The most invasive but effective way I've found to disable Defender is to boot into a live Linux USB, rename "C:\ProgramData\Microsoft\Windows Defender", and create an empty file in its place.
71bw · 3h ago
Group policies still work so effectively that I've set up a local domain using a controller in my homelab that does nothing but change the defender policies automatically for all users.
keepamovin · 4h ago
It's weird that Windows wouldn't have a signed manifest that would detect that.
vachina · 2h ago
You can also disable Windows Update entirely by taking ownership of wuaueng.dll and .exe. It’s the only effective method on Windows Home.
subscribed · 1h ago
But disabling updates on the system connected to the Internet is a terrible idea.
How do you update that afterwards?
stuffoverflow · 8m ago
I have yet to see concrete evidence that disabling Windows Update and Windows Defender would elevate the risk of having the system compromised in any meaningful way.
I installed Windows 10 2016 LTSC on a VM at the end of last year out of curiosity to test that. Disabled wupdate and Defender before letting it access the internet, so that it was basically 8 years behind on any updates. I tried browsing all kinds of sketchy sites with Firefox and Chrome, clicking ads etc., but wasn't able to get the system infected.
I would guess that keeping your browser updated is more important.
londons_explore · 1h ago
Since the rest of the world updates their PCs, malware authors rarely focus on exploiting older versions.
Both Chrome and Windows are now in that position.
Basically, unless you are of interest to state-level attackers, in 2025 even unpatched Chrome/Windows won't get drive-by exploited.
perching_aix · 25m ago
Would suck if an exploit was present for years, sometimes decades. Would especially suck if people piled up old exploits and fell back on them as needed.
nsteel · 14m ago
Imagine if this was all automated, even scripted, so even kiddies could do it, or others with almost zero security knowledge.
I'd really, really like to think most of us don't follow this terrible security practice based on a bad premise.
eru · 44m ago
That seems like pretty sketchy reasoning.
Like leaving your door unlocked, because you live in such a sketchy neighbourhood that everyone else always locks their doors.
hansbo · 31m ago
More like, continue living in a sketchy neighbourhood because all the thieves go to the newer, more polished neighbourhoods anyway.
LoganDark · 42m ago
Actually riddle me this: what if you want to exploit exactly the type of person to disable updates? They are potentially more lucrative targets if nobody else targets them. Just a thought. It's sort of how "delete me" services profit off paranoia, they're a lucrative market because of the paranoia.
vachina · 1h ago
By reinstating the ownership of those files.
ForOldHack · 3h ago
That is basically how a popular product does it, while taking down about 25% of the entire internet...
stuckkeys · 1h ago
I see what you did there.
qbane · 4h ago
FYI, WSC stands for Windows Security Center.
Washuu · 1h ago
Thank you for the help. It is really frustrating when authors do not define an acronym when it is first introduced in the text.
unmole · 1h ago
But they do:
> The part of the system that manages all this mess is called Windows Security Center - WSC for short.
Washuu · 54m ago
It needs to be closer to where the acronym is first introduced. The definition, on my screen, is below the fold so it can not be seen in context of where the acronym is first introduced. If it was defined below the title, I would understand.
I do a lot of copy editing for clarity and non-native speakers, so I have to keep these things in mind. ¯\_(ツ)_/¯
es3n1n · 40m ago
This is somewhat useful feedback, however I am not too sure how this can be fixed given the structure of my blog post. Do you think that if I just add a line `*WSC is short for Windows Security Center` in the first paragraph this will be enough?
magicalhippo · 13m ago
My suggestion:
In this post I will briefly describe the journey I went through while implementing defendnot, a tool that disables Windows Defender by using the Windows Security Center (WSC) service API directly.
n4r9 · 17m ago
At least that one is defined later on. I'm still scratching my head over "CTF".
[Edit - could be Capture The Flag?]
rschiavone · 1h ago
They do. They understandably shorten it in the title, but then they define the acronym the first time they use it in the article.
rootsudo · 2h ago
I recently read https://nostarch.com/windows-security-internals and this makes it much more relatable. I've known a bit about how a lot of this back stuff works in Windows, but the timing is great: the last chapter of that book really goes into the same detail this author went into about tokens and SIDs.
Can someone well versed in explaining C++ magic explain what is going on and why it is cursed?
quietbritishjim · 44m ago
We're starting with this code:
defer->void { CoUninitialize(); };
Using the macros in the second linked file, this expands to:
auto _defer_instance_1234 = Defer{} % [&]()->void { CoUninitialize(); };
* The 1234 is whatever the line number is, which makes the variable name unique.
* auto means infer the type of this local variable from the expression after the =.
* Defer{} means default construct a Defer instance. Defer is an empty type, but it allows the % following it to call a specific function because...
* Defer has an overloaded operator%. It's a template function, which takes a callable object (type is the template parameter Callable) and returns a DeferHolder<Callable> instance.
* [&]()->void { /*code here*/ }; is C++ syntax for a lambda function that captures any variables it uses by address (that's the [&] bit), takes no parameters (that's the () bit) and returns nothing (that's the ->void bit). The code goes in braces.
* DeferHolder calls the function it holds when it is destroyed.
It's subjective but some (including me!) would say it's cursed because it's using a macro to make something that almost looks like C++ syntax but isn't quite. I'm pretty confident with C++ but I had no idea what was going on at first (except, "surely this is using macros somehow ... right?"). [Edit: After some thought, I think the most confusing aspect is that defer->void looks like a method call through an object pointer rather than a trailing return type.]
I'd say it would be better to just be honest about its macroness, and also just do the extra typing of the [&] each time so the syntax of the lambda is all together. (You could then also simplify the implementation.) You end up with something like this:
DEFER([&]()->void { CoUninitialize(); });
Or if you go all in with no args lambda, you could shorten it to:
DEFER({ CoUninitialize(); });
chii · 1m ago
That's interesting! So I assume that this macro allows code to get registered to be run after the 'current' scope exits.
But from my understanding (or lack thereof), the `auto _defer_instance_1234 =` is never referenced post construction. Why doesn't the compiler immediately detect that this object is unused and thus optimize away the object as soon as possible? Is it always guaranteed that the destructor gets called only after the current scope exits?
eru · 42m ago
C++ sort-of guarantees that your objects' destructors will be called when they go out of scope.
So you can abuse this mechanic to 'register' things to be executed at the end of the current scope, almost no matter how you exit the current scope.
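To make quietbritishjim's breakdown above and chii's follow-up question concrete, here is an added example (not code from defendnot or from any commenter): a minimal RAII "defer" with the names the breakdown uses (Defer, DeferHolder, operator%, _defer_instance_N), plus the plainer DEFER(...) macro form suggested as an alternative. The DEFER_CONCAT helper macros, the trace string and the fake_init/fake_uninit pair (standing in for the COM init/uninit calls) are assumptions made for this demo.

```cpp
#include <stdexcept>
#include <string>
#include <utility>

// Holds a callable and invokes it exactly once, when the holder is destroyed.
// The destructor has an observable side effect, which is why the compiler may
// not drop the object even though the variable is never named again.
template <typename Callable>
class DeferHolder {
public:
    explicit DeferHolder(Callable c) : fn_(std::move(c)), active_(true) {}
    DeferHolder(DeferHolder&& other) noexcept
        : fn_(std::move(other.fn_)), active_(other.active_) { other.active_ = false; }
    DeferHolder(const DeferHolder&) = delete;
    DeferHolder& operator=(const DeferHolder&) = delete;
    ~DeferHolder() { if (active_) fn_(); }   // runs at scope exit, normal or unwinding
private:
    Callable fn_;
    bool active_;
};

// Empty tag type whose only job is to give operator% something to hang off.
struct Defer {
    template <typename Callable>
    DeferHolder<Callable> operator%(Callable c) const {
        return DeferHolder<Callable>(std::move(c));
    }
};

// Helper macros (assumed names) to build a unique variable name from __LINE__.
#define DEFER_CONCAT_INNER(a, b) a##b
#define DEFER_CONCAT(a, b) DEFER_CONCAT_INNER(a, b)

// The keyword-like form: `defer->void { ... };` expands to
// `auto _defer_instance_N = Defer{} % [&]()->void { ... };`
#define defer auto DEFER_CONCAT(_defer_instance_, __LINE__) = Defer{} % [&]()

// The "honest macro" form: the whole lambda body is written at the call site.
#define DEFER(body) auto DEFER_CONCAT(_defer_instance_, __LINE__) = Defer{} % [&]() body

// Records the order of events in a scope as a comma-separated trace string.
std::string run_scope_demo() {
    std::string trace;
    auto log = [&](const char* s) { if (!trace.empty()) trace += ','; trace += s; };
    {
        log("enter");
        defer->void { log("deferred-1"); };
        defer->void { log("deferred-2"); };
        log("work");
    }   // holders destroyed here, in reverse order of declaration
    log("exit");
    return trace;   // "enter,work,deferred-2,deferred-1,exit"
}

// Constructed stand-in for a COM-style init/uninit pair that must balance.
static int g_open_handles = 0;
void fake_init()   { ++g_open_handles; }
void fake_uninit() { --g_open_handles; }
int  open_handles() { return g_open_handles; }

// Shows that the deferred cleanup still runs when the scope is left by an
// exception: by the time the catch block executes, the handle is already closed.
bool run_with_exception(bool throw_midway) {
    try {
        fake_init();
        DEFER({ fake_uninit(); });
        if (throw_midway) throw std::runtime_error("simulated failure");
    } catch (const std::exception&) {
        return open_handles() == 0;
    }
    return open_handles() == 0;
}
```

On chii's question: the variable is indeed never referenced again, but the language guarantees that a local object with automatic storage is destroyed when its block is exited, in reverse order of construction, whether the exit is a fall-through, a return, or an exception. The compiler may only elide an object whose destruction has no observable effect; here the destructor calls the stored lambda, so it stays. Two practical caveats of the macro approach: a lambda body containing a top-level comma breaks the DEFER(...) form, and two defers on the same source line collide on the __LINE__-based name.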
fc417fc802 · 1h ago
What's cursed about this? I use this pattern all over in my code although the signature at the callsite looks a bit different (personal preference).
D (for example) has the concept of statements that trigger at end of scope built into the language.
es3n1n · 2h ago
Yeah, sorry, I didn't feel like implementing my own RAII stuff for all the COM thingies due to time constraints. It will be changed in the next update though.
Honestly if this isn't part of a public API this isn't very cursed in terms of C++, especially if you have a lot of one-off cleanup operations.
I think the only bit I don't like personally is the syntax. I normally implement defer as a macro to keep things clean. If done correctly it can look like a keyword: `defer []{ something(); };`.
Is there a more performant, less resource-crippling, antivirus for Windows?
gitroom · 1h ago
Lmao reverse engineering WSC on vacation sounds like some real dedication - honestly can't tell if that's commitment or just a cry for help. Made me think: if tuning all this stuff gives you a headache, would you rather have max security or just peace of mind and a fast machine?
0xEF · 54m ago
> Max security or just peace of mind and a fast machine
Or, to avoid making that choice at all, just don't use Windows.
eru · 41m ago
There's plenty of other insecure systems.
dark-star · 2h ago
For those wondering:
WSC stands for Windows Security Center.
I had to look it up as well
ForOldHack · 3h ago
This is a godsend. I should send you a jar of kimchi for this. Please return to Seoul, and enjoy the sights. South Korea is one of the most beautiful countries in the world. Try to plan it to correspond to either the cherry blossoms falling in the spring, or the leaves falling in the fall.
I miss Seoul.
nar001 · 1h ago
Will you go back? Holidays, or are you from there?
yard2010 · 1h ago
"Busan is Good"
<3
AtomicByte · 5h ago
No idea there was so much going on behind the scenes of defendnot (I feel like someone sent it to me earlier; thought it was super cool).
kunley · 57m ago
It's simply disgusting, not what the guy did, but the fact that he needed to do it at all, because this whole Windows environment is so crappy.
Is the point to actually disable defender or to highlight a vulnerability?
geocar · 1h ago
I think the point is to disable defender: Air-gapped machines, kiosks, industrial applications, and so on, have no need to eat gobs of ram and waste loads of cpu checking the same files over and over again. For other applications, WD provides dubious benefits. It is annoying that there isn't a switch that says "I know how to operate a computer".
Evildoers don't need to bother with this: If they have access at this point you've got other problems.
Microsoft may extend WD to detect/block this vector since it is using undocumented interfaces; Microsoft would absolutely prefer you buy more cores, and if you're not going to do that, collect some additional licensing revenue through some other way.
eru · 40m ago
Why would Microsoft care how much money I spend with my CPU core vendor?
ForOldHack · 3h ago
That is one possible point, but on machines with low memory (like a lab full of 8GB potatoes) this is a godsend. These lab PCs are so stripped down that the only thing using most of the memory is WD.
You should be able to make a normal mode to run full security and a gaming mode to just run a semi-large game, and yes, this does expose a vulnerability, but it can be easily brought back up.
iforgotpassword · 2h ago
Oof, really? Haven't really used windows much after 7, but it always seemed to me defender was pretty lightweight. At least compared to all the other products where just opening the UI would lag out the average machine.
* https://apastyle.apa.org/style-grammar-guidelines/abbreviati...
* https://www.stylemanual.gov.au/grammar-punctuation-and-conve...
* https://learn.microsoft.com/en-us/style-guide/acronyms
https://github.com/es3n1n/defendnot/blob/master/defendnot-lo...
If you're curious what's actually going on there:
https://github.com/es3n1n/defendnot/blob/master/cxx-shared/s...