Can anyone explain why admin cant kill windefend service?  

Hi!

How do I kill current scan on my computer? All I can ever find in the internet is how to stop windows defender completely, but is there a way to stop the service just temporarily? It's gone in some infinite loop and scanning status is not even showing up in windows defender UI so there is no button to cancel it. Currently I dont want to reboot either.

If I run cmd as admin and type sc stop I get this:
C:\Windows\system32>sc stop windefend
[SC] OpenService FAILED 5:

Access is denied.

Can anyone tell how can service be immune to admin rights? I mean I know that kernel can protect itself from user mode process killing, but does windefend service run in kernel mode or is it just some clever permissions trick?

Current windows version: Version 10.0.17134.165

When a process starts it can define what permissions are needed to do various things, including killing the process. One option is such that even the SYSTEM account (the account with the highest rights in the system) would not be able to do this. Windows has provided this facility for a long time.

Malware would try to kill security software and because of this it must take active steps to defend itself. This is pretty much standard practice for security software. Because it is so well known Windows Defender may take steps beyond setting permissions.

Most security software, including Windows Defender, provides some means of temporarily turning protection off. This is designed so it can only be done by explicit user action. It cannot be done with external software.

This article describes how to turn temporarily off Defender security. After some undocumented period of time it will be automatically turned on.

How to Turn Off Windows Defender in Windows 10 (with Pictures)

Does this need something special to do this? Like some microsoft signed driver? Or can I also implement that kind of protection for my process if I have full admin rights but no driver, but just WinAPI calls?