Disable Windows Defender Registry Script


XenonKilla

I've got a registry script I made that I run after every new clean install of Windows, which makes several changes to the OS: enables/disables features, tweaks the interface, etc. I've got ALL my tweaks in the file working EXCEPT the Disabling of Windows Defender.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

I know this isn't working due to a permissions error being that the Windows Defender key is owned by SYSTEM and Administrators or User don't have sufficient privileges.

 

So I'm in search of how to script around this issue. I was thinking perhaps using regini or subinacl to change the permissions of the key and then run the reg file, but I can't seem to come up with anything that works.

 

Any ideas?


Worked great!! Thanks!!

 

Here is what I ended up with...

PsExec -accepteula -s reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001
Edited by XenonKilla

Looks like I spoke too soon. I just discovered an issue today when I was rebuilding a system and doing an OS install from scratch. My script worked fine however PsExec would not run because the computer didn't have a network connection enabled. The computer has a network controller however the drivers weren't installed yet so this was causing PsExec to throw this error...

 

Error establishing communication with PsExec service on Desktop.

The network location cannot be reached.

 

I was running the exact code I listed above locally so I dunno why it would throw this error. I'm assuming it just has something to do with the way PsExec works being that it's a tool targeted for running commands on remote systems rather than locally. I dunno if there is a workaround for this or if I just need to search for a new tool or what.

 

Any ideas?

Edited by XenonKilla

Yeah I tried that before and upon your suggestion I tried it again, however, I'm having the same issue as the first time I tried which is that I can get it to launch a command window as SYSTEM, however, I cannot get it to pass a command to that new command window with the same batch script.

 

Here's what I've tried...

RunAsSystem reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001
RunAsSystem cmd /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

If I use RunAsSystem to launch a new command window and then run my reg add it works just fine. But I'm trying to get this all to run automatic without any user intervention.

Ideas?

Edited by XenonKilla

Well I tried creating TWO bat files. My first one uses this command...
 

test1.bat

RunAsSystem test2.bat

test2.bat

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

This didn't work either. So I guess RunAsSystem won't work for this situation then. If it only opens the process but doesn't pass any parameters to the process then it's pretty much useless for this situation. At the very most I would have to launch the cmd process from my original batch file and then manually type the reg add command.

 

Ideas?

Edited by XenonKilla

Strange. :unsure:

And I mean it.

 

What does "did not work" actually mean?

I mean, is test2.bat not executed, or is it not executed as system, or *something else*?

I don't have a way to reproduce/test this right now. :(

Try just running RunAsSystem.

And in the command prompt that results try running test2.bat.

 

 

What happens if you try "compiling" (please notice the double quotes) the second batch?

Like (say) with this:

http://www.f2ko.de/programs.php?lang=en&pid=b2e

 

jaclaz


Yeah I'm using VMware Workstation to test. I'm working with a clean install of Windows 7 x64 and NOTHING modified. UAC enabled etc etc. I'm simply trying to disable Windows Defender with a batch script so that I can implement it into my "Tweaks" script that I've made.

 

If I open a command window (as admin) and run this...

 

RunAsSystem cmd

 

This obviously opens a new command window as SYSTEM. So now if I run my reg script

 

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

 

Then everything works great. Registry value gets changed and Windows Defender is now Disabled.

 

So obviously I know RunAsSystem can get the job done, however the hard part is getting this to work in a batch script. When I say it doesn't work, I simply mean that everything executes as expected, however, the registry value just never gets changed.

 

 

I've tried this...

From a command window (as admin)
RunAsSystem reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

No errors are given and everything executes as expected, however, the DisableAntiSpyware value isn't changed.

 

 

I've also tried this...

From a command window (as admin)
RunAsSystem test.bat
(test.bat)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

Once again no errors are given and everything executes as expected, however, the DisableAntiSpyware value isn't changed.

 

And lastly, per your suggestion, I tried compiling with BATtoEXE (which I already use regularly BTW) and I got the same results as running with test.bat


This is very strange.

The first method should not work because RunAsSystem (according to the docs) will only accept a process name (and no further parameters).

The second should work unless the cmd.exe that is spawned by the batch changes back to "admin" user. :unsure:

If this is the case also the compiled batch (actually a SFX installer) behaves the same.

 

Try running this batch through RegAsSystem:

whoami /all
pause
reg.exe /?
whoami /all
pause

and compare with the output of whoami /all given from the command prompt opened by RunAsSystem.

 

Otherwise a "real" executable will be needed.

 

On another approach, what happens using Nirsoft's nircmd?

http://www.nirsoft.net/utils/nircmd.html

the command runassystem:

http://www.nirsoft.net/utils/nircmd2.html#using

allows process and command line parameters.

 

jaclaz


FINALLY! NirCmd did the trick!

nircmdc runassystem reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

Out of all the damn registry tweaks I have in my script, this stupid Windows Defender key is the only one to give me trouble. You would expect the UAC key to have the same issues but of course that one can be modified with no issues lol.

 

Now hopefully I don't run into any other issues like I did with PsExec :P

 

Thanks to everyone for their help and especially jaclaz for suggesting NirCmd. As many NirSoft programs as I have saved on my computer, I completely forgot about NirCmd :lol:

Edited by XenonKilla

Well, just for the record my usual approach to a Windows batch issue is:

  1. can it be done natively with built-in commands?
  2. if not can it be done with one of Nirsoft's nircmd :thumbup or some of the other nice tools?
  3. if not let me see if another suitable tool exists...

 

In this occasion I somehow :blushing: missed point #2.

 

All is well that ends well.... :yes:

 

jaclaz

Edited by jaclaz

Yeah I was pretty disappointed when PsExec didn't work when trying to run commands on a LOCAL computer without an active network connection. Then RunAsSystem looked promising but clearly lacks the ability to pass arguments to the process it's opening. But NirCmd definitely seems to do the trick just fine :)
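
Seen from the monitoring side, every variant tried in this thread leaves the same process-creation trace: a `reg add` of `DisableAntiSpyware` under the Windows Defender key, usually wrapped in a run-as-SYSTEM launcher. The following is an added example, not code from any poster in the thread; the regexes, function names and sample command lines are constructed for illustration, and it assumes you already collect process command lines (for example from process-creation auditing).

```python
import re

# Key and value name as used in the thread's commands; HKLM is reg.exe's short form.
KEY_RE = re.compile(r"(?:HKEY_LOCAL_MACHINE|HKLM)\\SOFTWARE\\Microsoft\\Windows Defender", re.I)
VALUE_RE = re.compile(r"/v\s+\"?DisableAntiSpyware\b", re.I)
DATA_RE = re.compile(r"(?:^|\s)/d\s+\"?(0x[0-9a-f]+|\d+)", re.I)
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\"?\s+add\b", re.I)

# Run-as-SYSTEM launchers discussed in the thread, most specific first.
LAUNCHERS = [
    ("PsExec -s", re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b.*\s-s\b", re.I)),
    ("NirCmd runassystem", re.compile(r"\bnircmdc?(?:\.exe)?\"?\s+runassystem\b", re.I)),
    ("RunAsSystem", re.compile(r"^\"?(?:\S*\\)?runassystem(?:\.exe)?\b", re.I)),
]

def inspect(cmdline):
    """Return a finding dict if cmdline writes DisableAntiSpyware, else None."""
    if not (REG_ADD_RE.search(cmdline) and KEY_RE.search(cmdline)
            and VALUE_RE.search(cmdline)):
        return None
    m = DATA_RE.search(cmdline)
    data = None
    if m:
        text = m.group(1)
        # reg.exe accepts decimal or 0x-prefixed hex for REG_DWORD data.
        data = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    launcher = next((n for n, rx in LAUNCHERS if rx.search(cmdline)), "direct")
    # Assumption: any non-zero data counts as "disable" (the thread uses 1).
    return {"launcher": launcher, "data": data, "disables": bool(data)}

def scan(cmdlines):
    """Keep only the command lines that touch the value."""
    return [finding for finding in map(inspect, cmdlines) if finding]

# Constructed sample command lines (the first two mirror commands quoted in the thread).
SAMPLE = [
    r'PsExec -accepteula -s reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001',
    r'nircmdc runassystem reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001',
    r'reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The `reg query` line is ignored because it only reads the value, and the last line is reported with `disables` false because it sets the value back to 0.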
