ❤️

@femdiya

femdiya commented Jul 31, 2024

@undergroundwires
Seems nice. I've already found some tweaks related to Defender that are not implemented in this project; I'll open a "New Script" issue for probably all of them.
Also I'll try to explain most of the commands and tweaks as much as possible.

@femdiya

femdiya commented Aug 2, 2024

After I disabled Defender using the 1100 lines script generated by privacy.sexy, I still have : +webthreatdefusersvc_4549a, Web Threat Defense User Service_4549a +WinDefend, Microsoft Defender Antivirus Service +MDCoreSvc, Microsoft Defender Core Service still running.

I did mention some services to be disabled in future updates in following issue created by me: #402
"Additional information -> SIDE NOTE 2"
It includes MDCoreSvc and WinDefend too

undergroundwires added a commit that referenced this issue Aug 23, 2024
This commit adds disabling Microsoft Defender Core Service (MDCoreSvc)
and its related telemetry.

Key changes:

- Add disabling MDCoreSvc, resolving #385
- Add disabling its telemetry
- Add disabling its ECS integration

Supporting changes:

- Update script names/docs to clarify Defender Antivirus data
  collection
undergroundwires added a commit that referenced this issue Aug 23, 2024
This commit adds disabling Microsoft Defender Core Service (MDCoreSvc)
and its related telemetry.

Key changes:

- Add disabling MDCoreSvc, resolving #385
- Add disabling its telemetry
- Add disabling its ECS integration

Supporting changes:

- Update script names/docs to clarify Defender Antivirus data
  collection
undergroundwires added a commit that referenced this issue Sep 30, 2024
This commit adds options to disable Enhanced Phishing Protection
features in Defender SmartScreen. This includes disabling background
services, automatic data collection and various notification types.

Key changes:

- Add disabling of W11-only "Enhanced Phishing Protection"
- Add disabling of Web Threat Defense services.

Supporting changes:

- Add minimum version constraint for `DisablePerUserService`
- Use less characters in `RunPowerShellWithWindowsVersionConstraints` to
  avoid reaching the max batchfile line lengths.
4 participants