Disable Tamper Protection
Overview
This script improves your privacy on Windows.
These changes use Windows system commands to update your settings.
This script disables the Tamper Protection feature.
Tamper Protection is a security feature that blocks unauthorized changes to key Defender Antivirus settings 1 2. These settings include real-time protection 1 2, behavior monitoring 2, and cloud-delivered protection 1. By default, Tamper Protection is enabled 1. It is available in all editions of Windows since Windows 10, version 1903 3.
Disabling Tamper Protection may increase privacy and control over your system by allowing you to:
- Change protected Defender Antivirus settings to enhance privacy 1 3
- Disable Defender Antivirus entirely 1 3 to increase privacy
- Improve system performance by adjusting or disabling certain security features
However, turning off Tamper Protection may reduce your system's security by:
- Making your device more vulnerable to malware that attempts to disable security features
- Allowing potentially harmful changes to important security settings
With Tamper Protection enabled, users can modify protected settings through the Windows Security app 1. Disabling Tamper Protection allows changes through scripts and third-party apps such as privacy.sexy 1.
Technical Details
This script modifies the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtection
4 5 6.HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtectionSource
7
These keys interact with the MpClient.dll
library within Defender Antivirus 8.
The script sets values to replicate changes made through the Windows Security interface 5.
Tests reveal the following values for various Windows versions:
Key | Opearting System | Default | After toggling ON | After toggling OFF |
---|---|---|---|---|
TamperProtection | Windows 10 Pro (>= 22H2) | 1 | 5 4 6 | 4 4 6 7 |
TamperProtection | Windows 11 Pro (>= 23H2) | 1 | 5 4 5 | 4 4 5 |
TamperProtectionSource | Windows 10 Pro (>= 22H2) | No value | No value | No value (Or 2 7) |
TamperProtectionSource | Windows 11 Pro (>= 23H2) | 5 | 2 | 2 |
TamperProtectionSource
value 2
means that the Tamper Protection is based on signatures.
Other recorded values in various installations include ATP
9, Service Init
10, Intune
11,
and E5 transition
12.
However, these values lack official public documentation 13.
To check the current Tamper Protection source, use this command:
wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list | findstr "TamperProtectionSource"
Or this PowerShell command:
Get-MpComputerStatus | Select-Object -ExpandProperty TamperProtectionSource
This script uses Batch (batchfile) scripting language.
This script should only be used by advanced users. This script is not recommended for daily use as it breaks important functionality. Do not run it without having backups and system snapshots.
Implementation Details
-
Language: batch
-
Required Privileges: Administrator rights
-
Compatibility: Windows only
-
Reversibility: Can be undone using provided revert script
Explore Categories
- Disable system modification restrictions
- Disable Defender
- Privacy over security
This action belongs to Disable system modification restrictions category. This category disables features that restrict system modifications in Windows. This enables deeper system modifications, enhancing privacy by allowing the removal or disabling of data-collecting components like Defender. These features raise several concerns: Less user control: • Users can't... Read more on category page ▶
This action belongs to Disable Defender category. This category offers scripts to disable Windows security components related to Defender. Defender is also referred to as Microsoft Defender or Windows Defender. Although designed to protect you, its features may compromise your privacy and decrease computer performance. Privacy concerns... Read more on category page ▶
This action belongs to Privacy over security category. This category configures Windows using 254 scripts. These scripts are organized in 57 categories. The category includes 3 subcategories that include more scripts and categories. Read more on category page ▶
Apply now
Choose one of three ways to apply:
- Automatically via privacy.sexy: The easiest and safest option.
- Manually by downloading: Requires downloading a file.
- Manually by copying: Advanced flexibility.
Alternative 1. Apply with Privacy.sexy
privacy.sexy is free and open-source application that lets securely apply this action easily.
You can fully restore this action (revert back to the original behavior) using the application.
privacy.sexy instructions
- Open or download the desktop application
- Search for the script name:
Disable Tamper Protection
. - Check the script by clicking on the checkbox.
- Click on Run button at the bottom of the page.
Alternative 2. Download
This script is irreversible, meaning there is no straightforward method to restore changes once applied. Exercise caution before running, restoring it may not be possible.
-
Download the script file by clicking on the button below:
-
Run the script file by clicking on it.
Download revert script
This file restores your system to its original state, before this script is applied.
Alternative 3. Copy
This is for advanced users. Consider automatically applying or downloading the script for simpler way.
- Open Command Prompt as administrator.
HELP: Step-by-step guide
-
Click on Start menu
- Windows 11
- Windows 10
-
Type cmd
- Windows 11
- Windows 10
-
Right click on Command Prompt select Run as administrator
- Windows 11
- Windows 10
-
Click on Yes to run Command Prompt
- Windows 11
- Windows 10
- Windows 11
- Windows 10
- Copy the following code:
:: Set the registry value: "HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtection"
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$registryPath = ''HKLM\SOFTWARE\Microsoft\Windows Defender\Features'''+"^""`r`n"^""+'$data = ''4'''+"^""`r`n"^""+''+"^""`r`n"^""+'reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Features'' `'+"^""`r`n"^""+' /v ''TamperProtection'' `'+"^""`r`n"^""+' /t ''REG_DWORD'' `'+"^""`r`n"^""+' /d "^""$data"^"" `'+"^""`r`n"^""+' /f'; Invoke-AsTrustedInstaller $cmd"
:: Set the registry value: "HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtectionSource"
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$registryPath = ''HKLM\SOFTWARE\Microsoft\Windows Defender\Features'''+"^""`r`n"^""+'$data = ''2'''+"^""`r`n"^""+''+"^""`r`n"^""+'reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Features'' `'+"^""`r`n"^""+' /v ''TamperProtectionSource'' `'+"^""`r`n"^""+' /t ''REG_DWORD'' `'+"^""`r`n"^""+' /d "^""$data"^"" `'+"^""`r`n"^""+' /f'; Invoke-AsTrustedInstaller $cmd"
- Right click on command prompt to paste it.
- Press Enter to apply remaining code.
Copy restore code
Copy and run the following code to restore changes:
:: Set the registry value "HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtection"
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$revertData = ''1'''+"^""`r`n"^""+' '+"^""`r`n"^""+' reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Features'' `'+"^""`r`n"^""+' /v ''TamperProtection'' `'+"^""`r`n"^""+' /t ''REG_DWORD'' `'+"^""`r`n"^""+' /d "^""$revertData"^"" `'+"^""`r`n"^""+' /f'; Invoke-AsTrustedInstaller $cmd"
:: Set the registry value "HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtectionSource"
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$revertData = ''5'''+"^""`r`n"^""+' '+"^""`r`n"^""+' reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Features'' `'+"^""`r`n"^""+' /v ''TamperProtectionSource'' `'+"^""`r`n"^""+' /t ''REG_DWORD'' `'+"^""`r`n"^""+' /d "^""$revertData"^"" `'+"^""`r`n"^""+' /f'; Invoke-AsTrustedInstaller $cmd"
Support
This website relies on your support.
Your donation helps keep the project alive and improves its content ❤️.
Share this page: