Prerequisite: you know what you are doing security-wise and do not want Defender security notifications.
Approach:
1. Elevate privileges and disable the Defender scheduled tasks
Reference: https://cloud.tencent.com/developer/article/2285183
Put AdvancedRun.exe in the C:\Windows directory.
Then, in the Run box, execute the following command as administrator.
Elevate to TrustedInstaller:
AdvancedRun.exe /Clear /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /StartDirectory "C:\" /CommandLine "" /RunAs 8 /Run
Elevate to SYSTEM:
AdvancedRun.exe /Clear /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /StartDirectory "C:\" /CommandLine "" /RunAs 4 /Run
An elevated PowerShell window will open; run these PowerShell lines in that window (requires Internet access):
$client = new-object System.Net.WebClient
$client.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/2024-1-17forbid_taskschd.ps1','C:\2024-1-17forbid_taskschd.ps1')
powershell -file C:\2024-1-17forbid_taskschd.ps1
2. In Safe Mode, change the permissions on C:\ProgramData\Microsoft\Windows Defender, then disable the 9 or 10 security-related services
Properties → Security → Advanced → Change owner → Administrators (as shown in the figure below) → Apply → Yes → Yes → OK → OK → OK
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /v Start /t REG_DWORD /d 4 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /v Start /t REG_DWORD /d 4 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /v Start /t REG_DWORD /d 4 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v Start /t REG_DWORD /d 4 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v Start /t REG_DWORD /d 4 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /v Start /t REG_DWORD /d 4 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MDCoreSvc" /v Start /t REG_DWORD /d 4 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 4 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc" /v Start /t REG_DWORD /d 2 /f
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /v Start
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /v Start
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /v Start
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v Start
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v Start
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /v Start
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MDCoreSvc" /v Start
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc" /v Start
3. Suppress the security notifications through the registry
reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /d 0 /t REG_DWORD /f
4. Restart the machine
restart-computer -force
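The changes above leave a recognizable footprint: services with Start=4, notification-suppression values set to 1, a re-owned Defender data folder, AdvancedRun.exe sitting in C:\Windows, and disabled Defender scheduled tasks. The following audit script is an added example for administrators or responders who need to check whether a machine has been through this procedure; it is not part of the original article and not from the AdvancedRun project. It assumes an elevated PowerShell prompt, the Defender and ScheduledTasks modules being present where those checks run (each is skipped if the cmdlet is missing), and the service names and registry paths exactly as the article lists them.

```powershell
# Added audit script (not from the original article): reports indicators that
# Defender was disabled the way the article describes. Run elevated.

$services = 'Sense','WdBoot','WdFilter','WdNisDrv','WdNisSvc','WinDefend',
            'MDCoreSvc','SecurityHealthService','wscsvc','MpsSvc'
$findings = @()

# Step 2 sets Start=4 (Disabled) on these services; flag any that are disabled.
foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { continue }   # e.g. Sense is absent without MDE onboarding
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings += "Service $svc has Start=4 (Disabled)" }
}

# Step 3 sets these values to 1; any non-zero value is a finding.
$notifyValues = @(
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Explorer'; Name = 'DisableNotificationCenter' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications'; Name = 'DisableNotifications' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'; Name = 'DisableEnhancedNotifications' }
)
foreach ($v in $notifyValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($v.Name) -ne 0) {
        $findings += "$($v.Path)\$($v.Name) = $($item.($v.Name))"
    }
}

# Step 2 re-owns the Defender data folder to Administrators; that owner is unusual.
$dataDir = 'C:\ProgramData\Microsoft\Windows Defender'
if (Test-Path $dataDir) {
    $owner = (Get-Acl -Path $dataDir).Owner
    if ($owner -eq 'BUILTIN\Administrators') { $findings += "$dataDir is owned by $owner" }
}

# Step 1 drops AdvancedRun.exe into C:\Windows.
if (Test-Path 'C:\Windows\AdvancedRun.exe') { $findings += 'AdvancedRun.exe present in C:\Windows' }

# Step 1 disables the Defender scheduled tasks (via the downloaded script).
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -ErrorAction SilentlyContinue |
        Where-Object { $_.State -eq 'Disabled' } |
        ForEach-Object { $findings += "Scheduled task disabled: $($_.TaskName)" }
}

# Defender's own status, where the Defender module is available.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $st = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($st -and -not $st.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
}

if ($findings.Count -eq 0) { 'No tampering indicators found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script only reads state; reverting the changes is a matter of setting the Start values back, deleting the notification values, and re-running the Defender service, but the point of the audit is to make the tampering visible in the first place, since with the notification center suppressed the machine itself will not say anything.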