{"id":49246352,"url":"https://github.com/sysadmindoc/defendercontrol","last_synced_at":"2026-04-24T22:01:44.443Z","repository":{"id":345218986,"uuid":"1184952962","full_name":"SysAdminDoc/DefenderControl","owner":"SysAdminDoc","description":"WPF GUI to fully disable or re-enable Microsoft Defender on Windows 10/11","archived":false,"fork":false,"pushed_at":"2026-04-24T20:27:04.000Z","size":129,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-24T21:32:48.320Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SysAdminDoc.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-18T04:58:37.000Z","updated_at":"2026-04-24T20:27:06.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/SysAdminDoc/DefenderControl","commit_stats":null,"previous_names":["sysadmindoc/defendercontrol"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/SysAdminDoc/DefenderControl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysAdminDoc%2FDefenderControl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysAdminDoc%2FDefenderControl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysAdminDoc%2FDefenderControl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysAdminDoc%2FDefenderControl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SysAdminDoc","download_url":"https://codeload.github.com/SysAdminDoc/DefenderControl/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysAdminDoc%2FDefenderControl/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32242315,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T13:21:15.438Z","status":"ssl_error","status_checked_at":"2026-04-24T13:21:15.005Z","response_time":64,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-24T22:01:43.154Z","updated_at":"2026-04-24T22:01:44.433Z","avatar_url":"https://github.com/SysAdminDoc.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Defender Control\n\nA professional PowerShell WPF utility to comprehensively disable or re-enable Microsoft Defender on Windows 10/11. Dark-themed GUI with fully async operations, detailed logging, and complete reversibility.\n\n![PowerShell](https://img.shields.io/badge/PowerShell-5.1-blue?logo=powershell\u0026logoColor=white)\n![Windows](https://img.shields.io/badge/Windows-10%20%7C%2011-0078D6?logo=windows\u0026logoColor=white)\n![License](https://img.shields.io/badge/License-MIT-green)\n\n---\n\n## Why This Exists\n\nSometimes you need Defender completely out of the way — deploying custom imaging software, running legacy tools that trigger false positives, benchmarking without AV overhead, or configuring kiosk systems. The built-in Windows UI only lets you temporarily disable real-time protection, and it re-enables itself within minutes.\n\nDefender Control performs a thorough multi-phase disable that persists across reboots by targeting preferences, group policy registry keys, services, scheduled tasks, PPL flags, and more. Everything is fully reversible with a single click.\n\n\u003e **Windows Firewall is completely untouched.** This tool only manages Defender antivirus components. Starting in v3.2.0, this guarantee is machine-checked: every Disable/Enable run snapshots Get-NetFirewallProfile and the mpssvc/BFE service state before the first change and verifies it after the last change. Any divergence is logged as an error.\n\n---\n\n## Features\n\n- **10-Phase Disable** — Preferences, group policy, notifications, scheduled tasks, services, PPL flags, context menus, SmartScreen, and process termination\n- **7-Phase Enable** — Full restoration to Windows defaults with signature update and verification\n- **Fully Async GUI** — All operations run in background runspaces; the window never freezes\n- **4-Level Permission Escalation** — Direct write → .NET handle with ownership → reg.exe → SYSTEM scheduled task\n- **PPL Flag Stripping** — Removes Protected Process Light from Defender services so they don't survive reboot\n- **System Restore Point** — Automatically created before disabling for easy rollback\n- **Dry Run Mode** — Simulate the entire operation without making any changes\n- **Verbose Toggle** — Filter log output between important-only and full diagnostic detail\n- **Export Log** — Save the full operation log to a text file for troubleshooting or documentation\n- **Reboot Button** — Appears after operations that need a restart\n- **OS Build Awareness** — Detects Win10/11, warns on deprecated GP keys (Win11 22H2+), blocks unsupported versions\n- **Self-Elevation** — Automatically requests Administrator via UAC\n- **Orphan Cleanup** — Removes leftover scheduled tasks from interrupted previous runs\n- **Firewall Integrity Guard** — Snapshots firewall profile state + mpssvc/BFE service state before Phase 1; verifies no divergence after Phase 10\n- **Third-Party AV Pre-Flight** — Warns via Security Center WMI when no non-Microsoft AV is registered before disabling\n- **Undo / Audit Manifest** — Every Disable/Enable writes a JSON audit record to `%ProgramData%\\DefenderControl\\manifests\\`; view with `-Mode Manifest`\n\n---\n\n## Requirements\n\n| Requirement | Details |\n|---|---|\n| **OS** | Windows 10 (1809+) or Windows 11 |\n| **PowerShell** | Windows PowerShell 5.1 (not PowerShell 7) |\n| **Privileges** | Administrator (auto-elevates via UAC) |\n| **Tamper Protection** | Should be OFF for full effectiveness (see below) |\n\n---\n\n## Usage\n\n### Quick Start\n\n1. Download `DefenderControl.ps1`\n2. Right-click → **Run with PowerShell** (or it will self-elevate)\n3. Disable Tamper Protection first if you haven't already\n4. Click **Disable Defender** or **Enable Defender**\n5. Reboot when prompted\n\n### Tamper Protection\n\nFor the disable operation to fully persist, Tamper Protection must be turned off **manually** — Microsoft does not allow programmatic control of this setting.\n\n**Windows Security → Virus \u0026 Threat Protection → Manage Settings → Tamper Protection → Off**\n\nThe tool detects Tamper Protection status and warns you if it's still on. Operations will still run, but Windows will silently revert many registry changes.\n\n### Dry Run Mode\n\nCheck the **Dry Run** checkbox before clicking Disable or Enable. The tool will log exactly what it *would* do without making any changes. Useful for auditing or understanding the scope before committing.\n\n### Command Line\n\n```powershell\n# Launch the WPF GUI\npowershell.exe -ExecutionPolicy Bypass -File \"DefenderControl.ps1\"\n\n# Print current Defender state\npowershell.exe -ExecutionPolicy Bypass -File \"DefenderControl.ps1\" -Mode Status\n\n# Extended state: services + PPL + scheduled tasks + policy keys + third-party AV\npowershell.exe -ExecutionPolicy Bypass -File \"DefenderControl.ps1\" -Mode Health\n\n# Emit stable JSON for automation pipelines\npowershell.exe -ExecutionPolicy Bypass -File \"DefenderControl.ps1\" -Mode Health -Json\n\n# Show CLI usage\npowershell.exe -ExecutionPolicy Bypass -File \"DefenderControl.ps1\" -Help\n```\n\n**Exit codes:** `0` success, `1` partial, `2` blocked by Tamper Protection, `3` Safe Mode required, `4` usage / OS error, `5` verification failure.\n\n`-Mode Disable` and `-Mode Enable` are reserved — use the GUI for mutating operations. Read-only Status / Health / Verify / Manifest modes are CLI-safe.\n\n\u003e **Note on elevation:** all CLI modes require Administrator privileges. If you invoke the script from a non-elevated shell, it re-launches in a new UAC-elevated window and the CLI output appears there, not in your calling shell. For automation pipelines, elevate the calling shell once (`Start-Process powershell -Verb RunAs`) and then invoke the script normally so stdout/stderr return to the caller.\n\n### Verify Mode\n\n```powershell\n# Assert Defender is fully enabled (exit 0 PASS, exit 5 FAIL, exit 2 if Tamper blocked)\npowershell.exe -ExecutionPolicy Bypass -File \"DefenderControl.ps1\" -Mode Verify -Expect Enabled\n\n# Assert Defender is fully disabled after a Disable run\npowershell.exe -ExecutionPolicy Bypass -File \"DefenderControl.ps1\" -Mode Verify -Expect Disabled\n\n# Opt-in synthetic detection test (writes a harmless EICAR test file, waits 2.5s, cleans up)\npowershell.exe -ExecutionPolicy Bypass -File \"DefenderControl.ps1\" -Mode Verify -Expect Enabled -Eicar -Force\n\n# JSON shape for automation: { expectation, overall, failCount, checks[] }\npowershell.exe -ExecutionPolicy Bypass -File \"DefenderControl.ps1\" -Mode Verify -Json\n```\n\n### Undo / Audit Manifests\n\nEvery Disable and Enable run writes a JSON audit manifest to `%ProgramData%\\DefenderControl\\manifests\\\u003coperation\u003e-\u003ctimestamp\u003e.json` with firewall before/after snapshots, third-party AV detection, and the list of phases that ran. View the latest:\n\n```powershell\npowershell.exe -ExecutionPolicy Bypass -File \"DefenderControl.ps1\" -Mode Manifest\npowershell.exe -ExecutionPolicy Bypass -File \"DefenderControl.ps1\" -Mode Manifest -Json\n```\n\n---\n\n## What It Does\n\n### Disable Operation (10 Phases)\n\n| Phase | Action |\n|---|---|\n| 1 | **System Restore Point** — Creates a restore point before making changes |\n| 2 | **Tamper Protection Check** — Detects and warns if Tamper Protection is blocking changes |\n| 3 | **Preferences** — Disables 25 `Set-MpPreference` settings, adds wildcard exclusions for drives/extensions/processes |\n| 4 | **Group Policy Registry** — Sets 19 policy keys (DisableAntiSpyware, DisableRealtimeMonitoring, SpynetReporting, etc.) |\n| 5 | **Notifications \u0026 Systray** — Suppresses all Defender notifications, hides system tray icon, disables SecurityHealth autostart |\n| 6 | **Scheduled Tasks** — Disables 5 Defender tasks (Cache Maintenance, Cleanup, Scan, Verification, ExploitGuard) |\n| 7 | **Services** — Sets `Start=4` (Disabled) for 8 services with permission escalation, strips PPL flags from 4 core services |\n| 8 | **Context Menus** — Removes \"Scan with Microsoft Defender\" from right-click menus |\n| 9 | **Additional** — Disables SmartScreen, suppresses signature auto-updates |\n| 10 | **Processes** — Kills non-protected processes, logs PPL status for MsMpEng |\n\n### Enable Operation (7 Phases)\n\n| Phase | Action |\n|---|---|\n| 1 | **Remove Policies** — Deletes entire Defender policy registry tree |\n| 2 | **Restore Preferences** — Restores 24 settings to defaults, clears all exclusions |\n| 3 | **Restore Services** — Sets default start types, restores PPL flags, starts services |\n| 4 | **Scheduled Tasks** — Re-enables all 5 tasks |\n| 5 | **Context Menus \u0026 Systray** — Restores context menu GUIDs, autostart, notifications, SmartScreen |\n| 6 | **Signature Update** — Triggers `Update-MpSignature` |\n| 7 | **Verify** — Queries `Get-MpComputerStatus` to confirm restoration |\n\n---\n\n## What It Does NOT Do\n\n- Does **not** touch Windows Firewall\n- Does **not** delete Defender binaries or Windows components\n- Does **not** modify boot configuration or safe mode settings\n- Does **not** disable Windows Update\n- All changes are **fully reversible** via the Enable button or System Restore\n\n---\n\n## Permission Escalation\n\nDefender service registry keys (WinDefend, WdFilter, etc.) are protected even from Administrators. The tool uses a 4-level escalation chain:\n\n1. **Direct write** via `Set-ItemProperty` — works for unprotected keys\n2. **Take ownership + .NET handle** — P/Invoke `SeTakeOwnershipPrivilege`, set owner to Administrators SID, grant FullControl, write via `RegistryKey.SetValue()`\n3. **reg.exe** — Command-line registry editor sometimes bypasses PowerShell permission constraints\n4. **SYSTEM scheduled task** — Creates a one-shot task running as SYSTEM to execute `reg.exe add`, verifies the write, then cleans up\n\nThe log shows exactly which method succeeded for each key.\n\n---\n\n## Known Limitations\n\n- **MsMpEng.exe** (Antimalware Service Executable) runs as a Protected Process Light (PPL) and **cannot be killed** in the current session. Once services are disabled and PPL flags are stripped, it will not restart after reboot.\n\n- **Tamper Protection** will silently revert registry changes if left on. The tool detects this and warns you, but cannot programmatically disable it.\n\n- **Windows Home editions** lack Group Policy support. Phase 4 registry keys will still be written but may have reduced effectiveness.\n\n- **Checkpoint-Computer** (System Restore) is throttled to one restore point per 24 hours by Windows. If one was created recently, the tool logs a warning and continues.\n\n- **Some heavily locked service keys** may resist all 4 escalation methods. In this case, the only remaining option is Safe Mode, which is outside the scope of this tool.\n\n---\n\n## Log Colors\n\n| Color | Meaning |\n|---|---|\n| 🔵 Blue | Informational messages |\n| 🟢 Green | Successful operations |\n| 🟠 Orange | Warnings (non-fatal) |\n| 🔴 Red | Errors (operation failed) |\n| 🟣 Purple | Phase headers |\n| ⚫ Gray | Verbose diagnostics |\n\n---\n\n## License\n\nMIT License — see [LICENSE](LICENSE) for details.\n\n---\n\n## Disclaimer\n\nThis tool is intended for system administrators, IT professionals, and power users who understand the security implications of disabling endpoint protection. Disabling Defender leaves your system vulnerable to malware.\n\n**Use at your own risk.** Always ensure you have alternative security measures in place when Defender is disabled.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysadmindoc%2Fdefendercontrol","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsysadmindoc%2Fdefendercontrol","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysadmindoc%2Fdefendercontrol/lists"}