Click here to Skip to main content
15,123,923 members
Please Sign up or sign in to vote.
1.00/5 (4 votes)
See more:
Hello guys,
I would like to disable Windows Defender ("WinDefend") service using C # code.
I have tried something like the code below, but this does not work with Windows 10.
This code below works with Windows 7, but not work at Windows 10.
Please for help. Thank you.

What I have tried:

private void disabledefender()
                    RunCmd("/c net stop WinDefend");
                    ProcStartargs("powershell", "-command \"Set-Service -Name WinDefend -StartupType Disabled\"");
                    _OutPut("Windows Defender disabled");       
               Registry.SetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend", "Start", 4);          
Updated 13-Feb-17 5:26am
[no name] 12-Feb-17 13:05pm
Why would you want to do something malicious?
Afzaal Ahmad Zeeshan 12-Feb-17 14:48pm
Is yours off? If so, look for any hacking website and ask them to remotely connect and write the code for you. :-)

1 solution

The very same code will work so long as your executable is run with admin permissions.

Though, like everyone has already said, why would you want to do such a risky thing?

Oh, and setting the service to Disable may also require you to Stop the service first.
Dave Kreskowiak 1-Feb-20 9:42am
"Virus is detected". What does that say about the machine your developing this on?
@cromx 1-Feb-20 20:52pm
What do you mean what does it say? I'm working on a simple app that auto-checks and cleans USB drives if there is a virus detected by it. However, Windows Defender stops the process and causes an exception (as stated above).
Dave Kreskowiak 1-Feb-20 22:45pm
Well, either you have a virus on your dev machine that's building the executable and infecting it, or Defender is seeing what your code is doing and suspecting it's a virus.

Besides, NOBODY is going to want Defender deactivated so your app can do a terrible job of identifying viruses.
@cromx 1-Feb-20 23:18pm
No you do not understand . My dev machine doesn't have the virus, it is the USB drive that has (since I am experimenting/debugging). It is not my app that the Defender sees as virus. When my app auto-scans the inserted USB drive, the Windows Defender DOES NOT ALLOW it because the file it scans is A VIRUS (the code is that it reads the 2 bytes of the file).

So what I did is that I made the code to TEMPORARILY disable REAL-TIME protection for the scanning to continue then RE-ENABLE it again AFTER the scanning. Do you get it? (my bad I didn't make it clearer and English isn't my native lang)
Dave Kreskowiak 2-Feb-20 23:51pm
Yes, I do get it.

No, you can't disable it from your code. Think about it. If it was that easy, any old virus would do it itself.
@cromx 3-Feb-20 8:49am
But I just did :D with the use of Admin privileges and powershell
Dave Kreskowiak 3-Feb-20 10:38am
That's cute. Do that where company policy forbids it and you'll end up out of a job.

Oh, and stopping the service doesn't completely stop Defender.

@cromx 3-Feb-20 12:49pm
I don't know which part you did not understand but ok.
Btw, there's a lot of ways to completely stop Defender :)
Dave Kreskowiak 3-Feb-20 16:50pm
Oh, I understand it all.

1. Run your application
2. Application disables Defender
3. Application scans USB drive for virus (which is what Defender does by the way!)
4. Restart Defender

@cromx 4-Feb-20 7:39am
The application does not disable the whole Defender, only Real-time protection. I mean I've made it specific on the second time but ok. Plus Defender doesn't scan right away the inserted drive, please take note of that :)

Btw you said I'll be out of a job when I do that to a company where the policy forbids turning off/disabling Windows Defender. Does that also mean if I installed another AV (like 360TS) I'll be out of the job?
Dave Kreskowiak 4-Feb-20 8:14am
Defender, nor any virus scanning software, doesn't have to scan a drive when its inserted. Nothing is being executed off the drive unless you launch it or if there is an autorun.inf on it. When the executables are launched is when the scanners do their job.

Scanning anything else is a waste as its just data and you can't execute that stuff.

You will get fired for violating Security policy. In most places, that means tampering with the corporate AV, especially disabling it for any length of time unless you get approval for it.

Replacing the corporate approved AV without approval will also get you boxed.

If this isn't the policy in your company, it should be, and is also what you should assume if you start at a different company.
@cromx 4-Feb-20 8:46am
Ok now I'm intrigued and kind of confused. AV like 360 Total Security (which is the currently installed AV on my machine) automatically scans USB drive as soon as it is inserted. So like what you've said, does that mean this is not a virus scanning software?

Additionally, it actually disables Windows Defender when installing. Does this violate the policy?
Dave Kreskowiak 4-Feb-20 10:37am
That's not what I said.

And it only violates the policy if it's a policy where you work (it should be!) and what you installed is not approved by the company you work for.
@cromx 4-Feb-20 10:42am
"Defender, nor any virus scanning software, doesn't have to scan a drive when its inserted" but then 360TS is an antivirus that automatically scans the inserted drive!
Dave Kreskowiak 4-Feb-20 10:55am
So f***ing what? All I said was it doesn't HAVE to scan on insert.
@cromx 4-Feb-20 11:34am
"Scanning anything else is a waste" I have never said that my app scans anything else, it only scans executables and scripts (for now). Plus it is nice to have an AV that will automatically scan USB for viruses and deletes/quarantines it so that it doesn't have to spread to another computer with no AV or outdated Defender. I don't get your point as to why AV software doesn't have to scan.

FYI this is just a simple app, a fun project created by me, a mere student, since our school's computers are infected with shortcut viruses (and yes every USB drives got infected by it).
Dave Kreskowiak 4-Feb-20 11:52am
You cannot execute data so its a waste of resources to scan it for viruses that can never run.

Most scanning software just scans "on read", when an attempt to open a file, like an .EXE to launch or copy it, is made. It can then be quarantined instead of launched.

Why is that? Because inserting a drive than has, say, 200,000+ files on it takes a long time. It may be "nice to have", but there are plenty of cases where it isn't practical.

What you're doing (disabling Defender) will get you fired in the real world, because, lets face it, you're not helping the infection problem by disabling it and the school is doing even more harm by not keeping Defender up-to-date.

AV software is not pro-active, it's always re-active, even the companies that say theirs it pro-active cannot detect an actual virus it doesn't know about. All that stuff does is detect a "behavior pattern" that assumes a virus.

Yeah, it's "fun project" that every noob attempts, but what they don't realize is that new viruses are found EVERY SINGLE DAY and their software is obsolete the second they hit "compile" on their AV project. No one person or small team can create new virus definitions at the rate new viruses are found.

@cromx 4-Feb-20 12:29pm
Ok, let me explain my situation. In my school, every USB gets infected with this so-called Shortcut virus (idk how and why). I guess you already know what that is right? It hides all files and folders then turns everything to shortcuts and virus executables.

I have this teacher who doesn't want USB drives to be inserted on her laptop because it got infected before (idk how) but is now clean. Of course, when inserted, we can't copy school files because everything is hidden and I had to open cmd and type attrib again and again. Windows Defender doesn't do that anyway so I have to create my own. That's why I made a simple app. To be specific, my app is called USB Shortcut Cleaner and only cleans the USB drive using `attrib` then scan executables and delete if it has the same virus signature. The thing is, the process stops when it reads the virus executables so yeah I would have to just TEMPORARILY disable Defender (not totally) then ENABLE it RIGHT AFTER the process. I do not really care about the new virus definitions whatsoever since its the better AV or Defender's job. Of course, I would not do that in the real world or have any plans doing it, I was just intrigued to ask about the policies.
Dave Kreskowiak 4-Feb-20 12:35pm
Yes, I know about that virus.

The problem isn't going to be solved by you scanning the USB device on isert.

The problem is the virus is already running on the machines the USB drives are being inserted into. You can "clean" the USB keys all you want. They're just going to be infected again after your app is done with them.

The school has a massive problem and apparently doesn't know how to handle it. You're not going to fix it with your little app.

I'm out.
@cromx 4-Feb-20 12:40pm
Actually it helps, those laptops with my app installed don't have the shortcut virus.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900