diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index 5b68d154..f5c78204 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml @@ -13608,7 +13608,7 @@ actions: deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Malicious Software Reporting Tool" diagnostic data - recommend: strict # Does not contribute to security + recommend: strict # No significant security gains docs: |- # refactor-with-variables: Same • Security/Privacy Trade-off Caution This script disables the diagnostic data sent by Microsoft's Malicious Software Removal Tool (MSRT) [1]. @@ -13633,7 +13633,7 @@ actions: deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Defender Watson event reporting - recommend: strict # Does not contribute to security + recommend: strict # No significant security gains docs: |- This script prevents Microsoft Defender from sending Watson events to Microsoft. 
@@ -13674,6 +13674,115 @@ actions: dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable Defender telemetry + recommend: strict # No significant security gains + docs: |- + This script disables telemetry collection by Defender, enhancing user privacy. + + By default, Microsoft collects telemetry data from Microsoft Defender Antivirus and other + Defender software [1]. + This data collection is referred to as 1DS telemetry [1]. + Microsoft's One Data Strategy (1DS) centralizes and collects telemetry from various + Microsoft services and tools [2]. + The strategy collects data from various Microsoft services and tools [2]. + The Microsoft Defender Core Service collects telemetry for Microsoft Defender Antivirus and + Microsoft Defender for Endpoint [1]. + + Disabling telemetry enhances privacy by reducing the data sent to Microsoft about your + system and Defender usage. + It may also boost performance by reducing resource usage for telemetry collection. + However, this action may limit Microsoft's ability to improve its antivirus service and address + issues using user data [1]. + + This script modifies following settings: + + - Using the Defender CLI to set the `DisableCoreService1DSTelemetry` preference [1]. + - Setting `HKLM\Software\Policies\Microsoft\Windows Defender\Features\DisableCoreService1DSTelemetry` [1] + registry key to disable telemetry collection via Group Policy Object (GPO) [1]. + - Setting `HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\DisableCoreService1DSTelemetry` + registry key. + This key directly controls the feature. + It exists by default in modern Windows versions but is not officially documented. 
+ + [1]: https://web.archive.org/web/20240728143438/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-core-service-overview "Microsoft Defender Core service overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240728143740/https://github.com/microsoft/cpp_client_telemetry/blob/main/README.md "microsoft/cpp_client_telemetry: 1DS C++ SDK | github.com" + call: + - + function: SetMpPreference + parameters: + # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' + property: DisableCoreService1DSTelemetry # Status: Get-MpPreference | Select-Object -Property DisableCoreService1DSTelemetry + value: "$False" # Set: Set-MpPreference -Force -DisableCoreService1DSTelemetry $False + default: "$True" # Default: 0 (Disabled) | Remove-MpPreference -Force -DisableCoreService1DSTelemetry | Set-MpPreference -DisableCoreService1DSTelemetry "$True" + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Features + valueName: DisableCoreService1DSTelemetry + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValueAsTrustedInstaller + # Without TrustedInstaller: + # - ❌ Fails with "ERROR: Access is denied." on Windows 11 Pro (>= 23H2) + # - ❌ Fails with "ERROR: Access is denied." 
on Windows 10 Pro (>= 22H2) + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService + valueName: DisableCoreService1DSTelemetry + dataType: REG_DWORD + data: '1' + dataOnRevert: '0' # 0 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable Defender experimentation and remote configurations + recommend: strict # No significant security gains + docs: |- # TODO: Docs revise, resaerch done + ECS: Microsoft Defender Core service configurations and experimentation (ECS) + https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-core-service-overview + https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-core-service-configurations-and-experimentation + + These experiments aNd remote configurations are executed through **Microsoft Defender Core Service**. + Microsoft Defender Core service is a component to help with the stability and performance of + **Microsoft Defender Antivirus** and **Microsoft Defender for Endpoint** [2]. + + This script configures: + + - `HKLM\Software\Policies\Microsoft\Windows Defender\Features!DisableCoreServiceECSIntegration` + registry key to set-up GPO [2]. + - Using the Defender CLI to set the `DisableCoreService1DSTelemetry` preference [2]. + - `HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService!DisableCoreServiceECSIntegration` + to control the feature. + This key exists by default on modern versions of Windows, but not officially documented. 
+ + [2]: https://web.archive.org/web/20240728143438/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-core-service-overview "Microsoft Defender Core service overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + - + function: SetMpPreference + parameters: + # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' + property: DisableCoreServiceECSIntegration # Status: Get-MpPreference | Select-Object -Property DisableCoreServiceECSIntegration + value: "$False" # Set: Set-MpPreference -Force -DisableCoreServiceECSIntegration $False + default: "$True" # Default: 0 (Disabled) | Remove-MpPreference -Force -DisableCoreServiceECSIntegration | Set-MpPreference -DisableCoreServiceECSIntegration "$True" + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Features + valueName: DisableCoreServiceECSIntegration + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValueAsTrustedInstaller + # Without TrustedInstaller: + # - ❌ Fails with "ERROR: Access is denied." on Windows 11 Pro (>= 23H2) + # - ❌ Fails with "ERROR: Access is denied." on Windows 10 Pro (>= 22H2) + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService + valueName: DisableCoreServiceECSIntegration # TODO: Undocumented I found my self + dataType: REG_DWORD + data: '1' + # TODO: dataOnRevert: '0' # 0 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Microsoft Defender firewall docs: |- 
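Review bot: In both new actions the `SetMpPreference` call is inverted relative to the registry settings in the same action: the `DisableCoreService1DSTelemetry` and `DisableCoreServiceECSIntegration` registry values are written as `1` to turn the feature off, but the cmdlet calls use `value: "$False"` and `default: "$True"`, so the preference path re-enables what the policy path disables. For a `Disable…` boolean preference the disabling value is `$True`; swap `value` and `default`, and drop the `# 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode'` comment, which describes a tri-state setting rather than these two switches. In the ECS action the docs say `Using the Defender CLI to set the `DisableCoreService1DSTelemetry` preference [2].` while the call sets `DisableCoreServiceECSIntegration`, and that docs block still carries `TODO: Docs revise, resaerch done`, two bare URLs, "aNd", a `[2]` citation with no `[1]`, and a `dataOnRevert` left commented out as a TODO even though the telemetry action ships `dataOnRevert: '0'` for the sibling `CoreService` value. In the telemetry docs the sentence `The strategy collects data from various Microsoft services and tools [2].` repeats the sentence before it.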
@@ -14566,7 +14675,7 @@ actions: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender valueName: ServiceKeepAlive dataType: REG_DWORD - data: '1' + data: '1' # TODO: Is this settin the opposito value?, yes it is, fix it https://github.com/undergroundwires/privacy.sexy/issues/393 deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # Too good to disable # category: Disable Microsoft Defender "Device Guard" and "Credential Guard" 
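Review bot: The trailing comment added to `data: '1'` concludes that the value is inverted (`Is this settin the opposito value?, yes it is, fix it`) yet the hunk leaves `'1'` in place, so the collection now ships a `ServiceKeepAlive` action that its own comment declares wrong. Either change the value in this change, since the comment already settles the question, or keep the TODO in the linked issue rather than in the shipped YAML; if a comment stays, fix the spelling (`setting`, `opposite`).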
@@ -16089,20 +16198,43 @@ actions: # 3. Try `DisableServiceInRegistryAsTrustedInstaller` as last effort. children: - - name: Disable "Microsoft Defender Antivirus Service" - # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender - # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: - # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` - # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` + name: Disable "Microsoft Defender Antivirus Service" (breaks `Set-MpPreference` cmdlet) docs: |- - https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ + This script disables the "Microsoft Defender Antivirus Service" and its associated process (`MsMpEng.exe`). - ### Overview of default service statuses + This service is known both as "Microsoft Defender Antivirus Service" [1] [2] and "Windows Defender Service" [2]. + It is the primary component of Microsoft Defender Antivirus [2], essential for its functionality [1] [3]. + It runs the `MsMpEng.exe` executable [4] [5]. + This executable is also known as "Microsoft Defender Antivirus service executable" [6] or "Antimalware Service Executable" [1]. + The executable is located at `%PROGRAMFILES%\Windows Defender` [4] [5] [6] on modern Windows versions + and at `%PROGRAMFILES%\Microsoft Security Client` on older versions [6]. + It is crucial for the functionality of Microsoft Defender for Endpoint [6]. - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | - | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + Disabling this service interrupts the `Set-MpPreference` PowerShell cmdlet. + This cmdlet configures preferences for Windows Defender scans and updates [7]. + Attempting to use this cmdlet after disabling the service results in an error. 
+ Here is an example: + + ``` + $ Set-MpPreference -Force -MAPSReporting 0 + + Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. + Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference. + ``` + + Disabling this service may optimize system performance by reducing resource usage. + + > **Caution:** Disabling this service: + > - May impair your ability to configure Defender scans and updates using PowerShell. + > - Decreases your security by affecting real-time malware protection. + + [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240609150337/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide "Microsoft Defender Antivirus on Windows Server - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240609145030/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide "Troubleshoot Microsoft Defender for Endpoint onboarding issues - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ "Microsoft Defender Antivirus Service - Windows 10 Service - batcmd.com | batcmd.com" + [5]: https://web.archive.org/web/20240609144111/https://batcmd.com/windows/11/services/windefend/ "Microsoft Defender Antivirus Service - Windows 11 Service - batcmd.com | batcmd.com" + [6]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - 
Proxy Service URLs (Commercial) | download.microsoft.com" + [7]: https://web.archive.org/web/20240609150331/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" call: - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` @@ -16111,15 +16243,24 @@ actions: parameters: serviceName: WinDefend # Check: (Get-Service -Name 'WinDefend').StartType defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual - # - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 + # - + # # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 + # # Marked: SoftDeleteFilesAsTrustedInstaller + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. # function: SoftDeleteFiles # parameters: # fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MsMpEng.exe - category: Disable Defender kernel-level drivers children: - # - Skipping wdnsfltr ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only + # Exclusions: + # - `wdnsfltr`: + # ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only - name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service docs: |- 
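Review bot: The rewrite of the `WinDefend` docs drops the `### Overview of default service statuses` table (Running / Automatic on Windows 10 ≥ 22H2 and Windows 11 ≥ 23H2), which is what documents the `defaultStartupMode: Automatic` used on revert in the next hunk, while the new `MDCoreSvc` entry later in this patch keeps the same table; keep it. Smaller points: the example uses a `$` prompt for `Set-MpPreference`, a PowerShell cmdlet, so use `PS>` or no prompt; the sentence `It is crucial for the functionality of Microsoft Defender for Endpoint [6].` cites a spreadsheet of proxy URLs, which does not support that claim; and moving the caveat into the action name (`(breaks `Set-MpPreference` cmdlet)`) is a convention none of the other action names in this patch follow, while the docs' Caution block already states it.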
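Review bot: `TerminateAndBlockExecution` for `MsMpEng.exe` is added without the restart handling that the `MpDefenderCoreService.exe` entry in this same patch documents: that entry notes the function `requires computer restart as it cannot terminate the process but can prevent its future execution` and follows with `ShowComputerRestartSuggestion`, and the surrounding comments here record `Access is denied` on the protected binary, so the same restart suggestion belongs after this call and the docs should say that the executable is blocked from starting and how the block is reverted. The commented-out `SoftDeleteFiles` block now nests a `# -` with double-commented children and a `Marked: SoftDeleteFilesAsTrustedInstaller` note, which is a tracked TODO; move it to the issue tracker rather than growing dead YAML in the collection.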
@@ -16282,11 +16423,175 @@ actions: parameters: serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SecurityHealthService.exe - function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + name: Disable "Windows Security Center" service + docs: |- # TODO: Add doc, tODO in rebranding branch somewhere "Disable Windows Security, mov e this and SecurityHealthService.exe there? Cuz these ar not Defender " + https://batcmd.com/windows/11/services/wscsvc/ + call: + - + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (23H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller # TODO: not tested + parameters: + serviceName: wscsvc # Check: (Get-Service -Name 'wscsvc').StartType + defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\wscsvc.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + category: Disable Microsoft Defender Core Service + docs: |- + TODO: Add some sentences + children: + - + name: Disable Microsoft Defender Core Service (`MDCoreSvc`) + docs: |- + This script disables the Microsoft Defender Core service (`MDCoreSvc`). + + The Microsoft Defender Core service is a component of Microsoft Defender Antivirus [1] [2] + and Microsoft Defender for Endpoint [1] [2] [3]. + It contributes to the stability and performance of Microsoft Defender Antivirus [1]. 
+ + The service is technically identified as `MDCoreSvc` [1] [2] [4] [5]. + Its executable is `MpDefenderCoreService.exe` [1] [2] [5] [6]. + This process is also known as "Antimalware Core Service" [1] [2] [6]. + It's typically located in the `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\\` folder [6]. + It is found on modern versions of Windows [5]. + + This script improves privacy by disabling this service. + It reduces data collection associated with Microsoft Defender Antivirus and Microsoft Defender for Endpoint. + It may also increase system performance by removing a background process. + However, disabling this service may reduce system security. + As a core operating system component, its removal may also affect system stability. + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | + | Windows 11 (≥ 23H2) | 🟡 Missing | N/A | + + [1]: https://web.archive.org/web/20240728143438/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-core-service-overview "Microsoft Defender Core service overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240728143825/https://learn.microsoft.com/en-sg/answers/questions/1778162/how-to-fully-uninstall-clean-up-microsoft-defender "How to fully Uninstall/Clean-up Microsoft Defender Endpoint - Microsoft Q&A | learn.microsoft.com" + [4]: https://web.archive.org/web/20240728143822/https://github.com/undergroundwires/privacy.sexy/issues/385 "[Bug]: Defender is not completely disabled · Issue #385 · undergroundwires/privacy.sexy | github.com" + [5]: 
https://web.archive.org/web/20240724234608/https://techcommunity.microsoft.com/t5/public-sector-blog/december-2023-microsoft-365-us-public-sector-roadmap-newsletter/ba-p/4010161 "December 2023 - Microsoft 365 US Public Sector Roadmap Newsletter - Microsoft Community Hub | techcommunity.microsoft.com" + [6]: https://web.archive.org/web/20240724234556/https://www.file.net/process/mpdefendercoreservice.exe.html "MpDefenderCoreService.exe Windows process - What is it? | file.net" + call: + # - + # Commented out because it does not work due to permission errors. + # function: DisableServiceInRegistryAsTrustedInstaller + # parameters: + # # Note: Always get "Permission Denied", could not find a way., https://github.com/undergroundwires/privacy.sexy/issues/385 + # # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ❌ `DisableServiceInRegistryAsTrustedInstaller` + # # Windows 11 (23H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ❌ `DisableServiceInRegistryAsTrustedInstaller` + # serviceName: MDCoreSvc # Check: (Get-Service -Name 'MDCoreSvc').StartType + # defaultStartupMode: Automatic + - + function: TerminateAndBlockExecution + # Successfully disables Microsoft Defender Core Service + # and prevents it from running in the background. + # Tested and verified since Windows 10 Pro 22H2 and Windows 11 Pro 23H2 + # using Windows Defender Antivirus antimalware platform - Version 4.8.2001.100. + # It requires computer restart as it cannot terminate the process but can prevent its future execution. + parameters: + executableNameWithExtension: MpDefenderCoreService.exe + # - + # Commented out because it does not work due to permission errors. + # # Marked: SoftDeleteFilesAsTrustedInstaller + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. 
+ # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpDefenderCoreService.exe' + # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + function: ShowComputerRestartSuggestion + - + category: Disable antivirus service # Highly undocumented seas.. + children: + # TODO: ServiceKeepAlive should be here? + # TODO: What is Windows Defender\IsServiceRunning? + # https://answers.microsoft.com/en-us/windows/forum/all/stealthy-malware-suspected/7cce4f76-f984-48af-90ed-317d9b4e1a1e + # https://answers.microsoft.com/en-us/windows/forum/all/malware-or-hardware-defect-or-both/4521a86f-6640-433b-a485-2d4c9a73abc9 + - + name: Disable Defender automatic service Launch + docs: |- + `0` means its turned off [1]. + `1` means Microsoft Defender Antivirus doesn't start [2] + + Online guides usually recommend setting it to `1` [5] [6]. + + Usual default state seams to be `1`. + + It's read by `MpSvc.dll` [3] and `MpClient.dll` [4]. + It means they relate to Defender Antivirus. + + Running another third-party antivirus causes Windows to set the sate to `0` [7]. + Once the antivirus id sisabled, its set back to `1` [7]. + This shows that this gets value `0` once Defender is disabled, because Defender disables + itself when a third-party AV is installed [7]. 
+ + [1]: https://www.windowsphoneinfo.com/threads/windows-defender-randomly-turning-off-sometimes.383757/ + [2]: https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating + [3]: https://github.com/WinDLLsExports/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings#L7793 + [4]: https://github.com/WinDLLsExports/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpClient.dll.strings#L2871 + [5]: https://www.ubackup.com/windows-11/turn-off-windows-defender-windows-11.html + [6]: https://www.alphr.com/disable-windows-defender-windows-11/ + [7]: https://www.bleepingcomputer.com/forums/t/770901/defender-detects-but-cant-clean-trojano97mmountsicml/?p=5354622 + [8]: https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 + call: + function: SetRegistryValueAsTrustedInstaller + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender + valueName: ServiceStartStates + dataType: REG_DWORD + data: '1' # TODO :Many guides tell this, but doesn't `0` make more sense? + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable Defender running state + docs: |- + `1` means Microsoft Defender Antivirus doesn't start [1]. + Says oppposite `1` means running [2] [3] + + It restarts when defender updates [4] + + This script sets current state of the service as not running to ensure + stuff depending on it do not run. + + Its read by `MpClient.dll` [5] and `MpSvc.dll` [7]. + It means they relate to Defender Antivirus. + + Windows deletes this key during shut-down or it causes false-positIve dirty shutdown [8]. 
+ + A dirty shutdown is when a computer system is shut down without going through the proper shutdown process [6]. + + [1]: https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating + [2]: https://answers.microsoft.com/en-us/windows/forum/all/windows-defender/38f15492-0a80-4ecc-bf59-946ae6f0b591 + [3]: https://answers.microsoft.com/en-us/windows/forum/all/offline-scan-done-event-log-shows-a-problem/06615685-255e-49e5-9541-0c0d0dff1cfa + [4]: https://malwaretips.com/threads/configuredefender-utility-for-windows-10-11.79039/page-44 + [5]: https://github.com/WinDLLsExports/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings#L3499 + [6]: https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/event-id-41-restart + [7]: https://github.com/WinDLLsExports/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings#L7837 + [8]: https://github.com/WinDLLsExports/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings#L7852 + call: + function: SetRegistryValueAsTrustedInstaller + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender + valueName: IsServiceRunning + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable SmartScreen docs: |- # refactor-with-variables: • SmartScreen Caution
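Review bot: `Disable Defender automatic service Launch` writes `ServiceStartStates` as `1` while its docs say `Usual default state seams to be `1`` and `1 means Microsoft Defender Antivirus doesn't start [2]` but also `0 means its turned off [1]`, the revert comment says `Missing by default`, and the value carries `TODO: Many guides tell this, but doesn't 0 make more sense?`; resolve which value prevents the start and what the real default is before shipping, because as written the action either writes the value the docs call the default or deletes on revert a value the docs say exists. The same applies to `IsServiceRunning`: the docs record that Windows deletes this key during shutdown or it causes a false-positive dirty shutdown [8], so persistently writing `0` needs a stated expectation of what the service does with it, and `1 means ... doesn't start [1]` against `Says oppposite 1 means running [2] [3]` should be settled or the action marked experimental. Other items in this hunk: `Disable "Windows Security Center" service` ships `function: DisableServiceInRegistryAsTrustedInstaller # TODO: not tested` with a docs block that is a TODO plus a bare URL; the `MDCoreSvc` table lists Windows 11 (≥ 23H2) as `🟡 Missing` while the `TerminateAndBlockExecution` comment says it was `Tested and verified since Windows 10 Pro 22H2 and Windows 11 Pro 23H2`, which cannot both hold; the `Disable Microsoft Defender Core Service` category docs are `TODO: Add some sentences`; `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\\` has a doubled trailing backslash; the references of the last two actions are bare URLs without titles or archive links, unlike the rest of the file, and `[8]` is never cited in the `ServiceStartStates` docs. Typos: `seams`, `sate`, `id sisabled`, `oppposite`, `positIve`, `Alowed`, and `Launch` capitalised in the action name.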