
DisableDefender

Defender disabler/remover — CLI + premium WPF GUI, firewall preserved

Freshness
Updated Apr 26, 2026
Latest release
v0.0.4
Published Apr 20, 2026


Source at github.com/SysAdminDoc/DisableDefender.

README

Cached at build time, cleaned up for in-site reading, and linked back to the canonical GitHub source.

DisableDefender

![Version](https://img.shields.io/badge/version-0.0.4-blue.svg) ![License](https://img.shields.io/badge/license-MIT-green.svg) ![Platform](https://img.shields.io/badge/platform-Windows%2010%20%7C%2011-0078D6.svg) ![PowerShell](https://img.shields.io/badge/powershell-5.1%2B-012456.svg)


The ultimate Microsoft Defender Antivirus disabler / remover for Windows 10 and 11.

DisableDefender fully disables (and optionally removes) Microsoft Defender Antivirus while explicitly preserving the Windows Firewall. Firewall services (mpssvc, BFE, SharedAccess) and policy keys are on a refuse-list and verified intact before and after every operation.

PowerShell-native with both a CLI and a premium WPF GUI. No external dependencies. Reversible. Built from a synthesis of the best community techniques (policy keys, Set-MpPreference, registry ACL takeover, SYSTEM-via-task fallback, DISM package removal, SecHealthUI deprovision, scheduled task nuke, SafeBoot trap).


GUI

A premium WPF dark interface — Catppuccin Mocha palette, custom chrome, glassmorphic tiles, live status dashboard, embedded log, async execution.

Run via:

.\DisableDefender.GUI.ps1

or double-click DisableDefender.GUI.bat.

Dashboard tiles show: Antivirus engine, Real-time protection, Tamper Protection (with warning banner + direct link to Windows Security), Firewall, Defender service count, MAPS telemetry. Overall indicator summarizes to PROTECTED / DISABLED / BLOCKED. Live log pane streams every operation with level colors (INFO / OK / WARN / ERROR / DEBUG). Copy, Export, Clear buttons. Toast notifications on completion.



Features

  • Three modes: Disable (reversible), Remove (aggressive), Restore (undo)
  • Firewall preservation with critical (mpssvc, BFE) vs touch-refuse separation; pre/post integrity guard aborts if profile flips off
  • Registry ACL takeover via SeTakeOwnershipPrivilege + Microsoft.Win32.Registry — no TrustedInstaller needed (TI triggers Defender alarms per privacy.sexy #264)
  • SYSTEM-via-task fallback for keys that even Admin+ACL-override can't touch
  • Multi-strategy Set-ServiceStart: direct write → ACL takeover → SYSTEM task
  • Full policy coverage (privacy.sexy-enriched): DisableAntiSpyware, real-time, behavior, IOAV, IPS, IPC, spynet, MAPS, NIS, IPS-throttle, MpEngine PUA + file-hash, signatures, scan, SmartScreen, MRT, passive-mode for MDE, UX suppression, legacy Microsoft Antimalware
  • Runtime prefs: Set-MpPreference sweep + global path/extension/process exclusions
  • Scheduled tasks: all four Defender tasks + ExploitGuard refresh disabled
  • Service takedown: 17 services including MDCoreSvc, MDDlpSvc, MsSecFlt, MsSecCore, SgrmAgent/Broker, webthreatdefsvc
  • Appx removal: SecHealthUI deprovision with NonRemovableAppPolicy override
  • SafeBoot trap (Remove mode): nukes SafeBoot\{Minimal,Network}\WinDefend so the service can't load even in Safe Mode
  • Restore point before any destructive op (opt-out with -NoRestorePoint)
  • Auto-elevate, silent mode, transcript logging, Safe Mode aware

Requirements

  • Windows 10 (1809+) or Windows 11 (any build, including 24H2/25H2)
  • PowerShell 5.1+ (PowerShell 7 works too)
  • Administrator rights (script auto-elevates)
  • Tamper Protection OFF. You must toggle this manually first: Settings > Windows Security > Virus & threat protection > Manage settings > Tamper Protection. There is no scripted bypass for Tamper Protection on 24H2+. DisableDefender detects the state and aborts if it is still on.

Usage

.\DisableDefender.GUI.ps1

Or double-click DisableDefender.GUI.bat. Auto-elevates to Administrator.

Interactive CLI

powershell -ExecutionPolicy Bypass -File .\DisableDefender.ps1

A menu appears with Disable / Remove / Restore / Status.

CLI

# Reversible disable
.\DisableDefender.ps1 -Mode Disable

# Full removal (Safe Mode recommended)
.\DisableDefender.ps1 -Mode Remove

# Undo everything
.\DisableDefender.ps1 -Mode Restore

# Just show state
.\DisableDefender.ps1 -Mode Status

# Silent automation
.\DisableDefender.ps1 -Mode Disable -Silent -NoReboot

Parameters

| Flag | Description |
|------|-------------|
| -Mode | Disable / Remove / Restore / Status |
| -Silent | No console output, no prompts. Requires -Mode. |
| -NoRestorePoint | Skip System Restore checkpoint. |
| -NoReboot | Don't auto-reboot at end. |
| -Force | Bypass Tamper Protection / Safe Mode abort gates. |
| -LogPath | Override log path (default %APPDATA%\DisableDefender\DisableDefender.log). |

What each mode does

Disable (reversible)

  1. Checks Tamper Protection is off
  2. Verifies firewall intact
  3. Creates System Restore point
  4. Writes Defender policy keys (anti-spyware, real-time, behavior, IPS, spynet, passive-mode, SmartScreen, MRT)
  5. Applies Set-MpPreference sweep + global exclusions
  6. Disables 5 scheduled tasks
  7. Stops + disables 10 Defender services (NOT firewall)
  8. Re-verifies firewall intact
  9. Prompts reboot

Remove (aggressive)

Everything Disable does, plus:

  • Deprovisions the Microsoft.SecHealthUI Appx package (with NonRemovableAppPolicy override)
  • DISM-removes Windows-Defender / SecurityClient platform packages
  • Best run from Safe Mode for service registry key edits to stick

Restore (undo)

  • Removes all Defender policy keys
  • Resets MpPreference flags to default
  • Re-enables scheduled tasks
  • Restores default service start types
  • Re-registers SecHealthUI from %ProgramFiles%\WindowsApps
  • If the Security app does not come back: sfc /scannow then DISM /Online /Cleanup-Image /RestoreHealth

Firewall preservation (explicit guarantee)

The following are on a hard refuse-list and will never be modified:

Critical (must stay running — script aborts if they're disabled or profiles are off):

  • Services: mpssvc, BFE
  • Per-profile firewall state (Domain / Private / Public)

Touch-refuse (script never writes to these, even if they happen to be disabled by default like SharedAccess/ICS):

  • Services: mpssvc, BFE, SharedAccess, MpsDrv, mpsdrv, MsSecWfp, IKEEXT, PolicyAgent, Dnscache, Dhcp, Wlansvc, NetSetupSvc
  • Policy paths: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall, HKLM\SYSTEM\...\mpssvc, HKLM\SYSTEM\...\BFE, HKLM\SYSTEM\...\SharedAccess\Parameters\FirewallPolicy, ...\MpsDrv, ...\MsSecWfp

v0.0.2 fixed a false-positive where SharedAccess (ICS, off by default) tripped the guard. v0.0.3 renamed the project from DefenderPurge → DisableDefender.
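The pre/post firewall integrity guard described above, written out as a standalone added example (not the project's own code). It snapshots the critical services and per-profile state, fails closed on the pre-check, and reports any drift after an operation; it assumes the built-in NetSecurity module (Get-NetFirewallProfile) that ships with Windows 10/11.

```powershell
# Added example of a firewall integrity guard in the spirit of the refuse-list above.
# Not DisableDefender's code; assumes the NetSecurity module is available.

$CriticalServices = @('mpssvc', 'BFE')              # must stay running (README: critical)
$Profiles         = @('Domain', 'Private', 'Public') # per-profile state must stay on

function Get-FirewallSnapshot {
    # Capture service status/start type and each profile's Enabled flag.
    $snap = @{}
    foreach ($name in $CriticalServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $snap["svc:$name"] = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'missing' }
    }
    foreach ($p in Get-NetFirewallProfile -Name $Profiles) {
        # Enabled is a GpoBoolean enum (True / False / NotConfigured); only True counts as on.
        $snap["profile:$($p.Name)"] = ("$($p.Enabled)" -eq 'True')
    }
    return $snap
}

function Test-FirewallIntact {
    # Return a list of problems; an empty list means the guard passes.
    param([hashtable]$Snapshot)
    $problems = @()
    foreach ($name in $CriticalServices) {
        if ($Snapshot["svc:$name"] -notlike 'Running/*') {
            $problems += "$name not running ($($Snapshot["svc:$name"]))"
        }
    }
    foreach ($pn in $Profiles) {
        if (-not $Snapshot["profile:$pn"]) { $problems += "$pn profile is off" }
    }
    return $problems
}

# Pre-check: abort before doing anything if the firewall is already unhealthy.
$before = Get-FirewallSnapshot
$issues = Test-FirewallIntact -Snapshot $before
if ($issues) { throw "Pre-check failed: $($issues -join '; ')" }

# ... the operation that must not touch the firewall runs here ...

# Post-check: any changed key or failed condition is reported as drift.
$after = Get-FirewallSnapshot
$drift = @($after.Keys | Where-Object { $after[$_] -ne $before[$_] })
$issues = Test-FirewallIntact -Snapshot $after
if ($drift.Count -gt 0 -or $issues) {
    Write-Warning "Firewall state changed: $($drift -join ', ') $($issues -join '; ')"
    # Recovery, as in the troubleshooting table: netsh advfirewall set allprofiles state on
}
```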

Warnings

  • Your PC will have no antivirus after running this. Install an alternative AV if that matters to you.
  • Tamper Protection must be off first. No workaround exists on Windows 11 24H2+.
  • Remove mode partially bricks the Windows Security UI. Restore reprovisions it but may require DISM /RestoreHealth if Windows Update has installed a Security Intelligence Update.
  • Windows Update may periodically re-install parts of Defender; re-run -Mode Disable after major feature updates.
  • Use at your own risk on production systems. Authored for lab / workstation / dedicated-purpose machines (medical imaging, PACS/DICOM, VM hosts).

Troubleshooting

| Symptom | Fix |
|---------|-----|
| "Tamper Protection blocks changes" | Toggle off in Windows Security UI, rerun |
| Services come back after reboot | Boot to Safe Mode, run -Mode Remove |
| Get-MpComputerStatus errors in Status | Defender platform is partly removed — expected |
| Restore didn't bring back UI | sfc /scannow && DISM /Online /Cleanup-Image /RestoreHealth |
| Firewall got disabled | Run -Mode Restore, or netsh advfirewall set allprofiles state on |

Log locations

  • %APPDATA%\DisableDefender\DisableDefender.log
  • %APPDATA%\DisableDefender\transcript.log

License

MIT. See LICENSE.

Credits / Prior Art

Techniques synthesized from:

  • undergroundwires/privacy.sexy — comprehensive policy key catalog (NIS, MpEngine, IPC, UX, SpyNet overrides, legacy Antimalware), MpPreference-first strategy, grantPermissions ACL takeover approach, SafeBoot\WinDefend trick, extended service list (MsSecFlt, MsSecCore, SgrmAgent/Broker, MDDlpSvc, webthreatdefsvc)
  • ionuttbara/windows-defender-remover — DISM NonRemovableAppPolicy pattern, SecHealthUI deprovision
  • pgkt04/defender-control — registry flag research
  • conspiracyrip/DefenderControlV2 — anti-tamper service kill surface
  • Microsoft Set-MpPreference and admx.help documentation


Recent Releases

Latest tagged notes pulled from GitHub release history for this project.

  • v0.0.4

    First public release.
      • Three modes: **Disable** (reversible), **Remove** (aggressive), **Restore** (undo)
      • Firewall explicitly preserved (`mpssvc`, `BFE`, per-profile state verified pre/post)