From 19774930c00337a465f0a0f26427989ba64de103 Mon Sep 17 00:00:00 2001
From: undergroundwires
Date: Sun, 27 Oct 2024 18:51:57 +0100
Subject: [PATCH] win: fix Defender service $128 $385 $393 $402 $426

This commit adds disabling of missing low-level Defender services/drivers, improves disabling of existing ones, and improves their documentation.

Key changes:

- Add disabling missing Defender services.
- Add disabling missing Defender processes.
- Add soft-deleting of missing service files.
- Fix `ServiceKeepAlive` value $393, $426.
- Add disabling system modification restrictions for persistent Disable service disabling.

Other supporting changes:

- Add more documentation for related scripts.
- Move disabling `SecHealthUI` to disabling Windows Security.
- Fix `DisableService` attempting to disable the service even though it's disabled.
- Add ability to disable service on revert in `DisableServiceInRegistry`.
- Improve categorization for simplicity, add new categories for new scripts.
- Add ability to run `DeleteRegistryValue` as `TrustedInstaller`.
---
 src/application/collections/windows.yaml | 7049 ++++++++++++++++------
 1 file changed, 5068 insertions(+), 1981 deletions(-)

diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml
index ddd1ed86..314f8047 100644
--- a/src/application/collections/windows.yaml
+++ b/src/application/collections/windows.yaml
@@ -14918,14 +14918,14 @@ actions: Privacy concerns include: - Sending personal data to Microsoft for analysis [1] [2] [9]. - This allows Microsoft to collect and potentially access your sensitive information. + This allows Microsoft to collect and potentially access your sensitive information. - Flagging attempts to block Microsoft's telemetry (data collection) as security threats [3] [10]. - This prevents users from controlling what data Microsoft collects about them. + This prevents users from controlling what data Microsoft collects about them. - Incorrectly identifying privacy-enhancing scripts from privacy.sexy as malicious software [4]. - This discourages users from using tools designed to protect their privacy. + This discourages users from using tools designed to protect their privacy. - Defender itself may introduce vulnerabilities [11] [12]. - This can potentially allow attackers to exploit Defender's own features or implementation flaws. - Despite being a security product, it increases your system's attack surface. + This can potentially allow attackers to exploit Defender's own features or implementation flaws. + Despite being a security product, it increases your system's attack surface. Turning off Defender also improves your computer's speed by freeing up system resources [5]. @@ -14937,7 +14937,7 @@ actions: These scripts mainly target the built-in Defender features. Most Defender services that come with Microsoft 365 subscriptions remain largely unaffected [7] [8]. However, the scripts may impact additional Defender products not included in the standard Windows - installation, such as Defender for Endpoint. + installation, such as **Defender for Endpoint**. > **Caution**: > These scripts **may reduce your security** and **cause issues with software** relying on them. 
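Review bot: the four removed lines in this hunk ("This allows Microsoft to collect and potentially access your sensitive information.", "This prevents users from controlling what data Microsoft collects about them.", "This discourages users from using tools designed to protect their privacy." and the two-line "This can potentially allow attackers..." / "Despite being a security product...") are textually identical to the lines that replace them, so the change is indentation only; please confirm the new indentation makes these render as continuation lines under their parent bullets in the rendered `docs` Markdown rather than as separate paragraphs, since that is the only effect of the hunk. The bolding of **Defender for Endpoint** in the second part of the hunk is consistent with how **Defender Antivirus** is bolded elsewhere in these docs, so no concern there.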
@@ -15377,12 +15377,14 @@ actions: recommend: strict # Part of MAPS/SypNet/Cloud Protection that sends personal data to Microsoft docs: |- This script disables Defender's automatic submission of file samples to Microsoft for analysis. - - Automatic file submission is a feature of **Defender Antivirus** [1] [2] [3] [4] [€]. + + Automatic file submission is a feature of **Defender Antivirus** [1] [2] [3] [4] [5] [6]. By default, Defender automatically sends 'safe' file samples to Microsoft for analysis [1] [2]. + This action is part of **Microsoft's Advanced Protection Service (MAPS)** [1] [2]. Previously, this service was known as **Microsoft SpyNet** [1] [2]. It is now referred to as **cloud protection** [3]. + This automatic collection and submission can include your personal information [3]. This script sets the sample submission setting to "Never send" (value `2`), preventing any automatic @@ -15403,8 +15405,8 @@ actions: - Using the Defender CLI to set the `SubmitSamplesConsent` preference [3] [4]. - `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent` to configure the Group Policy (GPO) setting [1] [2]. - - `HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent`: - This registry key is undocumented but present in recent versions of Windows. + - `HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent` [7]. + It has enabled value of `1` in recent versions of Windows [7]. Tests show that changing this value via the CLI also alters the registry value. [1]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#submitsamplesconsent "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" 
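Review bot: the new sentence for the `HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent` key cites [7], but the reference list of this script, as visible in the following hunk, ends with the [6] entry immediately before `call:`, so [7] resolves to nothing; either add the [7] entry or renumber the citation. The same sentence also reads awkwardly: "It has enabled value of `1` in recent versions of Windows [7]." would be clearer as "Its value is `1` (enabled) by default in recent versions of Windows [7]." The replacement of the stray `[€]` with `[5] [6]` on the first changed line is correct.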
@@ -15412,7 +15414,7 @@ actions: [3]: https://web.archive.org/web/20240728193037/https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75207 "Windows Defender AV must be configured to only send safe samples for MAPS telemetry. | stigviewer.com" [4]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-submitsamplesconsent "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#submitsamplesconsent "MSFT_MpPreference - powershell.one | powershell.one" - [6]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowcloudprotection "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" call: # 0 = 'Always Prompt', 1 = 'Send safe samples automatically' (default), 2 = 'Never send', 3 = 'Send all samples automatically' - 
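Review bot: the [6] entry is swapped from the Defender Policy CSP `allowcloudprotection` page to a WinSxS `windows-defender-service` component manifest, which changes what the citation supports: the previous hunk cites [6] for "Automatic file submission is a feature of **Defender Antivirus**", and a manifest can show that the component ships with the Defender service package but documents nothing about sample submission or cloud protection itself; consider adding the manifest as a new entry and keeping the Policy CSP link, since it is the Microsoft-documented source for the cloud-protection relationship described earlier in the same docs. The value comment on the `call:` line (0 = Always Prompt, 1 = Send safe samples automatically, 2 = Never send, 3 = Send all samples automatically) is consistent with the `SubmitSamplesConsent` values documented in [4].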
@@ -15697,97 +15699,589 @@ actions: data: '1' dataOnRevert: '0' elevateToTrustedInstaller: 'true' # Without TrustedInstaller: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 23H2) + - + name: Disable Defender Antivirus Azure data collection + recommend: strict # No significant security gains + docs: |- + This script disables the Azure data collection library by removing `MpAzSubmit.dll` + + Microsoft refers to this library as the **MpAzSubmit Module** [1] [2] and **Microsoft Malware Protection** [2]. + + This file is responsible for: + + - Sending data to Azure storage [3] + - HTTP communications and REST APIs [3] + - It logs events and errors [3] + + This script enhances privacy by preventing **Defender Antivirus** from sending potentially sensitive data to Microsoft's cloud services. + It may also slightly improve boot performance by reducing the components loaded during startup. + + However, this action may reduce system security. + **Defender Antivirus** uses this module to submit suspicious files for analysis, enhancing its threat detection. + Disabling it may make your system more vulnerable to new or emerging threats. + + > **Caution:** + > This action impacts **Defender Antivirus** functionality and may make your system more vulnerable to malware. 
+ + ### Technical Details + + The script removes the `MpAzSubmit.dll` file from its default location: + + - `%PROGRAMFILES%\Windows Defender\MpAzSubmit.dll` [1] [2] [4] + + On older versions of Windows, this file is located at: + + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpAzSubmit.dll` [2] + + [1]: https://archive.ph/2024.10.27-163806/https://www.exefiles.com/en/dll/mpazsubmit-dll/ "How to Fix Issues with MpAzSubmit.dll (Free Download) | www.exefiles.com" + [2]: https://archive.ph/2024.10.27-163810/https://www.pconlife.com/viewfileinfo/mpazsubmit-dll/ "mpazsubmit.dll File Download & Fix For All Windows OS | www.pconlife.com" + [3]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpAzSubmit.dll.strings "10_0_22622_601/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpAzSubmit.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [4]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + call: + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpAzSubmit.dll' + # grantPermissions: 'true' # ❌ Does not work on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - category: Disable Defender 
Antivirus + category: Disable system modification restrictions docs: |- - This category provides scripts to disable Defender Antivirus. + This category disables features that restrict system modifications in Windows. - Defender Antivirus, integrated into Windows, provides protection against viruses, ransomware, and other - types of malware [1] [2] [3]. - - Disabling Defender Antivirus may improve system performance and privacy by stopping related data collection - However, disabling it may severely compromise your system's security if not complemented by proper security practices. - Carefully consider the trade-off before proceeding. + This enables deeper system modifications, enhancing privacy by allowing the removal or disabling + of data-collecting components like **Defender**. - **Defender Antivirus** comes with following concerns: + These features raise several concerns: - - It sends files and personal data [4] to **Microsoft's Cloud Protection Service (MAPS)** - (also known as **Microsoft Active Protection Service** or **Microsoft SpyNet**) for analysis [5] [6]. - - Recent Windows versions deeply integrate Defender with mechanisms like **Early Boot Anti-Malware**, - **Tamper Protection**, making it extremely difficult to remove or uninstall [7] [8]. - This means that even if you want to stop using Defender for privacy reasons, these features make it - very difficult to do so using standard methods, keeping Microsoft's security and data collection systems - in place on your device. - - In 2020, Defender began flagging modifications to the hosts file that block Microsoft telemetry - as a security risk [8] [9]. - This prevents you from easily stopping Microsoft's data collection on your device. - - It flags privacy scripts as malicious, even though their purpose is to enhance privacy [8] [9]. - This discourages the use of tools designed to protect your personal data. - - Some reports suggest that Defender may consume significant system resources [10]. 
+ - Less user control: + - Users can't fully control what software runs on their own machines. + - It moves security control from device owners to hardware manufacturers and software vendors. + - Vendor lock-in: + - It restricts the ability to use, develop, and distribute third-party or open source software [1]. + - DRM can be enforced at the hardware level [1]. + - Privacy: + - These systems can uniquely identify hardware [2]. + - They can enable detailed tracking of user activities. + - Remote attestation features may expose user behavior to third parties [3]. - **Defender Antivirus** evolution milestones: + Disabling these restrictions provides several privacy benefits: - - Originally launched as **Windows AntiSpyware**, later renamed to **Windows Defender** [11]. - - Replaced **Microsoft Security Essentials** in Windows 8 [12]. - - **Windows Defender** is renamed to **Windows Defender Antivirus** in Windows 10 version 1703 [13]. - - First included in **Windows Security Center (WSC)** in the 1809 update [14]. - Later, it became part of the **Windows Security** suite [4] [5] [6]. - - Renamed to **Microsoft Defender Antivirus** in the 2004 update [15]. - However, it's still frequently referred to as Windows Defender, even by Microsoft in its current - documentation [1]. + - Prevents system monitoring and data collection + - Stops sharing of system integrity data with Microsoft + - Allows modification of protected system components + - Enables deeper privacy customizations that are normally restricted - To check if Defender Antivirus is active, you can use the following commands in a PowerShell prompt: + The scripts in this category may also improve system performance by: - - `Get-MpComputerStatus`: Displays the current state of Defender Antivirus [18]. - - `Get-MpPreference`: Shows the current configuration settings of Defender Antivirus [19]. 
+ - Reducing background monitoring processes + - Removing security checks during boot and operation + - Eliminating virtualization overhead + - Decreasing system resource usage - > **Caution:** - > Disabling antivirus protection may significantly reduce your system's security. - > Consider having alternative security measures in place and practicing safe computing habits. + Potential security trade-offs: - [1]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" - [2]: https://web.archive.org/web/20240819080500/https://support.microsoft.com/en-us/office/stay-protected-with-windows-security-ae70cc96-a9cd-4443-a210-e41cb973d3a6 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" - [3]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" - [4]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" - [5]: https://web.archive.org/web/20240409170914/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Cloud protection and Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" - [6]: https://web.archive.org/web/20240409170815/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide "Microsoft Defender for Endpoint data storage and privacy | Microsoft Learn | learn.microsoft.com" - [7]: 
https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" - [8]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | borncity.com" - [9]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com" - [10]: https://web.archive.org/web/20240819092823/https://www.dell.com/support/kbdoc/en-us/000128249/windows-defender-resolving-high-hard-disk-drive-and-cpu-usage-during-scans "Resolving High Hard Disk Drive and CPU Usage During Scans by Windows Defender | Dell US | www.dell.com" - [11]: https://web.archive.org/web/20051123220536/https://blogs.technet.com/antimalware/archive/2005/11/04/413700.aspx "Anti-Malware Engineering Team : What's in a name?? A lot!! Announcing Windows Defender! 
| blogs.technet.com" - [12]: https://web.archive.org/web/20200812011954/http://answers.microsoft.com/en-us/protect/forum/protect_start/windows-defender-and-microsoft-security-essentials/5309cb8d-02e1-40e8-974f-0dcedb9ab9fd - [13]: https://web.archive.org/web/20170602091134/https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1703 "What's in Windows 10, version 1703 | Microsoft Docs | docs.microsoft.com" - [14]: https://web.archive.org/web/20240819081301/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1809#windows-security-center "What's new in Windows 10, version 1809 - Windows 10 | Microsoft Learn | learn.microsoft.com" - [15]: https://web.archive.org/web/20240819092635/https://blogs.windows.com/windows-insider/2019/07/26/announcing-windows-10-insider-preview-build-18945/ "Announcing Windows 10 Insider Preview Build 18945 | Windows Insider Blog | blogs.windows.com" - [16]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ "Windows 10: HOSTS file blocking telemetry is now flagged as a risk | www.bleepingcomputer.com" - [17]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" - [18]: https://web.archive.org/web/20240725111617/https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps "Get-MpComputerStatus (Defender) | Microsoft Learn | learn.microsoft.com" - [19]: https://web.archive.org/web/20240819105412/https://learn.microsoft.com/en-us/powershell/module/defender/get-mppreference?view=windowsserver2022-ps "Get-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" + - May make the system more vulnerable to malware + - May reduce protection against 
unauthorized system changes + - May weaken defenses against kernel-level attacks + - May allow tampering with security features + + > **Caution:** This action may reduce security and can expose your system to potential threats + + [1]: https://archive.ph/2024.10.27-163838/https://www.fsf.org/news/lifes-better-together-when-you-avoid-windows-11 "Life's better together when you avoid Windows 11 — Free Software Foundation — Working together for free software | www.fsf.org" + [2]: https://archive.ph/2024.10.27-163852/https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/how-windows-uses-the-tpm "How Windows uses the TPM | Microsoft Learn | learn.microsoft.com" + [3]: https://archive.ph/2024.10.27-163859/https://www.tandfonline.com/doi/full/10.1080/0144929X.2024.2374889 "Full article: Building trust in remote attestation through transparency – a qualitative user study on observable attestation | www.tandfonline.com" children: + - + name: Disable Defender Antivirus minifilter driver + docs: |- + This script disables Defender's core monitoring component that tracks and controls your system activities. + + This component has several names, including: + + - **Windows Defender Mini-Filter Driver** [1] [2] + - **Microsoft antimalware file system filter driver** [3] + - **Microsoft Defender Antivirus On-Access Malware Protection Mini-Filter Driver** [3] [4] + - **Windows Defender Real-Time scanning filesystem filter driver** [5] + - **Windows Defender On-Access Malware Protection Mini-Filter Driver** [2] + - **Microsoft Defender Antivirus Mini-Filter Driver** [4] + + This driver is a required component of **Defender Antivirus** [6] [7] [8] and **Defender for Endpoint** [9]. + It runs at the deepest level of Windows and monitors your system activities [10]. 
+ + The driver has these primary functions: + + - Monitors and restricts activities such as: + - File system operations [10] [11] [12] [13] + - Process creation and termination [10] [11] [12] [13] [14] [15] + - Windows registry operations [11] [12] [13] [16] [17] + - System drivers and boot processes [15] + - Storage volumes used for development (**Dev Drive**) [18] + - Collects and reports telemetry on system activity [11] + - Enables communication between Defender components [11] [12] [19] such as `MsMpEng.exe` [13] [15] [19] + - Provides security features such as: + - **Endpoint Detection and Response (EDR)** capabilities [6], sending telemetry [20] + - **Data Loss Prevention (DLP)** [11] to prevent unauthorized data sharing + - **Tamper Protection** to restrict system modifications [16] + - **Host Intrusion Prevention System (HIPS)** [14] + + This script enhances privacy by: + + - Stopping continuous system monitoring by Windows Defender + - Blocking the collection of system activity data + - Reducing telemetry sent to Microsoft + - Limiting surveillance capabilities + - Allowing deeper privacy configurations, including disabling Defender + + This script may improve system performance by: + + - Reducing background activities + - Using less system resources + - Removing file system slowdowns + + This script may increase system stability. + This driver can sometimes cause system crashes (blue screen errors) [3] [5] [12]. + Disabling it may prevent these issues [1] [21]. + + However, it may reduce your security by: + + - Impairing real-time malware protection + - Removing protection against unauthorized system changes + - Stopping monitoring of suspicious process activities + - Disabling protection of sensitive system files + + > **Caution:** This action may leave your system more vulnerable to malware and unwanted changes. + + ### Technical Details + + The driver is installed by Windows-Defender-Drivers package [22]. 
+ + This script: + + - Removes `HKLM\SYSTEM\CurrentControlSet\Services\WdFilter\Instances\WdFilter Instance!Altitude` [16] + - This method worked on older versions of Defender Antivirus before April 2024 [16] + - Tests show on modern Windows versions (Windows 10 Pro ≥ 22H2, Windows 11 Pro ≥ 21H2), the operation reports + success but the value remains unchanged. + - Disables the `WdFilter` driver service [2] [3] + - Removes the driver file at `%SYSTEMROOT%\System32\drivers\WdFilter.sys` [2] [3] [4] + + #### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Boot | + | Windows 11 (≥ 23H2) | 🟢 Running | Boot | + + [1]: https://archive.ph/2024.10.27-163912/https://www.thewindowsclub.com/page-fault-in-nonpaged-area-wdfilter-sys "PAGE FAULT IN NONPAGED AREA (WdFilter.sys) Blue Screen | thewindowsclub.com" + [2]: http://archive.today/2024.10.27-163919/https://batcmd.com/windows/8/services/wdfilter/ "Windows Defender Mini-Filter Driver - Windows 8 Service - batcmd.com | batcmd.com" + [3]: http://archive.today/2024.10.27-163923/https://batcmd.com/windows/11/services/wdfilter/ "Microsoft Defender Antivirus Mini-Filter Driver - Windows 11 Service - batcmd.com | batcmd.com" + [4]: https://archive.ph/2024.10.27-163930/https://batcmd.com/windows/10/services/wdfilter/ "Microsoft Defender Antivirus Mini-Filter Driver - Windows 10 Service - batcmd.com | batcmd.com" + [5]: https://archive.ph/2024.10.27-163936/https://triplescomputers.com/blog/uncategorized/solution-bootrec-fixboot-access-is-denied/ "SOLUTION: bootrec /fixboot Access is Denied | Triple-S Computers Blog – Louisville, KY computer repair specialist | triplescomputers.com" + [6]: https://archive.ph/2024.10.27-163942/https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs "When the hunter becomes the hunted: Using custom callbacks to disable EDRs | 
www.alteredsecurity.com" + [7]: http://archive.today/2024.10.27-165820/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/customize/uwf-antimalware-support "Antimalware support on UWF-protected devices | Microsoft Learn | learn.microsoft.com" + [8]: https://archive.ph/2024.10.27-164210/https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/security/antivirus-and-sql-server "Configure antivirus software to work with SQL Server - SQL Server | Microsoft Learn | learn.microsoft.com" + [9]: https://web.archive.org/web/20240717094647/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding "Troubleshoot Microsoft Defender for Endpoint onboarding issues - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [10]: https://web.archive.org/web/20240930174756/https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world "An unexpected journey into Microsoft Defender's signature World — retooling_ | retooling.io" + [11]: https://archive.ph/2024.10.27-164028/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/drivers/WdFilter.sys.strings "10_0_22622_601/C/Windows/System32/drivers/WdFilter.sys.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [12]: https://archive.ph/2024.10.27-164137/https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ "Dissecting the Windows Defender Driver - WdFilter (Part 1) :: Up is Down and Black is White — n4r1b | n4r1b.com" + [13]: https://archive.ph/2024.10.27-164049/https://n4r1b.com/posts/2020/02/dissecting-the-windows-defender-driver-wdfilter-part-2/ "Dissecting the Windows Defender Driver - WdFilter (Part 2) :: Up is Down and Black is White — n4r1b | n4r1b.com" + [14]: https://archive.ph/2024.10.27-164055/https://saza.re/posts/handle_exploration/ "Windows Defender Handle Exploration - saza.RE | saza.re" + [15]: 
https://archive.ph/2024.10.27-164102/https://n4r1b.com/posts/2020/03/dissecting-the-windows-defender-driver-wdfilter-part-3/ "Dissecting the Windows Defender Driver - WdFilter (Part 3) :: Up is Down and Black is White — n4r1b | n4r1b.com" + [16]: https://web.archive.org/web/20240725101722/https://www.alteredsecurity.com/post/disabling-tamper-protection-and-other-defender-mde-components?ref=news.risky.biz "Breaking through Defender's Gates - Disabling Tamper Protection and other Defender components | alteredsecurity.com" + [17]: https://archive.ph/2024.10.27-164114/https://n4r1b.com/posts/2020/04/dissecting-the-windows-defender-driver-wdfilter-part-4/ "Dissecting the Windows Defender Driver - WdFilter (Part 4) :: Up is Down and Black is White — n4r1b | n4r1b.com" + [18]: https://web.archive.org/web/20241007150442/https://learn.microsoft.com/en-us/windows/dev-drive/ "Set up a Dev Drive on Windows 11 | Microsoft Learn | learn.microsoft.com" + [19]: https://archive.ph/2024.10.27-164443/https://windows-internals.com/investigating-filter-communication-ports/ "Investigating Filter Communication Ports – Winsider Seminars & Solutions Inc. | windows-internals.com" + [20]: https://archive.ph/2024.10.27-164213/https://www.microsoft.com/en-us/security/business/security-101/what-is-edr-endpoint-detection-response "What Is EDR? 
Endpoint Detection and Response | Microsoft Security | www.microsoft.com" + [21]: https://archive.ph/2024.10.27-164210/https://wvdvegt.wordpress.com/2019/05/30/wdfilter-sys-boot-loop/ "WdFilter.sys & boot loop | Wim's Space | wvdvegt.wordpress.com" + [22]: https://archive.ph/2024.10.27-164219/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22621.1_none_5262daf3e8f76071.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22621.1_none_5262daf3e8f76071.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + call: + - + function: DeleteRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\WdFilter\Instances\WdFilter Instance + valueName: Altitude + dataTypeOnRevert: REG_SZ + dataOnRevert: '328010' # `328010` by default on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + - + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + function: DisableServiceInRegistry + parameters: + serviceName: WdFilter # Check: (Get-Service -Name 'WdFilter').StartType + defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual + # notStoppable: true # See `sc queryex WdFilter`, tested since Windows 10 22H2, Windows 11 22H2. 
+ elevateToTrustedInstaller: 'true' + - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + name: Disable Defender Antivirus boot driver + docs: |- + This script disables the Windows Defender boot driver (`WdBoot`) to reduce system monitoring and enhance your privacy and control. + + This driver is also known as: + + - **Windows Defender Boot Driver** [2] + - **Microsoft Defender Antivirus Boot Driver** [3] + - **Early Launch Anti-malware (ELAM) boot driver** [5] + - **Windows Defender ELAM Driver** [7] [10] + - **Microsoft antimalware boot driver** [9] + - **Early Launch Antimalware (ELAM) driver** [19] + + The driver was introduced in Windows 8 as a security feature [7]. + Windows includes this driver by default [2] [3] [10]. + It is part of **Defender Antivirus** [10] [11] [12] [15] [19] and **Defender for Endpoint** [11] [12] [19]. + It's part of Microsoft's supported third-party security product anti-tampering mechanism [18]. + + It starts before other boot-start drivers [6] [18] [19]. + It helps Windows kernel decide if other drivers are safe to run [19]. + It is also activated by **Limited Periodic Scanning** [14]. + + The driver supports **Early Launch Anti-malware (ELAM)** [10]. + **ELAM** is a feature that allows antimalware software to start before other third-party components [6]. + ELAM can load an anti-malware driver before other non-Microsoft boot drivers and applications [10]. + It protects the system by helping to preserve the chain of trust established by **Secure Boot** and **Trusted Boot** [10]. 
+ + ELAM works as follows: + + - Antimalware drivers load first and can block unknown drivers from starting [6] + - ELAM examines every boot driver to check if it's on the list of trusted drivers [10] + - If a driver is not trusted, Windows will not load it [10] + - After boot drivers start and storage becomes available, antimalware software continues blocking malware [6] + + The driver monitors the Windows boot process by: + + - Checking other drivers before they can start during Windows boot [7] [8] [10] [19] + - Verifying driver certificates and hashes against its database [5] [7] [8] [18] + - Managing a malware signature database [5] [6] [8] + - Monitoring and rolling back changes to Defender's main driver (`WdFilter.sys`) as temper protection [7] [5] [10] [18] + - Storing information for later analysis [7] [8] + - Notifying other components [5] [7] [10] like `WdFilter.sys` [5] [7] + + This script improves privacy by: + + - Reduces system monitoring during boot + - Allows deeper system modifications [10] to increase privacy such as disabling Defender + - Prevents Microsoft from controlling which processes can run with antimalware protection [18] + + This script may improve system performance by: + + - Improving boot time by removing additional verification steps + - Preventing system crashes (Blue Screen of Death) associated with this driver [4] [16] + + However, this script may reduce security in the following ways: + + - Reducing protection against malicious boot drivers [10] + - Removing early-boot malware detection [6] [8] [18] + - Creating an unsupported system configuration [11] [12] that may cause stability issues [17] + + > **Caution:** + > Disabling this feature removes security checks during system startup, which could may malicious software to run during boot. + + ### Technical Details + + This driver installs as part of the `Windows-Defender-Drivers` package [1]. 
+ + This script: + + - Disables the `wdboot` service [2] [3] [11] [12] + - Removes driver files from: + - `%SYSTEMROOT%\System32\drivers\WdBoot.sys` [2] [3] [5] [8] [9] [13] [15] + - `C:\Windows\ELAMBKUP\WdBoot.sys` [19] + - Removes registry configuration at `HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch!BackupPath` [19] + - Deletes signature database at `%SYSTEMROOT%\System32\Config\elam` [8] + + On older systems, this driver file may be found at `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys` [13] [16] + + #### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🔴 Stopped | Boot | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Boot | + + [1]: https://archive.ph/2024.10.27-164219/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22621.1_none_5262daf3e8f76071.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22621.1_none_5262daf3e8f76071.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [2]: http://archive.today/2024.10.27-165733/https://batcmd.com/windows/8/services/wdboot/ "Windows Defender Boot Driver - Windows 8 Service - batcmd.com | batcmd.com" + [3]: http://archive.today/2024.10.27-165849/https://batcmd.com/windows/11/services/wdboot/ "Microsoft Defender Antivirus Boot Driver - Windows 11 Service - batcmd.com | batcmd.com" + [4]: https://answers.microsoft.com/ru-ru/windows/forum/all/%D0%BD%D0%B5/f15e0e1b-06be-45ce-a3f5-c0f63c6428d1 "Не запускается Windows 10 из-за wdboot.sys, ошибка 0x000007b - Сообщество Microsoft | answers.microsoft.com" + [5]: http://archive.today/2024.10.27-165804/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/drivers/WdBoot.sys.strings 
"10_0_22622_601/C/Windows/System32/drivers/WdBoot.sys.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [6]: http://archive.today/2024.10.27-165810/https://learn.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware "Overview of Early Launch AntiMalware - Windows drivers | Microsoft Learn | learn.microsoft.com" + [7]: http://archive.today/2024.10.27-165818/https://n4r1b.netlify.app/posts/2019/11/understanding-wdboot-windows-defender-elam/ "Understanding WdBoot (Windows Defender ELAM) :: Up is Down and Black is White — n4r1b | n4r1b.netlify.app" + [8]: https://web.archive.org/web/20230731224608/https://hal.science/hal-03088315/document "ELAM: The Windows Defender ELAM Driver | hal.science" + [9]: http://archive.today/2024.10.27-165826/https://systemexplorer.net/file-database/file/wdboot-sys/15452761 "What is wdboot.sys from Microsoft Corporation? (id:15452761) | systemexplorer.net" + [10]: http://archive.today/2024.10.27-170051/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices "Control the health of Windows devices | Microsoft Learn | learn.microsoft.com" + [11]: https://web.archive.org/web/20240717094647/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding "Troubleshoot Microsoft Defender for Endpoint onboarding issues - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [12]: http://archive.today/2024.10.27-165840/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating "Troubleshoot Microsoft Defender Antivirus while migrating from a non-Microsoft solution - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [13]: http://archive.today/2024.10.27-165848/https://learn.microsoft.com/en-us/azure/attestation/tpm-attestation-sample-policies "Examples 
of an Azure TPM Attestation policy | Microsoft Learn | learn.microsoft.com" + [14]: http://archive.today/2024.10.27-165901/https://www.winhelponline.com/blog/windows-defender-running-alongside-antivirus-program-limited-periodic-scanning/ "Why Is Windows Defender Running Alongside my Antivirus Program? » Winhelponline | www.winhelponline.com" + [15]: http://archive.today/2024.10.27-165901/https://learn.microsoft.com/en-us/archive/blogs/dubaisec/elam-driver "ELAM Driver | Microsoft Learn | learn.microsoft.com" + [16]: http://archive.today/2024.10.27-165906/https://www.deploycentral.com/topic/1131-wdbootsys-bsod/ "WDBoot.sys BSOD - SmartDeploy Enterprise - DeployCentral | www.deploycentral.com" + [17]: http://archive.today/2024.10.27-165908/https://groups.google.com/g/uk.comp.homebuilt/c/wC8YeAgPKAg "Help repairing an unbootable Windows 10 system - wdboot.sys missing | groups.google.com" + [18]: https://i.blackhat.com/USA-22/Thursday/US-22-Graeber-Living-Off-the-Walled-Garden.pdf "Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem | Matt Graeber | PowerPoint Presentation | i.blackhat.com" + [19]: http://archive.today/2024.10.27-165922/https://learn.microsoft.com/en-us/defender-endpoint/elam-on-mdav "Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + # Excluding: + # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: 🔍 Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + - + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + function: DisableServiceInRegistry + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 22H2) + serviceName: WdBoot # Check: (Get-Service -Name 
'WdBoot').StartType + defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual + elevateToTrustedInstaller: 'true' + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 22H2) + fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 (≥ 22H2) | 🔒️ Protected on Windows 11 (≥ 22H2) + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 22H2) + fileGlob: '%SYSTEMROOT%\ELAMBKUP\WdBoot.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 (≥ 22H2) | 🔒️ Protected on Windows 11 (≥ 24H2) + - + function: DeleteRegistryValue + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 22H2) + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch + valueName: 'BackupPath' + dataTypeOnRevert: REG_SZ + dataOnRevert: '%SYSTEMROOT%\ELAMBKUP' # `C:\Windows\ELAMBKUP` by default on Windows 10 Pro (≥ 22H2) and Windows 11 (≥ 24H2) + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 22H2) + fileGlob: '%SYSTEMROOT%\System32\Config\elam' + - + name: Disable Microsoft Security Events Component File System Filter Driver + docs: |- # TODO: Archive + This script disables the Microsoft Security Events Component File System Filter Driver (`MsSecFlt.sys`). + + This driver is known by different names: + + - **Microsoft Security Events Component File System Filter Driver** [1] [2] + - **MSSense: Microsoft Defender for Endpoint for EDR Sensor** [3] + - **Microsoft Security Eve Kernel** [4] + - **Microsoft Security Events Component Minifilter** [5] [6] [7] + - **Microsoft Security Events Component Minifilter driver** [8] + - `MsSecFlt` [5] [6] [9]. + + It is a **minifilter** that inspects the file system [1]. + **Minifilter** is also known as **file system filter driver** [10]. 
+ It targets a file system or another file system filter driver [10]. + A minifilter intercepts requests before they reach their target, modifying or extending functionality [10]. + + It is used by Windows to monitor security-related events [2]. + It monitors the following activities: + + - File system operations [1] [11] [12] + - Process activities [1] [11] [13] [14] + - Registry changes [1] [12] + - Network interactions [1] + - Kernel structure and components [13] [14] + + It protects these components from tampering and detects unauthorized modifications [13] [14]. + It performs continuous integrity checks on system components [1] [13] [14]. + It detects and responds to tampering or corruption of kernel components [13] [14] + + This component exposes system data. + It logs events using **Event Tracing for Windows (ETW)** [1] [2]. + These logs provide security data for other Microsoft and third-party tools [2]. + It additionally provides kernel telemetry data [15]. + + It's a core **Defender** component [1] [7] [16] [17] [18]. + It comes as part of: + + - **Defender for Endpoint** suite [1] [3] [19] (formerly **Windows Advanced Threat Protection** [20] [21] [22]). + - **Defender Antivirus** [23]. + - **Endpoint Detection and Response (EDR)** system [11] [19], which monitors and responds to potential security threats. + - **Dev Drive** [3]. + It's used when using **Let antivirus filters protect Dev Drives** option is neabled [24]. + **Dev Drive** is a proprietary storage volume designed to enhance performance for developer workloads on Windows [3]. + - **Microsoft Purview** for **Data Loss Prevention (DLP)** functionality [12]. + + By disabling this driver, you may enhance your privacy by preventing the collection and logging + of detailed security events related to your system's activities. + Reducing kernel telemetry helps protect your system data. + Disabling this protection enables deeper system modifications, potentially enhancing privacy. 
+ These modifications may include disabling data-collecting components like **Defender** or enabling additional + privacy features that are otherwise restricted. + + Disabling the driver may improve system performance by preventing it from loading at startup and reducing monitoring overhead. + + However, disabling this driver can reduce your system's security. + It may expose your system to malware, unauthorized changes, and attacks like **DLL hijacking** [25]. + + > **Caution**: + > Disabling this driver may limit your system's ability to detect and respond to security threats, + > increasing vulnerability to malware, unauthorized access, and other risks. + + ### Technical Details + + This script performs the following actions: + + - Disables the `MsSecFlt` service [5] [6] [9]. + - Removes the driver file located at `C:\Windows\system32\drivers\MsSecFlt.sys` [5] [6] [9] [16]. + - Removes the associated library file at `%SYSTEMROOT%\system32\mssecuser.dll` [9] [22] [26]. + + `mssecuser.dll` is also known as **Microsoft Security Events Component Library** [12] [26]. + It provides a user-space library to the driver [9]. + This library communicates with the kernel-level driver (`MsSecFlt`) [12]. + It monitors and filters file and registry activities, helping with code integrity features to ensure the system is trusted [12]. + + These components are installed by `Windows-SECDriver` package [9]. 
+ + #### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | + | Windows 11 (21H2) | 🟢 Running | Boot | + | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual | + + [1]: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/System32/drivers/mssecflt.sys.strings "10_0_22000_1165/C/Windows/System32/drivers/mssecflt.sys.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d · privacysexy-forks/10_0_22000_1165 | github.com" + [2]: https://web.archive.org/web/20241007124239/https://crash.software/STRLCPY/Conferences/~raw/main/Offensivecon%202023%20slides/Yarden%20Shafir_Your%20Mitigations%20are%20My%20Opportunities.pdf + [3]: https://web.archive.org/web/20241007150442/https://learn.microsoft.com/en-us/windows/dev-drive/ "Set up a Dev Drive on Windows 11 | Microsoft Learn | learn.microsoft.com" + [4]: https://answers.microsoft.com/en-us/windows/forum/all/new-build-windows-11-computer-not-going-to-sleep/f88b8d66-f115-4172-aa7c-4861f52ba29a "New Build windows 11 computer not going to sleep - Microsoft Community | answers.microsoft.com" + [5]: https://batcmd.com/windows/10/services/mssecflt/ "Microsoft Security Events Component Minifilter - Windows 10 Service - batcmd.com | batcmd.com" + [6]: https://revertservice.com/10/mssecflt/ "Microsoft Security Events Component Minifilter (MsSecFlt) Service Defaults in Windows 10 | revertservice.com" + [7]: https://web.archive.org/web/20241006130508/http://blog.syscall.party/2022/08/02/inside-windows-defender-system-guard-runtime-monitor.html "Inside Windows Defender System Guard Runtime Monitor | $~ lloydlabs | blog.syscall.party" + [8]: https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes "Review events and errors using Event Viewer - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [9]: 
https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-secdriver_31bf3856ad364e35_10.0.22621.1_none_1fc1fcfdfbd26b7b.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-secdriver_31bf3856ad364e35_10.0.22621.1_none_1fc1fcfdfbd26b7b.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [10]: https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/ "File Systems and Filter Driver Design Guide - Windows drivers | Microsoft Learn | learn.microsoft.com" + [11]: https://tierzerosecurity.co.nz/2024/03/27/blind-edr.html "Abusing MiniFilter Altitude to blind EDR | Penetration Testing - Red Teaming - Purple Teaming - Security Training | Tier Zero Security, New Zealand | tierzerosecurity.co.nz" + [12]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/mssecuser.dll.strings "10_0_22622_601/C/Windows/System32/mssecuser.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [13]: https://github.com/privacysexy-forks/ExecutiveCallbackObjects/blob/master/542875F90F9B47F497B64BA219CACF69/README.md "ExecutiveCallbackObjects/542875F90F9B47F497B64BA219CACF69/README.md at master · privacysexy-forks/ExecutiveCallbackObjects | github.com" + [14]: https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf "Updated Analysis of PatchGuard on Microsoft Windows 10 RS4 | A use case of REVEN, the Timeless Analysis Tool | Author : Luc Reginato | Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf | blog.tetrane.com" + [15]: https://www.x33fcon.com/slides/x33fcon24_-_Sebastian_Feldmann_and_Philipp_Schmied_-_Busting_Redteam_Trends_with_Style_-_Lessons_Learned_from_Building_an_ETW_based_Sysmon_Replacement_from_Scratch.pdf "Busting Red Team Trends With Style | Lessons Learned From Building an ETW Based Sysmon Replacement From Scratch | Philipp Schmied, 
Sebas0an Feldmann | x33fcon24_-_Sebastian_Feldmann_and_Philipp_Schmied_-_Busting_Redteam_Trends_with_Style_-_Lessons_Learned_from_Building_an_ETW_based_Sysmon_Replacement_from_Scratch.pdf | www.x33fcon.com" + [16]: https://archive.ph/2024.10.09-113246/https://support.citrix.com/s/article/CTX691481-specific-defender-files-are-missing-from-the-published-image?language=en_US "Specific Defender files are missing from the published image | support.citrix.com" + [17]: https://answers.microsoft.com/en-us/windows/forum/all/how-do-i-disable-microsoft-defender-antivirus/14725d12-3611-48ba-a82e-b51a47726034 "How do I disable Microsoft Defender Antivirus - Microsoft Community | answers.microsoft.com" + [18]: https://github.com/privacysexy-forks/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Defense%20evasion/PotentialMicrosoftDefenderTampering%5BSolarigate%5D.yaml "Azure-Sentinel/Hunting Queries/Microsoft 365 Defender/Defense evasion/PotentialMicrosoftDefenderTampering[Solarigate].yaml at master · privacysexy-forks/Azure-Sentinel | github.com" + [19]: https://archive.ph/2024.10.27-163942/https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs "When the hunter becomes the hunted: Using custom callbacks to disable EDRs | www.alteredsecurity.com" + [20]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com" + [21]: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defender-for-endpoint-onboarding-2012r2-via-local-script-md4ws/m-p/3273553/highlight/true "Re: Defender for Endpoint | Onboarding 2012R2 via local script | md4ws.msi with error id 15 - Microsoft Community Hub | techcommunity.microsoft.com" + [22]: 
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/onboard-mde-windows-2019-ms-sense-is-missing-error-15/m-p/3925000 "Onboard MDE - Windows 2019 - MS Sense is missing / Error 15 - Microsoft Community Hub | techcommunity.microsoft.com" + [23]: https://archive.ph/2024.10.27-164210/https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/security/antivirus-and-sql-server "Configure antivirus software to work with SQL Server - SQL Server | Microsoft Learn | learn.microsoft.com" + [24]: https://learn.microsoft.com/en-us/windows/dev-drive/group-policy "Configure Dev Drive policy for enterprise business devices | Microsoft Learn | learn.microsoft.com" + [25]: https://windows-internals.com/faxing-your-way-to-system/ "Faxing Your Way to SYSTEM — Part Two – Winsider Seminars & Solutions Inc. | windows-internals.com" + [26]: https://strontic.github.io/xcyclopedia/library/mssecuser.dll-4C0B2D44270EAA444B96CC1A10CF920A.html "mssecuser.dll | Microsoft Security Events Component Library | STRONTIC | strontic.github.io" + call: + - + function: DisableService + parameters: + serviceName: MsSecFlt # Check: (Get-Service -Name 'MsSecFlt').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%SYSTEMROOT%\System32\drivers\MsSecFlt.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 (≥ 22H2) | 🔒️ Protected on Windows 11 (≥ 21H2) + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%SYSTEMROOT%\System32\mssecuser.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 (≥ 22H2) | 🔒️ Protected on Windows 11 (≥ 21H2) + - + name: Disable Microsoft Security Core Boot Driver + docs: |- + This script disables the **Microsoft Security Core Boot Driver** (`msseccore.sys`). 
+ + This driver is a kernel-mode component that enforces security policies during the boot process [1] [2]. + It was introduced in Windows 11 22H2, starting with Insider Preview Build 25188 [2] [3] [4]. + It operates as a **Secure Boot** driver [4]. + **Secure Boot** is a feature that prevents unauthorized software from loading at startup and requires compatible hardware [5]. + + The driver handles several security-related tasks: + + - Conducts boot-time security checks [1] [2]. + A malfunction may cause **blue screen of death (BSOD)** with the stop code + `MSSECCORE_ASSERTION_FAILURE`, blocking proper Windows boot [2] [4]. + - Verifies code integrity and digital signatures [1] [2]. + It checks system processes and files to prevent tampering [1]. + It enforces security policies by suspending processes that violate them and controlling file system operations [1]. + - Protects critical memory regions [1]. + - Interacts with other security components such as the **Kernel Shim Engine** for security enhancements [1]. + - Provides notifications of security-relevant system events [1], + delivering these to other security tools [6]. + + Disabling this driver may enhance privacy by allowing system modifications that are otherwise restricted. + Some privacy improvements require changes to system files or integrity checks enforced by this driver. + + The script may also improve boot speed by bypassing these security checks. + + However, this comes with a trade-off: + + - Disabling the driver may lower system security by removing protections against unauthorized code execution and tampering. + - You may receive fewer security alerts about system changes or potential threats, + potentially reducing your awareness of important security events. + + > **Caution**: + > This action may lower your system's security, increasing its vulnerability to malicious software. + + ### Technical Details + + This script disables: + + - The driver's service, identified as `MsSecCore` [3]. 
+ - The driver's file, located at `%SYSTEMROOT%\System32\drivers\msseccore.sys` [1] [3] + + #### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Boot | + | Windows 11 (21H2) | 🟡 Missing | N/A | + | Windows 11 (≥ 22H2) | 🟢 Running | Boot | + + [1]: https://web.archive.org/web/20241008140128/https://github.com/privacysexy-forks/10_0_25197_1000/blob/40c2bd1b216c06e28578a227b520a1bcf6531406/C/Windows/System32/drivers/msseccore.sys.strings "10_0_25197_1000/C/Windows/System32/drivers/msseccore.sys.strings at 40c2bd1b216c06e28578a227b520a1bcf6531406 · privacysexy-forks/10_0_25197_1000 | github.com" + [2]: https://web.archive.org/web/20241008140135/https://learn.microsoft.com/en-us/answers/questions/1282926/msseccore-assertion-failure "MSSECCORE_ASSERTION_FAILURE - Microsoft Q&A | learn.microsoft.com" + [3]: https://web.archive.org/web/20241008140128/https://batcmd.com/windows/11/services/msseccore/ "Microsoft Security Core Boot Driver - Windows 11 Service - batcmd.com | batcmd.com" + [4]: https://web.archive.org/web/20241008140213/https://windoh.wordpress.com/2022/08/25/3-new-windows-insider-builds-released-for-windows-11/ "3 new Windows Insider builds released for Windows 11 « WinDoh | windoh.wordpress.com" + [5]: https://web.archive.org/web/20241008140216/https://support.microsoft.com/en-us/windows/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad "Windows 11 and Secure Boot - Microsoft Support | support.microsoft.com" + [6]: https://web.archive.org/web/20241007124239/https://crash.software/STRLCPY/Conferences/~raw/main/Offensivecon%202023%20slides/Yarden%20Shafir_Your%20Mitigations%20are%20My%20Opportunities.pdf + call: + - + function: DisableService + parameters: + serviceName: MsSecCore # Check: (Get-Service -Name 'MsSecCore').StartType + defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + 
parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | 🔍 Missing on Windows 11 Pro (21H2) | ✅ Windows 11 Pro (≥ 22H2) + fileGlob: '%SYSTEMROOT%\System32\drivers\msseccore.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 (≥ 22H2) | 🔒️ Protected on Windows 11 (≥ 22H2) - name: Disable Tamper Protection docs: |- - This script disables Tamper Protection in Microsoft Defender Antivirus. + This script disables **Tamper Protection** in **Defender Antivirus**. - Tamper Protection is a security feature that blocks unauthorized changes to key Microsoft Defender Antivirus settings [1] [2]. + **Tamper Protection** is a security feature that blocks unauthorized changes to key **Defender Antivirus** settings [1] [2]. These settings include real-time protection [1] [2], behavior monitoring [2], and cloud-delivered protection [1]. - By default, Tamper Protection is enabled [1]. + By default, **Tamper Protection** is enabled [1]. It is available in all editions of Windows since Windows 10, version 1903 [3]. 
- Disabling Tamper Protection may increase privacy and control over your system by allowing you to: + Disabling **Tamper Protection** may increase privacy and control over your system by allowing you to: - - Change protected Microsoft Defender Antivirus settings to enhance privacy [1] [3] - - Disable Microsoft Defender Antivirus entirely [1] [3] to increase privacy + - Change protected **Defender Antivirus** settings to enhance privacy [1] [3] + - Disable **Defender Antivirus** entirely [1] [3] to increase privacy - Improve system performance by adjusting or disabling certain security features - However, turning off Tamper Protection may reduce your system's security by: + However, turning off **Tamper Protection** may reduce your system's security by: - Making your device more vulnerable to malware that attempts to disable security features - Allowing potentially harmful changes to important security settings - With Tamper Protection enabled, users can modify protected settings through the Windows Security app [1]. - Disabling Tamper Protection allows changes through scripts and third-party apps such as privacy.sexy [1]. + With **Tamper Protection** enabled, users can modify protected settings through the **Windows Security** app [1]. + Disabling **Tamper Protection** allows changes through scripts and third-party apps such as privacy.sexy [1]. ### Technical Details 
@@ -15796,8 +16290,8 @@ actions: - `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtection` [4] [5] [6]. - `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtectionSource` [7] - These keys interact with the `MpClient.dll` library within Microsoft Defender Antivirus [8]. - The script sets values to replicate changes made through the Windows Security interface [5]. + These keys interact with the `MpClient.dll` library within **Defender Antivirus** [8]. + The script sets values to replicate changes made through the **Windows Security** interface [5]. Tests reveal the following values for various Windows versions: @@ -15808,12 +16302,12 @@ actions: | `TamperProtectionSource` | Windows 10 Pro (>= 22H2) | No value | No value | No value (Or 2 [7]) | | `TamperProtectionSource` | Windows 11 Pro (>= 23H2) | 5 | 2 | 2 | - `TamperProtectionSource` value `2` means that the tamper protection is based on signatures. + `TamperProtectionSource` value `2` means that the **Tamper Protection** is based on signatures. Other recorded values in various installations include `ATP` [9], `Service Init` [10], `Intune` [11], and `E5 transition` [12]. However, these values lack official public documentation [13]. - To check the current Tamper Protection source, use this command: + To check the current **Tamper Protection** source, use this command: ```batchfile wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list | findstr "TamperProtectionSource" 
@@ -15832,10 +16326,10 @@ actions: [5]: https://web.archive.org/web/20240523053136/https://www.elevenforum.com/t/turn-on-or-off-tamper-protection-for-microsoft-defender-antivirus-in-windows-11.3973/ "Turn On or Off Tamper Protection for Microsoft Defender Antivirus in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" [6]: https://web.archive.org/web/20240725111337/https://www.ghacks.net/2019/10/14/microsoft-enables-tamper-protection-on-windows-10-for-all-home-users/ "Microsoft enables Tamper Protection on Windows 10 for all Home users - gHacks Tech News | ghacks.net" [7]: https://web.archive.org/web/20240725111606/https://wirediver.com/disable-windows-defender-in-powershell/ "Disable Windows Defender in powershell - a script to finally get rid of itWireDiver | wirediver.com" - [8]: https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings#L4520-L4521 "10_0_22623_1020/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com" + [8]: https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings "10_0_22623_1020/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com" [9]: https://web.archive.org/web/20240725111557/https://jeffreyappel.nl/microsoft-defender-for-endpoint-series-validate-defender-protection-and-additional-troubleshooting-part6/ "Validate Defender for Endpoint protection and additional troubleshooting | jeffreyappel.nl" 
[10]: https://web.archive.org/web/20240725111814/https://blog.51sec.org/2022/03/microsoft-defender-for-endpoint.html "Microsoft Defender for Endpoint Configurations and Training Resources - NETSEC | blog.51sec.org" - [11]: https://github.com/privacysexy-forks/ClientInspectorV2/blob/main/README.md "ClientInspectorV2/README.md at main · privacysexy-forks/ClientInspectorV2 | github.com" + [11]: https://archive.ph/2024.09.25-234850/https://github.com/privacysexy-forks/ClientInspectorV2/blob/main/README.md "ClientInspectorV2/README.md at main · privacysexy-forks/ClientInspectorV2 | github.com" [12]: https://web.archive.org/web/20240725111617/https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps "Get-MpComputerStatus (Defender) | Microsoft Learn | learn.microsoft.com" [13]: https://web.archive.org/web/20240725111550/https://247tech.co.uk/intune-disables-tamper-protection-by-default/ "Intune disables Tamper Protection by default – 247 TECH | 247tech.co.uk" call: @@ -15843,7 +16337,7 @@ actions: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features - valueName: "TamperProtection" + valueName: TamperProtection dataType: REG_DWORD data: "4" dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) 
@@ -15852,562 +16346,686 @@ actions: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features - valueName: "TamperProtectionSource" + valueName: TamperProtectionSource dataType: REG_DWORD data: "2" dataOnRevert: "5" # Default value: 🔍 Missing on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) elevateToTrustedInstaller: 'true' # Without TrustedInstaller: ✅ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2) - - name: Disable outdated Defender Antivirus # Deprecated since Windows 10 version 1903 - docs: - - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender - valueName: DisableAntiSpyware - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable Potentially Unwanted Application (PUA) protection # Already disabled as default - docs: - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 - - https://web.archive.org/web/20240314124740/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide - - https://web.archive.org/web/20160410000519/https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/ - - https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection - # Managing with MpPreference module: - - 
https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - call: + category: Disable Defender System Guard + docs: |- + This category disables **Defender System Guard**, a security feature in Windows. + + This feature is referred to as **Windows Defender System Guard** [1] [2], **System Guard** [3], + and internally within Microsoft as **Octagon** [4]. + Introduced in Windows 10, version 1709 [1] [4], it is a set of system integrity features [1] [2]. + + **System Guard** acts as an anti-tampering mechanism [4]. + It is a Windows component that protects system integrity during startup and runtime [1] [2] [3]. + It is included as part of the **Defender for Endpoint** suite [2]. + + It features: + + - **System Integrity Protection:** + - Protects and maintains system integrity during startup and runtime [1] [2] [3] + - Validates system integrity through local and remote verification [1] [2] [3] + - Ensures only signed and secure Windows files and drivers can start [1] [2] + - **Critical Resource Protection:** + - Safeguards critical resources (e.g., authentication stack, biometric stack) [2] [3] + - Protects against System Management Mode (SMM) attacks [3] + - **Hardware-Based Security:** + - Uses hardware-based security features to prevent unauthorized software from running before Windows starts [1] [3] + - Takes integrity measurements during boot using TPM 2.0 [2] [3] + - **Remote Management and Analysis:** + - Enables remote analysis of device integrity [1] [2] + - Allows management systems (e.g., Intune, SCCM) to acquire integrity data [1] [2] [3] + - Enables remote actions (e.g., denying resource access) for compromised devices [1] [2] [3] + - This capability works by sending system integrity data to the Microsoft cloud and other third parties [5]. + + Disabling System Guard enhances privacy by preventing remote analysis of your system. 
+ It also gives users more control, allowing changes to system components that are normally protected. + This enables privacy modifications that require system-level changes, such as disabling other Defender features. + + However, disabling System Guard may reduce overall system security. + It removes safeguards that prevent unauthorized system changes and malware infections during startup. + This may increase your system's vulnerability to attacks. + Using this on a work or school computer may violate organizational policies. + + > **Caution:** This action may expose your system to increased security risks. + + [1]: https://web.archive.org/web/20240607103322/https://www.microsoft.com/en-us/security/blog/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/ "Hardening the system and maintaining integrity with Windows Defender System Guard | Microsoft Security Blog | www.microsoft.com" + [2]: https://web.archive.org/web/20241003222911/https://learn.microsoft.com/en-us/training/modules/manage-defender-endpoint/7-explore-windows-defender-system-guard "Explore Windows Defender System Guard - Training | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20241003222858/https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows "How System Guard helps protect Windows | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20241006130508/http://blog.syscall.party/2022/08/02/inside-windows-defender-system-guard-runtime-monitor.html "Inside Windows Defender System Guard Runtime Monitor | $~ lloydlabs | blog.syscall.party" + [5]: https://web.archive.org/web/20241006131949/https://www.microsoft.com/en-us/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/ "Introducing Windows Defender System Guard runtime attestation | Microsoft Security Blog | microsoft.com" + children: - - function: 
SetMpPreference - parameters: - # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' - property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection - value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0 - default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0 - - - function: SetRegistryValue # For legacy versions: Windows 10 v1809 and Windows Server 2019 - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine - valueName: MpEnablePus - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue # For newer Windows versions - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender - valueName: PUAProtection - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable file hash computation feature # Added in Windows 10, version 2004 - docs: - - https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation - - https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631 - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine - valueName: EnableFileHashComputation - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable network inspection system features - children: - - - name: Disable protocol recognition - docs: - - 
https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS - valueName: DisableProtocolRecognition - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable definition retirement - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS - valueName: DisableSignatureRetirement - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Minimize rate of detection events - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate + name: Disable System Guard Secure Launch + docs: |- + This script disables **System Guard Secure Launch**, a security feature in Windows. + + **Secure Launch** is also known as **Virtualization Based Security (VBS)** [1] or **firmware protection [2]**. + This feature enhances startup security on Windows systems [2]. + It was initially introduced in Windows 10 version 1809 [3]. + + It protects the **Virtualization Based Security (VBS)** environment from vulnerabilities in device firmware [4]. + **VBS**, in Windows, refers to a security technology that uses hardware virtualization to create isolated and secure environments, + specifically for running sensitive operations and storing critical data [5]. + + **Secure Launch** requires specific hardware support and is not compatible with all processors [2]. 
+ It uses Intel **Trusted Execution Technology (TXT)** and **Runtime BIOS Resilience** to prevent firmware vulnerabilities + from impacting the Windows VBS environment [4]. + All drivers on the system must be compatible with this feature, or the system may crash [4]. + + Disabling it may enhance privacy by reducing the isolation of certain system components. + This limits the system's ability to collect and potentially share data about the boot process and system state. + Additionally, it increases user control over low-level system settings. + This allows for more extensive privacy-focused configurations that may otherwise be restricted or overridden by + the secure environment. + + Disabling this feature may also improve system performance by reducing the overhead of maintaining isolated environments. + + However, this comes at the cost of potentially decreased protection against specific types of attacks. + The Center for Internet Security (CIS) recommends enabling this feature for additional security on supported processors [4]. + + > **Caution**: This action may weaken device security by removing protection from specific firmware-based attacks. + + ### Technical Details + + This script configures the following registry values: + + - `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!ConfigureSystemGuardLaunch` [1] to configure the Group Policy setting. + - `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard!Enabled` [2] to configure the system setting. 
+ + [1]: https://web.archive.org/web/20241006211540/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch "DeviceGuard Policy CSP | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20241006211547/https://learn.microsoft.com/en-us/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection "System Guard Secure Launch and SMM protection | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20241003222858/https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows#secure-launchthe-dynamic-root-of-trust-for-measurement-drtm "How System Guard helps protect Windows | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20241006212106/https://www.tenable.com/audits/items/CIS_Microsoft_Intune_for_Windows_10_v3.0.1_Next_Generation_Windows_Security.audit:90dfab8e223ebdb026bde4d1041cf8c2 "23.4 (NG) Ensure 'Configure System Guard Launch' is set to 'Un... 
| Tenable® | www.tenable.com" + [5]: https://web.archive.org/web/20241006131949/https://www.microsoft.com/en-us/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/ "Introducing Windows Defender System Guard runtime attestation | Microsoft Security Blog | microsoft.com" call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS - valueName: ThrottleDetectionEventsRate - dataType: REG_DWORD - data: "10000000" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable real-time protection - children: - - - name: Disable real-time monitoring - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227 - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring - call: # Enabled by default (DisableRealtimeMonitoring is false) - - function: SetMpPreference + function: SetRegistryValue parameters: - property: DisableRealtimeMonitoring # Status: Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring - value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True - # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected - default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False - + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + valueName: ConfigureSystemGuardLaunch + dataType: REG_DWORD + 
data: '2' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableRealtimeMonitoring + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard + valueName: Enabled dataType: REG_DWORD - data: "1" + data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable intrusion prevention system (IPS) - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem + name: Disable System Guard Runtime Monitor Broker Service + docs: |- + This script disables the **System Guard Runtime Monitor Broker** service and its associated process. + + The **System Guard Runtime Monitor Broker** service monitors and verifies Windows platform integrity [1] [2] [3] [4]. + It handles attestation and reporting functions [4] [5]. + It assists assertions of **System Guard Runtime Monitor (SGRM)** [4]. + This enables management systems such as **Intune** and **SCCM** to collect integrity data [4] [6] [7] [8]. + It supports remote actions such as blocking access to compromised devices [6] [7] [8]. + + The service manages communication between the **System Guard Runtime Monitor Broker** and other parts of Windows + using Remote Procedure Calls (RPC) [4] [5]. + It uses **Event Tracing for Windows (ETW)** events, controlling and configuring ETW sessions [4] [5]. 
+ This means the service collects and logs events. + + Disabling this service may enhance privacy by preventing system integrity data collection and reporting. + It can also boost performance by reducing the service's resource usage. + + However, disabling this service may reduce security by preventing Windows from verifying system integrity + and addressing threats. + This may make the system more vulnerable to attacks. + Additionally, using this script on a work or school computer may violate your organization's policies. + + > **Caution:** Disabling this service may decrease your system's security and make it more susceptible to threats. + + ### Technical Details + + This script: + + - Disables the service (`SgrmBroker`). + - Prevents its process (`SgrmBroker.exe`) from running. + - Deletes its executable file (`SgrmBroker.exe`). + + This service is installed by the Windows package `Security-Octagon-Broker` [9]. + + The service's process is located at: + + - `%SYSTEMROOT%\System32\SgrmBroker.exe` [2] [5] [10] on Windows 10 and Windows 11 21H2. + - `%SYSTEMROOT%\System32\Sgrm\SgrmBroker.exe` [3] [9] on Windows 11 22H2 and above. + + `SgrmBroker.exe` is one of the user-mode components of the **System Guard Runtime Monitor**, + and runs as a service named `OctBroker` (or `SgrmBroker`) [4]. 
+ + #### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | + | Windows 11 (21H2) | 🟢 Running | Automatic | + | Windows 11 (22H2) | 🔴 Stopped | Disabled | + | Windows 11 (23H2) | 🔴 Stopped | Disabled | + | Windows 11 (≥ 24H2) | 🔴 Stopped | Disabled | + + [1]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" + [2]: https://web.archive.org/web/20241004104202/https://www.file.net/process/sgrmbroker.exe.html "SgrmBroker.exe Windows process - What is it? | www.file.net" + [3]: https://web.archive.org/web/20241004104231/https://batcmd.com/windows/11/services/sgrmbroker/ "System Guard Runtime Monitor Broker - Windows 11 Service - batcmd.com | batcmd.com" + [4]: https://web.archive.org/web/20241006130508/http://blog.syscall.party/2022/08/02/inside-windows-defender-system-guard-runtime-monitor.html "Inside Windows Defender System Guard Runtime Monitor | $~ lloydlabs | blog.syscall.party" + [5]: https://web.archive.org/web/20241004103608/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/Sgrm/SgrmBroker.exe.strings "10_0_22622_601/C/Windows/System32/Sgrm/SgrmBroker.exe.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [6]: https://web.archive.org/web/20240607103322/https://www.microsoft.com/en-us/security/blog/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/ "Hardening the system and maintaining integrity with Windows Defender System Guard | Microsoft Security Blog | www.microsoft.com" + [7]: 
https://web.archive.org/web/20241003222911/https://learn.microsoft.com/en-us/training/modules/manage-defender-endpoint/7-explore-windows-defender-system-guard "Explore Windows Defender System Guard - Training | Microsoft Learn | learn.microsoft.com" + [8]: https://web.archive.org/web/20241003222858/https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows "How System Guard helps protect Windows | Microsoft Learn | learn.microsoft.com" + [9]: https://web.archive.org/web/20241006131040/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_security-octagon-broker_31bf3856ad364e35_10.0.22621.1_none_bba10aa18098da8c.manifest "nickel-x64/WinSxS/Manifests/amd64_security-octagon-broker_31bf3856ad364e35_10.0.22621.1_none_bba10aa18098da8c.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [10]: https://web.archive.org/web/20241004103552/https://strontic.github.io/xcyclopedia/library/SgrmBroker.exe-C51AA0BB954EA45E85572E6CC29BA6F4.html "SgrmBroker.exe | System Guard Runtime Monitor Broker Service | STRONTIC | strontic.github.io" call: - - function: SetMpPreference + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` + # Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` + function: DisableServiceInRegistry parameters: - property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem - value: $True # Set: Set-MpPreference -Force -DisableIntrusionPreventionSystem $True - # ❌ Windows 11 and Windows 10: Does not fail but does not change the value - default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False - # ❗️ Default is empty (no value), but cannot set this way using Set-MpPreference, so 
$False is set + serviceName: SgrmBroker # Check: (Get-Service -Name 'SgrmBroker').StartType + defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual + maximumWindowsVersion: 'Windows11-21H2' - - function: SetRegistryValue + function: DisableServiceInRegistry parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableIntrusionPreventionSystem - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + serviceName: SgrmBroker + defaultStartupMode: Disabled + minimumWindowsVersion: 'Windows11-22H2' + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (21H2) | ❌ Windows 11 Pro (≥ 23H2) + fileGlob: '%SYSTEMROOT%\System32\SgrmBroker.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 (≥ 22H2) + maximumWindowsVersion: 'Windows11-21H2' + - + function: SoftDeleteFiles + parameters: + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (21H2) | ✅ Windows 11 Pro (≥ 22H2) + fileGlob: '%SYSTEMROOT%\System32\Sgrm\SgrmBroker.exe' + # grantPermissions: false # 📂 Unprotected on Windows 11 Pro (≥ 21H2) + minimumWindowsVersion: 'Windows11-22H2' + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SgrmBroker.exe - - name: Disable Information Protection Control (IPC) - docs: https://web.archive.org/web/20231207105520/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl + name: Disable System Guard Secure Enclave + docs: |- + This script disables the **Secure Enclave**, a component of the **System Guard** feature in Windows. + + The **Secure Enclave** is also known as the **assertion engine** [1] [2]. + It continuously monitors and checks system integrity during runtime, assessing the system's security state [2]. 
+ It is a core component of **System Guard** [1] [2]. + This engine can send collected data to cloud or third-party providers [1] [2]. + + This script enhances privacy by preventing system integrity data from being shared externally. + It may also improve system performance by reducing background tasks. + However, disabling this feature may decrease system security, as it is designed to detect potential threats. + + > **Caution:** Disabling this feature may reduce system security by stopping the continuous monitoring of system integrity. + + ### Technical Details + + The **Secure Enclave** is a core component of the **System Guard Runtime Monitor (SGRM)** [1]. + It uses Lua scripts to perform assertions, which are loaded by a broker to avoid direct file I/O for security reasons [1]. + + The System Guard Runtime Monitor Broker uses two DLL files as its assertion engine [1]: + + - `SgrmEnclave.dll` + - `SgrmEnclave_secure.dll` + + These files are located in: + + - `%SYSTEMROOT%\Windows\System32\` on Windows 10 (version 22H2 and above) and Windows 11 (version 21H2) + - `%SYSTEMROOT%\Windows\System32\Sgrm\` on Windows 11 (version 22H2 and above) + + [1]: https://web.archive.org/web/20241006130508/http://blog.syscall.party/2022/08/02/inside-windows-defender-system-guard-runtime-monitor.html "Inside Windows Defender System Guard Runtime Monitor | $~ lloydlabs | blog.syscall.party" + [2]: https://web.archive.org/web/20241006131949/https://www.microsoft.com/en-us/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/ "Introducing Windows Defender System Guard runtime attestation | Microsoft Security Blog | microsoft.com" call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableInformationProtectionControl - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - 
category: Disable Defender monitoring of behavior - children: - - name: Disable behavior monitoring - docs: - - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229 - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring - call: - - - function: SetMpPreference - parameters: - property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring - value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True - # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected - default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableBehaviorMonitoring - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (21H2) | ❌ Windows 11 Pro (≥ 23H2) + fileGlob: '%SYSTEMROOT%\System32\SgrmEnclave.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 (≥ 22H2) and Windows 11 Pro (21H2) + maximumWindowsVersion: 'Windows11-21H2' - - name: Disable sending raw write notifications to behavior monitoring - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows 
Defender\Real-Time Protection - valueName: DisableRawWriteNotification - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable monitoring of downloads and attachments in Defender - children: + function: SoftDeleteFiles + parameters: + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (21H2) | ✅ Windows 11 Pro (≥ 22H2) + fileGlob: '%SYSTEMROOT%\System32\Sgrm\SgrmEnclave.dll' + # grantPermissions: 'false' # 📂 Unprotected on Windows 11 Pro (≥ 22H2) + minimumWindowsVersion: 'Windows11-22H2' - - name: Disable scanning of all downloaded files and attachments - docs: - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225 - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection - call: - - - function: SetMpPreference - parameters: - property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection - value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True - # ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected - default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableIOAVProtection - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro 
(21H2) | ❌ Windows 11 Pro (≥ 23H2) + fileGlob: '%SYSTEMROOT%\System32\SgrmEnclave_secure.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 (≥ 22H2) and Windows 11 Pro (21H2) + maximumWindowsVersion: 'Windows11-21H2' - - name: Disable scanning files larger than 1 KB (minimum possible) - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: IOAVMaxSize - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender monitoring of file and program activity - children: - - - name: Disable file and program activity monitoring - docs: - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableWindowsSpotlightFeatures - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable bidirectional scan for incoming and outgoing file and program activities - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#realtimescandirection - call: - # 
0='Both': bi-directional (full on-access, default) - # 1='Incoming': scan only incoming (disable on-open) - # 2='Outcoming': scan only outgoing (disable on-close) - - - function: SetMpPreference - parameters: - property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection - value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1 - default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0 - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: RealTimeScanDirection - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable real-time protection process scanning - docs: - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableScanOnRealtimeEnable - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender remediation - children: - - - name: Disable routine remediation - docs: - - https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableroutinelytakingaction - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender - valueName: 
DisableRoutinelyTakingAction - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable running scheduled auto-remediation - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#remediationscheduleday - call: - # 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 'Never' - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Remediation - valueName: Scan_ScheduleDay - dataType: REG_DWORD - data: "8" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference + function: SoftDeleteFiles parameters: - property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay - value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8 - default: "'0'" # Default: 0 | Remove-MpPreference -Force -RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0 + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (21H2) | ✅ Windows 11 Pro (≥ 22H2) + fileGlob: '%SYSTEMROOT%\System32\Sgrm\SgrmEnclave_secure.dll' + # grantPermissions: 'false' # 📂 Unprotected on Windows 11 Pro (≥ 22H2) + minimumWindowsVersion: 'Windows11-22H2' - - name: Disable remediation actions - docs: - - https://web.archive.org/web/20240314124221/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction - - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - # None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10 - call: # Not using ThreatIdDefaultAction as it requires known threat IDs - - - function: SetMpPreference - # https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction - parameters: - property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction - # Setting or removing `UnknownThreatDefaultAction` has same affect for (sets also same value): - # `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`. - # E.g. if it's set to 8, all others will also be set to 8, and once it's removed, all others get also removed. - # Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction` - value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9 - # Default: 0 (none) - # Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction` - # works on both Windows 10 and Windows 11 + name: Disable System Guard Runtime Monitor LPAC + docs: |- + This script disables the **System Guard Runtime Monitor LPAC (Least-Privileged AppContainer)** process. + + This process is part of the **System Guard Runtime Monitor (SGRM)** functionality [1] [2]. + SGRM is a Windows security feature that monitors the system for potential tampering [1]. + LPAC (Least-Privileged AppContainer) means this component operates in a restricted environment for enhanced security [2]. 
+ + Its exposes information through: + + - It uses RPC (Remote Procedure Call) functionality [1] [2]. + RPC allows different software programs to communicate, even if they are on different computers. + The RPC endpoint can be called by anyone under the IID `a13a9961-953f-4157-8a29-e65e29be510d`, + and makes use of the common `Wininet!Http*` family of APIs for the requests [1]. + - It communicates over the Internet [1] [2]. + It reports tampering attempts and sends system and regional information to Microsoft [1]. + - It logs information and uses **Windows ETW** (Event Tracing for Windows) for potential telemetry [2]. + + It runs automatically in the background, triggered by the **System Guard Runtime Monitor Broker Service** (`SgrmBroker.exe`) [1]. + + This script improves your privacy by preventing Windows from sending system integrity data to third parties. + It can also enhance system performance by reducing background processes. + + However, disabling this component may reduce system security by removing a mechanism designed to detect system tampering. + This may leave the system more vulnerable to certain types of attacks. + + > **Caution**: Disabling this feature weakens your system's protection against tampering and unauthorized modifications. + + ### Technical Details + + This script: + + - Deletes the `SgrmLpac.exe` executable file + - Prevents `SgrmLpac.exe` from running + + The file location varies by Windows version: + + - `%SYSTEMROOT%\System32\SgrmLpac.exe` [2] [3] Windows 10 22H2 and Windows 11 21H2 + - `%SYSTEMROOT%\System32\Sgrm\SgrmLpac.exe` [4] Windows 11 22H2 and and above + + This file is installed by the `Security-Octagon-Broker` package . + It is described by Microsoft as **System Guard Runtime Monitor LPAC** [3]. 
+ + [1]: https://web.archive.org/web/20241006130508/http://blog.syscall.party/2022/08/02/inside-windows-defender-system-guard-runtime-monitor.html "Inside Windows Defender System Guard Runtime Monitor | $~ lloydlabs | blog.syscall.party" + [2]: https://web.archive.org/web/20241006170442/https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/System32/SgrmLpac.exe.strings "10_0_22000_1165/C/Windows/System32/SgrmLpac.exe.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d · privacysexy-forks/10_0_22000_1165 | github.com" + [3]: https://web.archive.org/web/20241006160611/https://strontic.github.io/xcyclopedia/library/SgrmLpac.exe-E80C9493ECAD0A51AD02EC11417F1F14.html "SgrmLpac.exe | System Guard Runtime Monitor LPAC | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20241006131040/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_security-octagon-broker_31bf3856ad364e35_10.0.22621.1_none_bba10aa18098da8c.manifest "nickel-x64/WinSxS/Manifests/amd64_security-octagon-broker_31bf3856ad364e35_10.0.22621.1_none_bba10aa18098da8c.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [5]: https://web.archive.org/web/20241006170531/https://learn.microsoft.com/en-us/hololens/security-adminless-os "Admin-less operating system security | Microsoft Learn | learn.microsoft.com" + call: - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats - valueName: Threats_ThreatSeverityDefaultAction - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (21H2) | ❌ Windows 11 Pro (≥ 23H2) + fileGlob: '%SYSTEMROOT%\System32\SgrmLpac.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 
10 (≥ 22H2) and Windows 11 Pro (21H2) + maximumWindowsVersion: 'Windows11-21H2' - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - valueName: "5" - dataType: REG_SZ - data: "9" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (21H2) | ✅ Windows 11 Pro (≥ 22H2) + fileGlob: '%SYSTEMROOT%\System32\Sgrm\SgrmLpac.exe' + # grantPermissions: 'false' # 📂 Unprotected on Windows 11 Pro (≥ 22H2) + minimumWindowsVersion: 'Windows11-22H2' - - function: SetRegistryValue + function: TerminateAndBlockExecution parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - valueName: "4" - dataType: REG_SZ - data: "9" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + executableNameWithExtension: SgrmLpac.exe + - + name: Disable "System Guard Runtime Monitor Agent" kernel driver + docs: |- + This script disables the **System Guard Runtime Monitor Agent**, a kernel driver within Windows' security infrastructure. + + The **System Guard Runtime Monitor Agent** is a kernel-mode component of System Guard that runs in the **Secure Kernel** [1]. + The Secure Kernel operates in a more secure and isolated environment called `VTL1` (Virtual Trust Level 1), + while the normal NT kernel runs in a virtualized environment called `VTL0` [2]. + This separation adds another layer of security. + + It provides essential functionality to **System Guard** through various **assists** [1] [3] [4]. + These assists enable **System Guard**'s Lua-based assertion engine to interact with and validate system information [4]. + The driver gathers data from core system components like the NT kernel to monitor their integrity [4]. 
+ It provides functionality to `SgrmBroker` (**System Guard Runtime Monitor Broker Service**) [3] [4]. + + The agent performs security functions such as: + + - Checks for signed and trusted processes [4] + - Enforces security policies [4] + - Utilizes mitigation techniques like **Control Flow Guard** to prevent unauthorized code execution [4] + - Provides kernel-level assists to the `SgrmBroker` assist engine, which runs in user-mode [4] + - Prevents DLL hijacking attacks [7] + + Disabling this driver may enhance privacy by stopping system monitoring and data collection. + It may also improve system performance by reducing background processes. + However, it may reduce system security by disabling a component that protects against specific attacks. + + > **Caution**: Disabling this driver weakens your system's defenses against malware and unauthorized code execution. + + ### Technical Details + + This script: + + - Disables the "System Guard Runtime Monitor Agent" service (`SgrmAgent`) + - Deletes the "System Guard Runtime Monitor Agent" (`SgrmAgent.sys`) file + + The `SgrmAgent.sys` file is located at `%SYSTEMROOT%\System32\drivers\SgrmAgent.sys` [3] [4] [5] [6]. + This service is installed by a Windows package called "Security-Octagon-Agent" [6]. 
+ + #### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Boot | + | Windows 10 (21H2) | 🟢 Running | Boot | + | Windows 11 (22H2) | 🔴 Stopped | Disabled | + | Windows 11 (23H2) | 🔴 Stopped | Disabled | + | Windows 11 (≥ 24H2) | 🔴 Stopped | Disabled | + + [1]: https://web.archive.org/web/20241006131949/https://www.microsoft.com/en-us/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/ "Introducing Windows Defender System Guard runtime attestation | Microsoft Security Blog | microsoft.com" + [2]: https://web.archive.org/web/20241006211212/https://www.microsoft.com/en-us/security/blog/2020/07/08/introducing-kernel-data-protection-a-new-platform-security-technology-for-preventing-data-corruption/ "Introducing Kernel Data Protection, a new platform security technology for preventing data corruption | Microsoft Security Blog | www.microsoft.com" + [3]: https://web.archive.org/web/20241006130508/http://blog.syscall.party/2022/08/02/inside-windows-defender-system-guard-runtime-monitor.html "Inside Windows Defender System Guard Runtime Monitor | $~ lloydlabs | blog.syscall.party" + [4]: https://web.archive.org/web/20241006191914/https://github.com/privacysexy-forks/10_0_17763_1/blob/6151931b169f55ce8b8581c39bb508a661e4085b/C/Windows/System32/drivers/SgrmAgent.sys.strings "10_0_17763_1/C/Windows/System32/drivers/SgrmAgent.sys.strings at 6151931b169f55ce8b8581c39bb508a661e4085b · privacysexy-forks/10_0_17763_1 | github.com" + [5]: https://web.archive.org/web/20241006160645/https://batcmd.com/windows/11/services/sgrmagent/ "System Guard Runtime Monitor Agent - Windows 11 Service - batcmd.com | batcmd.com" + [6]: 
https://web.archive.org/web/20241006191906/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_security-octagon-agent_31bf3856ad364e35_10.0.22621.1_none_611e8a0ed84a25b2.manifest "nickel-x64/WinSxS/Manifests/amd64_security-octagon-agent_31bf3856ad364e35_10.0.22621.1_none_611e8a0ed84a25b2.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [7]: https://windows-internals.com/faxing-your-way-to-system/ + call: - - function: SetRegistryValue + function: DisableService parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - valueName: "3" - dataType: REG_SZ - data: "9" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + serviceName: SgrmAgent # Check: (Get-Service -Name 'SgrmAgent').StartType + defaultStartupMode: Boot # Alowed values: Boot | System | Automatic | Manual + maximumWindowsVersion: 'Windows11-21H2' - - function: SetRegistryValue + function: DisableService parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - valueName: "2" - dataType: REG_SZ - data: "9" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + serviceName: SgrmAgent # Check: (Get-Service -Name 'SgrmAgent').StartType + defaultStartupMode: Disabled + minimumWindowsVersion: 'Windows11-22H2' - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - valueName: "1" - dataType: REG_SZ - data: "9" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%SYSTEMROOT%\System32\drivers\SgrmAgent.sys' + grantPermissions: 'true' # 🔒️ Protected 
Windows 10 Pro (≥ 22H2) | 📂 Unprotected on Windows 11 Pro (≥ 21H2) - - name: Enable automatically purging items from quarantine folder - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#quarantinepurgeitemsafterdelay + name: Disable System Guard assertions + docs: |- + This script disables System Guard assertions. + + **System Guard assertions** are measurements of sensitive system properties in real time [1]. + They help detect subtle security threats by assessing the system's security [1]. + However, this monitoring may compromise privacy by sharing system health data with external services [1]. + + This script enhances privacy by preventing the sharing of system health data. + It may also improve performance by reducing the overhead from security checks. + However, disabling these assertions may reduce your protection against advanced threats. + + > **Caution**: This script may weaken your system's ability to detect threats. + + ### Technical Details + + The script removes key files: + + - `SgrmAssertions.bin` [2] [3]: A compiled Lua script containing the assertions [2] [3] + - `SgrmAssertions.cat` [2] [3]: A certificate used to verify the legitimacy of the assertions [2] [3] + + Located in `C:\Windows\System32\Sgrm\` [3] these files exist on Windows 10 (version 22H2 and later) and Windows 11 (version 21H2 and later). + These files are part of the `Security-Octagon-SgrmAssertions` package [3]. 
+ + [1]: https://web.archive.org/web/20241006131949/https://www.microsoft.com/en-us/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/ "Introducing Windows Defender System Guard runtime attestation | Microsoft Security Blog | microsoft.com" + [2]: https://web.archive.org/web/20241006130508/http://blog.syscall.party/2022/08/02/inside-windows-defender-system-guard-runtime-monitor.html "Inside Windows Defender System Guard Runtime Monitor | $~ lloydlabs | blog.syscall.party" + [3]: https://web.archive.org/web/20241006153435/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_security-octagon-sgrmassertions_31bf3856ad364e35_10.0.22621.1_none_697721a6693216ad.manifest "nickel-x64/WinSxS/Manifests/amd64_security-octagon-sgrmassertions_31bf3856ad364e35_10.0.22621.1_none_697721a6693216ad.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" call: - # Values: - # Default: 90 on both Windows 10 21H1 and Windows 11 21H2 - # Minimum: 1 - # 0 means indefinitely - - function: SetMpPreference + function: SoftDeleteFiles parameters: - property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay - value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1 - default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90 - setDefaultOnWindows11: 'true' # `Remove-MpPreference` sets it to 0 instead 90 (OS default) in Windows 11 + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%SYSTEMROOT%\System32\Sgrm\SgrmAssertions.bin' + grantPermissions: 'true' # 🔒️ Protected Windows 10 Pro (≥ 22H2) and Windows 11 Pro (21H2) | 📂 Unprotected on Windows 11 Pro (≥ 23H2) - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: 
HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine - valueName: PurgeItemsAfterDelay - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%SYSTEMROOT%\System32\Sgrm\SgrmAssertions.cat' + grantPermissions: 'true' # 🔒️ Protected Windows 10 Pro (≥ 22H2) and Windows 11 Pro (21H2) | 📂 Unprotected on Windows 11 Pro (≥ 23H2) - - name: Disable always running antimalware service - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender - valueName: ServiceKeepAlive - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - # Too good to disable - # category: Disable Microsoft Defender "Device Guard" and "Credential Guard" - # docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 - # children: - # - - # name: Disable LSA protection (disabled by default) - # docs: - # - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection - # - https://itm4n.github.io/lsass-runasppl/ - # - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags - # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard - # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool - # call: - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa - # valueName: 
LsaCfgFlags - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\Software\Policies\Microsoft\Windows\DeviceGuard - # valueName: LsaCfgFlags - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + name: Disable virtualization-based security (VBS) + docs: |- # TODO: Archive + This script disables **Virtualization-based Security (VBS)** in Windows. + + Virtualization-based security (VBS) uses hardware virtualization to create an isolated, secure environment [1]. + This environment helps protect vital system and operating system resources, as well as security assets like + authenticated user credentials [1]. + VBS requires **Secure Boot** to run [1] [2]. + + VBS includes a memory **integrity feature** [1], also called **hypervisor-protected code integrity (HVCI)** [1] + and **hypervisor enforced code integrity** [1]. + It protects Windows by running kernel mode code integrity within the isolated virtual environment [1]. + + Initially released as part of **Defender Device Guard** [1] + this feature is now part of **Defender Application Control** [3] [4]. + Although the **Device Guard** brand is no longer used, it still appears in some Windows registry settings [1] [5]. + VBS and its memory integrity feature now operate independently [5]. + + This script may enhance privacy by giving you more control over your system. + VBS isolates kernel mode drivers and executables, preventing modifications [1]. + For example, you may want to disable Defender, which collects telemetry and personal data [6]. + Disabling Defender requires disabling its kernel drivers [7], which are protected by VBS. + Disabling VBS allows for deeper system-level changes to improve privacy. + + This script may also improve system performance. 
+ VBS can slow down apps and games by 5 to 15% [8]. + + However, disabling VBS has security implications: + + - It reduces protection against credential theft. + - It makes the system more vulnerable to certain types of malware. + - If you disable VBS, you will automatically disable **Credential Guard**, which relies on VBS [9]. + **Credential Guard** uses VBS to store credentials and other secrets in a protected environment [10]. + This environment is isolated from the operating system [10]. + + > **Caution**: + > This action may reduce system security by removing protections that block malicious code from accessing critical components. + + ### Technical Details + + This script modifies multiple registry keys to disable VBS and its features: + + - Disables VBS through: + - `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!EnableVirtualizationBasedSecurity` [8] [9] [11] [12] [13] [14] + - `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!EnableVirtualizationBasedSecurity` [2] + - Disables **Secure Boot** and **DMA** protection [2] [9] [11] through: + - `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!RequirePlatformSecurityFeatures` [2] [9] [11] [12] [13] [14] + - `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!RequirePlatformSecurityFeatures` [2] + - Disables **memory integrity** [2] [11] through: + - `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!Enabled` [11] [12] [13] [14] + - Disables **UEFI lock** [11] through: + - `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Locked` [11] [14] + - `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Unlocked` [13] + - `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!NoLock` [14] + - `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!Locked` [14] + - Disables boot prevention if VBS modules fail [11] through: + - `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Mandatory` [11] + - Disables signature check: + - 
`HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!RequireMicrosoftSignedBootChain` [12] + - Disable Hypervisor-Protected Code Integrity (HVCI): + - `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!HVCIMATRequired` [12] + - `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!HVCIMATRequired` [2] + + [1]: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs "Virtualization-based Security (VBS) | Microsoft Learn | learn.microsoft.com" + [2]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::VirtualizationBasedSecurity "Turn On Virtualization Based Security | admx.help" + [3]: https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager "Manage Windows Defender Application Control - Configuration Manager | Microsoft Learn | learn.microsoft.com" + [4]: https://coligo.se/allt-om-guard-funktionerna-i-windows-10/ "Allt om Guard-funktionerna i Windows 10 - Coligo | coligo.se" + [5]: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol "App Control for Business and virtualization-based code integrity | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20240409170914/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Cloud protection and Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20240314062047/https://batcmd.com/windows/10/services/wdfilter/ "Microsoft Defender Antivirus Mini-Filter Driver - Windows 10 Service - batcmd.com | batcmd.com" + [8]: https://www.tomshardware.com/how-to/disable-vbs-windows-11 "How to Disable VBS and Speed Up Windows 11 or 10 | Tom's Hardware | www.tomshardware.com" + [9]: 
https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure "Configure Credential Guard | Microsoft Learn | learn.microsoft.com" + [10]: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/ "Credential Guard overview | Microsoft Learn | learn.microsoft.com" + [11]: https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity "Enable memory integrity | Microsoft Learn | learn.microsoft.com" + [12]: https://github.com/privacysexy-forks/MSLab/blob/9ffe26645187515e0ff40c517cb06eb92786e267/Scenarios/DeviceGuard/VBS/readme.md "MSLab/Scenarios/DeviceGuard/VBS/readme.md at 9ffe26645187515e0ff40c517cb06eb92786e267 · privacysexy-forks/MSLab | github.com" + [13]: https://web.archive.org/web/20161201052946/https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security "Deploy Device Guard - enable virtualization-based security (Windows 10) | technet.microsoft.com" + [14]: https://web.archive.org/web/20221123184040/https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool "Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool | Microsoft Learn | learn.microsoft.com" + call: + # Virtualization features + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + valueName: EnableVirtualizationBasedSecurity + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + valueName: EnableVirtualizationBasedSecurity + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: 
SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + valueName: RequirePlatformSecurityFeatures + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + valueName: RequirePlatformSecurityFeatures + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # UEFI lock: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + valueName: Locked + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + valueName: NoLock + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + valueName: Unlocked + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity + valueName: Locked + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Signature check (RequireMicrosoftSignedBootChain): + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + valueName: RequireMicrosoftSignedBootChain + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Missing by default since Windows 10 Pro (≥ 
22H2) and Windows 11 Pro (≥ 24H2) + # Memory Integrity (HypervisorEnforcedCodeIntegrity): + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + valueName: HypervisorEnforcedCodeIntegrity + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Disable boot prevention: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + valueName: Mandatory + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Hypervisor-Protected Code Integrity (HVCI): + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity + valueName: HVCIMATRequired + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + valueName: HVCIMATRequired + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - # Too good to disable + # category: Disable Microsoft Defender "Device Guard" and "Credential Guard" + # docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 + # children: # - - # name: Disable virtualization-based security (disabled by default) + # name: Disable LSA protection 
(disabled by default) # docs: + # - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection + # - https://itm4n.github.io/lsass-runasppl/ + # - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags + # - https://web.archive.org/web/20221123184040/https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool - # - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity # call: - # # Virtualization features - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard - # valueName: EnableVirtualizationBasedSecurity - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard - # valueName: RequirePlatformSecurityFeatures - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # # Lock: - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard - # valueName: Locked - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard - # valueName: NoLock 
- # dataType: REG_DWORD - # data: '1' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # # HypervisorEnforcedCodeIntegrity: - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard - # valueName: HypervisorEnforcedCodeIntegrity - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity - # valueName: Enabled - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # function: SetRegistryValue # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity - # valueName: Locked + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa + # valueName: LsaCfgFlags # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # name: Disable System Guard Secure Launch - # docs: - # - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection - # - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch - # call: - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - # valueName: ConfigureSystemGuardLaunch - # dataType: REG_DWORD - # data: '2' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # function: SetRegistryValue # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard - 
# valueName: Enabled + # keyPath: HKLM\Software\Policies\Microsoft\Windows\DeviceGuard + # valueName: LsaCfgFlags # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) 
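Review bot: the `deleteOnRevert: 'true'` annotation `# Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)` on both new `LsaCfgFlags` entries is carried over verbatim from the DeviceGuard values they replace; the annotation is per-value, so confirm it was re-checked for `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` and for the `HKLM\Software\Policies\Microsoft\Windows\DeviceGuard` copy rather than inherited. Two smaller points: the readiness tool is now referenced twice (the live `docs.microsoft.com/.../dg-readiness-tool` link and the newly added web.archive.org copy of the same page), so the live duplicate can go; and the hunk drops the HVCI, `Locked`/`NoLock` and System Guard Secure Launch actions without explanation while the whole block stays commented out under `(disabled by default)`, so a one-line comment on why those were removed and why the remaining `LsaCfgFlags` action is still disabled would help the next reader. A value legend next to `data: '0'`, such as `# 0 = Disabled, 1 = Enabled with UEFI lock, 2 = Enabled without lock`, would make the intent readable in the same way the other scripts document their numeric values.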
@@ -16429,457 +17047,1855 @@ actions: # function: DeleteFiles # parameters: # fileGlob: '%WINDIR%\System32\CodeIntegrity\SIPolicy.p7b' + - + category: Disable Defender Antivirus + docs: |- + This category provides scripts to disable Defender Antivirus. + + Defender Antivirus, integrated into Windows, provides protection against viruses, ransomware, and other + types of malware [1] [2] [3]. + + Disabling Defender Antivirus may improve system performance and privacy by stopping related data collection + However, disabling it may severely compromise your system's security if not complemented by proper security practices. + Carefully consider the trade-off before proceeding. + + **Defender Antivirus** comes with following concerns: + + - It sends files and personal data [4] to **Microsoft's Cloud Protection Service (MAPS)** + (also known as **Microsoft Active Protection Service** or **Microsoft SpyNet**) for analysis [5] [6]. + - Recent Windows versions deeply integrate Defender with mechanisms like **Early Boot Anti-Malware**, + **Tamper Protection**, making it extremely difficult to remove or uninstall [7] [8]. + This means that even if you want to stop using Defender for privacy reasons, these features make it + very difficult to do so using standard methods, keeping Microsoft's security and data collection systems + in place on your device. + - In 2020, Defender began flagging modifications to the hosts file that block Microsoft telemetry + as a security risk [8] [9]. + This prevents you from easily stopping Microsoft's data collection on your device. + - It flags privacy scripts as malicious, even though their purpose is to enhance privacy [8] [9]. + This discourages the use of tools designed to protect your personal data. + - Some reports suggest that Defender may consume significant system resources [10]. + + **Defender Antivirus** evolution milestones: + + - Originally launched as **Windows AntiSpyware**, later renamed to **Windows Defender** [11]. 
+ - Replaced **Microsoft Security Essentials** in Windows 8 [12]. + - **Windows Defender** is renamed to **Windows Defender Antivirus** in Windows 10 version 1703 [13]. + - First included in **Windows Security Center (WSC)** in the 1809 update [14]. + Later, it became part of the **Windows Security** suite [1] [2] [3] [7] [13]. + - Renamed to **Microsoft Defender Antivirus** in the 2004 update [15]. + However, it's still frequently referred to as Windows Defender, even by Microsoft in its current + documentation [1]. + + To check if Defender Antivirus is active, you can use the following commands in a PowerShell prompt: + + - `Get-MpComputerStatus`: Displays the current state of Defender Antivirus [18]. + - `Get-MpPreference`: Shows the current configuration settings of Defender Antivirus [19]. + + > **Caution:** + > Disabling antivirus protection may significantly reduce your system's security. + > Consider having alternative security measures in place and practicing safe computing habits. 
+ + [1]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240819080500/https://support.microsoft.com/en-us/office/stay-protected-with-windows-security-ae70cc96-a9cd-4443-a210-e41cb973d3a6 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" + [5]: https://web.archive.org/web/20240409170914/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Cloud protection and Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20240409170815/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide "Microsoft Defender for Endpoint data storage and privacy | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" + [8]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | 
borncity.com" + [9]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com" + [10]: https://web.archive.org/web/20240819092823/https://www.dell.com/support/kbdoc/en-us/000128249/windows-defender-resolving-high-hard-disk-drive-and-cpu-usage-during-scans "Resolving High Hard Disk Drive and CPU Usage During Scans by Windows Defender | Dell US | www.dell.com" + [11]: https://web.archive.org/web/20051123220536/https://blogs.technet.com/antimalware/archive/2005/11/04/413700.aspx "Anti-Malware Engineering Team : What's in a name?? A lot!! Announcing Windows Defender! | blogs.technet.com" + [12]: https://web.archive.org/web/20200812011954/http://answers.microsoft.com/en-us/protect/forum/protect_start/windows-defender-and-microsoft-security-essentials/5309cb8d-02e1-40e8-974f-0dcedb9ab9fd + [13]: https://web.archive.org/web/20170602091134/https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1703 "What's in Windows 10, version 1703 | Microsoft Docs | docs.microsoft.com" + [14]: https://web.archive.org/web/20240819081301/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1809#windows-security-center "What's new in Windows 10, version 1809 - Windows 10 | Microsoft Learn | learn.microsoft.com" + [15]: https://web.archive.org/web/20240819092635/https://blogs.windows.com/windows-insider/2019/07/26/announcing-windows-10-insider-preview-build-18945/ "Announcing Windows 10 Insider Preview Build 18945 | Windows Insider Blog | blogs.windows.com" + [16]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ "Windows 10: HOSTS file blocking telemetry is now 
flagged as a risk | www.bleepingcomputer.com" + [17]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" + [18]: https://web.archive.org/web/20240725111617/https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps "Get-MpComputerStatus (Defender) | Microsoft Learn | learn.microsoft.com" + [19]: https://web.archive.org/web/20240819105412/https://learn.microsoft.com/en-us/powershell/module/defender/get-mppreference?view=windowsserver2022-ps "Get-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" + children: - - name: Disable Defender auto-exclusions + name: Disable outdated Defender Antivirus # Deprecated since Windows 10 version 1903 docs: - - https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide - - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions + - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender + valueName: DisableAntiSpyware + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable Potentially Unwanted Application (PUA) protection # Already disabled as default + docs: + - 
https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 + - https://web.archive.org/web/20240314124740/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide + - https://web.archive.org/web/20160410000519/https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/ + - https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions call: - function: SetMpPreference parameters: - property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions - value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True - default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False - setDefaultOnWindows11: 'true' # `Remove-MpPreference` has no affect (does not change the value) in Windows 11 + # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' + property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection + value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0 + default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0 - - function: SetRegistryValue + function: SetRegistryValue # For legacy versions: Windows 10 v1809 and Windows Server 2019 parameters: - 
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions - valueName: DisableAutoExclusions + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine + valueName: MpEnablePus dataType: REG_DWORD - data: '1' + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue # For newer Windows versions + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: PUAProtection + dataType: REG_DWORD + data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable Defender scans + name: Disable file hash computation feature # Added in Windows 10, version 2004 + docs: + - https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation + - https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine + valueName: EnableFileHashComputation + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable network inspection children: - - category: Disable scan actions + name: Disable protocol recognition + docs: + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS + valueName: 
DisableProtocolRecognition + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable definition retirement + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS + valueName: DisableSignatureRetirement + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Minimize rate of detection events + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS + valueName: ThrottleDetectionEventsRate + dataType: REG_DWORD + data: "10000000" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable real-time protection + children: + - + name: Disable real-time monitoring + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227 + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring + call: # Enabled by default (DisableRealtimeMonitoring is false) + - + function: SetMpPreference + parameters: + property: DisableRealtimeMonitoring # Status: Get-MpPreference | 
Select-Object -Property DisableRealtimeMonitoring + value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True + # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected + default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False + + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableRealtimeMonitoring + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable intrusion prevention system (IPS) + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem + call: + - + function: SetMpPreference + parameters: + property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem + value: $True # Set: Set-MpPreference -Force -DisableIntrusionPreventionSystem $True + # ❌ Windows 11 and Windows 10: Does not fail but does not change the value + default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False + # ❗️ Default is empty (no value), but cannot set this way using Set-MpPreference, so $False is set + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection 
+ valueName: DisableIntrusionPreventionSystem + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable Information Protection Control (IPC) + docs: https://web.archive.org/web/20231207105520/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableInformationProtectionControl + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender monitoring of behavior children: - - name: Disable signature verification before scanning # Default configuration + name: Disable behavior monitoring docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan + - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229 # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring call: - function: SetMpPreference parameters: - property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan - value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False - default: $False # Default: False | Remove-MpPreference -Force 
-CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False + property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring + value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True + # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected + default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False - function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: CheckForSignaturesBeforeRunningScan + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableBehaviorMonitoring dataType: REG_DWORD - data: '0' + data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable creation of daily system restore points # Default behavior - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint + name: Disable sending raw write notifications to behavior monitoring + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification call: - - - function: SetMpPreference - parameters: - property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint - value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True - default: $True # Default: True | 
Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableRestorePoint - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableRawWriteNotification + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable monitoring of downloads and attachments in Defender + children: - - name: Minimize retention time for files in scan history + name: Disable scanning of all downloaded files and attachments docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225 # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay - call: # Default is 15, minimum is 0 which means never removing items + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection + call: - function: SetMpPreference parameters: - property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay - value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1 - default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | 
Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15 + property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection + value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True + # ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected + default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False - function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: PurgeItemsAfterDelay + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableIOAVProtection dataType: REG_DWORD - data: '1' + data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable scanning files larger than 1 KB (minimum possible) + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: IOAVMaxSize + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable catch-up scans + category: Disable Defender monitoring of file and program activity children: - - name: Maximize days until mandatory catch-up scan - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup - # Default and minimum is 2, maximum is 20 + name: Disable file and program activity monitoring + docs: + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223 + - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection call: function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: MissedScheduledScanCountBeforeCatchup + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableOnAccessProtection dataType: REG_DWORD - data: '20' + data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable catch-up full scans # Disabled by default + name: Disable bidirectional scan for incoming and outgoing file and program activities docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#realtimescandirection call: + # 0='Both': bi-directional (full on-access, default) + # 1='Incoming': scan only incoming (disable on-open) + # 2='Outcoming': scan only outgoing (disable on-close) - function: SetMpPreference parameters: - property: DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan - value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True - default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True + 
property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection + value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1 + default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0 - function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableCatchupFullScan + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: RealTimeScanDirection dataType: REG_DWORD - data: '1' + data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable catch-up quick scans - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan + - + name: Disable real-time protection process scanning + docs: + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableScanOnRealtimeEnable + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable Defender Antivirus "Real-time Protection" library + docs: |- # TODO: Archive + This script disables the **Defender Antivirus** Real-time Protection (RTP) module by + removing its core library, `MpRtp.dll`. + + The `MpRtp.dll` library is also known as **AntiMalware Realtime Monitor** [1]. + It is a crucial component of **Defender Antivirus** [2] [3] [4] [5]. 
+ It works with the **Microsoft Defender Antivirus Mini-Filter Driver** (`WdFilter.sys`) to intercept and + scan file operations [5] [6]. + It functions as the **Real-time Protection** module [5] [7]. + It constantly monitors your system for threats [8]. + + It includes features like: + + - **Device Control** policies to restrict the use of removable devices and printers [5]. + - **Data Loss Prevention (DLP)** capabilities to prevent sensitive data from being leaked [5]. + - Monitors your system [9], including scanning files and processes [5] + - Management of exclusions for files and processes that should not be scanned [5]. + - Real-time threat detection and actions based on configuration settings (e.g., block, allow, audit) [5]. + - Cloud-based protection and file submission to Microsoft [5] + - Integration with Office applications and browsers for additional protection [5]. + - Communication with other Defender components [5] + - Browser protection and network scanning [5] + - **Controlled Folder Access** to protect against ransomware + - Using Event Tracing for Windows (ETW) providers for security logging [3] [5] + + This script improves privacy by removing capabilities like sample submission and cloud communications. + It prevents the system from monitoring processes for suspicious activities and logging events related to threat detections. + It may also improve system performance, as some users have reported high CPU usage linked to this module [4]. + However, this may reduce your system's security by disabling real-time protection against malware and other threats. + + > **Caution**: + > Disabling real-time protection may expose your system to significant security risks. + + ### Technical Details + + This script deletes the `MpRtp.dll` library from `%PROGRAMFILES%\Windows Defender\MpRtp.dll` [1] [2]. + On older versions of Windows, this file is located at `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpRtp.dll` [3]. 
+ + The `MpRtp.dll` library registers Event Tracing for Windows (ETW) providers for security logging [3] [5]. + It implements the following ETW providers [3]: + + | ETW Provider GUID | ETW Provider Name | + | ----------------- | ----------------- | + | `8E92DEEF-5E17-413B-B927-59B2F06A3CFC` | `Microsoft-Antimalware-RTP` | + | `7AF898D7-7E0E-518D-5F96-B1E79239484C` | `Microsoft.Windows.Defender` | + + [1]: https://systemexplorer.net/file-database/file/mprtp-dll "What is mprtp.dll ? | System Explorer | systemexplorer.net" + [2]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [3]: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/Microsoft_Antivirus.pdf?__blob=publicationFile&v=2 "Microsoft Defender Antivirus | Federal Office for Information Security Germany | www.bsi.bund.de" + [4]: https://superuser.com/questions/1115395/windows-10-upgrade-cpu-100/1116367#1116367 "Windows 10 upgrade = CPU 100% - Super User | superuser.com" + [5]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpRtp.dll.strings "10_0_22622_601/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpRtp.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [6]: https://m.blog.naver.com/codecrusader/110133772276 "Windows 8 - Windows Defender : 네이버 블로그 | m.blog.naver.com" + [7]: 
https://n4r1b.com/posts/2020/04/dissecting-the-windows-defender-driver-wdfilter-part-4/ "Dissecting the Windows Defender Driver - WdFilter (Part 4) :: Up is Down and Black is White — n4r1b | n4r1b.com" + [8]: https://www.lenovo.com/us/en/glossary/windows-defender/ "Windows Defender: How Does Windows Defender Work? Do I Need To Install It? | Lenovo US | www.lenovo.com" + [9]: https://readmedium.com/windows-defender-memory-scan-feature-analysis-3f9242f00132 "Windows Defender Memory Scan Feature Analysis | readmedium.com" + [10]: https://troopers.de/downloads/troopers24/TR24_Deep_Dive_into_Windows_Defender_MSXP97.pdf "Deep Dive into Windows Defender: SmartApp Control and ET | PowerPoint Presentation | troopers.de" + call: + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpRtp.dll' + # grantPermissions: 'true' # ❌ Does not work on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) + - + category: Disable Defender remediation + children: + - + name: Disable routine remediation + docs: + - https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableroutinelytakingaction + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: DisableRoutinelyTakingAction + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable running scheduled auto-remediation + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay + # 
Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#remediationscheduleday + call: + # 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 'Never' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Remediation + valueName: Scan_ScheduleDay + dataType: REG_DWORD + data: "8" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay + value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8 + default: "'0'" # Default: 0 | Remove-MpPreference -Force -RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0 + - + name: Disable remediation actions + docs: + - https://web.archive.org/web/20240314124221/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + # None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10 + call: # Not using ThreatIdDefaultAction as it requires known threat IDs + - + function: SetMpPreference + # https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction + 
parameters: + property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction + # Setting or removing `UnknownThreatDefaultAction` has same affect for (sets also same value): + # `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`. + # E.g. if it's set to 8, all others will also be set to 8, and once it's removed, all others get also removed. + # Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction` + value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9 + # Default: 0 (none) + # Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction` + # works on both Windows 10 and Windows 11 + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats + valueName: Threats_ThreatSeverityDefaultAction + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "5" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "4" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "3" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and 
Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "2" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "1" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Enable automatically purging items from quarantine folder + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#quarantinepurgeitemsafterdelay + call: + # Values: + # Default: 90 on both Windows 10 21H1 and Windows 11 21H2 + # Minimum: 1 + # 0 means indefinitely + - + function: SetMpPreference + parameters: + property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay + value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1 + default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90 + setDefaultOnWindows11: 'true' # `Remove-MpPreference` sets it to 0 instead 90 (OS default) in Windows 11 + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine + valueName: PurgeItemsAfterDelay + dataType: REG_DWORD + data: '1' + 
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable Defender auto-exclusions + docs: + - https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide + - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions + call: + - + function: SetMpPreference + parameters: + property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions + value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True + default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False + setDefaultOnWindows11: 'true' # `Remove-MpPreference` has no affect (does not change the value) in Windows 11 + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions + valueName: DisableAutoExclusions + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender scans + children: + - + category: Disable scan actions + children: + - + name: Disable signature verification before scanning # Default configuration + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan # 
Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan call: - function: SetMpPreference parameters: - property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan - value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True - default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True + property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan + value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False + default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableCatchupQuickScan + valueName: CheckForSignaturesBeforeRunningScan + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable creation of daily system restore points # Default behavior + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint + call: + - + function: SetMpPreference + parameters: + property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint + value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True + default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableRestorePoint + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Minimize retention time for files in scan history + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay + call: # Default is 15, minimum is 0 which means never removing items + - + function: SetMpPreference + parameters: + property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay + value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1 + default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15 + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: PurgeItemsAfterDelay dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since 
Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable Defender scan options + category: Disable catch-up scans + children: + - + name: Maximize days until mandatory catch-up scan + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup + # Default and minimum is 2, maximum is 20 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: MissedScheduledScanCountBeforeCatchup + dataType: REG_DWORD + data: '20' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable catch-up full scans # Disabled by default + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan + call: + - + function: SetMpPreference + parameters: + property: DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan + value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True + default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableCatchupFullScan + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable catch-up quick scans + docs: + - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan + call: + - + function: SetMpPreference + parameters: + property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan + value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True + default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableCatchupQuickScan + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender scan options + children: + - + name: Disable scan heuristics + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableHeuristics + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable intensive CPU usage during Defender scans + children: + - + name: Minimize CPU usage during scans + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor + # Managing with MpPreference module: + - 
https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanavgcpuloadfactor + call: + # Default: 50, minimum 1 + - + function: SetMpPreference + parameters: + property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor + value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1 + default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50 + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: AvgCPULoadFactor + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Minimize CPU usage during idle scans + docs: + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + call: + - + function: SetMpPreference + parameters: + property: DisableCpuThrottleOnIdleScans # Status: Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans + value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False + default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableCpuThrottleOnIdleScans + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable scanning when not idle # Default OS setting + docs: + 
- https://web.archive.org/web/20231206191436/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled + call: + - + function: SetMpPreference + parameters: + property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled + value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True + default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ScanOnlyIfIdle + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable scheduled anti-malware scanner (MRT) + docs: |- + This script disables the scheduled scans by the Malicious Software Removal Tool (MSRT) provided by Microsoft. + + Starting from version 5.39 in August 2016, MSRT sends a "Heartbeat Report" to Microsoft every time it runs [1]. This behavior occurs even if certain user + preferences like the Customer Experience Improvement Program (CEIP) are turned off or if "DiagTrack" is not on the computer [1]. A record of this "Successfully + Submitted Heartbeat Report" can be checked in the MRT log, found at `%windir%\debug\mrt.log` [1]. + + By using this script, users enhance their privacy by preventing such automatic data transmissions to Microsoft. 
+ + [1]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\MRT + valueName: DontOfferThroughWUAU + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Minimize scanned areas + children: + - + name: Disable e-mail scanning # Disabled by default + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning + call: + - + function: SetMpPreference + parameters: + property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning + value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $False + default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableEmailScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable script scanning + docs: + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning + call: + function: SetMpPreference + parameters: + property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning + value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True + # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected + default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False + - + name: Disable reparse point scanning + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableReparsePointScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable scanning mapped network drives during full scan + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableScanningMappedNetworkDrivesForFullScan + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: 
SetMpPreference + parameters: + property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan + value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False + default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True + - + name: Disable network file scanning + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableScanningNetworkFiles + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles + value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True + default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False + - + name: Disable scanning packed executables + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: 
DisablePackedExeScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable scanning archive files + children: + - + name: Disable Defender archive file scanning + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableArchiveScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning + value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True + default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False + - + name: Minimize scanning depth of archive files + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ArchiveMaxDepth + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Minimize file size for scanning archive files + docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ArchiveMaxSize + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable scanning removable drives + docs: + # Disabled by default + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanningDisableRemovableDriveScanning + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableRemovableDriveScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning + value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $False + default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True + - + category: Disable auto-scans + children: + - + name: Disable scheduled scans + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay + - 
https://web.archive.org/web/20240314122526/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanscheduleday + call: + # Options are: + # 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday', + # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ScheduleDay + dataType: REG_DWORD + data: '8' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay + value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8' + default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0' + - + name: Disable randomizing scheduled task times + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: RandomizeScheduleTaskTimes + dataType: REG_DWORD 
+ data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes + value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False + default: $True # Default: True | Remove-MpPreference -Force -RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True + - + name: Disable scheduled full-scans + docs: + - https://web.archive.org/web/20240314122452/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanparameters + call: + # Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ScanParameters + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters + value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1' + default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1' + setDefaultOnWindows11: 'true' # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on 
Windows 11 + - + name: Minimize daily quick scan frequency + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: QuickScanInterval + dataType: REG_DWORD + data: '24' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable scanning after security intelligence (signature) update + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: DisableScanOnUpdate + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Antimalware Scan Interface (AMSI) + docs: |- + This category contains scripts that disable various components of + the Antimalware Scan Interface (AMSI) in Windows. + + AMSI is a standard interface that allows applications and services to + integrate with antimalware products on Windows systems [1] [2] [3] [4] [5]. + It functions as an interception engine, enabling software to work with Defender + and other antivirus solutions to detect potentially malicious scripts and content [1] [2] [3] [5]. 
+ + Key features of AMSI include: + + - Scanning scripts and macros for malicious content before execution [1] [2] [3] [5] + - Providing an additional layer of security against script-based attacks [1] [2] [3] [5] + - Allowing different antivirus vendors to conduct scanning operations [1] [3] [4] [5] + + Disabling AMSI components may enhance privacy by: + + - Reducing the amount of data collected and analyzed by antimalware services + [1] [3] [5] + - Limiting the sharing of potentially sensitive information with security + providers [1] [2] [3] [4] [5] + + It may also improve system performance by: + + - Reducing script scanning overhead [5] + - Decreasing background scanning activities + + However, disabling AMSI carries significant security risks: + + - Reduced protection against malicious scripts, including PowerShell commands and + Microsoft Office macros [1] [2] [3] [5] + - Weakened ability to detect and prevent malware, especially obfuscated threats [2] [3] [5] + - Increased vulnerability to script-based attacks and potentially harmful software gaining + control over the system + + > **Caution:** + > Disabling AMSI components may significantly reduce your system's security. + > It weakens defenses against malware and script-based threats, potentially exposing your system + > to various security risks. 
+ + [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240828134325/https://blog.f-secure.com/hunting-for-amsi-bypasses/ "Hunting for AMSI bypasses - F-Secure Blog | blog.f-secure.com" + [3]: https://web.archive.org/web/20240828115324/https://redcanary.com/blog/threat-detection/better-know-a-data-source/amsi/ "Better know a data source: Antimalware Scan Interface | redcanary.com" + [4]: https://web.archive.org/web/20240828115433/https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371 "More about AMSI integration with Exchange Server - Microsoft Community Hub | techcommunity.microsoft.com" + [5]: https://web.archive.org/web/20240828115459/https://pentestlaboratories.com/2021/06/01/threat-hunting-amsi-bypasses/ "Threat Hunting AMSI Bypasses | Pentest Laboratories" + children: + - + name: Disable Defender AMSI provider + docs: |- + This script disables the Antimalware Scan Interface (AMSI) provider for Defender. + + The AMSI provider is part of the **Antimalware Scan Interface (AMSI)** [1] [2]. + AMSI adds security against malicious scripts in Windows [2]. + It enables various antivirus programs to scan for script-based attacks [2]. + AMSI provides interface to integrate antimalware modules [1] [3]. + + By default, Defender uses AMSI to block potentially harmful PowerShell scripts, JavaScript, and + VBA macros [2]. + Windows registers an AMSI provider for **Defender Antivirus** to enable this functionality [1] [2] [4] [5]. + + The main file for the AMSI provider is `MpOav.dll` [1] [3] [6] [7]. 
+ This file: + - Collects Defender's health data and logs [8] + - Decides about content from applications [3] + - May inject itself into other processes [8] + - Scans system memory [3] + + Disabling the Defender AMSI provider may enhance your privacy by limiting the data Defender collects and analyzes. + It may also improve system performance by reducing script scanning overhead. + + > **Caution:** + > This script may reduce your security by disabling a protection mechanism against malicious scripts. + + ### Technical Details + + This script removes the following components: + + - COM objects: + - `MpOav.dll` COM class (CLSID: `{2781761E-28E0-4109-99FE-B9D127C57AFE}`) [3] [4] [5] [6] + - Outdated `MpOav.dll` COM class (CLSID: `2781761E-28E1-4109-99FE-B9D127C57AFE`) [7] + - AMSI provider registration at `HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}` [2] [3] [6] + - `MpOav.dll` File: + - Current location: `%PROGRAMFILES%\Windows Defender\MpOav.dll` [4] [6]. + - According to tests, this file exists on Windows 10 (≥ 22H2) and Windows 11 (≥ 23H2). 
+ - Previous locations (no longer used in modern Windows versions and not targeted by this script): + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpOav.dll` [1] [3] [9] + - `%PROGRAMFILES%\Microsoft Security Client\MpOAv.dll` [7] + - Internet Explorer Related Entries: + - Current registration: `HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}` [5] [10] + - Legacy associations: + - `HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE}` [7] + - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2781761E-28E1-4109-99FE-B9D127C57AFE}` [7] + + [1]: https://web.archive.org/web/20240828115433/https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371 "More about AMSI integration with Exchange Server - Microsoft Community Hub | techcommunity.microsoft.com" + [2]: https://web.archive.org/web/20240828115459/https://pentestlaboratories.com/2021/06/01/threat-hunting-amsi-bypasses/ "Threat Hunting AMSI Bypasses | Pentest Laboratories" + [3]: https://web.archive.org/web/20240828115324/https://redcanary.com/blog/threat-detection/better-know-a-data-source/amsi/ "Better know a data source: Antimalware Scan Interface | redcanary.com" + [4]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [5]: https://web.archive.org/web/20240830100517/https://skanthak.hier-im-netz.de/offender.html "Vulnerabilities Introduced by Windows Defender | skanthak.hier-im-netz.de" + [6]: 
https://web.archive.org/web/20240828115241/https://strontic.github.io/xcyclopedia/library/clsid_2781761E-28E0-4109-99FE-B9D127C57AFE.html "CLSID 2781761E-28E0-4109-99FE-B9D127C57AFE | Windows Defender IOfficeAntiVirus implementation | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20240831103818/https://serverfault.com/questions/643718/acrobat-reader-xi-addon-gets-disabled-periodically-in-internet-explorer-within-w/666205#666205 "Acrobat Reader XI addon gets disabled periodically in Internet Explorer within Windows domain - Server Fault | serverfault.com" + [8]: https://web.archive.org/web/20240828115306/https://dexpacks.lakesidesoftware.com/articles/troubleshooting/Defender-s-MpOav-dll-Injects-Itself-into-SysTrack-Processes-1632490263859 "Defender's MpOav.dll Injects Itself into SysTrack Processes | Lakeside Software Customer Gateway | Lakeside Software, LLC | dexpacks.lakesidesoftware.com" + [9]: https://web.archive.org/web/20240828115310/https://www.file.net/process/mpoav.dll.html "MpOav.dll Windows process - What is it? 
| www.file.net" + [10]: https://web.archive.org/web/20240830100359/https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/dn301826(v=vs.85) "IExtensionValidation interface (Windows) | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpOav.dll' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... 
+ # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # Unable to test, but usually files in this folder requires TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 23H2) + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2781761E-28E1-4109-99FE-B9D127C57AFE} + - + name: Disable Defender UAC AMSI provider + docs: |- + This script disables the Defender UAC (User Account Control) AMSI (Antimalware Scan Interface) provider. + + The UAC AMSI provider allows Defender to scan and analyze UAC elevation requests for potential security + threats [1]. + UAC manages the elevation of privileges for executables, COM objects, MSI packages, + and ActiveX installations [1]. + UAC elevation on Windows is a security feature that asks for permission before allowing + changes that could affect the system's operation. + + Disabling this provider may enhance privacy by reducing the amount of data scanned and analyzed + during UAC elevation requests. + It may also improve system performance by removing this security check. + However, disabling this component may reduce your system's ability to detect and prevent malware exploiting UAC elevation. 
+ + > **Caution:** + > This script may reduce your computer's security by disabling a feature that helps prevent + > harmful software from gaining more control over your system. + + ### Technical Details + + This script targets the **Windows Defender IAmsiUacProvider** implementation [2] [3]. + This provider integrates with the `WinDefend` service [3] [4] [5]. + The `WinDefend` service runs `MpSvc.dll` [6], which utilizes this component as a UAC provider [5]. + + The script removes the application COM registration for CLSID and AppID + `2781761E-28E2-4109-99FE-B9D127C57AFE` [2] [4] [7] by deleting the following registry keys: + + - `HKLM\Software\Classes\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [3] [7] + - `HKLM\Software\Classes\Wow6432Node\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [7] + - `HKLM\Software\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [3] [7] + - `HKLM\Software\Classes\Wow6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [7] + + It also removes the UacProviders registration under: + `HKLM\Software\Microsoft\AMSI\UacProviders\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [5] [7]. 
+ + [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240829090059/https://strontic.github.io/xcyclopedia/library/clsid_2781761E-28E2-4109-99FE-B9D127C57AFE.html "CLSID 2781761E-28E2-4109-99FE-B9D127C57AFE | Windows Defender IAmsiUacProvider implementation | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [4]: https://web.archive.org/web/20240829090053/https://github.com/privacysexy-forks/juicy-potato/blob/master/CLSID/Windows_10_Enterprise/README.md "juicy-potato/CLSID/Windows_10_Enterprise/README.md at master · privacysexy-forks/juicy-potato | github.com" + [5]: https://web.archive.org/web/20240917123620/https://raw.githubusercontent.com/privacysexy-forks/10_0_22622_601/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings "10_0_22622_601/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [6]: https://web.archive.org/web/20240829090503/https://www.shouldiblockit.com/mpsvc.dll-cf318f60a84f15af352439465a8d05f4.aspx "MpSvc.dll - Should I Block It? 
(MD5 cf318f60a84f15af352439465a8d05f4) | www.shouldiblockit.com" + [7]: https://web.archive.org/web/20240829090236/https://www.bleepingcomputer.com/forums/t/655746/windows-10-has-been-infected-and-i-need-help-please/ "Windows 10 has been infected and i need help, please! - Am I infected? What do I do? | www.bleepingcomputer.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Microsoft\AMSI\UacProviders\{2781761E-28E2-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\Wow6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\Wow6432Node\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + name: Disable Antimalware Scan Interface (AMSI) for current user + docs: |- + This script disables the Antimalware Scan Interface (AMSI) for the current user, preventing + the integration of applications and services with antimalware products. 
+ + AMSI is a standard interface that integrates applications and services with antimalware products + on Windows machines [1]. + It helps detect potentially malicious scripts, such as harmful PowerShell commands or Microsoft + Office macros, even if they are obfuscated [2]. + + When AMSI is enabled, antivirus programs can scan scripts before they run [2]. + If a known malicious pattern is detected, the script may be blocked [2]. + + Disabling AMSI may enhance privacy by limiting data shared with antimalware services. + It may also boost system performance by reducing background scanning activities. + + However, disabling AMSI poses significant security risks: + + 1. Reduced protection from script-based attacks + 2. Weakened detection of malicious macros + 3. Increased vulnerability to obfuscated malware + + > **Caution:** + > Disabling AMSI weakens your defense against malware and script-based threats. + + ### Technical Details + + This script modifies the Windows Registry by setting the `AmsiEnable` value to `0` + under the `HKCU\Software\Microsoft\Windows Script\Settings` key [2] [3] [4]. 
+ + [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240828134325/https://blog.f-secure.com/hunting-for-amsi-bypasses/ "Hunting for AMSI bypasses - F-Secure Blog | blog.f-secure.com" + [3]: https://web.archive.org/web/20240828134331/https://redcanary.com/threat-detection-report/techniques/modify-registry// "Modify Registry - Red Canary Threat Detection Report | redcanary.com" + [4]: https://web.archive.org/web/20240828134538/https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/ "Macros and More with SharpShooter v2.0 - MDSec | www.mdsec.co.uk" + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Windows Script\Settings + valueName: AmsiEnable + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender Antivirus remote management + docs: |- + This category contains scripts to disable remote management capabilities of Defender Antivirus. + + Remote management allows administrators or management systems to control Defender settings and receive information remotely. + This includes applying configurations, running scans, and collecting device security data. + + Disabling remote management enhances your privacy by: + + - Preventing remote access to your Defender settings and data. + - Reducing the amount of information shared with management systems. + - Giving you more control over your local security settings. + + It also increases your security by: + + - Reducing potential attack surface for remote exploits. + - Preventing unauthorized changes to your Defender settings. + + It can also boost system performance by removing associated components. 
+ + However, disabling remote management can interfere with organizational settings and potentially reduce security by: + + - Preventing automatic application of security policies. + - Limiting the ability of IT administrators to manage and monitor security across devices. + - Potentially missing important security updates or configurations. + + > **Caution**: + > Disabling Defender remote management may violate organizational policies and impair the IT department's + > ability to protect and manage your device. + children: + - + name: Disable Defender Antivirus remote configuration + recommend: strict # No clear security benefits, potential risks for personal use + docs: |- + This script disables Windows Defender's ability to receive remote configurations. + + Windows Defender Management uses this feature to remotely control Defender's behavior [1]. + It uses a Configuration Service Provider (CSP) as an interface between the device's settings and + specified configurations [2]. + CSPs, like Group Policy client-side extensions, enable reading, setting, modifying, or deleting + settings for specific features [2]. + Mobile device management (MDM) service providers commonly use these CSPs [2]. + + Disabling this feature enhances privacy and user control by blocking remote modifications to your + Defender settings. + This action may also improve system performance by reducing background processes related to + checking and applying remote configurations. + + However, this action may reduce security by: + + - Preventing potentially important security updates from being applied automatically. + - Limiting the ability of IT administrators to manage Defender settings across devices. + + > **Caution:** + > Disabling this feature may make your computer less secure and reduce the ability of management + > systems to adjust security settings automatically. 
+ + ### Technical Details + + The script targets the COM registration for the CLSID `195B4D07-3DE2-4744-BBF2-D90121AE785B` [1] [3]. + This application registers the `DefenderCSP.dll` library [1] [3]. + This component is used by the Defender service (`MpSvc`) [4]. + The DLL file is located in the `%PROGRAMFILES%\Windows Defender` folder [1] [3]. + + This script performs a soft deletion of: + + - The COM registration for the CLSID (`195B4D07-3DE2-4744-BBF2-D90121AE785B`) [1] [3]. + - The `DefenderCSP.dll` file. + + For more information on related configurations and the full range of settings affected, see the official + Microsoft documentation on the Defender CSP [5]. + + [1]: https://web.archive.org/web/20240917101148/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-mdm_31bf3856ad364e35_10.0.22621.1_none_a3f646ff3d52d348.manifest#L14-L29 "nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-mdm_31bf3856ad364e35_10.0.22621.1_none_a3f646ff3d52d348.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · colorsci/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20240829084136/https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers "Configuration service providers for IT pros | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240829084308/https://strontic.github.io/xcyclopedia/library/clsid_195B4D07-3DE2-4744-BBF2-D90121AE785B.html "CLSID 195B4D07-3DE2-4744-BBF2-D90121AE785B | Defender CSP | STRONTIC | strontic.github.io" + [4]: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpSvc.dll.strings#L6494 
"10_0_22000_1165/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpSvc.dll.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d · privacysexy-forks/10_0_22000_1165 | github.com" + [5]: https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp "Defender CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\DefenderCSP.dll' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... + # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + name: Disable Defender Antivirus remote commands + recommend: strict # No clear security benefits, potential risks for personal use + docs: |- + This script disables Defender's remote management capabilities. + + The script specifically targets a component known as the **Microsoft Security Client Antimalware Provider** [1]. + + This component allows PowerShell to manage Defender remotely, often through + **System Center Endpoint Protection (SCEP)** [2] [3] [4]. + + Disabling this component enhances your privacy by preventing remote access to your Defender settings and data. + It may also enhance system performance by reducing background processes associated with remote management. 
+ However, it may decrease security in managed environments by limiting remote management of your system's security settings. + + > **Caution:** This action may reduce security on work or school computers and other managed devices. + + ### Technical Details + + The script disables these components: + + - The `MpProvider.dll` file located at `%PROGRAMFILES%\Windows Defender\MpProvider.dll` [5]. + - **InfectionState WMI Provider** COM object with CLSID `361290c0-cb1b-49ae-9f3e-ba1cbe5dab35` [5] [6]. + - **Status WMI Provider** COM object with CLSID `8a696d12-576b-422e-9712-01b9dd84b446` [5] [7]. + - **AMMonitoring WMI Provider** COM object with CLSID `DACA056E-216A-4FD1-84A6-C306A017ECEC` [5] [8]. + + These components are part of the Windows Defender Management package [5]. + + [1]: https://web.archive.org/web/20240829150549/https://systemexplorer.net/file-database/file/mpprovider-dll "What is mpprovider.dll ? | System Explorer | systemexplorer.net" + [2]: https://web.archive.org/web/20240829150629/https://learn.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical "Assessment checks for endpoint detection and response - Microsoft Defender for Cloud | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240829150639/https://www.verboon.info/2014/04/managing-windows-defender-system-center-endpoint-security-with-powershell/ "Managing Windows Defender / System Center Endpoint Security with PowerShell – Anything about IT | www.verboon.info" + [4]: https://web.archive.org/web/20240829150603/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection-client-faq "Endpoint Protection client frequently asked questions - Configuration Manager | Microsoft Learn | learn.microsoft.com" + [5]: 
https://web.archive.org/web/20240829150445/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-v1_31bf3856ad364e35_10.0.22621.1_none_7c3b5e29fc07cee1.manifest#L96-L104 "nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-v1_31bf3856ad364e35_10.0.22621.1_none_7c3b5e29fc07cee1.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [6]: https://web.archive.org/web/20240829150513/https://strontic.github.io/xcyclopedia/library/clsid_361290c0-cb1b-49ae-9f3e-ba1cbe5dab35.html "CLSID 361290c0-cb1b-49ae-9f3e-ba1cbe5dab35 | InfectionState WMI Provider | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20240829180050/https://strontic.github.io/xcyclopedia/library/clsid_8a696d12-576b-422e-9712-01b9dd84b446.html "CLSID 8a696d12-576b-422e-9712-01b9dd84b446 | Status WMI Provider | STRONTIC | strontic.github.io" + [8]: https://web.archive.org/web/20240829180219/https://strontic.github.io/xcyclopedia/library/clsid_DACA056E-216A-4FD1-84A6-C306A017ECEC.html "CLSID DACA056E-216A-4FD1-84A6-C306A017ECEC | AMMonitoring WMI Provider | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) 
+ keyPath: HKLM\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpProvider.dll' + # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + name: Disable Defender Antivirus WMI management + recommend: null # Impacts local management + docs: |- + This script disables Defender's ability to be managed through Windows Management Instrumentation (WMI). + + WMI enables the management and automation of tasks on Windows computers [1]. + WMI is primarily used for remote management and monitoring but it can also operate locally [1]. + + Disabling Defender's WMI management enhances privacy by preventing unauthorized remote modifications + to Defender settings. + It may also improve system performance by reducing background processes related to WMI management. + + However, this change comes with trade-offs: + + - It may disrupt local management scripts on your computer [1]. + - It can impact computers managed by enterprise software such as **System Center Operations Manager** + or **Windows Remote Management** [1]. + - It may reduce security by limiting the ability to manage Defender remotely in enterprise environments. + + > **Caution:** + > This script may interfere with system management tools and potentially reduce security in enterprise environments. 
+ + ### Technical Details + + This script removes specific components of the `Windows-Defender-Management-Onecore` package [2]: + + - File `%PROGRAMFILES%\Windows Defender\ProtectionManagement.dll` [2] [3] + - COM class **Windows Defender WMI Provider** (CLSID: `A7C452EF-8E9F-42EB-9F2B-245613CA0DC9`) [2] [3] + + [1]: https://web.archive.org/web/20240830103531/https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page "Windows Management Instrumentation - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240830103651/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-onecore_31bf3856ad364e35_10.0.22621.1_none_35c9afe78c9d9fdd.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-onecore_31bf3856ad364e35_10.0.22621.1_none_35c9afe78c9d9fdd.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [3]: https://web.archive.org/web/20240830103709/https://strontic.github.io/xcyclopedia/library/clsid_A7C452EF-8E9F-42EB-9F2B-245613CA0DC9.html "CLSID A7C452EF-8E9F-42EB-9F2B-245613CA0DC9 | Windows Defender WMI Provider | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\ProtectionManagement.dll' + # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 
11 Pro (≥ 23H2) + - + name: Disable Microsoft Security Client Policy Configuration Tool + recommend: null # Impacts local management + docs: |- # TODO: Archive + This script disables the `ConfigSecurityPolicy.exe` process. + + This process is also known as **Microsoft Security Client Policy Configuration Tool** [1] [2] [3] [4] [5] [6]. + It was formerly known as **Microsoft Security Client Policy Configure** [7]. + + This tool is part of **Defender Antivirus** [3] [8] [9], **Defender for Endpoint** [1] [2] and the **Security Configuration Engine** [5]. + The **Security Configuration Engine** handles security configuration requests on Windows [10]. + The engine functions as an extension of the **Local Group Policy Editor** for security settings [10]. + + It is used for managing security policies and settings [3] [4] [5] [8] [9] [11] [12]. + These settings include user account control, password policies, audit policies, and other security-related settings [11]. + + The tool allows remote management over the Internet [3] [5] [13] through: + + - **Configuration Manager** [4] [8] + - **Microsoft Intune** [4] [8] + - **System Center Endpoint Protection** [12] + + It tracks and logs the status of policy enforcement [9], which may expose system data. + + This script improves your privacy by: + + - Preventing automatic policy updates from Microsoft servers + - Reducing data collection and communication with Microsoft services + - Limiting remote management capabilities that may be used to monitor system behavior + + This script also improves your security by removing a potential attack target. 
+ Malicious actors may exploit this tool to: + + - Download harmful software [3] [5] + - Extract sensitive data [3] [5] + - Execute unauthorized code [5] + - Disable security features [5] + + This script may improve system performance by: + + - Reducing background processes + - Decreasing startup time + - Lowering system resource usage + + However, disabling this tool presents the following security risks: + + - May prevent automatic security policy updates + - May leave the system vulnerable to threats that could be blocked by updated policies + - May prevent administrators from managing security settings in work or school environments, potentially violating organizational policies + + > **Caution**: + > Disabling this tool may reduce protection against malware and other security threats. + + ### Technical Details + + File locations: + + - Modern Windows: `%PROGRAMFILES%\Windows Defender\ConfigSecurityPolicy.exe` [1] [13] + - Older versions: + - `%PROGRAMFILES%\Microsoft Security Client\ConfigSecurityPolicy.exe` [1] [7] [8] + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\ConfigSecurityPolicy.exe` [3] [13] + + [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [3]: https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/ "Configsecuritypolicy | LOLBAS | lolbas-project.github.io" + [4]: https://learn.microsoft.com/en-us/mem/configmgr/hotfix/2309/25858444 "Update rollup for Microsoft Configuration Manager version 2309 - Configuration Manager | Microsoft Learn | 
learn.microsoft.com" + [5]: https://www.manageengine.com/log-management/correlation-rules/suspicious-execution-configsecuritypolicy.html "Suspicious Execution of ConfigSecurityPolicy | www.manageengine.com" + [6]: https://strontic.github.io/xcyclopedia/library/ConfigSecurityPolicy.exe-F5C7871AE44E7EFF31C44EBEBDF60A5D.html "ConfigSecurityPolicy.exe | Microsoft Security Client Policy Configuration Tool | STRONTIC | strontic.github.io" + [7]: https://systemexplorer.net/file-database/file/configsecuritypolicy-exe "What is configsecuritypolicy.exe ? | System Explorer | systemexplorer.net" + [8]: https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client "Configure Endpoint Protection on a standalone client - Configuration Manager | Microsoft Learn | learn.microsoft.com" + [9]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-management-v1_31bf3856ad364e35_10.0.22621.1_none_7c3b5e29fc07cee1/ConfigSecurityPolicy.exe.strings "10_0_22622_601/C/Windows/WinSxS/amd64_windows-defender-management-v1_31bf3856ad364e35_10.0.22621.1_none_7c3b5e29fc07cee1/ConfigSecurityPolicy.exe.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [10]: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/security-policy-settings "Security policy settings - Windows 10 | Microsoft Learn | learn.microsoft.com" + [11]: https://spyshelter.com/exe/microsoft-windows-configsecuritypolicy-exe "What is ConfigSecurityPolicy.exe (Microsoft Security Client Policy Configuration Tool)? 
4 reasons to/NOT trust it | spyshelter.com" + [12]: https://www.verboon.info/2013/03/how-to-install-system-center-2012-endpoint-protection-on-a-standalone-client/ "How to install System Center 2012 Endpoint Protection on a standalone client – Anything about IT | www.verboon.info" + [13]: https://inflight.dope.security/dope.console/dope.swg-policy/default-bypass-list "Default Bypass List | dope.security documentation | inflight.dope.security" + call: + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: ConfigSecurityPolicy.exe + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\ConfigSecurityPolicy.exe' + # grantPermissions: 'true' # ❌ Does not work on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) + - + name: Disable Defender Antivirus "Microsoft Endpoint DLP command-line utility" process + docs: |- # TODO: Archive + This script disables the `MpDlpCmd.exe` process. + + The executable `MpDlpCmd.exe` is the **Microsoft Endpoint DLP command-line utility** [1] [2] [3] [6]. + The process is part of **Defender Antivirus** [1] [5] [6] and **Defender for Endpoint** [2] [4]. + + It offers Data Loss Prevention (DLP) features [6]. + DLP is designed to prevent unauthorized sharing or leakage of sensitive data [7]. 
+ + The utility: + + - Monitors and controls data sharing within an organization [9] + - Blocks file operations and requires users to justify their actions based on security policies [5] + - Logs user activity [5] and communicates with Microsoft servers [5] [8] + + This script improves your privacy by: + + - Preventing Microsoft from monitoring your file operations + - Stopping automated data collection about your file usage + - Reducing background network communication + - Preventing logging of your data and actions + + This script may also enhance system performance by: + + - Removing a constantly running background process + - Reducing system resource usage during file operations + - Decreasing startup time + + If your organization relies on DLP policies, disabling this tool will reduce security by: + + - Sensitive data may be shared without oversight + - Security policies for file handling may not be enforced + - Data breach prevention capabilities may be limited + + > **Caution**: Disabling this feature may reduce protection against unauthorized data sharing and increase the risk of data leaks. + + ### Technical Details + + `MpDlpCmd.exe` is a command-line tool that may display dialogs or notifications [6]. + It is loaded by `SvcHost.exe` as a Windows service [9] and loads `MpClient.dll` [9]. + + It is located at: + + - `%PROGRAMFILES%\Windows Defender\MpDlpCmd.exe` on Windows 10 or Windows Server 2019 and above [2] [5]. + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpDlpCmd.exe` on older versions of Windows [3] + + Tests show this file exists starting from Windows 11 version 23H2, but not on Windows 10 version 22H2 and later. 
+ + [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [3]: https://strontic.github.io/xcyclopedia/library/MpDlpCmd.exe-DB96C707FEBDFE8B5F6F11C2DD78073C.html "MpDlpCmd.exe | Microsoft Malware Protection DLP Command Line Utility | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20230905160547/https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268 "Microsoft Defender Endpoint (MDE) for SAP Applications on Windows Server | techcommunity.microsoft.com" + [5]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [6]: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpDlpCmd.exe.strings "10_0_22000_1165/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpDlpCmd.exe.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d · WinDLLsExports/10_0_22000_1165 | github.com" + [7]: 
https://www.microsoft.com/en-us/security/business/security-101/what-is-data-loss-prevention-dlp "Microsoft Purview Data Loss Prevention | Microsoft Security | www.microsoft.com" + [8]: https://inflight.dope.security/dope.console/dope.swg-policy/default-bypass-list "Default Bypass List | dope.security documentation | inflight.dope.security" + [9]: https://s.itho.me/ccms_slides/2023/5/24/c1633689-1c8f-4871-a1a9-2923fd92348d.pdf "Hack The Real Box | An Analysis of Multiple Campaigns by APT41’s Subgroup, Earth Longzhi | Hiroaki Hara and Ted L | Trend Micro | s.itho.me" + call: + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MpDlpCmd.exe + - + function: SoftDeleteFiles + parameters: + # Availability: 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpDlpCmd.exe' + minimumWindowsVersion: Windows11-21H2 + # grantPermissions: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ❌ Does not work on Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) + - + category: Disable Defender updates + children: + - + category: Disable Defender Security Intelligence (signature) updates children: - - name: Disable scan heuristics - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics + name: Disable forced security intelligence (signature) updates from Microsoft Update + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU call: function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableHeuristics + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: ForceUpdateFromMU dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and 
Windows 11 Pro (≥ 23H2) - - category: Disable intensive CPU usage during Defender scans - children: - - - name: Minimize CPU usage during scans - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanavgcpuloadfactor - call: - # Default: 50, minimum 1 - - - function: SetMpPreference - parameters: - property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor - value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1 - default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50 - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: AvgCPULoadFactor - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Minimize CPU usage during idle scans - docs: - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - call: - - - function: SetMpPreference - parameters: - property: DisableCpuThrottleOnIdleScans # Status: Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans - value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False - default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True - - - function: SetRegistryValue - parameters: - keyPath: 
HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableCpuThrottleOnIdleScans - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable scanning when not idle # Default OS setting - docs: - - https://web.archive.org/web/20231206191436/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled - call: - - - function: SetMpPreference - parameters: - property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled - value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True - default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: ScanOnlyIfIdle - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable scheduled anti-malware scanner (MRT) - docs: |- - This script disables the scheduled scans by the Malicious Software Removal Tool (MSRT) provided by Microsoft. - - Starting from version 5.39 in August 2016, MSRT sends a "Heartbeat Report" to Microsoft every time it runs [1]. This behavior occurs even if certain user - preferences like the Customer Experience Improvement Program (CEIP) are turned off or if "DiagTrack" is not on the computer [1]. 
A record of this "Successfully - Submitted Heartbeat Report" can be checked in the MRT log, found at `%windir%\debug\mrt.log` [1]. - - By using this script, users enhance their privacy by preventing such automatic data transmissions to Microsoft. - - [1]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" + name: Disable security intelligence (signature) updates when running on battery power + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery call: function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\MRT - valueName: DontOfferThroughWUAU + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: DisableScheduledSignatureUpdateOnBattery dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Minimize scanned areas - children: - - - name: Disable e-mail scanning # Disabled by default - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning - call: - - - function: SetMpPreference - parameters: - property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning - value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $False - default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force 
-DisableEmailScanning $True - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableEmailScanning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable script scanning - docs: - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning - call: - function: SetMpPreference - parameters: - property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning - value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True - # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected - default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False - - name: Disable reparse point scanning - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning + name: Disable startup check for latest virus and spyware security intelligence (signature) + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup call: function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableReparsePointScanning + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: UpdateOnStartUp dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable scanning mapped network drives 
during full scan - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableScanningMappedNetworkDrivesForFullScan - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan - value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False - default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True - - - name: Disable network file scanning + name: Disable catch-up security intelligence (signature) updates # default is one day docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdatecatchupinterval call: + # Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc - function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableScanningNetworkFiles + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: SignatureUpdateCatchupInterval dataType: REG_DWORD - data: '1' + data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: - property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles - value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True - default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False - - - name: Disable scanning packed executables - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisablePackedExeScanning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable scanning archive files - children: - - - name: Disable Defender archive file scanning - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning - # Managing with MpPreference module: - - 
https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableArchiveScanning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning - value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True - default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False - - - name: Minimize scanning depth of archive files - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: ArchiveMaxDepth - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Minimize file size for scanning archive files - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: ArchiveMaxSize - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property 
SignatureUpdateCatchupInterval + value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0' + default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1' - - name: Disable scanning removable drives + name: Minimize spyware security intelligence (signature) updates # default is one day, recommended is 7 days + # Maximize period when spyware security intelligence (signature) is considered up-to-dates docs: - # Disabled by default - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: ASSignatureDue + dataType: REG_DWORD + data: '4294967295' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Minimize virus security intelligence (signature) updates # default is one day, recommended is 7 days + # Maximize period when virus security intelligence (signature) is considered up-to-date + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue + - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: AVSignatureDue + dataType: REG_DWORD + data: '4294967295' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable security intelligence (signature) update on startup + docs: + 
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanningDisableRemovableDriveScanning + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine call: - function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableRemovableDriveScanning + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: DisableUpdateOnStartupWithoutEngine dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: - property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning - value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $False - default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True - - - category: Disable auto-scans - children: + property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine + value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True + default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False - - name: Disable 
scheduled scans + name: Disable automatic checks for security intelligence (signature) updates # Already disabled by default docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay - - https://web.archive.org/web/20240314122526/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanscheduleday + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturescheduleday call: - # Options are: - # 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday', - # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' + # Options: + # 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday' + # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default) - function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates valueName: ScheduleDay dataType: REG_DWORD data: '8' 
@@ -16887,871 +18903,1466 @@ actions: - function: SetMpPreference parameters: - property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay - value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8' - default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0' + property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay + value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8' + default: "'8'" # Default: 1 | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8' - - name: Disable randomizing scheduled task times + name: Minimize checks for security intelligence (signature) updates docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes + - https://web.archive.org/web/20240314122335/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval call: + # Valid values range from 1 (every hour) to 24 (once per day). 
+ # If not specified (0), parameter, Microsoft Defender checks at the default interval - function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender - valueName: RandomizeScheduleTaskTimes + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: SignatureUpdateInterval dataType: REG_DWORD - data: '0' + data: '24' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: - property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes - value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False - default: $True # Default: True | Remove-MpPreference -Force -RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True + property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval + value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24' + default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0' - - name: Disable scheduled full-scans - docs: - - https://web.archive.org/web/20240314122452/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanparameters - call: - # Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan' + category: Disable alternate definition updates + 
children: - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: ScanParameters - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + name: Disable definition updates via WSUS and Microsoft Malware Protection Center + docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: CheckAlternateHttpLocation + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SetMpPreference - parameters: - property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters - value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1' - default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1' - setDefaultOnWindows11: 'true' # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11 + name: Disable definition updates through both WSUS and Windows Update + docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: CheckAlternateDownloadLocation + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Minimize Defender updates to completed gradual release cycles + docs: + # Managing with MpPreference module: + - 
https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + call: + function: SetMpPreference + parameters: + # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) + property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease + value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True + default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease + - + name: Minimize Defender engine updates to completed release cycles + docs: + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + call: + function: SetMpPreference + parameters: + # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) + property: EngineUpdatesChannel # Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel + value: "'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad' + # Valid values: + # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' + # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' + default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel "'NotConfigured'" + - + name: Minimize Defender platform updates to completed release cycles + docs: + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + call: + function: SetMpPreference + parameters: + # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) + property: PlatformUpdatesChannel # Status: Get-MpPreference | Select-Object -Property 
PlatformUpdatesChannel + value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad' + # Valid values: + # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' + # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' + default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel "'NotConfigured'" + - + name: Minimize Defender definition updates to completed gradual release cycles + docs: + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + call: + # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) + function: SetMpPreference + parameters: + property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel + # Its former name was "SignaturesUpdatesChannel" + value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad' + # 0 = 'NotConfigured' (default), 'Beta', Preview' 'Broad', 'Staged' + # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' + default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'" + - + category: Disable Defender reporting + children: + - + name: Disable Windows Defender boot logging + docs: |- + This script disables **Defender Antivirus**'s boot-time logging. + + **Defender Antivirus** uses AutoLogger sessions [1]. + The **AutoLogger** event tracing session records events that occur early in the operating system boot process [2]. + Applications and device drivers can use the AutoLogger session to capture traces before the user logs in [2]. 
+ + Disabling these loggers reduces the data **Defender Antivirus** collects during system startup. + This may increase privacy by limiting the information gathered about your system's early boot process. + Disabling these boot-time loggers may improve startup performance by reducing logging overhead during boot. + + However, this script may have security implications: + + - **Reduced threat detection:** + Disabling these boot loggers may limit **Defender Antivirus**'s ability to detect and respond to early-stage + malware or threats that activate during system startup. + - **Decreased diagnostic capabilities:** + These boot logs can be useful for troubleshooting system issues. + Disabling them may make it more difficult to diagnose certain problems if they occur. + + > **Caution**: This action may reduce malware detection during system startup, potentially increasing security risks. + + ### Technical Details + + Defender registers: + + - `DefenderApiLogger` with GUID `6B4012D0-22B6-464D-A553-20E9618403A2` [1] + - `DefenderAuditLogger` with GUID `6B4012D0-22B6-464D-A553-20E9618403A1` [1] + + This script configures: + + - `HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger!Start` [1] + - `HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger!Start` [1] + + [1]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20231027164510/https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session "Configuring and Starting an AutoLogger Session - Win32 apps | Microsoft 
Learn | learn.microsoft.com" + call: - - name: Minimize daily quick scan frequency - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: QuickScanInterval - dataType: REG_DWORD - data: '24' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + function: SetRegistryValue + parameters: + keyPath: HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger + valueName: Start + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - name: Disable scanning after security intelligence (signature) update - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: DisableScanOnUpdate - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + function: SetRegistryValue + parameters: + keyPath: HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger + valueName: Start + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + name: Disable Defender ETW provider (Windows Event Logs) + docs: + - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ + - https://web.archive.org/web/20240314124054/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide + call: + - + function: SetRegistryValue + parameters: + keyPath: 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational + valueName: Enabled + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC + valueName: Enabled + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - category: Disable Antimalware Scan Interface (AMSI) + name: Minimize Windows software trace preprocessor (WPP Software Tracing) + docs: + - https://web.archive.org/web/20240314123926/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting + valueName: WppTracingLevel + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender services and drivers + # Windows Defender services are protected, requiring escalated methods to disable them: + # 1. Try `DisableService` first, as this is the standard method recommended for disabling services. + # 2. Try `DisableServiceInRegistry` if the first attempt fails due to access errors. + # 3. Try `DisableServiceInRegistry` with `elevateToTrustedInstaller` option as last effort. 
+ children: + # Exclusions: + # - `wdnsfltr`: (Windows Defender Network Stream Filter Driver) It's Windows 1709 only + # - `MpFilter`: (Microsoft antimalware file system filter driver) Does not exists on modern Windows (10 ≥ 22H2 and 11 ≥ 23H2) + - + category: Disable Defender Antivirus service docs: |- - This category contains scripts that disable various components of - the Antimalware Scan Interface (AMSI) in Windows. + This category disables the Defender Antivirus service and its related components. - AMSI is a standard interface that allows applications and services to - integrate with antimalware products on Windows systems [1] [2] [3] [4] [5]. - It functions as an interception engine, enabling software to work with Defender - and other antivirus solutions to detect potentially malicious scripts and content [1] [2] [3] [5]. - - Key features of AMSI include: - - - Scanning scripts and macros for malicious content before execution [1] [2] [3] [5] - - Providing an additional layer of security against script-based attacks [1] [2] [3] [5] - - Allowing different antivirus vendors to conduct scanning operations [1] [3] [4] [5] - - Disabling AMSI components may enhance privacy by: - - - Reducing the amount of data collected and analyzed by antimalware services - [1] [3] [5] - - Limiting the sharing of potentially sensitive information with security - providers [1] [2] [3] [4] [5] + This service is also referred to as **Microsoft Defender Antivirus Service** [1] [2] and **Windows Defender Service** [2]. + It is a core component of Microsoft Defender Antivirus, essential for its operation [1] [3]. - It may also improve system performance by: + Using these scripts offers two benefits: - - Reducing script scanning overhead [5] - - Decreasing background scanning activities + - **Enhanced Privacy:** Limits Microsoft's data collection on your files and system activity. + - **Improved Performance:** Reduces system resource usage by limiting background processes and scans. 
- However, disabling AMSI carries significant security risks: + However, disabling these components may reduce your system's security: - - Reduced protection against malicious scripts, including PowerShell commands and - Microsoft Office macros [1] [2] [3] [5] - - Weakened ability to detect and prevent malware, especially obfuscated threats [2] [3] [5] - - Increased vulnerability to script-based attacks and potentially harmful software gaining - control over the system + - No immediate alerts when malware or viruses are detected. + - Weakened defense against ransomware and other cyber threats. + - Increased vulnerability to emerging security threats. + - Some Windows security features may stop working. - > **Caution:** - > Disabling AMSI components may significantly reduce your system's security. - > It weakens defenses against malware and script-based threats, potentially exposing your system - > to various security risks. + > **Caution:** Disabling Microsoft Defender Antivirus may expose your system to malware and other security threats. 
- [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240828134325/https://blog.f-secure.com/hunting-for-amsi-bypasses/ "Hunting for AMSI bypasses - F-Secure Blog | blog.f-secure.com" - [3]: https://web.archive.org/web/20240828115324/https://redcanary.com/blog/threat-detection/better-know-a-data-source/amsi/ "Better know a data source: Antimalware Scan Interface | redcanary.com" - [4]: https://web.archive.org/web/20240828115433/https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371 "More about AMSI integration with Exchange Server - Microsoft Community Hub | techcommunity.microsoft.com" - [5]: https://web.archive.org/web/20240828115459/https://pentestlaboratories.com/2021/06/01/threat-hunting-amsi-bypasses/ "Threat Hunting AMSI Bypasses | Pentest Laboratories" + [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240609150337/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide "Microsoft Defender Antivirus on Windows Server - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240609145030/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide "Troubleshoot Microsoft Defender for Endpoint onboarding issues - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" children: - - name: Disable Defender AMSI provider + name: >- + Disable Defender Antivirus 
service + (breaks `Set-MpPreference` cmdlet) docs: |- - This script disables the Microsoft Defender Antimalware Scan Interface (AMSI) provider, - which is a component of Defender. - - The AMSI provider is part of the **Antimalware Scan Interface (AMSI)** [1] [2]. - AMSI adds security against malicious scripts in Windows [2]. - It allows different antivirus vendors to conduct scanning operations for script-based attacks [2]. - AMSI provides interface to integrate antimalware modules [1] [3]. - By default, Defender uses AMSI to block potentially harmful PowerShell scripts, JavaScript, and - VBA macros [2] - - The main file for the AMSI provider is `MpOav.dll` [1] [3] [4] [5]. - This file: - - Collects Defender's health data and logs [6] - - Decides about content from applications [3] - - May inject itself into other processes [6] - - Scans system memory [3] - - Disabling the AMSI provider may improve your privacy by reducing the amount of data - collected and analyzed by Defender. - It may also improve system performance by reducing script scanning overhead. + This script disables the **Microsoft Defender Antivirus Service** and its associated process (`MsMpEng.exe`). - > **Caution:** This script may reduce your security by disabling a protection mechanism against malicious scripts. + This service is known both as **Microsoft Defender Antivirus Service** [1] [2] and **Windows Defender Service** [2]. + It is the primary component of Defender Antivirus [2], essential for its functionality [1] [3]. - ### Technical Details + Disabling this service has the following benefits: - This script deletes: + - It enhances privacy by preventing Microsoft from collecting data about your system and files for malware analysis. + - It improves system performance by reducing background processes and resource usage. 
- - COM objects: - - `MpOav.dll` COM class (CLSID: `{2781761E-28E0-4109-99FE-B9D127C57AFE}`) [3] [4] [7] [8] - - Outdated `MpOav.dll` COM class (CLSID: `2781761E-28E1-4109-99FE-B9D127C57AFE`) [5] - - AMSI provider registration at `HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}` [2] [3] [4] - - `MpOav.dll` File: - - Current location: `%PROGRAMFILES%\Windows Defender\MpOav.dll` [4]. - According to tests, this file exists on Windows 10 (≥ 22H2) and Windows 11 (≥ 23H2). - - Previous locations (no longer used in modern Windows versions and not targeted by this script): - - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpOav.dll` [1] [3] [9] - - `%PROGRAMFILES%\Microsoft Security Client\MpOAv.dll` [5] - - Internet Explorer Related Entries: - - Current registration: `HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}` [8] [10] - - Legacy associations: - - `HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE}` [5] - - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2781761E-28E1-4109-99FE-B9D127C57AFE}` [5] + Disabling this service comes at a cost: - [1]: https://web.archive.org/web/20240828115433/https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371 "More about AMSI integration with Exchange Server - Microsoft Community Hub | techcommunity.microsoft.com" - [2]: https://web.archive.org/web/20240828115459/https://pentestlaboratories.com/2021/06/01/threat-hunting-amsi-bypasses/ "Threat Hunting AMSI Bypasses | Pentest Laboratories" - [3]: https://web.archive.org/web/20240828115324/https://redcanary.com/blog/threat-detection/better-know-a-data-source/amsi/ "Better know a data source: Antimalware Scan Interface | redcanary.com" - [4]: 
https://web.archive.org/web/20240828115241/https://strontic.github.io/xcyclopedia/library/clsid_2781761E-28E0-4109-99FE-B9D127C57AFE.html "CLSID 2781761E-28E0-4109-99FE-B9D127C57AFE | Windows Defender IOfficeAntiVirus implementation | STRONTIC | strontic.github.io" - [5]: https://web.archive.org/web/20240831103818/https://serverfault.com/questions/643718/acrobat-reader-xi-addon-gets-disabled-periodically-in-internet-explorer-within-w/666205#666205 "Acrobat Reader XI addon gets disabled periodically in Internet Explorer within Windows domain - Server Fault | serverfault.com" - [6]: https://web.archive.org/web/20240828115306/https://dexpacks.lakesidesoftware.com/articles/troubleshooting/Defender-s-MpOav-dll-Injects-Itself-into-SysTrack-Processes-1632490263859 "Defender's MpOav.dll Injects Itself into SysTrack Processes | Lakeside Software Customer Gateway | Lakeside Software, LLC | dexpacks.lakesidesoftware.com" - [7]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" - [8]: https://web.archive.org/web/20240830100517/https://skanthak.hier-im-netz.de/offender.html "Vulnerabilities Introduced by Windows Defender | skanthak.hier-im-netz.de" - [9]: https://web.archive.org/web/20240828115310/https://www.file.net/process/mpoav.dll.html "MpOav.dll Windows process - What is it? 
| www.file.net" - [10]: https://web.archive.org/web/20240830100359/https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/dn301826(v=vs.85) "IExtensionValidation interface (Windows) | Microsoft Learn | learn.microsoft.com" - call: - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE} - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE} - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE} - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - function: SoftDeleteFiles - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - fileGlob: '%PROGRAMFILES%\Windows Defender\MpOav.dll' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... 
- # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE} - elevateToTrustedInstaller: 'true' # Unable to test, but usually files in this folder requires TrustedInstaller - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE} - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 23H2) - keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2781761E-28E1-4109-99FE-B9D127C57AFE} - - - name: Disable Defender UAC AMSI provider - docs: |- - This script disables the Defender UAC (User Account Control) AMSI (Antimalware Scan Interface) provider. + - It reduces your system's security by removing real-time malware protection. + - It may also impair other Defender products, such as **Defender for Endpoint** [4]. + - It interrupts the functionality of the `Set-MpPreference` PowerShell cmdlet. + This cmdlet is used to configure Defender scans and updates [5]. - The UAC AMSI provider allows Defender to scan and analyze UAC elevation requests for potential security - threats [1]. - UAC manages the elevation of privileges for executables, COM objects, MSI packages, - and ActiveX installations [1]. - UAC elevation on Windows is a security feature that asks for permission before allowing - changes that could affect the system's operation. 
+ > **Caution:** Disabling this service reduces your computer's security against malware, may affect other protective + > features, and can prevent you from changing Defender settings. - Disabling this provider may enhance privacy by reducing the amount of data scanned and analyzed - during UAC elevation requests. - It may also improve system performance by removing this security check. - However, disabling this component may reduce your system's ability to detect and prevent malware exploiting UAC elevation. + ### Technical Details - > **Caution:** - > This script may reduce your computer's security by disabling a feature that helps prevent - > harmful software from gaining more control over your system. + This service runs the `MsMpEng.exe` executable [6] [7]. + This executable is also known as **Microsoft Defender Antivirus service executable** [4] or **Antimalware Service Executable** [1]. + It's located at: - ### Technical Details + - On modern Windows versions: + - `%PROGRAMFILES%\Windows Defender` [4] [6] [7] + - On older versions of Windows: + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MsMpEng.exe` [8] + - `%PROGRAMFILES%\Microsoft Security Client` on older versions [4]. - This script targets the **Windows Defender IAmsiUacProvider** implementation [2], - This provider integrates with the `WinDefend` service [3] [4] [5]. - The `WinDefend` service runs `MpSvc.dll` [6], which utilizes this component as a UAC provider [4]. + Attempting to use the `Set-MpPreference` cmdlet in PowerShell after disabling the service results in an error. 
+ Here's an example: - The script removes the application COM registration for CLSID and AppID - `2781761E-28E2-4109-99FE-B9D127C57AFE` [2] [3] [7] by deleting the following registry keys: + ``` + $ Set-MpPreference -Force -MAPSReporting 0 - - `HKLM\Software\Classes\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [5] [7] - - `HKLM\Software\Classes\Wow6432Node\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [7] - - `HKLM\Software\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [5] [7] - - `HKLM\Software\Classes\Wow6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [7] + Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. + Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference. + ``` - It also removes the UacProviders registration under: - `HKLM\Software\Microsoft\AMSI\UacProviders\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [4] [7]. + #### Overview of default service statuses - [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240829090059/https://strontic.github.io/xcyclopedia/library/clsid_2781761E-28E2-4109-99FE-B9D127C57AFE.html "CLSID 2781761E-28E2-4109-99FE-B9D127C57AFE | Windows Defender IAmsiUacProvider implementation | STRONTIC | strontic.github.io" - [3]: https://web.archive.org/web/20240829090053/https://github.com/privacysexy-forks/juicy-potato/blob/master/CLSID/Windows_10_Enterprise/README.md "juicy-potato/CLSID/Windows_10_Enterprise/README.md at master · privacysexy-forks/juicy-potato | github.com" - [4]: 
https://web.archive.org/web/20240917095611/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings#L9020 "10_0_22622_601/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" - [5]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" - [6]: https://web.archive.org/web/20240829090503/https://www.shouldiblockit.com/mpsvc.dll-cf318f60a84f15af352439465a8d05f4.aspx "MpSvc.dll - Should I Block It? (MD5 cf318f60a84f15af352439465a8d05f4) | www.shouldiblockit.com" - [7]: https://web.archive.org/web/20240829090236/https://www.bleepingcomputer.com/forums/t/655746/windows-10-has-been-infected-and-i-need-help-please/ "Windows 10 has been infected and i need help, please! - Am I infected? What do I do? 
| www.bleepingcomputer.com" + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | + | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + + [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240609150337/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide "Microsoft Defender Antivirus on Windows Server - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240609145030/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide "Troubleshoot Microsoft Defender for Endpoint onboarding issues - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [5]: https://web.archive.org/web/20240609150331/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ "Microsoft Defender Antivirus Service - Windows 10 Service - batcmd.com | batcmd.com" + [7]: https://web.archive.org/web/20240609144111/https://batcmd.com/windows/11/services/windefend/ "Microsoft Defender Antivirus Service - Windows 11 Service - batcmd.com | batcmd.com" + [8]: 
https://web.archive.org/web/20240925234238/https://answers.microsoft.com/en-us/windows/forum/all/is-this-the-normal-path-for-msmpengexe/5a369636-b3d0-432e-a16d-609a3ae5867e "Is this the normal path for MsMpEng.exe? - Microsoft Community | answers.microsoft.com" call: - - function: SoftDeleteRegistryKey - parameters: - # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Microsoft\AMSI\UacProviders\{2781761E-28E2-4109-99FE-B9D127C57AFE} - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - function: SoftDeleteRegistryKey + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + function: DisableServiceInRegistry parameters: - # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\Wow6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + serviceName: WinDefend # Check: (Get-Service -Name 'WinDefend').StartType + defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual + elevateToTrustedInstaller: 'true' - - function: SoftDeleteRegistryKey + function: SoftDeleteFiles parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' + # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 
since 22H2 + # grantPermissions: false # ❌ Does not work on Windows 10 22H2 and Windows 11 22H2 + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 11 23H2 | ✅ Works on Windows 10 22H2 - - function: SoftDeleteRegistryKey + function: TerminateAndBlockExecution parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\Wow6432Node\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + executableNameWithExtension: MsMpEng.exe - - name: Disable Antimalware Scan Interface (AMSI) for current user - docs: |- - This script disables the Antimalware Scan Interface (AMSI) for the current user, preventing - the integration of applications and services with antimalware products. - - AMSI is a standard interface that integrates applications and services with antimalware products - on Windows machines [1]. - It helps detect potentially malicious scripts, such as harmful PowerShell commands or Microsoft - Office macros, even if they are obfuscated [2]. + name: Disable Defender Antivirus service in Safe Mode + docs: |- # TODO: Archive + This script disables **Defender Antivirus** from running in Safe Mode. - When AMSI is enabled, antivirus programs can scan scripts before they run [2]. - If a known malicious pattern is detected, the script may be blocked [2]. + **Safe Mode** is also known as **Safe Boot** [1]. + It starts Windows in a limited state where only essential services and drivers are loaded [1]. + By default, the Defender Antivirus service is set to run in this mode [1] [2]. - Disabling AMSI may enhance privacy by limiting data shared with antimalware services. - It may also boost system performance by reducing background scanning activities. 
+ This script improves privacy by preventing Defender Antivirus from: - However, disabling AMSI poses significant security risks: + - Collecting system data + - Scanning files + - Sending telemetry data to Microsoft + + This also increases system speed in Safe Mode by reducing background processes and memory usage. - 1. Reduced protection from script-based attacks - 2. Weakened detection of malicious macros - 3. Increased vulnerability to obfuscated malware + However, running this script may compromise your security by leaving your system unprotected from malware and other threats, even in Safe Mode. - > **Caution:** - > Disabling AMSI weakens your defense against malware and script-based threats. + > **Caution**: + > This script removes protection against viruses and other threats in Safe Mode. ### Technical Details - This script modifies the Windows Registry by setting the `AmsiEnable` value to `0` - under the `HKCU\Software\Microsoft\Windows Script\Settings` key [2] [3] [4]. - - [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240828134325/https://blog.f-secure.com/hunting-for-amsi-bypasses/ "Hunting for AMSI bypasses - F-Secure Blog | blog.f-secure.com" - [3]: https://web.archive.org/web/20240828134331/https://redcanary.com/threat-detection-report/techniques/modify-registry// "Modify Registry - Red Canary Threat Detection Report | redcanary.com" - [4]: https://web.archive.org/web/20240828134538/https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/ "Macros and More with SharpShooter v2.0 - MDSec | www.mdsec.co.uk" - call: - function: SetRegistryValue - parameters: - keyPath: HKCU\Software\Microsoft\Windows Script\Settings - valueName: AmsiEnable - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since 
Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender remote management - docs: |- - This category contains scripts to disable remote management capabilities of Defender - - Remote management allows administrators or management systems to control Defender settings and receive information remotely. - This includes applying configurations, running scans, and collecting device security data. - - Disabling remote management enhances your privacy by: + The script deletes two registry keys: - - Preventing remote access to your Defender settings and data. - - Reducing the amount of information shared with management systems. - - Giving you more control over your local security settings. + - `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend` [2] + - `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinDefend` [2] - It also increases your security by: + These registry keys are created by the Windows Defender Service (`Windows-Defender-Service.Resources`) package + to enable antivirus functionality in Safe Mode [2]. - - Reducing potential attack surface for remote exploits. - - Preventing unauthorized changes to your Defender settings. 
+ [1]: https://support.microsoft.com/en-us/windows/windows-startup-settings-1af6ec8c-4d4a-4b23-adb7-e76eef0b847f "Windows startup settings - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinDefend + - + name: Disable Defender Antivirus service communication with apps + docs: |- # TODO: Archive + This script prevents **Defender Antivirus** from communicating with other applications. - It can also boost system performance by removing associated components. + The script blocks communication by removing components that allow Defender Antivirus to share data with other programs. + Windows enables applications to communicate and share data using *interprocess communications (IPC)* [1]. + This communication is achieved through the *Component Object Model (COM)* [1]. + COM enables software components to communicate with other components, including those not yet developed [1]. + Components interact as objects and clients [1], while Distributed COM expands this model across networks [1]. 
- However, disabling remote management can interfere with organizational settings and potentially reduce security by: + This script enhances privacy by limiting system monitoring and data collection. + It may also improve system performance by reducing background processes and resource usage. - - Preventing automatic application of security policies. - - Limiting the ability of IT administrators to manage and monitor security across devices. - - Potentially missing important security updates or configurations. + However, disabling these components may significantly reduce system security. + Without these components, your system becomes vulnerable to malware, ransomware, and other cyber attacks. - > **Caution**: - > Disabling Defender remote management may violate organizational policies and impair the IT department's - > ability to protect and manage your device. - children: - - - name: Disable Defender remote configuration - recommend: strict # No clear security benefits, potential risks for personal use - docs: |- - This script disables Windows Defender's ability to receive remote configurations. + > **Caution:** This action disables your antivirus protection, exposing your computer to viruses and other cyber threats. - Windows Defender Management uses this feature to remotely control Defender's behavior [1]. - It uses a Configuration Service Provider (CSP) as an interface between the device's settings and - specified configurations [2]. - CSPs, like Group Policy client-side extensions, enable reading, setting, modifying, or deleting - settings for specific features [2]. - Mobile device management (MDM) service providers commonly use these CSPs [2]. + ### Technical Details - Disabling this feature enhances privacy and user control by blocking remote modifications to your - Defender settings. - This action may also improve system performance by reducing background processes related to - checking and applying remote configurations. 
+ These components belong to **Defender Antivirus** and its main service [2]. + + The script disables the following components: + + - **Microsoft Windows Defender** COM application with CLSID `A2D75874-6750-4931-94C1-C99D3BC9D0C7` [2] [3] + and AppID `A79DB36D-6218-48e6-9EC9-DCBA9A39BF0F` [2] [3]. + It is component of Defender Antivirus (`WinDefend`) [2] [4]. + Its file is at `%PROGRAMFILES%\Windows Defender\MpAsDesc.dll` [2] [3]. + It also uses `MsMpCom.dll` for in-process COM servers [2] [3]. + - Microsoft Windows Defender COM Utility Type Library (`8C389764-F036-48F2-9AE2-88C260DCF43B`) [2] + - DLL files: + - `MpAsDesc.dll` located at `%PROGRAMFILES%\Windows Defender\MpAsDesc.dll` [2] [3] + Defender services like `WdNisDrv`, `WdBoot`, `WinDefend`, `WdNisSvc` all depends on this file [5]. + - `MsMpCom.dll` located at `%PROGRAMFILES%\Windows Defender\MsMpCom.dll` [2] [3] + - COM interfaces: + - `IMsMpComFactory` (`AC30C2BA-0109-403D-9D8E-140BB470379C`) [2] + - `IMsMpClientUtils` (`E2D74550-8E41-460E-BB51-52E1F9522134`) [2] + - `IMsMpSimpleConfig` (`CDFED399-7999-4309-B064-1EDE04BC580D`) [2] + + [1]: https://learn.microsoft.com/en-us/windows/win32/ipc/interprocess-communications "Interprocess communications - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [3]: https://web.archive.org/web/20240829212450/https://strontic.github.io/xcyclopedia/library/clsid_A2D75874-6750-4931-94C1-C99D3BC9D0C7.html "CLSID A2D75874-6750-4931-94C1-C99D3BC9D0C7 | Microsoft Windows Defender | STRONTIC | strontic.github.io" + 
[4]: https://web.archive.org/web/20240829212436/https://learn.microsoft.com/en-us/defender-endpoint/configure-server-endpoints#known-issues-and-limitations-in-the-new-unified-solution-package-for-windows-server-2016-and-windows-server-2012-r2 "Onboard Windows servers to the Microsoft Defender for Endpoint service - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240829212123/https://github.com/privacysexy-forks/SchoolNotes/blob/af823cecc159021e1a54fb5ca15d54ce35734ee9/ifs4102/Assignments/Assignment-2/a2system.txt "SchoolNotes/ifs4102/Assignments/Assignment-2/a2system.txt at af823cecc159021e1a54fb5ca15d54ce35734ee9 · privacysexy-forks/SchoolNotes | github.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\AppID\{A79DB36D-6218-48e6-9EC9-DCBA9A39BF0F} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteFiles # ❌ TrustedInstaller is not enough; requires safe mode or disabled protection + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpAsDesc.dll' + # grantPermissions: false # ❌ Cannot 
grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpCom.dll' + # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{AC30C2BA-0109-403D-9D8E-140BB470379C} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 21H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{E2D74550-8E41-460E-BB51-52E1F9522134} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 21H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{CDFED399-7999-4309-B064-1EDE04BC580D} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 21H2) + - + name: Disable Defender Antivirus service always-on state + docs: |- + This script ensures Windows stops the Defender Antivirus service when antivirus protection is disabled. - However, this action may reduce security by: + The **Microsoft Defender Antivirus service** was formerly called the **Antimalware Service** [1]. + This service is one of the core components of Defender Antivirus [1] [2]. 
+ This service raises privacy concerns because it sends files to Microsoft servers for analysis [2]. - - Preventing potentially important security updates from being applied automatically. - - Limiting the ability of IT administrators to manage Defender settings across devices. + By default, Windows stops this when antivirus features are disabled [3] [4] [5]. + This script enforces this default behavior to consistently and persistently. + This behavior is recommended by Microsoft [3] [4] [5]. - > **Caution:** - > Disabling this feature may make your computer less secure and reduce the ability of management - > systems to adjust security settings automatically. + This script enhances privacy by reducing potential security monitoring. + It may also improve system performance by freeing up resources when the antivirus is not in use. - ### Technical Details + ### Technical Details - The script targets the COM registration for the CLSID `195B4D07-3DE2-4744-BBF2-D90121AE785B` [1] [3]. - This application registers the `DefenderCSP.dll` library [1] [3]. - This component is used by the Defender service (`MpSvc`) [4]. - The DLL file is located in the `%PROGRAMFILES%\Windows Defender` folder [1] [3]. + After applying this script: - This script performs a soft deletion of: + - The Defender Antivirus service stops when both antivirus and antispyware protections are disabled [3] [4] [5]. + - If the computer restarts, the service restarts if set to automatic [3] [4] [5]. + - The system will then check if antivirus and antispyware security intelligence are enabled [3] [4] [5]. + - If at least one is enabled, the service will continue running [3] [4] [5]. + - If both are disabled, the service stops [3] [4] [5]. - - The COM registration for the CLSID (`195B4D07-3DE2-4744-BBF2-D90121AE785B`) [1] [3]. - - The `DefenderCSP.dll` file. 
+ This script sets the following registry keys to configure GPO: - For more information on related configurations and the full range of settings affected, see the official - Microsoft documentation on the Defender CSP [5]. + - `HKLM\Software\Policies\Microsoft\Windows Defender!ServiceKeepAlive` [3] [4] for modern versions of Windows + - `HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware!ServiceKeepAlive` [5] for older versions of Windows - [1]: https://web.archive.org/web/20240917101148/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-mdm_31bf3856ad364e35_10.0.22621.1_none_a3f646ff3d52d348.manifest#L14-L29 "nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-mdm_31bf3856ad364e35_10.0.22621.1_none_a3f646ff3d52d348.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · colorsci/nickel-x64 | github.com" - [2]: https://web.archive.org/web/20240829084136/https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers "Configuration service providers for IT pros | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20240829084308/https://strontic.github.io/xcyclopedia/library/clsid_195B4D07-3DE2-4744-BBF2-D90121AE785B.html "CLSID 195B4D07-3DE2-4744-BBF2-D90121AE785B | Defender CSP | STRONTIC | strontic.github.io" - [4]: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpSvc.dll.strings#L6494 "10_0_22000_1165/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpSvc.dll.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d · privacysexy-forks/10_0_22000_1165 | github.com" - [5]: 
https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp "Defender CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" - call: - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240609150337/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide "Microsoft Defender Antivirus on Windows Server - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#ux_configuration_notification_suppress "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240924234521/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive "Allow antimalware service to remain running always | admx.help" + [5]: https://web.archive.org/web/20240924234500/https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::system_center_endpoint_protection_servicekeepalive "Allow antimalware service to remain running always | admx.help" + call: + - + function: SetRegistryValue + parameters: + keyPath: 
HKLM\Software\Policies\Microsoft\Windows Defender + valueName: ServiceKeepAlive + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware + valueName: ServiceKeepAlive + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SoftDeleteFiles - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - fileGlob: '%PROGRAMFILES%\Windows Defender\DefenderCSP.dll' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... - # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - name: Disable Defender remote commands - recommend: strict # No clear security benefits, potential risks for personal use - docs: |- - This script disables Defender's remote management capabilities. - - The script specifically targets a component known as the **Microsoft Security Client Antimalware Provider** [1]. + name: Disable Defender Antivirus service high-priority startup + docs: |- + This script configures **Windows Defender Antivirus** to start with a lower priority. - This component allows PowerShell to manage Defender remotely, often through - **System Center Endpoint Protection (SCEP)** [2] [3] [4]. + By default, Windows runs the Defender Antivirus service (also called the **Antimalware Service** [1]) + with normal priority [2] [3] [4] [5]. + This script changes the startup priority to low [2] [3] [4] [5]. - Disabling this component enhances your privacy by preventing remote access to your Defender settings and data. 
- It may also enhance system performance by reducing background processes associated with remote management. - However, it may decrease security in managed environments by limiting remote management of your system's security settings. + This enhances privacy by reducing background scanning and potentially limiting data collection during Windows startup. + This may improve system performance by reducing resource usage for the antivirus during startup [2] [3] [4] [5]. - > **Caution:** This action may reduce security on work or school computers and other managed devices. + Lowering the priority may delay antivirus initialization, potentially leaving a brief window where the system is less protected. + However, MITRE, a leading cybersecurity organization, does not consider this a security vulnerability [5]. - ### Technical Details + > **Caution:** This action may delay antivirus protection initialization. - The script disables these components: + ### Technical Details - - The `MpProvider.dll` file located at `%PROGRAMFILES%\Windows Defender\MpProvider.dll` [5]. - - **InfectionState WMI Provider** COM object with CLSID `361290c0-cb1b-49ae-9f3e-ba1cbe5dab35` [5] [6]. - - **Status WMI Provider** COM object with CLSID `8a696d12-576b-422e-9712-01b9dd84b446` [5] [7]. - - **AMMonitoring WMI Provider** COM object with CLSID `DACA056E-216A-4FD1-84A6-C306A017ECEC` [5] [8]. + This script sets the following registry keys to configure Group Policy Objects (GPO): - These components are part of the Windows Defender Management package [5]. + - For recent Windows versions: `HKLM\Software\Policies\Microsoft\Windows Defender!AllowFastServiceStartup` [2] [4] + - For older Windows versions: `HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware!AllowFastServiceStartup` [3] - [1]: https://web.archive.org/web/20240829150549/https://systemexplorer.net/file-database/file/mpprovider-dll "What is mpprovider.dll ? 
| System Explorer | systemexplorer.net" - [2]: https://web.archive.org/web/20240829150629/https://learn.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical "Assessment checks for endpoint detection and response - Microsoft Defender for Cloud | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20240829150639/https://www.verboon.info/2014/04/managing-windows-defender-system-center-endpoint-security-with-powershell/ "Managing Windows Defender / System Center Endpoint Security with PowerShell – Anything about IT | www.verboon.info" - [4]: https://web.archive.org/web/20240829150603/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection-client-faq "Endpoint Protection client frequently asked questions - Configuration Manager | Microsoft Learn | learn.microsoft.com" - [5]: https://web.archive.org/web/20240829150445/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-v1_31bf3856ad364e35_10.0.22621.1_none_7c3b5e29fc07cee1.manifest#L96-L104 "nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-v1_31bf3856ad364e35_10.0.22621.1_none_7c3b5e29fc07cee1.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" - [6]: https://web.archive.org/web/20240829150513/https://strontic.github.io/xcyclopedia/library/clsid_361290c0-cb1b-49ae-9f3e-ba1cbe5dab35.html "CLSID 361290c0-cb1b-49ae-9f3e-ba1cbe5dab35 | InfectionState WMI Provider | STRONTIC | strontic.github.io" - [7]: https://web.archive.org/web/20240829180050/https://strontic.github.io/xcyclopedia/library/clsid_8a696d12-576b-422e-9712-01b9dd84b446.html "CLSID 8a696d12-576b-422e-9712-01b9dd84b446 | Status WMI Provider | STRONTIC | strontic.github.io" - [8]: https://web.archive.org/web/20240829180219/https://strontic.github.io/xcyclopedia/library/clsid_DACA056E-216A-4FD1-84A6-C306A017ECEC.html "CLSID 
DACA056E-216A-4FD1-84A6-C306A017ECEC | AMMonitoring WMI Provider | STRONTIC | strontic.github.io" - call: - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240925232039/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::AllowFastServiceStartup "Allow antimalware service to startup with normal priority | admx.help" + [3]: https://web.archive.org/web/20240925232016/https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::system_center_endpoint_protection_allowfastservicestartup "Allow antimalware service to startup with normal priority | admx.help" + [4]: 
https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#allowfastservicestartup "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240925231950/https://www.scaprepo.com/view.jsp?id=CCE-96698-6 "SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF) | www.scaprepo.com" + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: AllowFastServiceStartup + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware + valueName: AllowFastServiceStartup + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SoftDeleteFiles - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - fileGlob: '%PROGRAMFILES%\Windows Defender\MpProvider.dll' - # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - name: Disable Defender WMI management - recommend: null # Impacts local management - docs: |- - This script disables Defender's ability to be managed through Windows Management Instrumentation (WMI). - - WMI enables the management and automation of tasks on Windows computers [1]. - WMI is primarily used for remote management and monitoring but it can also operate locally [1]. 
+ name: Disable Defender Antivirus service automatic launch + docs: |- + This script prevents the Defender Antivirus service from starting automatically. - Disabling Defender's WMI management enhances privacy by preventing unauthorized remote modifications - to Defender settings. - It may also improve system performance by reducing background processes related to WMI management. + By default, Windows may automatically start the Defender Antivirus service (also called the + **Antimalware Service** [1]) under specific conditions. + This script allows you to control when the service runs. - However, this change comes with trade-offs: + This script enhances privacy by limiting unexpected Defender activations that may collect or scan your data. + It may also improve system performance by preventing the service from starting and consuming resources without + your explicit consent. - - It may disrupt local management scripts on your computer [1]. - - It can impact computers managed by enterprise software such as **System Center Operations Manager** - or **Windows Remote Management** [1]. - - It may reduce security by limiting the ability to manage Defender remotely in enterprise environments. + However, it may reduce security by stopping Defender from automatically activating against potential threats. - > **Caution:** - > This script may interfere with system management tools and potentially reduce security in enterprise environments. + > **Caution:** + > Disabling automatic launch may leave your system vulnerable if you forget to manually activate Defender when needed. - ### Technical Details + ### Technical Details - This script removes specific components of the `Windows-Defender-Management-Onecore` package [2]: + This script sets the `ServiceStartStates` registry value to `0` in the Windows Defender registry key. 
Here's what this means: - - File `%PROGRAMFILES%\Windows Defender\ProtectionManagement.dll` [2] [3] - - COM class **Windows Defender WMI Provider** (CLSID: `A7C452EF-8E9F-42EB-9F2B-245613CA0DC9`) [2] [3] + - `0` indicates the service is turned off and won't start automatically; `1` means it will [2]. + - When a third-party antivirus is installed, Windows typically sets this value to `0` [3]. + - Default values can vary; tests show that it is missing in fresh installations of both Windows 11 and Windows 10 [4]. + - The `MpSvc.dll` [5] and `MpClient.dll` [6] files read this registry value to manage Defender Antivirus operations. - [1]: https://web.archive.org/web/20240830103531/https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page "Windows Management Instrumentation - Win32 apps | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240830103651/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-onecore_31bf3856ad364e35_10.0.22621.1_none_35c9afe78c9d9fdd.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-onecore_31bf3856ad364e35_10.0.22621.1_none_35c9afe78c9d9fdd.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" - [3]: https://web.archive.org/web/20240830103709/https://strontic.github.io/xcyclopedia/library/clsid_A7C452EF-8E9F-42EB-9F2B-245613CA0DC9.html "CLSID A7C452EF-8E9F-42EB-9F2B-245613CA0DC9 | Windows Defender WMI Provider | STRONTIC | strontic.github.io" - call: - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - function: SoftDeleteFiles - parameters: - # Availability: ✅ Windows 10 Pro (≥ 
22H2) | ✅ Windows 11 Pro (≥ 23H2) - fileGlob: '%PROGRAMFILES%\Windows Defender\ProtectionManagement.dll' - # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - category: Disable Defender updates - children: - - - category: Disable Defender Security Intelligence (signature) updates - children: - - - name: Disable forced security intelligence (signature) updates from Microsoft Update - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: ForceUpdateFromMU - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable security intelligence (signature) updates when running on battery power - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery + [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240925233249/https://www.windowsphoneinfo.com/threads/windows-defender-randomly-turning-off-sometimes.383757/ "Windows Defender randomly turning off sometimes | www.windowsphoneinfo.com" + [3]: https://web.archive.org/web/20240925233603/https://www.bleepingcomputer.com/forums/t/770901/defender-detects-but-cant-clean-trojano97mmountsicml/page-2#entry5354622 "Defender detects but can't clean - Trojan:O97M/Mountsi.C!ml - Page 2 - 
Virus, Trojan, Spyware, and Malware Removal Help | www.bleepingcomputer.com" + [4]: https://web.archive.org/web/20240926000343/https://github.com/undergroundwires/privacy.sexy/issues/393 "[Bug]: \"Disable always running antimalware service\" is wrong. · Issue #393 · undergroundwires/privacy.sexy | github.com" + [5]: https://web.archive.org/web/20240917123620/https://raw.githubusercontent.com/privacysexy-forks/10_0_22622_601/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings "10_0_22622_601/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [6]: https://web.archive.org/web/20240925233553/https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpClient.dll.strings "10_0_22000_1165/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpClient.dll.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d · privacysexy-forks/10_0_22000_1165 | github.com" + [7]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" call: function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: DisableScheduledSignatureUpdateOnBattery + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender + valueName: ServiceStartStates dataType: REG_DWORD - data: '1' + data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + 
elevateToTrustedInstaller: 'true' # Without TrustedInstaller: ✅ Windows 10 Pro (>= 22H2) | ❌ Windows 11 Pro (>= 23H2) - - name: Disable startup check for latest virus and spyware security intelligence (signature) - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup + name: Disable Defender Antivirus Service active state + docs: |- + This script disables the running state of the Defender Antivirus service. + + Setting the service to 'not running' prevents activation of any components dependent on the Defender Service + (also called the **Antimalware Service** [1]). + This gives you more control over Defender's operations. + + This script enhances privacy by preventing Defender from running in the background, which stops potential + unwanted data collection and system scans. + It may also boost system performance by stopping Defender-related processes from using system resources. + + However, this may reduce security by keeping Defender inactive, which may increase your system's vulnerability to threats. + + > **Caution:** Disabling the running state of Defender may leave your system unprotected against malware and other security threats. + + ### Technical Details + + This script sets the `IsServiceRunning` registry value in the Windows Defender registry key to `0`. + + This modification means: + + - `0` means the service is not running; `1` means it is running [2] [3] [4]. + - The default value varies: tests show that it is `1` on a fresh installation of Windows 11, but absent on Windows 10 [4]. + - This registry value is read by `MpClient.dll` [5] and `MpSvc.dll` [6], which are related to Defender Antivirus operations. + - Windows typically deletes this key during shutdown to prevent false-positive dirty shutdown detections [6]. + A **dirty shutdown** happens when a computer is shut down without completing the proper shutdown process [7]. 
+ - The value may change automatically when Defender updates [8]. + + [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240925234842/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender/38f15492-0a80-4ecc-bf59-946ae6f0b591 "Windows Defender - Microsoft Community < answers.microsoft.com" + [3]: https://web.archive.org/web/20240925234720/https://answers.microsoft.com/en-us/windows/forum/all/offline-scan-done-event-log-shows-a-problem/06615685-255e-49e5-9541-0c0d0dff1cfa "Offline scan done, event log shows a problem? - Microsoft Community | answers.microsoft.com" + [4]: https://web.archive.org/web/20240926000343/https://github.com/undergroundwires/privacy.sexy/issues/393 "[Bug]: \"Disable always running antimalware service\" is wrong. 
· Issue #393 · undergroundwires/privacy.sexy | github.com" + [5]: https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings "10_0_22623_1020/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com" + [6]: https://web.archive.org/web/20240917123620/https://raw.githubusercontent.com/privacysexy-forks/10_0_22622_601/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings "10_0_22622_601/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [7]: https://web.archive.org/web/20240925235844/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/event-id-41-restart "Event ID 41 The system has rebooted without cleanly shutting down first - Windows Client | Microsoft Learn | learn.microsoft.com" + [8]: https://archive.ph/2024.09.25-234859/https://malwaretips.com/threads/configuredefender-utility-for-windows-10-11.79039/page-44 "ConfigureDefender utility for Windows 10/11 | Page 44 | MalwareTips Forums | malwaretips.com" call: function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: UpdateOnStartUp + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender + valueName: IsServiceRunning dataType: REG_DWORD - data: '1' + data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + elevateToTrustedInstaller: 'true' # Without TrustedInstaller: ✅ Windows 10 Pro (>= 22H2) | 
❌ Windows 11 Pro (>= 23H2) - - name: Disable catch-up security intelligence (signature) updates # default is one day - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdatecatchupinterval + name: Disable Defender Antivirus data storage location # TODO: Archive + docs: |- + This script removes a configuration value that controls where Defender stores its data. + + This is a configuration related to **Defender Antivirus** [1]. + Windows configures this setting when installing Defender Antivirus service [2]. + It specifies where data, including virus definition databases and other detection files, is installed [3]. + It is used by various Defender components like `MpClient.dll` [4], `MpSvc.dll` [5], `MsMpEng.exe` [6] and `MpCmdRun.exe` [7]. + + Deleting this value enhances privacy by preventing these components from accessing their data directories. + This reduces their data collection capabilities. + + However, this change has significant security risks: + + - It may weaken Defender Antivirus's ability to detect and remove malware + - Some security features of Defender Antivirus may not work properly + - This may make your system more vulnerable to security threats + + > **Caution**: This action may leave your system less protected against viruses and malware. + + ### Technical Details + + The script deletes the `HKLM\SOFTWARE\Microsoft\Windows Defender!ProductAppDataPath` registry value [1] [2]. + In earlier Windows versions, this value was found at `HKLM\SOFTWARE\Microsoft\Microsoft Antimalware!ProductAppDataPath` [3]. 
+ + When this value is removed, Windows logs Event ID 5007 [1]. + The event message states [1]: + + ``` + Microsoft Defender Antivirus Configuration has changed. + If this is an unexpected event you should review the settings as this may be the result of malware. + ``` + + According to tests, Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) have protective measures that + may prevent this change from taking effect or may quickly reverse it. + + [1]: https://www.windowsphoneinfo.com/threads/new-windows-defender-event-5007-re-productappdatapath.464273/ "New Windows Defender event 5007 re. ProductAppDataPath | www.windowsphoneinfo.com" + [2]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [3]: https://ivandemes.com/redirecting-microsoft-forefront-endpoint-protection-av-pattern-files/ "Redirecting Microsoft ForeFront Endpoint Protection AV Pattern Files - IVANDEMES | ivandemes.com" + [4]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings "10_0_22622_601/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [5]: 
https://web.archive.org/web/20240917123620/https://raw.githubusercontent.com/privacysexy-forks/10_0_22622_601/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings "10_0_22622_601/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [6]: https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MsMpEng.exe.strings "10_0_22623_1020/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MsMpEng.exe.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com" + [7]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.1_none_7b973051f62a1a6d/MpCmdRun.exe.strings "10_0_19045_2251/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.1_none_7b973051f62a1a6d/MpCmdRun.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf · privacysexy-forks/10_0_19045_2251 | github.com" call: - # Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: SignatureUpdateCatchupInterval - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval - value: "'0'" # Set: Set-MpPreference 
-Force -SignatureUpdateCatchupInterval '0' - default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1' + function: DeleteRegistryValue + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender + valueName: ProductAppDataPath + dataOnRevert: '%PROGRAMDATA%\Microsoft\Windows Defender' + dataTypeOnRevert: REG_SZ + elevateToTrustedInstaller: 'true' # Without TrustedInstaller: ❌ Windows 10 Pro (>= 22H2) | ❌ Windows 11 Pro (>= 21H2) + - - name: Minimize spyware security intelligence (signature) updates # default is one day, recommended is 7 days - # Maximize period when spyware security intelligence (signature) is considered up-to-dates - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241 + name: Disable Defender Antivirus service "Endpoint Data Loss Prevention (DLP)" library + docs: |- # TODO: Archive + This script disables `EndpointDlp.dll`, the endpoint data loss prevention (DLP) library. + + This library is part of **Defender Antivirus** [1] [2] [3], and belongs to its service component [3]. + + It aims to prevent sensitive data from leaving an organization's network [4] [5] [6]. + It provides functions for process on Windows to monitor and control the flow of data [1] [4]. + It allows applications to notify the operating system before and after handling sensitive data [4]. + These functions are designed to protect sensitive information from accidental sharing or leaks [4] [5] [6]. + This feature is not enabled by default on Windows as it requires a specific license to use [1]. 
+ + Key functions of the DLP library include: + + - Monitoring file operations (opening, closing, saving) [1] [4] + - Controlling clipboard and drag-and-drop actions [1] [4] [7] + - Managing printing operations [1] [4] [7] + - Enforcing cloud-based policies for files and applications [1] [4] [7] + - Auditing and enforcing data protection rules [1] [4] [7] + - Monitoring website and network interactions [1] [7] + + It provides endpoint data loss prevention APIs [1]. + Microsoft refers to this library as **Microsoft Endpoint Data Leak Prevention Library** [8]. + + Disabling this library may enhance your privacy by preventing potential monitoring of activities related to sensitive data. + It disables DLP features that track files, documents, user interactions, and associated Microsoft cloud data collection. + + It may also improve system performance by reducing background processes associated with data loss prevention. + + However, this script may reduce your security by disabling features designed to protect your sensitive data + from unauthorized access or accidental sharing. + + > **Caution**: + > This action may expose you to risks such as accidental sharing or loss of sensitive data. + + ### Technical Details + + This script removes the library from `%PROGRAMFILES%\Windows Defender\endpointdlp.dll` [2] [8]. + On older versions of Windows, this file is located at `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\endpointdlp.dll` [8]. 
+ + [1]: https://learn.microsoft.com/en-us/windows/win32/lwef/endpointdlp-functions "Endpoint data loss prevention functions - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [3]: https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [4]: https:///en-us/windows/win32/lwef/endpointdlp-endpoint-data-loss-prevention "Endpoint data loss prevention - Win32 apps | Microsoft Learn | learn.microsoft.com" + [5]: https://techloris.com/library/dll/endpointdlp-dll/ "Endpointdlp.dll Fix - Windows 11, 10, 8, 7, Vista & XP | TechLoris | techloris.com" + [6]: https://www.microsoft.com/en-us/security/business/security-101/what-is-data-loss-prevention-dlp "Microsoft Purview Data Loss Prevention | Microsoft Security | www.microsoft.com" + [7]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/endpointdlp.dll.strings "10_0_22622_601/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/endpointdlp.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · 
privacysexy-forks/10_0_22622_601 | github.com" + [8]: https://www.pconlife.com/viewfileinfo/endpointdlp-dll/ "endpointdlp.dll File Download & Fix For All Windows OS | www.pconlife.com" call: - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: ASSignatureDue - dataType: REG_DWORD - data: '4294967295' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Availability: 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\endpointdlp.dll' + minimumWindowsVersion: Windows11-21H2 + # grantPermissions: 'true' # ❌ Does not work on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - name: Minimize virus security intelligence (signature) updates # default is one day, recommended is 7 days - # Maximize period when virus security intelligence (signature) is considered up-to-date - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue - - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243 + name: Disable Defender Antivirus service module + docs: |- # TODO: Archicve + This script disables `MpSvc.dll`. + + Microsoft refers to `MpSvc.dll` as the **Service Module** [1] [2]. + It is part of **Defender Antivirus** service [3]. 
+ + It manages essential Defender Antivirus functions, including: + + - **Scans:** Monitors files in real-time, protects network, manages scans [4] + - **Updates:** Downloads new virus definitions [4] + - **Threats:** Finds and removes malware [4] + - **Telemetry:** Collects and sends data to Microsoft [4] + - **Integrations**: Works with **Windows Security Center** and antimalware scanning (AMSI) [4] + - **Restrictions**: Prevents Defender Antivirus from being disabled [5] + + This script improves privacy by: + + - Reducing data collection and reporting to Microsoft + - Preventing system monitoring [4] + - Allowing more control over privacy-related settings, including the ability to disable Defender Antivirus [5] + + The script may improve system performance by: + + - Reducing background scanning activities + - Decreasing memory usage + - Lowering CPU usage from real-time protection + + Disabling `MpSvc.dll` reduces potential attack vectors that have been exploited in REvil ransomware [6], + state-sponsored attacks [7], and the Clambing backdoor [8]. + + However, disabling it also impairs critical security functions such as real-time protection, security + definition updates and threat detection capabilities. + + > **Caution**: + > Disabling this component may increase your computer's risk of viruses and other security threats. + + ### Technical Details + + Defender Antivirus service runs `MsMpEng.exe` on modern versions of Windows [9]. + This file loads this DLL [6] [8] [10] [11]. + This DLL activates core antivirus functions via `MpEngine.dll` [11] [12]. + It interacts with other applications using an ALPC port labeled 'IMpService' [13]. 
+ + Location on modern Windows: + + - `%PROGRAMFILES%\Windows Defender\mpsvc.dll` [2] [3] [10] + + Historical locations on older Windows versions: + + - `%PROGRAMFILES64%\Windows Defender\mpsvc.dll` [1] + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\\MpSvc.dll` [2] [10] + - `%PROGRAMFILES\Microsoft Security Client\MpSvc.dll` [2] + + [1]: https://systemexplorer.net/file-database/file/mpsvc-dll "What is mpsvc.dll ? | System Explorer | systemexplorer.net" + [2]: http://windowfin.com/bbs/board.php?bo_table=windowfin&wr_id=908493 "What is MpSvc.dll? Service Module File Information. ID:0908493 | windowfin.com" + [3]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [4]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7/MpSvc.dll.strings "10_0_19045_2251/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7/MpSvc.dll.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf · privacysexy-forks/10_0_19045_2251 | github.com" + [5]: https://learn.microsoft.com/en-us/answers/questions/122512/can-not-disable-windows-defender-via-group-policie?page=1#comment-122571 "Can not disable Windows Defender via group policies - Microsoft Q&A | learn.microsoft.com" + [6]: https://www.cynet.com/blog/kaseya-supply-chain-attack/ "Security Update – Kaseya Supply-Chain Attack - All-in-One Cybersecurity Platform - Cynet | www.cynet.com" + [7]: 
https://www.anomali.com/fr/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center "Anomali Cyber Watch I Cyber News on Pirate Panda | www.anomali.com" + [8]: https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/ "CLAMBLING - A New Backdoor Base On Dropbox (EN) | 詮睿科技 | www.talent-jump.com" + [9]: https://batcmd.com/windows/11/services/windefend/ "Microsoft Defender Antivirus Service - Windows 11 Service - batcmd.com | batcmd.com" + [10]: https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html "mpsvc.dll | HijackLibs | hijacklibs.net" + [11]: https://malware.news/t/fuzzing-the-shield-cve-2022-24548/65673 "Fuzzing the Shield: CVE-2022–24548 - Malware Analysis - Malware Analysis, News and Indicators | malware.news" + [12]: https://web.archive.org/web/20240930174756/https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world "An unexpected journey into Microsoft Defender's signature World — retooling_ | retooling.io" + [13]: https://redplait.blogspot.com/2010/11/mpsvcdll-rpc-interfaces.html "windows deep internals: MpSvc.dll RPC interfaces | redplait.blogspot.com" call: - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: AVSignatureDue - dataType: REG_DWORD - data: '4294967295' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpSvc.dll' + # grantPermissions: 'true' # ❌ Does not work on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - name: Disable security intelligence (signature) update on startup - docs: - - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine + name: Disable Defender Antivirus antimalware engine + docs: |- # TODO: Archive + This script disables Defender's main virus-scanning component (`MpEngine.dll`). + + Microsoft refers to this component as **Microsoft Malware Protection Engine** [1] [2] [3] [4] [5]. + This is a core component of **Defender Antivirus** [1] [4] [6] [7]. + It is enabled by default on Windows [8]. + This component scans, detects, and removes malware using Microsoft's antivirus technology [1]. + + It monitors system activity by: + + - Scanning files [9] [10] [11] [12] [13] [14], memory [7], emails [8], and web downloads [8] + - Analyzing system processes and registry keys [5] + - Tracking network activity [14] + - Collecting system data for analysis [10] and logging events [15] + - Scanning compressed files like RAR archives [11] [12] + - Running files in a virtual sandbox environment [7] [11] [16] called **Defender Emulator** [11] + + Disabling this component increases your privacy by: + + - Reducing system monitoring and data collection + - Preventing forensic analysis of your files and system activity [10] [13] + - Stopping the creation of event logs [15], scan logs [10] and file caches [10] + - Eliminating potential security risks from the engine's vulnerabilities [1] [11] [17] + + However, this script may reduce your security since your system will no longer detect or protect against + viruses and other malicious software. 
+ + > **Caution**: This action may lower your system's security by disabling virus detection and protection. + + ### Technical Details + + The engine (`MpEngine.dll`) is loaded by `MpSvc.dll` [9] and works as part of `MsMpEng.exe` [9]. + It is located in these paths: + + | Path | Confirmed versions with tests | + | ---- | ----------------------------- | + | `%PROGRAMDATA%\Microsoft\Windows Defender\Definition Updates\Default\MpEngine.dll` [2] [3] [18] | Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) | + | `%PROGRAMDATA%\Microsoft\Windows Defender\Definition Updates\{}` [2] [3] | Windows 11 Pro (≥ 22H2) | + | `%PROGRAMDATA%\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll` [15] | Windows 11 Pro (≥ 21H2) | + + [1]: https://www.bleepingcomputer.com/news/security/microsoft-out-of-band-security-update-patches-malware-protection-engine-flaw/ "Microsoft Out-Of-Band Security Update Patches Malware Protection Engine Flaw | www.bleepingcomputer.com" + [2]: https://systemexplorer.net/file-database/file-variants/mpengine-dll "Variants of mpengine.dll | systemexplorer.net" + [3]: http://windowfin.com/bbs/board.php?bo_table=windowfin&wr_id=246526 "What is mpengine.dll? Microsoft Malware Protection Engine File Information. 
ID:0246526 | windowfin.com" + [4]: https://learn.microsoft.com/en-us/security-updates/securityadvisories/2017/4022344 "Microsoft Security Advisory 4022344 | Microsoft Learn | learn.microsoft.com" + [5]: https://support.microsoft.com/en-us/topic/description-of-forefront-endpoint-security-definition-updates-b0833c24-fab3-390b-820b-3835beeb03b3 "Description of Forefront endpoint security definition updates - Microsoft Support | support.microsoft.com" + [6]: https://www.virusbulletin.com/conference/vb2018/abstracts/windows-defender-under-microscope-reverse-engineers-perspective "Virus Bulletin :: Windows Defender under the microscope: a reverse engineer's perspective | virusbulletin.com" + [7]: https://readmedium.com/windows-defender-memory-scan-feature-analysis-3f9242f00132 "Windows Defender Memory Scan Feature Analysis | readmedium.com" + [8]: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f49b2ef7-244f-451d-85a5-0ca2ab01bf26&CommunityKey=a9b005c5-dc3c-4b04-9a1a-41efdafc2a35&tab=librarydocuments "Web Isolation - Symantec Enterprise | community.broadcom.com" + [9]: https://web.archive.org/web/20240930174756/https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world "An unexpected journey into Microsoft Defender's signature World — retooling_ | retooling.io" + [10]: https://forensics.wiki/microsoft_security_essentials/ "Microsoft security essentials - | forensics.wiki" + [11]: https://www.pixiepointsecurity.com/blog/nday-cve-2021-31985/ "Exploiting the Windows Defender `AsProtect` Heap Overflow Vulnerability | PixiePoint Security | www.pixiepointsecurity.com" + [12]: https://project-zero.issues.chromium.org/issues/42450597 "mpengine contains unrar code forked from unrar prior to 5.0, introduces new bug while fixing others [42450597] - Project Zero | project-zero.issues.chromium.org" + [13]: 
https://blog.fox-it.com/2023/12/14/reverse-reveal-recover-windows-defender-quarantine-forensics/ "Reverse, Reveal, Recover: Windows Defender Quarantine Forensics – Fox-IT International blog | blog.fox-it.com" + [14]: https://cert.europa.eu/static/security-advisories/CERT-EU-SA2017-011.pdf "Critical Microsoft Scripting Engine Memory Corruption Vulnerability | cert.europa.eu" + [15]: https://github.com/privacysexy-forks/winevt-kb/blob/main/docs/sources/eventlog-providers/Provider-Microsoft-Antimalware-Engine.md "winevt-kb/docs/sources/eventlog-providers/Provider-Microsoft-Antimalware-Engine.md at main · privacysexy-forks/winevt-kb | github.com" + [16]: https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-whitepaper-metasploit-framework-encapsulating-av-techniques.pdf rapid7-whitepaper-metasploit-framework-encapsulating-av-techniques.pdf | Encapsulating Antivirus (AV) Evasion Techniques in Metasploit Framework | Wei Chen | www.rapid7.com" + [17]: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&isCpeNameSearch=true&seach_type=all&query=cpe:2.3:a:microsoft:malware_protection_engine:-:*:*:*:*:*:*:* "NVD - Results | nvd.nist.gov" + [18]: https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-am-engine_31bf3856ad364e35_10.0.22621.1_none_60c1274fa9ff3325.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-am-engine_31bf3856ad364e35_10.0.22621.1_none_60c1274fa9ff3325.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · colorsci/nickel-x64 | github.com" call: - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: DisableUpdateOnStartupWithoutEngine - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ 
Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Definition Updates\Default\MpEngine.dll' + # grantPermissions: 'true' # ❌ Does not work on Windows 11 Pro (≥ 21H2) | ✅ Works on Windows 10 Pro (≥ 22H2) + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - function: SetMpPreference + function: SoftDeleteFiles parameters: - property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine - value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True - default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (21H2) | ✅ Windows 11 Pro (≥ 22H2) + fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Definition Updates\{*}\mpengine.dll' + # grantPermissions: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (21H2) | ❌ Does not work on Windows 11 Pro (≥ 22H2) + elevateToTrustedInstaller: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (21H2) | ✅ Works on Windows 11 Pro (≥ 22H2) + - + function: SoftDeleteFiles + parameters: + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' + # grantPermissions: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ❌ Does not work on Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - name: Disable automatic checks for security intelligence (signature) updates # Already disabled by default - docs: - - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturescheduleday + name: Disable Defender Antivirus command-line library + docs: |- # TODO: Archive + This script disables `MpClient.dll`, the **Defender Antivirus** command-line library. + + Microsoft refers to this library as the **Client Interface** [1]. + It's a crucial component of **Defender Antivirus** [2] [3]. + It allows Windows and third-party processes to manage **Defender Antivirus** [3] [4]. + + It contains functions for: + + - Scanning for viruses [3] [4] [5] + - Detecting threats [3] [4] + - Updating the antivirus [3] [4] + - Configuring antivirus features [3] [4] + - Submitting samples and telemetry data [3] + - Managing exclusions and **Defender Exploit Guard** [3] + - Logging system security state [2] [3] + - Security and certificate validation [3] + - Communication with other Windows processes through COM [3]. + + This library is used by various Defender command-line tools, such as: + + - `MpCmdRun.exe` (**Defender Antivirus** CLI) [6] + - `MpDlpCmd.exe` (**Microsoft Endpoint DLP** CLI) [6]. + + This script may enhance privacy by disabling telemetry and data submission functions of **Defender Antivirus**. + It may also enhance system performance by reducing background processes. + However, there are trade-offs: + + - It disables command-line tools for managing **Defender Antivirus**. + - It may weaken your system's protection against malware and other threats. + + > **Caution:** This script weakens your computer's built-in security features. 
+ + ### Technical Details + + This script deletes the `MpRtp.dll` library from: + + - `%PROGRAMFILES%\Windows Defender\MpClient.dll` [1] [3] [7] + - `%PROGRAMFILES(X86)%\Windows Defender\MpClient.dll` [1] + + On older versions of Windows, this file is located at + `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\Drivers\MpClient.dll` [2] [7]. + + Microsoft states that deleting this file prevents **Defender Antivirus** from functioning as the default antivirus [7]. + + The library also registers Event Tracing for Windows (ETW) providers for security logging [2]: + + | ETW Provider GUID | ETW Provider Name | + | ----------------- | ----------------- | + | `E4B70372-261F-4C54-8FA6-A5A7914D73DA` | `Microsoft-Antimalware-Protection` | + | `7AF898D7-7E0E-518D-5F96-B1E79239484C ` | `Microsoft.Windows.Defender` | + + [1]: https://www.exefiles.com/en/dll/mpclient-dll/ "How to Repair MpClient.dll (Free Download) | www.exefiles.com" + [2]: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/Microsoft_Antivirus.pdf?__blob=publicationFile&v=2 "Microsoft Defender Antivirus | Federal Office for Information Security Germany | www.bsi.bund.de" + [3]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [4]: https://learn.microsoft.com/en-us/windows/win32/lwef/windows-defender-functions "Windows Defender Functions - Win32 apps | Microsoft Learn | learn.microsoft.com" + [5]: https://readmedium.com/windows-defender-memory-scan-feature-analysis-3f9242f00132 "Windows Defender Memory Scan Feature Analysis | readmedium.com" + [6]: 
https://s.itho.me/ccms_slides/2023/5/24/c1633689-1c8f-4871-a1a9-2923fd92348d.pdf "Hack The Real Box | An Analysis of Multiple Campaigns by APT41’s Subgroup, Earth Longzhi | Hiroaki Hara and Ted L | Trend Micro | s.itho.me" + [7]: https://support.checkpoint.com/results/sk/sk169592 "Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services | support.checkpoint.com" + [8]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings "10_0_22622_601/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" call: - # Options: - # 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday' - # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default) - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: ScheduleDay - dataType: REG_DWORD - data: '8' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpClient.dll' + # grantPermissions: 'true' # ❌ Does not work on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - function: SetMpPreference + function: SoftDeleteFiles parameters: - property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay - value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8' - default: "'8'" # Default: 1 | 
Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8' + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES(X86)%\Windows Defender\MpClient.dll' + # grantPermissions: 'true' # ❌ Does not work on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - name: Minimize checks for security intelligence (signature) updates - docs: - - https://web.archive.org/web/20240314122335/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval + name: Disable Defender Antivirus command-line utility process + docs: |- # TODO: Archive + This script disables the `MpCmdRun.exe` process. + + This process is also known as the **Microsoft Defender Antivirus command-line utility** [1] [2] [3]. + The utility is part of **Defender for Endpoint** [1] and **Defender Antivirus** [2] [4]. + It automates **Defender Antivirus** tasks [4]. + It runs scheduled background tasks automatically [3]. 
+ It can be used to: + + - Start scans [4] + - Start diagnostic tracing [4] + - Capture and save network input [4] + - Collect diagnostic data [4] + - Manage security signatures [4] + - Manage quarantined items [4] + - Verify **Defender Antivirus cloud service** communication [4] + - Check exclusions [4] + + The **Defender Antivirus cloud service** is also known as **Microsoft Active Protection Service (MAPS)** [4] [5] [6] [7] or **SpyNet** [6] [7]. + This service collects data about your computer, files, and software and sends it to Microsoft [5]. + + Disabling this process can enhance privacy by preventing the automatic collection and transmission of diagnostic data to Microsoft. + It may also improve system performance by reducing background processes. + + However, this action may decrease your system's security by stopping **Defender Antivirus** from performing scans and other protective tasks. + + > **Caution**: Disabling this process may reduce your computer's defenses against malware and other security threats. 
+ + ### Technical Details + + `MpCmdRun.exe` is typically located at: + + - `%PROGRAMFILES%\Windows Defender\MpCmdRun.exe` on modern versions of Windows [1] [3] [4] + - `%PROGRAMFILES%\Microsoft Security Client\MpCmdRun.exe` on older versions of Windows [1] + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpCmdRun.exe` on older versions of Windows [4] + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [4]: https://learn.microsoft.com/en-us/defender-endpoint/command-line-arguments-microsoft-defender-antivirus "Use the command line to manage Microsoft Defender Antivirus - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240728212840/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj618314(v=ws.11) "Manage Privacy: Windows Defender and Resulting Internet Communication | Microsoft Learn | learn.microsoft.com" + [6]: 
https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowcloudprotection "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" call: - # Valid values range from 1 (every hour) to 24 (once per day). - # If not specified (0), parameter, Microsoft Defender checks at the default interval - - function: SetRegistryValue + function: TerminateAndBlockExecution parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: SignatureUpdateInterval - dataType: REG_DWORD - data: '24' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + executableNameWithExtension: MpCmdRun.exe - - function: SetMpPreference + function: SoftDeleteFiles parameters: - property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval - value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24' - default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0' - - - category: Disable alternate definition updates - children: - - - name: Disable definition updates via WSUS and Microsoft Malware Protection Center - docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: CheckAlternateHttpLocation - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 
22H2) and Windows 11 Pro (≥ 23H2) + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpCmdRun.exe' + # grantPermissions: 'true' # ❌ Does not work on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - name: Disable definition updates through both WSUS and Windows Update - docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: CheckAlternateDownloadLocation - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Minimize Defender updates to completed gradual release cycles - docs: - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - call: - function: SetMpPreference - parameters: - # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) - property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease - value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True - default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease - - - name: Minimize Defender engine updates to completed release cycles - docs: - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - call: - function: SetMpPreference - parameters: - # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) - property: EngineUpdatesChannel # 
Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel - value: "'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad' - # Valid values: - # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' - # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' - default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel "'NotConfigured'" + function: SoftDeleteFiles + parameters: + # Availability: 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES(X86)%\Windows Defender\MpCmdRun.exe' + minimumWindowsVersion: Windows11-21H2 + # grantPermissions: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ❌ Does not work on Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) + - + name: Disable Defender Antivirus communication module + docs: |- # TODO: Archive + This script removes the `MpCommu.dll` library, disabling its functionality. + + Microsoft refers to this library as **Communication Module** [1] [2] [3]. + This library is a component of **Defender Antivirus** service [4] [5]. + + It performs several network-related functions: + + - Communicates with Microsoft servers over HTTP/HTTPS using REST/SOAP APIs and proxy support [5]. + - Manages updates, including scheduling and downloading antimalware definition updates and interacting with **Windows Update** [5]. + - Submits reports to **SpyNet** [5], also known as **Microsoft Active Protection Service (MAPS)** [6]. + - Reports errors [5]. + - Interacts with other Windows processes using COM (Component Object Model) [5]. + - Manages configurations and settings related to malware protection [5]. 
+ + Removing this library enhances privacy by preventing data transmission to Microsoft servers, + including **SpyNet** reporting and other communications. + This action may also slightly improve system performance by eliminating background communications and update processes + associated with the module. + + However, removing this library reduces system security. + Without this library, **Defender Antivirus** may not receive malware definition updates, leaving your system vulnerable to new threats. + Error reporting and other security features may also be disabled. + + > **Caution**: Removing this library may leave your system unprotected from new malware and security threats. + + ### Technical Details + + The script removes the `MpCommu.dll` file from its standard location: + + - `%PROGRAMFILES%\Windows Defender\MpCommu.dll` [1] [4] + + In older versions of Windows, this file is located at: + + - `%PROGRAMFILES%\Microsoft Security Client\Antimalware\MpCommu.dll` [2] + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpCommu.dll` [3] + + [1]: https://www.exefiles.com/en/dll/mpcommu-dll/ "Troubleshooting MpCommu.dll: How To Guide (Free Download) | www.exefiles.com" + [2]: https://regrunreanimator.com/research/antivirus/mse/mpcommu-dll-2.htm "MPCOMMU.DLL « Microsoft Security Essentials &Laquo; Antivirus Tools « System Software Research | regrunreanimator.com" + [3]: https://dllsearch.ru/ru/dll/MpCommu.dll/df0cd1ff23178d5a0d4195cb09f10ed40beb7e9352300e18401e07243428dfeb "Полная информация о файле MpCommu.dll. 
Устанавливайте нужное | dllsearch.ru" + [4]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [5]: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpCommu.dll.strings "10_0_22000_1165/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpCommu.dll.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d · privacysexy-forks/10_0_22000_1165 | github.com" + [6]: https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + call: + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpCommu.dll' + # grantPermissions: 'true' # ❌ Does not work on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - name: Minimize Defender platform updates to completed release cycles - docs: - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service + docs: |- + - 
https://web.archive.org/web/20240314062056/https://batcmd.com/windows/10/services/wdnisdrv/ + - https://web.archive.org/web/20240609145030/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | call: - function: SetMpPreference - parameters: - # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) - property: PlatformUpdatesChannel # Status: Get-MpPreference | Select-Object -Property PlatformUpdatesChannel - value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad' - # Valid values: - # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' - # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' - default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel "'NotConfigured'" + # Excluding: + # - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: 🔍 Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + - + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + function: DisableServiceInRegistry + parameters: + serviceName: WdNisDrv # Check: (Get-Service -Name 'WdNisDrv').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + waitForDependentServicesOnStop: 'true' # Or it fails, `Microsoft Defender Antivirus Network Inspection Service (WdNisSvc)` depends on this + elevateToTrustedInstaller: 'true' + - + function: SoftDeleteFiles + parameters: + fileGlob: 
'%SYSTEMROOT%\System32\drivers\WdNisDrv.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - name: Minimize Defender definition updates to completed gradual release cycles - docs: - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + name: Disable Defender Antivirus device filter driver + docs: |- # TODO: Archive + This script disables Windows Defender’s device monitoring by removing the driver file `WdDevFlt.sys`. + + Microsoft refers to this file as **Microsoft antimalware device filter driver** [2]. + This driver belongs to **Defender Antivirus** [1] [2] [3]. + This driver allows Windows Defender to monitor devices you connect, including USB drives, displays, and audio devices [2]. + + This script improves privacy by: + + - Preventing Windows Defender from monitoring device connections and activities + - Reducing tracking of device activity at the system level + - Limiting data collection about connected devices + + It may improve system performance by: + + - Reduces background processes that monitor your devices + - Uses less system resources when connecting devices + - May speed up device connections + + However, it may reduce security by: + + - Limiting Defender's ability to detect malicious USB devices + - Reducing protection against harmful device-based attacks + - Decreasing system's capability to identify compromised hardware + + > **Caution:** This makes your system more vulnerable to attacks from malicious USB drives and other devices. + + ### Technical Details + + The system file `WdDevFlt.sys` comes with Windows Defender's drivers package [1]. + The script removes the driver file from `%SYSTEMROOT%\System32\drivers\WdDevFlt.sys` [4]. 
+ + #### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟡 Missing | N/A | + | Windows 11 (≥ 21H2) | 🟡 Missing | N/A | + + [1]: https://archive.ph/2024.10.27-164219/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22621.1_none_5262daf3e8f76071.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22621.1_none_5262daf3e8f76071.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [2]: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22000.1_none_4710ace5fa0243a2/WdDevFlt.sys.strings "10_0_22000_1165/C/Windows/WinSxS/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22000.1_none_4710ace5fa0243a2/WdDevFlt.sys.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d · WinDLLsExports/10_0_22000_1165 | github.com" + [3]: https://arxiv.org/pdf/2210.02821 "MICROSOFT DEFENDER WILL BE DEFENDED: MEMORYRANGER PREVENTS BLINDING WINDOWS AV | arxiv.org" + [4]: https://techcommunity.microsoft.com/t5/windows-11/windows-11-total-meltdown/m-p/3265897/highlight/true#M3053 "Re: Windows 11 total meltdown - Microsoft Community Hub | techcommunity.microsoft.com" call: - # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) - function: SetMpPreference + function: SoftDeleteFiles parameters: - property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel - # Its former name was "SignaturesUpdatesChannel" - value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad' - # 0 = 'NotConfigured' (default), 'Beta', Preview' 'Broad', 'Staged' - # ❌ Windows 11 21H2 supports only 'NotConfigured', 
'Beta', 'Preview' but not 'Broad', 'Staged' - default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'" - - - category: Disable Defender reporting - children: + # Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%SYSTEMROOT%\System32\drivers\WdDevFlt.sys' + grantPermissions: 'true' # 🔍 Missing on Windows 10 (≥ 22H2) | 🔒️ Protected on Windows 11 (≥ 22H2) - - name: Disable Defender logging + name: Disable "Microsoft Defender Antivirus Network Inspection" service + docs: |- + This script disables the **Defender Antivirus Network Inspection Service** (`WdNisSvc`) + and its process, `NisSrv.exe`. + + This service is also known as: + + - **Microsoft Defender Antivirus Network Inspection Service** [1] [2] + - **Windows Defender Antivirus Network Inspection Service** [3] + - **Windows Defender Network Inspection Service** [4] + - **NIS** [5] + + This service inspects network traffic to detect known vulnerabilities, aiming to protect against network-based attacks [1] [4]. + It is part of **Defender Antivirus** [2] and **Defender for Endpoint** [6]. + + It serves as Microsoft's zero-day vulnerability shielding feature, blocking network traffic matching known + exploits against unpatched vulnerabilities [5]. + When a new unpatched vulnerability affecting Microsoft products is discovered, Microsoft releases a signature + to block that exploit on machines with this feature enabled [5]. + This feature performs **synchronous inspection** when activated, introducing latency and consuming additional resources [5]. + + This service comes preinstalled on Windows [4] and runs continuously in the background. + + Disabling this service may enhance privacy by reducing data sent to Microsoft. + By default, Defender Antivirus reports detected attacks to Microsoft [7]. + This automatically sends your network information to Microsoft. 
+ + Disabling this service may also boost system performance by reducing resource consumption. + Synchronous inspection may cause latency, lower network throughput, and increase memory and CPU consumption [5]. + According to Microsoft, this feature is not suitable for machines with high network-intensive server roles such as IIS, Exchange, and SQL [5]. + + However, disabling this service may reduce your security. + It prevents zero-day vulnerability shielding signatures from loading on your machine [5]. + This may leave you vulnerable to new network-based attacks until patches are applied. + + > **Caution**: Disabling this service may expose your system to unpatched network vulnerabilities, increasing the risk of security breaches. + + ### Technical Details + + This script: + + - Disables the `WdNisSvc` service + - Removes the `NisSrv.exe` file + - Blocks execution of the `NisSrv.exe` process + + The script disables both the service and its process for persistent disabling. + Disabling the service alone may be insufficient, as software like **Configuration Manager** can re-enable it [3]. + + `NisSrv.exe` is the process that provides functionality to this service [2] [6]. + It is known as **Microsoft Defender Antivirus Network Realtime Inspection service** [2]. + The process is located at: + + - `%PROGRAMFILES%\Windows Defender` [6] [8] on modern versions of Windows + - `%PROGRAMFILES%\Microsoft Security Client` [6] on older versions of Windows. 
+ + #### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + + [1]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" + [2]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20241001123134/https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/client-health-checks "Client health checks - Configuration Manager | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20231004161147/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server "Security guidelines for system services in Windows Server 2016 | Microsoft Learn" + [5]: https://web.archive.org/web/20241001123042/https://techcommunity.microsoft.com/t5/configuration-manager-archive/enhancements-to-behavior-monitoring-and-network-inspection/ba-p/273238 "Enhancements to Behavior Monitoring and Network Inspection System in the Microsoft anti-malware platform - Microsoft Community Hub | techcommunity.microsoft.com" + [6]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [7]: https://web.archive.org/web/20241001123101/https://learn.microsoft.com/en-us/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission "Cloud protection 
and sample submission at Microsoft Defender Antivirus - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [8]: https://web.archive.org/web/20241001123116/https://batcmd.com/windows/11/services/wdnissvc/ "Microsoft Defender Antivirus Network Inspection Service - Windows 11 Service - batcmd.com | batcmd.com" call: - - function: SetRegistryValue + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + function: DisableServiceInRegistry parameters: - keyPath: HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger - valueName: Start - dataType: REG_DWORD - data: "0" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + serviceName: WdNisSvc # Check: (Get-Service -Name 'WdNisSvc').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + elevateToTrustedInstaller: 'true' - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger - valueName: Start - dataType: REG_DWORD - data: "0" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' + # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 22H2) + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: NisSrv.exe - - name: Disable Defender ETW provider (Windows Event Logs) - docs: - - 
https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ - - https://web.archive.org/web/20240314124054/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide + name: Disable Microsoft Defender Core Service + docs: |- + This script disables the Microsoft Defender Core service (`MDCoreSvc`). + + The Microsoft Defender Core service is a component of **Defender Antivirus** [1] [2]. + It is included in **Microsoft Defender for Endpoint** suite. [1] [2] [3]. + It contributes to the stability and performance of Defender Antivirus [1]. + + This script improves privacy by disabling this service. + It reduces data collection associated with Microsoft Defender Antivirus and Microsoft Defender for Endpoint. + It may also increase system performance by removing a background process. + However, disabling this service may reduce system security. + As a core operating system component, its removal may also affect system stability. + + ### Technical Details + + The service is technically identified as `MDCoreSvc` [1] [2] [4] [5]. + Its executable is `MpDefenderCoreService.exe` [1] [2] [5] [6]. + This process is also known as "Antimalware Core Service" [1] [2] [6]. + It's typically located in the `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\\` + folder [6]. + It may be found on modern versions of Windows [5]. + + ### Overview of default service statuses + + According to tests, the availability of this service varies across different Windows versions, + depending on the installed Defender antivirus updates. 
+ + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | + | Windows 11 (≥ 23H2) | 🟡 Missing | N/A | + + [1]: https://web.archive.org/web/20240728143438/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-core-service-overview "Microsoft Defender Core service overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240728143825/https://learn.microsoft.com/en-sg/answers/questions/1778162/how-to-fully-uninstall-clean-up-microsoft-defender "How to fully Uninstall/Clean-up Microsoft Defender Endpoint - Microsoft Q&A | learn.microsoft.com" + [4]: https://web.archive.org/web/20240728143822/https://github.com/undergroundwires/privacy.sexy/issues/385 "[Bug]: Defender is not completely disabled · Issue #385 · undergroundwires/privacy.sexy | github.com" + [5]: https://web.archive.org/web/20240724234608/https://techcommunity.microsoft.com/t5/public-sector-blog/december-2023-microsoft-365-us-public-sector-roadmap-newsletter/ba-p/4010161 "December 2023 - Microsoft 365 US Public Sector Roadmap Newsletter - Microsoft Community Hub | techcommunity.microsoft.com" + [6]: https://web.archive.org/web/20240724234556/https://www.file.net/process/mpdefendercoreservice.exe.html "MpDefenderCoreService.exe Windows process - What is it? 
| file.net" call: + # - + # # Commented out because it does not work due to permission errors even as TrustedInstaller + # function: DisableServiceInRegistry + # parameters: + # # Note: Always get "Permission Denied", could not find a way., https://github.com/undergroundwires/privacy.sexy/issues/385 + # # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ❌ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # # Windows 11 (23H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ❌ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # serviceName: MDCoreSvc # Check: (Get-Service -Name 'MDCoreSvc').StartType + # defaultStartupMode: Automatic + # elevateToTrustedInstaller: 'true' - - function: SetRegistryValue + function: TerminateAndBlockExecution + # Successfully disables Microsoft Defender Core Service + # and prevents it from running in the background. + # Tested and verified since Windows 10 Pro 22H2 and Windows 11 Pro 23H2 + # using Windows Defender Antivirus antimalware platform - Version 4.8.2001.100. + # It requires computer restart as it cannot terminate the process but can prevent its future execution. 
parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational - valueName: Enabled - dataType: REG_DWORD - data: "0" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + executableNameWithExtension: MpDefenderCoreService.exe + # - + # # Commented out because it does not work due to permission errors even as TrustedInstaller + # function: SoftDeleteFiles + # parameters: + # # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + # fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpDefenderCoreService.exe' + # # grantPermissions: 'false' # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # # elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC - valueName: Enabled - dataType: REG_DWORD - data: "0" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + function: ShowComputerRestartSuggestion + - + name: Disable Defender Antivirus license verification + docs: |- # TODO: Archive + This script disables the license module library of **Defender Antivirus**. + + This component is known as the **License Module** [1]. + It is a component of **Defender Antivirus** service [2], formerly known as **System Center Endpoint Protection** [3]. + It manages licensing aspects, such as product validation and configuration management [4]. + This library is involved in online verification of digital certificates and time stamps [4]. + It's also part of **Defender Offline**'s lightweight scanner [5]. + + By disabling this library, the script may enhance your privacy by preventing potential online connections + for license verification. 
+ It may also slightly improve system boot performance by reducing the number of components loaded at startup. + + However, this action may reduce your security by interfering with Defender's ability to validate its license and + potentially limiting some of its functionalities. + Disabling core components of your antivirus software may leave your system more vulnerable to threats. + + > **Caution**: + > This action may prevent **Defender Antivirus** from functioning correctly. + > This may leave your computer without active antivirus protection, potentially exposing it to malware and other security threats. + + ### Technical Details + + This script deletes the library at following locations: + + - `%PROGRAMFILES%\Windows Defender\MsMpLics.dll` [1] [2] + - `%PROGRAMFILES%\Windows Defender\Offline\MsMpLics.dll` [3] + + [1]: https://systemexplorer.net/file-database/file/msmplics-dll "What is msmplics.dll ? | System Explorer | systemexplorer.net" + [2]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [3]: https://www.advanceduninstaller.com/System-Center-Endpoint-Protection-cd6bb8313ad4ba221f25af40a08680d3-application.htm "System Center Endpoint Protection version 4.7.214.0 by Microsoft Corporation - How to uninstall it | www.advanceduninstaller.com" + [4]: https://github.com/privacysexy-forks/10_0_17763_1/blob/6151931b169f55ce8b8581c39bb508a661e4085b/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.17763.1_none_b66c0cb3aef5ffee/MsMpLics.dll.strings 
"10_0_17763_1/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.17763.1_none_b66c0cb3aef5ffee/MsMpLics.dll.strings at 6151931b169f55ce8b8581c39bb508a661e4085b · privacysexy-forks/10_0_17763_1 | github.com" + [5]: https://www.winhelponline.com/blog/start-windows-defender-offline-scan/ "How to Start Microsoft Defender Offline Scan in Windows 10/11 » Winhelponline | winhelponline.com" + call: - - name: Minimize Windows software trace preprocessor (WPP Software Tracing) - docs: - - https://web.archive.org/web/20240314123926/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting - valueName: WppTracingLevel - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpLics.dll' + # grantPermissions: 'true' # ❌ Does not work on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\Offline\MsMpLics.dll' + # grantPermissions: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) | ❌ Does not work on Windows 11 Pro (≥ 24H2) + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - category: Disable Defender scheduled tasks + category: Disable Defender Antivirus scheduled tasks + docs: |- + This category 
contains scripts to disable maintenance tasks of **Defender Antivirus**. + + Scheduled tasks are automated operations that Windows runs at specific times or events [1]. + Defender uses these tasks to maintain its antivirus service [2]. + + Disabling these tasks enhances privacy by: + + - Stopping automatic data collection + - Giving you control over data collection and deletion + + Disabling these tasks can also improve system performance by: + + - Reducing background processes + - Decreasing boot time + - Reducing resource usage + - Saving disk space + + > **Caution**: + > Disabling these tasks may weaken your system's security by turning off antivirus features. + > Consider using alternative security measures. + + [1]: https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page "Task Scheduler for developers - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" children: - name: Disable "Windows Defender Cache Maintenance" task docs: |- This script disables the "Windows Defender Cache Maintenance" scheduled task. - The task is scheduled to periodically maintain the cache used by Microsoft Defender Antivirus [1]. - It runs the command `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance` [1]. - The `MpCmdRun.exe` is a command-line tool used to perform various Microsoft Defender Antivirus functions [2]. + This task is a **Defender Antivirus** component [1] [2]. + The task is scheduled to periodically maintain the cache used by Defender Antivirus [1]. 
- Cache maintenance involves managing temporary files that Microsoft Defender is either scanning or has quarantined [3] + Cache maintenance involves managing temporary files that Microsoft Defender is either scanning or has quarantined [3]. Disabling this task prevents the system from automatically clearing the Defender cache [3]. - This is particularly useful if you want to ensure that files are not removed from quarantine or the cache without your explicit action. - Disabling this task is reported to optimize system boot speed [4] but it could potentially lead to increased storage use by temporary files. + Disabling this task may improve your privacy by preventing automatic removal of quarantined files or cached + data without your explicit action. + For example, when Defender mistakenly flag privacy scripts (such as privacy.sexy scripts [4]) as a threat + and quarantines it, the cache maintenance task may remove this file without your knowledge. + By disabling the task, you prevent automatic deletion, giving you the opportunity to recover and review such files. + This is useful for users who handle sensitive data and want full control over file management on their system. - ### Overview of default task statuses + Disabling this task is reported to optimize system boot speed [5], but it may lead to increased storage use + by temporary files. + + > **Caution**: + > Disabling this task may lead to a buildup of unnecessary files, potentially affecting system performance over time. + + ### Technical Details + + It runs the command `%PROGRAMFILES%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance` [1] [2]. + The `MpCmdRun.exe` is a command-line tool used to perform various **Defender Antivirus** functions [6]. + + #### Overview of default task statuses `\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance`: 
@@ -17761,9 +20372,11 @@ actions: | Windows 11 22H2 | 🟢 Ready | [1]: https://web.archive.org/web/20231102111550/http://windows.fyicenter.com/4439_Windows_Defender_Cache_Maintenance_Scheduled_Task_on_Windows_8.html '"Windows Defender Cache Maintenance" Scheduled Task on Windows 8 | windows.fyicenter.com' - [2]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" [3]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" - [4]: https://web.archive.org/web/20231102111645/https://discussions.citrix.com/topic/417772-very-slow-boot-times/ "Very slow boot times - Provisioning Server for Datacenters - Discussions | discussions.citrix.com" + [4]: https://github.com/undergroundwires/privacy.sexy/issues/421 "[Bug]: Defender falsely marks scripts including text \"privacy.sexy\" as malicious · Issue #421 · undergroundwires/privacy.sexy | github.com" + [5]: https://web.archive.org/web/20231102111645/https://discussions.citrix.com/topic/417772-very-slow-boot-times/ "Very slow boot times - Provisioning Server for Datacenters - Discussions | discussions.citrix.com" + [6]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" call: function: DisableScheduledTask parameters: 
@@ -17775,12 +20388,24 @@ actions: docs: |- This script disables the "Windows Defender Cleanup" scheduled task. - This task is used by Defender to remove unnecessary files, such as corrupted or quarantined items [1]. - The task is described in the Task Scheduler as "Periodic cleanup task" [2] [3]. + This task is a **Defender Antivirus** component [1]. + It is used by Defender to remove unnecessary files, such as corrupted or quarantined items [2]. + The task is described in the **Task Scheduler** as **"Periodic cleanup task"** [3] [4]. + + Disabling this task may enhance your privacy by preserving potentially sensitive quarantined files for + manual review and simplifying system activity monitoring. + It may also improve system performance by preventing the periodic execution of this task. + However, disabling this task may lead to the accumulation of unnecessary files over time. + + > **Caution**: Disabling this task may lead to the buildup of unnecessary files on your system. + + ### Technical Details + This task executes the following command: - `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup` [2] [3]. + `%PROGRAMFILES%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup` [1] [3] [4]. + The `MpCmdRun.exe` is a command-line tool used to perform various **Defender Antivirus** functions [5]. - ### Overview of default task statuses + #### Overview of default task statuses `\Microsoft\Windows\Windows Defender\Windows Defender Cleanup`: 
@@ -17789,9 +20414,11 @@ actions: | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | - [1]: https://web.archive.org/web/20231103171411/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? - Microsoft Community | answers.microsoft.com" - [2]: https://web.archive.org/web/20231103171352/http://windows.fyicenter.com/4440_Windows_Defender_Cleanup_Scheduled_Task_on_Windows_8.html '"Windows Defender Cleanup" Scheduled Task on Windows 8 | windows.fyicenter.com' - [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" + [1]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20231103171411/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" + [3]: https://web.archive.org/web/20231103171352/http://windows.fyicenter.com/4440_Windows_Defender_Cleanup_Scheduled_Task_on_Windows_8.html '"Windows Defender Cleanup" Scheduled Task on Windows 8 | windows.fyicenter.com' + [4]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" + [5]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" call: function: DisableScheduledTask parameters: 
@@ -17803,13 +20430,27 @@ actions: docs: |- This script disables the "Windows Defender Scheduled Scan" scheduled task. - This scheduled task is responsible for performing automatic regular scans [1] [2]. - By disabling this task, users can control the scheduling and frequency of antivirus scans, according to their needs, thus balancing - security with system resource management [1] [2]. - - The task is known as "Periodic scan task" in the Task Scheduler [1] [3] [4]. - It executes the following command: - `C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55` [3] [4]. + This task is a component of **Defender Antivirus** [1] [2] [3]. + It performs automatic regular antivirus scans [1] [2]. + It is also known as the **"Periodic scan task"** in the **Task Scheduler** [1] [4] [5]. + + Disabling this task may enhance your privacy by giving you more control over when and how often + your system is scanned. + It may also improve system performance by reducing background processes. + + However, regular scans are a key part of maintaining system security. + Disabling this task means your computer will not automatically perform scheduled antivirus scans, + which may leave your system more vulnerable to malware if you don't manually run scans regularly. + + > **Caution**: + > This action may leave your computer more vulnerable to malware if you don't follow good security + > practices or manually run antivirus scans regularly. + + ### Technical Details + + This task executes the following command: + `%PROGRAMFILES\Windows Defender\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55` [3] [4] [5]. + The `MpCmdRun.exe` is a command-line tool used for various **Defender Antivirus** functions [6]. ### Overview of default task statuses 
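Review bot: the command path in the Technical Details paragraph is missing the closing percent sign: "`%PROGRAMFILES\Windows Defender\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55`" should read `%PROGRAMFILES%\Windows Defender\MpCmdRun.exe ...`, matching the `%PROGRAMFILES%` form used in the Cleanup and Verification entries of this same patch. Separately, the unchanged context line "### Overview of default task statuses" is still a level-3 heading here, while the sibling Cleanup and Verification docs demote it to "#### Overview of default task statuses" under the new "### Technical Details" heading; demote it here too so the three task entries have the same structure.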
@@ -17822,8 +20463,10 @@ actions: [1]: https://web.archive.org/web/20231103171744/https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d "Schedule a scan in Microsoft Defender Antivirus - Microsoft Support | support.microsoft.com" [2]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" - [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" - [4]: https://web.archive.org/web/20231103171825/http://windows.fyicenter.com/4441_Windows_Defender_Scheduled_Scan_Scheduled_Task_on_Windows_8.html '"Windows Defender Scheduled Scan" Scheduled Task on Windows 8 | windows.fyicenter.com' + [3]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [4]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" + [5]: https://web.archive.org/web/20231103171825/http://windows.fyicenter.com/4441_Windows_Defender_Scheduled_Scan_Scheduled_Task_on_Windows_8.html '"Windows Defender Scheduled Scan" Scheduled Task on 
Windows 8 | windows.fyicenter.com' + [6]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" call: function: DisableScheduledTask parameters: 
@@ -17835,16 +20478,27 @@ actions: docs: |- This script disables the "Windows Defender Verification" scheduled task. - This task checks for issues with Defender, such as update problems or system file errors [1]. - It is also linked to the creation of daily system restore points [2]. - Disabling this task can prevent unnecessary system slowdowns and restore point creation, conserving disk space and system resources. - It improves privacy by reducing the system state data stored on the device. + This task is a **Defender Antivirus** component [1]. + It checks for issues with Defender, such as update problems or system file errors [2]. + It is also linked to the creation of daily system restore points [3]. + + Disabling this task may improve privacy by reducing the system state data stored on the device. + It may also boost system performance by preventing unnecessary system slowdowns and restore point creation. + This may conserve disk space and system resources. + + However, disabling this task may leave your system more vulnerable to malware and reduce your ability + to recover from system issues. + + > **Caution**: This action may reduce your system's security and recovery capabilities. + + ### Technical Details - The task is known as "Periodic verification task" in the Task Scheduler [3] [4]. + The task is known as "Periodic verification task" in the Task Scheduler [1] [4] [5]. It executes the following command: - `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification` [3] [4]. + `%PROGRAMFILES%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification` [1] [4] [5]. + The `MpCmdRun.exe` is a command-line tool used for various **Defender Antivirus** functions [6]. - ### Overview of default task statuses + #### Overview of default task statuses `\Microsoft\Windows\Windows Defender\Windows Defender Verification`: 
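Review bot: the sentence "However, disabling this task may leave your system more vulnerable to malware and reduce your ability to recover from system issues." carries no citation, while every other claim in this docs block does; the cited description of the task is that it "checks for issues with Defender, such as update problems or system file errors [2]" and is "linked to the creation of daily system restore points [3]", which supports the recovery part but not the malware part. Either cite a source for the malware claim or narrow the sentence to what [2] and [3] support (Defender self-checks and restore points). Minor style point: "Periodic verification task" and "Task Scheduler" are not bolded here, whereas the Cleanup and Scheduled Scan entries in this patch bold both.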
@@ -17853,10 +20507,12 @@ actions: | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | - [1]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? - Microsoft Community | answers.microsoft.com" - [2]: https://web.archive.org/web/20231103172413/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426 "Windows Defender / System Restore Points - Microsoft Community | answers.microsoft.com" - [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" - [4]: https://web.archive.org/web/20231103172432/http://windows.fyicenter.com/4442_Windows_Defender_Verification_Scheduled_Task_on_Windows_8.html '"Windows Defender Verification" Scheduled Task on Windows 8 | windows.fyicenter.com' + [1]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" + [3]: https://web.archive.org/web/20231103172413/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426 "Windows Defender / System Restore Points - Microsoft Community | answers.microsoft.com" + [4]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" + [5]: https://web.archive.org/web/20231103172432/http://windows.fyicenter.com/4442_Windows_Defender_Verification_Scheduled_Task_on_Windows_8.html '"Windows Defender Verification" Scheduled Task on Windows 8 | windows.fyicenter.com' + [6]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" call: function: DisableScheduledTask parameters: 
@@ -17864,289 +20520,276 @@ actions: taskPathPattern: \Microsoft\Windows\Windows Defender\ taskNamePattern: Windows Defender Verification - - category: Disable Defender services and drivers - # Windows Defender services are protected, requiring escalated methods to disable them: - # 1. Try `DisableService` first, as this is the standard method recommended for disabling services. - # 2. Try `DisableServiceInRegistry` if the first attempt fails due to access errors. - # 3. Try `DisableServiceInRegistry` with `elevateToTrustedInstaller` option as last effort. + category: Disable Defender Antivirus file activity monitoring + docs: |- + This category contains scripts that disable various file activity monitoring features of Defender Antivirus. + + These features are designed to protect your system by monitoring file activities, but they may also compromise + your privacy and affect system performance. + + Disabling these components enhances privacy by limiting the collection of data about your system, usage, and files. + It may also improve system performance during file operations. + + However, disabling these features may reduce your system's security. + Without these monitoring features, **Defender Antivirus** may be less effective at detecting and blocking certain + types of malware or unauthorized file activities. + + > **Caution**: Disabling these features can make your system more vulnerable to malware, ransomware, and unauthorized file access. children: - - name: Disable "Microsoft Defender Antivirus Service" - # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender - # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: - # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` - # `Target: MAPS_MAPSReporting. 
FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` - docs: |- - https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ + name: Disable Defender Antivirus Copy Accelerator Library + docs: |- # TODO: Archive + This script removes the Defender Antivirus Copy Accelerator Library (`MpDetoursCopyAccelerator`). - ### Overview of default service statuses + This library is referred to by Microsoft as **Malware Protection Copy Accelerator Detours Dll** [1] [2] [3]. + It is a component of **Defender Antivirus** service [4]. + It monitors and intercepts file copy operations, potentially blocking the copying of certain files [5] [6]. + It optimizes scanning by examining copied files for potential threats after a certain number of files have been transferred [7]. - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | - | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + The library uses Microsoft's **Detours** technology [3]. + This technology intercepts and monitors system functions [8]. + It allows Defender to examine files during copying [3]. + + Removing this library may improve privacy by reducing file operation monitoring. + It may also enhance system performance during file copy operations. + + However, this action may reduce system security. + Without this component, Defender may not scan files during copying, allowing malicious or unauthorized + files to be copied undetected. + + > **Caution**: + > Disabling this feature may expose the system to security risks because it may prevent Defender from + > monitoring and scanning files during copying. 
+ + ### Technical Details + + This script removes the library from the following locations: + + - `%PROGRAMFILES%\Windows Defender\MpDetoursCopyAccelerator.dll` [4] [6] + - `%PROGRAMFILES(X86)%\Windows Defender\MpDetoursCopyAccelerator.dll` [9] + + On older Windows versions, the file may be located at: + + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpDetoursCopyAccelerator.dll` [1] [2] + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\X86\MpDetoursCopyAccelerator.dll` [2] + + [1]: https://www.freefixer.com/library/file/MpDetoursCopyAccelerator.dll-314442/ "What is MpDetoursCopyAccelerator.dll? | www.freefixer.com" + [2]: http://windowfin.com/bbs/board.php?bo_table=windowfin&wr_id=908486 "What is MpDetoursCopyAccelerator.dll? Malware Protection Copy Accelerator Detours Dll File Information. ID:0908486 | windowfin.com" + [3]: https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpDetoursCopyAccelerator.dll.strings "10_0_22623_1020/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpDetoursCopyAccelerator.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com" + [4]: https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [5]: https://learn.microsoft.com/en-us/answers/questions/747179/windows-defender-copy-protection-interferes-with-o "Windows Defender copy protection interferes with our product - Microsoft Q&A | learn.microsoft.com" + [6]: 
http://www.wublub.cn/index.php/archives/705/ "Defender 的 MpCopyAccelerator 研究 - Wublub | www.wublub.cn" + [7]: https://www.taxpool.net/HTML/index.html?defender_ausnahme_erstellen.htm "Taxpool-Buchhalter Hilfe | www.taxpool.net" + [8]: https://www.microsoft.com/en-us/research/project/detours/ "Detours - Microsoft Research | www.microsoft.com" + [9]: http://cms01.ubmsinoexpo.com/C%3A/Program%20Files%20(x86)/Windows%20Defender "C:\Program Files (x86)\Windows Defender - Everything | cms01.ubmsinoexpo.com" call: - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - function: DisableServiceInRegistry + function: SoftDeleteFiles parameters: - serviceName: WinDefend # Check: (Get-Service -Name 'WinDefend').StartType - defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual - elevateToTrustedInstaller: 'true' + # Availability: 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpDetoursCopyAccelerator.dll' + minimumWindowsVersion: Windows11-21H2 + # grantPermissions: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ❌ Does not work on Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - function: SoftDeleteFiles parameters: - fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... 
- # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 22H2) + # Availability: 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES(X86)%\Windows Defender\MpDetoursCopyAccelerator.dll' + minimumWindowsVersion: Windows11-21H2 + # grantPermissions: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ❌ Does not work on Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - category: Disable Defender kernel-level drivers - children: - # - Skipping wdnsfltr ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only - - - name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service - docs: |- - https://web.archive.org/web/20240314062056/https://batcmd.com/windows/10/services/wdnisdrv/ + name: Disable "Microsoft Malware Protection Copy Accelerator Utility" process + docs: |- # TODO: Archive + This script disables the `MpCopyAccelerator.exe` process. - ### Overview of default service statuses + This process is called the **Microsoft Malware Protection Copy Accelerator Utility** [1] [2] [3] [4] [5] [6]. + It is part of **Defender Antivirus** service [1] [2], introduced in update KB4052623, version 4.18.2201.10 update [3]. 
- | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | - call: - # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: 🔍 Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - function: DisableServiceInRegistry - parameters: - serviceName: WdNisDrv # Check: (Get-Service -Name 'WdNisDrv').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - waitForDependentServicesOnStop: 'true' # Or it fails, `Microsoft Defender Antivirus Network Inspection Service (WdNisSvc)` depends on this - elevateToTrustedInstaller: 'true' - - - function: SoftDeleteFiles - parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\WdNisDrv.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - name: Disable "Microsoft Defender Antivirus Mini-Filter Driver" service - docs: |- - - https://web.archive.org/web/20240314091638/https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ - - https://web.archive.org/web/20240314062047/https://batcmd.com/windows/10/services/wdfilter/ + It monitors and intercepts file copy operations to enhance security [3] [4] [5]. - ### Overview of default service statuses + It logs copy operations [4] and sends the data to Microsoft as part of its **Asimov** telemetry [4]. + **Asimov** is a Microsoft feedback mechanism that tracks user activity in real time [7]. 
- | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Boot | - | Windows 11 (≥ 23H2) | 🟢 Running | Boot | - call: - # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: 🔍 Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - function: DisableServiceInRegistry - parameters: - serviceName: WdFilter # Check: (Get-Service -Name 'WdFilter').StartType - defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual - # notStoppable: true # See `sc queryex WdFilter`, tested since Windows 10 22H2, Windows 11 22H2. - elevateToTrustedInstaller: 'true' - - - function: SoftDeleteFiles - parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - name: Disable "Microsoft Defender Antivirus Boot Driver" service - docs: |- - https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/ + This script enhances privacy by disabling this process, preventing the logging of file copy operations + and the transmission of telemetry data to Microsoft. + Disabling this process may improve file operation performance by removing an extra layer of processing. 
- ### Overview of default service statuses + However, disabling this utility may: - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🔴 Stopped | Boot | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Boot | - call: - # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: 🔍 Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - function: DisableServiceInRegistry - parameters: - serviceName: WdBoot # Check: (Get-Service -Name 'WdBoot').StartType - defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual - elevateToTrustedInstaller: 'true' - - - function: SoftDeleteFiles - parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - name: Disable "Microsoft Defender Antivirus Network Inspection" service - docs: |- - - https://web.archive.org/web/20240314091310/https://batcmd.com/windows/10/services/wdnissvc/ - - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ + - Reduce the ability of **Defender Antivirus** to monitor and protect against malware spread through file copying. + - Affect the **Defender Antivirus**, potentially leaving your system more vulnerable to certain types of threats. - ### Overview of default service statuses + > **Caution**: This script may decrease the security of your system, as it prevents **Defender Antivirus** from monitoring certain file copy operations. 
- | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + ### Technical Details + + This script: + + - Terminates and blocks the execution of `MpCopyAccelerator.exe` + - Removes `%PROGRAMFILES%\Windows Defender\MpCopyAccelerator.exe` [2]. + + Historically, this file has been known to exist at + `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpCopyAccelerator.exe` [1] [6] + on older versions of Windows. + + Tests show that `MpCopyAccelerator.exe` is absent in Windows 10 versions 22H2 and later, + but present in Windows 11 starting from version 23H2. + + `MpCopyAccelerator.exe` process works with `MsMpEng.exe` [5] and `MpDetourCopyAccelerator.dll` [3]. + It is injected into different processes by the `MpRtp.dll` module of `MsMpEng.exe` [3]. + It intercepts file copy operations (specifically the CopyFileExW function) in the processes it is injected into [3]. + When a file copy operation is detected, the actual file creation is handled by `MpCopyAccelerator.exe` instead of the original process [3]. + `MpCopyAccelerator.exe` runs as a child process of `MsMpEng.exe` (Windows Defender) [3]. + This mechanism is triggered after multiple rapid file copy operations (e.g., six times in 18 seconds) [3]. + Despite its name as an acceleration utility, its primary purpose is security monitoring of file copy operations [3]. + It uses Remote Procedure Call (RPC) to communicate between processes [3] [4]. + It has multiple security checks to prevent unauthorized use or tampering [4]. + + [1]: https://www.file.net/process/mpcopyaccelerator.exe.html "MpCopyAccelerator.exe Windows process - What is it? 
| www.file.net" + [2]: https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [3]: http://www.wublub.cn/index.php/archives/705/ "Defender 的 MpCopyAccelerator 研究 - Wublub | wublub.cn" + [4]: https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpCopyAccelerator.exe.strings "10_0_22623_1020/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpCopyAccelerator.exe.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com" + [5]: https://baiyujia.com/vfpdocuments/f_vfp9fix250.asp "Welcome to VFP Documents | baiyujia.com" + [6]: https://www.freefixer.com/library/file/MpCopyAccelerator.exe-308540/ "What is MpCopyAccelerator.exe? 
| https://www.freefixer.com/library/file/MpCopyAccelerator.exe-308540/" + [7]: https://pureinfotech.com/asimov-track-near-real-time-windows-threshold-usage/ "‘Asimov’ lets Microsoft track in real-time Windows Threshold usage - Pureinfotech | pureinfotech.com" call: - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - function: DisableServiceInRegistry + function: TerminateAndBlockExecution parameters: - serviceName: WdNisSvc # Check: (Get-Service -Name 'WdNisSvc').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - elevateToTrustedInstaller: 'true' + executableNameWithExtension: MpCopyAccelerator.exe - function: SoftDeleteFiles parameters: - fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... - # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 22H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpCopyAccelerator.exe' + # grantPermissions: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ❌ Does not work on Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - name: Disable Microsoft Defender Core Service - docs: |- - This script disables the Microsoft Defender Core service (`MDCoreSvc`). + name: Disable Defender Antivirus file activity tracking library + docs: |- # TODO: Archive + This script removes the `MpDetours.dll` library, effectively disabling its functionality. 
- The Microsoft Defender Core service is a component of **Defender Antivirus** [1] [2]. - It is included in **Microsoft Defender for Endpoint** suite. [1] [2] [3]. - It contributes to the stability and performance of Defender Antivirus [1]. + `MpDetours.dll` is called **Malware Protection Detours Dll** by Microsoft [1] [2]. + It is part of **Defender Antivirus** service [3] [4]. + It is a library designed to offer runtime protection and enforce security policies [4]. + The library monitors and controls system operations to prevent unauthorized access and data leaks [4]. + It achieves this by intercepting actions and enforcing security policies [4]. - This script improves privacy by disabling this service. - It reduces data collection associated with Microsoft Defender Antivirus and Microsoft Defender for Endpoint. - It may also increase system performance by removing a background process. - However, disabling this service may reduce system security. - As a core operating system component, its removal may also affect system stability. + It specifically monitors: + + - **Clipboard operations**: + Controlling copy and paste activities to prevent unauthorized data transfers [4]. + - **Printing tasks**: + Monitoring and controlling print jobs to prevent unauthorized outputs [4]. + - **Drag-and-drop actions**: + Monitoring file movements to prevent data leaks [4]. + - **System components:** + It employs techniques like DLL injection and API hooking, referred to as **Detours** [4]. + This technology allows intercepting and monitoring system functions [4] [5]. + + It also: + + - Logs security-related events [4] + - Implements security policies [4] + - Manages processes and threads [4] + + This script enhances your privacy by stopping Windows from monitoring your clipboard content, print jobs, + and file transfer activities. + It may also lead to a minor improvement in system performance by reducing background monitoring processes. 
+ + However, removing this component may decrease your system's security. + Without it, your computer may be more vulnerable to data theft or unauthorized data sharing. + This may also conflict with your organization's security policies, especially if you are using a work-managed device. + + > **Caution**: This action may increase your vulnerability to data breaches and malware infections. ### Technical Details - The service is technically identified as `MDCoreSvc` [1] [2] [4] [5]. - Its executable is `MpDefenderCoreService.exe` [1] [2] [5] [6]. - This process is also known as "Antimalware Core Service" [1] [2] [6]. - It's typically located in the `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\\` - folder [6]. - It may be found on modern versions of Windows [5]. + This script removes the library file from: - ### Overview of default service statuses + - `%PROGRAMFILES%\Windows Defender\MpDetours.dll` [1] [3] + - `%PROGRAMFILES(X86)%\Windows Defender\MpDetours.dll` [6] - According to tests, the availability of this service varies across different Windows versions, - depending on the installed Defender antivirus updates. 
+ On older Windows versions, the file may be located at: - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | - | Windows 11 (≥ 23H2) | 🟡 Missing | N/A | + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpDetours.dll` [2] + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\X86\MpDetours.dll` [2] - [1]: https://web.archive.org/web/20240728143438/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-core-service-overview "Microsoft Defender Core service overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20240728143825/https://learn.microsoft.com/en-sg/answers/questions/1778162/how-to-fully-uninstall-clean-up-microsoft-defender "How to fully Uninstall/Clean-up Microsoft Defender Endpoint - Microsoft Q&A | learn.microsoft.com" - [4]: https://web.archive.org/web/20240728143822/https://github.com/undergroundwires/privacy.sexy/issues/385 "[Bug]: Defender is not completely disabled · Issue #385 · undergroundwires/privacy.sexy | github.com" - [5]: https://web.archive.org/web/20240724234608/https://techcommunity.microsoft.com/t5/public-sector-blog/december-2023-microsoft-365-us-public-sector-roadmap-newsletter/ba-p/4010161 "December 2023 - Microsoft 365 US Public Sector Roadmap Newsletter - Microsoft Community Hub | techcommunity.microsoft.com" - [6]: https://web.archive.org/web/20240724234556/https://www.file.net/process/mpdefendercoreservice.exe.html "MpDefenderCoreService.exe Windows process - What is it? 
| file.net" + [1]: https://www.exedb.com/en/mpdetours---1135370-jpfcf3ybw8lfsh9.asp "mpdetours.dll File Removal, Download, and Error Fixing Guide | www.exedb.com" + [2]: http://windowfin.com/bbs/board.php?bo_table=windowfin&wr_id=913338 "What is MpDetours.dll? Malware Protection Detours Dll File Information. ID:0913338 | windowfin.com" + [3]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [4]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpDetours.dll.strings " [7]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "10_0_22622_601/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpDetours.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · WinDLLsExports/10_0_22622_601 | github.com" + [5]: https://www.microsoft.com/en-us/research/project/detours/ "Detours - Microsoft Research | www.microsoft.com" + [6]: https://bt4gprx.com/magnet/2bLJmDB0ebn8kqyVE2TxGwwjrfGMAUoYB "Program Files (x86) Torrent download | bt4gprx.com" + [7]: https://learn.microsoft.com/en-us/purview/endpoint-dlp-getting-started "Get started with endpoint data loss prevention | Microsoft Learn | learn.microsoft.com" call: - # - - # # Commented out because it does not work due to permission errors. 
- # function: DisableServiceInRegistry - # parameters: - # # Note: Always get "Permission Denied", could not find a way., https://github.com/undergroundwires/privacy.sexy/issues/385 - # # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ❌ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # # Windows 11 (23H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ❌ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # serviceName: MDCoreSvc # Check: (Get-Service -Name 'MDCoreSvc').StartType - # defaultStartupMode: Automatic - # elevateToTrustedInstaller: 'true' - - function: TerminateAndBlockExecution - # Successfully disables Microsoft Defender Core Service - # and prevents it from running in the background. - # Tested and verified since Windows 10 Pro 22H2 and Windows 11 Pro 23H2 - # using Windows Defender Antivirus antimalware platform - Version 4.8.2001.100. - # It requires computer restart as it cannot terminate the process but can prevent its future execution. 
+ function: SoftDeleteFiles parameters: - executableNameWithExtension: MpDefenderCoreService.exe + # Availability: 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpDetours.dll' + minimumWindowsVersion: Windows11-21H2 + # grantPermissions: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ❌ Does not work on Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - function: SoftDeleteFiles parameters: - fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpDefenderCoreService.exe' - # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - function: ShowComputerRestartSuggestion + # Availability: 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%PROGRAMFILES(X86)%\Windows Defender\MpDetours.dll' + minimumWindowsVersion: Windows11-21H2 + # grantPermissions: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ❌ Does not work on Windows 11 Pro (≥ 21H2) + elevateToTrustedInstaller: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - - name: Disable Defender Antivirus shared service components - docs: |- - This script disables Microsoft Defender Antivirus shared service components. + name: Disable Defender Antivirus "File Risk Estimation" library + docs: |- # TODO: Archive + This script disables the **File Risk Estimation** library. - This script may enhance privacy by reducing the system's monitoring and data collection capabilities. - It may also improve system performance by reducing background processes and resource usage. + This library is a component of **Defender Antivirus** service [1] [2]. + It is officially named **File Risk Estimation** [3] [4] [5]. 
- However, disabling these components may significantly reduce system security. - Without these components, the system becomes more vulnerable to malware, viruses, and other cyber threats. + It is responsible for: - > **Caution:** This action disables your antivirus protection, exposing your computer to viruses and other cyber threats. + - Generalizing system imaging or deployment [2] + - Logging system data [2] + - Configuring registry entries for **Defender Antivirus** [2] + - Performing cleanup operations related to **Defender Antivirus** [2] + - Interacting with **Windows Security** [2] + + Disabling this library may enhance your privacy by reducing system data logging and + limiting Defender's interactions with your system. + It may also improve boot performance by eliminating a component that runs during system startup. + However, removing this library impairs functionality of **Defender Antivirus** and **Windows Security**. + + > **Caution**: + > This action may leave your system more vulnerable to malware and other security threats. + > Consider having alternative security measures in place. ### Technical Details - The script disables the following components: + This script deletes the library from the following locations: - - Microsoft Windows Defender COM application with CLSID `A2D75874-6750-4931-94C1-C99D3BC9D0C7` [1] [2] - and AppID `A79DB36D-6218-48e6-9EC9-DCBA9A39BF0F` [1] [2]. - It is component of Defender Antivirus (`WinDefend`) [2] [3]. - Its file is at `%PROGRAMFILES%\Windows Defender\MpAsDesc.dll` [1] [2]. - It also uses `MsMpCom.dll` for in-process COM servers [1] [2]. - - Microsoft Windows Defender COM Utility Type Library (`8C389764-F036-48F2-9AE2-88C260DCF43B`) [2] - - DLL `MpAsDesc.dll` located at `%PROGRAMFILES%\Windows Defender\MpAsDesc.dll` [1] - Defender services like `WdNisDrv`, `WdBoot`, `WinDefend`, `WdNisSvc` all depends on this file [4]. 
- - DLL `MsMpCom.dll` located at `%PROGRAMFILES%\Windows Defender\MsMpCom.dll` [1] [2] + - `SYSTEMROOT%\System32\Windows Defender\winshfhc.dll` [1] [3] [4] + - `%SYSTEMROOT%\SysWOW64\Windows Defender\winshfhc.dll` [4] [5] - [1]: https://web.archive.org/web/20240829212450/https://strontic.github.io/xcyclopedia/library/clsid_A2D75874-6750-4931-94C1-C99D3BC9D0C7.html "CLSID A2D75874-6750-4931-94C1-C99D3BC9D0C7 | Microsoft Windows Defender | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" - [3]: https://web.archive.org/web/20240829212436/https://learn.microsoft.com/en-us/defender-endpoint/configure-server-endpoints#known-issues-and-limitations-in-the-new-unified-solution-package-for-windows-server-2016-and-windows-server-2012-r2 "Onboard Windows servers to the Microsoft Defender for Endpoint service - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" - [4]: https://web.archive.org/web/20240829212123/https://github.com/privacysexy-forks/SchoolNotes/blob/af823cecc159021e1a54fb5ca15d54ce35734ee9/ifs4102/Assignments/Assignment-2/a2system.txt "SchoolNotes/ifs4102/Assignments/Assignment-2/a2system.txt at af823cecc159021e1a54fb5ca15d54ce35734ee9 · privacysexy-forks/SchoolNotes | github.com" + [1]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest 
"nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [2]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/winshfhc.dll.strings "10_0_22622_601/C/Windows/SysWOW64/winshfhc.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com" + [3]: https://strontic.github.io/xcyclopedia/library/winshfhc.dll-E6D3904B89FD3ECEB5C2DFB05BBFB91D.html "winshfhc.dll | File Risk Estimation | STRONTIC | strontic.github.io" + [4]: https://dll.website/winshfhc-dll "WINSHFHC.DLL | dll.website" + [5]: https://strontic.github.io/xcyclopedia/library/winshfhc.dll-7171BA6C9DA0BD128A172562FB8B7B1D.html "winshfhc.dll | File Risk Estimation | STRONTIC | strontic.github.io" call: - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\AppID\{A79DB36D-6218-48e6-9EC9-DCBA9A39BF0F} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - function: SoftDeleteRegistryKey - parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - keyPath: HKLM\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B} - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - - - function: SoftDeleteFiles # ❌ TrustedInstaller is not enough; requires safe mode or disabled 
protection + function: SoftDeleteFiles parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - fileGlob: '%PROGRAMFILES%\Windows Defender\MpAsDesc.dll' - # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%SYSTEMROOT%\System32\winshfhc.dll' + grantPermissions: 'true' # ✅ Protected on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - function: SoftDeleteFiles parameters: - # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) - fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpCom.dll' - # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2) - elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 21H2) + fileGlob: '%SYSTEMROOT%\SysWOW64\winshfhc.dll' + grantPermissions: 'true' # ✅ Protected on Windows 10 Pro (≥ 22H2) | ✅ Works on Windows 11 Pro (≥ 21H2) - category: Disable Defender Firewall docs: |- 
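Review bot: the `[4]` reference entry in the MpDetours script's docs is garbled: its title string runs into a second URL labelled `[7]` (the nickel-x64 manifest) followed by the title for the `10_0_22622_601 ... MpDetours.dll.strings` page, and `[7]` is then defined a second time as the Purview endpoint-DLP page, so `[4]` will not render and `[7]` is ambiguous. Restore `[4]` as the single `MpDetours.dll.strings` URL with its own title and drop the stray `[7]` fragment inside it. In the winshfhc.dll docs, `SYSTEMROOT%\System32\Windows Defender\winshfhc.dll` is missing its leading `%`, and the documented locations (`System32\Windows Defender\winshfhc.dll`, `SysWOW64\Windows Defender\winshfhc.dll`) do not match the `fileGlob` values the call actually deletes (`%SYSTEMROOT%\System32\winshfhc.dll`, `%SYSTEMROOT%\SysWOW64\winshfhc.dll`); correct whichever side is wrong so readers can verify what the script removes. The `docs: |- # TODO: Archive` marker should be resolved before merging, since the MpDetours references `[1]`, `[2]`, `[4]` and `[6]` are live links, and `[6]` is a torrent index page, which is a weak source for a file location. Minor: the `grantPermissions` comment `# ✅ Protected on Windows 10 Pro (≥ 22H2)` mixes the ✅ marker with the "Protected" wording that the rest of the file pairs with 🔒️.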
@@ -18359,6 +21002,86 @@ actions: grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - function: ShowComputerRestartSuggestion + - + name: Disable Microsoft Security WFP Callout Driver + docs: |- + This script disables the **Microsoft Security WFP Callout Driver**. + This is a kernel-mode driver [1]. + Windows uses this driver to monitor and control network traffic for security purposes [2]. + + It is part of the **Windows Filtering Platform (WFP)**. + **WFP** provides a framework for building network filtering applications [2]. + It is used by built-in **Defender Firewall** to filter network packets [2]. + It works on TCP/IP communication using **TCP/IP Protocol Driver** (`Tcpip`) [1]. + + The driver is a **callout driver**. + This means that it processes network data beyond simple filtering [3]. + It performs deep inspections, modifies packet or stream data, and logs network activity [3]. + This helps manage and enforce security policies for network traffic [4]. + + Disabling this driver may enhance privacy by preventing the system from performing detailed network data inspections and logging. + Additionally, the script may slightly boost system performance and shorten boot times by stopping the driver from loading at startup. + + On On modern Windows versions, this driver is either missing entirely or is stopped and set to **Manual** by default [1]. + This means it does not actively run unless specifically triggered. + + However, disabling this driver poses security risks: + + - **Reduced threat detection:** + Your system may become more vulnerable to network-based attacks. + - **Reduced firewall effectiveness:** + The **Defender Firewall** may not work as effectively to monitor and block malicious network traffic. + - **Potential system instability:** + Other security features or applications that depend on this driver may not function properly. 
+ + > **Caution**: + > Disabling this driver may reduce your system's network security. + > Consider having alternative security measures in place. + + ### Technical Details + + This script: + + - Disables its service named `MsSecWfp` [1]. + - Removes the driver file. + - This driver file is located at `%SYSTEMROOT%\System32\drivers\mssecwfp.sys` [1] [5]. + - This file exists on Windows 10 Pro (≥ 22H2) and Windows 11 Pro ≥ 22H2 but not on Windows 11 21H2. + - Removes its associated library. + - This library is located at `%SYSTEMROOT%\System32\mssecwfpu.dll` [6]. + - It is named **Microsoft Security Network Isolation WFP Library** [6]. + + While some sources may mention `MsSecFltWfp.sys`, this file has not been found in any version of Windows. + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | + | Windows 11 (21H2) | 🟡 Missing | N/A | + | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual | + + [1]: http://web.archive.org/web/20241009112626/https://batcmd.com/windows/11/services/mssecwfp/ "Microsoft Security WFP Callout Driver - Windows 11 Service - batcmd.com | batcmd.com" + [2]: https://web.archive.org/web/20241009112634/https://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-start-page "Windows Filtering Platform - Win32 apps | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20241009112626/https://learn.microsoft.com/en-us/windows-hardware/drivers/network/introduction-to-windows-filtering-platform-callout-drivers "Introduction to Windows Filtering Platform Callout Drivers - Windows drivers | Microsoft Learn | learn.microsoft.com" + [4]: https://archive.ph/2024.10.09-113421/https://techloris.com/library/sys/mssecwfp-sys/ "Mssecwfp.sys: Troubleshooting Guide | TechLoris | techloris.com" + [5]: https://archive.ph/2024.10.09-113246/https://support.citrix.com/s/article/CTX691481-specific-defender-files-are-missing-from-the-published-image?language=en_US 
"Specific Defender files are missing from the published image | support.citrix.com" + [6]: https://archive.ph/2024.10.09-120635/https://x.com/XenoPanther/status/1603106223129526273 "Xeno on X: "Changes between 25262 and 25267: mssecwfpu.dll (Microsoft Security Network Isolation WFP Library) has been added to System32. wslg.exe has been removed now exists in the SystemApps folder -" / X | x.com" + call: + - + function: DisableService + parameters: + serviceName: MsSecWfp # Check: (Get-Service -Name 'MsSecWfp').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | 🔍 Missing on Windows 11 Pro (21H2) | ✅ Windows 11 Pro (≥ 22H2) + fileGlob: '%SYSTEMROOT%\System32\drivers\mssecwfp.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 (≥ 22H2) | 🔍 Missing on Windows 11 Pro (21H2) | 🔒️ Protected on Windows 11 (≥ 22H2) + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | 🔍 Missing on Windows 11 Pro (21H2) | ✅ Windows 11 Pro (≥ 22H2) + fileGlob: '%SYSTEMROOT%\System32\mssecwfpu.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 (≥ 22H2) | 🔍 Missing on Windows 11 Pro (21H2) | 🔒️ Protected on Windows 11 (≥ 22H2) - name: Disable firewall via command-line utility # ❗️ Following must be enabled and in running state: 
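Review bot: the `DisableService` call for `MsSecWfp` has no per-version tested matrix comment (the `# Windows 10 (22H2): ❌ DisableService | ✅ DisableServiceInRegistry ...` line that the `Sense` and `wscsvc` entries in this same patch carry), so it is not clear whether `DisableService` was verified against a `Manual` driver that the table marks 🟡 Missing on Windows 11 21H2; add the matrix or switch to the pattern the other entries use. In the docs, "On On modern Windows versions" has a duplicated word, and the sentence "Windows uses this driver to monitor and control network traffic for security purposes [2]" cites the generic Windows Filtering Platform start page, which does not describe this driver; attribute it to `[1]` or `[4]` instead.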
@@ -18539,26 +21262,109 @@ actions: docs: |- https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/ - ### Overview of default service statuses + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + call: + - + function: DisableServiceInRegistry + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + parameters: + serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Data Loss Prevention Service" service + docs: |- + This script disables the Microsoft Data Loss Prevention (DLP) Service. + + The service is known by several names: + + - Microsoft Data Loss Prevention Service [1] [2] [3] + - Microsoft Endpoint DLP service [2] + - Microsoft Purview Data Loss Prevention Service [1] + + This service is a component of both **Defender Antivirus** and **Defender for Endpoint** [1]. + It is also included in the larger **Microsoft Purview** offering [1] [4]. + + This service provides DLP (Data Loss Prevention) functionality [3] [5]. + It helps organizations prevent the unauthorized sharing of sensitive data [4]. 
+ It automatically identifies, monitors, and protects sensitive data across Microsoft services, applications, and devices [4]. + DLP uses deep content analysis to detect sensitive information that aligns with organizational policies [4]. + Techniques include keyword matching, regular expressions, function validation, proximity analysis, and machine learning algorithms [4]. + + This script enhances privacy by stopping data collection on your files and activities. + It may also boost system performance by reducing background processes. + + However, disabling this service may reduce security by disabling organizational data protection mechanisms. + On work or school computers, disabling this service may violate organizational policies and compliance requirements. + + > **Caution:** This script may lower security by disrupting organizational data protection mechanisms. + + ### Technical Details + + The script performs the following actions: + + - Disables the `MDDlpSvc` service. + - Deletes the `MpDlpService.exe` file. + - Prevents the execution of `MpDlpService.exe`. + + The service is named `MDDlpSvc` [3] and is available on Windows 10 and 11 [3]. + This service runs the `MpDlpService.exe` process [1] [2] [3] [5]. + The process is located at + + - `%PROGRAMFILES%\Windows Defender` on older Windows versions (Windows 10 or Windows Server 2019 and above) [1]. + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\\` on modern Windows versions + (tested since Windows 10 Pro ≥ 22H2 and Windows 11 Pro ≥ 23H2) + + Historically, this functionality was part of the Defender main service [5]. + In 2024, Microsoft separated DLP functionality into its own process [3] [5]. 
+ + #### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + | Windows 10 (≥ 22H2) | 🟡 Missing | N/A | + | Windows 11 (≥ 23H2) | 🟡 Missing | N/A | + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240728184012/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240724234608/https://techcommunity.microsoft.com/t5/public-sector-blog/december-2023-microsoft-365-us-public-sector-roadmap-newsletter/ba-p/4010161#toc-hId-115986265 "December 2023 - Microsoft 365 US Public Sector Roadmap Newsletter - Microsoft Community Hub | techcommunity.microsoft.com" + [4]: https://web.archive.org/web/20241003105017/https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp "Learn about data loss prevention | Microsoft Learn | learn.microsoft.com" + [5]: https://archive.ph/2024.10.03-105259/https://m365admin.handsontek.net/decoupling-microsoft-purview-data-loss-prevention-dlp-process-form-microsoft-defender-for-endpoint-on-windows-devices/ "Decoupling Microsoft Purview Data Loss Prevention (DLP) Process form Microsoft Defender for Endpoint on Windows Devices - M365 Admin | m365admin.handsontek.net" call: - - function: DisableServiceInRegistry - # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with 
`elevateToTrustedInstaller` - # Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + function: DisableService parameters: - serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + serviceName: MDDlpSvc # Check: (Get-Service -Name 'MDDlpSvc').StartType + defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: SoftDeleteFiles parameters: - fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + # Availability: ❌ Windows 10 Pro (≥ 21H2) | ❌ Windows 11 Pro (≥ 19H1) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpDlpService.exe' + elevateToTrustedInstaller: 'true' # Unable to test, but usually files in this folder requires TrustedInstaller + # - + # # Commented out because it does not work due to permission errors even as TrustedInstaller + # function: SoftDeleteFiles + # parameters: + # # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) (usiung Defender v4.18.24080.9-0) + # fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpDlpService.exe' + # # grantPermissions: false # ❌ Cannot grant permissions since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MpDlpService.exe - name: Disable Defender for Endpoint remote configuration recommend: strict # No clear security benefits, potential risks for personal use 
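Review bot: the MDDlpSvc docs contradict their own status table: the text says the service "is available on Windows 10 and 11 [3]" while the table lists it as 🟡 Missing on both Windows 10 (≥ 22H2) and Windows 11 (≥ 23H2), which also means `defaultStartupMode: Automatic` on the `DisableService` call could not have been verified; clarify the availability statement (for example, that it depends on the installed Defender platform version) and mark the default as untested. The availability comment `# Availability: ❌ Windows 10 Pro (≥ 21H2) | ❌ Windows 11 Pro (≥ 19H1)` names a Windows 11 19H1 that does not exist, and since that path is ❌ on both systems while the `%PROGRAMDATA%\...\Platform\*\MpDlpService.exe` deletion is commented out, the only active `SoftDeleteFiles` targets a path absent on every tested system, so the docs bullet "Deletes the `MpDlpService.exe` file" overstates what the script does; `TerminateAndBlockExecution` is the effective control here. Minor: `# Allowed values: Automatic | Manual` differs from the `Boot | System | Automatic | Manual` used on the other `DisableService` calls, and `usiung` in the commented-out block is a typo.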
@@ -21113,7 +23919,7 @@ actions: It is a component of ***Windows Security** [3] (formerly **Windows Defender Security Center** [4]). It operates in the background, scanning your device for threats and sending notifications as necessary [3]. The service is associated with the `SecurityHealthSystray.exe` process, which manages system tray - functionality for Windows Security [3] [5]. + functionality for **Windows Security** [3] [5]. The system tray, or notification area, is part of the Windows taskbar at the bottom-right corner of the screen [6]. Disabling this service may enhance your privacy by reducing background monitoring. @@ -21139,6 +23945,7 @@ actions: | ---- | ----------------------- | ----------------------- | | `%SYSTEMROOT%\System32\SecurityHealth\\SecurityHealthSSO.dll` | ❌ Missing | ✅ Exists | | `%SYSTEMROOT%\System32\SecurityHealthSSO.dll` [1] [2] | ❌ Missing | ✅ Exists | + | `%SYSTEMROOT%\System32\SecurityHealthSsoUdk.dll` [7] [8] | ❌ Missing | ✅ Exists | [1]: https://web.archive.org/web/20240829161045/https://strontic.github.io/xcyclopedia/library/SecurityHealthSSO.dll-3C4BE8F167045062380124D2D5BE8C1B.html "SecurityHealthSSO.dll | Security Health SSO | STRONTIC | strontic.github.io" [2]: https://web.archive.org/web/20240829161040/https://strontic.github.io/xcyclopedia/library/clsid_6D40A6F9-3D32-4FCB-8A86-BE992E03DC76.html "CLSID 6D40A6F9-3D32-4FCB-8A86-BE992E03DC76 | CLSID_DefenderShellServiceObject | STRONTIC | strontic.github.io" 
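Review bot: the context line `It is a component of ***Windows Security** [3]` carries an unbalanced triple asterisk that this hunk leaves in place while it bolds **Windows Security** on the very next changed line; since the hunk already touches this paragraph, change it to `**Windows Security**` so the paragraph renders.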
@@ -21146,6 +23953,8 @@ actions: [4]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" [5]: https://web.archive.org/web/20240829161012/https://oshibaetsya.ru/securityhealthsystray-exe-oshibka/ "Securityhealthsystray exe ошибка - Не ошибается лишь тот, кто ничего не делает! | oshibaetsya.ru" [6]: https://web.archive.org/web/20240829161654/https://learn.microsoft.com/en-us/windows/win32/shell/notification-area "Notifications and the Notification Area - Win32 apps | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20241001125912/https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/System32/SecurityHealthSsoUdk.dll.strings "10_0_22000_1165/C/Windows/System32/SecurityHealthSsoUdk.dll.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d · privacysexy-forks/10_0_22000_1165 | github.com" + [8]: https://archive.ph/2024.10.01-130020/https://www.dllme.com/dll/files/securityhealthssoudk "SecurityHealthSsoUdk.dll : Free .DLL download. | www.dllme.com" call: - function: SoftDeleteRegistryKey @@ -21173,6 +23982,13 @@ actions: # Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) fileGlob: '%SYSTEMROOT%\System32\SecurityHealth\*\SecurityHealthSSO.dll' grantPermissions: 'true' # 🔍 Missing on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteFiles + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthSsoUdk.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) minimumWindowsVersion: Windows11-FirstRelease - name: Disable "Windows Security Service" service 
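Review bot: the new `SoftDeleteFiles` block is inserted between the `SecurityHealth\*\SecurityHealthSSO.dll` entry and its `minimumWindowsVersion: Windows11-FirstRelease` line, so after this patch that version gate attaches to the new `SecurityHealthSsoUdk.dll` entry while the SSO entry receives the added `maximumWindowsVersion: Windows10-MostRecent`. That inverts the gating: the SSO entry's own comment says `❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)`, so limiting it to Windows 10 makes it run only where the file is missing, and the Udk entry, whose comment says ✅ on both, would be limited to Windows 11. Insert the new block after the `minimumWindowsVersion` line and drop the `maximumWindowsVersion` addition unless it is meant for another entry. Also, the Udk availability comment (`✅ Windows 10 Pro (≥ 22H2)`) disagrees with the table row added in the previous hunk, which shows `SecurityHealthSsoUdk.dll` as ❌ Missing in the first column, the column that for the `SecurityHealthSSO.dll` rows corresponds to Windows 10; one of the two is wrong.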
@@ -21237,6 +24053,10 @@ actions: # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 22H2) fileGlob: '%SYSTEMROOT%\System32\SecurityHealthService.exe' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SecurityHealthService.exe - name: Disable "Windows Security Service" interactions docs: |- 
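Review bot: the added `TerminateAndBlockExecution` for `SecurityHealthService.exe` follows the file deletion but no `ShowComputerRestartSuggestion`; the comment on the MDCoreSvc entry earlier in this patch states that this function "cannot terminate the process but can prevent its future execution" and "requires computer restart", so either add the restart suggestion here or note in the entry's docs that the block takes effect after a reboot, as the MDDlpSvc docs do with "Prevents the execution of `MpDlpService.exe`".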
@@ -21834,6 +24654,266 @@ actions: keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\AppId\{4fe95d37-3459-4ecc-ac3e-f7abbe4e8aed} elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔍 Missing on Windows 11 Pro (≥ 23H2) maximumWindowsVersion: Windows10-MostRecent + - + name: Disable "Windows Security Center" service + docs: |- + This script disables the **Windows Security Center service**. + **Windows Security Center** is renamed to **Windows Security** in newer versions of Windows [1]. + + The **Windows Security Center Service** monitors and reports security health settings on your computer [2] [3]. + These settings include the status of protective software, system updates, and critical security configurations [2] [3]. + + The service allows security software to report their status and enables programs to access this data [2] [3]. + It powers the **Security and Maintenance** control panel and system tray alerts [2] [3]. + **Network Access Protection (NAP)** uses it for network quarantine decisions [2] [3]. + **Windows Security**, which displays protection status, relies on this service [4]. + + Disabling this service does not disable **Defender Antivirus** or **Defender Firewall** [4]. + + Disabling this service may improve your privacy by reducing the information collected and shared about your system's security status. + It may also enhance system performance by eliminating background processes. + However, this action may lower your overall security [4] [5]. + This can lead to issues with non-Microsoft antivirus solutions and affect how their information is displayed in the + **Windows Security** app [5]. + Without this service, important security alerts or status updates may not be received. + + > **Caution:** Disabling this service may make your system more vulnerable to threats and disrupt security software. 
+ + ### Technical Details + + This script disables: + + - The `wscsvc` service [2] [3] [4] [5] + - The service file 'wscsvc.dll' [2] [3] + + #### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | + | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + + [1]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240930094238/https://batcmd.com/windows/11/services/wscsvc/ "Security Center - Windows 11 Service - batcmd.com | batcmd.com" + [3]: https://web.archive.org/web/20240930094831/https://revertservice.com/10/wscsvc/ "Security Center (wscsvc) Service Defaults in Windows 10 | revertservice.com" + [4]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [5]: https://web.archive.org/web/20240930093428/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-compatibility "Microsoft Defender Antivirus compatibility with other security products - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + - + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # Windows 11 (23H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with `elevateToTrustedInstaller` + function: DisableServiceInRegistry + parameters: + serviceName: wscsvc # Check: (Get-Service -Name 'wscsvc').StartType + defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual + 
elevateToTrustedInstaller: 'true' + - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\wscsvc.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + name: Disable "Windows Security Center" service integrations + docs: |- + This script disables the **Windows Security Center Service** (`wscsvc`) communication with other security software. + + The **Windows Security Center Service** uses APIs (special programming tools) that allow security programs to + share their status with Windows [1] [2]. + In recent Windows versions, this service is part of **Windows Security** (formerly **Windows Security Center**) [3]. + + Disabling these interfaces may enhance privacy by limiting the information shared about your system's security status. + It may also improve system performance by reducing background processes. + + However, disabling this communication has significant drawbacks: + + - It may disrupt how security information is displayed in the Windows Security app [4]. + - Third-party antivirus solutions may not function properly or report their status correctly [4]. + - You may miss important security warnings or updates. + - **Network Access Protection (NAP)**, which helps secure your network, may not work properly [1] [2]. + + > **Caution:** This script may reduce your system's overall security by disrupting communication between security components. + + ### Technical Details + + This script disables the `Microsoft-Windows-SecurityCenter-Broker` package, which manages communication for + **Windows Security Center** [3]. 
+ + - Files: + - `%SYSTEMROOT%\System32\SecurityCenterBrokerPS.dll` [3] + - Interfaces used to display information: + - `__x_Windows_CSecurityCenter_CIWscBrokerManager` (`B529B7F5-76AA-431F-AD7F-1272FEEDFF07`) [3] + - `__x_Windows_CSecurityCenter_CIWscBrokerManagerSink` (`2A23AE77-9BFC-4B7B-8520-2D7B3E4A40B6`) [3] + - `__x_Windows_CSecurityCenter_CIWscCloudBackupProvider` (`17966E44-DA6F-4AA9-B30E-5D4CCA5F5933`) [3] + - `__x_Windows_CSecurityCenter_CICbpBrokerCallback` (`CBBC9C52-0741-4E3C-8E87-711722F8740D`) [3] + - `__x_Windows_CSecurityCenter_CIWscDataProtection` (`642D1BFD-FD78-488D-8E3B-AEB1195FE4DE`) [3] + - `__x_Windows_CSecurityCenter_CISecurityAppBrokerSink` (`0A4B1BED-FD27-4932-9094-F0738284DEB4`) [3] + - `__x_Windows_CSecurityCenter_CISecurityAppBroker` (`E8CE0994-D686-46F8-A719-9EB1436EC690`) [3] + - `__x_Windows_CUI_CShell_CISecurityAppManager` (`96AC500C-AED4-561D-BDE8-953520343A2D`) [3] + - Activatable classes: + - `Windows.SecurityCenter.WscBrokerManager` [3] + - `Windows.SecurityCenter.WscCloudBackupProvider` [3] + - `Windows.SecurityCenter.WscDataProtection` [3] + - `Windows.SecurityCenter.SecurityAppBroker` [3] + - `Windows.UI.Shell.SecurityAppManager` [3] + - Registry keys: + - `HKLM\Software\Microsoft\WindowsRuntime\Server\wscsvc` [3] + - COM objects: + - `SecurityCenterBrokerProxyStubFactory` (`d5c88c8b-eca2-4921-a2e4-b1a390bad510`) [3] + + [1]: https://web.archive.org/web/20240930094238/https://batcmd.com/windows/11/services/wscsvc/ "Security Center - Windows 11 Service - batcmd.com | batcmd.com" + [2]: https://web.archive.org/web/20240930094831/https://revertservice.com/10/wscsvc/ "Security Center (wscsvc) Service Defaults in Windows 10 | revertservice.com" + [3]: https://archive.today/2024.09.30-104029/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-broker_31bf3856ad364e35_10.0.22621.1_none_bcd58d01f13dff5c.manifest 
"nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-broker_31bf3856ad364e35_10.0.22621.1_none_bcd58d01f13dff5c.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" + [4]: https://web.archive.org/web/20240930093428/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-compatibility "Microsoft Defender Antivirus compatibility with other security products - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\SecurityCenterBrokerPS.dll' + # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{B529B7F5-76AA-431F-AD7F-1272FEEDFF07} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{B529B7F5-76AA-431F-AD7F-1272FEEDFF07} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{2A23AE77-9BFC-4B7B-8520-2D7B3E4A40B6} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{2A23AE77-9BFC-4B7B-8520-2D7B3E4A40B6} + elevateToTrustedInstaller: 'true' # 🔒️ 
Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{17966E44-DA6F-4AA9-B30E-5D4CCA5F5933} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{17966E44-DA6F-4AA9-B30E-5D4CCA5F5933} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{CBBC9C52-0741-4E3C-8E87-711722F8740D} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{CBBC9C52-0741-4E3C-8E87-711722F8740D} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{642D1BFD-FD78-488D-8E3B-AEB1195FE4DE} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{642D1BFD-FD78-488D-8E3B-AEB1195FE4DE} + elevateToTrustedInstaller: 'true' # 🔒️ 
Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{0A4B1BED-FD27-4932-9094-F0738284DEB4} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{0A4B1BED-FD27-4932-9094-F0738284DEB4} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{E8CE0994-D686-46F8-A719-9EB1436EC690} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{E8CE0994-D686-46F8-A719-9EB1436EC690} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{96AC500C-AED4-561D-BDE8-953520343A2D} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{96AC500C-AED4-561D-BDE8-953520343A2D} + elevateToTrustedInstaller: 'true' # 🔒️ 
Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.SecurityCenter.WscBrokerManager + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.SecurityCenter.WscCloudBackupProvider + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.SecurityCenter.WscDataProtection + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.SecurityCenter.SecurityAppBroker + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Shell.SecurityAppManager + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: 
HKLM\Software\Microsoft\WindowsRuntime\Server\wscsvc + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{d5c88c8b-eca2-4921-a2e4-b1a390bad510} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{d5c88c8b-eca2-4921-a2e4-b1a390bad510} + elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) - name: Remove "Windows Security" system tray icon docs: |- @@ -23392,7 +26472,8 @@ actions: Firewall settings can still be managed through other methods, such as PowerShell or Windows Security. > **Caution**: - > This script removes a user-friendly tool for managing the firewall, potentially making it harder to control computer security settings. + > This script removes a user-friendly tool for managing the firewall, potentially making it harder to + > control computer security settings. ### Technical Details 
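Review bot: In the `Disable "Windows Security Center" service integrations` call list, the `SoftDeleteFiles` step for `%SYSTEMROOT%\System32\SecurityCenterBrokerPS.dll` has `# grantPermissions: 'true'` commented out while its trailing comment still says `🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2`; the `wscsvc.dll` step in the preceding script keeps `grantPermissions: 'true'` with the identical comment. Either re-enable the parameter or replace the comment with the reason it is omitted, so the two scripts do not contradict each other. Two smaller points in the same hunk: the parameter comment `# Alowed values: Boot | System | Automatic | Manual` on the `defaultStartupMode: Automatic` line has a typo (`Allowed`), and the docs list item `The service file 'wscsvc.dll'` should use backticks like every other file name in these docs.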
@@ -23448,6 +26529,92 @@ actions: # Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2) keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71} elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2) + - + name: Remove "Windows Security" app (`SecHealthUI`) (breaks Windows Security user interface) + docs: |- + This script removes the "Windows Security" app [1], known as `SecHealthUI` [2] [3]. + This app serves as the interface for Windows Security [2], helping users monitor and manage their computer's security [4]. + It provides alerts and guidance on vulnerabilities through the Action Center [4]. + + However, uninstalling the "Windows Security" app has significant implications: + + - It may increase vulnerability to threats by no longer alerting users about security issues or communicating updates through the Action Center [4]. + - Disabling its interface can hinder the effective management of security settings, including tamper protection [5]. + + Despite these risks, removing the app can enhance privacy in several ways: + + - **Less personal data collection**: Reduces the collection and display of personal and system data such as threats [6], limiting information used to analyze user behavior. + - **More control over security settings**: Encourages managing security settings programmatically, reducing accidental misconfigurations and unauthorized access. + - **Decreased notifications and alerts**: Reduces the number of notifications that may expose sensitive information. + - **User choice in security tools**: Offers freedom to choose alternative privacy-focused security measures. 
+ - **Increased anonymity**: By uninstalling the app, users reduce the amount of data shared under the terms of + [Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement), + which allows Microsoft to collect and share data with external entities when the app is in use. + + This app comes pre-installed on certain versions of Windows [7] [8]. + The package is named `Microsoft.Windows.SecHealthUI` on Windows 10 and `Microsoft.SecHealthUI` on Windows 11 [1] [2]. + + It operates independently from individual Defender features [9] and is updated separately from the operating system [10]. + Uninstalling it does not disable Microsoft Defender Antivirus or Firewall [11], + and Windows will continue sending security notifications unless disabled separately [12]. + + > **Caution**: Uninstalling "Windows Security" app can expose your system to threats and limit your ability to configure + > security settings. It should only be done with a full understanding of the consequences. 
+ + ### Overview of default preinstallation + + `Microsoft.Windows.SecHealthUI`: + + | OS | Version | Existence | + | -- |:-------:|:---------:| + | Windows 10 | 19H2 | ✅ | + | Windows 10 | 20H2 | ✅ | + | Windows 10 | 21H2 | ✅ | + | Windows 10 | 22H2 | ✅ | + | Windows 11 | 21H2 | ❌ | + | Windows 11 | 22H2 | ❌ | + | Windows 11 | 23H2 | ❌ | + + `Microsoft.SecHealthUI`: + + | OS | Version | Existence | + | -- |:-------:|:---------:| + | Windows 10 | 19H2 | ❌ | + | Windows 10 | 20H2 | ❌ | + | Windows 10 | 21H2 | ❌ | + | Windows 10 | 22H2 | ❌ | + | Windows 11 | 21H2 | ✅ | + | Windows 11 | 22H2 | ✅ | + | Windows 11 | 23H2 | ✅ | + + [1]: https://web.archive.org/web/20231006113851/https://support.microsoft.com/en-us/topic/windows-security-update-a6ac7d2e-b1bf-44c0-a028-41720a242da3 "Windows Security Update - Microsoft Support" + [2]: https://web.archive.org/web/20240924201558/https://github.com/undergroundwires/privacy.sexy/issues/195 "[BUG]: Uninstalling the SecHealthUI fails, despite the app being installed. 
· Issue #195 · undergroundwires/privacy.sexy" + [3]: https://web.archive.org/web/20231006113903/https://download.microsoft.com/download/e/1/0/e10a6884-2e7a-4d80-ac2f-884c39a2a1b2/5001337.csv "Services CSV file | microsoft.com" + [4]: https://web.archive.org/web/20231006113932/https://learn.microsoft.com/en-us/windows/win32/devnotes/windows-security-center "The Windows Security app - Win32 apps | Microsoft Learn" + [5]: https://web.archive.org/web/20231006115719/https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87 "Prevent changes to security settings with Tamper Protection - Microsoft Support" + [6]: https://web.archive.org/web/20231006115719/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows | Microsoft Learn" + [7]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" + [8]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" + [9]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center#how-windows-security-works-with-windows-security-features "Windows Security - Windows Security | Microsoft Learn" + [10]: https://web.archive.org/web/20231006115836/https://support.microsoft.com/en-us/topic/kb5020779-the-vulnerable-driver-blocklist-after-the-october-2022-preview-release-3fcbe13a-6013-4118-b584-fcfbc6a09936 "KB5020779 The vulnerable driver blocklist after the October 2022 preview 
release - Microsoft Support" + [11]: https://web.archive.org/web/20231006115845/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-worldwide "Microsoft Defender Antivirus in the Windows Security app | Microsoft Learn" + [12]: https://web.archive.org/web/20231006115826/https://support.microsoft.com/en-us/windows/windows-security-notifications-6a59ce6a-e1e0-4795-b080-ba92d49644b2 "Windows Security notifications - Microsoft Support" + call: + - + function: UninstallNonRemovableStoreAppWithCleanup + parameters: + packageName: Microsoft.Windows.SecHealthUI # Get-AppxPackage Microsoft.Windows.SecHealthUI + publisherId: cw5n1h2txyewy + - + function: UninstallNonRemovableStoreApp + # Notes: + # - Although not a system app, this app is flagged as 'NonRemovable'. + # Therefore, `UninstallNonRemovableStoreApp` is preferred over `UninstallStoreApp`. + # - Attempts to remove the app installation files lead to permission errors, even with file ACLs permissions granted. + # Therefore, `UninstallNonRemovableStoreApp` is preferred over `UninstallNonRemovableStoreAppWithCleanup`. + parameters: + packageName: Microsoft.SecHealthUI # Get-AppxPackage Microsoft.SecHealthUI + publisherId: 8wekyb3d8bbwe - name: Disable outdated "Windows Defender Security Center" interface docs: |- 
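Review bot: Grammar in the relocated block: the caution line `Uninstalling "Windows Security" app can expose your system` is missing the article (`Uninstalling the "Windows Security" app`), and the inline note `even with file ACLs permissions granted` should read `even with file ACL permissions granted`. Since the hunk already moves these lines, fixing them here avoids carrying the wording over unchanged.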
@@ -25768,35 +28935,37 @@ actions: - name: Disable notifications to antivirus programs for downloaded files docs: |- - Prevents Windows from calling the registered antivirus programs when file attachments are opened [1] [2]. + This script prevents Windows from sending file attachments to antivirus programs for scanning when opened [1] [2]. Windows registered antivirus programs for downloaded files from Internet or through e-mail attachments [1]. If multiple programs are registered, they will all be notified [1] [3]. This is disabled by default, so even if you do not configure run this script, Windows does not call the registered antivirus programs when file attachments are opened [1]. - If it is enabled, Windows blocks file from being opened when antivirus program fails [1]. It is the recommended setting - by Microsoft [1]. + If it is enabled, Windows blocks file from being opened when antivirus program fails [1]. + It is the recommended setting by Microsoft [1]. Preventing calling antivirus: + - Increases privacy by not sharing your file data proactively with installed antiviruses. - Decreases by detecting and mitigating potential malicious software. Disabling it has **Moderate** - criticality as it is not an appropriate antivirus configuration according to US government [4]. + criticality as it is not an appropriate antivirus configuration according to US government [4]. An updated antivirus program must be installed for this policy setting to function properly [4]. It is configured using `ScanWithAntiVirus` value in - `\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4]. + `\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4] [5]. `3` enables the scans [1] [2] [3], `1` disables it [1] [3], and `2` leaves it optional [1]. 
In clean Windows 10 and 11 installations, this key by default comes with `3` value in - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus`, + `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus` [5], and key is missing for `HKCU`. [1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" [2]: https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-09-02/finding/V-14270 "The system will notify antivirus when file attachments are opened. | stigviewer.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_CallIOfficeAntiVirus "Notify antivirus programs when opening attachments | admx.help" [4]: https://web.archive.org/web/20230102223412/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov" + [5]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com" call: function: SetRegistryValue parameters: 
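Review bot: The rewritten first sentence (`This script prevents Windows from sending file attachments to antivirus programs for scanning when opened`) no longer matches the unchanged line below it (`Windows does not call the registered antivirus programs when file attachments are opened`) or the policy name cited in [3] (`Notify antivirus programs when opening attachments`); keep the "calls/notifies the registered antivirus programs" wording so the docs describe the same mechanism throughout. While this paragraph is being edited, the surrounding context lines still carry typos that should go in the same change: `even if you do not configure run this script`, `Windows registered antivirus programs for downloaded files from Internet`, and `Decreases by detecting and mitigating potential malicious software` (the subject, security, is missing).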
@@ -25805,93 +28974,6 @@ actions: dataType: REG_DWORD data: '1' dataOnRevert: '3' # Default value: `3` on Windows 10 Pro (≥ 22H2) | `3` on Windows 11 Pro (≥ 23H2) - - - name: Remove "Windows Security" app (`SecHealthUI`) (breaks Windows Security user interface) - docs: |- - This script removes the "Windows Security" app [1], known as `SecHealthUI` [2] [3]. - This app serves as the interface for Windows Security [2], helping users monitor and manage their computer's security [4]. - It provides alerts and guidance on vulnerabilities through the Action Center [4]. - - However, uninstalling the "Windows Security" app has significant implications: - - - It may increase vulnerability to threats by no longer alerting users about security issues or communicating updates through the Action Center [4]. - - Disabling its interface can hinder the effective management of security settings, including tamper protection [5]. - - Despite these risks, removing the app can enhance privacy in several ways: - - - **Less personal data collection**: Reduces the collection and display of personal and system data such as threats [6], limiting information used to analyze user behavior. - - **More control over security settings**: Encourages managing security settings programmatically, reducing accidental misconfigurations and unauthorized access. - - **Decreased notifications and alerts**: Reduces the number of notifications that may expose sensitive information. - - **User choice in security tools**: Offers freedom to choose alternative privacy-focused security measures. - - **Increased anonymity**: By uninstalling the app, users reduce the amount of data shared under the terms of - [Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement), - which allows Microsoft to collect and share data with external entities when the app is in use. - - This app comes pre-installed on certain versions of Windows [7] [8]. 
- The package is named `Microsoft.Windows.SecHealthUI` on Windows 10 and `Microsoft.SecHealthUI` on Windows 11 [1] [2]. - - It operates independently from individual Defender features [9] and is updated separately from the operating system [10]. - Uninstalling it does not disable Microsoft Defender Antivirus or Firewall [11], - and Windows will continue sending security notifications unless disabled separately [12]. - - > **Caution**: Uninstalling "Windows Security" app can expose your system to threats and limit your ability to configure - > security settings. It should only be done with a full understanding of the consequences. - - ### Overview of default preinstallation - - `Microsoft.Windows.SecHealthUI`: - - | OS | Version | Existence | - | -- |:-------:|:---------:| - | Windows 10 | 19H2 | ✅ | - | Windows 10 | 20H2 | ✅ | - | Windows 10 | 21H2 | ✅ | - | Windows 10 | 22H2 | ✅ | - | Windows 11 | 21H2 | ❌ | - | Windows 11 | 22H2 | ❌ | - | Windows 11 | 23H2 | ❌ | - - `Microsoft.SecHealthUI`: - - | OS | Version | Existence | - | -- |:-------:|:---------:| - | Windows 10 | 19H2 | ❌ | - | Windows 10 | 20H2 | ❌ | - | Windows 10 | 21H2 | ❌ | - | Windows 10 | 22H2 | ❌ | - | Windows 11 | 21H2 | ✅ | - | Windows 11 | 22H2 | ✅ | - | Windows 11 | 23H2 | ✅ | - - [1]: https://web.archive.org/web/20231006113851/https://support.microsoft.com/en-us/topic/windows-security-update-a6ac7d2e-b1bf-44c0-a028-41720a242da3 "Windows Security Update - Microsoft Support" - [2]: https://github.com/undergroundwires/privacy.sexy/issues/195 "[BUG]: Uninstalling the SecHealthUI fails, despite the app being installed. 
· Issue #195 · undergroundwires/privacy.sexy" - [3]: https://web.archive.org/web/20231006113903/https://download.microsoft.com/download/e/1/0/e10a6884-2e7a-4d80-ac2f-884c39a2a1b2/5001337.csv "Services CSV file | microsoft.com" - [4]: https://web.archive.org/web/20231006113932/https://learn.microsoft.com/en-us/windows/win32/devnotes/windows-security-center "The Windows Security app - Win32 apps | Microsoft Learn" - [5]: https://web.archive.org/web/20231006115719/https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87 "Prevent changes to security settings with Tamper Protection - Microsoft Support" - [6]: https://web.archive.org/web/20231006115719/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows | Microsoft Learn" - [7]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" - [8]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" - [9]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center#how-windows-security-works-with-windows-security-features "Windows Security - Windows Security | Microsoft Learn" - [10]: https://web.archive.org/web/20231006115836/https://support.microsoft.com/en-us/topic/kb5020779-the-vulnerable-driver-blocklist-after-the-october-2022-preview-release-3fcbe13a-6013-4118-b584-fcfbc6a09936 "KB5020779 The vulnerable driver blocklist after the October 2022 preview 
release - Microsoft Support" - [11]: https://web.archive.org/web/20231006115845/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-worldwide "Microsoft Defender Antivirus in the Windows Security app | Microsoft Learn" - [12]: https://web.archive.org/web/20231006115826/https://support.microsoft.com/en-us/windows/windows-security-notifications-6a59ce6a-e1e0-4795-b080-ba92d49644b2 "Windows Security notifications - Microsoft Support" - call: - - - function: UninstallNonRemovableStoreAppWithCleanup - parameters: - packageName: Microsoft.Windows.SecHealthUI # Get-AppxPackage Microsoft.Windows.SecHealthUI - publisherId: cw5n1h2txyewy - - - function: UninstallNonRemovableStoreApp - # Notes: - # - Although not a system app, this app is flagged as 'NonRemovable'. - # Therefore, `UninstallNonRemovableStoreApp` is preferred over `UninstallStoreApp`. - # - Attempts to remove the app installation files lead to permission errors, even with file ACLs permissions granted. - # Therefore, `UninstallNonRemovableStoreApp` is preferred over `UninstallNonRemovableStoreAppWithCleanup`. - parameters: - packageName: Microsoft.SecHealthUI # Get-AppxPackage Microsoft.SecHealthUI - publisherId: 8wekyb3d8bbwe - - category: UI for privacy children: @@ -25986,7 +29068,7 @@ actions: valueName: NoRecentDocsHistory dataType: REG_DWORD data: '1' - deleteOnRevert: 'true' # `0` by default on Windows 10 (22H2 and above) | Missing by default on Windows 11 (23H2 and above) + deleteOnRevert: 'true' # `0` by default on Windows 10 (≥ 22H2) | Missing by default on Windows 11 (≥ 23H2) - name: Clear recently opened document history upon exit recommend: strict 
@@ -34903,7 +37985,7 @@ functions: name: DisablePerUserService parameters: - name: serviceName # The name of the service to disable - - name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual + - name: defaultStartupMode # See `DisableServiceInRegistry` - name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` optional: true - name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` @@ -35105,7 +38187,7 @@ functions: # Use this method only if `DisableService` fails due to permission issues. parameters: # Ensure that this function has the 333same parameters as `DisableService` to simplify testing and interchangeability. - name: serviceName - - name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual + - name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual | Disabled - name: waitForDependentServicesOnStop # Set to `true` to stop the service and wait for all dependent services to stop as well. optional: true # Set to `false` to stop the service immediately without waiting for dependents. - name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` @@ -35203,7 +38285,7 @@ functions: # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue if (!$service) { - Write-Warning "Service query `"$serviceQuery`" did not yield and results, cannot enable it." + Write-Warning "Service query `"$serviceQuery`" did not yield and results. Revert cannot proceed." Exit 1 } $serviceName = $service.Name @@ -35211,7 +38293,7 @@ functions: # -- 2. Skip if service info is not found in registry $registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName" if (-Not (Test-Path $registryKey)) { - Write-Warning "`"$registryKey`" is not found in registry, cannot enable it." + Write-Warning "`"$registryKey`" is not found in registry. Revert cannot proceed." Exit 1 } # -- 3. Enable if not already enabled 
@@ -35220,13 +38302,14 @@ functions: 'System' { 1 } 'Automatic' { 2 } 'Manual' { 3 } + 'Disabled' { 4 } default { Write-Error "Error: Unknown startup mode specified: `"$defaultStartupMode`". Revert cannot proceed." return } } if ($(Get-ItemProperty -Path "$registryKey").Start -eq $defaultStartupRegValue) { - Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start." + Write-Host "`"$serviceName`" is has already default startup mode: `"$defaultStartupMode`"." } else { try { Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force @@ -35237,7 +38320,7 @@ functions: } } # -- 4. Start if not running (must be enabled first) - if ($defaultStartupMode -ne 'Manual') { + if ($defaultStartupMode -eq 'Automatic' -or $defaultStartupMode -eq 'Boot' -or $defaultStartupMode -eq 'System') { if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is not running, trying to start it." try { @@ -35508,7 +38591,7 @@ functions: name: DisableService parameters: # Ensure that this function has the same parameters as `DisableServiceInRegistry` to simplify testing and interchangeability. - name: serviceName - - name: defaultStartupMode # Allowed values: Automatic | Manual + - name: defaultStartupMode # Allowed values: Automatic | Manual | Disabled - name: ignoreMissingOnRevert # When set to true, the revert operation will skip any actions for services that cannot be found, instead of failing. optional: true - name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` 
@@ -35560,14 +38643,15 @@ functions: } # -- 3. Skip if already disabled $startupType = $service.StartType # Does not work before .NET 4.6.1 - if(!$startupType) { + if (!$startupType) { $startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode } } - if($startupType -eq 'Disabled') { + if ($startupType -eq 'Disabled') { Write-Host "$serviceName is already disabled, no further action is needed" + Exit 0 } # -- 4. Disable service try { @@ -35580,7 +38664,7 @@ functions: $serviceName = '{{ $serviceName }}' $defaultStartupMode = '{{ $defaultStartupMode }}' $ignoreMissingOnRevert = {{ with $ignoreMissingOnRevert }} $true # {{ end }} $false - Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start." + Write-Host "Reverting service `"$serviceName`" start to `"$defaultStartupMode`"." # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue if (!$service) { 
@@ -35593,32 +38677,32 @@ functions: } # -- 2. Enable or skip if already enabled $startupType = $service.StartType # Does not work before .NET 4.6.1 - if(!$startupType) { + if (!$startupType) { $startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode - if(!$startupType) { + if (!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode } } - if($startupType -eq "$defaultStartupMode") { - Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start, no further action is needed." + if ($startupType -eq "$defaultStartupMode") { + Write-Host "`"$serviceName`" has already expected startup mode: `"$defaultStartupMode`". No action required." } else { try { Set-Service -Name "$serviceName" -StartupType "$defaultStartupMode" -Confirm:$false -ErrorAction Stop - Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, this may require restarting your computer." + Write-Host "Reverted `"$serviceName`" with `"$defaultStartupMode`" start, this may require restarting your computer." } catch { - Write-Error "Could not enable `"$serviceName`": $_" + Write-Error "Failed to enable `"$serviceName`": $_" Exit 1 } } # -- 4. Start if not running (must be enabled first) - if($defaultStartupMode -eq 'Automatic') { + if ($defaultStartupMode -eq 'Automatic' -or $defaultStartupMode -eq 'Boot' -or $defaultStartupMode -eq 'System') { if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is not running, starting it." try { Start-Service $serviceName -ErrorAction Stop Write-Host "Started `"$serviceName`" successfully." 
} catch { - Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_" + Write-Warning "Failed to start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_" } } else { Write-Host "`"$serviceName`" is already running, no need to start." @@ -37692,7 +40776,7 @@ functions: optional: true - name: minimumWindowsVersion # Specifies the minimum Windows version for executing the PowerShell script. optional: true # Allowed values: - # Windows11-FirstRelease (First Windows 11) | Windows11-21H2 | Windows10-22H2 | + # Windows11-FirstRelease (First Windows 11) | Windows11-22H2 | Windows11-21H2 | Windows10-22H2 | # Windows10-21H2 | Windows10-20H2 | Windows10-1909 | Windows10-1607 - name: maximumWindowsVersion # Specifies the maximum Windows version for executing the PowerShell script. optional: true # Allowed values: @@ -37900,6 +40984,8 @@ functions: optional: true - name: grantPermissions # If true, it removes Deny ACLs from the registry key optional: true + - name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` + optional: true docs: |- This function creates or modifies a registry entry at a specified path. @@ -37918,10 +41004,11 @@ functions: Remove the registry value "{{ $valueName }}" from key "{{ $keyPath }}" to restore its original state {{ with $grantPermissions }} (with additional permissions){{ end }} {{ end }} - - function: RunPowerShellWithWindowsVersionConstraints + function: RunPowerShellWithOptionalElevation parameters: maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' + elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}{{ . }}{{ end }}' # Marked: refactor-with-variables # - Registry path construction with hive is same as `DeleteRegistryKey` and `CreateRegistryKey` # - Deleting key in `deleteOnRevert` on revert code is same as "code" 
@@ -38058,7 +41145,7 @@ functions: # Note: # Storing the original ACL (e.g., `$originalAcl = $subkey.GetAccessControl()`) and restoring it with `SetAccessControl()` # does not work due to broken identity references. Therefore, changes are managed individually. - setupCode: |- + setupCodeElevated: |- {{ with $grantPermissions }} $RawRegistryPath = '{{ $keyPath }}' $AclChanges = [PSCustomObject]@{ `
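Review bot: the `-` lines removing the `UninstallNonRemovableStoreApp` entry for `Microsoft.SecHealthUI` (the hunk before `@@ -25986`) carry the only explanation of why that function is preferred over `UninstallStoreApp` (the package is flagged `NonRemovable`) and over `UninstallNonRemovableStoreAppWithCleanup` (removing the installation files fails with permission errors even with file ACLs granted); since the commit message says `SecHealthUI` handling moves to the Windows Security scripts, please carry both notes to the new location so the choice of function stays documented there.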
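Review bot: the context comment in the `DisableServiceInRegistry` parameters hunk (`@@ -35105`) still reads "has the 333same parameters as `DisableService`"; while touching this block, drop the stray `333`. The hunk at `@@ -34903` now points `DisablePerUserService` at this list ("See `DisableServiceInRegistry`"), which means per-user services inherit the newly allowed `Disabled` value as well; if that is intended, fine, otherwise keep the narrower `Boot | System | Automatic | Manual` list for per-user services.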
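Review bot: the rewritten warning at `@@ -35203` keeps the typo "did not yield and results"; it should read "did not yield any results". The new "Revert cannot proceed." suffix matches the `Write-Error` text in the startup-mode `switch` at `@@ -35220`, which makes the revert failures easy to grep for in logs, so keep that wording consistent across the `@@ -35211` hunk too (it already is).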
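Review bot: the new `Write-Host` in the `@@ -35220` hunk reads "`"$serviceName`" is has already default startup mode"; suggest "`"$serviceName`" already has the default startup mode: `"$defaultStartupMode`"." The added `'Disabled' { 4 }` case is the right mapping for the `Start` registry value (the existing `1`, `2`, `3` cases are `System`, `Automatic`, `Manual`, and `4` is `Disabled`).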
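Review bot: the condition at `@@ -35237` now enumerates `Automatic`, `Boot` and `System` explicitly, which correctly keeps the "start if not running" step away from the newly added `Disabled` mode (the old `-ne 'Manual'` test would have tried to start a service whose revert target is `Disabled`). Consider `$defaultStartupMode -in @('Automatic', 'Boot', 'System')` for readability, since the same three-way `-or` is repeated verbatim in `DisableService` at `@@ -35593`.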
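Review bot: the parameter comment at `@@ -35508` restricts `DisableService`'s `defaultStartupMode` to `Automatic | Manual | Disabled`, yet the revert condition at `@@ -35593` also tests for `Boot` and `System`; either extend the allowed-values comment or drop the two unreachable branches so the documented contract and the code agree (the comment also says the parameters must stay interchangeable with `DisableServiceInRegistry`, whose list does include `Boot | System`, so state which list is authoritative).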
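Review bot: in the `@@ -35560` hunk the outer `if(` tests get the space, but the nested `if(!$startupType) {` on the WMI `-Class Win32_Service` fallback line is left unchanged, so the style is still mixed inside one block; apply the same change to it (the `@@ -35593` hunk does fix both levels). The added `Exit 0` after the "already disabled" message is the actual fix for the commit message's "attempting to disable the service even though its disabled": without it, execution fell through into the `try` block of step 4.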
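Review bot: the skip check `if ($startupType -eq "$defaultStartupMode")` at `@@ -35593` also compares against the WMI fallback value, but `Win32_Service.StartMode` reports automatic services as `Auto`, not `Automatic`, so on the pre-.NET 4.6.1 path an already-automatic service never matches and `Set-Service` runs every time (harmless, but it defeats the skip). Normalise the fallback (map `Auto` to `Automatic`) before comparing, or compare only the `Get-Service` enum value. Separately, the new message "has already expected startup mode" should read "already has the expected startup mode", and "Failed to enable" in the `catch` no longer matches the hunk's own "Reverting" wording.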
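Review bot: the `DeleteRegistryValue` call site at `@@ -37918` switches from `RunPowerShellWithWindowsVersionConstraints` to `RunPowerShellWithOptionalElevation` while still passing `maximumWindowsVersion` and `minimumWindowsVersion`; confirm that `RunPowerShellWithOptionalElevation` accepts and forwards both version parameters (its definition is outside this diff), otherwise the version gating silently disappears for every existing caller of `DeleteRegistryValue`. The `elevateToTrustedInstaller` parameter added at `@@ -37900` should also get a sentence in the `docs:` block that follows it, which currently still says "This function creates or modifies a registry entry" for a function that deletes one.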
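Review bot: renaming `setupCode` to `setupCodeElevated` at `@@ -38058` moves the `grantPermissions` ACL rewrite into the elevated context; the hunk ends mid-object (`$AclChanges = [PSCustomObject]@{`), so the rest of the block is not visible here, but if there is a matching block that restores the Deny ACEs (the comment above explains the changes are tracked individually because `SetAccessControl()` round-tripping breaks identity references), rename it to its elevated counterpart as well so grant and restore run in the same security context.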