README.md

@@ -2,6 +2,7 @@
 Open source windows defender disabler.   
 Now you can disable windows defender permanently!   
 Tested from Windows 10 20H2.  
+Also working on Windows 11 (earlier versions)
 
 ## What is this project?  
 We all know that disabling windefender is very difficult since microsoft is constantly enforcing changes.  
@@ -9,13 +10,6 @@ The first solution is to install an anti-virus - but thats not the point if we a
 The next easiest solution is to use freeware thats already available on the internet - but none of them are native & open source...  
 I like open source, so I made a safe to use open source defender control.  
 
-## On windows updates / Windows 11
-Sometimes windows decides to update and turn itself back on.  
-A common issue is that defender control sometimes doesn't want to disable tamper protection again.  
-Please try turning off tamper protection manually then running disable-defender.exe again before posting an issue.  
-
-![Tamper](https://github.com/qtkite/defender-control/blob/main/resources/tamper.png?raw=true)
-
 ## What does it do?
 1. It gains TrustedInstaller permissions
 2. It will disable windefender services + smartscreen
@@ -39,6 +33,11 @@ Compile.
 You can find the first release over at the releases on the right.  
 Or alternatively click [here](https://github.com/qtkite/defender-control/releases/tag/v1.2).
 
-## Windows 11
+## Writeup
-Works for earlier versions of Windows 11. Correct registries have not been added yet for the latest version.
+If you are interested in how I developed this program check out the writeup [here](https://github.com/qtkite/defender-control/blob/main/Writeup.md).
-Update, Trusted Installer no longer has effect on the current live versions of Windows 11. Use with caution.
+
+## TO-DO
+- [ ] Confirm win 11 support
+- [ ] Disable security center
+- [ ] Better cli support 
+- [ ] Build an interface

src/defender-control/dcontrol.cpp

@@ -34,7 +34,7 @@ namespace dcontrol
     // https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess
     // The state of global data maintained by dynamic-link libraries 
     // (DLLs) may be compromised if TerminateProcess is used rather than ExitProcess.
-    // e.g. Injecting code to execute ExitProcess and manually unloaded everything 
+    // e.g. Injecting code to execute ExitProcess
 
     TerminateProcess(proc, 0);
 
@@ -132,36 +132,7 @@ namespace dcontrol
   //
   bool manage_security_center(bool enable)
   {
-    // handle registry calls
+    return manage_security_service(enable, "wscsvc");
-    // https://superuser.com/questions/1199112/how-to-tell-the-state-of-a-service-from-the-registry
-    // https://stackoverflow.com/questions/291519/how-does-currentcontrolset-differ-from-controlset001-and-controlset002
-    // https://web.archive.org/web/20110514163940/http://support.microsoft.com/kb/103000
-    //
-
-    // auto ret = manage_security_service(enable, "wscsvc");
-
-    HKEY hkey;
-    if (reg::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\wscsvc", hkey))
-    {
-      if (enable)
-      {
-        if (!reg::set_keyval(hkey, L"Start", 2)) // Automatic
-        {
-          printf("failed to write to wscsvc\n");
-          return false;
-        }
-      }
-      else
-      {
-        if (!reg::set_keyval(hkey, L"Start", 4)) // Disabled
-        {
-          printf("failed to write to wscsvc\n");
-          return false;
-        }
-      }
-    }
-
-    return true;
   }
 
   // Stop or run the windefend service
@@ -304,7 +275,9 @@ namespace dcontrol
     // Protected by anti-tamper
     // Start (3 off) (2 on)
     if (reg::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\WinDefend", hkey))
+    {
       reg::set_keyval(hkey, L"Start", 2);
+    }
     else
       printf("Failed to access CurrentControlSet\n");
 

src/defender-control/main.cpp

@@ -1,43 +1,25 @@
 // to-do:
 // make a ui for this
-// argument support -s check
 //
 #include "dcontrol.hpp"
 #include "wmic.hpp"
 #include "trusted.hpp"
 
-bool check_silent(int argc, char** argv)
-{
-  for (int i = 0; i < argc; i++)
-  {
-    if (!strcmp(argv[i], "-s"))
-      return true;
-  }
-  return false;
-}
-
 int main(int argc, char** argv)
 {
-  auto silent = check_silent(argc, argv);
-
   if (!trusted::has_admin())
   {
     printf("Must run as admin!\n");
-
-    if (!silent)
     system("pause");
-
     return EXIT_FAILURE;
   }
 
   // Because we are a primary token, we can't swap ourselves with an impersonation token.
   // There will always be a need to re-create the process with the token as primary.
-  // we check for argc == 1, assuming we aren't launching with any parameters
+  if (!trusted::is_system_group() && argc == 1)
-  //
-  if (!trusted::is_system_group()) // && argc == 1
   {
     printf("Restarting with privileges\n");
-    trusted::create_process(util::get_current_path().append(silent ? " -s" : ""));
+    trusted::create_process(util::get_current_path());
     return EXIT_SUCCESS;
   }
 
@@ -45,18 +27,16 @@ int main(int argc, char** argv)
   {
     dcontrol::kill_smartscreen();
     dcontrol::manage_windefend(false);
+    dcontrol::manage_security_center(false);
     dcontrol::toggle_tamper(false);
 
     printf(dcontrol::check_defender() ?
-      "Windows defender is currently ACTIVE\n" :
+      "Windows defender is ACTIVE\n" :
-      "Windows defender is currently OFF\n");
+      "Windows defender is OFF\n");
 
 #if DEFENDER_CONFIG == DEFENDER_DISABLE
     if (dcontrol::disable_defender())
-    {
-      dcontrol::manage_security_center(false);
       printf("Disabled windows defender!\n");
-    }
     else
       printf("Failed to disable defender...\n");
 #elif DEFENDER_CONFIG == DEFENDER_ENABLE
@@ -67,16 +47,12 @@ int main(int argc, char** argv)
 #elif DEFENDER_CONFIG == DEFENDER_GUI
 #endif
 
-
-
   }
   catch (std::exception e)
   {
     printf("%s\n", e.what());
   }
 
-  if (!silent)
   system("pause");
-
   return EXIT_SUCCESS;
 }

src/defender-control/reg.cpp

@@ -12,6 +12,7 @@ namespace reg
     DWORD buff_sz = sizeof(DWORD);
 
     // https://docs.microsoft.com/en-us/windows/win32/winprog64/accessing-an-alternate-registry-view
+    //
     status = RegOpenKeyExW(
       HKEY_LOCAL_MACHINE,
       root_name,
@@ -24,6 +25,7 @@ namespace reg
     {
       if (flags & DBG_MSG)
         wprintf(L"Error opening %ls key \n", root_name);
+
       return -1;
     }
 

src/defender-control/trusted.cpp

@@ -283,4 +283,5 @@ namespace trusted
 
     return ret;
   }
+
 }

src/defender-control/wmic.cpp

@@ -140,4 +140,6 @@ namespace wmic
   {
     return last_error;
   }
+
+
 }