ToggleDefender

1. @(set "0=%~f0"^)#) & powershell -nop -c "iex([io.file]::ReadAllText($env:0))" & exit /b
2.  
3. ## Toggle Defender, AveYo 2023.08.07
4. ## for users that understand the risk but still need it off to prevent unexpected interference and i/o handicap
5. ## may copy-paste directly into powershell
6.  
7. ## Allowed check
8. if ((gp "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" "TamperProtection" -ea 0).TamperProtection -eq 0x5) {
9.   write-host "`n Toggle Defender only works after turning Tamper Protection off in Windows Security settings`n"
10.   choice /c EX1T
11.   if ((gp "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" "TamperProtection" -ea 0).TamperProtection -eq 0x5) {return}
12. }
13.  
14. ## Service check
15. if (get-process "MsMpEng" -ea 0) {$YES=6; $Q="Disable"; $NO=7; $V="ON"; $I=0} else {$YES=7; $Q="Enable"; $NO=6; $V="OFF"; $I=16}
16.  
17. ## Comment to hide dialog prompt with Yes, No, Cancel (6,7,2)
18. if ($env:1 -ne 6 -and $env:1 -ne 7) {
19.   $choice=(new-object -ComObject Wscript.Shell).Popup($Q + " Windows Defender?", 0, "Defender service is: " + $V, 0x1033 + $I)
20.   if ($choice -eq 2) {break} elseif ($choice -eq 6) {$env:1=$YES} else {$env:1=$NO}
21. }
22.  
23. ## Without the dialog prompt above would toggle automatically
24. if ($env:1 -ne 6 -and $env:1 -ne 7) {$env:1=$YES}
25.  
26. ## Toggle - can press No to Enable or Disable again so there are more variants:
27. if ( ($NO -eq 7 -and $env:1 -eq 6) -or ($NO -eq 6 -and $env:1 -eq 6) ) {$op="Disable"}
28. if ( ($NO -eq 7 -and $env:1 -eq 7) -or ($NO -eq 6 -and $env:1 -eq 7) ) {$op="Enable"}
29.  
30. ## RunAsTI mod
31. function RunAsTI { $id="Defender"; $key="Registry::HKU\S-1-5-21-*\Volatile Environment"; $code=@'
32.  $I=[int32]; $M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal"); $P=$I.module.gettype("System.Int`Ptr"); $S=[string]
33.  $D=@(); $DM=[AppDomain]::CurrentDomain."DefineDynami`cAssembly"(1,1)."DefineDynami`cModule"(1); $U=[uintptr]; $Z=[uintptr]::size
34.  0..5|%!!()|% {$D += $D[$_]."MakeByR`efType"()}; $F=@()
35.  $F+="kernel","Creat`eProcess",($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), "advapi","RegOp`enKeyEx",($U,$S,$I,$I,$D[9])
36.  $F+="advapi","RegSetVa`lueEx",($U,$S,$I,$I,[byte[]],$I),"advapi","RegF`lushKey",($U),"advapi","RegC`loseKey",($U)
37.  0..4|% {$9=$D[0]."DefinePInvok`eMethod"($F[3*$_+1], $F[3*$_]+"32", 8214,1,$S, $F[3*$_+2], 1,4)}
38.  $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
39.  1..5|%!!|% {$9=$D[$k]."Defin`eField"("f" + $n++, $_, 6)}}; $T=@(); 0..5|% {$T += $D[$_]."Creat`eType"()}
40.  0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0]."G`etMethod"($1).invoke(0,$2)}
41.  function M ($1,$2,$3) {$M."G`etMethod"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M "AllocHG`lobal" $I $_}
42.  if ([environment]::username -ne "system") { $TI="Trusted`Installer"; start-service $TI -ea 0; $As=get-process -name $TI -ea 0
43.  M "WriteInt`Ptr" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1
44.  $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)
45.  $R=@($null, "powershell -nop -c iex(`$env:R); # $id", 0, 0, 0, 0x0E080610, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))
46.  F "Creat`eProcess" $R; return}; $env:R=''; rp $key $id -force -ea 0; $e=[diagnostics.process]."GetM`ember"("SetPr`ivilege",42)[0]
47.  "SeSecurityPr`ivilege","SeTakeOwnershipPr`ivilege","SeBackupPr`ivilege","SeRestorePr`ivilege" |% {$e.Invoke($null,@("$_",2))}
48.  ################################################################################################################################
49.  
50.  ## The ` sprinkles are used to keep ps event log clean, not quote the whole snippet on every run
51.  $toggle = @(0,1)[$op -eq "Disable"]; write-host "`n $op Defender, please wait...`n"
52.  $HKLM=[uintptr][uint32]2147483650; $REG_OPTION_NONE=0; $KEY_SET_VALUE=2; $REG_DWORD=4                    
53.  $K1="Software\Policies\Microsoft\Windows Defender"; $K2="Software\Microsoft\Windows Defender"
54.  
55.  ## Toggling was unreliable due to multiple windows programs with open handles on these keys
56.  ## so I went with low-level functions instead! do not use them in other scripts without a trip to learn-microsoft-com  
57.  function ToggleDef ([byte[]]$d0,[byte[]]$d1) {
58.    $rok1=($HKLM, $K1, $REG_OPTION_NONE, $KEY_SET_VALUE, ($HKLM -as $D[9])); F "RegOp`enKeyEx" $rok1; $rsv1=$rok1[4]; #$rsv1
59.    $rok2=($HKLM, $K2, $REG_OPTION_NONE, $KEY_SET_VALUE, ($HKLM -as $D[9])); F "RegOp`enKeyEx" $rok2; $rsv2=$rok2[4]; #$rsv2
60.    $rsv1,$rsv2 |% {
61.      F "RegSetVa`lueEx" @($_[0], "ServiceK`eepAlive", 0, $REG_DWORD, $d0, 4)
62.      F "RegSetVa`lueEx" @($_[0], "Previou`sRunningMode", 0, $REG_DWORD, $d0, 4)
63.      F "RegSetVa`lueEx" @($_[0], "IsServic`eRunning", 0, $REG_DWORD, $d0, 4)
64.      F "RegSetVa`lueEx" @($_[0], "DisableAntiSp`yware", 0, $REG_DWORD, $d1, 4)
65.      F "RegSetVa`lueEx" @($_[0], "DisableAntiV`irus", 0, $REG_DWORD, $d1, 4)
66.      F "RegSetVa`lueEx" @($_[0], "Passiv`eMode", 0, $REG_DWORD, $d1, 4)
67.    }
68.    F "RegF`lushKey" @($rsv1); F "RegF`lushKey" @($rsv2); sleep 5; F "RegC`loseKey" @($rsv1); F "RegC`loseKey" @($rsv2)
69.    $rok1=$null; $rok2=$null; $rsv1=$null; $rsv2=$null; [GC]::Collect()
70.  }
71.  
72.  rnp "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" "Disabled" "Disabled_Old" -force -ea 0
73.  sp "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" "Disabled" 1 -type Dword -force -ea 0
74.  stop-service "wscsvc" -force -ea 0 >'' 2>''
75.  kill -name "OFFmeansOFF","MpCmdRun" -force -ea 0
76.  ToggleDef 0 $toggle
77.  
78.  pushd "$env:programfiles\Windows Defender"
79.  $mpcmdrun=("OFFmeansOFF.exe","MpCmdRun.exe")[(test-path "MpCmdRun.exe")]
80.  start -wait $mpcmdrun -args "-${op}Service -HighPriority"
81.  
82.  $wait=@(3,14)[$op -eq "Disable"]
83.  while ((get-process -name "MsMpEng" -ea 0) -and $wait -gt 0) {$wait--; sleep 1; write-host "`r $wait " -nonew}
84.  
85.  ## OFF means OFF
86.  pushd (split-path $(gp "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" ImagePath -ea 0).ImagePath.Trim('"'))
87.  if ($op -eq "Disable") {ren MpCmdRun.exe OFFmeansOFF.exe -force -ea 0} else {ren OFFmeansOFF.exe MpCmdRun.exe -force -ea 0}
88.  
89.  ## Comment to not clear per-user toggle notifications
90.  gi "Registry::HKU\S-1-5-21-*\SOFTWARE\Microsoft\Windows\CurrentVersion" |% {
91.    $n1=join-path $_.PSPath "Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance"
92.    ni $n1 -force -ea 0|out-null; ri $n1.replace("Settings","Current") -recurse -force -ea 0
93.    if ($op -eq "Enable") {rp $n1 "Enabled" -force -ea 0} else {sp $n1 "Enabled" 0 -type Dword -force -ea 0}
94.    ri "HKLM:\SOFTWARE\Microsoft\Windows Security Health\State\Persist" -recurse -force -ea 0
95.  }
96.  
97.  ## Comment to keep old scan history
98.  if ($op -eq "Disable") {del "$env:ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db" -force -ea 0}  
99.  if ($op -eq "Disable") {del "$env:ProgramData\Microsoft\Windows Defender\Scans\History\Service" -recurse -force -ea 0}
100.  
101.  ToggleDef 0 $toggle
102.  if ($op -eq "Enable") {start-service "windefend" -ea 0}
103.  start-service "wscsvc" -ea 0 >'' 2>''
104.  if ($op -eq "Enable") {rnp "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" "Disabled_Old" "Disabled" -force -ea 0}
105.  
106.  ################################################################################################################################
107. '@; $V='';"op","id","key"|%{$V+="`n`$$_='$($(gv $_ -val)-replace"'","''")';"}; sp $key $id $($V,$code) -type 7 -force -ea 0
108.  start powershell -args "-nop -c `n$V  `$env:R=(gi `$key -ea 0 |% {`$_.getvalue(`$id)-join''}); iex(`$env:R)" -verb runas
109. } # lean & mean snippet by AveYo, 2023.08.07
110.  
111. RunAsTI
112. return
113.