Why can't I modify any Value under the HKLM\SYSTEM\CurrentControlSet\Services\WinDefend registry sub-key or the WinDefender Service from Console?

  • Question

  • I cannot modify the Windows Defender Service in any way. I even tried running CMD with the System account using PsExec, but I always get access denied. I also tried to delete or change the WinDefend registry subkey, but it does not matter if you are the owner or you run Regedit.exe with the System account; that sub-key cannot be deleted. Same from the Service Console.

    Does anyone know why?

    Thanks!


    Blog | Twitter




    Wednesday, August 7, 2013 5:27 AM

Answers

  • Now I have confirmed it is not a bug. This is the answer from Mark Russinovich himself about why those registry keys cannot be modified:

    "Windows Defender has a kernel-mode driver (wdfilter.sys) that registers a Registry callback filter which protects Defender’s registry keys."


    Blog | Twitter

    Saturday, August 10, 2013 9:00 PM

All replies

  • Hi Sergio Calderón,

    Please try the following methods to solve this issue:

    Method 1: Disable Services in "Services" Window

    1. Click Windows + R, type services.msc in search box, and then press Enter.
    2. In the right pane of the Services snap-in, locate and double-click Windows Defender Service.
    3. Change the value of Service status to Stop.
    4. Click OK to save the changes.
    5. Close the Services window.

    Note: If the service will not stop and gives an error prompt, then you will need to restart the computer to stop it after you set it to Disabled and clicked OK.

    Method 2: Disable Services using "sc" commands

    1. Click Start, and type cmd in the Search box.
    2. Right-click cmd.exe in the Programs list, and then click Run as administrator.
    3. Type the command sc stop WinDefend in the elevated command prompt, and press Enter.
    4. Close the command prompt.

     

    Note: Directly disabling a service can be dangerous. Please make sure that it’s an unnecessary service.

    Hope this helps!

    Regards,

    Lany Zhang

    Wednesday, August 7, 2013 9:42 AM
    Moderator
  • Lany, thanks for answering, but please try disabling this service yourself in Windows 8.1 and you will see.

    As I said, it seems there is no way to disable it: from the Service console it is greyed out, from sc or net stop I get access denied, no matter if I use the System account, and by the registry it is the same thing.


    Blog | Twitter

    Wednesday, August 7, 2013 11:35 AM
  • Lany, thanks for answering, but please try disabling this service yourself in Windows 8.1 and you will see.

    As I said, it seems there is no way to disable it: from the Service console it is greyed out, from sc or net stop I get access denied, no matter if I use the System account, and by the registry it is the same thing.


    Blog | Twitter

    It is a bug in Windows 8.1

    It was the same bug in Windows 8 preview as well. They fixed it but now they (MS) broke it again in Windows 8.1.

    MS seems to have copied code again instead of improving it.


    I don't know, it could be a bug, or an undocumented Security behavior. We will see...

    Anyway, the only way to change the Windows Defender Status from the Registry was using a Windows PE media, and you have to Load the SYSTEM hive, change the Start value from the WinDefend sub-key, unload the hive and restart the system.

    So for now, issue solved.


    Blog | Twitter


    Thursday, August 8, 2013 8:42 PM
  • How about reading his post first.

    Friday, August 9, 2013 2:36 AM
  • I was going to suggest using Safe Mode to disable.  But your solution is just as good--if not better.
    Friday, August 9, 2013 2:37 AM
  • I was going to suggest using Safe Mode to disable.  But your solution is just as good--if not better.

    I tried Safe Mode, but got the same error. That's a pretty unknown Windows behavior.

    Blog | Twitter


    Friday, August 9, 2013 3:59 AM
  • Now I have confirmed it is not a bug. This is the answer from Mark Russinovich himself about why those registry keys cannot be modified:

    "Windows Defender has a kernel-mode driver (wdfilter.sys) that registers a Registry callback filter which protects Defender’s registry keys."


    Blog | Twitter

    Saturday, August 10, 2013 9:00 PM
  • for me it works the way I always disable Defender.

    Run regedit.exe, take ownership of the key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

    and set the value DisableAntiSpyware to 1.

    This works fine.


    "A programmer is just a tool which converts caffeine into code"

    • Proposed as answer by Andre.Ziegler Monday, August 12, 2013 5:26 AM
    Sunday, August 11, 2013 7:21 PM
  • for me it works the way I always disable Defender.

    Run regedit.exe, take ownership of the key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

    and set the value DisableAntiSpyware to 1.

    This works fine.


    "A programmer is just a tool which converts caffeine into code"


    Yep, but as GPO, you can only disable the Service, you cannot modify the state.

    Blog | Twitter

    Sunday, August 11, 2013 7:23 PM
  • I don't understand what you mean. Changing this value disables the service correctly and Defender is completely off.

    "A programmer is just a tool which converts caffeine into code"

    Monday, August 12, 2013 5:09 AM
  • I don't understand what you mean. Changing this value disables the service correctly and Defender is completely off.

    "A programmer is just a tool which converts caffeine into code"


    Yes, but you cannot change the Service state. I mean, let's suppose something changed the WinDefend Service Start Type to Disabled (4), the only way to change it back to Automatic (2) is by using a WinPE.

    Blog | Twitter

    Monday, August 12, 2013 5:12 AM
  • you don't need to do this. Simply set the value I told you. This sets the service type to manual and this is fine. Now the service is disabled.

    "A programmer is just a tool which converts caffeine into code"

    Monday, August 12, 2013 5:14 AM
  • you don't need to do this. Simply set the value I told you. This sets the service type to manual and this is fine. Now the service is disabled.

    "A programmer is just a tool which converts caffeine into code"

    Yes, Andre. But I don't want to just disable the Service, I want to be able to modify it. I am going to change the title, because the main reason was to know how you can disable the service, but afterwards I found out there is no way to modify the service (only Disable it by using GPO or what you said).

    Thanks for understanding.


    Blog | Twitter

    Monday, August 12, 2013 5:18 AM
  • I gave it up. I answered it already. Set the value and the service is stopped immediately after the change.

    "A programmer is just a tool which converts caffeine into code"

    Monday, August 12, 2013 5:26 AM
  • I gave it up. I answered it already. Set the value and the service is stopped immediately after the change.

    "A programmer is just a tool which converts caffeine into code"


    I think you don't understand what I mean. I know the service stopped with that value, but that is not the "problem" I described. The real "problem" is that you cannot change the Windows Defender Startup type; you can stop it if it is running, I know, but try changing the Startup type from Automatic to Manual. Can you? That's the real change in 8.1 because of the Registry callback.

    Blog | Twitter

    Monday, August 12, 2013 5:51 AM
  • The real "problem" is that you cannot change the Windows Defender Startup type; you can stop it if it is running, I know, but try changing the Startup type from Automatic to Manual. Can you?

    YES, by doing what I told you several times. Change the value DisableAntiSpyware to 1, this stops the service and changes the start type from automatic to manual. Is this SO HARD TO UNDERSTAND?

    *facepalm*


    "A programmer is just a tool which converts caffeine into code"

    Monday, August 12, 2013 7:36 PM
  • The real "problem" is that you cannot change the Windows Defender Startup type; you can stop it if it is running, I know, but try changing the Startup type from Automatic to Manual. Can you?

    YES, by doing what I told you several times. Change the value DisableAntiSpyware to 1, this stops the service and changes the start type from automatic to manual. Is this SO HARD TO UNDERSTAND?

    *facepalm*


    "A programmer is just a tool which converts caffeine into code"

    I see, I'm sorry, Andre.

    Can you please what happened when you got the Start value from WinDefend in 4 when you change that value to 0? Does the service change to Automatic startup type again?

    Thanks.


    Blog | Twitter

    Monday, August 12, 2013 7:44 PM
  • you should sit down 5 minutes and do what I wrote (and see the changed start type) instead of trolling around.

    "A programmer is just a tool which converts caffeine into code"

    Tuesday, August 13, 2013 6:55 PM
  • you should sit down 5 minutes and do what I wrote (and see the changed start type) instead of trolling around.


    "A programmer is just a tool which converts caffeine into code"


    I did. It does not work. This was a bug in Windows 8 as well.

    But, as I said before, the answer from Mark Russinovich (Technical Fellow, Microsoft) is that the Windows Defender behavior is not a bug; a Registry Callback does not allow to change the WinDefend Registry values.

    Blog | Twitter

    Thursday, August 15, 2013 5:40 PM
  • you should sit down 5 minutes and do what I wrote (and see the changed start type) instead of trolling around.


    "A programmer is just a tool which converts caffeine into code"


    I did. It does not work. This was a bug in Windows 8 as well.

    For me it works in Vista, 7, 8 and 8.1, so you make a mistake.

    "A programmer is just a tool which converts caffeine into code"

    Thursday, August 15, 2013 7:25 PM
  • and I told you several times that you need to change the value DisableAntiSpyware, which triggers a change of the Start value.

    Sorry Sergio, but I'll never reply to a question from you again, it makes no sense to discuss with a newbie like you. If you can get such simple things to work, shut the PC down and search a new job.


    "A programmer is just a tool which converts caffeine into code"

    Thursday, August 15, 2013 7:29 PM
  • and I told you several times that you need to change the value DisableAntiSpyware, which triggers a change of the Start value.

    Sorry Sergio, but I'll never reply to a question from you again, it makes no sense to discuss with a newbie like you. If you can get such simple things to work, shut the PC down and search a new job.


    "A programmer is just a tool which converts caffeine into code"

    Andre, I told you it disables the service, great. I thank you. But, could you please go to HKLM\SYSTEM\CurrentControlSet\Services\WinDefend and try to make any change to any value like Start? That's what I'm talking about from the beginning: I am not looking to disable the service, I was looking to understand why the WinDefend or the Service itself cannot be modified either from the Windows Registry or the Service Console.

    So, before we keep fighting, can you check it out by yourself? Instead of calling me newbie without even understanding what I have been trying to explain to you.

    I'm pretty sure those Values, or the Windows Defender Service cannot be modified within the Registry or Service Console. The only way to do it is by using a Windows PE media.

    If you don't want to answer any other of my question, Ok, but show some respect, please, cause I am not calling you noob/newbie or something else because you don't understand what this is all about.


    Blog | Twitter




    Thursday, August 15, 2013 7:34 PM
  • You asked "Does anyone know how the Windows Defender Service can be stopped" and I told you how to do it. Yes, you can't modify the start type directly (this is NOT what you asked at the beginning), that's why you should modify the value I posted.

    SO I ALWAYS ANSWERED YOUR QUESTION!

    That's it, you'll never ever get a reply from me again. I don't waste my time with users like you again.


    "A programmer is just a tool which converts caffeine into code"

    Thursday, August 15, 2013 7:49 PM
  • You asked "Does anyone know how the Windows Defender Service can be stopped" and I told you how to do it. Yes, you can't modify the start type directly (this is NOT what you asked at the beginning), that's why you should modify the value I posted.

    SO I ALWAYS ANSWERED YOUR QUESTION!

    That's it, you'll never ever get a reply from me again. I don't waste my time with users like you again.


    "A programmer is just a tool which converts caffeine into code"

    Look at all the thread. You answered my first question, yes, but afterwards I said: "Yes, Andre. But I don't want to just disable the Service, I want to be able to modify it." and: "I am going to change the title."

    I did not change the title, but come on!

    I should set the value you said if I was just looking to stop the Windows Server as I asked first, but I clarify you what I was looking for, so...


    Blog | Twitter

    Thursday, August 15, 2013 8:16 PM
  • you already know that you can't modify the value so why do you ask over and over again? Sit 5 minutes down and change my posted value and be happy.

    @mods, lock this topic, this topic makes no sense. I've already answered the question so many times.


    "A programmer is just a tool which converts caffeine into code"

    Thursday, August 15, 2013 8:20 PM
  • you already know that you can't modify the value so why do you ask over and over again? Sit 5 minutes down and change my posted value and be happy.

    @mods, lock this topic, this topic makes no sense. I've already answered the question so many times.


    "A programmer is just a tool which converts caffeine into code"

    Because you are still saying that I did not see the answer, even when I clarify what the real question/problem was, and because Under_info says it is a bug.

    I marked the answer I need and I have edited the title so you can be happy as well.

    Please, Andre. I am here just to learn and help, as I think you are. There is no reason to keep fighting, don't you think? I accept my mistake, just accept yours and everyone happy.

    Thanks.


    Blog | Twitter


    Thursday, August 15, 2013 8:25 PM

  • Because you are still saying that I did not see the answer,


    you haven't seen it, otherwise you would not ask over and over again.

    "A programmer is just a tool which converts caffeine into code"

    Thursday, August 15, 2013 8:28 PM

  • Because you are still saying that I did not see the answer,


    you haven't seen it, otherwise you would not ask over and over again.

    "A programmer is just a tool which converts caffeine into code"

    As you can see in the modified title, I was not looking to disable the Service, just modify it. I have the answer I needed already.

    Blog | Twitter




    Thursday, August 15, 2013 8:33 PM
  • Modify the question to "Why can't I modify the value 'start' under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend?" and your marked answer makes sense.

    If you can't ask the question in a way that we KNOW what you want, you should not wonder that you can't get the answer you're looking for.


    "A programmer is just a tool which converts caffeine into code"


    Thursday, August 15, 2013 8:53 PM
  • Modify the question to "Why can't I modify the value 'start' under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend?" and your marked answer makes sense.

    If you can't ask the question in a way that we KNOW what you want, you should not wonder that you can't get the answer you're looking for.


    "A programmer is just a tool which converts caffeine into code"



    Modified adding all the clarity to the question.

    Blog | Twitter

    Thursday, August 15, 2013 9:02 PM
  • First of all, excuse my English.

    With this solution:

    "Run regedit.exe, take ownership of the key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

    and set the value DisableAntiSpyware to 1"

    You can modify all the registry keys on HKLM\SYSTEM\CurrentControlSet\Services\WinDefend including the value "start" as you mention before. I did it and it worked. I don't know which key is the one to change what you want, but you can change the start value and the rest of the keys.

    Thursday, August 29, 2013 4:22 PM
  • Modify the question to "Why can't I modify the value 'start' under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend?" and your marked answer makes sense.

    If you can't ask the question in a way that we KNOW what you want, you should not wonder that you can't get the answer you're looking for.


    "A programmer is just a tool which converts caffeine into code"



    Modified adding all the clarity to the question.

    Blog | Twitter


    This is a bug in Windows 8 Preview and Windows 8.1 preview. MS needs to fix this bug.

    As you can see, and as I said based on the Mark Russinovich answer, the RTM version of Windows 8.1 has the same behavior so that was not a bug.

    Blog | Twitter

    Tuesday, September 10, 2013 4:31 AM
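
A read-only way to check the state this thread argues about, added here as an example and not code from any poster: it reports the `Start` value of the `WinDefend` key in every control set, plus the `DisableAntiSpyware` value, so a start type changed offline or a switched-off Defender shows up in one table. The function names, the expected start type of 2 (Automatic) and the finding strings are assumptions of this example.

```powershell
# Added example, not from the thread. Read-only: it queries values and changes nothing.
# Standard service Start values; the thread itself cites 2 (Automatic) and 4 (Disabled).
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of raising an error.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding {
    param([string]$Location, [string]$Value, [string]$Finding)
    [pscustomobject]@{ Location = $Location; Value = $Value; Finding = $Finding }
}

function Get-DefenderConfigReport {
    # Assumption of this example: Automatic (2) is the expected start type.
    param([int]$ExpectedStart = 2)

    # CurrentControlSet is a link to one ControlSetNNN key. A hive edited offline
    # (loaded from Windows PE) only contains ControlSetNNN keys, so check each one.
    $sets = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

    foreach ($set in $sets) {
        $path  = "HKLM:\SYSTEM\$($set.PSChildName)\Services\WinDefend"
        $start = Get-RegValue -Path $path -Name 'Start'
        if ($null -eq $start) {
            New-Finding "$path\Start" '<missing>' 'WinDefend key or Start value not found'
        } elseif ([int]$start -ne $ExpectedStart) {
            New-Finding "$path\Start" "$start ($($StartNames[[int]$start]))" 'Start type differs from expected'
        } else {
            New-Finding "$path\Start" "$start ($($StartNames[[int]$start]))" 'OK'
        }
    }

    # The value the thread sets to 1 to turn Defender off.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $das = Get-RegValue -Path $key -Name 'DisableAntiSpyware'
    if ($null -eq $das) {
        New-Finding "$key\DisableAntiSpyware" '<not set>' 'OK'
    } elseif ([int]$das -eq 1) {
        New-Finding "$key\DisableAntiSpyware" "$das" 'Defender switched off by this value'
    } else {
        New-Finding "$key\DisableAntiSpyware" "$das" 'OK'
    }
}

Get-DefenderConfigReport | Format-Table -AutoSize -Wrap
```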