Disable Windows Defender in Windows 10

You are able to do this using a Group Policy.

open gpedit.msc

navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender

Turn off Windows Defender = Enabled

If you then try to open Windows Defender you'll see this: (screenshot not included)

And even though in Settings it may appear to be on, the Service is not running: (screenshot not included)

more info:

http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html

and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350


I found another way using the registry.

Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:

  1. Browse the registry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
  2. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.
  3. Change the Start value for each service to 0x4 (hex 4, decimal 4).
  4. Reboot.

It would be helpful to understand why you cannot stop a particular service.

  • I'm the administrator; worse than failure can't the Administrator administrate?!

It's because of the security permissions on the WinDefend service.

Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"


Viewing Permissions

If you run from a command line:

>sc sdshow WinDefend

where

  • sdshow means "Displays a service's security descriptor."

You'll get the security descriptor:

C:\Users\Ian>sc sdshow WinDefend

D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:

D:
   (A;;CCLCSWRPLOCRRC;;;BU)
   (A;;CCLCSWRPLOCRRC;;;SY)
   (A;;CCLCSWRPLOCRRC;;;BA)
   (A;;CCLCSWRPLOCRRC;;;IU)
   (A;;CCLCSWRPLOCRRC;;;SU)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):

  • D: discretionary access control list
    • ACE1: A;;CCLCSWRPLOCRRC;;;BU
    • ACE2: A;;CCLCSWRPLOCRRC;;;SY
    • ACE3: A;;CCLCSWRPLOCRRC;;;BA
    • ACE4: A;;CCLCSWRPLOCRRC;;;IU
    • ACE5: A;;CCLCSWRPLOCRRC;;;SU
    • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
    • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

Each ACE is a set of 5 semicolon-terminated settings, followed by who it applies to.

Looking first at who they apply to, a random blog article decodes some of them (archive.is):

  • BU: Built-in users
  • SY: Local System
  • BA: Built-in administrators
  • IU: Interactively logged-on user
  • SU: Service logon user
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer
  • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736: Virtual NT service account NT SERVICE\WinDefend

You can get the name associated with an SID by running:

>wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name

Each ACE contains a list of permissions that the user is being allowed or denied.

  • D: discretionary access control list
    • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users
    • ACE 2: A;;CCLCSWRPLOCRRC;;; Local system
    • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators
    • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user
    • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user
    • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer
    • ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; NT SERVICE\WinDefend

Breaking down the remaining semicolon separated sections in an ACE:

  • ACE: A;;CCLCSWRPLOCRRC;;;
    • AceType: A ACCESS_ALLOWED_ACE_TYPE
    • AceFlags: (none)
    • AccessMask: CC LC SW RP LO CR RC
      • CC: CREATE_CHILD
      • LC: LIST_CHILDREN
      • SW: SELF_WRITE
      • RP: READ_PROPERTY
      • LO: LIST_OBJECT
      • CR: CONTROL_ACCESS
      • RC: READ_CONTROL
    • ObjectGuid: (none)
    • InheritObjectGuid: (none)

The leading A means Allowed, and the permissions are two-letter codes:

  • D: discretionary access control list
    • ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users
    • ACE 2: Allow, CC LC SW RP LO CR RC, Local system
    • ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators
    • ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user
    • ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user
    • ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer
    • ACE 7: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, NT SERVICE\WinDefend

And this is where I'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but I've already stopped it, and my PC is still misbehaving.

Spoiler:

sc sdset WinDefend [newSDLString]

Bonus Reading

  • How to specify permissions to services in Windows by using SDDL? (archive.is)
  • How to Convert SID to Username and Vice Versa (archive.is)
  • The Security Descriptor Definition Language of Love (Part 2) (archive.is)
  • Microsoft Security Descriptor Language - 2.5.1.1 Syntax (archive.is)
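The decoding walked through in this answer, carried out in code as an added example (not part of the original answer and not a Microsoft tool): a small Python parser for the DACL section of an SDDL string that reads the `sc sdshow WinDefend` output above and reports which trustees hold a given right. The rights table uses the service-object meaning of each two-letter code, taken from Microsoft's service access-rights documentation (RP is SERVICE_START, WP is SERVICE_STOP, DC is SERVICE_CHANGE_CONFIG, and so on), rather than the directory-object names listed above; with that table the result shows directly that Built-in administrators can start the service but hold none of WP, DC or WD, which only Trusted Installer and NT SERVICE\WinDefend have.

```python
"""Decode a service's SDDL DACL and report who can stop or reconfigure it.
Added example, not from the original answer. Right names are the service
object meanings of the generic SDDL codes (Win32 service access rights)."""
import re

# Two-letter SDDL access codes as they apply to a service object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SDDL aliases plus the two SIDs the answer above decodes.
TRUSTEES = {
    "BU": "Built-in users", "SY": "Local System", "BA": "Built-in administrators",
    "IU": "Interactive user", "SU": "Service logon user",
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464": "Trusted Installer",
    "S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736": r"NT SERVICE\WinDefend",
}

def parse_dacl(sddl):
    """Return [(ace_type, [two-letter rights], trustee)] for the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("descriptor has no DACL")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, mask, _obj_guid, _inh_guid, sid = body.split(";")
        rights = [mask] if mask.startswith("0x") else [mask[i:i + 2] for i in range(0, len(mask), 2)]  # hex masks are left undecoded
        kind = {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type)
        aces.append((kind, rights, TRUSTEES.get(sid, sid)))
    return aces

def who_can(sddl, code):
    """Trustees holding an Allow ACE that grants the given two-letter right."""
    return [who for kind, rights, who in parse_dacl(sddl) if kind == "Allow" and code in rights]

# The descriptor printed by `sc sdshow WinDefend` in the answer above.
WINDEFEND_SDDL = (
    "D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)"
    "(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)"
)
if __name__ == "__main__":
    for kind, rights, who in parse_dacl(WINDEFEND_SDDL):
        print(f"{kind:5} {who:30} {' '.join(SERVICE_RIGHTS.get(r, r) for r in rights)}")
    for code in ("WP", "DC", "WD"):  # stop, change config, change permissions
        print(f"{SERVICE_RIGHTS[code]}: {', '.join(who_can(WINDEFEND_SDDL, code))}")
```

Comparing the parsed ACE list against a known-good baseline is a quick way to notice that a service DACL has been loosened, since `sc sdset` leaves the service's Settings page looking unchanged.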