aveyo

ToggleDefender

Feb 12th, 2020 (edited)
  1. @(set "0=%~f0"^)#) & powershell -nop -c "iex([io.file]::ReadAllText($env:0))" & exit /b
  2.  
  3. ## Toggle Defender, AveYo 2023.08.07
  4. ## for users that understand the risk but still need it off to prevent unexpected interference and i/o handicap
  5. ## may copy-paste directly into powershell
  6.  
  7. ## Allowed check
  8. if ((gp "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" "TamperProtection" -ea 0).TamperProtection -eq 0x5) {
  9.   write-host "`n Toggle Defender only works after turning Tamper Protection off in Windows Security settings`n"
  10.   choice /c EX1T
  11.   if ((gp "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" "TamperProtection" -ea 0).TamperProtection -eq 0x5) {return}
  12. }
  13.  
  14. ## Service check
  15. if (get-process "MsMpEng" -ea 0) {$YES=6; $Q="Disable"; $NO=7; $V="ON"; $I=0} else {$YES=7; $Q="Enable"; $NO=6; $V="OFF"; $I=16}
  16.  
  17. ## Comment to hide dialog prompt with Yes, No, Cancel (6,7,2)
  18. if ($env:1 -ne 6 -and $env:1 -ne 7) {
  19.   $choice=(new-object -ComObject Wscript.Shell).Popup($Q + " Windows Defender?", 0, "Defender service is: " + $V, 0x1033 + $I)
  20.   if ($choice -eq 2) {break} elseif ($choice -eq 6) {$env:1=$YES} else {$env:1=$NO}
  21. }
  22.  
  23. ## Without the dialog prompt above would toggle automatically
  24. if ($env:1 -ne 6 -and $env:1 -ne 7) {$env:1=$YES}
  25.  
  26. ## Toggle - can press No to Enable or Disable again so there are more variants:
  27. if ( ($NO -eq 7 -and $env:1 -eq 6) -or ($NO -eq 6 -and $env:1 -eq 6) ) {$op="Disable"}
  28. if ( ($NO -eq 7 -and $env:1 -eq 7) -or ($NO -eq 6 -and $env:1 -eq 7) ) {$op="Enable"}
  29.  
  30. ## RunAsTI mod
  31. function RunAsTI { $id="Defender"; $key="Registry::HKU\S-1-5-21-*\Volatile Environment"; $code=@'
  32.  $I=[int32]; $M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal"); $P=$I.module.gettype("System.Int`Ptr"); $S=[string]
  33.  $D=@(); $DM=[AppDomain]::CurrentDomain."DefineDynami`cAssembly"(1,1)."DefineDynami`cModule"(1); $U=[uintptr]; $Z=[uintptr]::size
  34.  0..5|%!!()|% {$D += $D[$_]."MakeByR`efType"()}; $F=@()
  35.  $F+="kernel","Creat`eProcess",($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), "advapi","RegOp`enKeyEx",($U,$S,$I,$I,$D[9])
  36.  $F+="advapi","RegSetVa`lueEx",($U,$S,$I,$I,[byte[]],$I),"advapi","RegF`lushKey",($U),"advapi","RegC`loseKey",($U)
  37.  0..4|% {$9=$D[0]."DefinePInvok`eMethod"($F[3*$_+1], $F[3*$_]+"32", 8214,1,$S, $F[3*$_+2], 1,4)}
  38.  $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
  39.  1..5|%!!|% {$9=$D[$k]."Defin`eField"("f" + $n++, $_, 6)}}; $T=@(); 0..5|% {$T += $D[$_]."Creat`eType"()}
  40.  0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0]."G`etMethod"($1).invoke(0,$2)}
  41.  function M ($1,$2,$3) {$M."G`etMethod"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M "AllocHG`lobal" $I $_}
  42.  if ([environment]::username -ne "system") { $TI="Trusted`Installer"; start-service $TI -ea 0; $As=get-process -name $TI -ea 0
  43.  M "WriteInt`Ptr" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1
  44.  $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)
  45.  $R=@($null, "powershell -nop -c iex(`$env:R); # $id", 0, 0, 0, 0x0E080610, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))
  46.  F "Creat`eProcess" $R; return}; $env:R=''; rp $key $id -force -ea 0; $e=[diagnostics.process]."GetM`ember"("SetPr`ivilege",42)[0]
  47.  "SeSecurityPr`ivilege","SeTakeOwnershipPr`ivilege","SeBackupPr`ivilege","SeRestorePr`ivilege" |% {$e.Invoke($null,@("$_",2))}
  48.  ################################################################################################################################
  49.  
  50.  ## The ` sprinkles are used to keep ps event log clean, not quote the whole snippet on every run
  51.  $toggle = @(0,1)[$op -eq "Disable"]; write-host "`n $op Defender, please wait...`n"
  52.  $HKLM=[uintptr][uint32]2147483650; $REG_OPTION_NONE=0; $KEY_SET_VALUE=2; $REG_DWORD=4                    
  53.  $K1="Software\Policies\Microsoft\Windows Defender"; $K2="Software\Microsoft\Windows Defender"
  54.  
  55.  ## Toggling was unreliable due to multiple windows programs with open handles on these keys
  56.  ## so I went with low-level functions instead! do not use them in other scripts without a trip to learn-microsoft-com  
  57.  function ToggleDef ([byte[]]$d0,[byte[]]$d1) {
  58.    $rok1=($HKLM, $K1, $REG_OPTION_NONE, $KEY_SET_VALUE, ($HKLM -as $D[9])); F "RegOp`enKeyEx" $rok1; $rsv1=$rok1[4]; #$rsv1
  59.    $rok2=($HKLM, $K2, $REG_OPTION_NONE, $KEY_SET_VALUE, ($HKLM -as $D[9])); F "RegOp`enKeyEx" $rok2; $rsv2=$rok2[4]; #$rsv2
  60.    $rsv1,$rsv2 |% {
  61.      F "RegSetVa`lueEx" @($_[0], "ServiceK`eepAlive", 0, $REG_DWORD, $d0, 4)
  62.      F "RegSetVa`lueEx" @($_[0], "Previou`sRunningMode", 0, $REG_DWORD, $d0, 4)
  63.      F "RegSetVa`lueEx" @($_[0], "IsServic`eRunning", 0, $REG_DWORD, $d0, 4)
  64.      F "RegSetVa`lueEx" @($_[0], "DisableAntiSp`yware", 0, $REG_DWORD, $d1, 4)
  65.      F "RegSetVa`lueEx" @($_[0], "DisableAntiV`irus", 0, $REG_DWORD, $d1, 4)
  66.      F "RegSetVa`lueEx" @($_[0], "Passiv`eMode", 0, $REG_DWORD, $d1, 4)
  67.    }
  68.    F "RegF`lushKey" @($rsv1); F "RegF`lushKey" @($rsv2); sleep 5; F "RegC`loseKey" @($rsv1); F "RegC`loseKey" @($rsv2)
  69.    $rok1=$null; $rok2=$null; $rsv1=$null; $rsv2=$null; [GC]::Collect()
  70.  }
  71.  
  72.  rnp "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" "Disabled" "Disabled_Old" -force -ea 0
  73.  sp "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" "Disabled" 1 -type Dword -force -ea 0
  74.  stop-service "wscsvc" -force -ea 0 >'' 2>''
  75.  kill -name "OFFmeansOFF","MpCmdRun" -force -ea 0
  76.  ToggleDef 0 $toggle
  77.  
  78.  pushd "$env:programfiles\Windows Defender"
  79.  $mpcmdrun=("OFFmeansOFF.exe","MpCmdRun.exe")[(test-path "MpCmdRun.exe")]
  80.  start -wait $mpcmdrun -args "-${op}Service -HighPriority"
  81.  
  82.  $wait=@(3,14)[$op -eq "Disable"]
  83.  while ((get-process -name "MsMpEng" -ea 0) -and $wait -gt 0) {$wait--; sleep 1; write-host "`r $wait " -nonew}
  84.  
  85.  ## OFF means OFF
  86.  pushd (split-path $(gp "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" ImagePath -ea 0).ImagePath.Trim('"'))
  87.  if ($op -eq "Disable") {ren MpCmdRun.exe OFFmeansOFF.exe -force -ea 0} else {ren OFFmeansOFF.exe MpCmdRun.exe -force -ea 0}
  88.  
  89.  ## Comment to not clear per-user toggle notifications
  90.  gi "Registry::HKU\S-1-5-21-*\SOFTWARE\Microsoft\Windows\CurrentVersion" |% {
  91.    $n1=join-path $_.PSPath "Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance"
  92.    ni $n1 -force -ea 0|out-null; ri $n1.replace("Settings","Current") -recurse -force -ea 0
  93.    if ($op -eq "Enable") {rp $n1 "Enabled" -force -ea 0} else {sp $n1 "Enabled" 0 -type Dword -force -ea 0}
  94.    ri "HKLM:\SOFTWARE\Microsoft\Windows Security Health\State\Persist" -recurse -force -ea 0
  95.  }
  96.  
  97.  ## Comment to keep old scan history
  98.  if ($op -eq "Disable") {del "$env:ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db" -force -ea 0}  
  99.  if ($op -eq "Disable") {del "$env:ProgramData\Microsoft\Windows Defender\Scans\History\Service" -recurse -force -ea 0}
  100.  
  101.  ToggleDef 0 $toggle
  102.  if ($op -eq "Enable") {start-service "windefend" -ea 0}
  103.  start-service "wscsvc" -ea 0 >'' 2>''
  104.  if ($op -eq "Enable") {rnp "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" "Disabled_Old" "Disabled" -force -ea 0}
  105.  
  106.  ################################################################################################################################
  107. '@; $V='';"op","id","key"|%{$V+="`n`$$_='$($(gv $_ -val)-replace"'","''")';"}; sp $key $id $($V,$code) -type 7 -force -ea 0
  108.  start powershell -args "-nop -c `n$V  `$env:R=(gi `$key -ea 0 |% {`$_.getvalue(`$id)-join''}); iex(`$env:R)" -verb runas
  109. } # lean & mean snippet by AveYo, 2023.08.07
  110.  
  111. RunAsTI
  112. return
  113.  