Skip to main content

Disable Defender Antivirus service (breaks "Set-MpPreference" cmdlet)

Overview

About this script

This script improves your privacy on Windows.

These changes use Windows system commands to update your settings.

This script disables the Microsoft Defender Antivirus Service and its associated process (MsMpEng.exe).

This service is known both as Microsoft Defender Antivirus Service 1 2 and Windows Defender Service 2. It is the primary component of Defender Antivirus 2, essential for its functionality 1 3.

Disabling this service has the following benefits:

  • It enhances privacy by preventing Microsoft from collecting data about your system and files for malware analysis.
  • It improves system performance by reducing background processes and resource usage.

Disabling this service comes at a cost:

  • It reduces your system's security by removing real-time malware protection.
  • It may also impair other Defender products, such as Defender for Endpoint 4.
  • It interrupts the functionality of the Set-MpPreference PowerShell cmdlet. This cmdlet is used to configure Defender scans and updates 5.
Caution

Disabling this service reduces your computer's security against malware, may affect other protective features, and can prevent you from changing Defender settings.

Technical Details

This service runs the MsMpEng.exe executable 6 7. This executable is also known as Microsoft Defender Antivirus service executable 4 or Antimalware Service Executable 1. It's located at:

  • On modern Windows versions:
    • %PROGRAMFILES%\Windows Defender 4 6 7
  • On older versions of Windows:
    • %PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MsMpEng.exe 8
    • %PROGRAMFILES%\Microsoft Security Client on older versions 4.

Attempting to use the Set-MpPreference cmdlet in PowerShell after disabling the service results in an error. Here's an example:

$ Set-MpPreference -Force -MAPSReporting 0

Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.
Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference.

Overview of default service statuses

OS VersionStatusStart type
Windows 10 (≥ 22H2)🟢 RunningAutomatic
Windows 11 (≥ 23H2)🟢 RunningAutomatic

This script uses Batch (batchfile) scripting language.

Not Advised

This script should only be used by advanced users. This script is not recommended for daily use as it breaks important functionality. Do not run it without having backups and system snapshots.

Implementation Details
  • Language: batch

  • Required Privileges: Administrator rights

  • Compatibility: Windows only

  • Reversibility: Can be undone using provided revert script

Explore Categories

This action belongs to Disable Defender Antivirus service category. This category disables the Defender Antivirus service and its related components. This service is also referred to as Microsoft Defender Antivirus Service and Windows Defender Service. It is a core component of Microsoft Defender Antivirus, essential for its operation. Using these... Read more on category page ▶

Apply now

Choose one of three ways to apply:

  1. Automatically via privacy.sexy: The easiest and safest option.
  2. Manually by downloading: Requires downloading a file.
  3. Manually by copying: Advanced flexibility.

Alternative 1. Apply with Privacy.sexy

privacy.sexy is free and open-source application that lets securely apply this action easily.

Open privacy.sexy

You can fully restore this action (revert back to the original behavior) using the application.

privacy.sexy instructions
  1. Open or download the desktop application
  2. Search for the script name: Disable Defender Antivirus service (breaks Set-MpPreference cmdlet).
  3. Check the script by clicking on the checkbox.
  4. Click on Run button at the bottom of the page.

Alternative 2. Download

Irreversible Changes

This script is irreversible, meaning there is no straightforward method to restore changes once applied. Exercise caution before running, restoring it may not be possible.

  1. Download the script file by clicking on the button below:

    Download script

  2. Run the script file by clicking on it.

Download revert script

This file restores your system to its original state, before this script is applied.

Download restore script

Alternative 3. Copy

This is for advanced users. Consider automatically applying or downloading the script for simpler way.

  1. Open Command Prompt as administrator.
HELP: Step-by-step guide
  1. Click on Start menu

  2. Type cmd

  3. Right click on Command Prompt select Run as administrator

  4. Click on Yes to run Command Prompt


Animation showing how to open terminal as administrator on Windows 11

  1. Copy the following code:
Code to apply changes
:: Disable the service `WinDefend` using TrustedInstaller privileges
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$serviceQuery = ''WinDefend'''+"^""`r`n"^""+'$stopWithDependencies= $false'+"^""`r`n"^""+'<# -- 1. Skip if service does not exist #>'+"^""`r`n"^""+'$service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue'+"^""`r`n"^""+'if(!$service) {'+"^""`r`n"^""+' Write-Host "^""Service query `"^""$serviceQuery`"^"" did not yield any results, no need to disable it."^""'+"^""`r`n"^""+' Exit 0'+"^""`r`n"^""+'}'+"^""`r`n"^""+'$serviceName = $service.Name'+"^""`r`n"^""+'Write-Host "^""Disabling service: `"^""$serviceName`"^""."^""'+"^""`r`n"^""+'<# -- 2. Stop if running #>'+"^""`r`n"^""+'if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {'+"^""`r`n"^""+' Write-Host "^""`"^""$serviceName`"^"" is running, attempting to stop it."^""'+"^""`r`n"^""+' try {'+"^""`r`n"^""+' Write-Host "^""Stopping the service `"^""$serviceName`"^""."^""'+"^""`r`n"^""+' $stopParams = @{ `'+"^""`r`n"^""+' Name = $ServiceName'+"^""`r`n"^""+' Force = $true'+"^""`r`n"^""+' ErrorAction = ''Stop'''+"^""`r`n"^""+' }'+"^""`r`n"^""+' if (-not $stopWithDependencies) {'+"^""`r`n"^""+' $stopParams[''NoWait''] = $true'+"^""`r`n"^""+' }'+"^""`r`n"^""+' Stop-Service @stopParams'+"^""`r`n"^""+' Write-Host "^""Stopped `"^""$serviceName`"^"" successfully."^""'+"^""`r`n"^""+' } catch {'+"^""`r`n"^""+' if ($_.FullyQualifiedErrorId -eq ''CouldNotStopService,Microsoft.PowerShell.Commands.StopServiceCommand'') {'+"^""`r`n"^""+' Write-Warning "^""The service `"^""$serviceName`"^"" does not accept a stop command and may need to be stopped manually or on reboot."^""'+"^""`r`n"^""+' } else {'+"^""`r`n"^""+' Write-Warning "^""Failed to stop service `"^""$ServiceName`"^"". It will be stopped after reboot. Error: $($_.Exception.Message)"^""'+"^""`r`n"^""+' }'+"^""`r`n"^""+' }'+"^""`r`n"^""+'} else {'+"^""`r`n"^""+' Write-Host "^""`"^""$serviceName`"^"" is not running, no need to stop."^""'+"^""`r`n"^""+'}'+"^""`r`n"^""+'<# -- 3. Skip if service info is not found in registry #>'+"^""`r`n"^""+'$registryKey = "^""HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"^""'+"^""`r`n"^""+'if (-Not (Test-Path $registryKey)) {'+"^""`r`n"^""+' Write-Host "^""`"^""$registryKey`"^"" is not found in registry, cannot enable it."^""'+"^""`r`n"^""+' Exit 0'+"^""`r`n"^""+'}'+"^""`r`n"^""+'<# -- 4. Skip if already disabled #>'+"^""`r`n"^""+'if( $(Get-ItemProperty -Path "^""$registryKey"^"").Start -eq 4) {'+"^""`r`n"^""+' Write-Host "^""`"^""$serviceName`"^"" is already disabled from start, no further action is needed."^""'+"^""`r`n"^""+' Exit 0'+"^""`r`n"^""+'}'+"^""`r`n"^""+'<# -- 5. Disable service #>'+"^""`r`n"^""+'try {'+"^""`r`n"^""+' Set-ItemProperty `'+"^""`r`n"^""+' -LiteralPath $registryKey `'+"^""`r`n"^""+' -Name "^""Start"^"" `'+"^""`r`n"^""+' -Value 4 `'+"^""`r`n"^""+' -ErrorAction Stop'+"^""`r`n"^""+' Write-Host ''Successfully disabled the service. It will not start automatically on next boot.'''+"^""`r`n"^""+'} catch {'+"^""`r`n"^""+' Write-Error "^""Failed to disable the service. Error: $($_.Exception.Message)"^""'+"^""`r`n"^""+' Exit 1'+"^""`r`n"^""+'}'; Invoke-AsTrustedInstaller $cmd"
:: Soft delete files matching pattern: "%PROGRAMFILES%\Windows Defender\MsMpEng.exe" as TrustedInstaller
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$pathGlobPattern = "^""%PROGRAMFILES%\Windows Defender\MsMpEng.exe"^""'+"^""`r`n"^""+'$expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern)'+"^""`r`n"^""+'Write-Host "^""Searching for items matching pattern: `"^""$($expandedPath)`"^""."^""'+"^""`r`n"^""+''+"^""`r`n"^""+'$renamedCount = 0'+"^""`r`n"^""+'$skippedCount = 0'+"^""`r`n"^""+'$failedCount = 0'+"^""`r`n"^""+''+"^""`r`n"^""+'$foundAbsolutePaths = @()'+"^""`r`n"^""+''+"^""`r`n"^""+'try {'+"^""`r`n"^""+' $foundAbsolutePaths += @('+"^""`r`n"^""+' Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName'+"^""`r`n"^""+' )'+"^""`r`n"^""+'} catch [System.Management.Automation.ItemNotFoundException] {'+"^""`r`n"^""+' <# Swallow, do not run `Test-Path` before, it''s unreliable for globs requiring extra permissions #>'+"^""`r`n"^""+'}'+"^""`r`n"^""+'$foundAbsolutePaths = $foundAbsolutePaths `'+"^""`r`n"^""+' | Select-Object -Unique `'+"^""`r`n"^""+' | Sort-Object -Property { $_.Length } -Descending'+"^""`r`n"^""+'if (!$foundAbsolutePaths) {'+"^""`r`n"^""+' Write-Host ''Skipping, no items available.'''+"^""`r`n"^""+' exit 0'+"^""`r`n"^""+'}'+"^""`r`n"^""+'Write-Host "^""Initiating processing of $($foundAbsolutePaths.Count) items from `"^""$expandedPath`"^""."^""'+"^""`r`n"^""+'foreach ($path in $foundAbsolutePaths) {'+"^""`r`n"^""+' if (Test-Path -Path $path -PathType Container) {'+"^""`r`n"^""+' Write-Host "^""Skipping folder (not its contents): `"^""$path`"^""."^""'+"^""`r`n"^""+' $skippedCount++'+"^""`r`n"^""+' continue'+"^""`r`n"^""+'}'+"^""`r`n"^""+'if($revert -eq $true) {'+"^""`r`n"^""+' if (-not $path.EndsWith(''.OLD'')) {'+"^""`r`n"^""+' Write-Host "^""Skipping non-backup file: `"^""$path`"^""."^""'+"^""`r`n"^""+' $skippedCount++'+"^""`r`n"^""+' continue'+"^""`r`n"^""+' }'+"^""`r`n"^""+'} else {'+"^""`r`n"^""+' if ($path.EndsWith(''.OLD'')) {'+"^""`r`n"^""+' Write-Host "^""Skipping backup file: `"^""$path`"^""."^""'+"^""`r`n"^""+' $skippedCount++'+"^""`r`n"^""+' continue'+"^""`r`n"^""+' }'+"^""`r`n"^""+'}'+"^""`r`n"^""+'$originalFilePath = $path'+"^""`r`n"^""+'Write-Host "^""Processing file: `"^""$originalFilePath`"^""."^""'+"^""`r`n"^""+'if (-Not (Test-Path $originalFilePath)) {'+"^""`r`n"^""+' Write-Host "^""Skipping, file `"^""$originalFilePath`"^"" not found."^""'+"^""`r`n"^""+' $skippedCount++'+"^""`r`n"^""+' exit 0'+"^""`r`n"^""+'}'+"^""`r`n"^""+''+"^""`r`n"^""+'if ($revert -eq $true) {'+"^""`r`n"^""+' $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4)'+"^""`r`n"^""+'} else {'+"^""`r`n"^""+' $newFilePath = "^""$($originalFilePath).OLD"^""'+"^""`r`n"^""+'}'+"^""`r`n"^""+'try {'+"^""`r`n"^""+' Move-Item -LiteralPath "^""$($originalFilePath)"^"" -Destination "^""$newFilePath"^"" -Force -ErrorAction Stop'+"^""`r`n"^""+' Write-Host "^""Successfully processed `"^""$originalFilePath`"^""."^""'+"^""`r`n"^""+' $renamedCount++'+"^""`r`n"^""+' '+"^""`r`n"^""+'} catch {'+"^""`r`n"^""+' Write-Error "^""Failed to rename `"^""$originalFilePath`"^"" to `"^""$newFilePath`"^"": $($_.Exception.Message)"^""'+"^""`r`n"^""+' $failedCount++'+"^""`r`n"^""+' '+"^""`r`n"^""+'}'+"^""`r`n"^""+'}'+"^""`r`n"^""+'if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {'+"^""`r`n"^""+' Write-Host "^""Successfully processed $renamedCount items and skipped $skippedCount items."^""'+"^""`r`n"^""+'}'+"^""`r`n"^""+'if ($failedCount -gt 0) {'+"^""`r`n"^""+' Write-Warning "^""Failed to process $($failedCount) items."^""'+"^""`r`n"^""+'}'+"^""`r`n"^""+''; Invoke-AsTrustedInstaller $cmd"
:: Check and terminate the running process "MsMpEng.exe"
tasklist /fi "ImageName eq MsMpEng.exe" /fo csv 2>NUL | find /i "MsMpEng.exe">NUL && (
echo MsMpEng.exe is running and will be killed.
taskkill /f /im MsMpEng.exe
) || (
echo Skipping, MsMpEng.exe is not running.
)
:: Configure termination of "MsMpEng.exe" immediately upon its startup
:: Set the registry value: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe!Debugger"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe'; $data = '%SYSTEMROOT%\System32\taskkill.exe'; reg add 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe' /v 'Debugger' /t 'REG_SZ' /d "^""$data"^"" /f"
:: Add a rule to prevent the executable "MsMpEng.exe" from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "$executableFilename='MsMpEng.exe'; try { $registryPathForDisallowRun='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'; $existingBlockEntries = Get-ItemProperty -Path "^""$registryPathForDisallowRun"^"" -ErrorAction Ignore; $nextFreeRuleIndex = 1; if ($existingBlockEntries) { $existingBlockingRuleForExecutable = $existingBlockEntries.PSObject.Properties | Where-Object { $_.Value -eq $executableFilename }; if ($existingBlockingRuleForExecutable) { $existingBlockingRuleIndexForExecutable = $existingBlockingRuleForExecutable.Name; Write-Output "^""Skipping, no action needed: '$executableFilename' is already blocked under rule index `"^""$existingBlockingRuleIndexForExecutable`"^""."^""; exit 0; }; $occupiedRuleIndexes = $existingBlockEntries.PSObject.Properties | Where-Object { $_.Name -Match '^\d+$' } | Select -ExpandProperty Name; if ($occupiedRuleIndexes) { while ($occupiedRuleIndexes -Contains $nextFreeRuleIndex) { $nextFreeRuleIndex += 1; }; }; }; Write-Output "^""Adding block rule for `"^""$executableFilename`"^"" under rule index `"^""$nextFreeRuleIndex`"^""."^""; if (!(Test-Path $registryPathForDisallowRun)) { New-Item -Path "^""$registryPathForDisallowRun"^"" -Force -ErrorAction Stop | Out-Null; }; New-ItemProperty -Path "^""$registryPathForDisallowRun"^"" -Name "^""$nextFreeRuleIndex"^"" -PropertyType String -Value "^""$executableFilename"^"" ` -ErrorAction Stop | Out-Null; Write-Output "^""Successfully blocked `"^""$executableFilename`"^"" with rule index `"^""$nextFreeRuleIndex`"^""."^""; } catch { Write-Error "^""Failed to block `"^""$executableFilename`"^"": $_"^""; Exit 1; }"
:: Activate the DisallowRun policy to block specified programs from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "try { $fileExplorerDisallowRunRegistryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; $currentDisallowRunPolicyValue = Get-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -ErrorAction Ignore | Select -ExpandProperty DisallowRun; if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) { Write-Output "^""Creating DisallowRun policy at `"^""$fileExplorerDisallowRunRegistryPath`"^""."^""; if (!(Test-Path $fileExplorerDisallowRunRegistryPath)) { New-Item -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Force -ErrorAction Stop | Out-Null; }; New-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -Value 1 -PropertyType DWORD -Force -ErrorAction Stop | Out-Null; Write-Output 'Successfully activated DisallowRun policy.'; Exit 0; }; if ($currentDisallowRunPolicyValue -eq 1) { Write-Output 'Skipping, no action needed: DisallowRun policy is already in place.'; Exit 0; }; Write-Output 'Updating DisallowRun policy from unexpected value `"^""$currentDisallowRunPolicyValue`"^"" to `"^""1`"^"".'; Set-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -Value 1 -Type DWORD -Force -ErrorAction Stop | Out-Null; Write-Output 'Successfully activated DisallowRun policy.'; } catch { Write-Error "^""Failed to activate DisallowRun policy: $_"^""; Exit 1; }"
  1. Right click on command prompt to paste it.
  2. Press Enter to apply remaining code.

Copy restore code

Copy and run the following code to restore changes:

Revert code
:: Restore the service `WinDefend` using TrustedInstaller privileges
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$serviceQuery = ''WinDefend'''+"^""`r`n"^""+'$defaultStartupMode = ''Automatic'''+"^""`r`n"^""+'<# -- 1. Skip if service does not exist #>'+"^""`r`n"^""+'$service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue'+"^""`r`n"^""+'if (!$service) {'+"^""`r`n"^""+' Write-Warning "^""Service query `"^""$serviceQuery`"^"" did not yield and results. Revert cannot proceed."^""'+"^""`r`n"^""+' Exit 1'+"^""`r`n"^""+'}'+"^""`r`n"^""+'$serviceName = $service.Name'+"^""`r`n"^""+'Write-Host "^""Restoring registry settings for service `"^""$serviceName`"^"" to default startup mode `"^""$defaultStartupMode`"^""."^""'+"^""`r`n"^""+'<# -- 2. Skip if service info is not found in registry #>'+"^""`r`n"^""+'$registryKey = "^""HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"^""'+"^""`r`n"^""+'if (-Not (Test-Path $registryKey)) {'+"^""`r`n"^""+' Write-Warning "^""`"^""$registryKey`"^"" is not found in registry. Revert cannot proceed."^""'+"^""`r`n"^""+' Exit 1'+"^""`r`n"^""+'}'+"^""`r`n"^""+'<# -- 3. Enable if not already enabled #>'+"^""`r`n"^""+'$defaultStartupRegValue = switch ($defaultStartupMode) {'+"^""`r`n"^""+' ''Boot'' { 0 }'+"^""`r`n"^""+' ''System'' { 1 }'+"^""`r`n"^""+' ''Automatic'' { 2 }'+"^""`r`n"^""+' ''Manual'' { 3 }'+"^""`r`n"^""+' ''Disabled'' { 4 }'+"^""`r`n"^""+' default {'+"^""`r`n"^""+' Write-Error "^""Error: Unknown startup mode specified: `"^""$defaultStartupMode`"^"". Revert cannot proceed."^""'+"^""`r`n"^""+' return'+"^""`r`n"^""+' }'+"^""`r`n"^""+'}'+"^""`r`n"^""+'if ($(Get-ItemProperty -Path "^""$registryKey"^"").Start -eq $defaultStartupRegValue) {'+"^""`r`n"^""+' Write-Host "^""`"^""$serviceName`"^"" is has already default startup mode: `"^""$defaultStartupMode`"^""."^""'+"^""`r`n"^""+'} else {'+"^""`r`n"^""+' try {'+"^""`r`n"^""+' Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force'+"^""`r`n"^""+' Write-Host "^""Successfully restored `"^""$serviceName`"^"" with `"^""$defaultStartupMode`"^"" start, this may require restarting your computer."^""'+"^""`r`n"^""+' } catch {'+"^""`r`n"^""+' Write-Error "^""Could not enable `"^""$serviceName`"^"": $_"^""'+"^""`r`n"^""+' Exit 1'+"^""`r`n"^""+' }'+"^""`r`n"^""+'}'+"^""`r`n"^""+'<# -- 4. Start if not running (must be enabled first) #>'+"^""`r`n"^""+'if ($defaultStartupMode -eq ''Automatic'' -or $defaultStartupMode -eq ''Boot'' -or $defaultStartupMode -eq ''System'') {'+"^""`r`n"^""+' if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {'+"^""`r`n"^""+' Write-Host "^""`"^""$serviceName`"^"" is not running, trying to start it."^""'+"^""`r`n"^""+' try {'+"^""`r`n"^""+' Start-Service -Name $serviceName -ErrorAction Stop'+"^""`r`n"^""+' Write-Host ''Service started successfully.'''+"^""`r`n"^""+' } catch {'+"^""`r`n"^""+' Write-Warning "^""Failed to restart service. It will be started after reboot. Error: $($_.Exception.Message)"^""'+"^""`r`n"^""+' }'+"^""`r`n"^""+' } else {'+"^""`r`n"^""+' Write-Host "^""`"^""$serviceName`"^"" is already running, no need to start."^""'+"^""`r`n"^""+' }'+"^""`r`n"^""+'}'; Invoke-AsTrustedInstaller $cmd"
:: Restore files matching pattern: "%PROGRAMFILES%\Windows Defender\MsMpEng.exe" as TrustedInstaller
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$revert = $true'+"^""`r`n"^""+' $pathGlobPattern = "^""%PROGRAMFILES%\Windows Defender\MsMpEng.exe.OLD"^""'+"^""`r`n"^""+' $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern)'+"^""`r`n"^""+' Write-Host "^""Searching for items matching pattern: `"^""$($expandedPath)`"^""."^""'+"^""`r`n"^""+' '+"^""`r`n"^""+'$renamedCount = 0'+"^""`r`n"^""+'$skippedCount = 0'+"^""`r`n"^""+'$failedCount = 0'+"^""`r`n"^""+''+"^""`r`n"^""+' $foundAbsolutePaths = @()'+"^""`r`n"^""+' '+"^""`r`n"^""+' try {'+"^""`r`n"^""+' $foundAbsolutePaths += @('+"^""`r`n"^""+' Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName'+"^""`r`n"^""+' )'+"^""`r`n"^""+' } catch [System.Management.Automation.ItemNotFoundException] {'+"^""`r`n"^""+' <# Swallow, do not run `Test-Path` before, it''s unreliable for globs requiring extra permissions #>'+"^""`r`n"^""+' }'+"^""`r`n"^""+' $foundAbsolutePaths = $foundAbsolutePaths `'+"^""`r`n"^""+' | Select-Object -Unique `'+"^""`r`n"^""+' | Sort-Object -Property { $_.Length } -Descending'+"^""`r`n"^""+' if (!$foundAbsolutePaths) {'+"^""`r`n"^""+' Write-Host ''Skipping, no items available.'''+"^""`r`n"^""+' exit 0'+"^""`r`n"^""+' }'+"^""`r`n"^""+' Write-Host "^""Initiating processing of $($foundAbsolutePaths.Count) items from `"^""$expandedPath`"^""."^""'+"^""`r`n"^""+' foreach ($path in $foundAbsolutePaths) {'+"^""`r`n"^""+' if (Test-Path -Path $path -PathType Container) {'+"^""`r`n"^""+' Write-Host "^""Skipping folder (not its contents): `"^""$path`"^""."^""'+"^""`r`n"^""+' $skippedCount++'+"^""`r`n"^""+' continue'+"^""`r`n"^""+'}'+"^""`r`n"^""+'if($revert -eq $true) {'+"^""`r`n"^""+' if (-not $path.EndsWith(''.OLD'')) {'+"^""`r`n"^""+' Write-Host "^""Skipping non-backup file: `"^""$path`"^""."^""'+"^""`r`n"^""+' $skippedCount++'+"^""`r`n"^""+' continue'+"^""`r`n"^""+' }'+"^""`r`n"^""+'} else {'+"^""`r`n"^""+' if ($path.EndsWith(''.OLD'')) {'+"^""`r`n"^""+' Write-Host "^""Skipping backup file: `"^""$path`"^""."^""'+"^""`r`n"^""+' $skippedCount++'+"^""`r`n"^""+' continue'+"^""`r`n"^""+' }'+"^""`r`n"^""+'}'+"^""`r`n"^""+'$originalFilePath = $path'+"^""`r`n"^""+'Write-Host "^""Processing file: `"^""$originalFilePath`"^""."^""'+"^""`r`n"^""+'if (-Not (Test-Path $originalFilePath)) {'+"^""`r`n"^""+' Write-Host "^""Skipping, file `"^""$originalFilePath`"^"" not found."^""'+"^""`r`n"^""+' $skippedCount++'+"^""`r`n"^""+' exit 0'+"^""`r`n"^""+'}'+"^""`r`n"^""+''+"^""`r`n"^""+'if ($revert -eq $true) {'+"^""`r`n"^""+' $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4)'+"^""`r`n"^""+'} else {'+"^""`r`n"^""+' $newFilePath = "^""$($originalFilePath).OLD"^""'+"^""`r`n"^""+'}'+"^""`r`n"^""+'try {'+"^""`r`n"^""+' Move-Item -LiteralPath "^""$($originalFilePath)"^"" -Destination "^""$newFilePath"^"" -Force -ErrorAction Stop'+"^""`r`n"^""+' Write-Host "^""Successfully processed `"^""$originalFilePath`"^""."^""'+"^""`r`n"^""+' $renamedCount++'+"^""`r`n"^""+' '+"^""`r`n"^""+'} catch {'+"^""`r`n"^""+' Write-Error "^""Failed to rename `"^""$originalFilePath`"^"" to `"^""$newFilePath`"^"": $($_.Exception.Message)"^""'+"^""`r`n"^""+' $failedCount++'+"^""`r`n"^""+' '+"^""`r`n"^""+'}'+"^""`r`n"^""+' }'+"^""`r`n"^""+' if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {'+"^""`r`n"^""+' Write-Host "^""Successfully processed $renamedCount items and skipped $skippedCount items."^""'+"^""`r`n"^""+'}'+"^""`r`n"^""+'if ($failedCount -gt 0) {'+"^""`r`n"^""+' Write-Warning "^""Failed to process $($failedCount) items."^""'+"^""`r`n"^""+'}'+"^""`r`n"^""+''; Invoke-AsTrustedInstaller $cmd"
:: Remove configuration preventing "MsMpEng.exe" from starting
:: Delete the registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe!Debugger"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe' /v 'Debugger' /f 2>$null"
:: Remove the rule that prevents the executable "MsMpEng.exe" from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "$executableFilename='MsMpEng.exe'; try { $blockEntries = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction Ignore; if (-Not $blockEntries) { Write-Output "^""Skipping, no action needed: No block rules exist, `"^""$executableFilename`"^"" is not blocked."^""; exit 0; }; $blockingRulesForExecutable = @(; $blockEntries.PSObject.Properties | Where-Object { $_.Value -eq $executableFilename }; ); if (-Not $blockingRulesForExecutable) { Write-Output "^""Skipping, no action needed: `"^""$executableFilename`"^"" is not currently blocked."^""; exit 0; }; foreach ($blockingRuleForExecutable in $blockingRulesForExecutable) { $blockingRuleIndexForExecutable = $blockingRuleForExecutable.Name; Write-Output "^""Removing rule `"^""$blockingRuleIndexForExecutable`"^"" that blocks `"^""$executableFilename`"^""."^""; Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -Name "^""$blockingRuleIndexForExecutable"^"" -Force -ErrorAction Stop; Write-Output "^""Successfully revoked blocking of `$executableFilename` under rule `"^""$blockingRuleIndexForExecutable`"^""."^""; }; } catch { Write-Error "^""Failed to revoke blocking of `"^""$executableFilename`"^"": $_"^""; Exit 1; }"
:: Restore the File Explorer DisallowRun policy if no other blocks are active
PowerShell -ExecutionPolicy Unrestricted -Command "try { $currentDisallowRunPolicyValue = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'DisallowRun' -ErrorAction Ignore | Select-Object -ExpandProperty 'DisallowRun'; if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) { Write-Output 'Skipping, no action needed: DisallowRun policy is not active.'; Exit 0; }; if ($currentDisallowRunPolicyValue -ne 1) { Write-Output "^""Skipping, DisallowRun policy is not configured by privacy.sexy, unexpected value: `"^""$currentDisallowRunPolicyValue`"^""."^""; Exit 0; }; $remainingBlockingRules = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction Ignore; if ($remainingBlockingRules) { Write-Output 'Skipping deactivating DisallowRun policy, there are still active rules.'; Exit 0; }; Write-Output 'No remaining rules, deleting DisallowRun policy.'; Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'DisallowRun' -Force -ErrorAction Stop; Write-Output 'Successfully restored DisallowRun policy.'; } catch { Write-Error "^""Failed to restore DisallowRun policy: $_"^""; Exit 1; }"

Support

This website relies on your support.

Support now

Your donation helps keep the project alive and improves its content ❤️.

Share this page: