I ruined my vacation by reverse engineering WSC

206 todsacerdoti 95 5/12/2025, 3:34:26 AM blog.es3n1n.eu ↗

Comments (95)

nyanpasu64 · 6h ago
The most invasive but effective way I've found to disable Defender is to boot into a live Linux USB, rename "C:\ProgramData\Microsoft\Windows Defender", and create an empty file in its place.
71bw · 5h ago
Group policies still work so effectively that I've set up a local domain using a controller in my homelab that does nothing but change the defender policies automatically for all users.
devwastaken · 1h ago
Group policy no longer works on Win11. Updates will reverse it. Additionally, Defender detects turning off realtime monitoring as malware.
71bw · 1h ago
And yet I have none of these issues on 11 LTSC 24H2? Sounds like you forgot to disable Tamper Protection.
OsrsNeedsf2P · 1h ago
As someone who moved to Linux 10 years ago, this comment chain shows Windows became the real hacker distro
animuchan · 22m ago
In a sense, it has been for a long time.

With Linux, there's often a good clean way to do a thing, and then there are weird hacks.

On Windows, it often starts with weird hacks, as Microsoft is further enclosing its ecosystem.

(I use Windows mostly for gaming and VR, and still have to constantly fiddle with the system to keep it working on a basic level, sad face emoji. Who would've thunk that merely playing an 8K European documentary in VR would require configuring DirectShow filters found on GitHub.)

SSLy · 7m ago
> Who would've thunk that merely playing a 8K European documentary in VR would require configuring DirectShow filters found on GitHub.

Dios Mio, get mpv, enable gpu-hq

keepamovin · 6h ago
It's weird that windows wouldn't have a signed manifest that would detect that
da_chicken · 23m ago
It does have that. Windows uses code signing and either DISM or SFC to do that.

But this isn't about the binaries. It's where definitions and configuration are stored. It's C:\ProgramData, not C:\Program Files.

The system also can't object too severely. Third party endpoint protection exists.

vachina · 4h ago
You can also disable Windows Update entirely by taking ownership of wuaueng.dll and .exe. It’s the only effective method on Windows Home.
subscribed · 3h ago
But disabling updates on the system connected to the Internet is a terrible idea.

How do you update that afterwards?

stuffoverflow · 2h ago
I have yet to see concrete evidence that disabling Windows update and windows defender would elevate risk of having the system compromised in any meaningful way.

I installed Windows 10 2016 ltsc on a VM at the end of last year out of curiosity to test that. Disabled wupdate and defender before letting it access the internet so that it was basically 8 years behind on any updates. I tried browsing all kinds of sketchy sites with Firefox and chrome, clicking ads etc. but wasn't able to get the system infected.

I would guess that keeping your browser updated is more important.

keepamovin · 1h ago
Correct! The browser is now the key vector because it's the most promiscuous and lascivious-for-code-and-data software on most devices.

Browser zero-days are why I factored out a way to distribute "web RPA agent creation" on any device, with no download - into its own product layer for browser isolation. It's a legitimate defense layer, but the main barriers to adoption are operating friction, even though it makes the task of hackers who want to compromise your network with browser 0-days much harder.

Because of that, the RBI aspect is not as popular as the ways it's being used where you need a really locked down browser, with policies for preventing upload/download, even copy and paste, etc. - for DLP (data loss prevention), for regulated enterprises.

Even so I think the potential applications of this tech layer are just starting.

mr_toad · 47m ago
> I have yet to see concrete evidence that disabling Windows update and windows defender would elevate risk of having the system compromised in any meaningful way.

It’s much less likely than it was 20 years ago. A lot of attack vectors have already been fixed. But hypothetically a bug in the network stack could still leave an internet connected machine vulnerable.

vachina · 3h ago
By reinstating the ownership of those files.
londons_explore · 3h ago
Since the rest of the world updates their PCs, malware authors rarely focus on exploiting older versions.

Both Chrome and Windows are now in that position.

Basically, unless you are of interest to state-level attackers, in 2025 even unpatched Chrome/Windows won't get drive-by exploited.

shakna · 46m ago
There are still active attacks against DOS and Win98. Automated driveby attacks, just looking to increase the size of a bot farm. There are still new exploits being released against rather old systems.
eru · 2h ago
That seems like pretty sketchy reasoning.

Like leaving your door unlocked, because you live in such a sketchy neighbourhood that everyone else always locks their doors.

TeMPOraL · 28m ago
It would make sense if the cost/danger for the thieves to check every door would be prohibitive. Unfortunately, with networked computers, checking the doors is usually both riskless and effectively free.
eru · 13m ago
And turning off your old door checker, just because someone fixed the vulnerability in the latest version, is probably more hassle than it's worth.
hansbo · 2h ago
More like, continue living in a sketchy neighbourhood because all the thieves go to the newer, more polished neighbourhoods anyway.
perching_aix · 2h ago
Would suck if an exploit was present for years, sometimes decades. Would especially suck if people piled up old exploits and fell back on them as needed.
nsteel · 2h ago
Imagine if this was all automated, even scripted, so even kiddies could do it, or others with almost zero security knowledge.

I'd really, really like to think most of us don't follow this terrible security practice based on a bad premise.

LoganDark · 2h ago
Actually riddle me this: what if you want to exploit exactly the type of person to disable updates? They are potentially more lucrative targets if nobody else targets them. Just a thought. It's sort of how "delete me" services profit off paranoia, they're a lucrative market because of the paranoia.
ForOldHack · 5h ago
That is basically how a popular product does it, while taking down about 25% of the entire internet...
stuckkeys · 3h ago
I see what you did there.
qbane · 6h ago
FYI, WSC stands for Windows Security Center.
Washuu · 3h ago
Thank you for the help. It is really frustrating when authors do not define an acronym when it is first introduced in the text.
unmole · 3h ago
But they do:

> The part of the system that manages all this mess is called Windows Security Center - WSC for short.

Washuu · 2h ago
It needs to be closer to where the acronym is first introduced. The definition, on my screen, is below the fold so it can not be seen in context of where the acronym is first introduced. If it was defined below the title, I would understand.

* https://apastyle.apa.org/style-grammar-guidelines/abbreviati...

* https://www.stylemanual.gov.au/grammar-punctuation-and-conve...

* https://learn.microsoft.com/en-us/style-guide/acronyms

I do a lot of copy editing for clarity and non-native speakers, so I have to keep these things in mind. ¯\_(ツ)_/¯

es3n1n · 2h ago
This is somewhat useful feedback, however I am not too sure how this can be fixed given the structure of my blog post. Do you think if I just add a line `*WSC is short for Windows Security Center` in the first paragraph this will be enough?
lawgimenez · 52m ago
Just wondering, is this Slack? Just wondering what kind of logging flow you’re using.

https://blog.es3n1n.eu/posts/how-i-ruined-my-vacation/pics/p...

alias_neo · 1h ago
The typical solution is to include the expansion in brackets after the first use.

Simple rule I learned on my Electronic Engineering degree (where we're guilty of many, many acronyms): When you write an acronym/initialism in a paper (or anywhere for others to read, really), assume the reader doesn't know what it stands for and include the expansion in brackets immediately after the first use.

EDIT: As my sibling comment also suggests, writing it in full the first time, and using the acronym/initialism in brackets is also acceptable.

magicalhippo · 2h ago
My suggestion:

In this post I will briefly describe the journey I went through while implementing defendnot, a tool that disables Windows Defender by using the Windows Security Center (WSC) service API directly.

n4r9 · 2h ago
At least that one is defined later on. I'm still scratching my head over "CTF".

[Edit - could be Capture The Flag?]

tempaway43563 · 53m ago
You're right, that never gets defined. Yes, Capture The Flag, a cybersecurity sort of competition, I think.

https://news.ycombinator.com/item?id=43960389

rschiavone · 3h ago
They do. They understandably shorten it in the title, but then they define the acronym the first time they use it in the article.
einsteinx2 · 16m ago
> As you might still remember, I was working on an arm64 macbook and there currently is no sane solutions how to emulate x86 windows on arm macbooks.

What about UTM? Also Parallels recently added initial support for Intel VMs as well.

nottorp · 10m ago
I tried UTM and it's unusable for x86 Windows.

Maybe command line Linux would be acceptably slow, but anything with a GUI isn't.

You can run arm64 Windows pretty well, but that's not x86 Windows and won't help with reverse engineering an x86 system component.

einsteinx2 · 2m ago
I hadn’t tried it myself, I just knew it could run it; sucks to hear it’s so unusable.
rootsudo · 4h ago
I recently read https://nostarch.com/windows-security-internals and this makes it much more relatable. I've known a bit about how a lot of this back stuff works in Windows, but the timing is great - the last chapter of that book really goes into the same detail this author went into about tokens and SIDs.
raptorfactor · 4h ago
es3n1n · 4h ago
Yeah, sorry, I didn't feel like implementing my own RAII stuff for all the COM thingies due to time constraints. It will be changed in the next update though.
es3n1n · 3h ago
junon · 4h ago
Honestly if this isn't part of a public API this isn't very cursed in terms of C++, especially if you have a lot of one-off cleanup operations.

I think the only bit I don't like personally is the syntax. I normally implement defer as a macro to keep things clean. If done correctly it can look like a keyword: `defer []{ something(); };`.

quietbritishjim · 53m ago
I think the syntax is exactly why they're saying it's cursed. IMO your suggestion is no better - yes it makes defer look like a keyword, but it's not! As I said in a sibling comment, I think it's clearer if you're honest that you're using a macro: DEFER([](){something();});

Or you could even make a non-macro version (but then you need to think of variable names for each defer):

   auto defer_uninitialise = do_defer([](){CoUninitialize();});
chii · 4h ago
Can someone well versed in explaining CPP magic explain what is going on and why it is cursed?
quietbritishjim · 2h ago
We're starting with this code:

   defer->void { CoUninitialize(); };
Using the macros in the second linked file, this expands to:

   auto _defer_instance_1234 = Defer{} % [&]()->void { CoUninitialize(); };
* The 1234 is whatever the line number is, which makes the variable name unique.

* auto means infer the type of this local variable from the expression after the =.

* Defer{} means default construct a Defer instance. Defer is an empty type, but it allows the % following it to call a specific function because...

* Defer has an overloaded operator%. It's a template function, which takes a callable object (type is the template parameter Callable) and returns a DeferHolder<Callable> instance.

* [&]()->void { /*code here*/ }; is C++ syntax for a lambda function that captures any variables it uses by address (that's the [&] bit), takes no parameters (that's the () bit) and returns nothing (that's the ->void bit). The code goes in braces.

* DeferHolder calls the function it holds when it is destroyed.

It's subjective but some (including me!) would say it's cursed because it's using a macro to make something that almost looks like C++ syntax but isn't quite. I'm pretty confident with C++ but I had no idea what was going on at first (except, "surely this is using macros somehow ... right?"). [Edit: After some thought, I think the most confusing aspect is that defer->void looks like a method call through an object pointer rather than a trailing return type.]

I'd say it would be better to just be honest about its macroness, and also just do the extra typing of the [&] each time so the syntax of the lambda is all together. (You could then also simplify the implementation.) You end up with something like this:

   DEFER([&]()->void { CoUninitialize(); });
Or if you go all in with no args lambda, you could shorten it to:

   DEFER({ CoUninitialize(); });
Sebb767 · 1h ago
> * Defer has an overloaded operator%. It's a template function, which takes a callable object (type is the template parameter Callable) and returns a DeferHolder<Callable> instance.

Is there any reason to use operator% instead of a normal method call? Except possibly looking cool, which doesn't seem useful given that the call is hidden away in a macro anyway.

quietbritishjim · 57m ago
If you used a normal method call then there would need to be a corresponding close bracket at the end of the overall line of code, after the end of the lambda function. But the macro ("defer") only occurs at the start of the line, so it has no way to supply that close bracket. So the caller of the macro would have to supply it themselves. As I mentioned near the end of my comment, it seems like the defer macro is specifically engineered to avoid the caller needing a close bracket.

If you don't mind that, I said that you can "simplify the implementation" - what I meant was, as you say, you don't need the overloaded Defer::operator% (or indeed the Defer class at all). Instead you could do:

   template <typename Callable>
   DeferHolder<Callable> _get_defer_holder(Callable&& cb) {
       return DeferHolder<Callable>{std::forward<Callable>(cb)};
   }
   #define DEFER(my_lambda) auto COMMON_CAT(_defer_instance_, __LINE__) = _get_defer_holder(my_lambda)
Disclaimer: I haven't tried it and I don't normally write macros so this could have glaring issues.
chii · 2h ago
That's interesting! So I assume that this macro allows code to get registered to be run after the 'current' scope exits.

But from my understanding (or lack thereof), the `auto _defer_instance_1234 =` is never referenced post construction. Why doesn't the compiler immediately detect that this object is unused and thus optimize away the object as soon as possible? Is it always guaranteed that the destructor gets called only after the current scope exits?

quietbritishjim · 1h ago
> Why doesn't the compiler immediately detect that this object is unused and thus optimize away the object as soon as possible? Is it always guaranteed that the destructor gets called only after the current scope exits?

Yes, exactly. The destructor is allowed to have some visible side effect such as closing a file handle or unlocking a mutex that could violate the assumption of the code in that block. (Even just freeing some memory could be an issue for code in the block.) It is guaranteed that the destructor is called at the end of the block, and that all the destructors called in that way happen in reverse order to the order of their corresponding constructors.
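
As an added, self-contained example (not defendnot's code and not any commenter's), this is the pattern the thread describes in one piece: DeferHolder runs its callable from its destructor, Defer::operator% exists only so the keyword-like `defer` macro can avoid a trailing parenthesis, and the DEFER macro is the explicit alternative. The names DEFER_CAT and make_defer_holder are my own stand-ins for COMMON_CAT and _get_defer_holder; run_defer_demo records when each callback fires so the scope-exit and reverse-order guarantees discussed above can be observed rather than assumed.

```cpp
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Holds a callable and invokes it from the destructor, i.e. when the object
// goes out of scope (normal exit, early return, or exception unwinding).
// Moving transfers ownership so a moved-from holder never fires twice.
template <typename Callable>
class DeferHolder {
public:
    explicit DeferHolder(Callable&& cb)
        : cb_(std::forward<Callable>(cb)), active_(true) {}
    DeferHolder(DeferHolder&& other) noexcept
        : cb_(std::move(other.cb_)), active_(other.active_) {
        other.active_ = false;
    }
    DeferHolder(const DeferHolder&) = delete;
    DeferHolder& operator=(const DeferHolder&) = delete;
    DeferHolder& operator=(DeferHolder&&) = delete;
    ~DeferHolder() {
        if (active_) cb_();
    }

private:
    Callable cb_;
    bool active_;
};

// Empty tag type: `Defer{} % lambda` builds a DeferHolder without needing a
// closing parenthesis after the lambda body, which is what lets the macro
// below appear only at the start of the statement.
struct Defer {
    template <typename Callable>
    DeferHolder<Callable> operator%(Callable&& cb) const {
        return DeferHolder<Callable>{std::forward<Callable>(cb)};
    }
};

// Two-level token pasting so __LINE__ is expanded before concatenation,
// giving each defer statement a unique variable name.
#define DEFER_CAT_IMPL(a, b) a##b
#define DEFER_CAT(a, b) DEFER_CAT_IMPL(a, b)

// Variant 1 (keyword-like, as in the thread): supplies `[&]()` for the caller,
// so the call site reads `defer->void { ... };` or `defer { ... };`.
#define defer auto DEFER_CAT(_defer_instance_, __LINE__) = Defer{} % [&]()

// Variant 2 (explicit macro, as suggested in the thread): the caller writes
// the whole lambda; no Defer tag type or operator% is needed.
template <typename Callable>
DeferHolder<Callable> make_defer_holder(Callable&& cb) {
    return DeferHolder<Callable>{std::forward<Callable>(cb)};
}
#define DEFER(my_lambda) \
    auto DEFER_CAT(_defer_instance_, __LINE__) = make_defer_holder(my_lambda)

// Records the order in which the block body and the deferred callbacks run.
// Expected: "body", then "DEFER 2 ran", then "defer 1 ran" (destructors run
// in reverse construction order), then "after block".
std::vector<std::string> run_defer_demo() {
    std::vector<std::string> log;
    {
        defer->void { log.push_back("defer 1 ran"); };
        DEFER([&]() { log.push_back("DEFER 2 ran"); });
        log.push_back("body");
    }  // both holders are destroyed here, second one first
    log.push_back("after block");
    return log;
}

int main() {
    for (const std::string& entry : run_defer_demo()) {
        std::puts(entry.c_str());
    }
    return 0;
}
```

The unused-looking `_defer_instance_N` variables are not optimized away because their destructors have observable side effects; the compiler may only elide work it can prove has no effect, and a call through `cb_` is not that.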

jeffbee · 1h ago
Yes, this is guaranteed. The compiler cannot simply elide statements with effects.
jeffbee · 45m ago
A way to do the same thing that is less gross: https://github.com/abseil/abseil-cpp/blob/master/absl/cleanu...
aa-jv · 15m ago
This is a class which implements a 'defer' mechanism, similar to Go and JavaScript constructs, which do the same thing - delay execution of the given block until the current block scope is exited. It's pretty clever, actually, and quite useful.

I personally don't find it that cursed, but for many old C++ heads this may be an overwhelming smell - adding a class to implement what should be a language feature may tweak some folks' ideology a bit too far.

eru · 2h ago
C++ sort-of guarantees that your objects' destructors will be called when they go out of scope.

So you can abuse this mechanic to 'register' things to be executed at the end of the current scope, almost no matter how you exit the current scope.

fc417fc802 · 3h ago
What's cursed about this? I use this pattern all over in my code although the signature at the callsite looks a bit different (personal preference).

D (for example) has the concept of statements that trigger at end of scope built into the language.

xyst · 1h ago
Every time I see anime characters in pfp, I know it’s going to be a good write up. Thanks for sharing.

Keeping this saved in case I return to a crappy windows env.

dark-star · 4h ago
For those wondering:

WSC stands for Windows Security Center.

I had to look it up as well

einsteinx2 · 21m ago
> The part of the system that manages all this mess is called Windows Security Center - WSC for short.

It’s in the article

dark-star · 2m ago
true, but you have to read until the 4th paragraph to find it. Putting it in the title would have been better
einsteinx2 · 58s ago
Fair point
s4mbh4 · 4h ago
Why would you want to disable WSC?
ahoka · 5m ago
Because why would you want to rootkit yourself on purpose?
devrandoom · 4h ago
Performance reasons? Malware development? Hacking?
fransje26 · 2h ago
Is there a more performant, less resource-crippling, antivirus for Windows?
hoseja · 14m ago
It's called no antivirus. It's what this is supposed to do. Antiviruses are useless malware.
bob1029 · 1h ago
A skilled user.

I understand and mostly support the idea of mandatory AV for the people who can barely handle the concept of a file system.

There is also a class of user forged in the fires of the primordial internet who would never in a trillion years be tricked into clicking a fake explorer.exe window in their browser.

Giving users choice is the best option. Certainly, make it very hard to disable the AV. But, don't make me go dig through DMCA'd repos and dark corners of the internet (!) to find a way to properly disable this bullshit.

hoseja · 13m ago
The worst is when they silently re-enable the AV with a mandatory update later.
nicman23 · 1h ago
Because all antivirus software is at least a powervirus.

I do not care for anyone babysitting me, telling me that netcat.exe is a no-no.

xyst · 1h ago
It’s my hardware. I’ll do what I want with it, m8.

Simple as that.

AStonesThrow · 59m ago
Well this is a straightforward sentiment with a real "my body, my choice" ring to it, isn't it? Until it isn't.

Perhaps your hardware, when connected to a network, has real effects on the rest of that network. What if your system joined a botnet and began DDOS activities for payment? What if your system was part of a residential proxy network, and could be rented in the grey market for any kind of use or abuse of others' systems? What if your system became a host for CSAM or copyright-violating materials, unbeknownst to you, until the authorities confiscated it?

And what if your hardware had a special privileged location on a corporate network, or you operated a VPC with some valuable assets, and that was compromised and commandeered by a state-level threat actor? Is it still "your hardware, your choice"? Or do your bad choices affect other people as well?

ahoka · 3m ago
There's the "Malicious Software Removal Tool" for that case.
SecretDreams · 19m ago
I got measles just reading this
VMtest · 14m ago
I guess I have to start auditing all devices that connect to my home internet... oh wait
dinga · 1h ago
This is literally Hacker News :)
ForOldHack · 5h ago
This is a godsend. I should send you a jar of KimChee for this. Please return to Seoul, and enjoy the sights. South Korea is one of the most beautiful countries in the world. Try to plan it to correspond to either the cherry blossoms falling in the spring, or the leaves falling in the fall.

I miss Seoul.

nar001 · 3h ago
Will you go back? Holidays, or are you from there?
yard2010 · 3h ago
"Busan is Good"

<3

gitroom · 3h ago
Lmao reverse engineering WSC on vacation sounds like some real dedication - honestly can't tell if that's commitment or just a cry for help. Made me think: if tuning all this stuff gives you a headache, would you rather have max security or just peace of mind and a fast machine?
0xEF · 2h ago
> Max security or just peace of mind and a fast machine

Or, to avoid making that choice at all, just don't use Windows.

eru · 2h ago
There's plenty of other insecure systems.
xyst · 1h ago
Windows in its entirety is security theatre. WSC is an example of this
codeulike · 4h ago
What does CTF stand for?
raybb · 4h ago
CalRobert · 4h ago
AtomicByte · 7h ago
No idea there was so much going on behind the scenes of defendnot (I feel like someone sent it to me earlier; thought it was super cool).
kunley · 3h ago
It's simply disgusting, not what the guy did, but the fact that he needed to do it at all, because this whole Windows environment is so crappy.
ThrowawayTestr · 5h ago
Is the point to actually disable defender or to highlight a vulnerability?
geocar · 3h ago
I think the point is to disable defender: Air-gapped machines, kiosks, industrial applications, and so on, have no need to eat gobs of ram and waste loads of cpu checking the same files over and over again. For other applications, WD provides dubious benefits. It is annoying that there isn't a switch that says "I know how to operate a computer".

Evildoers don't need to bother with this: If they have access at this point you've got other problems.

Microsoft may extend WD to detect/block this vector since it is using undocumented interfaces; Microsoft would absolutely prefer you buy more cores, and if you're not going to do that, collect some additional licensing revenue through some other way.

mappu · 1h ago
> It is annoying that there isn't a switch that says "I know how to operate a computer".

I found one such switch: Install Linux

eru · 2h ago
Why would Microsoft care how much money I spend with my CPU core vendor?
geocar · 1h ago
ForOldHack · 5h ago
That is one possible point, but on machines with low memory (like a lab full of 8GB potatoes) this is a godsend. These lab PCs are so stripped down that the only thing using most of the memory is WD.

You should be able to make a normal mode to run full security and a gaming mode to just run a semi-large game, and yes, this does expose a vulnerability, but it can be easily brought back up.

iforgotpassword · 4h ago
Oof, really? Haven't really used windows much after 7, but it always seemed to me defender was pretty lightweight. At least compared to all the other products where just opening the UI would lag out the average machine.