Can anyone explain why admin cant kill windefend service?  

  1. Posts : 48
    Windows 10 Pro

    Can anyone explain why admin cant kill windefend service?


    How do I kill current scan on my computer? All I can ever find in the internet is how to stop windows defender completely, but is there a way to stop the service just temporarily? It's gone in some infinite loop and scanning status is not even showing up in windows defender UI so there is no button to cancel it. Currently I dont want to reboot either.

    If I run cmd as admin and type sc stop I get this:
    C:\Windows\system32>sc stop windefend
    [SC] OpenService FAILED 5:

    Access is denied.

    Can anyone tell how can service be immune to admin rights? I mean I know that kernel can protect itself from user mode process killing, but does windefend service run in kernel mode or is it just some clever permissions trick?

    Current windows version: Version 10.0.17134.165
      My Computer

  2. Posts : 1,254
    Windows 10 Pro

    When a process starts it can define what permissions are needed to do various things, including killing the process. One option is such that even the SYSTEM account (the account with the highest rights in the system) would not be able to do this. Windows has provided this facility for a long time.

    Malware would try to kill security software and because of this it must take active steps to defend itself. This is pretty much standard practice for security software. Because it is so well known Windows Defender may take steps beyond setting permissions.

    Most security software, including Windows Defender, provides some means of temporarily turning protection off. This is designed so it can only be done by explicit user action. It cannot be done with external software.

    This article describes how to turn temporarily off Defender security. After some undocumented period of time it will be automatically turned on.

    How to Turn Off Windows Defender in Windows 10 (with Pictures)
      My Computer

  3. Posts : 48
    Windows 10 Pro
    Thread Starter

    Does this need something special to do this? Like some microsoft signed driver? Or can I also implement that kind of protection for my process if I have full admin rights but no driver, but just WinAPI calls?
      My Computer


  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 03:50.
Find Us

Windows 10 Forums