Repository: ionuttbara/windows-defender-remover Branch: main Commit: 016f166ce9fc Files: 31 Total size: 103.6 KB Directory structure: gitextract_cj61oeoo/ ├── .github/ │ ├── CONTRIBUTING.md │ ├── ISSUE_TEMPLATE/ │ │ ├── bug_report.md │ │ └── feature_request.md │ ├── PULL_REQUEST_TEMPLATE.md │ └── SECURITY.md ├── ISO_Maker/ │ ├── README.md │ ├── autounattend.xml │ └── sources/ │ └── $OEM$/ │ └── $$/ │ └── Panther/ │ ├── autounattend.xml │ └── unattend.xml ├── LICENSE ├── README.md ├── RemoveSecHealthApp.ps1 ├── Remove_Defender/ │ ├── Disable Mitigation.reg │ ├── Disable SmartScreen.reg │ ├── DisableAntivirusProtection.reg │ ├── DisableDefenderPolicies.reg │ ├── DisableDefenderandSecurityCenterNotifications.reg │ ├── README.md │ ├── RemovalofWindowsDefenderAntivirus.reg │ ├── RemoveDefenderTasks.reg │ ├── RemoveServices.reg │ ├── RemoveShellAssociation.reg │ ├── RemoveSignatureUpdates.reg │ ├── RemoveStartupEntries.reg │ ├── RemoveWindowsWebThreat.reg │ ├── RemoverofDefenderContextMenu.reg │ └── WindowsSettingsPageVisibility.reg ├── Remove_SecurityComp/ │ ├── README.md │ └── Remove_SecurityComp.reg ├── Script_Run.bat └── files_removal.bat ================================================ FILE CONTENTS ================================================ ================================================ FILE: .github/CONTRIBUTING.md ================================================ # Contributing to Windows Defender Remover First off, thanks for taking the time to contribute! ## 🛡️ Safety First This project modifies core Windows system files. * **ALWAYS test your changes on a Virtual Machine (VM)** before submitting a Pull Request. * Do not submit code that deletes system files without a backup mechanism or clear warning. ## 🛠️ How to Contribute 1. Fork the repo and create your branch from `main`. 2. If you've added code that should be tested, add proof (screenshots/logs) that it works on a clean Windows install. 3. Ensure your code follows the existing batch/PowerShell styling. ## 🐛 Issues * Look through existing issues to check if your bug has already been reported. * Use the provided Issue Templates. ## 📜 License By contributing, you agree that your contributions will be licensed under the project's license. ================================================ FILE: .github/ISSUE_TEMPLATE/bug_report.md ================================================ --- name: 🐛 Bug Report about: Create a report to help us improve title: "[BUG] " labels: bug assignees: '' --- **⚠️ Pre-Check (Crucial)** - [ ] I have read the [README](../README.md) and the FAQ section. - [ ] I have created a **System Restore Point** before running the script. - [ ] I have disabled **Tamper Protection** manually if I am on a newer Windows version. - [ ] I understand that antivirus detection (False Positive) is NOT a bug. **Describe the bug** A clear and concise description of what the bug is. **To Reproduce** Steps to reproduce the behavior: 1. Run script version '...' 2. Select option '...' 3. See error **Expected behavior** A clear and concise description of what you expected to happen. **Screenshots** If applicable, add screenshots to help explain your problem. **Desktop (please complete the following information):** - OS: [e.g. Windows 10 Pro / Windows 11 Home] - Version/Build: [e.g. 22H2 Build 22621] - Script Version: [e.g. 12.6] **Additional context** Add any other context about the problem here. (e.g., Are you using a custom ISO? Is this a fresh install?) ================================================ FILE: .github/ISSUE_TEMPLATE/feature_request.md ================================================ --- name: 💡 Feature Request about: Suggest an idea for this project title: "[FEAT] " labels: enhancement assignees: '' --- **Is your feature request related to a problem? Please describe.** A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] **Describe the solution you'd like** A clear and concise description of what you want to happen. **Describe alternatives you've considered** A clear and concise description of any alternative solutions or features you've considered. **Additional context** Add any other context or screenshots about the feature request here. ================================================ FILE: .github/PULL_REQUEST_TEMPLATE.md ================================================ ## Description Please include a summary of the change and which issue is fixed. ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) ## 🧪 Testing **I have tested this on:** - [ ] Windows 10 - [ ] Windows 11 - [ ] Virtual Machine - [ ] Real Hardware ## Checklist: - [ ] The provided code follows the style guidelines of this project - [ ] I have performed a self-review of my own code - [ ] I have commented my code, particularly in hard-to-understand areas ================================================ FILE: .github/SECURITY.md ================================================ # Security Policy ## ⚠️ False Positives / Virus Detections This application works by modifying system files and terminating security processes (Windows Defender). By definition, **antivirus software will flag this behavior as malicious.** The EXE file is flagged as virus. To download virus-free version, you can download the .zip source code version or clone the project with Git. **Please DO NOT report antivirus detections as security vulnerabilities.** These are expected behavior (False Positives). ## Reporting a Vulnerability If you find a genuine security vulnerability (e.g., the script can be exploited to run arbitrary code remotely, or privilege escalation outside the intended scope), please report it follows: 1. Do not open a public GitHub issue. 2. Send an email to [ionutbaraooo@gmail.com](mailto:ionutbaraooo@gmail.com) or open a draft Security Advisory if enabled. ## Supported Versions | Version | Supported | | ------- | ------------------ | | 12.x | :white_check_mark: | | 11.x | :x: | | < 11.x | :x: | ================================================ FILE: ISO_Maker/README.md ================================================ # ISO Maker / Unattended Installation This module allows you to create a Windows ISO with Windows Defender and Security Services disabled right from the start. **Benefits:** * Defender never runs, even during the first boot. * Prevents Windows Update from reinstalling components during setup. * Ideal for creating a Defender free, installation media. ## Instructions (If you're working on Windows DVD) To integrate Defender Remover into your Windows Installation media, follow these steps: 1. **Extract the ISO:** Mount your Windows ISO and extract its contents to a folder on your PC. 2. **Create the Folder Structure:** Navigate to the `sources` folder inside your extracted ISO and create the following nested directory structure: ```text sources └── $OEM$ └── $$ └── Panther ``` *Full path example:* `C:\ISOFolder\sources\$OEM$\$$\Panther\` 3. **Copy the XML:** * Download the `unattend.xml` (or `autounattend.xml`) file from this folder. * Place it inside the newly created `Panther` folder. 4. **Rebuild the ISO:** Save the folder contents back as a bootable ISO using tools like AnyBurn or ImgBurn. ## Instructions (if you're working on Windows USB Flash Drive) 1. **Make USB bootable with Rufus.** 2. **Create the Folder Structure:** Navigate to the `sources` folder inside your extracted ISO and create the following nested directory structure: ```text sources └── $OEM$ └── $$ └── Panther ``` *Full path example:* `C:\ISOFolder\sources\$OEM$\$$\Panther\` 3. **Copy the XML:** * Download the `unattend.xml` (or `autounattend.xml`) file from this folder. * Place it inside the newly created `Panther` folder. * Copy the autounattend.xml file to main folder of USB. (This will block to make in-place upgrades.) ## Important Note This method utilizes the `unattend.xml` mechanism of Windows Setup. Ensure you do not have conflicting unattended files if you are using other customization tools. ================================================ FILE: ISO_Maker/autounattend.xml ================================================ 00000-00000-00000-00000-00000 Always true false 1 reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassTPMCheck /t REG_DWORD /d 1 /f 2 reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassSecureBootCheck /t REG_DWORD /d 1 /f 3 reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassRAMCheck /t REG_DWORD /d 1 /f 4 cmd.exe /c >>X:\defender.vbs (echo:WScript.Echo ^"Scanning for newly created SYSTEM registry hive file to disable Windows Defender services...^"&echo:Set fso = CreateObject(^"Scripting.FileSystemObject^"^)) 5 cmd.exe /c >>X:\defender.vbs (echo:Set existing = CreateObject(^"Scripting.Dictionary^"^)&echo:Function Execute(command^)&echo:WScript.Echo ^"Running command '^" + command + ^"'^"&echo:Set shell = CreateObject(^"WScript.Shell^"^)) 6 cmd.exe /c >>X:\defender.vbs (echo:Set exec = shell.Exec(command^)&echo:Do While exec.Status = 0&echo:WScript.Sleep 100&echo:Loop&echo:WScript.Echo exec.StdOut.ReadAll&echo:WScript.Echo exec.StdErr.ReadAll&echo:Execute = exec.ExitCode&echo:End Function) 7 cmd.exe /c >>X:\defender.vbs (echo:Function FindHiveFiles&echo:Set FindHiveFiles = CreateObject(^"Scripting.Dictionary^"^)&echo:For Each drive In fso.Drives&echo:If drive.IsReady And drive.DriveLetter ^<^> ^"X^" Then) 8 cmd.exe /c >>X:\defender.vbs (echo:For Each folder In Array(^"$Windows.~BT\NewOS\Windows^", ^"Windows^"^)&echo:file = fso.BuildPath(fso.BuildPath(drive.RootFolder, folder^), ^"System32\config\SYSTEM^"^)) 9 cmd.exe /c >>X:\defender.vbs (echo:If fso.FileExists(file^) And fso.FileExists(file + ^".LOG1^"^) And fso.FileExists(file + ^".LOG2^"^) Then&echo:FindHiveFiles.Add file, Nothing&echo:End If&echo:Next&echo:End If&echo:Next&echo:End Function) 10 cmd.exe /c >>X:\defender.vbs (echo:For Each file In FindHiveFiles&echo:WScript.Echo ^"Will ignore file at '^" + file + ^"' because it was already present when Windows Setup started.^"&echo:existing.Add file, Nothing&echo:Next&echo:Do) 11 cmd.exe /c >>X:\defender.vbs (echo:For Each file In FindHiveFiles&echo:If Not existing.Exists(file^) Then&echo:ret = 1&echo:While ret ^> 0&echo:WScript.Sleep 500&echo:ret = Execute(^"reg.exe LOAD HKLM\mount ^" + file^)&echo:Wend) 12 cmd.exe /c >>X:\defender.vbs (echo:For Each service In Array(^"Sense^", ^"WdBoot^", ^"WdFilter^", ^"WdNisDrv^", ^"WdNisSvc^", ^"WinDefend^"^)) 13 cmd.exe /c >>X:\defender.vbs (echo:ret = Execute(^"reg.exe ADD HKLM\mount\ControlSet001\Services\^" + service + ^" /v Start /t REG_DWORD /d 4 /f^"^)&echo:Next&echo:ret = Execute(^"reg.exe UNLOAD HKLM\mount^"^)) 14 cmd.exe /c >>X:\defender.vbs (echo:WScript.Echo ^"Found and successfully modified SYSTEM registry hive file at '^" + file + ^"'. This window will now close.^"&echo:WScript.Sleep 5000&echo:Exit Do&echo:End If&echo:WScript.Sleep 1000&echo:Next&echo:Loop) 15 cmd.exe /c "start /MIN cscript.exe //E:vbscript X:\defender.vbs" 1 powershell.exe -WindowStyle "Hidden" -NoProfile -Command "$xml = [xml]::new(); $xml.Load('C:\Windows\Panther\unattend.xml'); $sb = [scriptblock]::Create( $xml.unattend.Extensions.ExtractScript ); Invoke-Command -ScriptBlock $sb -ArgumentList $xml;" 2 powershell.exe -WindowStyle "Hidden" -ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\Specialize.ps1" 3 reg.exe load "HKU\DefaultUser" "C:\Users\Default\NTUSER.DAT" 4 powershell.exe -WindowStyle "Hidden" -ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\DefaultUser.ps1" 5 reg.exe unload "HKU\DefaultUser" Admin Administrators true</PlainText> </Password> </LocalAccount> <LocalAccount wcm:action="add"> <Name>User</Name> <DisplayName></DisplayName> <Group>Users</Group> <Password> <Value></Value> <PlainText>true</PlainText> </Password> </LocalAccount> </LocalAccounts> </UserAccounts> <AutoLogon> <Username>Admin</Username> <Enabled>true</Enabled> <LogonCount>1</LogonCount> <Password> <Value></Value> <PlainText>true</PlainText> </Password> </AutoLogon> <OOBE> <ProtectYourPC>3</ProtectYourPC> <HideEULAPage>true</HideEULAPage> <HideWirelessSetupInOOBE>false</HideWirelessSetupInOOBE> <HideOnlineAccountScreens>false</HideOnlineAccountScreens> </OOBE> <FirstLogonCommands> <SynchronousCommand wcm:action="add"> <Order>1</Order> <CommandLine>powershell.exe -WindowStyle "Hidden" -ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\FirstLogon.ps1"</CommandLine> </SynchronousCommand> </FirstLogonCommands> </component> </settings> <Extensions xmlns="https://schneegans.de/windows/unattend-generator/"> <ExtractScript> param( [xml] $Document ); foreach( $file in $Document.unattend.Extensions.File ) { $path = [System.Environment]::ExpandEnvironmentVariables( $file.GetAttribute( 'path' ) ); mkdir -Path( $path | Split-Path -Parent ) -ErrorAction 'SilentlyContinue'; $encoding = switch( [System.IO.Path]::GetExtension( $path ) ) { { $_ -in '.ps1', '.xml' } { [System.Text.Encoding]::UTF8; } { $_ -in '.reg', '.vbs', '.js' } { [System.Text.UnicodeEncoding]::new( $false, $true ); } default { [System.Text.Encoding]::Default; } }; $bytes = $encoding.GetPreamble() + $encoding.GetBytes( $file.InnerText.Trim() ); [System.IO.File]::WriteAllBytes( $path, $bytes ); } </ExtractScript> <File path="C:\Windows\Setup\Scripts\PauseWindowsUpdate.ps1"> $formatter = { $args[0].ToString( "yyyy'-'MM'-'dd'T'HH':'mm':'ssK" ); }; $now = [datetime]::UtcNow; $start = &amp; $formatter $now; $end = &amp; $formatter $now.AddDays( 7 ); $params = @{ LiteralPath = 'Registry::HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'; Type = 'String'; Force = $true; }; Set-ItemProperty @params -Name 'PauseFeatureUpdatesStartTime' -Value $start; Set-ItemProperty @params -Name 'PauseFeatureUpdatesEndTime' -Value $end; Set-ItemProperty @params -Name 'PauseQualityUpdatesStartTime' -Value $start; Set-ItemProperty @params -Name 'PauseQualityUpdatesEndTime' -Value $end; Set-ItemProperty @params -Name 'PauseUpdatesStartTime' -Value $start; Set-ItemProperty @params -Name 'PauseUpdatesExpiryTime' -Value $end; </File> <File path="C:\Windows\Setup\Scripts\PauseWindowsUpdate.xml"> &lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt; &lt;Triggers&gt; &lt;BootTrigger&gt; &lt;Repetition&gt; &lt;Interval&gt;P1D&lt;/Interval&gt; &lt;StopAtDurationEnd&gt;false&lt;/StopAtDurationEnd&gt; &lt;/Repetition&gt; &lt;Enabled&gt;true&lt;/Enabled&gt; &lt;/BootTrigger&gt; &lt;/Triggers&gt; &lt;Principals&gt; &lt;Principal id="Author"&gt; &lt;UserId&gt;S-1-5-19&lt;/UserId&gt; &lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt; &lt;/Principal&gt; &lt;/Principals&gt; &lt;Settings&gt; &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; &lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt; &lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt; &lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt; &lt;StartWhenAvailable&gt;false&lt;/StartWhenAvailable&gt; &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; &lt;IdleSettings&gt; &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; &lt;/IdleSettings&gt; &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; &lt;Enabled&gt;true&lt;/Enabled&gt; &lt;Hidden&gt;false&lt;/Hidden&gt; &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; &lt;ExecutionTimeLimit&gt;PT72H&lt;/ExecutionTimeLimit&gt; &lt;Priority&gt;7&lt;/Priority&gt; &lt;/Settings&gt; &lt;Actions Context="Author"&gt; &lt;Exec&gt; &lt;Command&gt;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&lt;/Command&gt; &lt;Arguments&gt;-ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\PauseWindowsUpdate.ps1"&lt;/Arguments&gt; &lt;/Exec&gt; &lt;/Actions&gt; &lt;/Task&gt; </File> <File path="C:\Windows\Setup\Scripts\Specialize.ps1"> $scripts = @( { reg.exe add "HKLM\SYSTEM\Setup\MoSetup" /v AllowUpgradesWithUnsupportedTPMOrCPU /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v BypassNRO /t REG_DWORD /d 1 /f; }; { net.exe accounts /maxpwage:UNLIMITED; }; { Register-ScheduledTask -TaskName 'PauseWindowsUpdate' -Xml $( Get-Content -LiteralPath 'C:\Windows\Setup\Scripts\PauseWindowsUpdate.xml' -Raw ); }; { reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy" /v VerifiedAndReputablePolicyState /t REG_DWORD /d 0 /f; }; { reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v ServiceEnabled /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v NotifyMalicious /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v NotifyPasswordReuse /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v NotifyUnsafeApp /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\BitLocker" /v "PreventDeviceEncryption" /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f; reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f; reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "EnabledBootId" /t REG_DWORD /d 0 /f; reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "WasEnabledBy" /t REG_DWORD /d 0 /f; }; ); &amp; { [float] $complete = 0; [float] $increment = 100 / $scripts.Count; foreach( $script in $scripts ) { Write-Progress -Activity 'Running scripts to customize your Windows installation. Do not close this window.' -PercentComplete $complete; '*** Will now execute command &#xAB;{0}&#xBB;.' -f $( $str = $script.ToString().Trim() -replace '\s+', ' '; $max = 100; if( $str.Length -le $max ) { $str; } else { $str.Substring( 0, $max - 1 ) + '&#x2026;'; } ); $start = [datetime]::Now; &amp; $script; '*** Finished executing command after {0:0} ms.' -f [datetime]::Now.Subtract( $start ).TotalMilliseconds; "`r`n" * 3; $complete += $increment; } } *&gt;&amp;1 | Out-String -Width 1KB -Stream &gt;&gt; "C:\Windows\Setup\Scripts\Specialize.log"; </File> <File path="C:\Windows\Setup\Scripts\DefaultUser.ps1"> $scripts = @( { reg.exe add "HKU\DefaultUser\Software\Microsoft\Edge\SmartScreenEnabled" /ve /t REG_DWORD /d 0 /f; reg.exe add "HKU\DefaultUser\Software\Microsoft\Edge\SmartScreenPuaEnabled" /ve /t REG_DWORD /d 0 /f; reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f; reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\AppHost" /v PreventOverride /t REG_DWORD /d 0 /f; }; ); &amp; { [float] $complete = 0; [float] $increment = 100 / $scripts.Count; foreach( $script in $scripts ) { Write-Progress -Activity 'Running scripts to modify the default user&#x2019;&#x2019;s registry hive. Do not close this window.' -PercentComplete $complete; '*** Will now execute command &#xAB;{0}&#xBB;.' -f $( $str = $script.ToString().Trim() -replace '\s+', ' '; $max = 100; if( $str.Length -le $max ) { $str; } else { $str.Substring( 0, $max - 1 ) + '&#x2026;'; } ); $start = [datetime]::Now; &amp; $script; '*** Finished executing command after {0:0} ms.' -f [datetime]::Now.Subtract( $start ).TotalMilliseconds; "`r`n" * 3; $complete += $increment; } } *&gt;&amp;1 | Out-String -Width 1KB -Stream &gt;&gt; "C:\Windows\Setup\Scripts\DefaultUser.log"; </File> <File path="C:\Windows\Setup\Scripts\FirstLogon.ps1"> $scripts = @( { Set-ItemProperty -LiteralPath 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'AutoLogonCount' -Type 'DWord' -Force -Value 0; }; { Remove-Item -LiteralPath @( 'C:\Windows\Panther\unattend.xml'; 'C:\Windows\Panther\unattend-original.xml'; 'C:\Windows\Setup\Scripts\Wifi.xml'; ) -Force -ErrorAction 'SilentlyContinue' -Verbose; }; ); &amp; { [float] $complete = 0; [float] $increment = 100 / $scripts.Count; foreach( $script in $scripts ) { Write-Progress -Activity 'Running scripts to finalize your Windows installation. Do not close this window.' -PercentComplete $complete; '*** Will now execute command &#xAB;{0}&#xBB;.' -f $( $str = $script.ToString().Trim() -replace '\s+', ' '; $max = 100; if( $str.Length -le $max ) { $str; } else { $str.Substring( 0, $max - 1 ) + '&#x2026;'; } ); $start = [datetime]::Now; &amp; $script; '*** Finished executing command after {0:0} ms.' -f [datetime]::Now.Subtract( $start ).TotalMilliseconds; "`r`n" * 3; $complete += $increment; } } *&gt;&amp;1 | Out-String -Width 1KB -Stream &gt;&gt; "C:\Windows\Setup\Scripts\FirstLogon.log"; </File> </Extensions> </unattend> ================================================ FILE: ISO_Maker/sources/$OEM$/$$/Panther/autounattend.xml ================================================ <?xml version="1.0" encoding="utf-8"?> <unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"> <settings pass="offlineServicing"></settings> <settings pass="windowsPE"> <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> <UserData> <ProductKey> <Key>00000-00000-00000-00000-00000</Key> <WillShowUI>Always</WillShowUI> </ProductKey> <AcceptEula>true</AcceptEula> </UserData> <UseConfigurationSet>false</UseConfigurationSet> <RunSynchronous> <RunSynchronousCommand wcm:action="add"> <Order>1</Order> <Path>reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassTPMCheck /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>2</Order> <Path>reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassSecureBootCheck /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>3</Order> <Path>reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassRAMCheck /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>4</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:WScript.Echo ^"Scanning for newly created SYSTEM registry hive file to disable Windows Defender services...^"&amp;echo:Set fso = CreateObject(^"Scripting.FileSystemObject^"^))</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>5</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:Set existing = CreateObject(^"Scripting.Dictionary^"^)&amp;echo:Function Execute(command^)&amp;echo:WScript.Echo ^"Running command '^" + command + ^"'^"&amp;echo:Set shell = CreateObject(^"WScript.Shell^"^))</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>6</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:Set exec = shell.Exec(command^)&amp;echo:Do While exec.Status = 0&amp;echo:WScript.Sleep 100&amp;echo:Loop&amp;echo:WScript.Echo exec.StdOut.ReadAll&amp;echo:WScript.Echo exec.StdErr.ReadAll&amp;echo:Execute = exec.ExitCode&amp;echo:End Function)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>7</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:Function FindHiveFiles&amp;echo:Set FindHiveFiles = CreateObject(^"Scripting.Dictionary^"^)&amp;echo:For Each drive In fso.Drives&amp;echo:If drive.IsReady And drive.DriveLetter ^&lt;^&gt; ^"X^" Then)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>8</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:For Each folder In Array(^"$Windows.~BT\NewOS\Windows^", ^"Windows^"^)&amp;echo:file = fso.BuildPath(fso.BuildPath(drive.RootFolder, folder^), ^"System32\config\SYSTEM^"^))</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>9</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:If fso.FileExists(file^) And fso.FileExists(file + ^".LOG1^"^) And fso.FileExists(file + ^".LOG2^"^) Then&amp;echo:FindHiveFiles.Add file, Nothing&amp;echo:End If&amp;echo:Next&amp;echo:End If&amp;echo:Next&amp;echo:End Function)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>10</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:For Each file In FindHiveFiles&amp;echo:WScript.Echo ^"Will ignore file at '^" + file + ^"' because it was already present when Windows Setup started.^"&amp;echo:existing.Add file, Nothing&amp;echo:Next&amp;echo:Do)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>11</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:For Each file In FindHiveFiles&amp;echo:If Not existing.Exists(file^) Then&amp;echo:ret = 1&amp;echo:While ret ^&gt; 0&amp;echo:WScript.Sleep 500&amp;echo:ret = Execute(^"reg.exe LOAD HKLM\mount ^" + file^)&amp;echo:Wend)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>12</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:For Each service In Array(^"Sense^", ^"WdBoot^", ^"WdFilter^", ^"WdNisDrv^", ^"WdNisSvc^", ^"WinDefend^"^))</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>13</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:ret = Execute(^"reg.exe ADD HKLM\mount\ControlSet001\Services\^" + service + ^" /v Start /t REG_DWORD /d 4 /f^"^)&amp;echo:Next&amp;echo:ret = Execute(^"reg.exe UNLOAD HKLM\mount^"^))</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>14</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:WScript.Echo ^"Found and successfully modified SYSTEM registry hive file at '^" + file + ^"'. This window will now close.^"&amp;echo:WScript.Sleep 5000&amp;echo:Exit Do&amp;echo:End If&amp;echo:WScript.Sleep 1000&amp;echo:Next&amp;echo:Loop)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>15</Order> <Path>cmd.exe /c "start /MIN cscript.exe //E:vbscript X:\defender.vbs"</Path> </RunSynchronousCommand> </RunSynchronous> </component> </settings> <settings pass="generalize"></settings> <settings pass="specialize"> <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> <RunSynchronous> <RunSynchronousCommand wcm:action="add"> <Order>1</Order> <Path>powershell.exe -WindowStyle "Hidden" -NoProfile -Command "$xml = [xml]::new(); $xml.Load('C:\Windows\Panther\unattend.xml'); $sb = [scriptblock]::Create( $xml.unattend.Extensions.ExtractScript ); Invoke-Command -ScriptBlock $sb -ArgumentList $xml;"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>2</Order> <Path>powershell.exe -WindowStyle "Hidden" -ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\Specialize.ps1"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>3</Order> <Path>reg.exe load "HKU\DefaultUser" "C:\Users\Default\NTUSER.DAT"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>4</Order> <Path>powershell.exe -WindowStyle "Hidden" -ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\DefaultUser.ps1"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>5</Order> <Path>reg.exe unload "HKU\DefaultUser"</Path> </RunSynchronousCommand> </RunSynchronous> </component> </settings> <settings pass="auditSystem"></settings> <settings pass="auditUser"></settings> <settings pass="oobeSystem"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> <UserAccounts> <LocalAccounts> <LocalAccount wcm:action="add"> <Name>Admin</Name> <DisplayName></DisplayName> <Group>Administrators</Group> <Password> <Value></Value> <PlainText>true</PlainText> </Password> </LocalAccount> <LocalAccount wcm:action="add"> <Name>User</Name> <DisplayName></DisplayName> <Group>Users</Group> <Password> <Value></Value> <PlainText>true</PlainText> </Password> </LocalAccount> </LocalAccounts> </UserAccounts> <AutoLogon> <Username>Admin</Username> <Enabled>true</Enabled> <LogonCount>1</LogonCount> <Password> <Value></Value> <PlainText>true</PlainText> </Password> </AutoLogon> <OOBE> <ProtectYourPC>3</ProtectYourPC> <HideEULAPage>true</HideEULAPage> <HideWirelessSetupInOOBE>false</HideWirelessSetupInOOBE> <HideOnlineAccountScreens>false</HideOnlineAccountScreens> </OOBE> <FirstLogonCommands> <SynchronousCommand wcm:action="add"> <Order>1</Order> <CommandLine>powershell.exe -WindowStyle "Hidden" -ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\FirstLogon.ps1"</CommandLine> </SynchronousCommand> </FirstLogonCommands> </component> </settings> <Extensions xmlns="https://schneegans.de/windows/unattend-generator/"> <ExtractScript> param( [xml] $Document ); foreach( $file in $Document.unattend.Extensions.File ) { $path = [System.Environment]::ExpandEnvironmentVariables( $file.GetAttribute( 'path' ) ); mkdir -Path( $path | Split-Path -Parent ) -ErrorAction 'SilentlyContinue'; $encoding = switch( [System.IO.Path]::GetExtension( $path ) ) { { $_ -in '.ps1', '.xml' } { [System.Text.Encoding]::UTF8; } { $_ -in '.reg', '.vbs', '.js' } { [System.Text.UnicodeEncoding]::new( $false, $true ); } default { [System.Text.Encoding]::Default; } }; $bytes = $encoding.GetPreamble() + $encoding.GetBytes( $file.InnerText.Trim() ); [System.IO.File]::WriteAllBytes( $path, $bytes ); } </ExtractScript> <File path="C:\Windows\Setup\Scripts\PauseWindowsUpdate.ps1"> $formatter = { $args[0].ToString( "yyyy'-'MM'-'dd'T'HH':'mm':'ssK" ); }; $now = [datetime]::UtcNow; $start = &amp; $formatter $now; $end = &amp; $formatter $now.AddDays( 7 ); $params = @{ LiteralPath = 'Registry::HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'; Type = 'String'; Force = $true; }; Set-ItemProperty @params -Name 'PauseFeatureUpdatesStartTime' -Value $start; Set-ItemProperty @params -Name 'PauseFeatureUpdatesEndTime' -Value $end; Set-ItemProperty @params -Name 'PauseQualityUpdatesStartTime' -Value $start; Set-ItemProperty @params -Name 'PauseQualityUpdatesEndTime' -Value $end; Set-ItemProperty @params -Name 'PauseUpdatesStartTime' -Value $start; Set-ItemProperty @params -Name 'PauseUpdatesExpiryTime' -Value $end; </File> <File path="C:\Windows\Setup\Scripts\PauseWindowsUpdate.xml"> &lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt; &lt;Triggers&gt; &lt;BootTrigger&gt; &lt;Repetition&gt; &lt;Interval&gt;P1D&lt;/Interval&gt; &lt;StopAtDurationEnd&gt;false&lt;/StopAtDurationEnd&gt; &lt;/Repetition&gt; &lt;Enabled&gt;true&lt;/Enabled&gt; &lt;/BootTrigger&gt; &lt;/Triggers&gt; &lt;Principals&gt; &lt;Principal id="Author"&gt; &lt;UserId&gt;S-1-5-19&lt;/UserId&gt; &lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt; &lt;/Principal&gt; &lt;/Principals&gt; &lt;Settings&gt; &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; &lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt; &lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt; &lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt; &lt;StartWhenAvailable&gt;false&lt;/StartWhenAvailable&gt; &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; &lt;IdleSettings&gt; &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; &lt;/IdleSettings&gt; &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; &lt;Enabled&gt;true&lt;/Enabled&gt; &lt;Hidden&gt;false&lt;/Hidden&gt; &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; &lt;ExecutionTimeLimit&gt;PT72H&lt;/ExecutionTimeLimit&gt; &lt;Priority&gt;7&lt;/Priority&gt; &lt;/Settings&gt; &lt;Actions Context="Author"&gt; &lt;Exec&gt; &lt;Command&gt;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&lt;/Command&gt; &lt;Arguments&gt;-ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\PauseWindowsUpdate.ps1"&lt;/Arguments&gt; &lt;/Exec&gt; &lt;/Actions&gt; &lt;/Task&gt; </File> <File path="C:\Windows\Setup\Scripts\Specialize.ps1"> $scripts = @( { reg.exe add "HKLM\SYSTEM\Setup\MoSetup" /v AllowUpgradesWithUnsupportedTPMOrCPU /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v BypassNRO /t REG_DWORD /d 1 /f; }; { net.exe accounts /maxpwage:UNLIMITED; }; { Register-ScheduledTask -TaskName 'PauseWindowsUpdate' -Xml $( Get-Content -LiteralPath 'C:\Windows\Setup\Scripts\PauseWindowsUpdate.xml' -Raw ); }; { reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy" /v VerifiedAndReputablePolicyState /t REG_DWORD /d 0 /f; }; { reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v ServiceEnabled /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v NotifyMalicious /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v NotifyPasswordReuse /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v NotifyUnsafeApp /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\BitLocker" /v "PreventDeviceEncryption" /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f; reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f; reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "EnabledBootId" /t REG_DWORD /d 0 /f; reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "WasEnabledBy" /t REG_DWORD /d 0 /f; }; ); &amp; { [float] $complete = 0; [float] $increment = 100 / $scripts.Count; foreach( $script in $scripts ) { Write-Progress -Activity 'Running scripts to customize your Windows installation. Do not close this window.' -PercentComplete $complete; '*** Will now execute command &#xAB;{0}&#xBB;.' -f $( $str = $script.ToString().Trim() -replace '\s+', ' '; $max = 100; if( $str.Length -le $max ) { $str; } else { $str.Substring( 0, $max - 1 ) + '&#x2026;'; } ); $start = [datetime]::Now; &amp; $script; '*** Finished executing command after {0:0} ms.' -f [datetime]::Now.Subtract( $start ).TotalMilliseconds; "`r`n" * 3; $complete += $increment; } } *&gt;&amp;1 | Out-String -Width 1KB -Stream &gt;&gt; "C:\Windows\Setup\Scripts\Specialize.log"; </File> <File path="C:\Windows\Setup\Scripts\DefaultUser.ps1"> $scripts = @( { reg.exe add "HKU\DefaultUser\Software\Microsoft\Edge\SmartScreenEnabled" /ve /t REG_DWORD /d 0 /f; reg.exe add "HKU\DefaultUser\Software\Microsoft\Edge\SmartScreenPuaEnabled" /ve /t REG_DWORD /d 0 /f; reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f; reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\AppHost" /v PreventOverride /t REG_DWORD /d 0 /f; }; ); &amp; { [float] $complete = 0; [float] $increment = 100 / $scripts.Count; foreach( $script in $scripts ) { Write-Progress -Activity 'Running scripts to modify the default user&#x2019;&#x2019;s registry hive. Do not close this window.' -PercentComplete $complete; '*** Will now execute command &#xAB;{0}&#xBB;.' -f $( $str = $script.ToString().Trim() -replace '\s+', ' '; $max = 100; if( $str.Length -le $max ) { $str; } else { $str.Substring( 0, $max - 1 ) + '&#x2026;'; } ); $start = [datetime]::Now; &amp; $script; '*** Finished executing command after {0:0} ms.' -f [datetime]::Now.Subtract( $start ).TotalMilliseconds; "`r`n" * 3; $complete += $increment; } } *&gt;&amp;1 | Out-String -Width 1KB -Stream &gt;&gt; "C:\Windows\Setup\Scripts\DefaultUser.log"; </File> <File path="C:\Windows\Setup\Scripts\FirstLogon.ps1"> $scripts = @( { Set-ItemProperty -LiteralPath 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'AutoLogonCount' -Type 'DWord' -Force -Value 0; }; { Remove-Item -LiteralPath @( 'C:\Windows\Panther\unattend.xml'; 'C:\Windows\Panther\unattend-original.xml'; 'C:\Windows\Setup\Scripts\Wifi.xml'; ) -Force -ErrorAction 'SilentlyContinue' -Verbose; }; ); &amp; { [float] $complete = 0; [float] $increment = 100 / $scripts.Count; foreach( $script in $scripts ) { Write-Progress -Activity 'Running scripts to finalize your Windows installation. Do not close this window.' -PercentComplete $complete; '*** Will now execute command &#xAB;{0}&#xBB;.' -f $( $str = $script.ToString().Trim() -replace '\s+', ' '; $max = 100; if( $str.Length -le $max ) { $str; } else { $str.Substring( 0, $max - 1 ) + '&#x2026;'; } ); $start = [datetime]::Now; &amp; $script; '*** Finished executing command after {0:0} ms.' -f [datetime]::Now.Subtract( $start ).TotalMilliseconds; "`r`n" * 3; $complete += $increment; } } *&gt;&amp;1 | Out-String -Width 1KB -Stream &gt;&gt; "C:\Windows\Setup\Scripts\FirstLogon.log"; </File> </Extensions> </unattend> ================================================ FILE: ISO_Maker/sources/$OEM$/$$/Panther/unattend.xml ================================================ <?xml version="1.0" encoding="utf-8"?> <unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"> <settings pass="offlineServicing"></settings> <settings pass="windowsPE"> <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> <UserData> <ProductKey> <Key>00000-00000-00000-00000-00000</Key> <WillShowUI>Always</WillShowUI> </ProductKey> <AcceptEula>true</AcceptEula> </UserData> <UseConfigurationSet>false</UseConfigurationSet> <RunSynchronous> <RunSynchronousCommand wcm:action="add"> <Order>1</Order> <Path>reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassTPMCheck /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>2</Order> <Path>reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassSecureBootCheck /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>3</Order> <Path>reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v BypassRAMCheck /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>4</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:WScript.Echo ^"Scanning for newly created SYSTEM registry hive file to disable Windows Defender services...^"&amp;echo:Set fso = CreateObject(^"Scripting.FileSystemObject^"^))</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>5</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:Set existing = CreateObject(^"Scripting.Dictionary^"^)&amp;echo:Function Execute(command^)&amp;echo:WScript.Echo ^"Running command '^" + command + ^"'^"&amp;echo:Set shell = CreateObject(^"WScript.Shell^"^))</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>6</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:Set exec = shell.Exec(command^)&amp;echo:Do While exec.Status = 0&amp;echo:WScript.Sleep 100&amp;echo:Loop&amp;echo:WScript.Echo exec.StdOut.ReadAll&amp;echo:WScript.Echo exec.StdErr.ReadAll&amp;echo:Execute = exec.ExitCode&amp;echo:End Function)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>7</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:Function FindHiveFiles&amp;echo:Set FindHiveFiles = CreateObject(^"Scripting.Dictionary^"^)&amp;echo:For Each drive In fso.Drives&amp;echo:If drive.IsReady And drive.DriveLetter ^&lt;^&gt; ^"X^" Then)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>8</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:For Each folder In Array(^"$Windows.~BT\NewOS\Windows^", ^"Windows^"^)&amp;echo:file = fso.BuildPath(fso.BuildPath(drive.RootFolder, folder^), ^"System32\config\SYSTEM^"^))</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>9</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:If fso.FileExists(file^) And fso.FileExists(file + ^".LOG1^"^) And fso.FileExists(file + ^".LOG2^"^) Then&amp;echo:FindHiveFiles.Add file, Nothing&amp;echo:End If&amp;echo:Next&amp;echo:End If&amp;echo:Next&amp;echo:End Function)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>10</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:For Each file In FindHiveFiles&amp;echo:WScript.Echo ^"Will ignore file at '^" + file + ^"' because it was already present when Windows Setup started.^"&amp;echo:existing.Add file, Nothing&amp;echo:Next&amp;echo:Do)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>11</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:For Each file In FindHiveFiles&amp;echo:If Not existing.Exists(file^) Then&amp;echo:ret = 1&amp;echo:While ret ^&gt; 0&amp;echo:WScript.Sleep 500&amp;echo:ret = Execute(^"reg.exe LOAD HKLM\mount ^" + file^)&amp;echo:Wend)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>12</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:For Each service In Array(^"Sense^", ^"WdBoot^", ^"WdFilter^", ^"WdNisDrv^", ^"WdNisSvc^", ^"WinDefend^"^))</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>13</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:ret = Execute(^"reg.exe ADD HKLM\mount\ControlSet001\Services\^" + service + ^" /v Start /t REG_DWORD /d 4 /f^"^)&amp;echo:Next&amp;echo:ret = Execute(^"reg.exe UNLOAD HKLM\mount^"^))</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>14</Order> <Path>cmd.exe /c &gt;&gt;X:\defender.vbs (echo:WScript.Echo ^"Found and successfully modified SYSTEM registry hive file at '^" + file + ^"'. This window will now close.^"&amp;echo:WScript.Sleep 5000&amp;echo:Exit Do&amp;echo:End If&amp;echo:WScript.Sleep 1000&amp;echo:Next&amp;echo:Loop)</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>15</Order> <Path>cmd.exe /c "start /MIN cscript.exe //E:vbscript X:\defender.vbs"</Path> </RunSynchronousCommand> </RunSynchronous> </component> </settings> <settings pass="generalize"></settings> <settings pass="specialize"> <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> <RunSynchronous> <RunSynchronousCommand wcm:action="add"> <Order>1</Order> <Path>powershell.exe -WindowStyle "Hidden" -NoProfile -Command "$xml = [xml]::new(); $xml.Load('C:\Windows\Panther\unattend.xml'); $sb = [scriptblock]::Create( $xml.unattend.Extensions.ExtractScript ); Invoke-Command -ScriptBlock $sb -ArgumentList $xml;"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>2</Order> <Path>powershell.exe -WindowStyle "Hidden" -ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\Specialize.ps1"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>3</Order> <Path>reg.exe load "HKU\DefaultUser" "C:\Users\Default\NTUSER.DAT"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>4</Order> <Path>powershell.exe -WindowStyle "Hidden" -ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\DefaultUser.ps1"</Path> </RunSynchronousCommand> <RunSynchronousCommand wcm:action="add"> <Order>5</Order> <Path>reg.exe unload "HKU\DefaultUser"</Path> </RunSynchronousCommand> </RunSynchronous> </component> </settings> <settings pass="auditSystem"></settings> <settings pass="auditUser"></settings> <settings pass="oobeSystem"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> <UserAccounts> <LocalAccounts> <LocalAccount wcm:action="add"> <Name>Admin</Name> <DisplayName></DisplayName> <Group>Administrators</Group> <Password> <Value></Value> <PlainText>true</PlainText> </Password> </LocalAccount> <LocalAccount wcm:action="add"> <Name>User</Name> <DisplayName></DisplayName> <Group>Users</Group> <Password> <Value></Value> <PlainText>true</PlainText> </Password> </LocalAccount> </LocalAccounts> </UserAccounts> <AutoLogon> <Username>Admin</Username> <Enabled>true</Enabled> <LogonCount>1</LogonCount> <Password> <Value></Value> <PlainText>true</PlainText> </Password> </AutoLogon> <OOBE> <ProtectYourPC>3</ProtectYourPC> <HideEULAPage>true</HideEULAPage> <HideWirelessSetupInOOBE>false</HideWirelessSetupInOOBE> <HideOnlineAccountScreens>false</HideOnlineAccountScreens> </OOBE> <FirstLogonCommands> <SynchronousCommand wcm:action="add"> <Order>1</Order> <CommandLine>powershell.exe -WindowStyle "Hidden" -ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\FirstLogon.ps1"</CommandLine> </SynchronousCommand> </FirstLogonCommands> </component> </settings> <Extensions xmlns="https://schneegans.de/windows/unattend-generator/"> <ExtractScript> param( [xml] $Document ); foreach( $file in $Document.unattend.Extensions.File ) { $path = [System.Environment]::ExpandEnvironmentVariables( $file.GetAttribute( 'path' ) ); mkdir -Path( $path | Split-Path -Parent ) -ErrorAction 'SilentlyContinue'; $encoding = switch( [System.IO.Path]::GetExtension( $path ) ) { { $_ -in '.ps1', '.xml' } { [System.Text.Encoding]::UTF8; } { $_ -in '.reg', '.vbs', '.js' } { [System.Text.UnicodeEncoding]::new( $false, $true ); } default { [System.Text.Encoding]::Default; } }; $bytes = $encoding.GetPreamble() + $encoding.GetBytes( $file.InnerText.Trim() ); [System.IO.File]::WriteAllBytes( $path, $bytes ); } </ExtractScript> <File path="C:\Windows\Setup\Scripts\PauseWindowsUpdate.ps1"> $formatter = { $args[0].ToString( "yyyy'-'MM'-'dd'T'HH':'mm':'ssK" ); }; $now = [datetime]::UtcNow; $start = &amp; $formatter $now; $end = &amp; $formatter $now.AddDays( 7 ); $params = @{ LiteralPath = 'Registry::HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'; Type = 'String'; Force = $true; }; Set-ItemProperty @params -Name 'PauseFeatureUpdatesStartTime' -Value $start; Set-ItemProperty @params -Name 'PauseFeatureUpdatesEndTime' -Value $end; Set-ItemProperty @params -Name 'PauseQualityUpdatesStartTime' -Value $start; Set-ItemProperty @params -Name 'PauseQualityUpdatesEndTime' -Value $end; Set-ItemProperty @params -Name 'PauseUpdatesStartTime' -Value $start; Set-ItemProperty @params -Name 'PauseUpdatesExpiryTime' -Value $end; </File> <File path="C:\Windows\Setup\Scripts\PauseWindowsUpdate.xml"> &lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt; &lt;Triggers&gt; &lt;BootTrigger&gt; &lt;Repetition&gt; &lt;Interval&gt;P1D&lt;/Interval&gt; &lt;StopAtDurationEnd&gt;false&lt;/StopAtDurationEnd&gt; &lt;/Repetition&gt; &lt;Enabled&gt;true&lt;/Enabled&gt; &lt;/BootTrigger&gt; &lt;/Triggers&gt; &lt;Principals&gt; &lt;Principal id="Author"&gt; &lt;UserId&gt;S-1-5-19&lt;/UserId&gt; &lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt; &lt;/Principal&gt; &lt;/Principals&gt; &lt;Settings&gt; &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; &lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt; &lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt; &lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt; &lt;StartWhenAvailable&gt;false&lt;/StartWhenAvailable&gt; &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; &lt;IdleSettings&gt; &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; &lt;/IdleSettings&gt; &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; &lt;Enabled&gt;true&lt;/Enabled&gt; &lt;Hidden&gt;false&lt;/Hidden&gt; &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; &lt;ExecutionTimeLimit&gt;PT72H&lt;/ExecutionTimeLimit&gt; &lt;Priority&gt;7&lt;/Priority&gt; &lt;/Settings&gt; &lt;Actions Context="Author"&gt; &lt;Exec&gt; &lt;Command&gt;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&lt;/Command&gt; &lt;Arguments&gt;-ExecutionPolicy "Unrestricted" -NoProfile -File "C:\Windows\Setup\Scripts\PauseWindowsUpdate.ps1"&lt;/Arguments&gt; &lt;/Exec&gt; &lt;/Actions&gt; &lt;/Task&gt; </File> <File path="C:\Windows\Setup\Scripts\Specialize.ps1"> $scripts = @( { reg.exe add "HKLM\SYSTEM\Setup\MoSetup" /v AllowUpgradesWithUnsupportedTPMOrCPU /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v BypassNRO /t REG_DWORD /d 1 /f; }; { net.exe accounts /maxpwage:UNLIMITED; }; { Register-ScheduledTask -TaskName 'PauseWindowsUpdate' -Xml $( Get-Content -LiteralPath 'C:\Windows\Setup\Scripts\PauseWindowsUpdate.xml' -Raw ); }; { reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy" /v VerifiedAndReputablePolicyState /t REG_DWORD /d 0 /f; }; { reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v ServiceEnabled /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v NotifyMalicious /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v NotifyPasswordReuse /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components" /v NotifyUnsafeApp /t REG_DWORD /d 0 /f; reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\BitLocker" /v "PreventDeviceEncryption" /t REG_DWORD /d 1 /f; }; { reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f; reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f; reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "EnabledBootId" /t REG_DWORD /d 0 /f; reg.exe add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "WasEnabledBy" /t REG_DWORD /d 0 /f; }; ); &amp; { [float] $complete = 0; [float] $increment = 100 / $scripts.Count; foreach( $script in $scripts ) { Write-Progress -Activity 'Running scripts to customize your Windows installation. Do not close this window.' -PercentComplete $complete; '*** Will now execute command &#xAB;{0}&#xBB;.' -f $( $str = $script.ToString().Trim() -replace '\s+', ' '; $max = 100; if( $str.Length -le $max ) { $str; } else { $str.Substring( 0, $max - 1 ) + '&#x2026;'; } ); $start = [datetime]::Now; &amp; $script; '*** Finished executing command after {0:0} ms.' -f [datetime]::Now.Subtract( $start ).TotalMilliseconds; "`r`n" * 3; $complete += $increment; } } *&gt;&amp;1 | Out-String -Width 1KB -Stream &gt;&gt; "C:\Windows\Setup\Scripts\Specialize.log"; </File> <File path="C:\Windows\Setup\Scripts\DefaultUser.ps1"> $scripts = @( { reg.exe add "HKU\DefaultUser\Software\Microsoft\Edge\SmartScreenEnabled" /ve /t REG_DWORD /d 0 /f; reg.exe add "HKU\DefaultUser\Software\Microsoft\Edge\SmartScreenPuaEnabled" /ve /t REG_DWORD /d 0 /f; reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f; reg.exe add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\AppHost" /v PreventOverride /t REG_DWORD /d 0 /f; }; ); &amp; { [float] $complete = 0; [float] $increment = 100 / $scripts.Count; foreach( $script in $scripts ) { Write-Progress -Activity 'Running scripts to modify the default user&#x2019;&#x2019;s registry hive. Do not close this window.' -PercentComplete $complete; '*** Will now execute command &#xAB;{0}&#xBB;.' -f $( $str = $script.ToString().Trim() -replace '\s+', ' '; $max = 100; if( $str.Length -le $max ) { $str; } else { $str.Substring( 0, $max - 1 ) + '&#x2026;'; } ); $start = [datetime]::Now; &amp; $script; '*** Finished executing command after {0:0} ms.' -f [datetime]::Now.Subtract( $start ).TotalMilliseconds; "`r`n" * 3; $complete += $increment; } } *&gt;&amp;1 | Out-String -Width 1KB -Stream &gt;&gt; "C:\Windows\Setup\Scripts\DefaultUser.log"; </File> <File path="C:\Windows\Setup\Scripts\FirstLogon.ps1"> $scripts = @( { Set-ItemProperty -LiteralPath 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'AutoLogonCount' -Type 'DWord' -Force -Value 0; }; { Remove-Item -LiteralPath @( 'C:\Windows\Panther\unattend.xml'; 'C:\Windows\Panther\unattend-original.xml'; 'C:\Windows\Setup\Scripts\Wifi.xml'; ) -Force -ErrorAction 'SilentlyContinue' -Verbose; }; ); &amp; { [float] $complete = 0; [float] $increment = 100 / $scripts.Count; foreach( $script in $scripts ) { Write-Progress -Activity 'Running scripts to finalize your Windows installation. Do not close this window.' -PercentComplete $complete; '*** Will now execute command &#xAB;{0}&#xBB;.' -f $( $str = $script.ToString().Trim() -replace '\s+', ' '; $max = 100; if( $str.Length -le $max ) { $str; } else { $str.Substring( 0, $max - 1 ) + '&#x2026;'; } ); $start = [datetime]::Now; &amp; $script; '*** Finished executing command after {0:0} ms.' -f [datetime]::Now.Subtract( $start ).TotalMilliseconds; "`r`n" * 3; $complete += $increment; } } *&gt;&amp;1 | Out-String -Width 1KB -Stream &gt;&gt; "C:\Windows\Setup\Scripts\FirstLogon.log"; </File> </Extensions> </unattend> ================================================ FILE: LICENSE ================================================ This work is licensed under the Creative Commons Attribution-NonCommercial 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. ================================================ FILE: README.md ================================================ # ❌️ Defender Remover / Defender Disabler <a href="https://github.com/ionuttbara/windows-defender-remover"> <picture> <source media="(prefers-color-scheme: dark)" srcset="./site-res/darkmode.png"> <img alt="Defender Remover" src="./site-res/lightmode.png"> </picture> </a> ## Project Modules For specific details on the sub-components, please check: * **[💿 ISO Maker](./ISO_Maker/README.md)** - Create a custom Windows ISO with Defender disabled. * **[🛡️ Remove Defender Engine](./Remove_Defender/README.md)** - Remove the antivirus core and services. * **[🖥️ Remove Security App](./Remove_SecurityComp/README.md)** - Remove the Windows Security UI. --- ## ❓️ What does the app do? This application removes / disables Windows Defender, including the Windows Security App, Windows Virtualization-Based Security (VBS), Windows SmartScreen, Windows Security Services, Windows Web-Threat Service, Windows File Virtualization (UAC), Microsoft Defender App Guard, Microsoft Driver Block List, System Mitigations and the Windows Defender page in the Settings App on Windows 10 or later. ## ❓️ What components are removing? ### Removing Security Components This script removes/disables following security components: - support for Windows Security Center including Windows Security Center Service (wscsvc), Windows Security Service (SgrmBroker, Sgrm Drivers) which are needed to run Windows Security App. - virtualization support. - Hypervisor startup (this fixes disablation of Virtualization Based Security, this will auto enable if you use Hyper-V and/or WSL (Windows Subsystem for Linux), WSA (Windows Subsystem for Android)) - LUA (disables File Virtualization and User Account Control, which will run all apps as administrator priviliges (also fixes old app errors)) - Exploit Guard (something about Exploits) - Windows Smart Control - Tamper Protection (for Windows 11 21H2 or earlier) - SecHealthUI (Windows Security UWP App) - SmartScreen - Pluton Support and Pluton Services Support - System Mitigations - "Services Mitigations" (search on admx.help for more informations, its policy) - Spectre and Meltdown Mitigation (for get +30% performance on old Intel CPUs) - Windows Security Section from Settings App. ### Removing Antivirus Components This script forcily removes following antivirus components: - Windows Defender Definition Update List (this will disable updating definitions of Defender because its removed) - Windows Defender SpyNet Telemetry - Antivirus Service - Windows Defender Antivirus filter and windows defender rootkit scanner drivers - Antivirus Scanning Tasks - Shell Associations (Context Menu) - Hides Antivirus Protection section from Windows Security App. ## 📃 Instructions > [!NOTE] > A system restore point is recommended before you run the script. (if you don't know what are you doing) 1. Download the packed script from [Releases](https://github.com/ionuttbara/windows-defender-remover/releases) 2. Run the ".exe" as administrator 3. Follow the instructions displayed OR you can use git ``` git clone [https://github.com/ionuttbara/windows-defender-remover.git](https://github.com/ionuttbara/windows-defender-remover.git) cd windows-defender-remover Script_Run.bat ``` OR you can use download entire source code 1. Download the source code from [Releases](https://github.com/jbara2002/windows-defender-remover/releases). 2. Choose the file **Source Code(.zip)** from last version and download it. 3. Unarchive the file into a folder and run the Script_Run.bat. ![cli](https://github.com/drunkwinter/windows-defender-remover/assets/38593134/46007191-0a65-43c2-b451-a993ff90e00e) You can file an [issue](https://github.com/ionuttbara/windows-defender-remover/issues) if you experience any problems. ## 📃 Automation of the script You can remove Defender with arguments. #### Removing ```PowerShell # Removal Defender.Remover.exe /r <# or /R #> ``` ## Disable or Remove Windows Defender *Application Guard Policies* (advanced) If you have any problems when opening an app (*extremely rare*) and get the message "The app can not run because Device Guard" or "Windows Defender Application Guard Blocked this app", you have to remove 4 files with the same name, from different locations. - In EFI Partition ```PowerShell Remove-Item -LiteralPath "$((Get-Partition | ? IsSystem).AccessPaths[0])Microsoft\Boot\WiSiPolicy.p7b" ``` - In Code Integrity Folder ```PowerShell Remove-Item -LiteralPath "$env:windir\System32\CodeIntegrity\WiSiPolicy.p7b" ``` - In Windows Folder ```PowerShell Remove-Item -LiteralPath "$env:windir\Boot\EFI\wisipolicy.p7b" ``` - In WinSxS Folder ```PowerShell Remove-Item -Path "$env:windir\WinSxS" -Include *winsipolicy.p7b* -Recurse ``` ## Creating an ISO with Windows Defender and Services disabled You can create an ISO with Windoows Defender and Security Services Disabled. It's easy, so this is a fiie which it can helps you. Here are the rules: 1. Mount the ISO and extract it into location. 2. Open the **sources** folder and create the **$OEM$** folder. (this is needed to run the DefenderRemover part in OOBE). 3. Open the **$OEM$** folder and create the folder with **$$** name. 4. Open the **$$** folder and create the folder with **Panther** name. 5. Open the **Panther** folder. The path it shown like to **%location of extracted ISO%\sources\$OEM$\$$\Panther\** 6. Download the unnatended.xml file from repo in ISO_Maker folder and put it in Panther folder. 7. Save this as bootable ISO. (for now the script can't do this automaticly, but it will do in next version). ## ❓ Frequently Asked Questions #### ⭕ How to remove Windows Security Center / Windows SecurityApp from PC without downloading Script? Paste this code into a powershell file and after **Run as Administrator**. ``` $remove_appx = @("SecHealthUI"); $provisioned = get-appxprovisionedpackage -online; $appxpackage = get-appxpackage -allusers; $eol = @() $store = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore' $users = @('S-1-5-18'); if (test-path $store) {$users += $((dir $store -ea 0 |where {$_ -like '*S-1-5-21*'}).PSChildName)} foreach ($choice in $remove_appx) { if ('' -eq $choice.Trim()) {continue} foreach ($appx in $($provisioned |where {$_.PackageName -like "*$choice*"})) { $next = !1; foreach ($no in $skip) {if ($appx.PackageName -like "*$no*") {$next = !0}} ; if ($next) {continue} $PackageName = $appx.PackageName; $PackageFamilyName = ($appxpackage |where {$_.Name -eq $appx.DisplayName}).PackageFamilyName ni "$store\Deprovisioned\$PackageFamilyName" -force >''; $PackageFamilyName foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageName" -force >''} ; $eol += $PackageName dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >'' remove-appxprovisionedpackage -packagename $PackageName -online -allusers >'' } foreach ($appx in $($appxpackage |where {$_.PackageFullName -like "*$choice*"})) { $next = !1; foreach ($no in $skip) {if ($appx.PackageFullName -like "*$no*") {$next = !0}} ; if ($next) {continue} $PackageFullName = $appx.PackageFullName; ni "$store\Deprovisioned\$appx.PackageFamilyName" -force >''; $PackageFullName foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageFullName" -force >''} ; $eol += $PackageFullName dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >'' remove-appxpackage -package $PackageFullName -allusers >'' } } ``` #### ⭕ Why is the downloaded executable being flagged as a virus? That is a false positive. Some security apps flag this app as a virus because of the way the ".exe" files are created. Download with **git** or source code .zip will indicate virus-free. Starting with Defender 12.6.x , some versions are considered as virus, some are not (its a bug from me, so do not file for this). #### ⭕ Why is the patch not working when Windows is updated? Windows Update includes a ```Intelligence Update``` which blocks certain actions and modifies Windows Defender/Security policies. If the script is not working for you, check if you have the Windows Security Intelligence Update installed. If you do, disable tamper protection, and re-run the script. #### ⭕ How to use the package remover without downloading the executable from the release? Run the desired ".bat" file from cmd with PowerRun (by dragging to the executable). You must reboot for the changes to take effect. #### ⭕ How to disable VBS if the removal script does not work Disable with this command and reboot. ``` bcdedit /set hypervisorlaunchtype off ``` After that you will not be able to use virtual machines. #### ⭕ Why VBS is keeping enabling on Windows 11? By default the script is disabling VBS to gain performance in your system. The factors which is keeping VBS enabled is Windows Virtualization. Apps and features which is used by Windows Virtualization: - Windows Subsystem for **Android**/**Linux** - HyperV Virtual Machine - <a href="https://apps.microsoft.com/detail/9n0tn65p5bf6?hl=en-US&gl=US" target="_blank">Microsoft Emulator</a> (Windows 10X Emulator which you can find in Microsoft Store) - Android Studio integration in VisuaL Studio or another Emulators (for Windows 10 22H2 with March 2025 Update or newer) If you open those one of that app mentioned earlier, VBS will be enabled without user intervention. Its needed to run Virtual Machine engine. If you don't use any virtual machine, you can file an Issue at <a href="https://github.com/ionuttbara/windows-defender-remover/issues" target="_blank">here</a>. ================================================ FILE: RemoveSecHealthApp.ps1 ================================================ $remove_appx = @("SecHealthUI"); $provisioned = get-appxprovisionedpackage -online; $appxpackage = get-appxpackage -allusers; $eol = @() $store = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore' $users = @('S-1-5-18'); if (test-path $store) {$users += $((dir $store -ea 0 |where {$_ -like '*S-1-5-21*'}).PSChildName)} foreach ($choice in $remove_appx) { if ('' -eq $choice.Trim()) {continue} foreach ($appx in $($provisioned |where {$_.PackageName -like "*$choice*"})) { $next = !1; foreach ($no in $skip) {if ($appx.PackageName -like "*$no*") {$next = !0}} ; if ($next) {continue} $PackageName = $appx.PackageName; $PackageFamilyName = ($appxpackage |where {$_.Name -eq $appx.DisplayName}).PackageFamilyName ni "$store\Deprovisioned\$PackageFamilyName" -force >''; $PackageFamilyName foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageName" -force >''} ; $eol += $PackageName dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >'' remove-appxprovisionedpackage -packagename $PackageName -online -allusers >'' } foreach ($appx in $($appxpackage |where {$_.PackageFullName -like "*$choice*"})) { $next = !1; foreach ($no in $skip) {if ($appx.PackageFullName -like "*$no*") {$next = !0}} ; if ($next) {continue} $PackageFullName = $appx.PackageFullName; ni "$store\Deprovisioned\$appx.PackageFamilyName" -force >''; $PackageFullName foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageFullName" -force >''} ; $eol += $PackageFullName dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >'' remove-appxpackage -package $PackageFullName -allusers >'' } } ================================================ FILE: Remove_Defender/Disable Mitigation.reg ================================================ Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsMitigation] "UserPreference"=dword:00000002 ; In-kernel Mitigations [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel] "MitigationAuditOptions"=hex:00,00,00,00,00,00,20,22,00,00,00,00,00,00,00,20,00,00,00,00,00,00,00,00 "MitigationOptions"=hex:00,22,22,20,22,20,22,22,20,00,00,00,00,20,00,20,00,00,00,00,00,00,00,00 "KernelSEHOPEnabled"=dword:00000000 ; Services Mitigations [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig] "EnableSvchostMitigationPolicy"=hex(b):00,00,00,00,00,00,00,00 ; Remove Defender's Tamper Protection [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features] "MpPlatformKillbitsFromEngine"=hex:00,00,00,00,00,00,00,00 "TamperProtectionSource"=dword:00000000 "MpCapability"=hex:00,00,00,00,00,00,00,00 "TamperProtection"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] "RunAsPPL"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "LsaConfigFlags"=dword:00000000 "RunAsPPL"=dword:00000000 "RunAsPPLBoot"=dword:00000000 "LmCompatibilityLevel"=- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config] "VulnerableDriverBlocklistEnable"=dword:00000000 ================================================ FILE: Remove_Defender/Disable SmartScreen.reg ================================================ Windows Registry Editor Version 5.00 ; Disable SmartScreen for Microsoft Edge [HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter] "EnabledV9"=dword:00000000 "PreventOverride"=dword:00000000 [HKEY_CURRENT_USER\Software\Microsoft\Edge] "SmartScreenEnabled"=dword:00000000 [HKEY_CURRENT_USER\Software\Microsoft\Edge\SmartScreenEnabled] @=dword:00000000 ; Disable SmartScreen in File Explorer and Windows Shell [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer] "SmartScreenEnabled"="off" [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] "EnableSmartScreen"=dword:00000000 "ShellSmartScreenLevel"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Browser\AllowSmartScreen] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\SmartScreen\EnableSmartScreenInShell] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\SmartScreen\EnableAppInstallControl] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\SmartScreen\PreventOverrideForFilesInShell] "value"=dword:00000000 ; Disable SmartScreen for Microsoft Store Apps [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost] "EnableWebContentEvaluation"=dword:00000000 "PreventOverride"=dword:00000000 ; Configure App Install Control [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen] "ConfigureAppInstallControlEnabled"=dword:00000001 "ConfigureAppInstallControl"="Anywhere" ================================================ FILE: Remove_Defender/DisableAntivirusProtection.reg ================================================ Windows Registry Editor Version 5.00 ; disabling Antivirus [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] "DisableRoutinelyTakingAction"=dword:00000001 "ServiceKeepAlive"=dword:00000000 "AllowFastServiceStartup"=dword:00000000 "DisableLocalAdminMerge"=dword:00000001 ; disable overwriting real time protection settings [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection] "LocalSettingOverrideDisableOnAccessProtection"=dword:00000000 "LocalSettingOverrideRealtimeScanDirection"=dword:00000000 "LocalSettingOverrideDisableIOAVProtection"=dword:00000000 "LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000 "LocalSettingOverrideDisableIntrusionPreventionSystem"=dword:00000000 "LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000 "DisableIOAVProtection"=dword:00000001 "DisableRealtimeMonitoring"=dword:00000001 "DisableBehaviorMonitoring"=dword:00000001 "DisableOnAccessProtection"=dword:00000001 "DisableScanOnRealtimeEnable"=dword:00000001 "RealtimeScanDirection"=dword:00000002 "DisableInformationProtectionControl"=dword:00000001 "DisableIntrusionPreventionSystem"=dword:00000001 "DisableRawWriteNotification"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender] "DisableRoutinelyTakingAction"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet] "DisableBlockAtFirstSeen"=dword:00000001 "LocalSettingOverrideSpynetReporting"=dword:00000000 "SpynetReporting"=dword:00000000 "SubmitSamplesConsent"=dword:00000002 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet] "SpyNetReporting"=dword:00000000 "LocalSettingOverrideSpyNetReporting"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MpGears] "HeartbeatTrackingIndex"=dword:00000000 "SpyNetReportingLocation"="0" ================================================ FILE: Remove_Defender/DisableDefenderPolicies.reg ================================================ Windows Registry Editor Version 5.00 ; Enforce Disabling of Windows Defender Antivirus Policy [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] "PUAProtection"=dword:00000000 "DisableRoutinelyTakingAction"=dword:00000001 "ServiceKeepAlive"=dword:00000000 "AllowFastServiceStartup"=dword:00000000 "DisableLocalAdminMerge"=dword:00000001 "DisableAntiSpyware"=dword:00000001 "RandomizeScheduleTaskTimes"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowArchiveScanning] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowCloudProtection] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowEmailScanning] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanOnMappedNetworkDrives] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanRemovableDriveScanning] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIntrusionPreventionSystem] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowOnAccessProtection] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowRealtimeMonitoring] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScanningNetworkFiles] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScriptScanning] "value"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowUserUIAccess] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AvgCPULoadFactor] "value"=dword:00000032 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CheckForSignaturesBeforeRunningScan] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CloudBlockLevel] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CloudExtendedTimeout] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DaysToRetainCleanedMalware] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupFullScan] "value"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupQuickScan] "value"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableControlledFolderAccess] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableLowCPUPriority] "value"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableNetworkProtection] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\PUAProtection] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\RealTimeScanDirection] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScanParameter] "value"=dword:00000002 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanDay] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanTime] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\SignatureUpdateInterval] "value"=dword:00000018 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\SubmitSamplesConsent] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions] "DisableAutoExclusions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine] "MpEnablePus"=dword:00000000 "MpCloudBlockLevel"=dword:00000000 "MpBafsExtendedTimeout"=dword:00000000 "EnableFileHashComputation"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS] "ThrottleDetectionEventsRate"=dword:00000000 "DisableSignatureRetirement"=dword:00000001 "DisableProtocolRecognition"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager] "DisableScanningNetworkFiles"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection] "DisableRealtimeMonitoring"=dword:00000001 "DisableBehaviorMonitoring"=dword:00000001 "DisableOnAccessProtection"=dword:00000001 "DisableScanOnRealtimeEnable"=dword:00000001 "DisableIOAVProtection"=dword:00000001 "LocalSettingOverrideDisableOnAccessProtection"=dword:00000000 "LocalSettingOverrideRealtimeScanDirection"=dword:00000000 "LocalSettingOverrideDisableIOAVProtection"=dword:00000000 "LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000 "LocalSettingOverrideDisableIntrusionPreventionSystem"=dword:00000000 "LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000 "RealtimeScanDirection"=dword:00000002 "IOAVMaxSize"=dword:00000512 "DisableInformationProtectionControl"=dword:00000001 "DisableIntrusionPreventionSystem"=dword:00000001 "DisableRawWriteNotification"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan] "LowCpuPriority"=dword:00000001 "DisableRestorePoint"=dword:00000001 "DisableArchiveScanning"=dword:00000000 "DisableScanningNetworkFiles"=dword:00000000 "DisableCatchupFullScan"=dword:00000000 "DisableCatchupQuickScan"=dword:00000001 "DisableEmailScanning"=dword:00000000 "DisableHeuristics"=dword:00000001 "DisableReparsePointScanning"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates] "SignatureDisableNotification"=dword:00000001 "RealtimeSignatureDelivery"=dword:00000000 "ForceUpdateFromMU"=dword:00000000 "DisableScheduledSignatureUpdateOnBattery"=dword:00000001 "UpdateOnStartUp"=dword:00000000 "SignatureUpdateCatchupInterval"=dword:00000002 "DisableUpdateOnStartupWithoutEngine"=dword:00000001 "ScheduleTime"=dword:00001440 "DisableScanOnUpdate"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet] "DisableBlockAtFirstSeen"=dword:00000001 "LocalSettingOverrideSpynetReporting"=dword:00000000 "SpynetReporting"=dword:00000000 "SubmitSamplesConsent"=dword:00000002 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration] "SuppressRebootNotification"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access] "EnableControlledFolderAccess"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection] "EnableNetworkProtection"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender] "DisableRoutinelyTakingAction"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware] "ServiceKeepAlive"=dword:00000000 "AllowFastServiceStartup"=dword:00000000 "DisableRoutinelyTakingAction"=dword:00000001 "DisableAntiSpyware"=dword:00000001 "DisableAntiVirus"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet] "SpyNetReporting"=dword:00000000 "LocalSettingOverrideSpyNetReporting"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting] "DisableEnhancedNotifications"=dword:00000001 "DisableGenericRePorts"=dword:00000001 "WppTracingLevel"=dword:00000000 "WppTracingComponents"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy] "VerifiedAndReputablePolicyState"=dword:00000000 ================================================ FILE: Remove_Defender/DisableDefenderandSecurityCenterNotifications.reg ================================================ Windows Registry Editor Version 5.00 ; Disable Windows Defender Security Center Notifications [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableEnhancedNotifications] "value"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableNotifications] "value"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\HideWindowsSecurityNotificationAreaControl] "value"=dword:00000001 ; Disable Windows Security Center Notifications [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled"=dword:00000001 "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications] "DisableEnhancedNotifications"=dword:00000001 "DisableNotifications"=dword:00000001 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance] "Enabled"=dword:00000000 ================================================ FILE: Remove_Defender/README.md ================================================ #️ Remove Core Defender (Engine & Services) This directory contains registry files and scripts specifically designed to neutralize the backend of Windows Defender. ## What gets removed? Running the scripts in this section will forcibly remove or disable: * **Antivirus Service:** The main engine preventing file execution. * **Windows Defender Drivers:** Including rootkit scanners and file system filters. * **SmartScreen:** The filter that blocks "unrecognized" apps. * **SpyNet Telemetry:** Prevents sending data to Microsoft. * **Scheduled Tasks:** Disables automatic scanning and maintenance tasks. * **Context Menu:** Removes "Scan with Windows Defender" from the right-click menu. ## Usage These files are typically executed automatically by the main `Script_Run.bat`, but can be used individually for troubleshooting or specific needs. * **Registry Tweaks (.reg):** Double-click to merge into the registry. * **Disabling Mitigation:** Use `Disable Mitigation.reg` to turn off exploit protection features. > **Note:** Removing these files usually keeps the "Windows Security" app visible, but the antivirus protection inside it will be broken/disabled. If you want to remove the App UI as well, see the [Remove_SecurityComp](../Remove_SecurityComp/README.md) module. ================================================ FILE: Remove_Defender/RemovalofWindowsDefenderAntivirus.reg ================================================ Windows Registry Editor Version 5.00 [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] [-HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] [-HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}] [-HKEY_CLASSES_ROOT\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}] [-HKEY_CLASSES_ROOT\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}] [-HKEY_CLASSES_ROOT\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}] [-HKEY_CLASSES_ROOT\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}] [-HKEY_CLASSES_ROOT\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}] [-HKEY_CLASSES_ROOT\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}] [-HKEY_CLASSES_ROOT\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}] [-HKEY_CLASSES_ROOT\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}] [-HKEY_CLASSES_ROOT\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}] [-HKEY_CLASSES_ROOT\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}] [-HKEY_CLASSES_ROOT\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}] [-HKEY_CLASSES_ROOT\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}] ; Defender Loggers [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger] ================================================ FILE: Remove_Defender/RemoveDefenderTasks.reg ================================================ Windows Registry Editor Version 5.00 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0ACC9108-2000-46C0-8407-5FD9F89521E8}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D77BCC8-1D07-42D0-8C89-3A98674DFB6F}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4A9233DB-A7D3-45D6-B476-8C7D8DF73EB5}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B05F34EE-83F2-413D-BC1D-7D5BD6E98300}] ================================================ FILE: Remove_Defender/RemoveServices.reg ================================================ Windows Registry Editor Version 5.00 ; Remove Defender and Windows Security Services [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecCore] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmAgent] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmBroker] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend] [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection] "DisallowExploitProtectionOverride"=dword:00000001 [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecFlt] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecWfp] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\whesvc] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\WebThreatDefSvc] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefsvc] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WebThreatDefense] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlutonHsp2] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlutonHeci] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hsp] ================================================ FILE: Remove_Defender/RemoveShellAssociation.reg ================================================ Windows Registry Editor Version 5.00 [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend] [-HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\windowsdefender] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender] [-HKEY_CLASSES_ROOT\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0] [-HKEY_CURRENT_USER\Software\Classes\ms-cxh] [-HKEY_CLASSES_ROOT\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri] [-HKEY_CLASSES_ROOT\WindowsDefender] [-HKEY_CURRENT_USER\Software\Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsDefender] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Ubpm] "CriticalMaintenance_DefenderCleanup"=- "CriticalMaintenance_DefenderVerification"=- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System] "WindowsDefender-1"=- "WindowsDefender-2"=- "WindowsDefender-3"=- ================================================ FILE: Remove_Defender/RemoveSignatureUpdates.reg ================================================ Windows Registry Editor Version 5.00 ; this file disables Signature Updates in Windows Defender [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates] "SignatureDisableNotification"=dword:00000001 "RealtimeSignatureDelivery"=dword:00000000 "ForceUpdateFromMU"=dword:00000000 "DisableScheduledSignatureUpdateOnBattery"=dword:00000001 "UpdateOnStartUp"=dword:00000000 "SignatureUpdateCatchupInterval"=dword:00000002 "DisableUpdateOnStartupWithoutEngine"=dword:00000001 "ScheduleTime"=dword:00001440 "DisableScanOnUpdate"=dword:00000001 ================================================ FILE: Remove_Defender/RemoveStartupEntries.reg ================================================ Windows Registry Editor Version 5.00 ; Remove Defender's Startup Entries [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"=- "SecurityHealth"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run] "Windows Defender"=- "SecurityHealth"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WindowsDefender"=- "SecurityHealth"=- ================================================ FILE: Remove_Defender/RemoveWindowsWebThreat.reg ================================================ Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Service.UserSessionServiceManager] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatExperienceManager.ThreatExperienceManager] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatResponseEngine.ThreatDecisionEngine] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Configuration.WTDUserSettings] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\AuditMode] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\NotifyUnsafeOrReusedPassword] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\ServiceEnabled] "value"=dword:00000000 [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefsvc] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WebThreatDefense] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] "WebThreatDefense"=- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System] "WebThreatDefSvc_Allow_In"=- "WebThreatDefSvc_Allow_Out"=- "WebThreatDefSvc_Block_In"=- "WebThreatDefSvc_Block_Out"=- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System] "{2A5FE97D-01A4-4A9C-8241-BB3755B65EE0}"=- "72e33e44-dc4c-40c5-a688-a77b6e988c69"=- "b23879b5-1ef3-45b7-8933-554a4303d2f3"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] "WebThreatDefense"=- [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\AuditMode] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\NotifyUnsafeOrReusedPassword] "value"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\WebThreatDefense\ServiceEnabled] "value"=dword:00000000 [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS] [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components] "NotifyPasswordReuse"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components] "NotifyMalicious"=dword:00000000 ================================================ FILE: Remove_Defender/RemoverofDefenderContextMenu.reg ================================================ Windows Registry Editor Version 5.00 [-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}] ; Remove "Scan with Defender" Context Menu [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender] [-HKEY_CLASSES_ROOT\Folder\shell\WindowsDefender] [-HKEY_CLASSES_ROOT\DesktopBackground\Shell\WindowsSecurity] [-HKEY_CLASSES_ROOT\Folder\shell\WindowsDefender\Command] ================================================ FILE: Remove_Defender/WindowsSettingsPageVisibility.reg ================================================ Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] "SettingsPageVisibility"="hide:windowsdefender;" ================================================ FILE: Remove_SecurityComp/README.md ================================================ # ️ Remove Security Components (UI & Center) This module handles the removal of the visual and system integration aspects of Windows Security. ## What gets removed? * **Windows Security App:** The UWP application (SecHealthUI) found in the Start Menu. * **Windows Security Center Service (wscsvc):** The service that monitors security status. * **Settings Page:** Removes the "Windows Security" section from the Windows Settings app. * **System Tray Icon:** The shield icon in the taskbar. ## Manual Removal via PowerShell If you wish to remove the Security App without using the full removal suite, you can run the following PowerShell code, save into ps1, and run with PowerRun. ```powershell $remove_appx = @("SecHealthUI"); $provisioned = get-appxprovisionedpackage -online; $appxpackage = get-appxpackage -allusers; $eol = @() $store = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore' $users = @('S-1-5-18'); if (test-path $store) {$users += $((dir $store -ea 0 |where {$_ -like '*S-1-5-21*'}).PSChildName)} foreach ($choice in $remove_appx) { if ('' -eq $choice.Trim()) {continue} foreach ($appx in $($provisioned |where {$_.PackageName -like "*$choice*"})) { $next = !1; foreach ($no in $skip) {if ($appx.PackageName -like "*$no*") {$next = !0}} ; if ($next) {continue} $PackageName = $appx.PackageName; $PackageFamilyName = ($appxpackage |where {$_.Name -eq $appx.DisplayName}).PackageFamilyName ni "$store\Deprovisioned\$PackageFamilyName" -force >''; $PackageFamilyName foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageName" -force >''} ; $eol += $PackageName dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >'' remove-appxprovisionedpackage -packagename $PackageName -online -allusers >'' } foreach ($appx in $($appxpackage |where {$_.PackageFullName -like "*$choice*"})) { $next = !1; foreach ($no in $skip) {if ($appx.PackageFullName -like "*$no*") {$next = !0}} ; if ($next) {continue} $PackageFullName = $appx.PackageFullName; ni "$store\Deprovisioned\$appx.PackageFamilyName" -force >''; $PackageFullName foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageFullName" -force >''} ; $eol += $PackageFullName dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >'' remove-appxpackage -package $PackageFullName -allusers >'' } } ) ``` Attention! This .ps1 file must be runned with PowerRun. The command argument is ```cmd Powerrun powershell.exe -noprofile -executionpolicy bypass -file "RemoveSecHealthApp.ps1" ``` ================================================ FILE: Remove_SecurityComp/Remove_SecurityComp.reg ================================================ Windows Registry Editor Version 5.00 ; removes data and kills Security Health Service App [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health] [-HKEY_CURRENT_USER\Software\Microsoft\Windows Security Health] [HKEY_CURRENT_USER\Software\Microsoft\Windows Security Health\State] "Disabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\Platform] "Registered"=dword:00000000 ; removal of Security Center from Action Center [-HKEY_CLASSES_ROOT\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] [-HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] [-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] [-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}] ; Remove Windows Security Health Service [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService] ================================================ FILE: Script_Run.bat ================================================ @set defenderremoverver=13.0 @setlocal DisableDelayedExpansion @echo off net session >nul 2>&1 if %errorlevel% neq 0 ( echo Requesting Administrator privileges... powershell -Command "Start-Process '%~f0' -Verb RunAs" exit /b ) pushd "%CD%" CD /D "%~dp0" :: Arguments Section IF "%1"== "y" GOTO :removedef IF "%1"== "Y" GOTO :removedef IF "%1"== "a" GOTO :removeantivirus IF "%1"== "A" GOTO :removeantivirus :-------------------------------------- :-------------------------------------- cls echo ------ Defender Remover Script , version %defenderremoverver% ------ echo Select an option: echo. echo Do you want to remove Windows Defender and alongside components? After this you'll need to reboot. echo A backup and/or System Restore point is recommended. echo [Y] Remove Windows Defender Antivirus + Windows Security App echo [A] Remove Windows Defender Antivirus App (keeps Windows Security App, it will be back if you update) echo [S] Remove Defender Files (if you removed antivirus first) choice /C:yas /N if errorlevel==3 goto removalfiles if errorlevel==2 goto removeantivirus if errorlevel==1 goto removedef :-------------------------------------- :-------------------------------------- :removalfiles PowerRun cmd.exe /k files_removal.bat pause :-------------------------------------- :-------------------------------------- goto :eof :-------------------------------------- :-------------------------------------- :removedef CLS CLS echo Removing Windows Security UWP App... Powerrun powershell.exe -noprofile -executionpolicy bypass -file "RemoveSecHealthApp.ps1" CLS echo Unregister Windows Defender Security Components... FOR /R %%f IN (Remove_defender\*.reg) DO PowerRun.exe regedit.exe /s "%%f" FOR /R %%f IN (Remove_defender\*.reg) DO regedit.exe /s "%%f" FOR /R %%f IN (Remove_SecurityComp\*.reg) DO PowerRun.exe regedit.exe /s "%%f" timeout 3 shutdown /r /f /t 10 exit :-------------------------------------- :-------------------------------------- :removeantivirus CLS echo Removing Windows Security UWP App... FOR /R %%f IN (Remove_defender\*.reg) DO PowerRun.exe regedit.exe /s "%%f" FOR /R %%f IN (Remove_defender\*.reg) DO regedit.exe /s "%%f" CLS timeout 3 shutdown /r /f /t 10 exit :-------------------------------------- ================================================ FILE: files_removal.bat ================================================ @echo off Echo Please wait... takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t rd /s /q "C:\ProgramData\Microsoft\Windows Defender" takeown /f "C:\Program Files\Windows Defender" /r /d y icacls "C:\Program Files\Windows Defender" /grant administrators:F /t rd /s /q "C:\Program Files\Windows Defender" takeown /f "C:\Program Files (x86)\Windows Defender" /r /d y icacls "C:\Program Files (x86)\Windows Defender" /grant administrators:F /t rd /s /q "C:\Program Files (x86)\Windows Defender" takeown /f "C:\Program Files\Windows Defender Advanced Threat Protection" /r /d y icacls "C:\Program Files\Windows Defender Advanced Threat Protection" /grant administrators:F /t rd /s /q "C:\Program Files\Windows Defender Advanced Threat Protection" exit