我找不到有关如何在Windows 10中禁用Windows Defender的任何信息。在预览中有一些有关如何执行此操作的信息，但最终版本的配置页已更改。

具体来说，我想停止并禁用Windows Defender服务。

• net stop windefend在提升的命令提示符下使用，将显示“访问被拒绝”
• 即使在以管理员身份登录时，sevices.msc中的停止和启动类型也会显示为灰色
• 在Windows 10中似乎没有禁用UAC的GUI方法

有谁知道如何在Windows 10中禁用Defender？

您可以使用组策略来执行此操作。

打开 gpedit.msc

导航 Computer Configuration > Administrative Templates > Windows Components > Windows Defender

Turn off Windows Defender =已启用

如果您随后尝试打开W​​indows Defender，则会看到以下内容：

即使在“设置”中它似乎已打开，该服务也没有运行：

更多信息：

http://aaron-hoffman.blogspot.com/2015/08/install-and-setup-windows-10-for.html

和http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350

我发现了使用注册表的另一种方法。

使用本文，我以管理员身份登录时更改了注册表中Defender服务和驱动程序（!!）的启动类型。这是一个简短的总结：

1. 浏览注册表到HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services。
2. 查找以Description值包含“ Windows Defender”的以“ wd”开头的服务。可能不完整的列表是：wdboot，wdfilter，wdnisdrv，wdnissvc，windefend。
3. 将Start每个服务的值更改为0x4（十六进制4，十进制4）。
4. 重启。

简洁版本

1. 下载
2. 提取
3. 连按两下 DisableDefender.reg

说明

如Aaron Hoffman所述，到目前为止，在Windows 10中永久禁用Windows Defender的最有效，最干净的方法是通过组策略。不幸的是，Windows 10 Home缺少必要的工具。

这是一个注册表文件，其中包含Windows 10 Pro计算机上gpedit.msc所做的更改。它也在Windows 10 Home上进行了测试。将文件另存为DisableDefender.regWindows样式的行尾，然后双击将其导入注册表。

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001

如果您想重新启用Defender，00000001请00000000在两行都更改为。

您可以从Gist下载文件以禁用和重新启用防御者。

要完全禁用Windows Defender（而不仅仅是实时保护），您可以：

1. 安装另一个安全套件（如Ramhound所述）。
2. 如果您愿意使用第三方应用程序，则可以使用NoDefender：http ://msft.gq/pub/apps/NoDefender.zip

有关NoDefender的更多信息，可以在这里找到：http ://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/

我编写了应完全禁用Windows 10中的Windows Defender的批处理文件和注册表文件。

1. 将以下文件保存到同一文件夹中。
2. Disable Windows Defender.bat以管理员身份运行。
3. 批处理文件完成后，重新启动。
4. Disable Windows Defender.bat再次以管理员身份运行。
5. Windows Defender现在应该被完全禁用。

Disable Windows Defender.bat

@echo off

call :main %*
goto :eof

:main
    setlocal EnableDelayedExpansion

    rem Check if Windows Defender is running.
    tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
    if %errorLevel% equ 0 (
        rem Windows Defender is running.
        echo Windows Defender is running.

        rem Performable operations while Windows Defender is running.
        rem Disable Windows Defender drivers.
        echo Disabling Windows Defender drivers...
        set "drivers="%SystemRoot%\System32\drivers\WdBoot.sys";"%SystemRoot%\System32\drivers\WdFilter.sys";"%SystemRoot%\System32\drivers\WdNisDrv.sys""
        set "drivers=!drivers:""="!"

        set "wasDriverDisabled=false"
        for %%d in (!drivers!) do (
            if exist "%%~d" (
                echo Disabling Windows Defender driver "%%~d"...
                call :disableFile "%%~d"
                set "wasDriverDisabled=true"
            )
        )

        rem Disable Windows Defender objects.
        echo Disabling Windows Defender objects...
        call :importRegistry "Disable Windows Defender objects.reg"

        rem Require restart to unload Windows Defender drivers and objects.
        echo.
        echo Restart required.
    ) else (
        rem Windows Defender is not running.
        echo Windows Defender is not running.

        rem Performable operations while Windows Defender is not running.
        rem Disable Windows Defender features.
        echo Disabling Windows Defender features...
        call :importRegistry "Disable Windows Defender features.reg"
        rem Disable Windows Defender services.
        echo Disabling Windows Defender services...
        call :importRegistry "Disable Windows Defender services.reg"

        rem Disable Windows Defender files.
        echo Disabling Windows Defender files...
        ren "%ProgramFiles%\Windows Defender" "Windows Defender.bak"
        ren "%ProgramFiles(x86)%\Windows Defender" "Windows Defender.bak"
        ren "%ProgramData%\Microsoft\Windows Defender" "Windows Defender.bak"
    )

    endlocal
    goto :eof

:ownFile
    setlocal
    set "filePath=%~1"
    set "user=%~2"
    takeown /f "%filePath%" /a
    icacls "%filePath%" /grant "%user%:F"
    endlocal
    goto :eof

:disableFile
    setlocal
    set "filePath=%~1"
    call :ownFile "%filePath%" "Administrators"
    ren "%filePath%" "%~nx1.bak"
    endlocal
    goto :eof

:importRegistry
    setlocal
    set "filePath=%~1"
    call OwnRegistryKeys.bat "%filePath%"
    @echo off
    regedit /s "%filePath%"
    endlocal
    goto :eof

Disable Windows Defender objects.reg

Windows Registry Editor Version 5.00

; Disable "Scan with Windows Defender..." right click context menu.
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8}]

; Disable "DefenderCSP.dll".
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}]

; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]

; Disable InfectionState WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}]

; Disable Status WMI Provider ("MpProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}]

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2}]

; Disable Microsoft Windows Defender ("MsMpCom.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}]
[-HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B}]

; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}]

; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}]

; Disable MP UX Host ("MpUxSrv.exe").
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D}]

Disable Windows Defender features.reg

Windows Registry Editor Version 5.00

; Disable Windows Defender features.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\UX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ProductStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection]
"DisableAntiSpywareRealtimeProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\UX Configuration]
"AllowNonAdminFunctionality"=dword:00000000
"DisablePrivacyMode"=dword:00000001

Disable Windows Defender services.reg

Windows Registry Editor Version 5.00

; Disable "Windows Defender" services.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdBoot]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004

OwnRegistryKeys.bat

@echo off

rem Get the location of the PowerShell file.
for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
    rem Run command for each argument.
    for %%a in (%*) do (
        powershell -executionPolicy bypass -file "%%~f" "%%~a"
    )
)

OwnRegistryKeys.ps1

$script:baseKey = @{
    "HKEY_CLASSES_ROOT" = @{
        "name" = "HKEY_CLASSES_ROOT";
        "shortName" = "HKCR";
        "key" = [Microsoft.Win32.Registry]::ClassesRoot
    };
    "HKEY_CURRENT_CONFIG" = @{
        "name" = "HKEY_CURRENT_CONFIG";
        "shortName" = "HKCC";
        "key" = [Microsoft.Win32.Registry]::CurrentConfig
    };
    "HKEY_CURRENT_USER" = @{
        "name" = "HKEY_CURRENT_USER";
        "shortName" = "HKCU";
        "key" = [Microsoft.Win32.Registry]::CurrentUser
    };
    "HKEY_DYN_DATA" = @{
        "name" = "HKEY_DYN_DATA";
        "shortName" = "HKDD";
        "key" = [Microsoft.Win32.Registry]::DynData
    };
    "HKEY_LOCAL_MACHINE" = @{
        "name" = "HKEY_LOCAL_MACHINE";
        "shortName" = "HKLM";
        "key" = [Microsoft.Win32.Registry]::LocalMachine
    };
    "HKEY_PERFORMANCE_DATA" = @{
        "name" = "HKEY_PERFORMANCE_DATA";
        "shortName" = "HKPD";
        "key" = [Microsoft.Win32.Registry]::PerformanceData
    };
    "HKEY_USERS" = @{
        "name" = "HKEY_USERS";
        "shortName" = "HKU";
        "key" = [Microsoft.Win32.Registry]::Users
    }
}

function enablePrivilege {
    param(
        # The privilege to adjust. This set is taken from:
        # http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
        [validateSet(
            "SeAssignPrimaryTokenPrivilege",
            "SeAuditPrivilege",
            "SeBackupPrivilege",
            "SeChangeNotifyPrivilege",
            "SeCreateGlobalPrivilege",
            "SeCreatePagefilePrivilege",
            "SeCreatePermanentPrivilege",
            "SeCreateSymbolicLinkPrivilege",
            "SeCreateTokenPrivilege",
            "SeDebugPrivilege",
            "SeEnableDelegationPrivilege",
            "SeImpersonatePrivilege",
            "SeIncreaseBasePriorityPrivilege",
            "SeIncreaseQuotaPrivilege",
            "SeIncreaseWorkingSetPrivilege",
            "SeLoadDriverPrivilege",
            "SeLockMemoryPrivilege",
            "SeMachineAccountPrivilege",
            "SeManageVolumePrivilege",
            "SeProfileSingleProcessPrivilege",
            "SeRelabelPrivilege",
            "SeRemoteShutdownPrivilege",
            "SeRestorePrivilege",
            "SeSecurityPrivilege",
            "SeShutdownPrivilege",
            "SeSyncAgentPrivilege",
            "SeSystemEnvironmentPrivilege",
            "SeSystemProfilePrivilege",
            "SeSystemtimePrivilege",
            "SeTakeOwnershipPrivilege",
            "SeTcbPrivilege",
            "SeTimeZonePrivilege",
            "SeTrustedCredManAccessPrivilege",
            "SeUndockPrivilege",
            "SeUnsolicitedInputPrivilege"
        )]
        $privilege,

        # The process on which to adjust the privilege. Defaults to the current process.
        $processId = $pid,

        # Switch to disable the privilege, rather than enable it.
        [switch] $disable
    )

    # Taken from P/Invoke.NET with minor adjustments.
    $definition = @'
using System;
using System.Runtime.InteropServices;

public class AdjustPrivilege {
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid {
        public int Count;
        public long Luid;
        public int Attr;
    }

    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

    public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
        bool result;
        TokPriv1Luid tp;
        IntPtr hproc = new IntPtr(processHandle);
        IntPtr htok = IntPtr.Zero;
        result = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
        tp.Count = 1;
        tp.Luid = 0;
        if (disable) {
            tp.Attr = SE_PRIVILEGE_DISABLED;
        } else {
            tp.Attr = SE_PRIVILEGE_ENABLED;
        }
        result = LookupPrivilegeValue(null, privilege, ref tp.Luid);
        result = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return result;
    }
}
'@

    $processHandle = (get-process -id $processId).handle
    $type = add-type $definition -passThru
    $type[0]::EnablePrivilege($processHandle, $privilege, $disable)
}

function getKeyNames {
    param(
        [parameter(mandatory = $true)]
        [string[]] $filePaths = $null
    )

    return (get-content $filePaths | select-string -pattern "\[\-?(.*)\]" -allMatches | forEach-object {$_.matches.groups[1].value} | get-unique)
}

function splitKeyName {
    param(
        [parameter(mandatory = $true)]
        [string] $keyName = $null
    )

    $names = $keyName.split("\\/", 2)

    $rootKeyName = $names[0]
    $subKeyName = $names[1]

    $keyPart = @{
        root = $baseKey[$rootKeyName];
        subKey = @{
            name = $subKeyName
        }
    }

    return $keyPart
}

function ownRegistryKey {
    param(
        [parameter(mandatory = $true)]
        [string] $keyName = $null
    )

    write-host """$keyName"""

    # Check if the key exists.
    if ($(try { test-path -path "Registry::$keyName".trim() } catch { $false })) {
        write-host "    Opening..."

        $keyPart = splitKeyName -keyName $keyName
        $ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
        if ($ownableKey -ne $null) {
            # Set the owner.
            write-host "    Setting owner..."
            $acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
            $owner = [System.Security.Principal.NTAccount] "Administrators"
            $acl.setOwner($owner)
            $ownableKey.setAccessControl($acl)

            # Set the permissions.
            write-host "    Setting permissions..."
            $acl = $ownableKey.getAccessControl()
            $person = [System.Security.Principal.NTAccount] "Administrators"
            $access = [System.Security.AccessControl.RegistryRights] "FullControl"
            $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
            $propagation = [System.Security.AccessControl.PropagationFlags] "None"
            $type = [System.Security.AccessControl.AccessControlType] "Allow"

            $rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)
            $acl.setAccessRule($rule)
            $ownableKey.setAccessControl($acl)

            $ownableKey.close()

            write-host "    Done."

            # Own children subkeys.
            $readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
            if ($readableKey -ne $null) {
                $subKeyNames = ($readableKey.getSubKeyNames() | forEach-object { "$keyName\$_" })
                $readableKey.close()
                if ($subKeyNames -ne $null) {
                    ownRegistryKeys -keyNames $subKeyNames
                }
            } else {
                write-host "    Unable to open children subkeys."
            }
        } else {
            write-host "    Unable to open subkey."
        }
    } else {
        write-host "    Key does not exist."
    }

    write-host
}

function ownRegistryKeys {
    param(
        [parameter(mandatory = $true)]
        [string[]] $keyNames = $null
    )

    $keyName = $null
    foreach ($keyName in $keyNames) {
        # Own parent key and children subkeys.
        ownRegistryKey -keyName $keyName
    }
}

function requestPrivileges {
    $numberOfRetries = 10

    $privilegeResult = $false
    for ($r = 0; !$privilegeResult -band $r -lt $numberOfRetries; $r += 1) {
        $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"
    }

    if (!$privilegeResult) {
        write-host "Unable to receive privilege."
        exit 1
    }
}

function main {
    param(
        [parameter(mandatory = $true)]
        [string[]] $filePaths = $null
    )

    requestPrivileges

    $keyNames = getKeyNames -filePaths $filePaths
    ownRegistryKeys -keyNames $keyNames
}

main $args

了解为什么您无法停止特定服务会很有帮助。

• 我是管理员；比失败还糟，管理员无法管理？

这是因为WinDefend服务具有安全权限。

注意：WinDefend是“ Windows Defender防病毒服务”的实际名称

查看权限

如果从命令行运行：

>sc sdshow WinDefend

哪里

• sdshow表示“显示服务的安全描述符”。

您将获得安全描述符：

C:\Users\Ian>sc sdshow WinDefend

D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

这是一个丑陋的斑点，Microsoft完全没有记录，但是我们在解码它时会遇到麻烦。首先通过换行：

D:
   (A;;CCLCSWRPLOCRRC;;;BU)
   (A;;CCLCSWRPLOCRRC;;;SY)
   (A;;CCLCSWRPLOCRRC;;;BA)
   (A;;CCLCSWRPLOCRRC;;;IU)
   (A;;CCLCSWRPLOCRRC;;;SU)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
   (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

这D:意味着这是一个随意访问控制列表。访问控制列表由许多访问控制项（ACE）组成：

• D: 随意访问控制列表
  • ACE1： A;;CCLCSWRPLOCRRC;;;BU
  • ACE2： A;;CCLCSWRPLOCRRC;;;SY
  • ACE3： A;;CCLCSWRPLOCRRC;;;BA
  • ACE4： A;;CCLCSWRPLOCRRC;;;IU
  • ACE5： A;;CCLCSWRPLOCRRC;;;SU
  • ACE6： A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • ACE7： A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

每个ACE是一组5分号结束设置，其次是谁它适用于。

首先看一下他们的申请对象，一篇随机博客文章对其中的一些进行了解码 （archive.is）：

• BU：内置用户
• SY：本地系统
• BA：内置管理员
• UI：交互式登录的用户
• SU：服务登录用户
• S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464：受信任的安装程序
• S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736：

您可以通过运行以下命令获取与SID关联的名称：

>wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name

每个ACE都包含允许或拒绝用户的权限列表。

• D: 随意访问控制列表
  • ACE 1： A;;CCLCSWRPLOCRRC;;; 内置用户
  • ACE 2： A;;CCLCSWRPLOCRRC;;;本地系统
  • ACE 3： A;;CCLCSWRPLOCRRC;;; 内置管理员
  • ACE 4： A;;CCLCSWRPLOCRRC;;; 交互式用户
  • ACE 5： A;;CCLCSWRPLOCRRC;;; 服务登录用户
  • ACE 6： A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; 受信任的安装程序
  • ACE 7： A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

在ACE中分解其余用分号分隔的部分：

• 高手： A;;CCLCSWRPLOCRRC;;;
  • AceType：AACCESS_ALLOWED_ACE_TYPE
  • AceFlags ：（无）
  • AccessMask： CC LC SW RP LO CR RC
    • CC：CREATE_CHILD
    • LC：LIST_CHILDREN
    • SW：SELF_WRITE
    • RP：READ_PROPERTY
    • LO：LIST_OBJECT
    • CR：CONTROL_ACCESS
    • RC：READ_CONTROL
  • ObjectGuid ：（ 无）
  • InheritObjectGuid ：（ 无）

前导A表示Allowed，权限是两个字母的代码：

• D: 随意访问控制列表
  • ACE 1：允许CC LC SW RP LO CR RC，内置用户
  • ACE 2：允许CC LC SW RP LO CR RC，本地系统
  • ACE 3：允许CC LC SW RP LO CR RC，内置管理员
  • ACE 4：“允许” CC LC SW RP LO CR RC，“交互式”用户
  • ACE 5：允许CC LC SW RP LO CR RC、、服务登录用户
  • ACE 6：允许CC LC SW RP LO CR RC DC WP DT SD WD WO、、受信任的安装程序
  • ACE 7：允许CC LC SW RP LO CR RC DC WP DT SD WD WO、、 S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

这是我必须停止保存我的工作的地方。绕开如何停止Windows Defender服务的过程很有趣，而且很有趣：但是我已经停止了它，而我的PC仍然表现异常。

扰流板：

sc sdset WinDefend [newSDLString]

奖励阅读

• 如何通过使用SDDL在Windows中指定对服务的权限？*（archive.is）
• 如何将SID转换为用户名和副版本 （archive.is）
• 爱的安全描述符定义语言（第2部分） （archive.is）
• 2.5.1.1语法 （archive.is）

一种简单的powershell方法是从我在一个问题上发布的答案中获得的，此问题后来被标记为重复。

最简单的方法是使用powershell禁用它，您可能想要的命令是

Set-MpPreference -DisableRealtimeMonitoring $true
Get-Service WinDefend | stop-service 

有关使用Powershell禁用/启用Windows Defender的文章，请在此处查看：http : //wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows -10-使用Powershell

以下是technet文章，详细介绍了可用的防御者cmdlet：https : //technet.microsoft.com/zh-cn/library/dn433280.aspx

我发现以下过程很有效；它不会删除或禁用Windows Defender，但会禁用Windows Defender SERVICE，停止所有启动和实时扫描，并阻止Windows Defender实时扫描重新打开。（它将Windows Defender保留在原位，因此您可以使用它来按需扫描可疑文件。）

程序：

1. 查找，下载并安装“ SysInternals”程序套件。
2. 运行程序“ AutoRuns”。
3. 找到“ Windows Defender服务”。
4. 取消选中该框。
5. 重启你的电脑。

之后，我的启动时间从20分钟减少到5分钟，并且启动后（启动任何应用程序之前）的内存使用从2.1 GB减少到1.2 GB。当我查看“服务”时，我发现“ Windows Defender服务”仍然存在，但现在标记为“未运行，已禁用”。

要可靠地完全禁用Windows Defender并非易事。有一个PowerShell脚本可以卸载Windows Defender，但是您稍后可能无法重新安装它。该脚本需要重新启动两次。

只需下载Debloat-Windows-10，然后按照作者提供的步骤进行操作：

1. 解压缩档案；

2. 启用PowerShell脚本执行：

   PS> Set-ExecutionPolicy不受限制

3. 取消阻止此目录中的PowerShell脚本和模块：

   PS> ls -Recurse * .ps1 | 解锁文件PS> ls -Recurse * .psm1 | 取消阻止文件

4. 跑 scripts\disable-windows-defender.ps1

5. 重新启动计算机（以通常的方式或通过PS > Restart-Computer）
6. 再运行scripts\disable-windows-defender.ps1一次。
7. 再次重新启动计算机。

这不是最简单的方法，而是非常可靠和有弹性的。

还有一些脚本可以删除不需要的程序，例如BingFinance，Skype，OneDrive等-如果您不需要它们的话。

存档中还包含许多可能有用的脚本。

请注意，这些脚本不可撤消删除文件，并且可以删除Windows的重要功能。例如，他们可能会完全禁用“开始”菜单！

不要disable-ShellExperienceHost.bat从此程序包运行，否则“开始”菜单将停止打开。

我设法使用自动运行将其禁用；在服务选项卡下，有一个条目WinDefend，取消选中该框并重新启动。

我找到的最简单的方法是打开管理员命令提示符并运行：

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1

然后重启。一旦启动服务而没有重新启动，我一直无法找到关闭服务的方法。

以我的经验，设置组策略是停止Windows Defender及其可执行的反恶意软件服务的最可靠方法。但是，最近我遇到了一种情况，即设置组策略无效，并且Antimalware可执行文件一直在运行并占用我的CPU。

我最终编写了一个小脚本来获取可执行文件的所有权，并拒绝对其执行读取和执行访问权限。这样就解决了问题。该脚本如下。

@echo off

echo.
echo Disabling Windows Defender Antimalware Executable
echo Note: must be run with Admin permissions
echo.

rem taking ownership of Windows Defender files so that we can change their permissions
takeown /f "%PROGRAMDATA%\Microsoft\Windows Defender\Platform" /A /r /d y > takeown-result.txt

rem denying read and execute for all MsMpEng.exe files found in the directory structure (there may be multiple versions)
icacls %PROGRAMDATA%"\Microsoft\Windows Defender\Platform\*MsMpEng.exe" /deny SYSTEM:(RX) /T /C  /deny Administrators:(RX) /T /C   /deny Users:(RX) /T /C

@echo on