I ruined my vacation by reverse engineering WSC (blog.es3n1n.eu)
164 points by todsacerdoti 6 hours ago | 56 comments
nyanpasu64 5 hours ago [-]
The most invasive but effective way I've found to disable Defender is to boot into a live Linux USB, rename "C:\ProgramData\Microsoft\Windows Defender", and create an empty file in its place.
71bw 4 hours ago [-]
Group policies still work so effectively that I've set up a local domain using a controller in my homelab that does nothing but change the defender policies automatically for all users.
devwastaken 6 minutes ago [-]
Group Policy no longer works on Win11. Updates will reverse it. Additionally, Defender detects turning off realtime monitoring as malware.
keepamovin 5 hours ago [-]
It's weird that Windows wouldn't have a signed manifest that would detect that.
vachina 3 hours ago [-]
You can also disable Windows Update entirely by taking ownership of wuaueng.dll and .exe. It’s the only effective method on Windows Home.
subscribed 2 hours ago [-]
But disabling updates on the system connected to the Internet is a terrible idea.

How do you update that afterwards?

stuffoverflow 37 minutes ago [-]
I have yet to see concrete evidence that disabling Windows Update and Windows Defender would elevate the risk of having the system compromised in any meaningful way.

I installed Windows 10 2016 LTSC on a VM at the end of last year out of curiosity to test that. Disabled wupdate and Defender before letting it access the internet, so that it was basically 8 years behind on any updates. I tried browsing all kinds of sketchy sites with Firefox and Chrome, clicking ads etc., but wasn't able to get the system infected.

I would guess that keeping your browser updated is more important.

londons_explore 2 hours ago [-]
Since the rest of the world updates their PCs, malware authors rarely focus on exploiting older versions.

Both Chrome and Windows are now in that position.

Basically, unless you are of interest to state level attackers, in 2025 even unpatched Chrome/Windows won't get drive-by exploited.

eru 1 hour ago [-]
That seems like pretty sketchy reasoning.

Like leaving your door unlocked, because you live in such a sketchy neighbourhood that everyone else always locks their doors.

hansbo 59 minutes ago [-]
More like, continue living in a sketchy neighbourhood because all the thieves go to the newer, more polished neighbourhoods anyway.
perching_aix 53 minutes ago [-]
Would suck if an exploit was present for years, sometimes decades. Would especially suck if people piled up old exploits and fell back on them as needed.
nsteel 43 minutes ago [-]
Imagine if this was all automated, even scripted, so even kiddies could do it, or others with almost zero security knowledge.

I'd really, really like to think most of us don't follow this terrible security practice based on a bad premise.

LoganDark 1 hour ago [-]
Actually riddle me this: what if you want to exploit exactly the type of person to disable updates? They are potentially more lucrative targets if nobody else targets them. Just a thought. It's sort of how "delete me" services profit off paranoia, they're a lucrative market because of the paranoia.
vachina 2 hours ago [-]
By reinstating the ownership of those files.
ForOldHack 4 hours ago [-]
That is basically how a popular product does it, while taking down about 25% of the entire internet...
stuckkeys 2 hours ago [-]
I see what you did there.
qbane 5 hours ago [-]
FYI, WSC stands for Windows Security Center.
Washuu 2 hours ago [-]
Thank you for the help. It is really frustrating when authors do not define an acronym when it is first introduced in the text.
unmole 2 hours ago [-]
But they do:

> The part of the system that manages all this mess is called Windows Security Center - WSC for short.

Washuu 1 hour ago [-]
It needs to be closer to where the acronym is first introduced. The definition, on my screen, is below the fold, so it cannot be seen in context of where the acronym is first introduced. If it was defined below the title, I would understand.

* https://apastyle.apa.org/style-grammar-guidelines/abbreviati...

* https://www.stylemanual.gov.au/grammar-punctuation-and-conve...

* https://learn.microsoft.com/en-us/style-guide/acronyms

I do a lot of copy editing for clarity and non-native speakers, so I have to keep these things in mind. ¯\_(ツ)_/¯

es3n1n 1 hour ago [-]
This is somewhat useful feedback, however I am not too sure how this can be fixed given the structure of my blog post. Do you think that if I just add a line `*WSC is short for Windows Security Center` in the first paragraph this will be enough?
alias_neo 10 minutes ago [-]
The typical solution is to include the expansion in brackets after the first use.

Simple rule I learned on my Electronic Engineering degree (where we're guilty of many, many acronyms): when you write an acronym/initialism in a paper (or anywhere for others to read, really), assume the reader doesn't know what it stands for and include the expansion in brackets immediately after the first use.

EDIT: As my sibling comment also suggests, writing it in full the first time, and using the acronym/initialism in brackets is also acceptable.

magicalhippo 42 minutes ago [-]
My suggestion:

In this post I will briefly describe the journey I went through while implementing defendnot, a tool that disables Windows Defender by using the Windows Security Center (WSC) service API directly.

n4r9 46 minutes ago [-]
At least that one is defined later on. I'm still scratching my head over "CTF".

[Edit - could be Capture The Flag?]

rschiavone 2 hours ago [-]
They do. They understandably shorten it in the title, but then they define the acronym the first time they use it in the article.
rootsudo 3 hours ago [-]
I recently read https://nostarch.com/windows-security-internals and this makes it much more relatable. I've known a bit about how a lot of this back stuff works in Windows, but the timing is great - the last chapter of that book really goes into the same detail this author went into about tokens and SIDs.
raptorfactor 3 hours ago [-]
This is cursed:

https://github.com/es3n1n/defendnot/blob/master/defendnot-lo...

If you're curious what's actually going on there:

https://github.com/es3n1n/defendnot/blob/master/cxx-shared/s...

es3n1n 3 hours ago [-]
Yeah, sorry, I didn't feel like implementing my own RAII stuff for all the COM thingies due to time constraints. It will be changed in the next update though.
es3n1n 2 hours ago [-]
https://github.com/es3n1n/defendnot/pull/6
junon 3 hours ago [-]
Honestly if this isn't part of a public API this isn't very cursed in terms of C++, especially if you have a lot of one-off cleanup operations.

I think the only bit I don't like personally is the syntax. I normally implement defer as a macro to keep things clean. If done correctly it can look like a keyword: `defer []{ something(); };`.

chii 3 hours ago [-]
can someone well versed in explaining CPP magic explain what is going on and why it is cursed?
quietbritishjim 1 hour ago [-]
We're starting with this code:

   defer->void { CoUninitialize(); };
Using the macros in the second linked file, this expands to:

   auto _defer_instance_1234 = Defer{} % [&]()->void { CoUninitialize(); };
* The 1234 is whatever the line number is, which makes the variable name unique.

* auto means infer the type of this local variable from the expression after the =.

* Defer{} means default construct a Defer instance. Defer is an empty type, but it allows the % following it to call a specific function because...

* Defer has an overloaded operator%. It's a template function, which takes a callable object (type is the template parameter Callable) and returns a DeferHolder<Callable> instance.

* [&]()->void { /*code here*/ }; is C++ syntax for a lambda function that captures any variables it uses by address (that's the [&] bit), takes no parameters (that's the () bit) and returns nothing (that's the ->void bit). The code goes in braces.

* DeferHolder calls the function it holds when it is destroyed.

It's subjective but some (including me!) would say it's cursed because it's using a macro to make something that almost looks like C++ syntax but isn't quite. I'm pretty confident with C++ but I had no idea what was going on at first (except, "surely this is using macros somehow ... right?"). [Edit: After some thought, I think the most confusing aspect is that defer->void looks like a method call through an object pointer rather than a trailing return type.]

I'd say it would be better to just be honest about its macroness, and also just do the extra typing of the [&] each time so the syntax of the lambda is all together. (You could then also simplify the implementation.) You end up with something like this:

   DEFER([&]()->void { CoUninitialize(); });
Or if you go all in with no args lambda, you could shorten it to:

   DEFER({ CoUninitialize(); });
chii 30 minutes ago [-]
That's interesting! So I assume that this macro allows code to get registered to be run after the 'current' scope exits.

But from my understanding (or lack thereof), the `auto _defer_instance_1234 =` is never referenced post construction. Why doesn't the compiler immediately detect that this object is unused and thus optimize away the object as soon as possible? Is it always guaranteed that the destructor gets called only after the current scope exits?

eru 1 hour ago [-]
C++ sort-of guarantees that your objects' destructors will be called when they go out of scope.

So you can abuse this mechanic to 'register' things to be executed at the end of the current scope, almost no matter how you exit the current scope.

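As an added example (not code from the defendnot repository or from any commenter), here is a minimal scope guard that spells out what quietbritishjim describes the `defer` macro expanding to, and answers chii's question about the "unused" variable: the guard object is never named again, but its destructor has an observable side effect, so the compiler must run it when the scope ends, whether the scope is left normally or by an exception. The names `Defer`, `DeferHolder` and `defer` follow the thread's description; the `DEFER_CONCAT` helpers and the `events()` log are assumptions of this example.

```cpp
// Added example: a minimal scope guard, written here to show what the
// `defer` macro discussed in the thread expands to. It is not the code from
// the defendnot repository; the names Defer, DeferHolder and defer are
// modelled on the thread's description and the DEFER_CONCAT helpers and the
// events() log are assumptions of this example.
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Owns a callable and runs it exactly once when the holder is destroyed,
// i.e. when control leaves the enclosing scope by any path.
template <typename Callable>
class DeferHolder {
public:
    explicit DeferHolder(Callable c) : callable_(std::move(c)), active_(true) {}
    // Moving transfers responsibility so the callable still runs only once.
    DeferHolder(DeferHolder&& other) noexcept
        : callable_(std::move(other.callable_)), active_(other.active_) {
        other.active_ = false;
    }
    DeferHolder(const DeferHolder&) = delete;
    DeferHolder& operator=(const DeferHolder&) = delete;
    ~DeferHolder() {
        if (active_) callable_();
    }
private:
    Callable callable_;
    bool active_;
};

// Empty tag type: `Defer{} % lambda` exists only so the lambda's type can be
// deduced into DeferHolder<Callable> without ever naming it.
struct Defer {
    template <typename Callable>
    DeferHolder<Callable> operator%(Callable c) const {
        return DeferHolder<Callable>(std::move(c));
    }
};

// Glue __LINE__ into the variable name so several defers can share a scope.
#define DEFER_CONCAT_IMPL(a, b) a##b
#define DEFER_CONCAT(a, b) DEFER_CONCAT_IMPL(a, b)
#define defer auto DEFER_CONCAT(_defer_instance_, __LINE__) = Defer{} % [&]()

// Constructed event log so the ordering of cleanup can be observed and tested.
std::vector<std::string>& events() {
    static std::vector<std::string> log;
    return log;
}

// Normal exit: the guard fires after the last statement of the block, before
// anything that follows the closing brace.
std::vector<std::string> run_normal() {
    events().clear();
    {
        events().push_back("CoInitialize");
        defer->void { events().push_back("CoUninitialize"); };
        events().push_back("work");
        // _defer_instance_N is never named again; the compiler cannot drop it
        // because its destructor has an observable side effect.
    }
    events().push_back("after-scope");
    return events();
}

// Exceptional exit: stack unwinding destroys the guard, so cleanup still runs
// before the handler sees the exception.
std::vector<std::string> run_throw() {
    events().clear();
    try {
        events().push_back("CoInitialize");
        defer->void { events().push_back("CoUninitialize"); };
        throw std::runtime_error("boom");
    } catch (const std::runtime_error&) {
        events().push_back("caught");
    }
    return events();
}

// Two guards in one scope run in reverse order of declaration, like any
// other locals with destructors.
std::vector<std::string> run_two_guards() {
    events().clear();
    {
        defer->void { events().push_back("first-registered"); };
        defer->void { events().push_back("second-registered"); };
    }
    return events();
}

int main() {
    for (const auto& e : run_normal()) std::cout << e << '\n';
    std::cout << "--\n";
    for (const auto& e : run_throw()) std::cout << e << '\n';
    std::cout << "--\n";
    for (const auto& e : run_two_guards()) std::cout << e << '\n';
    return 0;
}
```

The move constructor is only there so the guard can be returned from `operator%` on compilers without guaranteed copy elision; on C++17 it is never called. For a real COM cleanup the same shape applies with `CoUninitialize()` in the lambda body.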
fc417fc802 2 hours ago [-]
What's cursed about this? I use this pattern all over in my code although the signature at the callsite looks a bit different (personal preference).

D (for example) has the concept of statements that trigger at end of scope built into the language.

s4mbh4 3 hours ago [-]
Why would you want to disable WSC?
devrandoom 3 hours ago [-]
Performance reasons? Malware development? Hacking?
fransje26 55 minutes ago [-]
Is there a more performant, less resource-crippling, antivirus for Windows?
dark-star 3 hours ago [-]
For those wondering:

WSC stands for Windows Security Center.

I had to look it up as well

gitroom 2 hours ago [-]
Lmao reverse engineering WSC on vacation sounds like some real dedication - honestly can't tell if that's commitment or just a cry for help. Made me think: if tuning all this stuff gives you a headache, would you rather have max security or just peace of mind and a fast machine?
0xEF 1 hour ago [-]
> Max security or just peace of mind and a fast machine

Or, to avoid making that choice at all, just don't use Windows.

eru 1 hour ago [-]
There's plenty of other insecure systems.
ForOldHack 4 hours ago [-]
This is a godsend. I should send you a jar of kimchi for this. Please return to Seoul, and enjoy the sights. South Korea is one of the most beautiful countries in the world. Try to plan it to correspond with either the cherry blossoms falling in the spring, or the leaves falling in the fall.

I miss Seoul.

nar001 2 hours ago [-]
Will you go back? Holidays, or are you from there?
yard2010 2 hours ago [-]
"Busan is Good"

<3

codeulike 3 hours ago [-]
What does CTF stand for?
raybb 3 hours ago [-]
A security competition of sorts https://en.wikipedia.org/wiki/Capture_the_flag_%28cybersecur...
CalRobert 3 hours ago [-]
https://en.wikipedia.org/wiki/Capture_the_flag_(cybersecurit... I believe
AtomicByte 6 hours ago [-]
no idea there was so much going on behind the scenes of defendnot (I feel like someone sent it to me earlier; thought it was super cool)
kunley 1 hour ago [-]
It's simply disgusting, not what the guy did, but the fact that he needed to do it at all, because this whole Windows environment is so crappy.
ThrowawayTestr 4 hours ago [-]
Is the point to actually disable defender or to highlight a vulnerability?
geocar 2 hours ago [-]
I think the point is to disable defender: Air-gapped machines, kiosks, industrial applications, and so on, have no need to eat gobs of ram and waste loads of cpu checking the same files over and over again. For other applications, WD provides dubious benefits. It is annoying that there isn't a switch that says "I know how to operate a computer".

Evildoers don't need to bother with this: If they have access at this point you've got other problems.

Microsoft may extend WD to detect/block this vector since it is using undocumented interfaces; Microsoft would absolutely prefer you buy more cores, and if you're not going to do that, collect some additional licensing revenue through some other way.

mappu 15 minutes ago [-]
> It is annoying that there isn't a switch that says "I know how to operate a computer".

I found one such switch: Install Linux

eru 1 hour ago [-]
Why would Microsoft care how much money I spend with my CPU core vendor?
ForOldHack 4 hours ago [-]
That is one possible point, but on machines with low memory (like a lab full of 8 GB potatoes) this is a godsend. These lab PCs are so stripped down that the only thing using most of the memory is WD.

You should be able to make a normal mode to run full security and a gaming mode to just run a semi-large game, and yes, this does expose a vulnerability, but it can be easily brought back up.

iforgotpassword 3 hours ago [-]
Oof, really? Haven't really used windows much after 7, but it always seemed to me defender was pretty lightweight. At least compared to all the other products where just opening the UI would lag out the average machine.