Permanently disabling Windows Defender/MsMpEng.exe


After some googling I’ve found that either nobody has managed this so far or nobody has bothered to publicise how to do it, so here’s the current (Windows 11 23H2) solution. I tested this on Win11 Pro, but I’d expect it to work on Home as well because we’re not using Group Policy; the idea is to deny the SYSTEM account access to MsMpEng’s location.

Please note that Windows Defender seems to sit in two locations. On a fresh Windows installation it launches from C:\Program Files\Windows Defender, and eventually it migrates to C:\ProgramData\Microsoft\Windows Defender (possibly a subfolder within it, such as C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24020.7-0\; in that case we’re still only interested in the C:\ProgramData\Microsoft\Windows Defender part, not the subfolders themselves), so you’ll have to do the procedure below twice, once for each location.

I’ve tested an update from 22H2 to 23H2: the folder in Program Files needs to be “redone” (the procedure rerun) post-update, but the ProgramData location remains as set. A caveat is that the monthly Windows Update usually tries to patch the ProgramData location, so that update will keep failing because the SYSTEM account is denied write/modify access.

Tools you need:

  • TakeOwnership -> https://vsthemes.org/en/dnew/810.html (then click on Download file. It should be a zip file; unzip it and run Take Ownership Menu Hacks\Add Take Ownership to Context menu.reg, okaying all prompts)
  • ExecTI -> https://winaero.com/downloads/ExecTI.zip (no need to install, just run it when prompted)
  • Total Commander (optional, but it makes things a bit easier) -> https://www.ghisler.com/download.htm
  • You’ll generally need Admin access; plain User-level accounts won’t work. (You don’t need to enable the built-in Admin account as such, but you do need to be able to pass UAC.)

Steps:

  1. As mentioned above, if you haven’t already, run the reg file for TakeOwnership, clicking through anything it asks (no need to repeat once done).
  2. Install TC; you don’t need a key for it, it’s free to try.
  3. Run ExecTI and point it at the TC executable. This is likely to be C:\Program Files\totalcmd\TOTALCMD64.EXE. It will probably produce an error if TC is already running, so make sure it’s closed. It can also produce an error if you run ExecTI from a network drive, so run it from a local drive.
  4. Within TC navigate to C:\ProgramData\Microsoft or C:\Program Files\ (depending on which folder you’re doing), then scroll down to the folder Windows Defender and use the keyboard shortcut Alt+Enter (or right-click and choose Properties).
  5. Then click the Security tab. You’ll see something like the below. Once you’re here, click Advanced towards the bottom.
  6. Within Advanced you’ll see the owner being TrustedInstaller (or SYSTEM, if you’re in ProgramData). The reason we’re running TC under ExecTI is that ETI mimics TrustedInstaller, which sits above the Admins in terms of permissions and is a sort of root-ish level account.
  7. Next to Owner, click Change.
  8. Click Advanced again.
  9. Once you see the below, click Find Now. There’s no need to fill in anything, but after you click that button you’ll likely need to widen the first column of results (“Name”).
  10. Scroll and pick your own username, then click OK and then . [yes, I’ve jumped horses; for those of you more observant, the computer name has changed]
  11. Once you get to the below, make sure that Replace owner on subcontainers and objects is checked. Also click Enable inheritance, and make sure that Replace all child ….. is checked. Once all that’s done, click OK and then Yes through anything you get asked.
  12. Once you’ve OK’d out of the above, the main TC window will return (the Security/Permissions window will close). Press Alt+Enter again to open it up again. This time click Edit.
  13. Once there, click SYSTEM, then Deny, then Full Control. Your settings should generally look like the below.
  14. Once you click OK there should be a warning about setting a denial. Just click Yes. The process will take a while. Click OK again as needed until you’re completely out of Properties.
  15. Restart Windows.
  16. If, once you’ve restarted Windows, Antimalware Service Executable is still running, make sure you’ve applied the above procedure to the location of the running file. That might sound like a stupid request, but I tried the procedure with a fresh copy of 22H2, and since there was nothing in the ProgramData\Microsoft\Windows Defender\Platform folder I blocked the files in Program Files; upon restart it just ran from within Platform and I had to redo the procedure.
  17. ps: not having _any_ antivirus is a bad idea, obviously, so do this at your own risk.
  18. pps: I hate WordPress’s “New” editor and I hope it rots in hell along with all those that enforced the disablement of Classic Editor. F-you.
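From the defending side, the tell-tale of the procedure above is a Deny ACE for SYSTEM (and an owner that is no longer TrustedInstaller/SYSTEM) on the two Defender folders. The following PowerShell audit is an added example, not part of the original post; it assumes the default install paths quoted above and should be run from an elevated prompt.

```powershell
# Added example (not from the original post): look for Deny ACEs against SYSTEM
# on the two Windows Defender locations named in the post, report each folder's
# owner, and note whether MsMpEng.exe is currently running.
$defenderPaths = @(
    'C:\Program Files\Windows Defender',
    'C:\ProgramData\Microsoft\Windows Defender'
)
# Owners a stock install is expected to show (TrustedInstaller or SYSTEM per the post).
$expectedOwners = @('NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM')

function Get-DefenderAclFindings {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Check the folder itself and every subfolder: on a patched system
        # MsMpEng.exe lives under Platform\<version>, and inheritance may have been replaced.
        $dirs = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            $denySystem = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM'
            })
            $ownerOk = $expectedOwners -contains $acl.Owner
            if ($denySystem.Count -gt 0 -or -not $ownerOk) {
                [pscustomobject]@{
                    Path        = $dir.FullName
                    Owner       = $acl.Owner
                    OwnerOk     = $ownerOk
                    DenySystem  = ($denySystem | ForEach-Object { $_.FileSystemRights }) -join ', '
                    Inherited   = ($denySystem | ForEach-Object { $_.IsInherited }) -join ', '
                }
            }
        }
    }
}

$findings = @(Get-DefenderAclFindings -Paths $defenderPaths)
if ($findings.Count -eq 0) {
    Write-Host 'No SYSTEM Deny ACEs or unexpected owners on Defender directories.'
} else {
    Write-Warning 'Defender directory ACL tampering indicators found:'
    $findings | Format-Table -AutoSize
}
if (-not (Get-Process -Name MsMpEng -ErrorAction SilentlyContinue)) {
    Write-Warning 'MsMpEng.exe (Antimalware Service Executable) is not running.'
}
```

A clean machine prints nothing but the first message; any row in the table, or MsMpEng.exe absent, is worth correlating with the Windows Update failures the post describes.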
