Turn On or Off Tamper Protection for Microsoft Defender Antivirus  


  1. Posts : 1,767
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #30

    Anixx said:
    Well, actually the posts above provided information on how I can disable tamper limitations using safe mode, which I actually did and uninstalled the defender service.
    I note though: deleting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features as advised above is impossible even in safe mode and even after taking ownership over it. Still, changing the value of the tamper service is possible.
    IMO changing permissions is fraught with pitfalls, especially if you don't revert permissions back after fiddling. From what I've read, reverting permissions rarely works 'properly'.

    On the very rare occasions I've changed protected keys I've run Registry Editor as System or Trusted Installer instead of changing permissions or using Safe Mode. I could be wrong but IMO this is a better method more in line with what Windows does itself. For example, here's the Tamper Protection key removed completely:
    [Screenshot: tamper_protection_removed.png]

    Note that I don't advise this - it's up to you if you break your Windows install - it's just to show what is possible. There are many third-party utilities that allow you to elevate to System and/or Trusted Installer:
    [Screenshot: regedit_as_system.png]

    Hope this helps...


  2. Posts : 41
    Windows 8.1
       #31

    RickC said:
    On the very rare occasions I've changed protected keys I've run Registry Editor as System or Trusted Installer instead of changing permissions or using Safe Mode. I could be wrong but IMO this is a better method more in line with what Windows does itself. For example, here's the Tamper Protection key removed completely:
    Hope this helps...
    Do you claim that you can change this registry key by running regedit as TrustedInstaller or System? In that case, no, you cannot change it without safe mode.


  3. Posts : 1,767
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #32

    Anixx said:
    Do you claim that you can change this registry key by running regedit as TrustedInstaller or System? In that case, no, you cannot change it without safe mode.
    To be honest, I removed that registry key so long ago I can't remember... but I do know that I've never used Safe Mode ever.


  4. Posts : 776
    Windows 7
       #33

    For a live system, Tamper Protection cannot be changed except through the Security Center UI. That's by design.

    For an "offline" system, where you booted from another Windows instance (WinPE, Recovery, dual boot), the registry key requires TrustedInstaller (not SYSTEM) privileges to update. The reason it can be easily done in Linux is because those tools don't care about Windows rights.


  5. Posts : 41
    Windows 8.1
       #34

    garlin said:
    For a live system, Tamper Protection cannot be changed except through the Security Center UI. That's by design.

    For an "offline" system, where you booted from another Windows instance (WinPE, Recovery, dual boot), the registry key requires TrustedInstaller (not SYSTEM) privileges to update. The reason it can be easily done in Linux is because those tools don't care about Windows rights.
    I took ownership of this key using safe mode and turned off the tamper protection. But I could not delete or rename that key. It is still there. Even by taking ownership in safe mode, I cannot give admins "special privileges" on the key, only can give "read" and "write". Tamper protection is off, but deleting the key is impossible.


  6. Posts : 776
    Windows 7
       #35

    Taking ownership by itself doesn't grant you full privileges; the missing step is running icacls to give yourself write permissions. You can own something for which you don't have write privileges.

    This step is much harder to perform on a registry entry vs. a folder or file. You need a specialized tool like SetACL.exe.

    The cleaner method is to download PowerRun and temporarily open a CMD or Registry Editor session which has TrustedInstaller rights, and not bother messing with changing permissions. But again, Windows will protect the key if you've booted with the value enabled. It has to be done from a different booted Windows.

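
Added example (not part of any post in this thread): a read-only PowerShell audit that illustrates the ownership-versus-permissions distinction from post #35 on the key named in this thread. It lists the key's owner separately from the ACEs that actually grant write-type rights, then prints the state Defender itself reports; the function name `Get-RegistryKeyWriteAudit` is hypothetical.

```powershell
# Added example: read-only audit; nothing here changes the registry or Defender.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'

# Rights that allow altering or removing the key, plus the GENERIC_WRITE
# (0x40000000) and GENERIC_ALL (0x10000000) bits that can appear unmapped
# on inherit-only ACEs.
$writeMask = ([int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership') -bor 0x50000000

function Get-RegistryKeyWriteAudit {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $acl  = Get-Acl -Path $Path -ErrorAction Stop
    $aces = foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity     = $ace.IdentityReference.Value
            Type         = $ace.AccessControlType
            Inherited    = $ace.IsInherited
            Rights       = $ace.RegistryRights
            WriteCapable = [bool]([int]$ace.RegistryRights -band $writeMask)
        }
    }
    $writers = @($aces | Where-Object { $_.Type -eq 'Allow' -and $_.WriteCapable })

    # Ownership and write access are separate: by default the owner can read
    # and rewrite the DACL, but can only set or delete values if an Allow ACE
    # grants it. Only direct ACEs are matched here, not group membership.
    [pscustomobject]@{
        Path             = $Path
        Owner            = $acl.Owner
        OwnerHasWriteAce = [bool]($writers | Where-Object { $_.Identity -eq $acl.Owner })
        WriteCapable     = $writers
    }
}

try {
    $audit = Get-RegistryKeyWriteAudit -Path $keyPath
    "Owner: $($audit.Owner)  (owner has direct write ACE: $($audit.OwnerHasWriteAce))"
    $audit.WriteCapable | Format-Table Identity, Inherited, Rights -AutoSize
} catch {
    Write-Warning "Could not read ACL on ${keyPath}: $($_.Exception.Message)"
}

# Effective state as Defender reports it, independent of what the ACL allows.
try {
    "IsTamperProtected: $((Get-MpComputerStatus -ErrorAction Stop).IsTamperProtected)"
} catch {
    Write-Warning "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
}
```

Comparing the owner and the write-capable entries against the same output from a clean install of the same Windows build shows whether the key's permissions have been altered.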


  7. Posts : 2
    windows 10
       #36

    Anixx said:
    I took ownership of this key using safe mode and turned off the tamper protection. But I could not delete or rename that key. It is still there. Here. Even by taking ownership in safe mode, I cannot give admins "special privileges" on the key, only can give "read" and "write". Tamper protection is off, but deleting the key is impossible.
    I had the same problem! I struggled for a long time and was unable to remove these keys even in safe mode!


 
