Disable Windows Defender in Windows 10
You are able to do this using a Group Policy.
open gpedit.msc
navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender
Turn off Windows Defender
= Enabled
If you then try to open Windows Defender you'll see this:
And even though in Settings it may appear to be on, the Service is not running:
more info:
http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html
and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350
I found another way using the registry.
Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:
- Browse the registry to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
. - Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.
- Change the
Start
value for each service to0x4
(hex 4, decimal 4). - Reboot.
It would be helpful to understand why you cannot stop a particular service.
- I'm the administrator; worse than failure can't the Administrator administrate?!
It's because of the security permissions on the WinDefend service.
Note: WinDefend
is the actual name of the "Windows Defender Antivirus Service"
Viewing Permissions
If you run from a command line:
>sc sdshow WinDefend
where
sdshow
means "Displays a service's security descriptor."
You'll get the security descriptor:
C:\Users\Ian>sc sdshow WinDefend
D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)
This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:
D:
(A;;CCLCSWRPLOCRRC;;;BU)
(A;;CCLCSWRPLOCRRC;;;SY)
(A;;CCLCSWRPLOCRRC;;;BA)
(A;;CCLCSWRPLOCRRC;;;IU)
(A;;CCLCSWRPLOCRRC;;;SU)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)
The D:
means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):
D:
discretionary access control list- ACE1:
A;;CCLCSWRPLOCRRC;;;BU
- ACE2:
A;;CCLCSWRPLOCRRC;;;SY
- ACE3:
A;;CCLCSWRPLOCRRC;;;BA
- ACE4:
A;;CCLCSWRPLOCRRC;;;IU
- ACE5:
A;;CCLCSWRPLOCRRC;;;SU
- ACE6:
A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
- ACE7:
A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
- ACE1:
Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.
Looking first at who they apply to, a random blog article decode some of them (archive.is):
BU
: Built-in usersSY
: Local SystemBA
: Built-in administratorsUI
: Interactively logged-on userSU
: Service logon userS-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
: Trusted InstallerS-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
: Virtual NT service accountNT SERVICE\WinDefend
You can get the name associated with an SID by running:
>wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name
Each ACE contains a list of permissions that the user is being allowed or denied.
D:
discretionary access control list- ACE 1:
A;;CCLCSWRPLOCRRC;;;
Built-in users - ACE 2:
A;;CCLCSWRPLOCRRC;;;
Local system - ACE 3:
A;;CCLCSWRPLOCRRC;;;
Built-in administrators - ACE 4:
A;;CCLCSWRPLOCRRC;;;
Interactive user - ACE 5:
A;;CCLCSWRPLOCRRC;;;
Service logon user - ACE 6:
A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;
Trusted installer - ACE 7:
A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;
NT SERVICE\WinDefend
- ACE 1:
Breaking down the remaining semicolon separated sections in an ACE:
- ACE:
A;;CCLCSWRPLOCRRC;;;
- AceType:
A
ACCESS_ALLOWED_ACE_TYPE - AceFlags: (none)
- AccessMask:
CC LC SW RP LO CR RC
CC
: CREATE_CHILDLC
: LIST_CHILDRENSW
: SELF_WRITERP
: READ_PROPERTYLO
: LIST_OBJECTCR
: CONTROL_ACCESSRC
: READ_CONTROL
- ObjectGuid:
- InheritObjectGuid:
- AceType:
The leading A
means Allowed, and the permissions are two-letter codes:
D:
discretionary access control list- ACE 1: Allow,
CC LC SW RP LO CR RC
, Built-in users - ACE 2: Allow,
CC LC SW RP LO CR RC
, Local system - ACE 3: Allow,
CC LC SW RP LO CR RC
, Built-in administrators - ACE 4: Allow,
CC LC SW RP LO CR RC
, Interactive user - ACE 5: Allow,
CC LC SW RP LO CR RC
, Service logon user - ACE 6: Allow,
CC LC SW RP LO CR RC DC WP DT SD WD WO
, Trusted installer - ACE 7: Allow,
CC LC SW RP LO CR RC DC WP DT SD WD WO
, NT SERVICE\WinDefend
- ACE 1: Allow,
And this is where i'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but i've already stopped it, and my PC is still misbehaving.
Spoiler:
sc sdset WinDefend [newSDLString]
Bonus Reading
- How to specify permissions to services in Windows by using SDDL? (archive.is)
- How to Convert SID to Username and Vice Versa (archive.is)
- The Security Descriptor Definition Language of Love (Part 2) (archive.is)
- Microsoft Security Descriptor Language - 2.5.1.1 Syntax (archive.is)