├── PowerRun.exe ├── PowerRun.ini ├── app_icon.ico ├── ew └── Remove_SecurityComp_moduled │ ├── MitigationofFaultTorelantHeap.reg │ ├── DisableDevDriveProtection.reg │ ├── DisableMicrosoftVulnerabileDriverBlocklist.reg │ ├── Remove and Disable Microsoft Pluton.reg │ ├── DisableLSAProtection.reg │ ├── DisableTamperProtection.reg │ ├── DisableSpyNetTelemetry.reg │ ├── DisableMaintenanceTaskreportinginSecurityHealthUI.reg │ ├── RemoveWindowsDefenderFirewallRules.reg │ ├── DisableUAC.reg │ ├── RemoveSecurityandMaintenance.reg │ ├── DisableSystemMitigations.reg │ ├── ExploitGuard_d.reg │ ├── DisableSmartScreen.reg │ ├── RemovalofAnti-PhishingServices.reg │ └── DisableVBS.reg ├── Remove_defender_moduled ├── WindowsSettingsPageVisibility.reg ├── RemoveStartupEntries.reg ├── RemoveDefenderTasks.reg ├── RemoveSignatureUpdates.reg ├── RemoverofDefenderContextMenu.reg ├── NomoreDelayandTimeouts.reg ├── RemoveWindowsWebThreat.reg ├── RemoveServices.reg ├── RemoveShellAssociation.reg ├── DisableDefenderandSecurityCenterNotifications.reg ├── DisableAntivirusProtection.reg ├── RemovalofWindowsDefenderAntivirus.reg └── DisableDefenderPolicies.reg ├── LICENSE ├── Remove_SecurityComp_moduled └── DisableUAC.reg ├── @Management └── RegistryUnifier.ps1 ├── .github └── ISSUE_TEMPLATE │ └── defender-remover-issue-report.md ├── RemoveSecHealthApp.ps1 ├── Script_Run.bat ├── README.md ├── Remove_SecurityComp └── Remove_SecurityComp.reg ├── Remove_Defender └── RemoveDefender.reg └── defender_remover13.ps1 /PowerRun.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionuttbara/windows-defender-remover/HEAD/PowerRun.exe -------------------------------------------------------------------------------- /PowerRun.ini: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionuttbara/windows-defender-remover/HEAD/PowerRun.ini 
-------------------------------------------------------------------------------- /app_icon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionuttbara/windows-defender-remover/HEAD/app_icon.ico -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/MitigationofFaultTorelantHeap.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FTH] 4 | "Enabled"=dword:00000000 -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/DisableDevDriveProtection.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection] 4 | "DisableAsyncScanOnOpen"=dword:00000001 -------------------------------------------------------------------------------- /Remove_defender_moduled/WindowsSettingsPageVisibility.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] 4 | "SettingsPageVisibility"="hide:windowsdefender;" 5 | -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/DisableMicrosoftVulnerabileDriverBlocklist.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config] 4 | "VulnerableDriverBlocklistEnable"=dword:00000000 5 | -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | This work is licensed under the Creative Commons Attribution-NonCommercial 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. 2 | -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/Remove and Disable Microsoft Pluton.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlutonHsp2] 4 | 5 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlutonHeci] 6 | 7 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hsp] -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/DisableLSAProtection.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] 4 | "RunAsPPL"=dword:00000000 5 | 6 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] 7 | "LsaConfigFlags"=dword:00000000 8 | "RunAsPPL"=dword:00000000 9 | "RunAsPPLBoot"=dword:00000000 10 | "LmCompatibilityLevel"=- 11 | -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/DisableTamperProtection.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; Remove Defender's Tamper Protection 4 | 5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features] 6 | "MpPlatformKillbitsFromEngine"=hex:00,00,00,00,00,00,00,00 7 | "TamperProtectionSource"=dword:00000000 8 | "MpCapability"=hex:00,00,00,00,00,00,00,00 9 | "TamperProtection"=dword:00000000 10 | 
-------------------------------------------------------------------------------- /Remove_SecurityComp_moduled/DisableUAC.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; Suppress the UAC elevation prompt for administrators and turn off the secure desktop (EnableLUA is not changed in this file) 4 | 5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] 6 | "ConsentPromptBehaviorAdmin"=dword:00000000 7 | "PromptOnSecureDesktop"=dword:00000000 8 | 9 | ; Fix mouse cursor disappearing 10 | 11 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] 12 | "EnableCursorSuppression"=dword:00000000 13 | -------------------------------------------------------------------------------- /Remove_defender_moduled/RemoveStartupEntries.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; Remove Defender's Startup Entries 4 | 5 | [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 6 | "Windows Defender"=- 7 | "SecurityHealth"=- 8 | 9 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run] 10 | "Windows Defender"=- 11 | "SecurityHealth"=- 12 | 13 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 14 | "WindowsDefender"=- 15 | "SecurityHealth"=- 16 | -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/DisableSpyNetTelemetry.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet] 4 | "DisableBlockAtFirstSeen"=dword:00000001 5 | "LocalSettingOverrideSpynetReporting"=dword:00000000 6 | "SpynetReporting"=dword:00000000 7 | "SubmitSamplesConsent"=dword:00000002 8 | 9 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet] 10 | "SpyNetReporting"=dword:00000000 11 | 
"LocalSettingOverrideSpyNetReporting"=dword:00000000 -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/DisableMaintenanceTaskreportinginSecurityHealthUI.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; disables reporting of things from Maintenance Task in Windows Security App 4 | 5 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health] 6 | 7 | [-HKEY_CURRENT_USER\Software\Microsoft\Windows Security Health] 8 | 9 | [HKEY_CURRENT_USER\Software\Microsoft\Windows Security Health\State] 10 | "Disabled"=dword:00000001 11 | 12 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\Platform] 13 | "Registered"=dword:00000000 14 | -------------------------------------------------------------------------------- /Remove_defender_moduled/RemoveDefenderTasks.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0ACC9108-2000-46C0-8407-5FD9F89521E8}] 4 | 5 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D77BCC8-1D07-42D0-8C89-3A98674DFB6F}] 6 | 7 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4A9233DB-A7D3-45D6-B476-8C7D8DF73EB5}] 8 | 9 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B05F34EE-83F2-413D-BC1D-7D5BD6E98300}] 10 | -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/RemoveWindowsDefenderFirewallRules.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System] 4 | "WebThreatDefSvc_Allow_In"=- 5 | "WebThreatDefSvc_Allow_Out"=- 6 | "WebThreatDefSvc_Block_In"=- 7 | "WebThreatDefSvc_Block_Out"=- 8 | 9 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System] 10 | "{2A5FE97D-01A4-4A9C-8241-BB3755B65EE0}"=- 11 | "72e33e44-dc4c-40c5-a688-a77b6e988c69"=- 12 | "b23879b5-1ef3-45b7-8933-554a4303d2f3"=- 13 | -------------------------------------------------------------------------------- /Remove_defender_moduled/RemoveSignatureUpdates.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; this file disables Signature Updates in Windows Defender 4 | 5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates] 6 | "SignatureDisableNotification"=dword:00000001 7 | "RealtimeSignatureDelivery"=dword:00000000 8 | "ForceUpdateFromMU"=dword:00000000 9 | "DisableScheduledSignatureUpdateOnBattery"=dword:00000001 10 | "UpdateOnStartUp"=dword:00000000 11 | "SignatureUpdateCatchupInterval"=dword:00000002 12 | "DisableUpdateOnStartupWithoutEngine"=dword:00000001 13 | "ScheduleTime"=dword:00001440 14 | "DisableScanOnUpdate"=dword:00000001 15 | -------------------------------------------------------------------------------- /Remove_defender_moduled/RemoverofDefenderContextMenu.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}] 4 | 5 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}] 6 | 7 | ; Remove "Scan with Defender" Context Menu 8 | 
9 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender] 10 | 11 | [-HKEY_CLASSES_ROOT\Folder\shell\WindowsDefender] 12 | 13 | [-HKEY_CLASSES_ROOT\DesktopBackground\Shell\WindowsSecurity] 14 | 15 | [-HKEY_CLASSES_ROOT\Folder\shell\WindowsDefender\Command] 16 | -------------------------------------------------------------------------------- /Remove_defender_moduled/NomoreDelayandTimeouts.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] 4 | "VerboseStatus"=dword:00000000 5 | 6 | [HKEY_CURRENT_USER\Control Panel\Desktop] 7 | "AutoEndTasks"="1" 8 | "MenuShowDelay"="1" 9 | "ForegroundLockTimeout"=dword:00000000 10 | "WaitToKillAppTimeout"="1" 11 | "WaitToKillServiceTimeout"=dword:00000001 12 | "HungAppTimeout"="1000" 13 | 14 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control] 15 | "WaitToKillServiceTimeout"="1" 16 | "DisableRemoteScmEndpoints"=dword:00000000 17 | 18 | [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] 19 | "ThumbnailLivePreviewHoverTime"=dword:00000001 20 | -------------------------------------------------------------------------------- /@Management/RegistryUnifier.ps1: -------------------------------------------------------------------------------- 1 | # Define the folder containing the .reg files and the output file 2 | $sourceFolder = "../Remove_defender_moduled" # Modify this with your source folder path 3 | $outputFile = "../Output.reg" # Specify the output file path 4 | 5 | $combinedContent = @() 6 | $combinedContent += "Windows Registry Editor Version 5.00" 7 | $regFiles = Get-ChildItem -Path $sourceFolder -Recurse -Filter "*.reg" 8 | 9 | foreach ($file in $regFiles) { 10 | $content = Get-Content -Path $file.FullName 11 | $combinedContent += "; File: $($file.FullName)" 12 | $combinedContent += $content[1..($content.Length - 1)] 13 | } 14 | 
$combinedContent | Set-Content -Path $outputFile -Encoding UTF8 15 | 16 | Write-Host "Combined registry file created at: $outputFile" 17 | -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/DisableUAC.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; Disable UAC 4 | 5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] 6 | "EnableLUA"=dword:00000000 7 | "ConsentPromptBehaviorAdmin"=dword:00000000 8 | "ConsentPromptBehaviorUser"=dword:00000000 9 | "FilterAdministratorToken"=dword:00000001 10 | "LocalAccountTokenFilterPolicy"=dword:00000001 11 | "EnableUIADesktopToggle"=dword:00000000 12 | "ValidateAdminCodeSignatures"=dword:00000001 13 | "EnableSecureUIAPaths"=dword:00000000 14 | "DelayedDesktopSwitchTimemout"=dword:00000000 15 | "PromptOnSecureDesktop"=dword:00000000 16 | 17 | ; Fix mouse cursor disappearing 18 | 19 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] 20 | "EnableCursorSuppression"=dword:00000000 21 | -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/RemoveSecurityandMaintenance.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [-HKEY_CLASSES_ROOT\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 4 | 5 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 6 | 7 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 8 | 9 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 10 | 11 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 12 | 13 | 
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 14 | 15 | [-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/defender-remover-issue-report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Defender Remover Issue Report 3 | about: Describe the problem here 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | ## *What* affects the bug? 11 | 12 | 13 | ## *When* does this occur? 14 | 15 | 16 | ## *In which* version of Windows does this issue happen? Write the complete version. 17 | 18 | 19 | 20 | ## *How* do we replicate the issue? 21 | 22 | 23 | 24 | ## Expected behavior (if you have a solution, write it here.) 25 | 26 | 27 | 28 | ## Other Comments 29 | -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/DisableSystemMitigations.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsMitigation] 4 | "UserPreference"=dword:00000002 5 | 6 | ; In-kernel Mitigations 7 | 8 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel] 9 | "MitigationAuditOptions"=hex:00,00,00,00,00,00,20,22,00,00,00,00,00,00,00,20,00,00,00,00,00,00,00,00 10 | "MitigationOptions"=hex:00,22,22,20,22,20,22,22,20,00,00,00,00,20,00,20,00,00,00,00,00,00,00,00 11 | "KernelSEHOPEnabled"=dword:00000000 12 | 13 | ; Disable Spectre & Meltdown Mitigations 14 | 15 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management] 16 | "FeatureSettings"=dword:00000001 17 | "FeatureSettingsOverride"=dword:00000003 18 | "FeatureSettingsOverrideMask"=dword:00000003 19 | 20 | ; 
Services Mitigations 21 | 22 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig] 23 | "EnableSvchostMitigationPolicy"=hex(b):00,00,00,00,00,00,00,00 24 | -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/ExploitGuard_d.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access] 4 | "EnableControlledFolderAccess"=dword:00000000 5 | 6 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection] 7 | "EnableNetworkProtection"=- 8 | 9 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR] 10 | "ExploitGuard_ASR_Rules"=dword:00000000 11 | 12 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection] 13 | "EnableNetworkProtection"=- 14 | 15 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MpGears] 16 | "HeartbeatTrackingIndex"=dword:00000000 17 | "SpyNetReportingLocation"="0" 18 | 19 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR] 20 | "EnableASRConsumers"=dword:00000000 21 | -------------------------------------------------------------------------------- /Remove_defender_moduled/RemoveWindowsWebThreat.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [-HKEY_CLASSES_ROOT\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] 4 | 5 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] 6 | 7 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] 8 | 9 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] 10 | 11 | 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Service.UserSessionServiceManager] 12 | 13 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatExperienceManager.ThreatExperienceManager] 14 | 15 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatResponseEngine.ThreatDecisionEngine] 16 | 17 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Configuration.WTDUserSettings] 18 | -------------------------------------------------------------------------------- /Remove_defender_moduled/RemoveServices.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; Remove Defender and Windows Security Services 4 | 5 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecCore] 6 | 7 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc] 8 | 9 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv] 10 | 11 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc] 12 | 13 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter] 14 | 15 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot] 16 | 17 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService] 18 | 19 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmAgent] 20 | 21 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmBroker] 22 | 23 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend] 24 | 25 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection] 26 | "DisallowExploitProtectionOverride"=dword:00000001 27 | 28 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecFlt] 29 | 30 | 
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecWfp] -------------------------------------------------------------------------------- /Remove_defender_moduled/RemoveShellAssociation.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend] 4 | 5 | [-HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\windowsdefender] 6 | 7 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender] 8 | 9 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender] 10 | 11 | [-HKEY_CLASSES_ROOT\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0] 12 | 13 | [-HKEY_CURRENT_USER\Software\Classes\ms-cxh] 14 | 15 | [-HKEY_CLASSES_ROOT\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri] 16 | 17 | [-HKEY_CLASSES_ROOT\WindowsDefender] 18 | 19 | [-HKEY_CURRENT_USER\Software\Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0] 20 | 21 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsDefender] 22 | 23 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Ubpm] 24 | "CriticalMaintenance_DefenderCleanup"=- 25 | "CriticalMaintenance_DefenderVerification"=- 26 | 27 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System] 28 | "WindowsDefender-1"=- 29 | "WindowsDefender-2"=- 30 | "WindowsDefender-3"=- 31 | -------------------------------------------------------------------------------- /Remove_defender_moduled/DisableDefenderandSecurityCenterNotifications.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; Disable Windows Defender Security Center Notifications 4 | 5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableEnhancedNotifications] 6 | 
"value"=dword:00000001 7 | 8 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableNotifications] 9 | "value"=dword:00000001 10 | 11 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\HideWindowsSecurityNotificationAreaControl] 12 | "value"=dword:00000001 13 | 14 | ; Disable Windows Security Center Notifications 15 | 16 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] 17 | 18 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] 19 | "FirstRunDisabled"=dword:00000001 20 | "AntiVirusOverride"=dword:00000001 21 | "FirewallOverride"=dword:00000001 22 | 23 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications] 24 | "DisableEnhancedNotifications"=dword:00000001 25 | "DisableNotifications"=dword:00000001 26 | 27 | [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance] 28 | "Enabled"=dword:00000000 -------------------------------------------------------------------------------- /Remove_defender_moduled/DisableAntivirusProtection.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; disabling Antivirus 4 | 5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] 6 | "DisableRoutinelyTakingAction"=dword:00000001 7 | "ServiceKeepAlive"=dword:00000000 8 | "AllowFastServiceStartup"=dword:00000000 9 | "DisableLocalAdminMerge"=dword:00000001 10 | 11 | ; disable overwriting real time protection settings 12 | 13 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection] 14 | "LocalSettingOverrideDisableOnAccessProtection"=dword:00000000 15 | "LocalSettingOverrideRealtimeScanDirection"=dword:00000000 16 | "LocalSettingOverrideDisableIOAVProtection"=dword:00000000 17 | "LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000 18 | 
"LocalSettingOverrideDisableIntrusionPreventionSystem"=dword:00000000 19 | "LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000 20 | "DisableIOAVProtection"=dword:00000001 21 | "DisableRealtimeMonitoring"=dword:00000001 22 | "DisableBehaviorMonitoring"=dword:00000001 23 | "DisableOnAccessProtection"=dword:00000001 24 | "DisableScanOnRealtimeEnable"=dword:00000001 25 | "RealtimeScanDirection"=dword:00000002 26 | "DisableInformationProtectionControl"=dword:00000001 27 | "DisableIntrusionPreventionSystem"=dword:00000001 28 | "DisableRawWriteNotification"=dword:00000001 29 | 30 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring] 31 | "value"=dword:00000000 32 | 33 | [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender] 34 | "DisableRoutinelyTakingAction"=dword:00000001 -------------------------------------------------------------------------------- /RemoveSecHealthApp.ps1: -------------------------------------------------------------------------------- 1 | $remove_appx = @("SecHealthUI"); $provisioned = get-appxprovisionedpackage -online; $appxpackage = get-appxpackage -allusers; $eol = @() 2 | $store = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore' 3 | $users = @('S-1-5-18'); if (test-path $store) {$users += $((dir $store -ea 0 |where {$_ -like '*S-1-5-21*'}).PSChildName)} 4 | foreach ($choice in $remove_appx) { if ('' -eq $choice.Trim()) {continue} 5 | foreach ($appx in $($provisioned |where {$_.PackageName -like "*$choice*"})) { 6 | $next = !1; foreach ($no in $skip) {if ($appx.PackageName -like "*$no*") {$next = !0}} ; if ($next) {continue} 7 | $PackageName = $appx.PackageName; $PackageFamilyName = ($appxpackage |where {$_.Name -eq $appx.DisplayName}).PackageFamilyName 8 | ni "$store\Deprovisioned\$PackageFamilyName" -force >''; $PackageFamilyName 9 | foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageName" -force >''} ; $eol += $PackageName 10 | dism 
/online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >'' 11 | remove-appxprovisionedpackage -packagename $PackageName -online -allusers >'' 12 | } 13 | foreach ($appx in $($appxpackage |where {$_.PackageFullName -like "*$choice*"})) { 14 | $next = !1; foreach ($no in $skip) {if ($appx.PackageFullName -like "*$no*") {$next = !0}} ; if ($next) {continue} 15 | $PackageFullName = $appx.PackageFullName; 16 | ni "$store\Deprovisioned\$appx.PackageFamilyName" -force >''; $PackageFullName 17 | foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageFullName" -force >''} ; $eol += $PackageFullName 18 | dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >'' 19 | remove-appxpackage -package $PackageFullName -allusers >'' 20 | } 21 | } -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/DisableSmartScreen.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; Disable SmartScreen for Microsoft Edge 4 | 5 | [HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter] 6 | "EnabledV9"=dword:00000000 7 | "PreventOverride"=dword:00000000 8 | 9 | [HKEY_CURRENT_USER\Software\Microsoft\Edge] 10 | "SmartScreenEnabled"=dword:00000000 11 | 12 | [HKEY_CURRENT_USER\Software\Microsoft\Edge\SmartScreenEnabled] 13 | @=dword:00000000 14 | 15 | ; Disable SmartScreen in File Explorer and Windows Shell 16 | 17 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer] 18 | "SmartScreenEnabled"="off" 19 | 20 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] 21 | "EnableSmartScreen"=dword:00000000 22 | "ShellSmartScreenLevel"=- 23 | 24 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen] 25 | 
"value"=dword:00000000 26 | 27 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\SmartScreen\EnableSmartScreenInShell] 28 | "value"=dword:00000000 29 | 30 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\SmartScreen\EnableAppInstallControl] 31 | "value"=dword:00000000 32 | 33 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\SmartScreen\PreventOverrideForFilesInShell] 34 | "value"=dword:00000000 35 | 36 | ; Disable SmartScreen for Microsoft Store Apps 37 | 38 | [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost] 39 | "EnableWebContentEvaluation"=dword:00000000 40 | "PreventOverride"=dword:00000000 41 | 42 | ; Configure App Install Control 43 | 44 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen] 45 | "ConfigureAppInstallControlEnabled"=dword:00000001 46 | "ConfigureAppInstallControl"="Anywhere" 47 | -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/RemovalofAnti-PhishingServices.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\WebThreatDefSvc] 4 | 5 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefsvc] 6 | 7 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc] 8 | 9 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WebThreatDefense] 10 | 11 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] 12 | "WebThreatDefense"=- 13 | 14 | ; From Disabler 15 | 16 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense] 17 | 18 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\AuditMode] 19 | "value"=dword:00000000 20 | 21 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\NotifyUnsafeOrReusedPassword] 22 | 
"value"=dword:00000000 23 | 24 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\ServiceEnabled] 25 | "value"=dword:00000000 26 | 27 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS] 28 | 29 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components] 30 | "NotifyPasswordReuse"=dword:00000000 31 | 32 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components] 33 | "NotifyMalicious"=dword:00000000 34 | 35 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\AuditMode] 36 | "value"=dword:00000000 37 | 38 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\NotifyUnsafeOrReusedPassword] 39 | "value"=dword:00000000 40 | 41 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\ServiceEnabled] 42 | "value"=dword:00000000 43 | 44 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefsvc] 45 | 46 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc] 47 | 48 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WebThreatDefense] 49 | 50 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] 51 | "WebThreatDefense"=- 52 | -------------------------------------------------------------------------------- /ew/Remove_SecurityComp_moduled/DisableVBS.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; Reset values for Virtualization Settings 4 | 5 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard] 6 | 7 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\DeviceGuard] 8 | 9 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\VirtualizationBasedTechnology] 10 | 11 | ; Disable Virtualization Based Security 12 | 13 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard] 14 | 
"EnableVirtualizationBasedSecurity"=dword:00000000 15 | "HypervisorEnforcedCodeIntegrity"=dword:00000000 16 | "HVCIMATRequired"=dword:00000000 17 | "LsaCfgFlags"=dword:00000000 18 | "ConfigureSystemGuardLaunch"=dword:00000002 19 | "RequirePlatformSecurityFeature"=dword:00000000 20 | "CachedDrtmAuthIndex"=dword:00000000 21 | "RequireMicrosoftSignedBootChain"=dword:00000001 22 | "Locked"=dword:00000000 23 | "RequirePlatformSecurityFeatures"=dword:00000000 24 | 25 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity] 26 | "Enabled"=dword:00000000 27 | "Locked"=dword:00000000 28 | "WasEnabledBy"=- 29 | 30 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\VirtualizationBasedTechnology\HypervisorEnforcedCodeIntegrity] 31 | "value"=dword:00000000 32 | 33 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\DeviceGuard\EnableVirtualizationBasedSecurity] 34 | "value"=dword:00000000 35 | 36 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\DeviceGuard\ConfigureSystemGuardLaunch] 37 | "value"=dword:00000000 38 | 39 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\DeviceGuard\LsaCfgFlags] 40 | "value"=dword:00000000 41 | 42 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\DeviceGuard\RequirePlatformSecurityFeatures] 43 | "value"=dword:00000000 44 | 45 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\VirtualizationBasedTechnology\RequireUEFIMemoryAttributesTable] 46 | "value"=dword:00000000 47 | 48 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard] 49 | "DeployConfigCIPolicy"=dword:00000000 50 | 51 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard] 52 | "Enabled"=dword:00000000 53 | -------------------------------------------------------------------------------- /Remove_defender_moduled/RemovalofWindowsDefenderAntivirus.reg: 
-------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] 4 | 5 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] 6 | 7 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] 8 | 9 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] 10 | 11 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] 12 | 13 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] 14 | 15 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] 16 | 17 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] 18 | 19 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] 20 | 21 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] 22 | 23 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] 24 | 25 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] 26 | 27 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] 28 | 29 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] 30 | 31 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] 32 | 33 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] 34 | 35 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] 36 | 37 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] 38 | 39 | 
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] 40 | 41 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] 42 | 43 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] 44 | 45 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] 46 | 47 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] 48 | 49 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] 50 | 51 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] 52 | 53 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] 54 | 55 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] 56 | 57 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] 58 | 59 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] 60 | 61 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] 62 | 63 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] 64 | 65 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] 66 | 67 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] 68 | 69 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] 70 | 71 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] 72 | 73 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] 74 | 75 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] 76 | 77 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] 78 | 79 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] 80 | 81 | [-HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] 82 | 83 | 
[-HKEY_CLASSES_ROOT\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] 84 | 85 | [-HKEY_CLASSES_ROOT\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] 86 | 87 | [-HKEY_CLASSES_ROOT\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] 88 | 89 | [-HKEY_CLASSES_ROOT\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] 90 | 91 | [-HKEY_CLASSES_ROOT\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] 92 | 93 | [-HKEY_CLASSES_ROOT\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] 94 | 95 | [-HKEY_CLASSES_ROOT\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] 96 | 97 | [-HKEY_CLASSES_ROOT\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] 98 | 99 | [-HKEY_CLASSES_ROOT\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] 100 | 101 | [-HKEY_CLASSES_ROOT\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] 102 | 103 | [-HKEY_CLASSES_ROOT\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] 104 | 105 | [-HKEY_CLASSES_ROOT\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] 106 | 107 | ; Defender Loggers 108 | 109 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger] 110 | 111 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger] -------------------------------------------------------------------------------- /Remove_defender_moduled/DisableDefenderPolicies.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; Enforce Disabling of Windows Defender Antivirus Policy 4 | 5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection] 6 | "value"=dword:00000000 7 | 8 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] 9 | "PUAProtection"=dword:00000000 10 | "DisableRoutinelyTakingAction"=dword:00000001 11 | "ServiceKeepAlive"=dword:00000000 12 | "AllowFastServiceStartup"=dword:00000000 13 | "DisableLocalAdminMerge"=dword:00000001 14 | "DisableAntiSpyware"=dword:00000001 15 | "RandomizeScheduleTaskTimes"=dword:00000000 16 | 17 | 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowArchiveScanning] 18 | "value"=dword:00000000 19 | 20 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring] 21 | "value"=dword:00000000 22 | 23 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowCloudProtection] 24 | "value"=dword:00000000 25 | 26 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowEmailScanning] 27 | "value"=dword:00000000 28 | 29 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanOnMappedNetworkDrives] 30 | "value"=dword:00000000 31 | 32 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanRemovableDriveScanning] 33 | "value"=dword:00000000 34 | 35 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIntrusionPreventionSystem] 36 | "value"=dword:00000000 37 | 38 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowOnAccessProtection] 39 | "value"=dword:00000000 40 | 41 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowRealtimeMonitoring] 42 | "value"=dword:00000000 43 | 44 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScanningNetworkFiles] 45 | "value"=dword:00000000 46 | 47 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScriptScanning] 48 | "value"=dword:00000001 49 | 50 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowUserUIAccess] 51 | "value"=dword:00000000 52 | 53 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AvgCPULoadFactor] 54 | "value"=dword:00000032 55 | 56 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CheckForSignaturesBeforeRunningScan] 57 | "value"=dword:00000000 58 | 59 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CloudBlockLevel] 60 | "value"=dword:00000000 61 | 
62 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CloudExtendedTimeout] 63 | "value"=dword:00000000 64 | 65 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DaysToRetainCleanedMalware] 66 | "value"=dword:00000000 67 | 68 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupFullScan] 69 | "value"=dword:00000001 70 | 71 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupQuickScan] 72 | "value"=dword:00000001 73 | 74 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableControlledFolderAccess] 75 | "value"=dword:00000000 76 | 77 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableLowCPUPriority] 78 | "value"=dword:00000001 79 | 80 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableNetworkProtection] 81 | "value"=dword:00000000 82 | 83 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\PUAProtection] 84 | "value"=dword:00000000 85 | 86 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\RealTimeScanDirection] 87 | "value"=dword:00000000 88 | 89 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScanParameter] 90 | "value"=dword:00000002 91 | 92 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanDay] 93 | "value"=dword:00000000 94 | 95 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanTime] 96 | "value"=dword:00000000 97 | 98 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\SignatureUpdateInterval] 99 | "value"=dword:00000018 100 | 101 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\SubmitSamplesConsent] 102 | "value"=dword:00000000 103 | 104 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions] 105 | "DisableAutoExclusions"=dword:00000001 106 | 107 | 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine] 108 | "MpEnablePus"=dword:00000000 109 | "MpCloudBlockLevel"=dword:00000000 110 | "MpBafsExtendedTimeout"=dword:00000000 111 | "EnableFileHashComputation"=dword:00000000 112 | 113 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS] 114 | "ThrottleDetectionEventsRate"=dword:00000000 115 | "DisableSignatureRetirement"=dword:00000001 116 | "DisableProtocolRecognition"=dword:00000001 117 | 118 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager] 119 | "DisableScanningNetworkFiles"=dword:00000001 120 | 121 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection] 122 | "DisableRealtimeMonitoring"=dword:00000001 123 | "DisableBehaviorMonitoring"=dword:00000001 124 | "DisableOnAccessProtection"=dword:00000001 125 | "DisableScanOnRealtimeEnable"=dword:00000001 126 | "DisableIOAVProtection"=dword:00000001 127 | "LocalSettingOverrideDisableOnAccessProtection"=dword:00000000 128 | "LocalSettingOverrideRealtimeScanDirection"=dword:00000000 129 | "LocalSettingOverrideDisableIOAVProtection"=dword:00000000 130 | "LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000 131 | "LocalSettingOverrideDisableIntrusionPreventionSystem"=dword:00000000 132 | "LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000 133 | "RealtimeScanDirection"=dword:00000002 134 | "IOAVMaxSize"=dword:00000512 135 | "DisableInformationProtectionControl"=dword:00000001 136 | "DisableIntrusionPreventionSystem"=dword:00000001 137 | "DisableRawWriteNotification"=dword:00000001 138 | 139 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan] 140 | "LowCpuPriority"=dword:00000001 141 | "DisableRestorePoint"=dword:00000001 142 | "DisableArchiveScanning"=dword:00000000 143 | "DisableScanningNetworkFiles"=dword:00000000 144 | "DisableCatchupFullScan"=dword:00000000 145 | "DisableCatchupQuickScan"=dword:00000001 146 | 
"DisableEmailScanning"=dword:00000000 147 | "DisableHeuristics"=dword:00000001 148 | "DisableReparsePointScanning"=dword:00000001 149 | 150 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates] 151 | "SignatureDisableNotification"=dword:00000001 152 | "RealtimeSignatureDelivery"=dword:00000000 153 | "ForceUpdateFromMU"=dword:00000000 154 | "DisableScheduledSignatureUpdateOnBattery"=dword:00000001 155 | "UpdateOnStartUp"=dword:00000000 156 | "SignatureUpdateCatchupInterval"=dword:00000002 157 | "DisableUpdateOnStartupWithoutEngine"=dword:00000001 158 | "ScheduleTime"=dword:00001440 159 | "DisableScanOnUpdate"=dword:00000001 160 | 161 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet] 162 | "DisableBlockAtFirstSeen"=dword:00000001 163 | "LocalSettingOverrideSpynetReporting"=dword:00000000 164 | "SpynetReporting"=dword:00000000 165 | "SubmitSamplesConsent"=dword:00000002 166 | 167 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration] 168 | "SuppressRebootNotification"=dword:00000001 169 | 170 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access] 171 | "EnableControlledFolderAccess"=dword:00000000 172 | 173 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection] 174 | "EnableNetworkProtection"=dword:00000000 175 | 176 | [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender] 177 | "DisableRoutinelyTakingAction"=dword:00000001 178 | 179 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware] 180 | "ServiceKeepAlive"=dword:00000000 181 | "AllowFastServiceStartup"=dword:00000000 182 | "DisableRoutinelyTakingAction"=dword:00000001 183 | "DisableAntiSpyware"=dword:00000001 184 | "DisableAntiVirus"=dword:00000001 185 | 186 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet] 187 | 
"SpyNetReporting"=dword:00000000 188 | "LocalSettingOverrideSpyNetReporting"=dword:00000000 189 | 190 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting] 191 | "DisableEnhancedNotifications"=dword:00000001 192 | "DisableGenericRePorts"=dword:00000001 193 | "WppTracingLevel"=dword:00000000 194 | "WppTracingComponents"=dword:00000000 195 | 196 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy] 197 | "VerifiedAndReputablePolicyState"=dword:00000000 198 | -------------------------------------------------------------------------------- /Script_Run.bat: -------------------------------------------------------------------------------- 1 | @set defenderremoverver=12.8.4 2 | @setlocal DisableDelayedExpansion 3 | @echo off 4 | pushd "%CD%" 5 | CD /D "%~dp0" 6 | 7 | :: Arguments Section 8 | IF "%1"== "y" GOTO :removedef 9 | IF "%1"== "Y" GOTO :removedef 10 | IF "%1"== "a" GOTO :removeantivirus 11 | IF "%1"== "A" GOTO :removeantivirus 12 | IF "%1"== "S" GOTO :disablemitigations 13 | IF "%1"== "s" GOTO :disablemitigations 14 | :-------------------------------------- 15 | 16 | 17 | :-------------------------------------- 18 | cls 19 | echo ------ Defender Remover Script , version %defenderremoverver% ------ 20 | echo Select an option: 21 | echo. 22 | echo Do you want to remove Windows Defender and alongside components? After this you'll need to reboot. 23 | echo If you PC have a Microsoft Pluton Chip, you can disable from BIOS anytime. (This script removes the integration of Pluton Chip Support and Processing from Windows.) 24 | echo After confirmation of Removal, your Device will RESTART!! 25 | echo A backup and/or System Restore point is recommended. 
26 | echo [Y] Remove Windows Defender Antivirus + Disable All Security Mitigations 27 | echo [A] Remove Windows Defender only, but keep UAC Enabled 28 | echo [S] Disable All Security Mitigations 29 | choice /C:yas /N 30 | if errorlevel==3 goto disablemitigations 31 | if errorlevel==2 goto removeantivirus 32 | if errorlevel==1 goto removedef 33 | :-------------------------------------- 34 | 35 | 36 | :-------------------------------------- 37 | goto :eof 38 | :-------------------------------------- 39 | 40 | :-------------------------------------- 41 | :removedef 42 | CLS 43 | bcdedit /set hypervisorlaunchtype off 44 | 45 | CLS 46 | echo Removing Windows Security UWP App... 47 | Powershell -noprofile -executionpolicy bypass -file "%~dp0\RemoveSecHealthApp.ps1" 48 | 49 | CLS 50 | echo Unregister Windows Defender Security Components... 51 | FOR /R %%f IN (Remove_defender\*.reg) DO PowerRun.exe regedit.exe /s "%%f" 52 | FOR /R %%f IN (Remove_defender\*.reg) DO regedit.exe /s "%%f" 53 | FOR /R %%f IN (Remove_SecurityComp\*.reg) DO PowerRun.exe regedit.exe /s "%%f" 54 | CLS 55 | for %%d in ("C:\Windows\WinSxS\FileMaps\wow64_windows-defender*.manifest" "C:\Windows\WinSxS\FileMaps\x86_windows-defender*.manifest" "C:\Windows\WinSxS\FileMaps\amd64_windows-defender*.manifest" "C:\Windows\System32\SecurityAndMaintenance_Error.png" "C:\Windows\System32\SecurityAndMaintenance.png" "C:\Windows\System32\SecurityHealthSystray.exe" "C:\Windows\System32\SecurityHealthService.exe" "C:\Windows\System32\SecurityHealthHost.exe" "C:\Windows\System32\drivers\SgrmAgent.sys" "C:\Windows\System32\drivers\WdDevFlt.sys" "C:\Windows\System32\drivers\WdBoot.sys" "C:\Windows\System32\drivers\WdFilter.sys" "C:\Windows\System32\wscsvc.dll" "C:\Windows\System32\drivers\WdNisDrv.sys" "C:\Windows\System32\wscsvc.dll" "C:\Windows\System32\wscproxystub.dll" "C:\Windows\System32\wscisvif.dll" "C:\Windows\System32\SecurityHealthProxyStub.dll" "C:\Windows\System32\smartscreen.dll" 
"C:\Windows\SysWOW64\smartscreen.dll" "C:\Windows\System32\smartscreen.exe" "C:\Windows\SysWOW64\smartscreen.exe" "C:\Windows\System32\DWWIN.EXE" "C:\Windows\SysWOW64\smartscreenps.dll" "C:\Windows\System32\smartscreenps.dll" "C:\Windows\System32\SecurityHealthCore.dll" "C:\Windows\System32\SecurityHealthSsoUdk.dll" "C:\Windows\System32\SecurityHealthUdk.dll" "C:\Windows\System32\SecurityHealthAgent.dll" "C:\Windows\System32\wscapi.dll" "C:\Windows\System32\wscadminui.exe" "C:\Windows\SysWOW64\GameBarPresenceWriter.exe" "C:\Windows\System32\GameBarPresenceWriter.exe" "C:\Windows\SysWOW64\DeviceCensus.exe" "C:\Windows\SysWOW64\CompatTelRunner.exe" "C:\Windows\system32\drivers\msseccore.sys" "C:\Windows\system32\drivers\MsSecFltWfp.sys" "C:\Windows\system32\drivers\MsSecFlt.sys") DO PowerRun cmd.exe /c del /f "%%d" 56 | :: part 2 57 | for %%d in ("C:\Windows\WinSxS\amd64_security-octagon*" "C:\Windows\WinSxS\x86_windows-defender*" "C:\Windows\WinSxS\wow64_windows-defender*" "C:\Windows\WinSxS\amd64_windows-defender*" "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" "C:\ProgramData\Microsoft\Windows Defender" "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" "C:\Program Files\Windows Defender Advanced Threat Protection" "C:\ProgramData\Microsoft\Windows Security Health" "C:\ProgramData\Microsoft\Storage Health" "C:\WINDOWS\System32\drivers\wd" "C:\Program Files (x86)\Windows Defender" "C:\Program Files\Windows Defender" "C:\Windows\System32\SecurityHealth" "C:\Windows\System32\WebThreatDefSvc" "C:\Windows\System32\Sgrm" "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" 
"C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" "C:\Windows\System32\HealthAttestationClient" "C:\Windows\GameBarPresenceWriter" "C:\Windows\bcastdvr" "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim") do PowerRun cmd.exe /c rmdir "%%~d" /s /q 58 | echo Your PC will reboot in 10 seconds.. 59 | timeout 3 60 | shutdown /r /f /t 10 61 | exit 62 | :-------------------------------------- 63 | 64 | 65 | :-------------------------------------- 66 | :removeantivirus 67 | CLS 68 | bcdedit /set hypervisorlaunchtype off 69 | 70 | CLS 71 | echo Removing Windows Security UWP App... 72 | Powershell -noprofile -executionpolicy bypass -file "%~dp0\RemoveSecHealthApp.ps1" 73 | 74 | CLS 75 | echo Unregister Windows Defender Security Components... 76 | FOR /R %%f IN (Remove_defender\*.reg) DO PowerRun.exe regedit.exe /s "%%f" 77 | FOR /R %%f IN (Remove_defender\*.reg) DO regedit.exe /s "%%f" 78 | CLS 79 | for %%d in ("C:\Windows\WinSxS\FileMaps\wow64_windows-defender*.manifest" "C:\Windows\WinSxS\FileMaps\x86_windows-defender*.manifest" "C:\Windows\WinSxS\FileMaps\amd64_windows-defender*.manifest" "C:\Windows\System32\SecurityAndMaintenance_Error.png" "C:\Windows\System32\SecurityAndMaintenance.png" "C:\Windows\System32\SecurityHealthSystray.exe" "C:\Windows\System32\SecurityHealthService.exe" "C:\Windows\System32\SecurityHealthHost.exe" "C:\Windows\System32\drivers\SgrmAgent.sys" "C:\Windows\System32\drivers\WdDevFlt.sys" "C:\Windows\System32\drivers\WdBoot.sys" "C:\Windows\System32\drivers\WdFilter.sys" "C:\Windows\System32\wscsvc.dll" "C:\Windows\System32\drivers\WdNisDrv.sys" "C:\Windows\System32\wscsvc.dll" "C:\Windows\System32\wscproxystub.dll" "C:\Windows\System32\wscisvif.dll" "C:\Windows\System32\SecurityHealthProxyStub.dll" "C:\Windows\System32\smartscreen.dll" "C:\Windows\SysWOW64\smartscreen.dll" "C:\Windows\System32\smartscreen.exe" "C:\Windows\SysWOW64\smartscreen.exe" 
"C:\Windows\System32\DWWIN.EXE" "C:\Windows\SysWOW64\smartscreenps.dll" "C:\Windows\System32\smartscreenps.dll" "C:\Windows\System32\SecurityHealthCore.dll" "C:\Windows\System32\SecurityHealthSsoUdk.dll" "C:\Windows\System32\SecurityHealthUdk.dll" "C:\Windows\System32\SecurityHealthAgent.dll" "C:\Windows\System32\wscapi.dll" "C:\Windows\System32\wscadminui.exe" "C:\Windows\SysWOW64\GameBarPresenceWriter.exe" "C:\Windows\System32\GameBarPresenceWriter.exe" "C:\Windows\SysWOW64\DeviceCensus.exe" "C:\Windows\SysWOW64\CompatTelRunner.exe" "C:\Windows\system32\drivers\msseccore.sys" "C:\Windows\system32\drivers\MsSecFltWfp.sys" "C:\Windows\system32\drivers\MsSecFlt.sys") DO PowerRun cmd.exe /c del /f "%%d" 80 | :: part 2 81 | for %%d in ("C:\Windows\WinSxS\amd64_security-octagon*" "C:\Windows\WinSxS\x86_windows-defender*" "C:\Windows\WinSxS\wow64_windows-defender*" "C:\Windows\WinSxS\amd64_windows-defender*" "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" "C:\ProgramData\Microsoft\Windows Defender" "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" "C:\Program Files\Windows Defender Advanced Threat Protection" "C:\ProgramData\Microsoft\Windows Security Health" "C:\ProgramData\Microsoft\Storage Health" "C:\WINDOWS\System32\drivers\wd" "C:\Program Files (x86)\Windows Defender" "C:\Program Files\Windows Defender" "C:\Windows\System32\SecurityHealth" "C:\Windows\System32\WebThreatDefSvc" "C:\Windows\System32\Sgrm" "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" 
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" "C:\Windows\System32\HealthAttestationClient" "C:\Windows\GameBarPresenceWriter" "C:\Windows\bcastdvr" "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim") do PowerRun cmd.exe /c rmdir "%%~d" /s /q 82 | echo Your PC will reboot in 10 seconds.. 83 | timeout 3 84 | shutdown /r /f /t 10 85 | exit 86 | :-------------------------------------- 87 | 88 | :-------------------------------------- 89 | :disablemitigations 90 | CLS 91 | bcdedit /set hypervisorlaunchtype off 92 | 93 | CLS 94 | echo Disabling Security Mitigations... 95 | FOR /R %%f IN (Remove_SecurityComp\*.reg) DO PowerRun.exe regedit.exe /s "%%f" 96 | CLS 97 | echo Your PC will reboot in 10 seconds.. 98 | timeout 3 99 | shutdown /r /f /t 10 100 | exit 101 | :-------------------------------------- -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ❌️ Defender Remover / Defender Disabler 2 | 3 | 4 | 5 | 6 | Defender Remover 7 | 8 | 9 | 10 | ## ❓️ What does the app do? 11 | 12 | This application removes / disables Windows Defender, including the Windows Security App, Windows Virtualization-Based Security (VBS), Windows SmartScreen, Windows Security Services, Windows Web-Threat Service, Windows File Virtualization (UAC), Microsoft Defender App Guard, Microsoft Driver Block List, System Mitigations and the Windows Defender page in the Settings App on Windows 10 or later. 13 | 14 | 15 | ## ❓️ What components are removing? 16 | 17 | ### Removing Security Components 18 | This script removes/disables following security components: 19 | - support for Windows Security Center including Windows Security Center Service (wscsvc), Windows Security Service (SgrmBroker, Sgrm Drivers) which are needed to run Windows Security App. 20 | - virtualization support. 
21 | - Hypervisor startup (this fixes the disabling of Virtualization Based Security; it will be re-enabled automatically if you use Hyper-V and/or WSL (Windows Subsystem for Linux), WSA (Windows Subsystem for Android)) 22 | - LUA (disables File Virtualization and User Account Control, so all apps run with administrator privileges (also fixes old app errors)) 23 | - Exploit Guard (the Windows Defender exploit-mitigation settings) 24 | - Windows Smart Control 25 | - Tamper Protection (for Windows 11 21H2 or earlier) 26 | - SecHealthUI (Windows Security UWP App) 27 | - SmartScreen 28 | - Pluton Support and Pluton Services Support 29 | - System Mitigations 30 | - "Services Mitigations" (search on admx.help for more information; it's a policy) 31 | - Spectre and Meltdown Mitigation (to get +30% performance on old Intel CPUs) 32 | - Windows Security Section from Settings App. 33 | 34 | ### Removing Antivirus Components 35 | This script forcibly removes the following antivirus components: 36 | - Windows Defender Definition Update List (this will disable updating definitions of Defender because it's removed) 37 | - Windows Defender SpyNet Telemetry 38 | - Antivirus Service 39 | - Windows Defender Antivirus filter and Windows Defender rootkit scanner drivers 40 | - Antivirus Scanning Tasks 41 | - Shell Associations (Context Menu) 42 | - Hides Antivirus Protection section from Windows Security App. 43 | 44 | ## 📃 Instructions 45 | 46 | > [!NOTE] 47 | > A system restore point is recommended before you run the script. (if you don't know what you are doing) 48 | 49 | 1. Download the packed script from [Releases](https://github.com/ionuttbara/windows-defender-remover/releases) 50 | 2. Run the ".exe" as administrator 51 | 3. Follow the instructions displayed 52 | 53 | OR 54 | 55 | you can use git 56 | 57 | ``` 58 | git clone https://github.com/ionuttbara/windows-defender-remover.git 59 | cd windows-defender-remover 60 | Script_Run.bat 61 | ``` 62 | 63 | 64 | OR 65 | 66 | you can download the entire source code 67 | 1.
Download the source code from [Releases](https://github.com/jbara2002/windows-defender-remover/releases). 68 | 2. Choose the file **Source Code(.zip)** from the latest version and download it. 69 | 3. Unarchive the file into a folder and run Script_Run.bat. 70 | 71 | ![cli](https://github.com/drunkwinter/windows-defender-remover/assets/38593134/46007191-0a65-43c2-b451-a993ff90e00e) 72 | 73 | You can file an [issue](https://github.com/ionuttbara/windows-defender-remover/issues) if you experience any problems. 74 | 75 | ## 📃 Automation of the script 76 | 77 | You can remove Defender with arguments. 78 | 79 | #### Removing 80 | 81 | ```PowerShell 82 | # Removal 83 | Defender.Remover.exe /r <# or /R #> 84 | ``` 85 | 86 | 87 | ## Disable or Remove Windows Defender *Application Guard Policies* (advanced) 88 | 89 | If you have any problems when opening an app (*extremely rare*) and get the message "The app can not run because Device Guard" or "Windows Defender Application Guard Blocked this app", you have to remove 4 files with the same name, from different locations. 90 | 91 | 92 | - In EFI Partition 93 | 94 | ```PowerShell 95 | Remove-Item -LiteralPath "$((Get-Partition | ? IsSystem).AccessPaths[0])Microsoft\Boot\WiSiPolicy.p7b" 96 | ``` 97 | 98 | - In Code Integrity Folder 99 | 100 | ```PowerShell 101 | Remove-Item -LiteralPath "$env:windir\System32\CodeIntegrity\WiSiPolicy.p7b" 102 | ``` 103 | 104 | - In Windows Folder 105 | 106 | ```PowerShell 107 | Remove-Item -LiteralPath "$env:windir\Boot\EFI\wisipolicy.p7b" 108 | ``` 109 | 110 | - In WinSxS Folder 111 | 112 | ```PowerShell 113 | Remove-Item -Path "$env:windir\WinSxS" -Include *winsipolicy.p7b* -Recurse 114 | ``` 115 | 116 | ## Creating an ISO with Windows Defender and Services disabled 117 | 118 | You can create an ISO with Windows Defender and Security Services Disabled. It's easy, and this is a file which can help you. 119 | Here are the steps: 120 | 1. Mount the ISO and extract it into a location. 121 | 2.
Open the **sources** folder and create the **$OEM$** folder. (this is needed to run the DefenderRemover part in OOBE). 122 | 3. Open the **$OEM$** folder and create the folder with **$$** name. 123 | 4. Open the **$$** folder and create the folder with **Panther** name. 124 | 5. Open the **Panther** folder. 125 | The path it shown like to 126 | **%location of extracted ISO%\sources\$OEM$\$$\Panther\** 127 | 6. Download the unnatended.xml file from repo in ISO_Maker folder and put it in Panther folder. 128 | 7. Save this as bootable ISO. (for now the script can't do this automaticly, but it will do in next version). 129 | 130 | 131 | ## ❓ Frequently Asked Questions 132 | #### ⭕ How to remove Windows Security Center / Windows SecurityApp from PC without downloading Script? 133 | Paste this code into a powershell file and after **Run as Administrator**. 134 | ``` 135 | $remove_appx = @("SecHealthUI"); $provisioned = get-appxprovisionedpackage -online; $appxpackage = get-appxpackage -allusers; $eol = @() 136 | $store = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore' 137 | $users = @('S-1-5-18'); if (test-path $store) {$users += $((dir $store -ea 0 |where {$_ -like '*S-1-5-21*'}).PSChildName)} 138 | foreach ($choice in $remove_appx) { if ('' -eq $choice.Trim()) {continue} 139 | foreach ($appx in $($provisioned |where {$_.PackageName -like "*$choice*"})) { 140 | $next = !1; foreach ($no in $skip) {if ($appx.PackageName -like "*$no*") {$next = !0}} ; if ($next) {continue} 141 | $PackageName = $appx.PackageName; $PackageFamilyName = ($appxpackage |where {$_.Name -eq $appx.DisplayName}).PackageFamilyName 142 | ni "$store\Deprovisioned\$PackageFamilyName" -force >''; $PackageFamilyName 143 | foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageName" -force >''} ; $eol += $PackageName 144 | dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >'' 145 | remove-appxprovisionedpackage -packagename $PackageName 
-online -allusers >'' 146 | } 147 | foreach ($appx in $($appxpackage |where {$_.PackageFullName -like "*$choice*"})) { 148 | $next = !1; foreach ($no in $skip) {if ($appx.PackageFullName -like "*$no*") {$next = !0}} ; if ($next) {continue} 149 | $PackageFullName = $appx.PackageFullName; 150 | ni "$store\Deprovisioned\$appx.PackageFamilyName" -force >''; $PackageFullName 151 | foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageFullName" -force >''} ; $eol += $PackageFullName 152 | dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >'' 153 | remove-appxpackage -package $PackageFullName -allusers >'' 154 | } 155 | } 156 | ``` 157 | 158 | #### ⭕ Why is the downloaded executable being flagged as a virus? 159 | 160 | That is a false positive. 161 | 162 | Some security apps flag this app as a virus because of the way the ".exe" files are created. A copy downloaded with **git** or as the source code .zip will scan as virus-free. 163 | Starting with Defender 12.6.x, some versions are detected as a virus and some are not (it's a bug on my side, so do not file an issue for this). 164 | 165 | #### ⭕ Why is the patch not working when Windows is updated? 166 | 167 | Windows Update includes an ```Intelligence Update``` which blocks certain actions and modifies Windows Defender/Security policies. 168 | If the script is not working for you, check if you have the Windows Security Intelligence Update installed. If you do, disable tamper protection, and re-run the script. 169 | 170 | #### ⭕ How to use the package remover without downloading the executable from the release? 171 | 172 | Run the desired ".bat" file from cmd with PowerRun (by dragging it onto the executable). You must reboot for the changes to take effect. 173 | 174 | #### ⭕ How to disable VBS if the removal script does not work? 175 | 176 | Disable it with this command and reboot. 177 | 178 | ``` 179 | bcdedit /set hypervisorlaunchtype off 180 | ``` 181 | After that you will not be able to use virtual machines. 
182 | 183 | #### ⭕ Why does VBS keep getting enabled on Windows 11? 184 | 185 | By default the script disables VBS to gain performance on your system. What keeps VBS enabled is Windows Virtualization. 186 | 187 | Apps and features which use Windows Virtualization: 188 | 189 | - Windows Subsystem for **Android**/**Linux** 190 | - Hyper-V virtual machines 191 | - Microsoft Emulator (Windows 10X Emulator which you can find in Microsoft Store) 192 | - Android Studio integration in Visual Studio or other emulators (for Windows 10 22H2 with March 2025 Update or newer) 193 | 194 | If you open one of the apps mentioned above, VBS will be enabled without user intervention. It's needed to run the virtual machine engine. If you don't use any virtual machines, you can file an issue here. -------------------------------------------------------------------------------- /Remove_SecurityComp/Remove_SecurityComp.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection] 4 | "DisableAsyncScanOnOpen"=dword:00000001 5 | 6 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] 7 | "RunAsPPL"=dword:00000000 8 | 9 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] 10 | "LsaConfigFlags"=dword:00000000 11 | "RunAsPPL"=dword:00000000 12 | "RunAsPPLBoot"=dword:00000000 13 | "LmCompatibilityLevel"=- 14 | 15 | ; disables reporting of things from Maintenance Task in Windows Security App 16 | 17 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health] 18 | 19 | [-HKEY_CURRENT_USER\Software\Microsoft\Windows Security Health] 20 | 21 | [HKEY_CURRENT_USER\Software\Microsoft\Windows Security Health\State] 22 | "Disabled"=dword:00000001 23 | 24 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\Platform] 25 | "Registered"=dword:00000000 26 | 27 | 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config] 28 | "VulnerableDriverBlocklistEnable"=dword:00000000 29 | 30 | ; Disable SmartScreen for Microsoft Edge 31 | 32 | [HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter] 33 | "EnabledV9"=dword:00000000 34 | "PreventOverride"=dword:00000000 35 | 36 | [HKEY_CURRENT_USER\Software\Microsoft\Edge] 37 | "SmartScreenEnabled"=dword:00000000 38 | 39 | [HKEY_CURRENT_USER\Software\Microsoft\Edge\SmartScreenEnabled] 40 | @=dword:00000000 41 | 42 | ; Disable SmartScreen in File Explorer and Windows Shell 43 | 44 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer] 45 | "SmartScreenEnabled"="off" 46 | 47 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] 48 | "EnableSmartScreen"=dword:00000000 49 | "ShellSmartScreenLevel"=- 50 | 51 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen] 52 | "value"=dword:00000000 53 | 54 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\SmartScreen\EnableSmartScreenInShell] 55 | "value"=dword:00000000 56 | 57 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\SmartScreen\EnableAppInstallControl] 58 | "value"=dword:00000000 59 | 60 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\SmartScreen\PreventOverrideForFilesInShell] 61 | "value"=dword:00000000 62 | 63 | ; Disable SmartScreen for Microsoft Store Apps 64 | 65 | [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost] 66 | "EnableWebContentEvaluation"=dword:00000000 67 | "PreventOverride"=dword:00000000 68 | 69 | ; Configure App Install Control 70 | 71 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen] 72 | "ConfigureAppInstallControlEnabled"=dword:00000001 73 | "ConfigureAppInstallControl"="Anywhere" 74 | 75 | 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet] 76 | "DisableBlockAtFirstSeen"=dword:00000001 77 | "LocalSettingOverrideSpynetReporting"=dword:00000000 78 | "SpynetReporting"=dword:00000000 79 | "SubmitSamplesConsent"=dword:00000002 80 | 81 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet] 82 | "SpyNetReporting"=dword:00000000 83 | "LocalSettingOverrideSpyNetReporting"=dword:00000000 84 | 85 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsMitigation] 86 | "UserPreference"=dword:00000002 87 | 88 | ; In-kernel Mitigations 89 | 90 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel] 91 | "MitigationAuditOptions"=hex:00,00,00,00,00,00,20,22,00,00,00,00,00,00,00,20,00,00,00,00,00,00,00,00 92 | "MitigationOptions"=hex:00,22,22,20,22,20,22,22,20,00,00,00,00,20,00,20,00,00,00,00,00,00,00,00 93 | "KernelSEHOPEnabled"=dword:00000000 94 | 95 | ; Disable Spectre & Meltdown Mitigations 96 | 97 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management] 98 | "FeatureSettings"=dword:00000001 99 | "FeatureSettingsOverride"=dword:00000003 100 | "FeatureSettingsOverrideMask"=dword:00000003 101 | 102 | ; Services Mitigations 103 | 104 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig] 105 | "EnableSvchostMitigationPolicy"=hex(b):00,00,00,00,00,00,00,00 106 | 107 | ; Remove Defender's Tamper Protection 108 | 109 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features] 110 | "MpPlatformKillbitsFromEngine"=hex:00,00,00,00,00,00,00,00 111 | "TamperProtectionSource"=dword:00000000 112 | "MpCapability"=hex:00,00,00,00,00,00,00,00 113 | "TamperProtection"=dword:00000000 114 | 115 | ; Disable UAC 116 | 117 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] 118 | "ConsentPromptBehaviorAdmin"=dword:00000000 119 | "PromptOnSecureDesktop"=dword:00000000 120 | 121 | ; Fix mouse cursor dissapeiring 122 | 123 | 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] 124 | "EnableCursorSuppression"=dword:00000000 125 | 126 | ; Reset values for Virtualization Settings 127 | 128 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard] 129 | 130 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\DeviceGuard] 131 | 132 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\VirtualizationBasedTechnology] 133 | 134 | ; Disable Virtualization Based Security 135 | 136 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard] 137 | "EnableVirtualizationBasedSecurity"=dword:00000000 138 | "HypervisorEnforcedCodeIntegrity"=dword:00000000 139 | "HVCIMATRequired"=dword:00000000 140 | "LsaCfgFlags"=dword:00000000 141 | "ConfigureSystemGuardLaunch"=dword:00000002 142 | "RequirePlatformSecurityFeature"=dword:00000000 143 | "CachedDrtmAuthIndex"=dword:00000000 144 | "RequireMicrosoftSignedBootChain"=dword:00000001 145 | "Locked"=dword:00000000 146 | "RequirePlatformSecurityFeatures"=dword:00000000 147 | 148 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity] 149 | "Enabled"=dword:00000000 150 | "Locked"=dword:00000000 151 | "WasEnabledBy"=- 152 | 153 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\VirtualizationBasedTechnology\HypervisorEnforcedCodeIntegrity] 154 | "value"=dword:00000000 155 | 156 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\DeviceGuard\EnableVirtualizationBasedSecurity] 157 | "value"=dword:00000000 158 | 159 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\DeviceGuard\ConfigureSystemGuardLaunch] 160 | "value"=dword:00000000 161 | 162 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\DeviceGuard\LsaCfgFlags] 163 | "value"=dword:00000000 164 | 165 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\DeviceGuard\RequirePlatformSecurityFeatures] 166 | "value"=dword:00000000 167 | 168 
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\VirtualizationBasedTechnology\RequireUEFIMemoryAttributesTable] 169 | "value"=dword:00000000 170 | 171 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard] 172 | "DeployConfigCIPolicy"=dword:00000000 173 | 174 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard] 175 | "Enabled"=dword:00000000 176 | 177 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access] 178 | "EnableControlledFolderAccess"=dword:00000000 179 | 180 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection] 181 | "EnableNetworkProtection"=- 182 | 183 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR] 184 | "ExploitGuard_ASR_Rules"=dword:00000000 185 | 186 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection] 187 | "EnableNetworkProtection"=- 188 | 189 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MpGears] 190 | "HeartbeatTrackingIndex"=dword:00000000 191 | "SpyNetReportingLocation"="0" 192 | 193 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR] 194 | "EnableASRConsumers"=dword:00000000 195 | 196 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FTH] 197 | "Enabled"=dword:00000000 198 | 199 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\WebThreatDefSvc] 200 | 201 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefsvc] 202 | 203 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc] 204 | 205 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WebThreatDefense] 206 | 207 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] 208 | "WebThreatDefense"=- 209 | 210 | ; From Disabler 211 | 212 | 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense] 213 | 214 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\AuditMode] 215 | "value"=dword:00000000 216 | 217 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\NotifyUnsafeOrReusedPassword] 218 | "value"=dword:00000000 219 | 220 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\ServiceEnabled] 221 | "value"=dword:00000000 222 | 223 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS] 224 | 225 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components] 226 | "NotifyPasswordReuse"=dword:00000000 227 | 228 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components] 229 | "NotifyMalicious"=dword:00000000 230 | 231 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\AuditMode] 232 | "value"=dword:00000000 233 | 234 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\NotifyUnsafeOrReusedPassword] 235 | "value"=dword:00000000 236 | 237 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\ServiceEnabled] 238 | "value"=dword:00000000 239 | 240 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefsvc] 241 | 242 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc] 243 | 244 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WebThreatDefense] 245 | 246 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] 247 | "WebThreatDefense"=- 248 | 249 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlutonHsp2] 250 | 251 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlutonHeci] 252 | 253 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hsp] 254 | 255 | [-HKEY_CLASSES_ROOT\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 256 | 257 | 
[-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 258 | 259 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 260 | 261 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 262 | 263 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 264 | 265 | [-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 266 | 267 | [-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] 268 | 269 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System] 270 | "WebThreatDefSvc_Allow_In"=- 271 | "WebThreatDefSvc_Allow_Out"=- 272 | "WebThreatDefSvc_Block_In"=- 273 | "WebThreatDefSvc_Block_Out"=- 274 | 275 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System] 276 | "{2A5FE97D-01A4-4A9C-8241-BB3755B65EE0}"=- 277 | "72e33e44-dc4c-40c5-a688-a77b6e988c69"=- 278 | "b23879b5-1ef3-45b7-8933-554a4303d2f3"=- 279 | -------------------------------------------------------------------------------- /Remove_Defender/RemoveDefender.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | ; disabling Antivirus 4 | 5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] 6 | "DisableRoutinelyTakingAction"=dword:00000001 7 | "ServiceKeepAlive"=dword:00000000 8 | "AllowFastServiceStartup"=dword:00000000 9 | "DisableLocalAdminMerge"=dword:00000001 10 | 11 | ; disable overwriting real time protection settings 12 | 13 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection] 14 | 
"LocalSettingOverrideDisableOnAccessProtection"=dword:00000000 15 | "LocalSettingOverrideRealtimeScanDirection"=dword:00000000 16 | "LocalSettingOverrideDisableIOAVProtection"=dword:00000000 17 | "LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000 18 | "LocalSettingOverrideDisableIntrusionPreventionSystem"=dword:00000000 19 | "LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000 20 | "DisableIOAVProtection"=dword:00000001 21 | "DisableRealtimeMonitoring"=dword:00000001 22 | "DisableBehaviorMonitoring"=dword:00000001 23 | "DisableOnAccessProtection"=dword:00000001 24 | "DisableScanOnRealtimeEnable"=dword:00000001 25 | "RealtimeScanDirection"=dword:00000002 26 | "DisableInformationProtectionControl"=dword:00000001 27 | "DisableIntrusionPreventionSystem"=dword:00000001 28 | "DisableRawWriteNotification"=dword:00000001 29 | 30 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring] 31 | "value"=dword:00000000 32 | 33 | [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender] 34 | "DisableRoutinelyTakingAction"=dword:00000001 35 | 36 | ; Disable Windows Defender Security Center Notifications 37 | 38 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableEnhancedNotifications] 39 | "value"=dword:00000001 40 | 41 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableNotifications] 42 | "value"=dword:00000001 43 | 44 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\HideWindowsSecurityNotificationAreaControl] 45 | "value"=dword:00000001 46 | 47 | ; Disable Windows Security Center Notifications 48 | 49 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] 50 | 51 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] 52 | "FirstRunDisabled"=dword:00000001 53 | "AntiVirusOverride"=dword:00000001 54 | "FirewallOverride"=dword:00000001 55 | 56 | 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications] 57 | "DisableEnhancedNotifications"=dword:00000001 58 | "DisableNotifications"=dword:00000001 59 | 60 | [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance] 61 | "Enabled"=dword:00000000 62 | ; File: E:\Projects\Development\GitHub Repos\Listed Repos\windows-defender-remover\Remove_defender_moduled\DisableDefenderPolicies.reg 63 | 64 | ; Enforce Disabling of Windows Defender Antivirus Policy 65 | 66 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection] 67 | "value"=dword:00000000 68 | 69 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] 70 | "PUAProtection"=dword:00000000 71 | "DisableRoutinelyTakingAction"=dword:00000001 72 | "ServiceKeepAlive"=dword:00000000 73 | "AllowFastServiceStartup"=dword:00000000 74 | "DisableLocalAdminMerge"=dword:00000001 75 | "DisableAntiSpyware"=dword:00000001 76 | "RandomizeScheduleTaskTimes"=dword:00000000 77 | 78 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowArchiveScanning] 79 | "value"=dword:00000000 80 | 81 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring] 82 | "value"=dword:00000000 83 | 84 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowCloudProtection] 85 | "value"=dword:00000000 86 | 87 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowEmailScanning] 88 | "value"=dword:00000000 89 | 90 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanOnMappedNetworkDrives] 91 | "value"=dword:00000000 92 | 93 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanRemovableDriveScanning] 94 | "value"=dword:00000000 95 | 96 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIntrusionPreventionSystem] 
97 | "value"=dword:00000000 98 | 99 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowOnAccessProtection] 100 | "value"=dword:00000000 101 | 102 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowRealtimeMonitoring] 103 | "value"=dword:00000000 104 | 105 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScanningNetworkFiles] 106 | "value"=dword:00000000 107 | 108 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScriptScanning] 109 | "value"=dword:00000001 110 | 111 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowUserUIAccess] 112 | "value"=dword:00000000 113 | 114 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AvgCPULoadFactor] 115 | "value"=dword:00000032 116 | 117 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CheckForSignaturesBeforeRunningScan] 118 | "value"=dword:00000000 119 | 120 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CloudBlockLevel] 121 | "value"=dword:00000000 122 | 123 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CloudExtendedTimeout] 124 | "value"=dword:00000000 125 | 126 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DaysToRetainCleanedMalware] 127 | "value"=dword:00000000 128 | 129 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupFullScan] 130 | "value"=dword:00000001 131 | 132 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupQuickScan] 133 | "value"=dword:00000001 134 | 135 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableControlledFolderAccess] 136 | "value"=dword:00000000 137 | 138 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableLowCPUPriority] 139 | "value"=dword:00000001 140 | 141 | 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableNetworkProtection] 142 | "value"=dword:00000000 143 | 144 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\PUAProtection] 145 | "value"=dword:00000000 146 | 147 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\RealTimeScanDirection] 148 | "value"=dword:00000000 149 | 150 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScanParameter] 151 | "value"=dword:00000002 152 | 153 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanDay] 154 | "value"=dword:00000000 155 | 156 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanTime] 157 | "value"=dword:00000000 158 | 159 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\SignatureUpdateInterval] 160 | "value"=dword:00000018 161 | 162 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\SubmitSamplesConsent] 163 | "value"=dword:00000000 164 | 165 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions] 166 | "DisableAutoExclusions"=dword:00000001 167 | 168 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine] 169 | "MpEnablePus"=dword:00000000 170 | "MpCloudBlockLevel"=dword:00000000 171 | "MpBafsExtendedTimeout"=dword:00000000 172 | "EnableFileHashComputation"=dword:00000000 173 | 174 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS] 175 | "ThrottleDetectionEventsRate"=dword:00000000 176 | "DisableSignatureRetirement"=dword:00000001 177 | "DisableProtocolRecognition"=dword:00000001 178 | 179 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager] 180 | "DisableScanningNetworkFiles"=dword:00000001 181 | 182 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection] 183 | "DisableRealtimeMonitoring"=dword:00000001 184 | 
"DisableBehaviorMonitoring"=dword:00000001 185 | "DisableOnAccessProtection"=dword:00000001 186 | "DisableScanOnRealtimeEnable"=dword:00000001 187 | "DisableIOAVProtection"=dword:00000001 188 | "LocalSettingOverrideDisableOnAccessProtection"=dword:00000000 189 | "LocalSettingOverrideRealtimeScanDirection"=dword:00000000 190 | "LocalSettingOverrideDisableIOAVProtection"=dword:00000000 191 | "LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000 192 | "LocalSettingOverrideDisableIntrusionPreventionSystem"=dword:00000000 193 | "LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000 194 | "RealtimeScanDirection"=dword:00000002 195 | "IOAVMaxSize"=dword:00000512 196 | "DisableInformationProtectionControl"=dword:00000001 197 | "DisableIntrusionPreventionSystem"=dword:00000001 198 | "DisableRawWriteNotification"=dword:00000001 199 | 200 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan] 201 | "LowCpuPriority"=dword:00000001 202 | "DisableRestorePoint"=dword:00000001 203 | "DisableArchiveScanning"=dword:00000000 204 | "DisableScanningNetworkFiles"=dword:00000000 205 | "DisableCatchupFullScan"=dword:00000000 206 | "DisableCatchupQuickScan"=dword:00000001 207 | "DisableEmailScanning"=dword:00000000 208 | "DisableHeuristics"=dword:00000001 209 | "DisableReparsePointScanning"=dword:00000001 210 | 211 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates] 212 | "SignatureDisableNotification"=dword:00000001 213 | "RealtimeSignatureDelivery"=dword:00000000 214 | "ForceUpdateFromMU"=dword:00000000 215 | "DisableScheduledSignatureUpdateOnBattery"=dword:00000001 216 | "UpdateOnStartUp"=dword:00000000 217 | "SignatureUpdateCatchupInterval"=dword:00000002 218 | "DisableUpdateOnStartupWithoutEngine"=dword:00000001 219 | "ScheduleTime"=dword:00001440 220 | "DisableScanOnUpdate"=dword:00000001 221 | 222 | 223 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration] 224 | 
"SuppressRebootNotification"=dword:00000001 225 | 226 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access] 227 | "EnableControlledFolderAccess"=dword:00000000 228 | 229 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection] 230 | "EnableNetworkProtection"=dword:00000000 231 | 232 | [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender] 233 | "DisableRoutinelyTakingAction"=dword:00000001 234 | 235 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware] 236 | "ServiceKeepAlive"=dword:00000000 237 | "AllowFastServiceStartup"=dword:00000000 238 | "DisableRoutinelyTakingAction"=dword:00000001 239 | "DisableAntiSpyware"=dword:00000001 240 | "DisableAntiVirus"=dword:00000001 241 | 242 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting] 243 | "DisableEnhancedNotifications"=dword:00000001 244 | "DisableGenericRePorts"=dword:00000001 245 | "WppTracingLevel"=dword:00000000 246 | "WppTracingComponents"=dword:00000000 247 | 248 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy] 249 | "VerifiedAndReputablePolicyState"=dword:00000000 250 | ; File: E:\Projects\Development\GitHub Repos\Listed Repos\windows-defender-remover\Remove_defender_moduled\NomoreDelayandTimeouts.reg 251 | 252 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] 253 | "VerboseStatus"=dword:00000000 254 | 255 | [HKEY_CURRENT_USER\Control Panel\Desktop] 256 | "AutoEndTasks"="1" 257 | "MenuShowDelay"="1" 258 | "ForegroundLockTimeout"=dword:00000000 259 | "WaitToKillAppTimeout"="1" 260 | "WaitToKillServiceTimeout"=dword:00000001 261 | "HungAppTimeout"="1000" 262 | 263 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control] 264 | "WaitToKillServiceTimeout"="1" 265 | "DisableRemoteScmEndpoints"=dword:00000000 266 | 267 | 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] 268 | "ThumbnailLivePreviewHoverTime"=dword:00000001 269 | 270 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] 271 | 272 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] 273 | 274 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] 275 | 276 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] 277 | 278 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] 279 | 280 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] 281 | 282 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] 283 | 284 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] 285 | 286 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] 287 | 288 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] 289 | 290 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] 291 | 292 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] 293 | 294 | [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] 295 | 296 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] 297 | 298 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] 299 | 300 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] 301 | 302 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] 303 | 304 | 
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] 305 | 306 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] 307 | 308 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] 309 | 310 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] 311 | 312 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] 313 | 314 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] 315 | 316 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] 317 | 318 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] 319 | 320 | [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] 321 | 322 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] 323 | 324 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] 325 | 326 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] 327 | 328 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] 329 | 330 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] 331 | 332 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] 333 | 334 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] 335 | 336 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] 337 | 338 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] 339 | 340 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] 341 | 342 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] 343 | 344 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] 345 | 346 | 
[-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] 347 | 348 | [-HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] 349 | 350 | [-HKEY_CLASSES_ROOT\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] 351 | 352 | [-HKEY_CLASSES_ROOT\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] 353 | 354 | [-HKEY_CLASSES_ROOT\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] 355 | 356 | [-HKEY_CLASSES_ROOT\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] 357 | 358 | [-HKEY_CLASSES_ROOT\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] 359 | 360 | [-HKEY_CLASSES_ROOT\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] 361 | 362 | [-HKEY_CLASSES_ROOT\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] 363 | 364 | [-HKEY_CLASSES_ROOT\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] 365 | 366 | [-HKEY_CLASSES_ROOT\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] 367 | 368 | [-HKEY_CLASSES_ROOT\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] 369 | 370 | [-HKEY_CLASSES_ROOT\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] 371 | 372 | [-HKEY_CLASSES_ROOT\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] 373 | 374 | ; Defender Loggers 375 | 376 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger] 377 | 378 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger] 379 | ; File: E:\Projects\Development\GitHub Repos\Listed Repos\windows-defender-remover\Remove_defender_moduled\RemoveDefenderTasks.reg 380 | 381 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0ACC9108-2000-46C0-8407-5FD9F89521E8}] 382 | 383 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D77BCC8-1D07-42D0-8C89-3A98674DFB6F}] 384 | 385 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4A9233DB-A7D3-45D6-B476-8C7D8DF73EB5}] 386 | 387 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Schedule\TaskCache\Tasks\{B05F34EE-83F2-413D-BC1D-7D5BD6E98300}] 388 | ; File: E:\Projects\Development\GitHub Repos\Listed Repos\windows-defender-remover\Remove_defender_moduled\RemoverofDefenderContextMenu.reg 389 | 390 | [-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}] 391 | 392 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}] 393 | 394 | ; Remove "Scan with Defender" Context Menu 395 | 396 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender] 397 | 398 | [-HKEY_CLASSES_ROOT\Folder\shell\WindowsDefender] 399 | 400 | [-HKEY_CLASSES_ROOT\DesktopBackground\Shell\WindowsSecurity] 401 | 402 | [-HKEY_CLASSES_ROOT\Folder\shell\WindowsDefender\Command] 403 | ; File: E:\Projects\Development\GitHub Repos\Listed Repos\windows-defender-remover\Remove_defender_moduled\RemoveServices.reg 404 | 405 | ; Remove Defender and Windows Security Services 406 | 407 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecCore] 408 | 409 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc] 410 | 411 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv] 412 | 413 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc] 414 | 415 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter] 416 | 417 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot] 418 | 419 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService] 420 | 421 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmAgent] 422 | 423 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmBroker] 424 | 425 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend] 426 | 427 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection] 428 | 
"DisallowExploitProtectionOverride"=dword:00000001 429 | 430 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecFlt] 431 | 432 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecWfp] 433 | ; File: E:\Projects\Development\GitHub Repos\Listed Repos\windows-defender-remover\Remove_defender_moduled\RemoveShellAssociation.reg 434 | 435 | [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend] 436 | 437 | [-HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\windowsdefender] 438 | 439 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender] 440 | 441 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender] 442 | 443 | [-HKEY_CLASSES_ROOT\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0] 444 | 445 | [-HKEY_CURRENT_USER\Software\Classes\ms-cxh] 446 | 447 | [-HKEY_CLASSES_ROOT\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri] 448 | 449 | [-HKEY_CLASSES_ROOT\WindowsDefender] 450 | 451 | [-HKEY_CURRENT_USER\Software\Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0] 452 | 453 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsDefender] 454 | 455 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Ubpm] 456 | "CriticalMaintenance_DefenderCleanup"=- 457 | "CriticalMaintenance_DefenderVerification"=- 458 | 459 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System] 460 | "WindowsDefender-1"=- 461 | "WindowsDefender-2"=- 462 | "WindowsDefender-3"=- 463 | ; File: E:\Projects\Development\GitHub Repos\Listed Repos\windows-defender-remover\Remove_defender_moduled\RemoveSignatureUpdates.reg 464 | 465 | ; this file disables Signature Updates in Windows Defender 466 | 467 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates] 468 | "SignatureDisableNotification"=dword:00000001 469 | "RealtimeSignatureDelivery"=dword:00000000 470 | 
"ForceUpdateFromMU"=dword:00000000 471 | "DisableScheduledSignatureUpdateOnBattery"=dword:00000001 472 | "UpdateOnStartUp"=dword:00000000 473 | "SignatureUpdateCatchupInterval"=dword:00000002 474 | "DisableUpdateOnStartupWithoutEngine"=dword:00000001 475 | "ScheduleTime"=dword:00001440 476 | "DisableScanOnUpdate"=dword:00000001 477 | 478 | 479 | [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 480 | "Windows Defender"=- 481 | "SecurityHealth"=- 482 | 483 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run] 484 | "Windows Defender"=- 485 | "SecurityHealth"=- 486 | 487 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 488 | "WindowsDefender"=- 489 | "SecurityHealth"=- 490 | 491 | [-HKEY_CLASSES_ROOT\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] 492 | 493 | [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] 494 | 495 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] 496 | 497 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] 498 | 499 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Service.UserSessionServiceManager] 500 | 501 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatExperienceManager.ThreatExperienceManager] 502 | 503 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatResponseEngine.ThreatDecisionEngine] 504 | 505 | [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Configuration.WTDUserSettings] 506 | 507 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] 508 | "SettingsPageVisibility"="hide:windowsdefender;" 509 | 
-------------------------------------------------------------------------------- /defender_remover13.ps1: -------------------------------------------------------------------------------- 1 | $defenderremoverver = "12.8.2" 2 | 3 | # Arguments Section 4 | if ($args[0] -eq "y" -or $args[0] -eq "Y") { 5 | Remove-Defender 6 | } elseif ($args[0] -eq "a" -or $args[0] -eq "A") { 7 | Remove-Antivirus 8 | } elseif ($args[0] -eq "S" -or $args[0] -eq "s") { 9 | Disable-Mitigation 10 | } else { 11 | Clear-Host 12 | Write-Host "------ Defender Remover Script , version $defenderremoverver ------" 13 | Write-Host "Select an option:`n" 14 | Write-Host "Do you want to remove Windows Defender and alongside components? After this, you'll need to reboot." 15 | Write-Host "If your PC has a Microsoft Pluton Chip, you can disable it from BIOS anytime. (This script removes the integration of Pluton Chip Support and Processing from Windows.)" 16 | Write-Host "After confirmation of Removal, your Device will RESTART!!" 17 | Write-Host "A backup and/or System Restore point is recommended." 
Write-Host "[Y] Remove Windows Defender Antivirus + Disable All Security Mitigations"
Write-Host "[A] Remove Windows Defender only, but keep UAC Enabled"
Write-Host "[S] Disable All Security Mitigations"
$choice = Read-Host "Choose an option"

if ($choice -eq "Y" -or $choice -eq "y") {
    Remove-Defender
} elseif ($choice -eq "A" -or $choice -eq "a") {
    Remove-Antivirus
}

} elseif ($choice -eq "S" -or $choice -eq "s") {
    Disable-Mitigation
}


# RunAsTI -- starts $cmd (with $arg) from a PowerShell process that was created
# with a privileged process as its parent. This is the privilege boundary of the
# whole script: whatever is passed as $cmd runs in that context.
#
# Arguments: $cmd - program to start (the payload falls back to 'control')
#            $arg - argument string  (the payload falls back to 'admintools')
#
# What the visible code does:
#   * Serialises $cmd/$arg/$id/$key plus the here-string payload into a value named
#     'RunAsTI' (-type 7) under HKU\<current user SID>\Volatile Environment, then
#     starts PowerShell with -verb runas; that instance reads the value back into
#     $env:R and runs it with iex.
#   * The payload tests `whoami /groups` for '*1-16-16384*' (the System integrity
#     level SID suffix). When absent it runs `sc.exe start` for TrustedInstaller,
#     lsass and winlogon in turn, takes the first process found, and calls
#     CreateProcess with a startup attribute of 131072 (0x20000, which matches
#     PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) carrying that process handle.
#   * Once in that context it clears $env:R, removes the registry value, enables
#     SeSecurity/SeTakeOwnership/SeBackup/SeRestore privileges, rewrites
#     SymbolicLinkValue on HKU\S-1-5-18 to point at the calling user's hive, sets
#     'RunAs' on an AppID key, starts $cmd and waits, then writes '.Default' and
#     'Interactive User' back.
#   * Type and method names are split with backticks ("Defin`eType"), so detections
#     keyed on those literal strings will not match this text.
#
# Review notes (defensive):
#   * The elevated instance executes whatever the user-writable 'RunAsTI' value
#     holds when it is read, so that value is part of the trust boundary.
#   * Artefacts to look for: the 'RunAsTI' value under Volatile Environment;
#     `sc.exe start TrustedInstaller`; powershell.exe started with
#     `-win 1 -nop -c iex $env:R` whose parent is TrustedInstaller.exe, lsass.exe or
#     winlogon.exe. The parent-process step corresponds to MITRE ATT&CK T1134.004.
function RunAsTI ($cmd,$arg) { $id='RunAsTI'; $key="Registry::HKU\$(((whoami /user)-split' ')[-1])\Volatile Environment"; $code=@'
$I=[int32]; $M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal"); $P=$I.module.gettype("System.Int`Ptr"); $S=[string]
$D=@(); $T=@(); $DM=[AppDomain]::CurrentDomain."DefineDynami`cAssembly"(1,1)."DefineDynami`cModule"(1); $Z=[uintptr]::size
0..5|% {$D += $DM."Defin`eType"("AveYo_$_",1179913,[ValueType])}; $D += [uintptr]; 4..6|% {$D += $D[$_]."MakeByR`efType"()}
$F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)
0..2|% {$9=$D[0]."DefinePInvok`eMethod"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
$DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k]."Defin`eField"('f' + $n++, $_, 6)}}; 0..5|% {$T += $D[$_]."Creat`eType"()}
0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0]."G`etMethod"($1).invoke(0,$2)}
$TI=(whoami /groups)-like'*1-16-16384*'; $As=0; if(!$cmd) {$cmd='control';$arg='admintools'}; if ($cmd-eq'This PC'){$cmd='file:'}
if (!$TI) {'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}
function M ($1,$2,$3) {$M."G`etMethod"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M "AllocHG`lobal" $I $_}
M "WriteInt`Ptr" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1
$A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)
$Run=@($null, "powershell -win 1 -nop -c iex `$env:R; # $id", 0, 0, 0, 0x0E080600, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))
F 'CreateProcess' $Run; return}; $env:R=''; rp $key $id -force; $priv=[diagnostics.process]."GetM`ember"('SetPrivilege',42)[0]
'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$priv.Invoke($null, @("$_",2))}
$HKU=[uintptr][uint32]2147483651; $NT='S-1-5-18'; $reg=($HKU,$NT,8,2,($HKU -as $D[9])); F 'RegOpenKeyEx' $reg; $LNK=$reg[4]
function L ($1,$2,$3) {sp 'HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' 'RunAs' $3 -force -ea 0
$b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}
function Q {[int](gwmi win32_process -filter 'name="explorer.exe"'|?{$_.getownersid().sid-eq$NT}|select -last 1).ProcessId}
$11bug=($((gwmi Win32_OperatingSystem).BuildNumber)-eq'22000')-AND(($cmd-eq'file:')-OR(test-path -lit $cmd -PathType Container))
if ($11bug) {'System.Windows.Forms','Microsoft.VisualBasic' |% {[Reflection.Assembly]::LoadWithPartialName("'$_")}}
if ($11bug) {$path='^(l)'+$($cmd -replace '([\+\^\%\~\(\)\[\]])','{$1}')+'{ENTER}'; $cmd='control.exe'; $arg='admintools'}
L ($key-split'\\')[1] $LNK ''; $R=[diagnostics.process]::start($cmd,$arg); if ($R) {$R.PriorityClass='High'; $R.WaitForExit()}
if ($11bug) {$w=0; do {if($w-gt40){break}; sleep -mi 250;$w++} until (Q); [Microsoft.VisualBasic.Interaction]::AppActivate($(Q))}
if ($11bug) {[Windows.Forms.SendKeys]::SendWait($path)}; do {sleep 7} while(Q); L '.Default' $LNK 'Interactive User'
'@; $V='';'cmd','arg','id','key'|%{$V+="`n`$$_='$($(gv $_ -val)-replace"'","''")';"}; sp $key $id $($V,$code) -type 7 -force -ea 0
start powershell -args "-win 1 -nop -c `n$V `$env:R=(gi `$key -ea 0).getvalue(`$id)-join''; iex `$env:R" -verb runas
}

function Remove-AppxPackages {
    param (
        [string[]]$RemoveAppx = @("SecHealthUI"),
        [string[]]$Skip = @(),
        [string[]]$Users = @('S-1-5-18')
    )

    $Provisioned = Get-AppxProvisionedPackage -Online
    $AppxPackage = Get-AppxPackage -AllUsers
    $Eol = @()
    $Store = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore'
    if (Test-Path $Store) {
        $Users += $((Dir $Store -Ea 0 | Where-Object { $_ -like '*S-1-5-21*' }).PSChildName)
    }
    foreach ($Choice in $RemoveAppx) {
        if ('' -eq $Choice.Trim()) { continue }
        choice
        foreach ($Appx in $Provisioned | Where-Object { $_.PackageName -like "*$Choice*" }) {
            $Next = $true
            foreach ($No in $Skip) {
                if ($Appx.PackageName -like "*$No*") { $Next = $false }
            }
            if (-not $Next) { continue }
            $PackageName = $Appx.PackageName
            $PackageFamilyName = ($AppxPackage | Where-Object { $_.Name -eq $Appx.DisplayName }).PackageFamilyName
            New-Item "$Store\Deprovisioned\$PackageFamilyName" -Force | Out-Null
            $PackageFamilyName
            foreach ($Sid in $Users) {
                New-Item "$Store\EndOfLife\$Sid\$PackageName" -Force | Out-Null
            }
            $Eol += $PackageName
            dism /Online /Set-NonRemovableAppPolicy /PackageFamily:$PackageFamilyName /NonRemovable:0 | Out-Null
            Remove-AppxProvisionedPackage -PackageName $PackageName -Online -AllUsers | Out-Null
        }
        foreach ($Appx in $AppxPackage | Where-Object { $_.PackageFullName -like "*$Choice*" }) {
            $Next = $true
            foreach ($No in $Skip) {
                if ($Appx.PackageFullName -like "*$No*") { $Next = $false }
            }
            if (-not $Next) { continue }
105 | 106 | $PackageFullName = $Appx.PackageFullName 107 | New-Item "$Store\Deprovisioned\$Appx.PackageFamilyName" -Force | Out-Null 108 | $PackageFullName 109 | foreach ($Sid in $Users) { 110 | New-Item "$Store\EndOfLife\$Sid\$PackageFullName" -Force | Out-Null 111 | } 112 | $Eol += $PackageFullName 113 | dism /Online /Set-NonRemovableAppPolicy /PackageFamily:$PackageFamilyName /NonRemovable:0 | Out-Null 114 | Remove-AppxPackage -Package $PackageFullName -AllUsers | Out-Null 115 | } 116 | } 117 | return $Eol 118 | } 119 | 120 | function Set-WindowsDefenderPolicies { 121 | Write-Host "Applying Windows Defender policy changes..." -ForegroundColor Cyan 122 | 123 | # Helper to create key if missing 124 | function Ensure-Key { 125 | param ([string]$Path) 126 | if (-not (Test-Path $Path)) { 127 | New-Item -Path $Path -Force | Out-Null 128 | } 129 | } 130 | 131 | # Set registry values 132 | $settings = @{ 133 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" = @{"value"=0} 134 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" = @{ 135 | "PUAProtection"=0; "DisableRoutinelyTakingAction"=1; "ServiceKeepAlive"=0; 136 | "AllowFastServiceStartup"=0; "DisableLocalAdminMerge"=1; "DisableAntiSpyware"=1; 137 | "RandomizeScheduleTaskTimes"=0 138 | } 139 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowArchiveScanning" = @{"value"=0} 140 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring" = @{"value"=0} 141 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowCloudProtection" = @{"value"=0} 142 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowEmailScanning" = @{"value"=0} 143 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanOnMappedNetworkDrives" = @{"value"=0} 144 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanRemovableDriveScanning" = @{"value"=0} 145 | 
"HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIntrusionPreventionSystem" = @{"value"=0} 146 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowOnAccessProtection" = @{"value"=0} 147 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowRealtimeMonitoring" = @{"value"=0} 148 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScanningNetworkFiles" = @{"value"=0} 149 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScriptScanning" = @{"value"=1} 150 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowUserUIAccess" = @{"value"=0} 151 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AvgCPULoadFactor" = @{"value"=50} 152 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\CheckForSignaturesBeforeRunningScan" = @{"value"=0} 153 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\CloudBlockLevel" = @{"value"=0} 154 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\CloudExtendedTimeout" = @{"value"=0} 155 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\DaysToRetainCleanedMalware" = @{"value"=0} 156 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupFullScan" = @{"value"=1} 157 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupQuickScan" = @{"value"=1} 158 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableControlledFolderAccess" = @{"value"=0} 159 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableLowCPUPriority" = @{"value"=1} 160 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableNetworkProtection" = @{"value"=0} 161 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\PUAProtection" = @{"value"=0} 162 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\RealTimeScanDirection" = @{"value"=0} 163 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScanParameter" = @{"value"=2} 164 | 
"HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanDay" = @{"value"=0} 165 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanTime" = @{"value"=0} 166 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\SignatureUpdateInterval" = @{"value"=24} 167 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\SubmitSamplesConsent" = @{"value"=0} 168 | 169 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" = @{"DisableAutoExclusions"=1} 170 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" = @{ 171 | "MpEnablePus"=0; "MpCloudBlockLevel"=0; "MpBafsExtendedTimeout"=0; "EnableFileHashComputation"=0 172 | } 173 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" = @{ 174 | "ThrottleDetectionEventsRate"=0; "DisableSignatureRetirement"=1; "DisableProtocolRecognition"=1 175 | } 176 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" = @{"DisableScanningNetworkFiles"=1} 177 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" = @{ 178 | "DisableRealtimeMonitoring"=1; "DisableBehaviorMonitoring"=1; "DisableOnAccessProtection"=1; 179 | "DisableScanOnRealtimeEnable"=1; "DisableIOAVProtection"=1; "RealtimeScanDirection"=2; 180 | "IOAVMaxSize"=1298; "DisableInformationProtectionControl"=1; "DisableIntrusionPreventionSystem"=1; 181 | "DisableRawWriteNotification"=1 182 | } 183 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" = @{ 184 | "LowCpuPriority"=1; "DisableRestorePoint"=1; "DisableArchiveScanning"=0; 185 | "DisableScanningNetworkFiles"=0; "DisableCatchupFullScan"=0; "DisableCatchupQuickScan"=1; 186 | "DisableEmailScanning"=0; "DisableHeuristics"=1; "DisableReparsePointScanning"=1 187 | } 188 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" = @{ 189 | "SignatureDisableNotification"=1; "RealtimeSignatureDelivery"=0; "ForceUpdateFromMU"=0; 190 | "DisableScheduledSignatureUpdateOnBattery"=1; "UpdateOnStartUp"=0; 
191 | "SignatureUpdateCatchupInterval"=2; "DisableUpdateOnStartupWithoutEngine"=1; 192 | "ScheduleTime"=5184; "DisableScanOnUpdate"=1 193 | } 194 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" = @{ 195 | "DisableBlockAtFirstSeen"=1; "LocalSettingOverrideSpynetReporting"=0; 196 | "SpynetReporting"=0; "SubmitSamplesConsent"=2 197 | } 198 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" = @{"SuppressRebootNotification"=1} 199 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" = @{"EnableControlledFolderAccess"=0} 200 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" = @{"EnableNetworkProtection"=0} 201 | "HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender" = @{"DisableRoutinelyTakingAction"=1} 202 | "HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware" = @{ 203 | "ServiceKeepAlive"=0; "AllowFastServiceStartup"=0; "DisableRoutinelyTakingAction"=1; 204 | "DisableAntiSpyware"=1; "DisableAntiVirus"=1 205 | } 206 | "HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet" = @{ 207 | "SpyNetReporting"=0; "LocalSettingOverrideSpyNetReporting"=0 208 | } 209 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" = @{ 210 | "DisableEnhancedNotifications"=1; "DisableGenericRePorts"=1; "WppTracingLevel"=0; "WppTracingComponents"=0 211 | } 212 | "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy" = @{"VerifiedAndReputablePolicyState"=0} 213 | } 214 | 215 | foreach ($path in $settings.Keys) { 216 | Ensure-Key -Path $path 217 | foreach ($name in $settings[$path].Keys) { 218 | $value = $settings[$path][$name] 219 | Set-ItemProperty -Path $path -Name $name -Value $value -Type DWord -Force 220 | } 221 | } 222 | 223 | Write-Host "All Defender policies have been updated." 
-ForegroundColor Green
}

# Disable-WindowsSecurityNotifications -- writes DWORD registry values that turn
# off Windows Security / Defender notification surfaces.
#
# Effects visible in this function:
#   * Sets "value"=1 on three PolicyManager WindowsDefenderSecurityCenter nodes,
#     DisableEnhancedNotifications / DisableNotifications = 1 under the Security
#     Center Notifications policy key, and Enabled=0 on the current user's
#     Windows.SystemToast.SecurityAndMaintenance toast setting. Missing keys are
#     created first.
#   * Deletes HKLM:\SOFTWARE\Microsoft\Security Center recursively, recreates it
#     empty, then writes FirstRunDisabled, AntiVirusOverride and FirewallOverride = 1.
#
# Security impact: going by the value names, the desktop stops reporting that
# protection is off, so monitoring cannot rely on user-visible alerts. The registry
# writes themselves are the observable signal (e.g. registry auditing or Sysmon
# registry events on the paths listed below).
function Disable-WindowsSecurityNotifications {
    Write-Host "Disabling Windows Security and Defender notifications..." -ForegroundColor Cyan

    # Set Registry values
    $registryChanges = @(
        @{ Path = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableEnhancedNotifications"; Name = "value"; Value = 1 },
        @{ Path = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableNotifications"; Name = "value"; Value = 1 },
        @{ Path = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\HideWindowsSecurityNotificationAreaControl"; Name = "value"; Value = 1 },
        @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications"; Name = "DisableEnhancedNotifications"; Value = 1 },
        @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications"; Name = "DisableNotifications"; Value = 1 },
        @{ Path = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance"; Name = "Enabled"; Value = 0 }
    )

    foreach ($change in $registryChanges) {
        # Create the key when absent so the value write below has a target
        if (-not (Test-Path $change.Path)) {
            New-Item -Path $change.Path -Force | Out-Null
        }
        New-ItemProperty -Path $change.Path -Name $change.Name -Value $change.Value -PropertyType DWORD -Force | Out-Null
    }

    # Delete and recreate HKLM:\SOFTWARE\Microsoft\Security Center
    # (any existing values and subkeys under it are discarded, not backed up)
    $securityCenterKey = "HKLM:\SOFTWARE\Microsoft\Security Center"
    if (Test-Path $securityCenterKey) {
        Remove-Item -Path $securityCenterKey -Recurse -Force
        Start-Sleep -Milliseconds 500
    }
    New-Item -Path $securityCenterKey -Force | Out-Null
    New-ItemProperty -Path $securityCenterKey -Name "FirstRunDisabled" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $securityCenterKey -Name "AntiVirusOverride" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $securityCenterKey -Name "FirewallOverride" -Value 1 -PropertyType DWORD -Force | Out-Null

    Write-Host "All changes applied successfully." -ForegroundColor Green
}

# Remove-WindowsDefenderTraces -- deletes a fixed list of Defender-related registry
# keys and values and prints the outcome of each step.
#
#   * Keys: every path in $keysToDelete is removed recursively when Test-Path finds
#     it; a failure is reported with Write-Warning and the loop continues.
#   * Values: the two CriticalMaintenance_Defender* values under Control\Ubpm and
#     the WindowsDefender-1..3 values under the firewall
#     RestrictedServices\Static\System key are removed when present.
#
# The key and value list matches the RemoveShellAssociation.reg entries shown
# earlier on this page. The first entry is the WinDefend service key, so this is a
# removal of the service definition rather than a setting that can be toggled
# back; nothing here records the previous state.
function Remove-WindowsDefenderTraces {
    Write-Host "Removing Windows Defender traces from registry..." -ForegroundColor Cyan

    # List of registry keys to delete
    $keysToDelete = @(
        "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend",
        "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\windowsdefender",
        "HKLM:\SOFTWARE\Classes\AppUserModelId\Windows.Defender",
        "HKLM:\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender",
        "HKCR:\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0",
        "HKCU:\Software\Classes\ms-cxh",
        "HKCR:\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri",
        "HKCR:\WindowsDefender",
        "HKCU:\Software\Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0",
        "HKLM:\SOFTWARE\Classes\WindowsDefender"
    )

    foreach ($key in $keysToDelete) {
        if (Test-Path $key) {
            try {
                Remove-Item -Path $key -Recurse -Force
                Write-Host "Deleted: $key" -ForegroundColor Green
            } catch {
                Write-Warning "Failed to delete: $key. $_"
            }
        } else {
            Write-Host "Key not found: $key" -ForegroundColor Yellow
        }
    }

    # Remove specific values inside HKLM:\SYSTEM\CurrentControlSet\Control\Ubpm
    $ubpmKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Ubpm"
    $ubpmValues = @("CriticalMaintenance_DefenderCleanup", "CriticalMaintenance_DefenderVerification")

    foreach ($val in $ubpmValues) {
        # Absent values are skipped silently (no "not found" message on this path)
        if (Get-ItemProperty -Path $ubpmKey -Name $val -ErrorAction SilentlyContinue) {
            try {
                Remove-ItemProperty -Path $ubpmKey -Name $val -Force
                Write-Host "Deleted value: $val from Ubpm" -ForegroundColor Green
            } catch {
                Write-Warning "Failed to delete value $val from Ubpm. $_"
            }
        }
    }

    # Remove specific values inside FirewallPolicy\RestrictedServices\Static\System
    $firewallKey = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System"
    $firewallValues = @("WindowsDefender-1", "WindowsDefender-2", "WindowsDefender-3")

    foreach ($val in $firewallValues) {
        if (Get-ItemProperty -Path $firewallKey -Name $val -ErrorAction SilentlyContinue) {
            try {
                Remove-ItemProperty -Path $firewallKey -Name $val -Force
                Write-Host "Deleted firewall value: $val" -ForegroundColor Green
            } catch {
                Write-Warning "Failed to delete firewall value $val. $_"
            }
        }
    }

    Write-Host "Windows Defender traces removal completed."
-ForegroundColor Cyan
}

# Set-DefenderSettings -- applies a fixed table of registry changes that switch
# Defender protection features off through policy keys.
#
# Each table entry is either:
#   * Remove = $true : the key is deleted recursively with errors suppressed; the
#     "Removed registry key" line is printed whether or not the delete succeeded.
#   * otherwise      : every name/value pair in Values is written with
#     Set-ItemProperty -Force and echoed to the console.
#
# Effects visible in the table: signature-update policy values, two scheduled-task
# cache keys removed, the Settings page hidden via "hide:windowsdefender;", the
# Real-Time Protection Disable* values set to 1 with LocalSettingOverride* set
# to 0, and PolicyManager AllowBehaviorMonitoring set to 0.
#
# Review notes (defensive): these are the policy paths worth auditing for
# unexpected writes. Defender's own operational log records configuration changes
# (event 5007) and real-time protection being turned off (event 5001) -- confirm
# both are collected. On hosts with Tamper Protection enabled, policy-key changes
# of this kind are expected to be blocked or ignored; verify per build.
# Maps to MITRE ATT&CK T1562.001.
function Set-DefenderSettings {
    # Registry keys to disable Windows Defender and related settings
    $registryEntries = @(
        @{
            Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates"
            Values = @{
                "SignatureDisableNotification" = 1
                "RealtimeSignatureDelivery" = 0
                "ForceUpdateFromMU" = 0
                "DisableScheduledSignatureUpdateOnBattery" = 1
                "UpdateOnStartUp" = 0
                "SignatureUpdateCatchupInterval" = 2
                "DisableUpdateOnStartupWithoutEngine" = 1
                "ScheduleTime" = 51840 # NOTE(review): not 14 hours in minutes (14 h = 840); the .reg file on this page uses dword:00001440 (5184 decimal) and Set-WindowsDefenderPolicies uses 5184 -- confirm the intended value
                "DisableScanOnUpdate" = 1
            }
        },
        @{
            Key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0ACC9108-2000-46C0-8407-5FD9F89521E8}"
            Values = @{}
            Remove = $true
        },
        @{
            Key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D77BCC8-1D07-42D0-8C89-3A98674DFB6F}"
            Values = @{}
            Remove = $true
        },
        @{
            Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
            Values = @{
                "SettingsPageVisibility" = "hide:windowsdefender;"
            }
        },
        # More entries can be added here for each registry key you provided...

        # Defender policy keys (the entries below are policy paths, not service keys)
        @{
            Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
            Values = @{
                "DisableRoutinelyTakingAction" = 1
                "ServiceKeepAlive" = 0
                "AllowFastServiceStartup" = 0
                "DisableLocalAdminMerge" = 1
            }
        },
        @{
            Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
            Values = @{
                "LocalSettingOverrideDisableOnAccessProtection" = 0
                "LocalSettingOverrideRealtimeScanDirection" = 0
                "LocalSettingOverrideDisableIOAVProtection" = 0
                "LocalSettingOverrideDisableBehaviorMonitoring" = 0
                "LocalSettingOverrideDisableIntrusionPreventionSystem" = 0
                "LocalSettingOverrideDisableRealtimeMonitoring" = 0
                "DisableIOAVProtection" = 1
                "DisableRealtimeMonitoring" = 1
                "DisableBehaviorMonitoring" = 1
                "DisableOnAccessProtection" = 1
                "DisableScanOnRealtimeEnable" = 1
                "RealtimeScanDirection" = 2
                "DisableInformationProtectionControl" = 1
                "DisableIntrusionPreventionSystem" = 1
                "DisableRawWriteNotification" = 1
            }
        },
        @{
            Key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring"
            Values = @{
                "value" = 0
            }
        },
        @{
            Key = "HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender"
            Values = @{
                "DisableRoutinelyTakingAction" = 1
            }
        }
    )

    # Loop through the registry entries and apply changes
    foreach ($entry in $registryEntries) {
        if ($entry.Remove) {
            # Remove registry key if specified (errors are suppressed, so the
            # message below is not proof that the key was deleted)
            Remove-Item -Path $entry.Key -Recurse -Force -ErrorAction SilentlyContinue
            Write-Host "Removed registry key: $($entry.Key)"
        } else {
            # Set registry values
            foreach ($name in $entry.Values.Keys) {
                Set-ItemProperty -Path $entry.Key -Name $name -Value $entry.Values[$name] -Force
                Write-Host "Set $name to $($entry.Values[$name]) in $($entry.Key)"
            }
        }
    }
}

function Remove-Defenderq {
    Write-Host "Removing Defender-related registry keys and values..." -ForegroundColor Cyan

    # Registry KEYS to remove entirely
    $keys = @(
        # CLSID keys
        'HKCR:\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}',
        'HKCR:\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}',
        'HKLM:\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}',
        'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}',

        # WindowsRuntime classes
        'HKLM:\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Service.UserSessionServiceManager',
        'HKLM:\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatExperienceManager.ThreatExperienceManager',
        'HKLM:\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatResponseEngine.ThreatDecisionEngine',
        'HKLM:\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Configuration.WTDUserSettings',

        # Services
        'HKLM:\SYSTEM\CurrentControlSet\Services\MsSecCore',
        'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc',
        'HKLM:\SYSTEM\CurrentControlSet\Services\WdNisDrv',
        'HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc',
        'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter',
        'HKLM:\SYSTEM\CurrentControlSet\Services\WdBoot',
        'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService',
        'HKLM:\SYSTEM\CurrentControlSet\Services\SgrmAgent',
        'HKLM:\SYSTEM\CurrentControlSet\Services\SgrmBroker',
        'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend',
        'HKLM:\SYSTEM\CurrentControlSet\Services\MsSecFlt',
        'HKLM:\SYSTEM\CurrentControlSet\Services\MsSecWfp',

        # New additions (ShellServiceObjects)
'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}', 451 | 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}', 452 | 453 | # Context menu and Windows Defender keys 454 | 'HKLM:\SOFTWARE\Microsoft\Windows Defender', 455 | 'HKCR:\Folder\shell\WindowsDefender', 456 | 'HKCR:\DesktopBackground\Shell\WindowsSecurity', 457 | 'HKCR:\Folder\shell\WindowsDefender\Command' 458 | ) 459 | 460 | foreach ($key in $keys) { 461 | try { 462 | if (Test-Path $key) { 463 | Remove-Item -Path $key -Force -Recurse 464 | Write-Host "Deleted key: $key" -ForegroundColor Green 465 | } else { 466 | Write-Host "Key not found (already deleted?): $key" -ForegroundColor Yellow 467 | } 468 | } catch { 469 | Write-Host "Failed to delete key: $key. Error: $_" -ForegroundColor Red 470 | } 471 | } 472 | 473 | # Registry VALUES to remove 474 | $valuesToDelete = @( 475 | @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Names = @('Windows Defender', 'SecurityHealth') }, 476 | @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'; Names = @('Windows Defender', 'SecurityHealth') }, 477 | @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Names = @('WindowsDefender', 'SecurityHealth') } 478 | ) 479 | 480 | foreach ($entry in $valuesToDelete) { 481 | $path = $entry.Path 482 | $names = $entry.Names 483 | 484 | foreach ($name in $names) { 485 | try { 486 | if (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue) { 487 | Remove-ItemProperty -Path $path -Name $name -Force 488 | Write-Host "Deleted value '$name' from $path" -ForegroundColor Green 489 | } else { 490 | Write-Host "Value '$name' not found in $path" -ForegroundColor Yellow 491 | } 492 | } catch { 493 | Write-Host "Failed to delete value '$name' from $path. 
Error: $_" -ForegroundColor Red 494 | } 495 | } 496 | } 497 | 498 | # Registry VALUES to modify 499 | try { 500 | $targetPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection' 501 | if (-not (Test-Path $targetPath)) { 502 | New-Item -Path $targetPath -Force | Out-Null 503 | } 504 | Set-ItemProperty -Path $targetPath -Name 'DisallowExploitProtectionOverride' -Value 1 -Type DWord 505 | Write-Host "Set 'DisallowExploitProtectionOverride' to 1 at $targetPath" -ForegroundColor Green 506 | } catch { 507 | Write-Host "Failed to set value 'DisallowExploitProtectionOverride'. Error: $_" -ForegroundColor Red 508 | } 509 | 510 | Write-Host "Registry key and value removal complete." -ForegroundColor Cyan 511 | } 512 | 513 | function Disable-Mitigation { 514 | # Disable Hypervisor 515 | bcdedit /set hypervisorlaunchtype off 516 | 517 | # Disabling Security Mitigations 518 | Write-Host "Disabling Security Mitigations..." 519 | Get-ChildItem "$PSScriptRoot\Remove_SecurityComp" -Recurse -Filter *.reg | ForEach-Object { 520 | Start-Process "regedit.exe" -ArgumentList "/s $_.FullName" -Wait 521 | } 522 | 523 | # Reboot the system 524 | Write-Host "Your PC will reboot in 10 seconds..." 525 | Start-Sleep -Seconds 3 526 | Restart-Computer -Force 527 | } 528 | 529 | 530 | function Disable-WebThreatDefense { 531 | Write-Output "Disabling WebThreatDefense and related services..." 
532 | 533 | # Remove specific firewall rules 534 | Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" -Name "WebThreatDefSvc_Allow_In" -ErrorAction SilentlyContinue 535 | Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" -Name "WebThreatDefSvc_Allow_Out" -ErrorAction SilentlyContinue 536 | Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" -Name "WebThreatDefSvc_Block_In" -ErrorAction SilentlyContinue 537 | Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" -Name "WebThreatDefSvc_Block_Out" -ErrorAction SilentlyContinue 538 | 539 | # Remove Configurable firewall rules 540 | Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System" -Name "{2A5FE97D-01A4-4A9C-8241-BB3755B65EE0}" -ErrorAction SilentlyContinue 541 | Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System" -Name "72e33e44-dc4c-40c5-a688-a77b6e988c69" -ErrorAction SilentlyContinue 542 | Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System" -Name "b23879b5-1ef3-45b7-8933-554a4303d2f3" -ErrorAction SilentlyContinue 543 | 544 | # Delete entire services and registry paths 545 | $pathsToDelete = @( 546 | "HKLM:\SYSTEM\CurrentControlSet\Services\PlutonHsp2", 547 | "HKLM:\SYSTEM\CurrentControlSet\Services\PlutonHeci", 548 | "HKLM:\SYSTEM\CurrentControlSet\Services\Hsp", 549 | "HKLM:\SOFTWARE\Microsoft\WindowsRuntime\Server\WebThreatDefSvc", 550 | 
"HKLM:\SYSTEM\CurrentControlSet\Services\webthreatdefsvc", 551 | "HKLM:\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc", 552 | "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WebThreatDefense", 553 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense", 554 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS" 555 | ) 556 | 557 | foreach ($path in $pathsToDelete) { 558 | if (Test-Path $path) { 559 | Remove-Item -Path $path -Recurse -Force -ErrorAction SilentlyContinue 560 | Write-Output "Removed $path" 561 | } 562 | } 563 | 564 | # Remove value from Svchost 565 | try { 566 | Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" -Name "WebThreatDefense" -ErrorAction SilentlyContinue 567 | Write-Output "Removed WebThreatDefense from Svchost group." 568 | } catch { 569 | Write-Warning "Failed to remove WebThreatDefense value from Svchost." 570 | } 571 | 572 | # Set policy-related values to 0 573 | $policyPaths = @( 574 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\AuditMode", 575 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\NotifyUnsafeOrReusedPassword", 576 | "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\ServiceEnabled", 577 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" 578 | ) 579 | 580 | foreach ($path in $policyPaths) { 581 | if (-not (Test-Path $path)) { 582 | New-Item -Path (Split-Path $path) -Name (Split-Path $path -Leaf) -Force | Out-Null 583 | } 584 | } 585 | 586 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\AuditMode" -Name "value" -Value 0 -Force 587 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\NotifyUnsafeOrReusedPassword" -Name "value" -Value 0 -Force 588 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\ServiceEnabled" -Name "value" -Value 0 -Force 589 | Set-ItemProperty -Path 
"HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" -Name "NotifyPasswordReuse" -Value 0 -Force 590 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" -Name "NotifyMalicious" -Value 0 -Force 591 | 592 | Write-Output "WebThreatDefense successfully disabled." 593 | } 594 | 595 | 596 | function Disable-SmartScreen { 597 | Write-Host "Disabling SmartScreen settings..." 598 | 599 | # Disable SmartScreen for Microsoft Edge 600 | Set-ItemProperty -Path "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" -Name "EnabledV9" -Value 0 -Type DWord -Force 601 | Set-ItemProperty -Path "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" -Name "PreventOverride" -Value 0 -Type DWord -Force 602 | 603 | Set-ItemProperty -Path "HKCU:\Software\Microsoft\Edge" -Name "SmartScreenEnabled" -Value 0 -Type DWord -Force 604 | New-Item -Path "HKCU:\Software\Microsoft\Edge\SmartScreenEnabled" -Force | Out-Null 605 | Set-ItemProperty -Path "HKCU:\Software\Microsoft\Edge\SmartScreenEnabled" -Name "(default)" -Value 0 -Type DWord 606 | 607 | # Disable SmartScreen in File Explorer and Windows Shell 608 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" -Name "SmartScreenEnabled" -Value "off" -Type String -Force 609 | 610 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Force | Out-Null 611 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "EnableSmartScreen" -Value 0 -Type DWord -Force 612 | Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "ShellSmartScreenLevel" -ErrorAction SilentlyContinue 613 | 614 | # PolicyManager changes 615 | $policyPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default" 616 | New-Item 
-Path "$policyPath\Browser\AllowSmartScreen" -Force | Out-Null 617 | Set-ItemProperty -Path "$policyPath\Browser\AllowSmartScreen" -Name "value" -Value 0 -Type DWord -Force 618 | 619 | New-Item -Path "$policyPath\SmartScreen\EnableSmartScreenInShell" -Force | Out-Null 620 | Set-ItemProperty -Path "$policyPath\SmartScreen\EnableSmartScreenInShell" -Name "value" -Value 0 -Type DWord -Force 621 | 622 | New-Item -Path "$policyPath\SmartScreen\EnableAppInstallControl" -Force | Out-Null 623 | Set-ItemProperty -Path "$policyPath\SmartScreen\EnableAppInstallControl" -Name "value" -Value 0 -Type DWord -Force 624 | 625 | New-Item -Path "$policyPath\SmartScreen\PreventOverrideForFilesInShell" -Force | Out-Null 626 | Set-ItemProperty -Path "$policyPath\SmartScreen\PreventOverrideForFilesInShell" -Name "value" -Value 0 -Type DWord -Force 627 | 628 | # Disable SmartScreen for Microsoft Store Apps 629 | Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost" -Name "EnableWebContentEvaluation" -Value 0 -Type DWord -Force 630 | Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost" -Name "PreventOverride" -Value 0 -Type DWord -Force 631 | 632 | # Configure App Install Control 633 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" -Force | Out-Null 634 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" -Name "ConfigureAppInstallControlEnabled" -Value 1 -Type DWord -Force 635 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" -Name "ConfigureAppInstallControl" -Value "Anywhere" -Type String -Force 636 | 637 | Write-Host "SmartScreen has been disabled successfully." 638 | } 639 | 640 | 641 | function Disable-SystemMitigations { 642 | Write-Output "Disabling system mitigations and SmartScreen..." 
643 | 644 | # Helper function 645 | function Set-RegValue { 646 | param($Path, $Name, $Type, $Value) 647 | if (!(Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null } 648 | Set-ItemProperty -Path $Path -Name $Name -Type $Type -Value $Value -Force 649 | } 650 | 651 | function Remove-RegKey { 652 | param($Path) 653 | if (Test-Path $Path) { 654 | Remove-Item -Path $Path -Recurse -Force -ErrorAction SilentlyContinue 655 | } 656 | } 657 | 658 | # Disable Driver Blocklist 659 | Set-RegValue "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" "VulnerableDriverBlocklistEnable" DWord 0 660 | 661 | # Disable RunAsPPL 662 | Set-RegValue "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" "RunAsPPL" DWord 0 663 | Set-RegValue "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" "LsaConfigFlags" DWord 0 664 | Set-RegValue "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" "RunAsPPL" DWord 0 665 | Set-RegValue "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" "RunAsPPLBoot" DWord 0 666 | 667 | # UserPreference 668 | Set-RegValue "HKLM\SOFTWARE\Microsoft\WindowsMitigation" "UserPreference" DWord 2 669 | 670 | # Kernel mitigations 671 | Set-RegValue "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" "MitigationAuditOptions" Binary ([byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x22,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 672 | Set-RegValue "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" "MitigationOptions" Binary ([byte[]](0x00,0x22,0x22,0x20,0x22,0x20,0x22,0x22,0x20,0x00,0x00,0x00,0x00,0x20,0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 673 | Set-RegValue "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" "KernelSEHOPEnabled" DWord 0 674 | 675 | # Disable Spectre/Meltdown mitigations 676 | Set-RegValue "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" "FeatureSettings" DWord 1 677 | Set-RegValue "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" 
"FeatureSettingsOverride" DWord 3 678 | Set-RegValue "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" "FeatureSettingsOverrideMask" DWord 3 679 | 680 | # Disable svchost mitigation 681 | Set-RegValue "HKLM\SYSTEM\CurrentControlSet\Control\SCMConfig" "EnableSvchostMitigationPolicy" Binary ([byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 682 | 683 | # Windows Defender Features 684 | Set-RegValue "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" "MpPlatformKillbitsFromEngine" Binary ([byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 685 | Set-RegValue "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" "TamperProtectionSource" DWord 0 686 | Set-RegValue "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" "MpCapability" Binary ([byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) 687 | Set-RegValue "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" "TamperProtection" DWord 0 688 | 689 | # Exploit Guard 690 | Set-RegValue "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" "EnableControlledFolderAccess" DWord 0 691 | Remove-ItemProperty -Path "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" -Name "EnableNetworkProtection" -ErrorAction SilentlyContinue 692 | Set-RegValue "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" "ExploitGuard_ASR_Rules" DWord 0 693 | Set-RegValue "HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" "EnableASRConsumers" DWord 0 694 | 695 | # MpGears settings 696 | Set-RegValue "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" "HeartbeatTrackingIndex" DWord 0 697 | Set-RegValue "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" "SpyNetReportingLocation" String "0" 698 | 699 | # Fault Tolerant Heap 700 | Set-RegValue "HKLM\SOFTWARE\Microsoft\FTH" "Enabled" DWord 0 701 | Set-RegValue "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" 
"DisableAsyncScanOnOpen" Dword 1 702 | 703 | # Security Health reporting 704 | Remove-RegKey "HKLM\SOFTWARE\Microsoft\Windows Security Health" 705 | Remove-RegKey "HKCU\Software\Microsoft\Windows Security Health" 706 | Set-RegValue "HKCU\Software\Microsoft\Windows Security Health\State" "Disabled" DWord 1 707 | Set-RegValue "HKLM\SOFTWARE\Microsoft\Windows Security Health\Platform" "Registered" DWord 0 708 | 709 | # Remove specific CLSID keys 710 | $clsid = "{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}" 711 | $keysToDelete = @( 712 | "HKCR\CLSID\$clsid", 713 | "HKCR\WOW6432Node\CLSID\$clsid", 714 | "HKLM\SOFTWARE\Classes\CLSID\$clsid", 715 | "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\$clsid", 716 | "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\$clsid", 717 | "HKLM\SOFTWARE\WOW6432Node\Classes\CLSID\$clsid", 718 | "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\$clsid" 719 | ) 720 | 721 | foreach ($key in $keysToDelete) { 722 | Remove-RegKey $key 723 | } 724 | 725 | Write-Output "System mitigations disabled successfully." 726 | } 727 | 728 | 729 | function Remove-Defender { 730 | RunAsTI $args[0] $args[1..11] 731 | 732 | # Reboot the system 733 | Write-Host "Your PC will reboot in 10 seconds..." 734 | Start-Sleep -Seconds 3 735 | Restart-Computer -Force 736 | } 737 | 738 | 739 | function Remove-FilesAndFolders { 740 | Write-Output "Removing Windows Defender-related files and directories..." 
741 | 742 | # File patterns to delete 743 | $filesToDelete = @( 744 | "C:\Windows\WinSxS\FileMaps\wow64_windows-defender*.manifest", 745 | "C:\Windows\System32\*SecurityHealth*", 746 | "C:\Windows\System32\drivers\*Wd*", 747 | "C:\Windows\System32\smartscreen.dll", 748 | "C:\Windows\System32\wscsvc.dll", 749 | "C:\Windows\System32\wscproxystub.dll", 750 | "C:\Windows\SysWOW64\*smartscreen*", 751 | "C:\Windows\System32\drivers\msseccore.sys" 752 | ) 753 | 754 | foreach ($file in $filesToDelete) { 755 | Get-ChildItem -Path $file -Force -ErrorAction SilentlyContinue | Remove-Item -Force -Recurse -ErrorAction SilentlyContinue 756 | } 757 | 758 | # Directories to delete 759 | $dirsToDelete = @( 760 | "C:\ProgramData\Microsoft\Windows Defender", 761 | "C:\Program Files\Windows Defender", 762 | "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender", 763 | "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" 764 | ) 765 | 766 | foreach ($dir in $dirsToDelete) { 767 | if (Test-Path $dir) { 768 | Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue 769 | } 770 | } 771 | 772 | Write-Output "Removal of Defender components completed." 773 | } 774 | 775 | 776 | function Remove-Antivirus { 777 | # Disable Hypervisor 778 | bcdedit /set hypervisorlaunchtype off 779 | RunAsTI $args[0] $args[1..10] 780 | # Reboot the system 781 | Write-Host "Your PC will reboot in 10 seconds..." 782 | Start-Sleep -Seconds 3 783 | Restart-Computer -Force 784 | } 785 | 786 | 787 | write-host args: $args 788 | Set-WindowsDefenderPolicies 789 | Disable-WindowsSecurityNotifications 790 | Remove-WindowsDefenderTraces 791 | Set-DefenderSettings 792 | Remove-Defenderq 793 | Disable-WebThreatDefense 794 | Disable-Mitigation 795 | Disable-WebThreatDefense 796 | Disable-SmartScreen 797 | Remove-FilesAndFolders 798 | Disable-SystemMitigations 799 | --------------------------------------------------------------------------------