I can't find any information on how to disable Windows Defender in Windows 10. There is some information about how to do it in the previews, but the configuration pages have changed with the final release.

Specifically, I want to stop and disable the Windows Defender Service.

  • Using net stop windefend from an elevated command prompt gives "access denied"
  • Stop and startup type are greyed out in services.msc, even when logged on as administrator
  • There doesn't seem to be a GUI way to disable UAC in Windows 10

Has anyone figured out how to disable Defender in Windows 10?

  • 3
    Simplest method. Just install a paid/free security suite and it will automatically disable itself. Outside of that just go to Update and Security and disable the Real-Time protection. You cannot disable UAC in Windows 8 and above to the same degree as you could in Windows 7. Of course I am not sure what the UAC has to do with Windows Defender.
    – Ramhound
    Commented Jul 30, 2015 at 20:58
  • I mentioned UAC because it seemed possible that UAC was preventing me from disabling Defender. I haven't deployed the latest Kaspersky that supports Windows 10 yet, and frankly I'm not so confident that Kaspersky will install well with Defender running. Plus I want to be able to disable it on principle in case I need or want to for other reasons. Commented Jul 30, 2015 at 21:02
  • I opened Update & Security and I am able to disable Windows Defender. Personally I was able to disable the service though after I do that.
    – Ramhound
    Commented Jul 30, 2015 at 21:08
  • Windows Defender is designed to be easily replaceable, just install another AV and it should automatically turn off.
    – gronostaj
    Commented Jul 30, 2015 at 21:15
  • 4
    @gronostaj If my question were how to replace Windows Defender with another A/V solution, I would suggest you post your comment as an answer and I'd accept it, except your comment is the same as Ramhound's, so I'd really suggest he do it. But that's not what I'm trying to do. Commented Jul 30, 2015 at 21:26

18 Answers


You are able to do this using a Group Policy.

open gpedit.msc

navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender

Turn off Windows Defender = Enabled

If you then try to open Windows Defender you'll see this: [screenshot]

And even though in Settings it may appear to be on, the Service is not running: [screenshot]

more info:


and http://www.download3k.com/articles/How-to-Turn-Off-Windows-Defender-Permanently-in-Windows-10-01350

  • I can't believe I didn't find this on my own. Thanks! Commented Sep 3, 2015 at 14:26
  • 4
    Is this also for Windows Home? I can't find gpedit.msc Commented Jan 4, 2016 at 10:14
  • 6
    No, it does not work for home users. Pro/Enterprise/Education only Commented Dec 6, 2016 at 22:00
  • 11
    Tried this... however service is still running in task manager.
    – Brig
    Commented Mar 25, 2017 at 19:00
  • 3
    In v2004 there is even no "Windows Defender" option
    – golimar
    Commented Jul 17, 2020 at 15:59

I found another way using the registry.

Using this article, I changed the startup type for the Defender services and drivers (!!) in the registry while logged on as an administrator. Here's a brief run-down:

  1. Browse the registry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
  2. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend.
  3. Change the Start value for each service to 0x4 (hex 4, decimal 4).
  4. Reboot.
  • 7
    I am logged in as administrator and I still get the error "Error writing start. Error writing the value's new contents."
    – Mark
    Commented Aug 27, 2015 at 8:44
  • 3
    Me too with the same error "Error writing start. Error writing the value's new contents." Any workaround for us @Todd Wilcox?
    – Nam G VU
    Commented Oct 21, 2015 at 2:33
  • 2
    Have you tried right-clicking on regedit and running as administrator? Commented Oct 21, 2015 at 3:48
  • 2
    Unfortunately on Win10 Home Single Language, I get the same error even if I started regedit as admin. Any other workaround? I'm really starting to despise Windows 10 now.
    – gideon
    Commented Jan 2, 2018 at 13:18
  • 1
    FWIW I'm able to write to these keys when booted in safe mode and running regedit as admin, Win10 Pro 19042.1288
    – nmr
    Commented Nov 12, 2021 at 16:15

It would be helpful to understand why you cannot stop a particular service.

  • I'm the administrator; worse than failure can't the Administrator administrate?!

It's because of the security permissions on the WinDefend service.

Note: WinDefend is the actual name of the "Windows Defender Antivirus Service"


Viewing Permissions

If you run from a command line:

>sc sdshow WinDefend


  • sdshow means "Displays a service's security descriptor."

You'll get the security descriptor:

C:\Users\Ian>sc sdshow WinDefend


This is quite the ugly blob, and it's completely undocumented by Microsoft, but we'll have a stab at decoding it. First by word-wrapping:


The D: means this is a discretionary access control list. An Access Control List is made up of a number of Access Control Entries (ACE):

  • D: discretionary access control list
    • ACE6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
    • ACE7: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

Each ACE is a set of 5 semicolon terminated settings, followed by who it applies to.

Looking first at who they apply to, a random blog article decodes some of them (archive.is):

  • BU: Built-in users
  • SY: Local System
  • BA: Built-in administrators
  • UI: Interactively logged-on user
  • SU: Service logon user
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: Trusted Installer
  • S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736: Virtual NT service account NT SERVICE\WinDefend

You can get the name associated with an SID by running:

>wmic useraccount where sid='S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736' get name

Each ACE contains a list of permissions that the user is being allowed or denied.

  • D: discretionary access control list
    • ACE 1: A;;CCLCSWRPLOCRRC;;; Built-in users
    • ACE 2: A;;CCLCSWRPLOCRRC;;; Local system
    • ACE 3: A;;CCLCSWRPLOCRRC;;; Built-in administrators
    • ACE 4: A;;CCLCSWRPLOCRRC;;; Interactive user
    • ACE 5: A;;CCLCSWRPLOCRRC;;; Service logon user
    • ACE 6: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; Trusted installer

Breaking down the remaining semicolon separated sections in an ACE:

    • AceFlags: (none)
    • AccessMask: CC LC SW RP LO CR RC
      • SW: SELF_WRITE
    • ObjectGuid: (none)
    • InheritObjectGuid: (none)

The leading A means Allowed, and the permissions are two-letter codes:

  • D: discretionary access control list
    • ACE 1: Allow, CC LC SW RP LO CR RC, Built-in users
    • ACE 2: Allow, CC LC SW RP LO CR RC, Local system
    • ACE 3: Allow, CC LC SW RP LO CR RC, Built-in administrators
    • ACE 4: Allow, CC LC SW RP LO CR RC, Interactive user
    • ACE 5: Allow, CC LC SW RP LO CR RC, Service logon user
    • ACE 6: Allow, CC LC SW RP LO CR RC DC WP DT SD WD WO, Trusted installer

And this is where I'm going to have to stop to save my work. This detour into how to stop the Windows Defender service is interesting and all: but I've already stopped it, and my PC is still misbehaving.


sc sdset WinDefend [newSDLString]

Bonus Reading

  • 1
    That was one of the most helpful replies I've ever read, thank you so much! Commented Apr 10, 2020 at 7:11
  • Thanks for your efforts! Don't get why wmic useraccount command doesn't work for me. What was your sdl string? And Defender was still active afterwards?
    – testing
    Commented Apr 4, 2021 at 11:01
  • @Ian What is your "spoiler" code supposed to do? Please clarify it.
    – JinSnow
    Commented Mar 21, 2022 at 14:38
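
The security-descriptor walk-through in the answer above stops before mapping the two-letter codes to service rights. The following is an added example, not part of the original answer: it parses a service DACL and reports which trustees hold a given right, which shows that the Built-in administrators ACE carries no stop right. The SDDL string is assembled from the ACEs quoted in the answer rather than copied from real `sc sdshow` output, and the function names are hypothetical.

```python
import re

# SDDL two-letter rights as they apply to *service* objects (the same codes
# carry directory-service names on other object types).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

# Trustee names as given in the answer; IU is the SDDL alias for the
# interactively logged-on user.
TRUSTEES = {
    "BU": "Built-in users",
    "SY": "Local System",
    "BA": "Built-in administrators",
    "IU": "Interactive user",
    "SU": "Service logon user",
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464":
        "TrustedInstaller",
    "S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736":
        "NT SERVICE\\WinDefend",
}

ACE_TYPES = {"A": "Allow", "D": "Deny"}

# Constructed sample: built from the ACEs quoted in the answer.
SAMPLE_SDDL = (
    "D:"
    "(A;;CCLCSWRPLOCRRC;;;BU)"
    "(A;;CCLCSWRPLOCRRC;;;SY)"
    "(A;;CCLCSWRPLOCRRC;;;BA)"
    "(A;;CCLCSWRPLOCRRC;;;IU)"
    "(A;;CCLCSWRPLOCRRC;;;SU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;"
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;"
    "S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)"
)


def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) part of an SDDL string as dicts."""
    match = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, flags, rights, obj_guid, inherit_guid, trustee = fields
        if rights.lower().startswith("0x"):
            codes = [rights]  # numeric access mask, kept as written
        elif len(rights) % 2:
            raise ValueError("odd-length rights string: " + rights)
        else:
            codes = re.findall("..", rights)
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": flags,
            "rights": [SERVICE_RIGHTS.get(c, c) for c in codes],
            "trustee": TRUSTEES.get(trustee, trustee),
        })
    return aces


def who_can(sddl, right):
    """List trustees allowed `right`, dropping any that are explicitly denied.

    Simplification: real access checks walk ACEs in order and evaluate group
    membership; this only compares ACE contents.
    """
    aces = parse_dacl(sddl)
    denied = {a["trustee"] for a in aces
              if a["type"] == "Deny" and right in a["rights"]}
    return [a["trustee"] for a in aces
            if a["type"] == "Allow" and right in a["rights"]
            and a["trustee"] not in denied]


if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL):
        print(ace["type"], ace["trustee"], ", ".join(ace["rights"]))
    print("May stop the service:", who_can(SAMPLE_SDDL, "SERVICE_STOP"))
```

The same function applied to any other service's `sc sdshow` output gives a quick audit of who may stop or reconfigure it.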

Note: This may not work any more as of feature update 1909.

Short version

  1. Download
  2. Extract
  3. Double-click DisableDefender.reg


By far the most effective and clean way to permanently disable Windows Defender in Windows 10 is via Group Policy, as described by Aaron Hoffman. Unfortunately, Windows 10 Home lacks the necessary tools.

Here's a registry file that contains the changes made by gpedit.msc on a Windows 10 Pro machine. It's been tested on Windows 10 Home as well. Save the file as DisableDefender.reg with Windows-style line endings and double-click it to import it into your registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]

If you ever want to re-enable Defender, change 00000001 to 00000000 on both lines.

You can download the files to disable and re-enable defender from Gist.

  • 1
    You win the Internet today, sir.
    – Ivan Bilan
    Commented Oct 24, 2016 at 12:11
  • I had re-enable WD by the regedit the value to 00000000, results WD Real-time protection is off because you are using another AV. In fact I do not have any antivirus installed. How to fix this? Thanks Commented Nov 17, 2016 at 10:22
  • @SantosaSandy That could happen for a number of reasons, including malware. You should start a separate question.
    – Zenexer
    Commented Nov 17, 2016 at 15:41
  • Thanks Mr. PB. In an emergency and lack of error investigating clue, I just update the windows and run registry cleaner (e.g. CCleaner). The Windows Defender is active again. Thanks Commented Nov 21, 2016 at 4:41
  • 3
    Doesn't work in v1909 Commented Jun 19, 2020 at 5:25

To disable Windows Defender completely (not just the Real-Time protection) you can:

  1. Install another security suite (as Ramhound mentioned).
  2. If you're willing to use a third party application, you could use NoDefender: http://msft.gq/pub/apps/NoDefender.zip

More information about NoDefender can be found here: http://winaero.com/blog/nodefender-disable-windows-defender-in-windows-10-with-few-clicks/

  • 1
    I suspect NoDefender might just be an automated way to edit the registry, which I have done manually. Commented Jul 30, 2015 at 21:29
  • @ToddWilcox, Your method is better than mine then! One less third party application to worry about. Commented Jul 30, 2015 at 21:49
  • 1
    i still see antimalware service running, which runs windows defender. I have avg free edition installed
    – shorif2000
    Commented Aug 15, 2015 at 19:25
  • 3
    Exactly, @Sharif I'd like to see any confirmations that the antimalware service is also disabled.
    – Mark
    Commented Aug 27, 2015 at 8:39
  • From the comments on winaero site "...only thing it does is disable Defender things in registry"
    – KERR
    Commented Aug 25, 2020 at 7:50

I have written the batch file and registry files that should completely disable Windows Defender in Windows 10.

  1. Save the following files into the same folder.
  2. Run Disable Windows Defender.bat as administrator.
  3. After the batch file is done, restart.
  4. The latest versions of Windows 10 make it difficult to terminate the "MsMpEng.exe" process, so you will have to boot into a different operating system and rename or delete the Windows Defender folders in Program Files manually before proceeding to the next step.
  5. Run Disable Windows Defender.bat again as administrator.
  6. Windows Defender should be completely disabled now.

Disable Windows Defender.bat

@echo off

call :main %*
goto :eof

    setlocal EnableDelayedExpansion

    rem Check if Windows Defender is running.
    tasklist /fi "imageName eq "MsMpEng.exe"" | find /i "MsMpEng.exe" > nul 2> nul
    if %errorLevel% equ 0 (
        rem Windows Defender is running.
        echo Windows Defender is running.

        rem Performable operations while Windows Defender is running.
        rem Disable Windows Defender drivers.
        echo Disabling Windows Defender drivers...
        set "drivers="%SystemRoot%\System32\drivers\WdBoot.sys";"%SystemRoot%\System32\drivers\WdFilter.sys";"%SystemRoot%\System32\drivers\WdNisDrv.sys""
        set "drivers=!drivers:""="!"

        set "wasDriverDisabled=false"
        for %%d in (!drivers!) do (
            if exist "%%~d" (
                echo Disabling Windows Defender driver "%%~d"...
                call :disableFile "%%~d"
                set "wasDriverDisabled=true"

        rem Disable Windows Defender objects.
        echo Disabling Windows Defender objects...
        call :importRegistry "Disable Windows Defender objects.reg"

        rem Require restart to unload Windows Defender drivers and objects.
        echo Restart required.
    ) else (
        rem Windows Defender is not running.
        echo Windows Defender is not running.

        rem Performable operations while Windows Defender is not running.
        rem Disable Windows Defender features.
        echo Disabling Windows Defender features...
        call :importRegistry "Disable Windows Defender features.reg"
        rem Disable Windows Defender services.
        echo Disabling Windows Defender services...
        call :importRegistry "Disable Windows Defender services.reg"

        rem Disable Windows Defender files.
        echo Disabling Windows Defender files...
        ren "%ProgramFiles%\Windows Defender" "Windows Defender.bak"
        ren "%ProgramFiles(x86)%\Windows Defender" "Windows Defender.bak"
        ren "%ProgramData%\Microsoft\Windows Defender" "Windows Defender.bak"

    goto :eof

    set "filePath=%~1"
    set "user=%~2"
    takeown /f "%filePath%" /a
    icacls "%filePath%" /grant "%user%:F"
    goto :eof

    set "filePath=%~1"
    call :ownFile "%filePath%" "Administrators"
    ren "%filePath%" "%~nx1.bak"
    goto :eof

    set "filePath=%~1"
    call OwnRegistryKeys.bat "%filePath%"
    @echo off
    regedit /s "%filePath%"
    goto :eof

Disable Windows Defender objects.reg

Windows Registry Editor Version 5.00

; Disable "Scan with Windows Defender..." right click context menu.

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").

; Disable "DefenderCSP.dll".

; Disable Windows Defender IOfficeAntiVirus implementation ("MpOav.dll").

; Disable InfectionState WMI Provider ("MpProvider.dll").

; Disable Status WMI Provider ("MpProvider.dll").

; Disable PSFactoryBuffer ("mpuxhostproxy.dll").

; Disable Microsoft Windows Defender ("MsMpCom.dll").

; Disable Windows Defender WMI Provider ("ProtectionManagement.dll").

; Disable AMMonitoring WMI Provider ("AMMonitoringProvider.dll").

; Disable MP UX Host ("MpUxSrv.exe").

Disable Windows Defender features.reg

Windows Registry Editor Version 5.00

; Disable Windows Defender features.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Scan]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\UX Configuration]

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender]

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection]

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\Scan]

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows Defender\UX Configuration]

Disable Windows Defender services.reg

Windows Registry Editor Version 5.00

; Disable "Windows Defender" services.


@echo off

rem Get the location of the PowerShell file.
for /f "usebackq tokens=*" %%f in (`where "OwnRegistryKeys.ps1"`) do (
    rem Run command for each argument.
    for %%a in (%*) do (
        powershell -executionPolicy bypass -file "%%~f" "%%~a"


$script:baseKey = @{
        "name" = "HKEY_CLASSES_ROOT";
        "shortName" = "HKCR";
        "key" = [Microsoft.Win32.Registry]::ClassesRoot
        "name" = "HKEY_CURRENT_CONFIG";
        "shortName" = "HKCC";
        "key" = [Microsoft.Win32.Registry]::CurrentConfig
        "name" = "HKEY_CURRENT_USER";
        "shortName" = "HKCU";
        "key" = [Microsoft.Win32.Registry]::CurrentUser
    "HKEY_DYN_DATA" = @{
        "name" = "HKEY_DYN_DATA";
        "shortName" = "HKDD";
        "key" = [Microsoft.Win32.Registry]::DynData
        "name" = "HKEY_LOCAL_MACHINE";
        "shortName" = "HKLM";
        "key" = [Microsoft.Win32.Registry]::LocalMachine
        "name" = "HKEY_PERFORMANCE_DATA";
        "shortName" = "HKPD";
        "key" = [Microsoft.Win32.Registry]::PerformanceData
    "HKEY_USERS" = @{
        "name" = "HKEY_USERS";
        "shortName" = "HKU";
        "key" = [Microsoft.Win32.Registry]::Users

function enablePrivilege {
        # The privilege to adjust. This set is taken from:
        # http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx

        # The process on which to adjust the privilege. Defaults to the current process.
        $processId = $pid,

        # Switch to disable the privilege, rather than enable it.
        [switch] $disable

    # Taken from P/Invoke.NET with minor adjustments.
    $definition = @'
using System;
using System.Runtime.InteropServices;

public class AdjustPrivilege {
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid {
        public int Count;
        public long Luid;
        public int Attr;

    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

    public static bool EnablePrivilege(long processHandle, string privilege, bool disable) {
        bool result;
        TokPriv1Luid tp;
        IntPtr hproc = new IntPtr(processHandle);
        IntPtr htok = IntPtr.Zero;
        result = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
        tp.Count = 1;
        tp.Luid = 0;
        if (disable) {
            tp.Attr = SE_PRIVILEGE_DISABLED;
        } else {
            tp.Attr = SE_PRIVILEGE_ENABLED;
        result = LookupPrivilegeValue(null, privilege, ref tp.Luid);
        result = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return result;

    $processHandle = (get-process -id $processId).handle
    $type = add-type $definition -passThru
    $type[0]::EnablePrivilege($processHandle, $privilege, $disable)

function getKeyNames {
        [parameter(mandatory = $true)]
        [string[]] $filePaths = $null

    return (get-content $filePaths | select-string -pattern "\[\-?(.*)\]" -allMatches | forEach-object {$_.matches.groups[1].value} | get-unique)

function splitKeyName {
        [parameter(mandatory = $true)]
        [string] $keyName = $null

    $names = $keyName.split("\\/", 2)

    $rootKeyName = $names[0]
    $subKeyName = $names[1]

    $keyPart = @{
        root = $baseKey[$rootKeyName];
        subKey = @{
            name = $subKeyName

    return $keyPart

function ownRegistryKey {
        [parameter(mandatory = $true)]
        [string] $keyName = $null

    write-host """$keyName"""

    # Check if the key exists.
    if ($(try { test-path -path "Registry::$keyName".trim() } catch { $false })) {
        write-host "    Opening..."

        $keyPart = splitKeyName -keyName $keyName
        $ownableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
        if ($ownableKey -ne $null) {
            # Set the owner.
            write-host "    Setting owner..."
            $acl = $ownableKey.getAccessControl([System.Security.AccessControl.AccessControlSections]::None)
            $owner = [System.Security.Principal.NTAccount] "Administrators"

            # Set the permissions.
            write-host "    Setting permissions..."
            $acl = $ownableKey.getAccessControl()
            $person = [System.Security.Principal.NTAccount] "Administrators"
            $access = [System.Security.AccessControl.RegistryRights] "FullControl"
            $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
            $propagation = [System.Security.AccessControl.PropagationFlags] "None"
            $type = [System.Security.AccessControl.AccessControlType] "Allow"

            $rule = new-object System.Security.AccessControl.RegistryAccessRule($person, $access, $inheritance, $propagation, $type)


            write-host "    Done."

            # Own children subkeys.
            $readableKey = $keyPart.root.key.openSubKey($keyPart.subKey.name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, [System.Security.AccessControl.RegistryRights]::ReadKey)
            if ($readableKey -ne $null) {
                $subKeyNames = ($readableKey.getSubKeyNames() | forEach-object { "$keyName\$_" })
                if ($subKeyNames -ne $null) {
                    ownRegistryKeys -keyNames $subKeyNames
            } else {
                write-host "    Unable to open children subkeys."
        } else {
            write-host "    Unable to open subkey."
    } else {
        write-host "    Key does not exist."


function ownRegistryKeys {
        [parameter(mandatory = $true)]
        [string[]] $keyNames = $null

    $keyName = $null
    foreach ($keyName in $keyNames) {
        # Own parent key and children subkeys.
        ownRegistryKey -keyName $keyName

function requestPrivileges {
    $numberOfRetries = 10

    $privilegeResult = $false
    for ($r = 0; !$privilegeResult -band $r -lt $numberOfRetries; $r += 1) {
        $privilegeResult = enablePrivilege -privilege "SeTakeOwnershipPrivilege"

    if (!$privilegeResult) {
        write-host "Unable to receive privilege."
        exit 1

function main {
        [parameter(mandatory = $true)]
        [string[]] $filePaths = $null


    $keyNames = getKeyNames -filePaths $filePaths
    ownRegistryKeys -keyNames $keyNames

main $args
  • Thanks! BTW:This requires English version of windows to work correctly
    – M. A.
    Commented Sep 13, 2018 at 19:04

In my experience setting the Group Policy is the most reliable way to stop Windows Defender and its Antimalware Service Executable. However, I recently encountered a situation where setting a Group Policy had no effect, and the Antimalware executable kept running and eating into my CPU.

I ended up writing a small script to take ownership of the executable and deny read and execute access rights for it. This solved the problem. The script is below.

@echo off

echo Disabling Windows Defender Antimalware Executable
echo Note: must be run with Admin permissions

rem taking ownership of Windows Defender files so that we can change their permissions
takeown /f "%PROGRAMDATA%\Microsoft\Windows Defender\Platform" /A /r /d y > takeown-result.txt

rem denying read and execute for all MsMpEng.exe files found in the directory structure (there may be multiple versions)
icacls %PROGRAMDATA%"\Microsoft\Windows Defender\Platform\*MsMpEng.exe" /deny SYSTEM:(RX) /T /C  /deny Administrators:(RX) /T /C   /deny Users:(RX) /T /C

@echo on
  • This worked for me on Windows 10 Pro [Version 10.0.18362.476], and survived a reboot. But my path was c:\Program Files\Windows Defender\MsMpEng.exe
    – pgr
    Commented Nov 30, 2019 at 15:48

I found that the following procedure works well; it doesn't remove or disable Windows Defender, but it disables Windows Defender SERVICE, stops all start-up and real-time scanning, and prevents Windows Defender Real-Time Scan from turning itself back on. (It leaves Windows Defender in-place, so you can use it to perform on-demand scanning of suspicious files.)


  1. Find, download, install "SysInternals" program suite.
  2. Run program "AutoRuns".
  3. Find "Windows Defender Service".
  4. Uncheck the box.
  5. Restart your computer.

After doing that, my startup time decreased from 20min to 5min, and memory usage after startup (before launching any apps) decreased from 2.1GB to 1.2GB. And when I looked in "Services", I found that "Windows Defender Service", while still there, is now marked "NOT running, Disabled".

  • 2
    Gives "access is denied", even running as Administrator
    – pgr
    Commented Nov 30, 2019 at 12:18

It is not so easy to reliably and totally disable the Windows Defender. There is a PowerShell script that uninstalls Windows Defender, but you may not be able later to install it back. This script requires two reboots.

Just download the Debloat-Windows-10 and follow these steps, provided by the author:

  1. Unpack the archive;
  2. Enable execution of PowerShell scripts:

    PS> Set-ExecutionPolicy Unrestricted

  3. Unblock PowerShell scripts and modules within this directory:

    PS > ls -Recurse *.ps1 | Unblock-File
    PS > ls -Recurse *.psm1 | Unblock-File

  4. Run scripts\disable-windows-defender.ps1

  5. Reboot the computer (either usual way or via the PS > Restart-Computer)
  6. Run scripts\disable-windows-defender.ps1 one more time.
  7. Reboot the computer again.

This is not the easiest way, but very reliable and resilient.

There are also the scripts to remove unnecessary programs like BingFinance, Skype, OneDrive, etc - if you don't need them.

The archive also contains a lot of scripts that you may find useful.

Please be aware that these scripts irreversibly delete files and can delete vital functions of Windows. For example, they may totally disable the Start menu!

Don't run disable-ShellExperienceHost.bat from this package, otherwise the Start Menu will stop opening.


Disabling defender as newer W10 versions are pushed out is getting harder.

I have successfully removed the windows defender service with no side effects so far.

Windows 10 Version 2004 build 19041.450

This eliminated defender service from the PC

Use a bootable offline registry editor of choice. I used a Windows 7 64-bit ERD disc to do it, not publicly available but can be found. It has a registry editor that ignores permissions.

Once booted into the registry editor navigate to


delete the WinDefend key

I would export the key first, then if you want it back you can merge the saved key back into the registry and reboot.

You can disable sidebar security messages about defender:

Disable Security Messages on Windows 10

Tap on the Windows-key, type regedit.exe, and hit the Enter-key on the keyboard afterwards. Confirm the UAC prompt that appears.

Go to


using the left sidebar menu. If Explorer does not exist, right-click on Windows Key and select New > Key, and name it Explorer. Right-click on Explorer, and select New > Dword (32-bit) Value.

Name it


Double-click the new entry afterwards, and set its value to 1.

Restart the PC


I've worked for days to achieve this, looking at almost any work done on Internet including the posts here. I did not find any way to do it without using third-party dependencies. So I wrote a script for it instead.

You can apply it directly using https://privacy.sexy or through its GitHub page with a nice UI and categories. It's community-tested and completely open-source.

I cannot copy it here due to character limitation, it's around 1000 lines batch script with some PowerShell calls. It's totally reversible to Windows defaults, but you need to run revert script twice.

I combined different strategies to achieve as much persistence as possible, including some techniques here so thank you all for posting your findings:

  1. Disable any configuration Microsoft made it configurable
  2. Disable scheduled tasks
  3. Disable services / drivers through (hacky way, but not possible without it):
    • Normal service management
    • Using privileged TrustedInstaller user because Administrator is not enough
    • Editing registry
    • Renaming files

I had to restart Antimalware service, not to disable it, downloaded Advanced Run

Then from drop-down list selected Run As Trusted Installer Program to run cmd.exe, click Run, then stopped and then started service


sc stop WinDefend
sc start WinDefend

Info for 2023-02-24: tried other answers but Windows Defender always comes back.

How I succeeded:

  1. safe mode by msconfig, PowerShell script:
Set-ItemProperty -Path ($regpath+"\WinDefend") -Name Start -Value 4
Set-ItemProperty -Path ($regpath+"\Sense") -Name Start -Value 4
Set-ItemProperty -Path ($regpath+"\WdFilter") -Name Start -Value 4
Set-ItemProperty -Path ($regpath+"\WdNisDrv") -Name Start -Value 4
Set-ItemProperty -Path ($regpath+"\WdNisSvc") -Name Start -Value 4
Set-ItemProperty -Path ($regpath+"\WdBoot") -Name Start -Value 4
  2. normal boot, PowerShell script:
Get-ScheduledTask "Windows Defender Cache Maintenance" | Disable-ScheduledTask
Get-ScheduledTask "Windows Defender Cleanup" | Disable-ScheduledTask
Get-ScheduledTask "Windows Defender Scheduled Scan" | Disable-ScheduledTask
Get-ScheduledTask "Windows Defender Verification" | Disable-ScheduledTask

Only need to turn off notifications.


Answer: IObit Unlocker or Unlocker to remove Antimalware Service Executable folder and file from your hard drive.

Recommended steps for a good debloat :)

After a fresh Windows installation make sure you do all the Windows updates. For some reason Windows won't always find all the needed/recent updates for your device right away, so leave your PC on for a day or two, restart every 5-6 hours and check for Windows updates during these two days. After these two days, make sure every device in Device Manager is working properly (no unknown devices or yellow triangles under devices), so either install Windows optional updates (which should install the appropriate drivers), or download the drivers for your device yourself.

At the last day of the updates, use window's cleaner to clean the window's updates cache:
windows update cache
restart, and check for updates one last time.

After these are done:

Disable tamper protection in windows defender and then use:

winaerotweaker to disable windows update (and other crap) and restart,
IObit Unlocker or Unlocker to remove Antimalware Service Executable folder and file from your hard drive.


WPD.exe to disable telemetry and restart,
OOSU10.exe to disable whatever is left and restart.

Win-Debloat-Tools to debloat your system (they have some in-depth tweaks) and restart.

Finally, it's useful to follow a video like this, as every year new people find new ways to debloat Windows.

Remember that after a windows update, some of the disabled features might get re-installed/re-enabled. Make sure you have automatic windows updates turned off (check for windows updates when you want to check) and every now and then check the window's features configuration (if they got re-enabled).

I have achieved less than 2.5 GB ram usage with the above tools.

For daily use I recommend using BCuninstaller to uninstall files (it's a deep uninstaller but open-source) in combination with Everything, which is a tool that can search everything in your PC, to delete leftovers from uninstalled programs (as BCuninstaller can't find everything).

Tools like CCleaner are good for registry cleaning and important: startup programs disabling. Disabling program's auto-update features and just enabling them once every 3-4 months just for the updates to happen, is a great way to save some GBs of ram. There are some startup stuff you might disable from CCleaner and ruin your day, like you can disable the Wifi completely, the printer capability and the audio of windows. They are reversible, just find out which service was the one for audio/wifi/printer and re-enable it.

After doing all of the above, you might want to do something to reduce latency (includes unlocking all cores of your CPU, using a debloater for your Nvidia drivers etc.), I recommend this video.


The easiest way I've found is to open an administrator command prompt and run:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /t REG_DWORD /v DisableAntiSpyware /f /d 1

Then reboot. I have not been able to find a way to shut down the service once it is started without a reboot.
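
From the monitoring side, the changes described in this answer and in the registry answers earlier on the page (the DisableAntiSpyware policy value, and Start set to 4 on the Defender services and drivers) can be checked for in an exported registry file. The following is an added example, not code from any of the answers: it parses `.reg` export text and reports those two conditions. The sample export is constructed, the function names are hypothetical, and a real `reg export` file is UTF-16 and must be decoded to text first.

```python
import re

SERVICES_ROOT = r"hkey_local_machine\system\currentcontrolset\services"
POLICY_KEY = r"hkey_local_machine\software\policies\microsoft\windows defender"
# Service and driver names listed in the answers on this page.
DEFENDER_SERVICES = ("wdboot", "wdfilter", "wdnisdrv", "wdnissvc",
                     "windefend", "sense")
SERVICE_DISABLED = 4  # Start value meaning "disabled"

# Constructed sample in the .reg export format (not taken from a real host).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004
"DisplayName"="constructed value"
"""


def parse_reg(text):
    """Parse .reg export text into {key_lower: {value_name_lower: data}}.

    dword values become ints; everything else is kept as a string.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(-?)(.+)\]", line)
        if header:
            # "[-KEY]" is a deletion entry: it carries no values to record.
            if header.group(1):
                current = None
            else:
                current = keys.setdefault(header.group(2).lower(), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if value and current is not None:
            name, data = value.group(1).lower(), value.group(2)
            dword = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
            current[name] = int(dword.group(1), 16) if dword else data.strip('"')
    return keys


def find_defender_tampering(keys):
    """Return (kind, name, value) tuples for the settings described above."""
    findings = []
    if keys.get(POLICY_KEY, {}).get("disableantispyware") == 1:
        findings.append(("policy", "DisableAntiSpyware", 1))
    for svc in DEFENDER_SERVICES:
        start = keys.get(SERVICES_ROOT + "\\" + svc, {}).get("start")
        if start == SERVICE_DISABLED:
            findings.append(("service", svc, start))
    return findings


if __name__ == "__main__":
    for kind, name, value in find_defender_tampering(parse_reg(SAMPLE_EXPORT)):
        print(f"{kind}: {name} = {value}")
```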


After trying heaps of methods both here and on other sites, I've finally found something that works (tested on v1909 and v2004)!

Sadly it's a 3rd party program but it's a portable EXE with GUI or can be run by command line.

Defender Control 1.6

Defender Control is a small Portable freeware which will allow you to disable Windows Defender in Windows 10 completely.


  • No need for external tools, can very well toggle Defender just with powershell see pastebin.com/hLsCCZQY (save as .bat script or copy-paste directly into console - it's a hybrid) - it shows a simple Yes,No,Cancel prompt
    – AveYo
    Commented Nov 16, 2020 at 20:31

The easy powershell method is here from an answer I posted on a question later marked duplicate for this.

The easiest way to do this would be to use powershell to disable it, the command you probably want is this

Set-MpPreference -DisableRealtimeMonitoring $true
Get-Service WinDefend | stop-service 

For an article on using powershell to disable/enable Windows Defender check here: http://wmug.co.uk/wmug/b/pwin/archive/2015/05/12/quickly-disable-windows-defender-on-windows-10-using-powershell

Here is the technet article for a more detailed look at available defender cmdlets: https://technet.microsoft.com/en-us/library/dn433280.aspx

  • 2
    I don't believe this would stop and disable the service itself. It just disables the real-time capabilities of Windows Defender, which can simply be done through Settings; no need for a PowerShell applet.
    – Ramhound
    Commented Jan 14, 2016 at 19:48
  • @Ramhound edited for service mgmt with powershell. I'm not 100% it will stop the service without the same issue as net stop service but I have had more luck with powershell and don't believe get/stop-service alias to net-stop
    – Abraxas
    Commented Jan 14, 2016 at 19:57

Go to Settings, Security, Virus & threat protection, Manage settings, Tamper protection. Set to Off. Then add this:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
