Disable Windows Defender in Windows 10

Solution 1:

You are able to do this using a Group Policy.

open gpedit.msc

navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender

Turn off Windows Defender = Enabled

If you then try to open Windows Defender you'll see this: enter image description here

And even though in Settings it may appear to be on, the Service is not running: enter image description here

more info:

http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html

and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350

Solution 2:

I found another way using the registry.

Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:

Browse the registry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.
Change the Start value for each service to 0x4 (hex 4, decimal 4).
Reboot.

Solution 3:

It would be helpful to understand why you cannot stop a particular service.

I'm the administrator; worse than failure can't the Administrator administrate?!

It's because of the security permissions on the WinDefend service.

Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"

enter image description here

Viewing Permissions

If you run from a command line:

>sc sdshow WinDefend

where

sdshow means "Displays a service's security descriptor."

You'll get the security descriptor:

C:\Users\Ian>sc sdshow WinDefend

D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:

D:
   (A;;CCLCSWRPLOCRRC;;;BU)
   (A;;CCLCSWRPLOCRRC;;;SY)
   (A;;CCLCSWRPLOCRRC;;;BA)
   (A;;CCLCSWRPLOCRRC;;;IU)
   (A;;CCLCSWRPLOCRRC;;;SU)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):

D: discretionary access control list
- ACE1: A;;CCLCSWRPLOCRRC;;;BU
- ACE2: A;;CCLCSWRPLOCRRC;;;SY
- ACE3: A;;CCLCSWRPLOCRRC;;;BA
- ACE4: A;;CCLCSWRPLOCRRC;;;IU
- ACE5: A;;CCLCSWRPLOCRRC;;;SU
- ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
- ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.

Looking first at who they apply to, a random blog article decode some of them (archive.is):

BU: Built-in users
SY: Local System
BA: Built-in administrators
UI: Interactively logged-on user
SU: Service logon user
S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer
S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736: Virtual NT service account NT SERVICE\WinDefend

You can get the name associated with an SID by running:

>wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name

Each ACE contains a list of permissions that the user is being allowed or denied.

D: discretionary access control list
- ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users
- ACE 2: A;;CCLCSWRPLOCRRC;;; Local system
- ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators
- ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user
- ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user
- ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer
- ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; NT SERVICE\WinDefend

Breaking down the remaining semicolon separated sections in an ACE:

ACE: A;;CCLCSWRPLOCRRC;;;
- AceType: A ACCESS_ALLOWED_ACE_TYPE
- AceFlags: (none)
- AccessMask: CC LC SW RP LO CR RC
  - CC: CREATE_CHILD
  - LC: LIST_CHILDREN
  - SW: SELF_WRITE
  - RP: READ_PROPERTY
  - LO: LIST_OBJECT
  - CR: CONTROL_ACCESS
  - RC: READ_CONTROL
- ObjectGuid: (none)
- InheritObjectGuid: (none)

The leading A means Allowed, and the permissions are two-letter codes:

D: discretionary access control list
- ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users
- ACE 2: Allow, CC LC SW RP LO CR RC, Local system
- ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators
- ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user
- ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user
- ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer
- ACE 7: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, NT SERVICE\WinDefend

And this is where i'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but i've already stopped it, and my PC is still misbehaving.

Spoiler:

sc sdset WinDefend [newSDLString]

Bonus Reading

How to specify permissions to services in Windows by using SDDL? (archive.is)
How to Convert SID to Username and Vice Versa (archive.is)
The Security Descriptor Definition Language of Love (Part 2) (archive.is)
Microsoft Security Descriptor Language - 2.5.1.1 Syntax (archive.is)