[BUG]: Disabling Windows Defender Services requires NT Authority #74
Comments
Thank you for your report. I can reproduce this. I'll add the scripts you suggest in the next minor version. Regarding a better solution, changing protected registry areas can be done using PowerShell, which is even used by Microsoft. I'd appreciate it if someone could do a PoC with it and share it. I'm prioritizing #53, which will make it easy to embed larger PowerShell code like this in privacy.sexy.
🎉 I wrote a working PoC with PowerShell. It will be added in privacy.sexy soon. Is there any documentation on exactly which registry keys/trees are protected? Or I'd be happy if you could share which registry keys failed for you.
Personally I had problems with ControlSet001, ControlSet002 and CurrentControlSet
Thank you. I tested it and yes you're right. I can reproduce this. They're under I can modify the rights on
Even if all permissions are fine, there is a relatively new feature called "tamper protection" that makes disabling Defender from scripts (nearly) impossible. See https://techrechard.com/completely-disable-microsoft-defender-in-windows-11/ for a tutorial with pictures
Windows 11 is fairly new and it changed quite a bit regarding system integrity. Give it some time and people will start messing with it; then we'll see how it goes.
This commit renames "smart screen" to "SmartScreen" which is the official name from Microsoft. It categorizes scripts to document the behavior in a more clear way. It adds structured depth. It moves all SmartScreen scripts under Defender, as it's now part of Defender offering since latest branding. In addition, the commit adds more documentation and more scripts such as disabling SmartScreen for Edge.
Adds more scripts to:
- disable Windows Defender functions,
- remove it from the user interface,
- clean its scan history.
Improves the documentation:
- Adds more documentation reference URLs.
- Restructures scripts in a way to better document their behavior.
All Defender scripts are now under "Disable Windows Defender" and "Privacy over security".
Changes recommendations, and simply recommends less:
- Defender cloud configurations are now only documented on "Strict" mode.
- Watson event sending with "DisableGenericReports" is disabled due to lack of documentation and deprecation.
Add new ways to disable Defender on Windows:
1. Disable through renaming required files
2. Disable using registry changes
3. Disable using TrustedInstaller user
Add support for running code as TrustedInstaller 🥳. It allows running commands in OS-protected areas. It is written in PowerShell and it uses PowerShell syntax like backticks that are inlined in a special way. So the commit extends inlining support and allows writing PowerShell using:
- Comments
- Here-strings
- Backticks
Add disabling of more Defender services. Improve documentation and categorization of services.
privacy.sexy 0.11.0 is now released with the fix 🥳 It can now disable Defender and SmartScreen, tested in both Windows 10 and Windows 11. As you suggested @ponei, I added more registry changes. We now have more than 80 additional changes to disable it. Anything that is documented to be disabled is disabled now; there are references to documentation for each script. Now we have the richest pool compared to other scripts shared. Also proud to implement a way of running as TrustedInstaller 🎉. First I thought it was not possible as I did not see a single open-source script without third-party dependencies that can disable those services, but in the end I could get it working. Thank you again @ponei for the issue explaining the root cause of the problem, it saved lots of time. @ChrisDek, I tested on Windows 11 and tamper protection in W11 does hinder us. Also in this version we have a script ( More improvements to these scripts are planned, feel free to create new issues for ideas or something unexpected. Note for other open-source developers: Feel free to use my code, but please show a reference to privacy.sexy somewhere visible to give credit.
Describe the bug
Windows Defender service disabling scripts don't work under normal admin permissions; changing some registry keys requires NT Authority.
OS
Edition Windows 10 Home Single Language
Version 20H2
OS build 19042.928
Experience Windows Feature Experience Pack 120.2212.551.0
Scripts
The whole "Disable Windows Defender Services" group
Additional information
I used a tool called PowerRun (https://www.sordum.org/9416/powerrun-v1-4-run-with-highest-privileges/) that emulates a process being called from TrustedInstaller, giving those extra permissions -- then the script ran without any errors. Also, consider adding more registry changes for better disabling (W4RH4WK/Debloat-Windows-10#273 (comment)).
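A read-only audit of the situation this issue describes, as an added example that is not part of the thread or of privacy.sexy's code: for each Defender service key it reports the owner, whether the Administrators group holds an explicit allow rule for writing values, and whether the service is already disabled, then reports the tamper protection state. The service names and function names are assumptions chosen for illustration; the control set names are the ones mentioned in the thread.

```powershell
# Added example: read-only audit, changes nothing. Run from an elevated prompt.
# Service names are assumed for illustration (they are not listed in the thread).
$DefenderServices = 'WinDefend', 'WdNisSvc', 'WdNisDrv', 'WdFilter', 'WdBoot'
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators, compared by SID so localized Windows works
$SetValue  = [System.Security.AccessControl.RegistryRights]::SetValue

function Get-DefenderServiceKeyAudit {
    param(
        [string[]]$Name = $DefenderServices,
        [string]$ControlSet = 'CurrentControlSet'   # or ControlSet001 / ControlSet002
    )
    foreach ($svc in $Name) {
        $path = "HKLM:\SYSTEM\$ControlSet\Services\$svc"
        $row = [ordered]@{ Service = $svc; Start = $null; Owner = $null; AdminsCanSetValue = $null; Note = '' }
        if (-not (Test-Path -LiteralPath $path)) {
            $row.Note = 'key not found'
        } else {
            try {
                $acl   = Get-Acl -LiteralPath $path -ErrorAction Stop
                $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
                # Allow rules only; deny rules, generic access masks and privileges are not evaluated.
                $row.AdminsCanSetValue = @($rules | Where-Object {
                    $_.IdentityReference.Value -eq $AdminsSid -and
                    $_.AccessControlType -eq 'Allow' -and
                    $_.RegistryRights.HasFlag($SetValue)
                }).Count -gt 0
                $row.Owner = $acl.Owner
                $row.Start = (Get-ItemProperty -LiteralPath $path -Name Start -ErrorAction SilentlyContinue).Start
                if ($row.Start -eq 4) { $row.Note = 'service start type is Disabled' }
            } catch {
                $row.Note = "could not read key security: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }
}

function Get-TamperProtectionState {
    # Get-MpComputerStatus fails when the Defender cmdlets or service are unavailable.
    try { (Get-MpComputerStatus -ErrorAction Stop).IsTamperProtected }
    catch { 'unknown (Get-MpComputerStatus failed)' }
}

Get-DefenderServiceKeyAudit | Format-Table -AutoSize
"Tamper protection enabled: $(Get-TamperProtectionState)"
```

A row with `Start` equal to 4 on a machine that is supposed to run Defender is worth investigating, since it means the service has been set to Disabled.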