Skip to content

Instantly share code, notes, and snippets.

@sir-pinecone

sir-pinecone/disable_windows_defender.bat

Last active January 31, 2026 04:05
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save sir-pinecone/bf7c1653c7fc4e678a805fc97b887844 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save sir-pinecone/bf7c1653c7fc4e678a805fc97b887844 to your computer and use it in GitHub Desktop.
Download ZIP
Disables the Windows Defender service in Windows 10
Raw
disable_windows_defender.bat
@echo off
setlocal enableextensions enabledelayedexpansion
rem NOTE: Defender may see this file as malware, so you might need to exclude this before things can be disabled.
rem Modified version of:
rem https://github.com/ggannann/win10_disable_defender
rem https://gist.github.com/xezrunner/a7a42dbc1096a40b0c78f09488fe5a2b (as of Jan 2026 this seems to have been deleted or made private)
rem ============================
rem Self-elevate via UAC if needed
rem - Detect admin by checking membership in Administrators (SID S-1-5-32-544)
rem - Relaunch this script elevated using PowerShell Start-Process -Verb RunAs
rem ============================
rem Test for membership in Administrators group
whoami /groups | find "S-1-5-32-544" >nul
if errorlevel 1 (
echo Requesting administrative privileges...
rem Relaunch the same script elevated, preserving args and working directory
powershell -NoProfile -Command ^
"Start-Process -FilePath '%~f0' -ArgumentList '%*' -Verb RunAs -WorkingDirectory (Get-Location).Path"
exit /b
)
echo Running with administrative privileges.
echo.
reg query HKLM\SYSTEM\Setup /v DisabledDefenderServices | find "0x1"
if %errorlevel% == 0 goto already_patched
echo Please note that Defender can only be disabled in Win10 v2004 and upwards if Tamper Protection is disabled.
echo This setting can be found in Window settings (hint: search for 'tamper'). Please do this now and then,
pause
echo.
echo Disabling Windows Defender
rem from: https://pastebin.com/kYCVzZPz
rem Disable Tamper Protection First - on WIn10 vers which allow for this (not from 2004 onwards)
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
rem To disable System Guard Runtime Monitor Broker
rem reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
rem To disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
echo.
echo Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
echo.
echo Disable Logging
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
echo.
echo Disable WD Tasks
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
echo.
echo Disable WD systray icon
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
echo.
echo Remove WD context menu
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
echo.
echo Disable WD services
reg add HKLM\SYSTEM\CurrentControlSet\Services\wscsvc /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\wdFilter" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
echo.
echo Disable Security system tray icon
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
echo.
echo Finishing up...
reg add HKLM\SYSTEM\Setup /v DisabledDefenderServices /t REG_DWORD /d 1 /f
echo.
echo Windows Defender has (hopefully) been disabled.
echo You might still be able to scan files going forward depending on your version of Windows. Also, the Antimalware Service Executable should immediately stop using CPU cycles.
echo Please restart your computer to see all changes.
goto eof
:already_patched
echo Defender has already been disabled by this script.
:eof
echo.
pause
Raw
enable_windows_defender.bat
@echo off
setlocal enableextensions enabledelayedexpansion
rem NOTE: Defender may see this file as malware, so you might need to exclude this before things can be disabled.
rem Modified version of:
rem https://github.com/ggannann/win10_disable_defender
rem https://gist.github.com/xezrunner/a7a42dbc1096a40b0c78f09488fe5a2b (as of Jan 2026 this seems to have been deleted or made private)
rem
rem Resources:
rem https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=win10-ps
rem https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection
rem https://github.com/AndyFul/ConfigureDefender
rem https://github.com/AndyFul/Hard_Configurator
rem ============================
rem Self-elevate via UAC if needed
rem - Detect admin by checking membership in Administrators (SID S-1-5-32-544)
rem - Relaunch this script elevated using PowerShell Start-Process -Verb RunAs
rem ============================
rem Test for membership in Administrators group
whoami /groups | find "S-1-5-32-544" >nul
if errorlevel 1 (
echo Requesting administrative privileges...
rem Relaunch the same script elevated, preserving args and working directory
powershell -NoProfile -Command ^
"Start-Process -FilePath '%~f0' -ArgumentList '%*' -Verb RunAs -WorkingDirectory (Get-Location).Path"
exit /b
)
echo Running with administrative privileges.
echo.
echo Enabling Windows Defender
reg query HKLM\SYSTEM\Setup /v DisabledDefenderServices | find "0x0"
if %errorlevel% == 0 goto already_patched
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "\"%windir%\system32\SecurityHealthSystray.exe\"" /f
echo.
echo Restore WD shell
reg add "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\EPP" /ve /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKLM\Software\Classes\Drive\shellex\ContextMenuHandlers\EPP" /ve /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\EPP" /ve /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
echo.
echo Enable WD services
reg add "HKLM\System\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\wdFilter" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "2" /f
echo.
echo 1 - Enable Logging
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f
echo.
echo Enable WD Tasks
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Enable
echo.
echo Setting various preferences
rem CloudExtendedTimeout / 1 - 50 / block a suspicious file for up to 60 seconds (Default is 10)
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d "0" /f
rem CloudBlockLevel / 0 - Default / 2 - High / 4 - High+ / 6 - Zero tolerance (block all unknown executables)
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f
rem 1 - Potentially Unwanted Application protection (PUP) is enabled, the applications with unwanted behavior will be blocked at download and install-time
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "1" /f
rem Block at First Sight / 0 - Enable / 1 - Disable
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "0" /f
rem Cloud-based Protection / 0 - Disable / 1 - Basic / 2 - Advanced
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "1" /f
rem Send file samples when further analysis is required / 0 - Always prompt / 1 - Send safe samples automatically / 2 - Never send / 3 - Send all samples automatically
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
echo.
echo Attempting to enable Tamper Protection. If this fails then you need to do it manually.
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f
rem To prevent WD using too much CPU, add this file to the exclusion list:
rem C:\Program Files\Windows Defender\MsMpEng.exe
echo.
echo Attempting to exclude MsMpEng.exe to reduce CPU usage
reg add "HKLM\Software\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files\Windows Defender\MsMpEng.exe" /t REG_DWORD /d "0" /f
echo.
echo Finishing up...
reg add HKLM\SYSTEM\Setup /v DisabledDefenderServices /t REG_DWORD /d 0 /f
echo Windows Defender has (hopefully) been enabled.
echo The Antimalware Service Executable should be active again.
echo Restart your computer to see all changes.
goto eof
:already_patched
echo Defender has already been enabled by this script.
:eof
echo.
pause
Raw
zeh readme.md

Disabling Defender can occasionally be useful, for example when wanting to avoid overhead during benchmarking or for low-latency applications like audio hosts.

Steps:

  1. Defender may see the files as malware, so you might need to exclude them before things can be disabled.
  2. Disable tamper protection in Windows settings (requires
  3. Run the batch file
  4. Restart your PC

If it worked then you should see a warning notication when logging in telling you the service isn't running. You should also see 0% CPU usage for the Antimalware processes, which can consume quite a lot of CPU time when running. On my PC I would have massive spikes when compiling code. Disabling Defender has noticeably sped up compile times.

I've successfully had it disabled for the last few years. Currently running Windows 10 version 22H2. I'm also still able to manually scan files/folders, but supposedly this might stop working for some.

I haven't tried this on Windows 11 and likely never will. If you happen to try it and it works then please leave a comment!

@J-Chris-Findlay-RESIDEO
Copy link

J-Chris-Findlay-RESIDEO commented Jan 29, 2026
edited
Loading

Sometimes AI can be useful... Self-elevate header:

@echo off
setlocal EnableExtensions EnableDelayedExpansion

:: ============================
:: Self-elevate via UAC if needed
:: - Detect admin by checking membership in Administrators (SID S-1-5-32-544)
:: - Relaunch this script elevated using PowerShell Start-Process -Verb RunAs
:: ============================

:: Test for membership in Administrators group (cleaner check)
whoami /groups | find "S-1-5-32-544" >nul
if errorlevel 1 (
    echo Requesting administrative privileges...
    rem Relaunch the same script elevated, preserving args and working directory
    powershell -NoProfile -Command ^
        "Start-Process -FilePath '%~f0' -ArgumentList '%*' -Verb RunAs -WorkingDirectory (Get-Location).Path"
    exit /b
)

:: From here on, we are elevated
echo Running with administrative privileges.

@sir-pinecone
Copy link
Author

sir-pinecone commented Jan 31, 2026

Sometimes AI can be useful... Self-elevate header

Nice! thanks @J-Chris-Findlay-RESIDEO

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment