Simple way to Turn Off / Disable Windows Defender

   March 9, 2026  Posted in zerosalarium
Share: XFacebookPinterestRedditVKDiggLinkedinMix


 

I. Introduction

I will guide you through two methods on how to stop Defender that I have
tested and successfully worked with the latest versions of Windows 10 and
Windows 11.

The first method is to use the advanced boot options of Windows to disable
Windows Defender permanently. By intervening in the loading process of the antimalware service executable.

The second method, which is extremely simple, is to use the open-source tool
Windows Defender Manager” to turn Windows Defender off.

Of course, you may have your reasons for turning off Windows Defender,
although this is not recommended. If you want to learn how to protect and keep
your computer safe, you can explore my series of articles on
Operations Security (OPSEC) to configure and use your computer more securely.

II. How to stop Defender

Windows Defender, now known as Microsoft Defender Antivirus, is a built-in
antivirus program included in Windows 10, Windows 11, and Windows Server. It
provides real-time protection against malware, viruses, and other security
threats.

1. Disable windows defender permanently

In this section, I will guide you on how to disable Defender through the
advanced boot options of Windows. This method is effective on both Windows 11
and 10. I will demonstrate it on the latest version of Windows 11, with
updates installed up to December 2024.

A. Some basic information you need to know about Windows Defender

When wanting to stop Windows Defender, we need to pay attention to 2 Windows
services.

The Microsoft Defender Antivirus Service is a core security component
of Windows that provides real-time protection against malware, viruses, and
other threats. It continuously monitors your system, performs scheduled scans,
and updates its threat definitions to keep your device safe. The service runs
in the background under the process name “MsMpEng.exe” (Antimalware
Service Executable) and integrates with the Windows Security app for easy
management.

The Microsoft Defender Core Service is a vital component of Microsoft
Defender Antivirus designed to enhance the stability and performance of the
antivirus platform. It integrates with the Experimentation and Configuration
Service (ECS) to receive updates on configurations, feature rollouts, and
experiment payloads, ensuring that the antivirus protection remains up-to-date
and effective. The background process name for the Microsoft Defender Core
Service is “MpDefenderCoreService.exe”.

Both of these services are protected at the kernel level. This means that
regardless of how high the privileges of the user account you are using
(Trusted Installer, SYSTEM, Administrator), you will not be able to affect
them.

Therefore, as long as you can prevent the execution of the Antimalware Service Executable and Core service from running, it means
you have effectively turned off Microsoft Defender.

B. How to disable Defender

We will use the advanced boot options feature to affect the two services
mentioned above. All operations will be performed on Windows 11 version 24H2,
updated until December 2024.

Where is Windows Defender executable?

We will obtain the path information of the Windows Defender executable through
the Services Manager.

To open the Services Manager:

  1. Press the Start button (Windows icon) or press Windows + X to open the WinX
    Menu.
  2. Select “Run” from the menu.
  3. Type “services.msc” in the Run dialog box and press Enter.
  4. In the Services Manager window, locate the two services named “Microsoft Defender Antivirus Service” and “Microsoft Defender Core Service“.
  5. Double-click on the found service, and in the new popup window, you will
    find the path to Windows Defender in the “Path to executable” section.
Microsoft Defender Antivirus executable file path

Disable windows defender permanently

Continuing from above.  For my machine, the paths of the executable files
for the two services are as follows:

"C:ProgramDataMicrosoftWindows
DefenderPlatform4.18.24090.11-0MpDefenderCoreService.exe"

"C:ProgramDataMicrosoftWindows
DefenderPlatform4.18.24090.11-0MsMpEng.exe"

Please note that you should also copy the double quotation marks to avoid any
issues with invalid paths.

To facilitate command line operations, I will create a folder
C:defend” Then, in this folder, I will create a text file named
tmp.txt

Paste these two paths into the content of the “C:defendtmp.txt” file
created earlier.

Sequentially copy the two executable files “MpDefenderCoreService.exe
and “MsMpEng.exe” to the folder “C:defend” and rename them to
MpDefenderCoreService_backup.exe” and “MsMpEng_backup.exe“. The
purpose of this is to keep the original two files as a backup, in case you
change your mind and want to run Windows Defender again as before.

After completing the steps above, open CMD and execute the command:

shutdown /r /o /f /t 0

You should close all running programs, as this command will restart Windows.

After the above command is executed, Windows will restart to the “Advanced boot options” screen. Here, you should select “Troubleshoot“.

windows advance boot options

On the “Troubleshoot” screen, select “Advanced options“. Then
select “Command Prompt” to open the CMD window.

advance boot options troubleshot

advanced options cmd

In the newly opened CMD, execute the following two commands:

c:

cd c:defend

If you executed correctly, you should now be in the directory
C:defend“.

Do you remember the “tmp.txt” file you created earlier? Execute the
following command:

type tmp.txt

recovery cmd window 002

We will need the paths to the executable files of the two services that were
found earlier.

Execute the two commands below to overwrite the original service files.

copy /y c:windowssystem32cmd.exe "C:ProgramDataMicrosoftWindows
DefenderPlatform4.18.24090.11-0MpDefenderCoreService.exe"

copy /y c:windowssystem32cmd.exe "C:ProgramDataMicrosoftWindows
DefenderPlatform4.18.24090.11-0MsMpEng.exe"

copy cmd to overwrite original defender

After the copy is successful, close the CMD window and select “Continue” to
boot Windows normally.

advance boot continue

At this point, when you return to the “Services Manager” you will see
that the two Windows Defender services are no longer running. The processes
MsMpEng.exe” and “MpDefenderCoreService.exe” will also no
longer exist.

disable defender windows 11 success

2. Turn off Windows Defender with open-source tool

This method will be extremely simple and more suitable for everyone. By using
a tool called “Windows Defender Manager“.

You can download this tool via the GitHub link:
Windows Defender Manager

This tool, once installed, will run in the background and check every minute.
Whenever the “Real-time protection” feature is somehow enabled, the
background program will automatically disable it.

In other words, the following features of Defender are always disabled:

  • Real-time protection
  • Cloud-delivered protection
  • Automatic sample submission

Windows Defender Manager” requires the “Tamper Protection
feature to be disabled. Since it needs to interact with Defender’s
configurations, the program will not function if this feature is enabled.

To turn off Tamper Protection in Windows Defender, follow these steps:

Open Windows Security:

  1. Press Windows + I to open the Settings app.
  2. Go to Update & Security > Windows Security.
  3. Go to Virus & Threat Protection:
  4. Click on Virus & threat protection in the Windows Security window.

Manage Settings:

  1. Click on Manage settings under Virus & threat protection settings.
  2. Scroll down to find Tamper Protection and toggle the switch to Off.

After downloading and extracting, you run the program
WinDefendMan.exe“. At this point, Windows SmartScreen may issue a
warning because the program lacks a digital signature and was downloaded from
the Internet. You can select “Run Anyway“.

windows defender manager main screen

The program will display a message indicating what it will do; you can click
OK” to continue.

If no errors occur, the program will display a popup notification indicating
successful installation. Alternatively, it will provide a message explaining
the reason for the installation failure.

You should restart your computer or log out and log back in to activate the
newly installed “Windows Defender Manager”.

Each time you log in, “Windows Defender Manager” will display a status
notification in the notification area at the bottom of the screen.

defender mananger running notify

At this point, you will see that Windows Defender Real-time protection has
been disabled.

III. Conclusion

Microsoft Windows Defender is an antivirus that comes pre-installed on
Windows. It is protected at the kernel level.

The “Real-time protection” feature of Defender will automatically
re-enable itself upon Windows startup.

We can disable Windows Defender permanently by using advanced boot options.

Windows Defender Manager” is a tool that operates as a background
program, ensuring that the “Real-time protection” feature of Defender remains
disabled.

Windows Defender exists to ensure your safety. However, relying solely on
antivirus is not enough; you should explore configuration methods and safe
computer usage through my series on
basic Operations Security. This series will be continuously updated to keep pace with technological
changes.

IV. READING

Some books you should read to sharpen your cybersecurity skills, especially in offensive security:

Books on Programming and Cybersecurity recommended by Zero Salarium Researchers

Essential hardware tools that every security researcher and hacker should have in their toolkit:

Hardware Tools For Security Researcher and Hacker



Source link