Disabling Windows Defender in Windows 10


32

I can't find any information on how to disable Windows Defender in Windows 10. There was some information on how to do it in the preview, but the configuration pages have changed in the release version.

Specifically, I want to stop and disable the Windows Defender service.

  • net stop windefend from an elevated command prompt gives "Access is denied"
  • Even when logged in as an administrator, Stop and Startup type are greyed out in services.msc
  • There appears to be no GUI way to disable UAC in Windows 10

Does anyone know how to disable Defender in Windows 10?


3
Easiest way. Just install a paid/free security suite and it will be disabled automatically. Besides that, just go to Update & Security and disable real-time protection. In Windows 8 and later you cannot disable UAC to the same degree as in Windows 7. Of course, I'm not sure what UAC has to do with Windows Defender.
Ramhound 2015

I mentioned UAC because it seems possible that UAC is what's preventing me from disabling Defender. I haven't yet deployed the latest Kaspersky that supports Windows 10, and frankly I'm not confident Kaspersky will install properly with Defender running. Also, I'd like to be able to disable it on principle, in case I need or want to disable it for some other reason.
Todd Wilcox

I was able to disable Windows Defender after opening Update & Security. Personally, I was still able to disable it even after doing so.
Ramhound

Windows Defender is designed to be easy to replace: just install another AV and it should turn itself off automatically.
gronostaj

3
@gronostaj If my question were how to replace Windows Defender with another A/V solution, I would suggest you post your comment as an answer and I would accept it, except that your comment is the same as Ramhound's, so I'd really suggest he did so. But that isn't what I'm trying to do.
Todd Wilcox

Answers:


22

You can do this with Group Policy.

Open gpedit.msc

Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender

Turn off Windows Defender = Enabled

If you then try to open Windows Defender, you will see the following: (screenshot)

Even though it appears to be on in Settings, the service is not running: (screenshot)

更多信息:

http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html

http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350


I can't believe I couldn't find this myself. Thanks!
Todd Wilcox

2
Does this also work on Windows Home? I can't find gpedit.msc
Stijn de Witt

2
No, it doesn't work for Home. Only Pro / Enterprise / Education
sloosecannon

2
Tried this... but the service is still running in Task Manager.
2017

12

I found another way, using the registry.

Using this article, while logged in as administrator I changed the startup type of the Defender services and drivers (!!) in the registry. Here is a short summary:

  1. Browse the registry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  2. Find the services whose name starts with "wd" and whose Description value contains "Windows Defender". A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.
  3. Change the Start value of each service to 0x4 (hex 4, decimal 4).
  4. Reboot.

4
I'm logged in as administrator but still get the error "Error writing Start. Error writing the value's new contents".
2015

1
I get the same error "Error writing Start. Error writing the value's new contents". @Todd Wilcox did it work for you?
Nam G VU 2015

1
Have you tried right-clicking regedit and running it as administrator?
Todd Wilcox

2
Unfortunately, on Win10 Home Single Language, even when I launch regedit as administrator and try the other workarounds, I still get the same error. I'm really starting to despise Windows 10.
gideon '18

If you get Error writing (...), close regedit and reopen it.
Marc.2377

11

Short version

  1. Download
  2. Extract
  3. Double-click DisableDefender.reg

Explanation

As Aaron Hoffman notes, the most effective and cleanest way to permanently disable Windows Defender in Windows 10 so far is through Group Policy. Unfortunately, Windows 10 Home lacks the necessary tool.

Here is a registry file containing the changes that gpedit.msc makes on a Windows 10 Pro machine. It has also been tested on Windows 10 Home. Save the file as DisableDefender.reg with Windows-style line endings, then double-click it to import it into the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001

If you want to re-enable Defender, change 00000001 to 00000000 on both lines.

You can download the files for disabling and re-enabling Defender from the Gist.


1
Sir, you win the internet today.
ivan_bilan '16

I re-enabled WD by changing the regedit values back to 00000000, and the result is that WD real-time protection is turned off "because you are using another AV". I actually don't have any antivirus installed. How do I fix this? Thanks
Santosa Sandy

@SantosaSandy That can happen for many reasons, including malware. You should start a separate question.
Zenexer '16

Thanks Mr PB. In an emergency, with no clues to investigate, I just updated Windows and ran a registry cleaner (e.g. CCleaner). Windows Defender is active again. Thanks
Santosa Sandy
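The Group Policy answer earlier on this page and the DisableDefender.reg answer just above both come down to one policy value under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender. The PowerShell below, added here as an editor's example rather than code from either answer, writes that value and then runs the checks that settle the "the service is still running" question from the comment threads: the Start type of each Defender service and driver named on this page, its current state, and what the engine reports about itself through Get-MpComputerStatus. Function names are the example's own. Two caveats these answers predate: Microsoft has since deprecated DisableAntiSpyware on Windows 10 client (Defender platform 4.18.2007.8 and later ignore it), and on Windows 10 1903 and later Tamper Protection, when on, blocks this kind of change; the IsTamperProtected column is the check for that.

```powershell
# Added example: apply the policy value that the gpedit setting and DisableDefender.reg
# write, then report what actually changed. Elevated Windows PowerShell 5.1 on Windows 10.
# Service/driver names are those listed in the answers on this page.

$PolicyKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$DefenderServices = 'WinDefend', 'WdNisSvc', 'WdBoot', 'WdFilter', 'WdNisDrv'

function Set-DefenderPolicy {
    param([Parameter(Mandatory)][bool]$Disabled)
    # The Policies key is writable by Administrators, unlike
    # HKLM\SOFTWARE\Microsoft\Windows Defender, which Defender protects with its own ACL.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $value = [int]$Disabled                      # 1 = disabled, 0 = back to default
    Set-ItemProperty -Path $PolicyKey -Name 'DisableAntiSpyware'           -Type DWord -Value $value
    Set-ItemProperty -Path $PolicyKey -Name 'DisableRoutinelyTakingAction' -Type DWord -Value $value
}

function Get-DefenderServiceState {
    # Start values under HKLM\SYSTEM\CurrentControlSet\Services (the registry method above).
    $startType = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    foreach ($name in $DefenderServices) {
        $reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        # Kernel drivers (WdBoot, WdFilter, WdNisDrv) are invisible to Get-Service;
        # Win32_SystemDriver reports their running state instead.
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $state = if ($svc) { "$($svc.Status)" } else {
            $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
            if ($drv) { $drv.State } else { '(not installed)' }
        }
        [pscustomobject]@{
            Name  = $name
            Start = if ($reg) { $startType[[int]$reg.Start] } else { '(no registry key)' }
            State = $state
        }
    }
}

function Get-DefenderEngineState {
    # Get-MpComputerStatus ships with the Defender module built into Windows 10. It fails
    # once the WinDefend service is gone, which is itself a useful signal.
    $s = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $s) { return '(Defender provider not reachable: service stopped or removed)' }
    $s | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected
}

Set-DefenderPolicy -Disabled $true
Get-DefenderServiceState | Format-Table -AutoSize
Get-DefenderEngineState | Format-List

# The policy is read when WinDefend starts, so WinDefend stays "Running" until the next
# reboot, exactly as the comments above report. IsTamperProtected = True means the engine
# will ignore or undo this change; nothing below the policy layer helps in that case.
# To put everything back:  Set-DefenderPolicy -Disabled $false
```

Run the three functions again after the reboot: the expected picture on a build that still honours the value is WinDefend "Stopped", the drivers still "Running" (their Start type is untouched by the policy, which is why the registry answer above changes it separately), and AMServiceEnabled False.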

4

To disable Windows Defender completely (not just real-time protection), you can:

  1. Install another security suite (as Ramhound mentions).
  2. If you are willing to use a third-party app, you can use NoDefender: http://msft.gq/pub/apps/NoDefender.zip

More information on NoDefender can be found here: http://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/


I suspect NoDefender may just be an automated way of editing the registry, which I've done by hand.
Todd Wilcox

@ToddWilcox, then your method is better than mine! One less third-party app to worry about.
2015

1
I still see Windows Defender's Antimalware Service Executable running. I have Avg installed.

2
Indeed, @Sharif, I'd like confirmation that the Antimalware Service Executable is disabled too.
2015

2

I wrote a batch file and registry files that should completely disable Windows Defender in Windows 10.

  1. Save the following files to the same folder.
  2. Run Disable Windows Defender.bat as administrator.
  3. When the batch file finishes, reboot.
  4. Run Disable Windows Defender.bat as administrator again.
  5. Windows Defender should now be completely disabled.

Disable Windows Defender.bat

@echo off

call :main %*
goto :eof

:main
    setlocal EnableDelayedExpansion

    rem Check whether the Defender engine (MsMpEng.exe) is running.
    rem tasklist filters take the bare image name; nested quotes break the filter.
    tasklist /fi "imagename eq MsMpEng.exe" | find /i "MsMpEng.exe" > nul 2> nul
    if %errorLevel% equ 0 (
        rem Windows Defender is running: only the steps that work with a live engine.
        echo Windows Defender is running.

        rem Rename the Defender kernel drivers so they cannot load on the next boot.
        echo Disabling Windows Defender drivers...
        for %%d in ("%SystemRoot%\System32\drivers\WdBoot.sys" "%SystemRoot%\System32\drivers\WdFilter.sys" "%SystemRoot%\System32\drivers\WdNisDrv.sys") do (
            if exist "%%~d" (
                echo Disabling Windows Defender driver "%%~d"...
                call :disableFile "%%~d"
            )
        )

        rem Remove the Defender COM/WMI registrations.
        echo Disabling Windows Defender objects...
        call :importRegistry "Disable Windows Defender objects.reg"

        rem A restart is required to unload the drivers and release the objects.
        echo.
        echo Restart required.
    ) else (
        rem Windows Defender is not running: the protected keys can now be changed.
        echo Windows Defender is not running.

        echo Disabling Windows Defender features...
        call :importRegistry "Disable Windows Defender features.reg"
        echo Disabling Windows Defender services...
        call :importRegistry "Disable Windows Defender services.reg"

        rem Rename the program and data directories so nothing can relaunch the engine.
        echo Disabling Windows Defender files...
        if exist "%ProgramFiles%\Windows Defender" ren "%ProgramFiles%\Windows Defender" "Windows Defender.bak"
        if exist "%ProgramFiles(x86)%\Windows Defender" ren "%ProgramFiles(x86)%\Windows Defender" "Windows Defender.bak"
        if exist "%ProgramData%\Microsoft\Windows Defender" ren "%ProgramData%\Microsoft\Windows Defender" "Windows Defender.bak"
    )

    endlocal
    goto :eof

:ownFile
    setlocal
    set "filePath=%~1"
    rem Give ownership to the Administrators group (/a) and grant it full control.
    rem The SID form (*S-1-5-32-544) also works on non-English Windows, where the
    rem group is not named "Administrators".
    takeown /f "%filePath%" /a
    icacls "%filePath%" /grant "*S-1-5-32-544:F"
    endlocal
    goto :eof

:disableFile
    setlocal
    set "filePath=%~1"
    call :ownFile "%filePath%"
    ren "%filePath%" "%~nx1.bak"
    endlocal
    goto :eof

:importRegistry
    setlocal
    set "filePath=%~1"
    rem Take ownership of every key named in the .reg file, then import it silently.
    call "%~dp0OwnRegistryKeys.bat" "%filePath%"
    regedit /s "%filePath%"
    endlocal
    goto :eof

Disable Windows Defender objects.reg

Windows Registry Editor Version 5.00

; Disable "Scan with Windows Defender..." right click context menu.
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

; Disable "DefenderCSP.dll".
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

; Disable InfectionState WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

; Disable Status WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

; Disable Microsoft Windows Defender ("MsMpCom.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]

; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

; Disable MP UX Host ("MpUxSrv.exe").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]

Disable Windows Defender features.reg

Windows Registry Editor Version 5.00

; Disable Windows Defender features.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\UX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\UX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001

Disable Windows Defender services.reg

Windows Registry Editor Version 5.00

; Disable "Windows Defender" services.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004

OwnRegistryKeys.bat

@echo off

rem Run OwnRegistryKeys.ps1 (kept next to this file) once per .reg file passed in.
for %%a in (%*) do (
    powershell -NoProfile -ExecutionPolicy Bypass -File "%~dp0OwnRegistryKeys.ps1" "%%~a"
)

OwnRegistryKeys.ps1

# Takes ownership of every key listed in the given .reg files (and of their subkeys) and
# grants the Administrators group full control, so that "regedit /s" can import them.
# Defender-protected keys deny even Administrators; SeTakeOwnershipPrivilege lets an
# elevated administrator claim them regardless of the current DACL.

$script:baseKey = @{
    "HKEY_CLASSES_ROOT"     = [Microsoft.Win32.Registry]::ClassesRoot
    "HKEY_CURRENT_CONFIG"   = [Microsoft.Win32.Registry]::CurrentConfig
    "HKEY_CURRENT_USER"     = [Microsoft.Win32.Registry]::CurrentUser
    "HKEY_LOCAL_MACHINE"    = [Microsoft.Win32.Registry]::LocalMachine
    "HKEY_PERFORMANCE_DATA" = [Microsoft.Win32.Registry]::PerformanceData
    "HKEY_USERS"            = [Microsoft.Win32.Registry]::Users
}

# Administrators by well-known SID, so the script also works on localized Windows,
# where the group is not called "Administrators".
$script:adminsSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

function enablePrivilege {
    param(
        # Privilege to enable on the current process token, e.g. SeTakeOwnershipPrivilege.
        [parameter(mandatory = $true)]
        [string] $privilege,

        # Switch to disable the privilege instead of enabling it.
        [switch] $disable
    )

    # P/Invoke wrapper around AdjustTokenPrivileges (adapted from pinvoke.net).
    $definition = @'
using System;
using System.Runtime.InteropServices;

public class AdjustPrivilege {
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

    [DllImport("kernel32.dll", ExactSpelling = true)]
    internal static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool CloseHandle(IntPtr h);

    // TOKEN_PRIVILEGES with one LUID_AND_ATTRIBUTES entry; Pack = 1 keeps the LUID at offset 4.
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid {
        public int Count;
        public long Luid;
        public int Attr;
    }

    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
    internal const int ERROR_NOT_ALL_ASSIGNED = 1300;

    // Returns true only if the privilege was really adjusted: AdjustTokenPrivileges
    // reports success even when the token does not hold the privilege at all, and
    // signals that case through ERROR_NOT_ALL_ASSIGNED.
    public static bool EnablePrivilege(string privilege, bool disable) {
        IntPtr htok = IntPtr.Zero;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok)) return false;
        try {
            TokPriv1Luid tp;
            tp.Count = 1;
            tp.Luid = 0;
            tp.Attr = disable ? SE_PRIVILEGE_DISABLED : SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
            if (!AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        } finally {
            CloseHandle(htok);
        }
    }
}
'@

    # Compile once; Add-Type would fail on a second call with the same class name.
    if (-not ("AdjustPrivilege" -as [type])) {
        Add-Type -TypeDefinition $definition
    }
    [AdjustPrivilege]::EnablePrivilege($privilege, [bool]$disable)
}

function getKeyNames {
    param(
        [parameter(mandatory = $true)]
        [string[]] $filePaths
    )

    # Every "[HKEY_...\...]" or "[-HKEY_...\...]" header line names a key to own.
    Get-Content $filePaths |
        Select-String -Pattern '^\[-?(.*)\]\s*$' -AllMatches |
        ForEach-Object { $_.Matches.Groups[1].Value } |
        Select-Object -Unique
}

function splitKeyName {
    param(
        [parameter(mandatory = $true)]
        [string] $keyName
    )

    # "HKEY_LOCAL_MACHINE\Software\..." -> root hive object + subkey path.
    $root, $subKey = $keyName -split '[\\/]', 2
    @{ root = $baseKey[$root]; subKey = $subKey }
}

function ownRegistryKey {
    param(
        [parameter(mandatory = $true)]
        [string] $keyName
    )

    Write-Host "`"$keyName`""

    if (-not (Test-Path -LiteralPath "Registry::$keyName")) {
        Write-Host "    Key does not exist."
        return
    }

    $parts = splitKeyName -keyName $keyName
    if ($null -eq $parts.root -or [string]::IsNullOrEmpty($parts.subKey)) {
        Write-Host "    Unsupported key name."
        return
    }

    # Step 1: open for TakeOwnership only. With SeTakeOwnershipPrivilege enabled this
    # succeeds even when the DACL grants Administrators nothing at all.
    Write-Host "    Setting owner..."
    $key = $parts.root.OpenSubKey($parts.subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $key) { Write-Host "    Unable to open subkey."; return }
    $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    $acl.SetOwner($adminsSid)
    $key.SetAccessControl($acl)
    $key.Close()

    # Step 2: reopen. As owner, Administrators now implicitly hold READ_CONTROL and
    # WRITE_DAC, which rewriting the DACL requires; the TakeOwnership-only handle
    # from step 1 cannot be used for that.
    Write-Host "    Setting permissions..."
    $key = $parts.root.OpenSubKey($parts.subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if ($null -eq $key) { Write-Host "    Unable to reopen subkey for DACL change."; return }
    $acl = $key.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $adminsSid,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()
    Write-Host "    Done."

    # Step 3: recurse into subkeys, which may carry their own restrictive DACLs.
    $key = $parts.root.OpenSubKey($parts.subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
        [System.Security.AccessControl.RegistryRights]::ReadKey)
    if ($null -eq $key) { Write-Host "    Unable to enumerate subkeys."; return }
    $children = $key.GetSubKeyNames() | ForEach-Object { "$keyName\$_" }
    $key.Close()
    if ($children) { ownRegistryKeys -keyNames $children }

    Write-Host
}

function ownRegistryKeys {
    param(
        [parameter(mandatory = $true)]
        [string[]] $keyNames
    )

    foreach ($keyName in $keyNames) {
        # Own the parent key and, recursively, its subkeys.
        ownRegistryKey -keyName $keyName
    }
}

function requestPrivileges {
    # The privilege is present but disabled in an elevated administrator token and absent
    # from a non-elevated one, so a failure here means "not elevated"; retrying cannot help.
    if (-not (enablePrivilege -privilege "SeTakeOwnershipPrivilege")) {
        Write-Host "Unable to enable SeTakeOwnershipPrivilege. Run from an elevated PowerShell."
        exit 1
    }
}

function main {
    param(
        [parameter(mandatory = $true)]
        [string[]] $filePaths
    )

    requestPrivileges

    $keyNames = getKeyNames -filePaths $filePaths
    ownRegistryKeys -keyNames $keyNames
}

main $args

Thanks! BTW: this needs an English version of Windows to work properly
M. Abdelhafid

2

It helps to understand why you cannot stop this particular service.

  • I'm an administrator; the stop failed. Can't an administrator administer?

It's because the WinDefend service has security permissions.

Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"

(screenshot)

Viewing the permissions

If you run, from the command line:

>sc sdshow WinDefend

where

  • sdshow means "show the service's security descriptor".

you get the security descriptor

C:\Users\Ian>sc sdshow WinDefend

D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

It's an ugly blob that Microsoft leaves completely undocumented, but we'll go to the trouble of decoding it. First, split it across lines:

D:
   (A;;CCLCSWRPLOCRRC;;;BU)
   (A;;CCLCSWRPLOCRRC;;;SY)
   (A;;CCLCSWRPLOCRRC;;;BA)
   (A;;CCLCSWRPLOCRRC;;;IU)
   (A;;CCLCSWRPLOCRRC;;;SU)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

D: means this is a Discretionary Access Control List. An access control list is made up of a number of Access Control Entries (ACEs):

  • D: Discretionary Access Control List
    • ACE1: A;;CCLCSWRPLOCRRC;;;BU
    • ACE2: A;;CCLCSWRPLOCRRC;;;SY
    • ACE3: A;;CCLCSWRPLOCRRC;;;BA
    • ACE4: A;;CCLCSWRPLOCRRC;;;IU
    • ACE5: A;;CCLCSWRPLOCRRC;;;SU
    • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
    • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

Each ACE is a set of five semicolon-terminated settings, followed by who it applies to.

First, looking at who they apply to; a random blog post decodes some of them (archive.is):

  • BU: Built-in Users
  • SY: Local System
  • BA: Built-in Administrators
  • IU: Interactively logged-on users
  • SU: Service logon users
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer
  • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

You can get the name associated with a SID by running:

>wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name

Each ACE contains a list of permissions that are allowed or denied to the user.

  • D: Discretionary Access Control List
    • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in Users
    • ACE 2: A;;CCLCSWRPLOCRRC;;; Local System
    • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in Administrators
    • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive Users
    • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon users
    • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted Installer
    • ACE 7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

Breaking down the remaining semicolon-separated parts of an ACE:

  • ACE: A;;CCLCSWRPLOCRRC;;;
    • AceType: A (ACCESS_ALLOWED_ACE_TYPE)
    • AceFlags: (none)
    • AccessMask: CC LC SW RP LO CR RC
      • CC: CREATE_CHILD
      • LC: LIST_CHILDREN
      • SW: SELF_WRITE
      • RP: READ_PROPERTY
      • LO: LIST_OBJECT
      • CR: CONTROL_ACCESS
      • RC: READ_CONTROL
    • ObjectGuid: (none)
    • InheritObjectGuid: (none)

The leading A means Allowed, and the permissions are two-letter codes:

  • D: Discretionary Access Control List
    • ACE 1: Allow CC LC SW RP LO CR RC, Built-in Users
    • ACE 2: Allow CC LC SW RP LO CR RC, Local System
    • ACE 3: Allow CC LC SW RP LO CR RC, Built-in Administrators
    • ACE 4: Allow CC LC SW RP LO CR RC, Interactive Users
    • ACE 5: Allow CC LC SW RP LO CR RC, Service logon users
    • ACE 6: Allow CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted Installer
    • ACE 7: Allow CC LC SW RP LO CR RC DC WP DT SD WD WO, S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

This is where I had to stop and save my work. The detour into how to stop the Windows Defender service was fun and interesting: but I've already stopped it, and my PC is still misbehaving.

Spoiler:

sc sdset WinDefend [newSDLString]

Bonus reading
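The decode above uses the directory-object names for the two-letter rights (CREATE_CHILD, LIST_CHILDREN and so on). For a service object the same letters stand for service-specific rights: CC is SERVICE_QUERY_CONFIG, RP is SERVICE_START, WP is SERVICE_STOP, DC is SERVICE_CHANGE_CONFIG, WD is WRITE_DAC, WO is WRITE_OWNER, per Microsoft's "Service security and access rights" documentation. Read that way, the descriptor shows exactly why `net stop` says "Access is denied": the Administrators (BA) entry grants RP (start) but not WP (stop); only the two S-1-5-80 service accounts hold WP, DC, WD and WO. The second S-1-5-80 SID is WinDefend's own per-service SID (`sc.exe showsid WinDefend` prints it); `wmic useraccount` cannot resolve service SIDs, because they are not user accounts, but `SecurityIdentifier.Translate` can. The PowerShell below is an editor's example added to this page, not part of the answer: it decodes a service SDDL with the service-specific table, resolves the principals, and prints (rather than runs) the `sc sdset` command that would add SERVICE_STOP for Administrators. The function names are the example's own; whether `sc sdset` itself is permitted depends on holding WRITE_DAC on the service, which this DACL grants only to the two service SIDs unless Administrators also own the object (ownership is not shown by sdshow).

```powershell
# Added example: decode a service security descriptor the way the Service Control
# Manager reads it. Windows PowerShell 5.1 on Windows 10; running it changes nothing.

# Service-object meaning of the SDDL right abbreviations (access-mask bit in the comment).
$ServiceRights = [ordered]@{
    CC = 'SERVICE_QUERY_CONFIG'          # 0x00001
    DC = 'SERVICE_CHANGE_CONFIG'         # 0x00002
    LC = 'SERVICE_QUERY_STATUS'          # 0x00004
    SW = 'SERVICE_ENUMERATE_DEPENDENTS'  # 0x00008
    RP = 'SERVICE_START'                 # 0x00010
    WP = 'SERVICE_STOP'                  # 0x00020
    DT = 'SERVICE_PAUSE_CONTINUE'        # 0x00040
    LO = 'SERVICE_INTERROGATE'           # 0x00080
    CR = 'SERVICE_USER_DEFINED_CONTROL'  # 0x00100
    SD = 'DELETE'                        # 0x10000
    RC = 'READ_CONTROL'                  # 0x20000
    WD = 'WRITE_DAC'                     # 0x40000
    WO = 'WRITE_OWNER'                   # 0x80000
}

# SDDL two-letter SID aliases that appear in service descriptors.
$SidAliases = @{
    BA = 'S-1-5-32-544'  # BUILTIN\Administrators
    BU = 'S-1-5-32-545'  # BUILTIN\Users
    SY = 'S-1-5-18'      # NT AUTHORITY\SYSTEM
    IU = 'S-1-5-4'       # NT AUTHORITY\INTERACTIVE
    SU = 'S-1-5-6'       # NT AUTHORITY\SERVICE
    AU = 'S-1-5-11'      # NT AUTHORITY\Authenticated Users
}

function Resolve-SddlSid {
    param([Parameter(Mandatory)][string]$Token)
    $sid = if ($SidAliases.ContainsKey($Token)) { $SidAliases[$Token] } else { $Token }
    # Translate() also resolves per-service SIDs (S-1-5-80-...) to NT SERVICE\<name>.
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $name = '(unresolved)' }
    [pscustomobject]@{ Sid = $sid; Name = $name }
}

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Keep the DACL ("D:...") only; a SACL ("S:...") would follow it if present.
    $dacl = (($Sddl -split 'S:')[0]) -replace '^D:', ''
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        $f = $m.Groups[1].Value -split ';'
        if ($f[2] -match '^0x') {
            $rights = @("MASK $($f[2])")            # numeric mask form, not decoded here
        } else {
            $rights = foreach ($pair in [regex]::Matches($f[2], '..')) {
                if ($ServiceRights.Contains($pair.Value)) { $ServiceRights[$pair.Value] }
                else { "UNKNOWN($($pair.Value))" }
            }
        }
        $type = if ($f[0] -eq 'A') { 'Allow' } elseif ($f[0] -eq 'D') { 'Deny' } else { $f[0] }
        $who  = Resolve-SddlSid -Token $f[5]
        [pscustomobject]@{
            Type      = $type
            Principal = $who.Name
            Sid       = $who.Sid
            CanStop   = $rights -contains 'SERVICE_STOP'
            Rights    = $rights -join ' '
        }
    }
}

# The descriptor quoted in the answer above, embedded so the example runs offline.
$answerSddl = 'D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)' +
    '(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)' +
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)' +
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)'

ConvertFrom-ServiceSddl -Sddl $answerSddl | Format-Table Type, Principal, CanStop, Rights -AutoSize

# Compare with the live descriptor (sc.exe prints a blank line before the SDDL).
$live = sc.exe sdshow WinDefend | Where-Object { $_ -match '^D:' }
if ($live) { ConvertFrom-ServiceSddl -Sddl $live | Format-Table Type, Principal, CanStop -AutoSize }

# What the "spoiler" would have to write: the same DACL with WP added to the BA entry.
# Printed, not executed.
$proposed = $answerSddl -replace '\(A;;CCLCSWRPLOCRRC;;;BA\)', '(A;;CCLCSWRPWPLOCRRC;;;BA)'
"sc.exe sdset WinDefend `"$proposed`""
```

On the descriptor from the answer, the first five rows come out with CanStop False and the two NT SERVICE rows with CanStop True, which is the whole story behind the greyed-out Stop button in services.msc. `ConvertFrom-SddlString` (built into Windows PowerShell 5.1) gives a second opinion on the SID resolution but, like the answer, labels the rights with the generic names, so the table above is still needed to read them for a service.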


1

A simple PowerShell approach, taken from an answer I posted on a question that was later marked as a duplicate.

The easiest way is to disable it using PowerShell; the commands you probably want are

Set-MpPreference -DisableRealtimeMonitoring $true
Get-Service WinDefend | stop-service

For an article on disabling/enabling Windows Defender with PowerShell, see here: http://wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows-10-using-powershell

Here is the TechNet article detailing the available Defender cmdlets: https://technet.microsoft.com/zh-cn/library/dn433280.aspx


I don't think this stops and disables the service itself. It only disables Windows Defender's real-time functionality, which can be done through Settings without a PowerShell cmdlet.
Ramhound

@Ramhound edited to use PowerShell for service management. I'm not 100% sure it will stop the service without the same problem as net stop, but I've had better luck with PowerShell and don't believe get/stop-service is an alias of net stop.
Abraxas

1

I found that the following procedure works well; it doesn't remove or disable Windows Defender, but it disables the Windows Defender SERVICE, stops all startup and real-time scanning, and prevents Windows Defender real-time scanning from turning itself back on. (It leaves Windows Defender in place, so you can use it to scan a suspicious file on demand.)

Procedure:

  1. Find, download and install the "SysInternals" program suite.
  2. Run the program "AutoRuns".
  3. Find "Windows Defender Service".
  4. Uncheck the box.
  5. Reboot your PC.

After that, my boot time went from 20 minutes to 5 minutes, and memory usage after boot (before launching any application) went from 2.1 GB to 1.2 GB. When I look at Services, I find that "Windows Defender Service" is still there, but now marked "Not running, Disabled".


Gives "Access denied", even when run as administrator
pgr

1

Reliably and completely disabling Windows Defender is not trivial. There is a PowerShell script that uninstalls Windows Defender, but you may not be able to reinstall it later. The script requires two reboots.

Just download Debloat-Windows-10 and follow the steps the author provides:

  1. Unzip the archive;
  2. Enable PowerShell script execution:

    PS> Set-ExecutionPolicy Unrestricted

  3. Unblock the PowerShell scripts and modules in this directory:

    PS> ls -Recurse *.ps1 | Unblock-File
    PS> ls -Recurse *.psm1 | Unblock-File

  4. Run scripts\disable-windows-defender.ps1

  5. Restart the computer (the usual way, or via PS> Restart-Computer)
  6. Run scripts\disable-windows-defender.ps1 once more.
  7. Restart the computer again.

This is not the simplest method, but it is very reliable and resilient.

There are also scripts to remove unwanted programs such as BingFinance, Skype, OneDrive and so on, if you don't need them.

The archive contains many other scripts that may be useful.

Note that these scripts delete files irreversibly and can remove important Windows features. For example, they may completely disable the Start menu!

Do not run disable-ShellExperienceHost.bat from this package, or the Start menu will stop opening.


0

I managed to disable it using Autoruns; under the Services tab there is an entry WinDefend, uncheck the box and reboot.


Gives "Access denied", even when run as administrator
pgr

0

The simplest way I found is to open an administrator command prompt and run:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1

Then reboot. I haven't found a way to shut the service down once it has started without a reboot.


0

In my experience, setting the group policy is the most reliable way to stop Windows Defender and its Antimalware Service Executable. But recently I ran into a situation where setting the group policy had no effect and the Antimalware executable kept running and hogging my CPU.

I ended up writing a small script to take ownership of the executable and deny read and execute access to it. That solved the problem. The script is below.

@echo off

echo.
echo Disabling Windows Defender Antimalware Executable
echo Note: must be run with Admin permissions
echo.

rem Take ownership of the Defender platform directory (recursively, answering "yes" to
rem every prompt) so that its ACLs can be changed; the output goes to takeown-result.txt.
takeown /f "%PROGRAMDATA%\Microsoft\Windows Defender\Platform" /A /r /d y > takeown-result.txt

rem Deny read and execute on every MsMpEng.exe under the directory tree (there may be
rem several platform versions). The quotes enclose the whole path, including the wildcard.
icacls "%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*MsMpEng.exe" /deny SYSTEM:(RX) /deny Administrators:(RX) /deny Users:(RX) /T /C

@echo on

This worked for me on Windows 10 Pro [Version 10.0.18362.476] and persisted after a reboot. But my path was c:\Program Files\Windows Defender\MsMpEng.exe
PGR
Licensed under cc by-sa 3.0 with attribution required.