How to Turn On or Off Microsoft Defender Antivirus in Windows 10  


  1. Posts : 69
    Windows 10
       #260

    Check from cmdline (with MSASCui or MpCmdRun) if Defender is running?


    How can I check from command line if Defender is currently enabled?

    How can I check from command line if Defender is currently enabled AND RealTimeProtection enabled?

    I don't know if the tools MSASCui.exe and MpCmdRun.exe are suitable for this task.

    If Defender is disabled they probably don't work and cannot return a result.

    So maybe a PowerShell command or other would be more suitable.


  2. Posts : 63
    Windows 10 2004 (Pro)
       #261

    Hello @Brink
    I am unable to completely disable Windows Defender on my PC, can you please check this thread for more info: Unable to disable Windows Defender on 1909


  3. Posts : 69,203
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #262

    tobwen said:
    How can I check from command line if Defender is currently enabled?

    How can I check from command line if Defender is currently enabled AND RealTimeProtection enabled?

    I don't know if the tools MSASCui.exe and MpCmdRun.exe are suitable for this task.

    If Defender is disabled they probably don't work and cannot return a result.

    So maybe a PowerShell command or other would be more suitable.

    Hello tobwen,

    If you like, you can check in Windows Security to see if these are disabled under "Virus & threat protection".


  4. Posts : 12
    LTSC 1809
       #263

    Disabling Windows Defender.


    When disabling Windows Defender was blocked in August after an update of the antivirus, I started searching for a way around this. Since I use LTSC (currently latest is 1809) on all my machines, there is no Tamper Protection option, while registry key and group policy get reset. Therefore, the only option for LTSC is to enforce the last version of Windows Defender, still respecting the registry key setting. That version is 4.18.2006.10 and is attached to this post (archive is split because of forum’s attachment size limit). However, if Windows Defender already has updated, downgrading isn’t as easy as just extracting the archive somewhere. This is somewhat tricky, so think twice if not familiar with these types of operations.

    Windows Defender lives in %programdata%\Microsoft\Windows Defender\Platform, under a version folder. The highest version will be the one used by Windows. There may be other, older, versions there as well, as the OS seems to keep an older backup there for some time as WD gets updated (that’s how I got the version 4.18.2006.10 – it was actually still there on one of the machines as a backup). The trick is to exchange the current version of WD with version 4.18.2006.10, which still respects the regkey setting DisableAntiSpyware, making switching WD on and off possible. As WD is now always running, tampering with that folder from Windows directly isn’t possible. There are, however, ways to do this: a quick and dirty one and a more thorough. I will only be covering the easy way here, as the fine one involves editing the sideloaded registry from a recovery disc and is very dangerous if not done right. I’ve done this on my machines, but the quick and dirty way will work just fine to get this functioning.

    • Run services.msc and find Windows Defender antivirus service. Write down the folder name (version) of the executable. This is the version of WD which the OS is currently using. While still in Windows, extract the archive with 4.18.2006.10 to a location of your choice.
    • Boot from a Windows recovery disc or thumbdrive – any Windows 7/8/10 one will do. Access DOS prompt, go to the above mentioned home of WD and into the folder which you have written down. Here you need to use your DOS command skills and remove all contents of that folder (including any subfolders), but not the folder itself.
    • Now use more of your command skills and copy the contents of the extracted folder into the folder you just emptied. Make sure not to create an unnecessary nested subfolder while copying. Check with dir command to see if everything looks right.
    • Exit recovery mode and boot back into Windows. Disconnect from the internet so that WD doesn’t update itself. That it will try to do, so the next step is to block that for it. For this %programdata%\Microsoft\Windows Defender\Platform and all its subfolders need to have writing rights disabled for all users, including system. This is done in the folder properties and its Security tab – take ownership of the folder, disable inheritance and give all users only reading and executing rights. I’m always running as administrator on my machines, so that wasn’t a problem to do, but if a lower level account is used, this might give errors.
    • With blocking of writing rights, Windows Update will no longer be able to upgrade version 4.18.2006.10 to anything newer and the regkey will continue to work. Do not try to substitute the blocking of writing rights with something like making the folder read-only: OS doesn’t care for this setting and will just update everything on the first occasion, pushing you back to square 1.
    • Restore DisableAntiSpyware in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender and run gpupdate /force (or restart). Enable the network connection and enjoy the once again controllable Windows Defender.

    Windows Update will try to upgrade it from time to time, but as no accounts have the rights to write in the home folder of WD anymore, the update will just fail every time. However, the threat detection mechanisms will continue to update (at least they successfully complete in Windows Update). Of course, as the WD version will age, the protection will become worse and worse, but on LTSC this is currently the only way to once again get WD under control. May work on other Windows 10 versions as well, though. Yeah, and for those wondering: the fine, but dangerous way, involving sideloaded registry, makes it possible to change where the OS actually looks for WD (its home folder, as seen in services.msc) – therefore allowing, for instance, to actually create the folder 4.18.2006.10-0 and make the OS use that instead of substituting contents of the current version, as described above. Sideloading is necessary as the regkey, containing the home folder of WD, is always locked while OS is running (even if regedit is run with system account privileges). This is, however, just cosmetic, not necessary for the sake of functionality.


    4.18.2006.10.part1.rar
    4.18.2006.10.part2.rar
    Last edited by Poccapx; 30 Oct 2020 at 20:04.


  5. Posts : 1,862
    Windows 10 Pro 2004 20H1
       #264

    tobwen said:
    How can I check from command line if Defender is currently enabled?

    How can I check from command line if Defender is currently enabled AND RealTimeProtection enabled?

    I don't know if the tools MSASCui.exe and MpCmdRun.exe are suitable for this task.

    If Defender is disabled they probably don't work and cannot return a result.

    So maybe a PowerShell command or other would be more suitable.

    Easiest way to see if it's enabled -

    Settings > Personalization > Taskbar > Notification area > Select which icons appear on the Taskbar


    After turning it on, you'll see the "shield with the green checkmark" icon on the taskbar -


    Hover over, or single-click on the icon.


  6. Posts : 1,223
    W10-Pro 22H2
       #265

    I posted my solution here: Turn On or Off Real-time Protection for Microsoft Defender Antivirus back in August. I feel it's easier than Poccapx's method. Easily reversible. Nothing untoward has happened so far... MNG


  7. Posts : 69
    Windows 10
       #266

    So I tried to disable Defender Antivirus in my Win10 v2004 (Home) installation.

    Yes, I disabled Tamper Protection first.
    Then I rebooted and executed the *.reg file (for disabling) from the very first post in this thread.

    But nothing happened.

    In general: Should Defender immediately stop after *.reg file application or do I have to reboot?
    However: Even after reboot Defender is still up and running.

    Is *.reg file stopping not working any more in v2004 or is it not applicable to HOME edition?


  8. Posts : 69,203
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #267

    tobwen said:
    So I tried to disable Defender Antivirus in my Win10 v2004 (Home) installation.

    Yes, I disabled Tamper Protection first.
    Then I rebooted and executed the *.reg file (for disabling) from the very first post in this thread.

    But nothing happened.

    In general: Should Defender immediately stop after *.reg file application or do I have to reboot?
    However: Even after reboot Defender is still up and running.

    Is *.reg file stopping not working any more in v2004 or is it not applicable to HOME edition?

    Hello tobwen,

    It's still working for me.

    If you successfully turned off Tamper Protection, the .reg file will get applied immediately when merged.

    Of course, if you have Windows Security open, you will need to close and reopen it to refresh and see the change like below.



  9. Posts : 69
    Windows 10
       #268

    Sorry, your procedure (with *.reg file) still does NOT work for me (at least not for Win10 v2004 HOME).

    At first: Yes, I disabled Tamper Protection.

    Then I downloaded your newest *.reg file again (for turning off Defender) from the very first post of this thread and double clicked on it.
    After a first prompt if I really want to add the content to registry I proceeded and got an answer:

    "....have been successfully added to the registry"

    However, Defender is still running. Even after reboot.

    Investigating your *.reg script shows that a "1" is added to Registry Key
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]

    When I peek into my Registry, then there is no such key (not even with value 0).

    The only other Registry key here with Property "DisableAntiSpyware" is in (mind the missing "Policies" part):
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

    ...and this Property value cannot be changed due to missing access permissions.

    Defender Services is still running.

    So again how do I really, really stop MS Defender (completely)?
    Maybe there are special workarounds necessary for v2004 and HOME edition?
      My Computer
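
Added example, not part of any post in this thread: a read-only PowerShell check for the question asked in #260 (is Defender enabled, and is real-time protection on?) that also reports the two DisableAntiSpyware registry locations compared in #268. The function name Get-DefenderState is hypothetical; Get-MpComputerStatus and the WinDefend service ship with Windows 10.

```powershell
# Added example: read-only status report. Get-DefenderState is a hypothetical name.
function Get-DefenderState {
    [CmdletBinding()]
    param()

    # The service query still answers when Defender is disabled or superseded by another AV.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    # Get-MpComputerStatus fails when the Defender provider is unavailable;
    # record that as "unknown" ($null fields) instead of reporting "disabled".
    $mp = $null
    try { $mp = Get-MpComputerStatus -ErrorAction Stop }
    catch { Write-Verbose "Get-MpComputerStatus failed: $($_.Exception.Message)" }

    # DisableAntiSpyware may exist under the policy key, the product key, both, or neither.
    $keys = [ordered]@{
        Policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
        Product = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    }
    $reg = @{}
    foreach ($name in $keys.Keys) {
        $p = Get-ItemProperty -Path $keys[$name] -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        $reg[$name] = if ($p) { $p.DisableAntiSpyware } else { $null }   # $null = value absent
    }

    [pscustomobject]@{
        ServiceStatus             = if ($svc) { $svc.Status } else { 'NotInstalled' }
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        TamperProtected           = $mp.IsTamperProtected
        ProductVersion            = $mp.AMProductVersion
        PolicyDisableAntiSpyware  = $reg.Policy
        ProductDisableAntiSpyware = $reg.Product
    }
}

$state = Get-DefenderState
$state | Format-List

# $true only when the antivirus engine AND real-time protection are both on.
[bool]($state.AntivirusEnabled -and $state.RealTimeProtectionEnabled)
```

Run it with -Verbose to see why the status query failed when the antivirus fields come back empty.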


  10. Posts : 12
    LTSC 1809
       #269

    I’m pretty sure that if you follow my guide a few posts up, it will work. It may be for LTSC, but since it really is substitution for a Defender of a version which still respects the regkey you talk about, Defender will turn off.


 
