
WinNTSetup v5.3.5


JFX


I am happy to say I got it to work finally!!!!

I had to throw in some more settings that somebody sent me from an NTLite forum link, so I'm not sure which one of the settings below finally did the trick, but I thought I'd throw them in here in case somebody might need to use them some day.

Once again: This is just for my own scripts and experiments, WinNTSetup itself was doing it correctly already

(for which I'm giving HUUUGE thanks to JFX!!!)

:thumbup :worship:

 

So here are the things I added:

(All are EXTRA things on top of the stuff in JFX's code example)

Software hive:
==============

[HKEY_LOCAL_MACHINE\temp\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001

[HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender]
"DisableRealtimeMonitoring"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"DisableSpecialRunningModes"=dword:00000001
"ServiceKeepAlive"=dword:00000001

[HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender\Signature Updates]
"ForceUpdateFromMU"=dword:00000001

[HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender\SmartScreen]
"ConfigureAppInstallControlEnabled"=dword:00000001
"ConfigureAppInstallControl"=dword:00000001

[HKEY_LOCAL_MACHINE\temp\Policies\Microsoft\Windows Defender\Spynet]
"DisableBlockAtFirstSeen"=dword:00000001


System hive:
============

[HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WdFilter]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WdNisDrv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WdNisSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\temp\ControlSet001\Services\WinDefend]
"Start"=dword:00000004

 

Edited by Atari800XL


Not sure if you still can disable defender online.
This should work from WinPE/WinRE. Another Windows would need to run it with TrustedInstaller rights.

Defender.cmd

reg load HKLM\SOFT C:\Windows\System32\config\software
reg load HKLM\SYS C:\Windows\System32\config\system
reg import Defender.reg
reg unload HKLM\SOFT
reg unload HKLM\SYS

Defender.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFT\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"=-

[HKEY_LOCAL_MACHINE\SOFT\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Off"

[HKEY_LOCAL_MACHINE\SOFT\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableAntiVirus"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFT\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFT\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DpaDisabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFT\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe]
"Debugger"="NUL"

[HKEY_LOCAL_MACHINE\SOFT\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="NUL"

[HKEY_LOCAL_MACHINE\SOFT\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe]
"Debugger"="NUL"

[HKEY_LOCAL_MACHINE\SOFT\Policies\Microsoft\Windows\System]
"EnableSmartScreen"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFT\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableAntiVirus"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFT\Policies\Microsoft\Windows Defender\SmartScreen]
"ConfigureAppInstallControlEnabled"=dword:00000001
"ConfigureAppInstallControl"=dword:00000001


[HKEY_LOCAL_MACHINE\SYS\ControlSet001\Control\CI\Policy]
"VerifiedAndReputablePolicyState"=dword:00000000

[HKEY_LOCAL_MACHINE\SYS\ControlSet001\Services\SecurityHealthService]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYS\ControlSet001\Services\WinDefend]
"Start"=dword:00000004

P.S: Not sure why I set SecurityHealthService to autostart, either there was a problem with disabling or it's a typo.

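For checking whether an image or exported hive already carries the values listed in the two posts above (the extra settings list and Defender.reg), here is an added example that is not code from any poster in this thread. It parses .reg-format text, such as the output of `reg export` run against a loaded offline hive, and reports values that switch Defender components off; the function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample in .reg export format. Key paths and value names are the
# ones posted in this thread, under the same SOFT/SYS mount names.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFT\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"ServiceKeepAlive"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFT\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFT\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="NUL"
[HKEY_LOCAL_MACHINE\SYS\ControlSet001\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYS\ControlSet001\Services\Spooler]
"Start"=dword:00000002
'''

DEFENDER_IMAGES = {"msmpeng.exe", "mpcmdrun.exe", "smartscreen.exe"}
DEFENDER_SERVICES = {"windefend", "wdfilter", "wdnisdrv", "wdnissvc"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; dword data becomes int."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            raw = m["raw"]
            is_dword = raw.lower().startswith("dword:")
            yield key, m["name"], int(raw[6:], 16) if is_dword else raw.strip('"')

def find_defender_tampering(text):
    """Return (key, value_name, reason) for values that switch Defender off."""
    findings = []
    for key, name, data in parse_reg(text):
        parts, n, reason = key.lower().split("\\"), name.lower(), None
        if "windows defender" in parts and n.startswith("disable") and data == 1:
            reason = "protection feature disabled"
        elif parts[-1] == "features" and n == "tamperprotection" and data == 0:
            reason = "tamper protection switched off"
        elif parts[-2:-1] == ["image file execution options"] and parts[-1] in DEFENDER_IMAGES and n == "debugger":
            reason = "IFEO Debugger value prevents the binary from starting"
        elif parts[-2:-1] == ["services"] and parts[-1] in DEFENDER_SERVICES and n == "start" and data == 4:
            reason = "service start type set to disabled"
        if reason:
            findings.append((key, name, reason))
    return findings
```

The rules match on the last path components, so the result is the same whatever name the hive was mounted under.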

Posted (edited)

JFX, I'll make a repack exe from your codes using advancedrun.exe, and try to stop windows defender in win11 latest version. After starting it and restarting the PC, only the upper option of defender was started, and all 3 other options of defender were stopped successfully.

Maybe we need something a little more to stop it completely.

Edited by dimo70

Posted (edited)

excuse me, everybody, if I might appear to be like a stick in the mud, but would anyone explain to me what is wrong with having only the following list of registry occurrences of defend (which means windefend, windows defender, windowsdefender, etc.) and no file or folder occurrence on disk? below is a text file listing all I have found in my registry concerning windows defender. no coming back, no rebutting in in normal everyday operations. never have I had to disable anything, never mind control it, at least this is what I see. am I missing anything?

Advanced Registry Search.txt

Edited by Antonino

@dimo70 You can't disable defender while the system is still running, it does protect itself.


Posted (edited)
Just now, JFX said:

@dimo70 You can't disable defender while the system is still running, it does protect itself.

I see. There is another way to remove windows defender for sure in running systems - DefenderKiller. Works perfect.

JFX, I tested Windows 10 and Windows 11 original with checking defender disable tweak - works perfect. :worship:

Edited by dimo70

Posted (edited)

well, I have now come across the bat version from github and I launched it, some russian wording came up a dos window and I can't make out what it means.  but it did launch and execute. I just hope it has done the job if it was needed.

Edited by Antonino

Posted (edited)

Antonino, I use it nearly 10 times per day on Win10 & 11 and everything works fine. There are no viruses inside.

Yes, I used many Russian tools, and some of them are super. I have many Russian friends and some of them are genius just as respectable JFX.

And one more update - NTHelper

Edited by dimo70

Posted (edited)

no doubt about that, I only did not know what to do on the first version, which left me with a dos-box-like scenario of alternatives for me to choose from among, and I did not know which would do what. on my second instance, it was a bat which I executed, but did not know what it did or did not in terms of stopping windows defender, which I claim I already have done by my brute force deletion philosophy, i.e. by deleting all occurrences of windows defender both on the disk and in the registry. I even posted a txt listing the only entries left in the registry for u all to check. in spite of my incompetence, I am still talking of windows defender, not of racism whatsoever, which I do not even consider in the least. I am a tech fan, not a politics fan. all that to simply mean my english is infinitely better than my russian, so I was afraid of making the wrong choice out of misunderstanding the options.

Edited by Antonino