

作者: j2rong    时间: 昨天 18:41
标题: PE下删除WD脚本亲测可用
装好系统以后、重启之前运行会更好。如果你的系统盘不在C盘,就可以把C:改成其他盘的盘符。


@echo off

REM ; Purpose: edit the registry hives of an offline Windows installation from a PE
REM ; environment so that Microsoft Defender and the Windows Security components are
REM ; removed or disabled the next time that installation boots.
REM ; Security impact: besides the antivirus itself, later sections of this script also
REM ; switch off UAC, kernel exploit mitigations and the Spectre/Meltdown mitigations and
REM ; delete the Defender autologger sessions. The target system is left without its
REM ; built-in protection and with less security telemetry.
REM ; Mount the offline SYSTEM and SOFTWARE hives under temporary names. The C: path is
REM ; hard-coded; the post says to change it when the system volume has another letter.
REM ; NOTE(review): the result of reg load is not checked, so every later command still
REM ; runs when a hive failed to load.
reg load HKLM\TEMPSYSTEM C:\Windows\System32\config\system
reg load HKLM\TEMPSOFTWARE C:\Windows\System32\config\software

REM ; Remove the Defender and Windows Security services.
REM ; Each line deletes a whole service key from ControlSet001 of the offline SYSTEM hive:
REM ; the Defender antivirus service (WinDefend), its filter and boot drivers (WdFilter,
REM ; WdBoot), network inspection (WdNisDrv, WdNisSvc), the Security Center service
REM ; (wscsvc) and System Guard runtime monitoring (SgrmAgent, SgrmBroker).
REM ; MsSecCore is presumably another Microsoft security driver - confirm.
REM ; Only ControlSet001 is touched; other control sets in the hive are left as they are.
REM ; For responders: these service keys missing from a SYSTEM hive is a tamper indicator.
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\MsSecCore" /f
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\wscsvc" /f
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\WdNisDrv" /f
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\WdNisSvc" /f
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\WdFilter" /f
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\WdBoot" /f
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\SgrmAgent" /f
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\SgrmBroker" /f
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\WinDefend" /f
REM ; Policy value that locks the "Virus and threat protection" area of the Windows Security UI.
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f
REM ; Disable device drivers
REM ; NOTE(review): the heading does not match the command below, which writes a Defender
REM ; real-time protection value (DisableAsyncScanOnOpen) and touches no driver.
reg add "HKLM\TEMPSOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableAsyncScanOnOpen" /t REG_DWORD /d "1" /f
REM ; Disable in-kernel mitigations
REM ; Overwrites the system-wide mitigation option bitfields and turns off kernel SEHOP.
REM ; NOTE(review): presumably each "2" nibble in the binary data forces one mitigation
REM ; off - confirm against Microsoft's mitigation-options documentation.
REM ; Security impact: this weakens exploit protection for every process on the system,
REM ; which has nothing to do with removing the antivirus.
reg add "HKLM\TEMPSYSTEM\ControlSet001\Control\Session Manager\kernel" /v "MitigationAuditOptions" /t REG_BINARY /d "000000000000202200000000000000200000000000000000" /f
reg add "HKLM\TEMPSYSTEM\ControlSet001\Control\Session Manager\kernel" /v "MitigationOptions" /t REG_BINARY /d "002222202220222220000000002000200000000000000000" /f
reg add "HKLM\TEMPSYSTEM\ControlSet001\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f
REM ; Disable the Spectre and Meltdown mitigations
REM ; FeatureSettingsOverride and FeatureSettingsOverrideMask both set to 3 is the
REM ; override pair for switching these speculative-execution mitigations off.
REM ; NOTE(review): the meaning of FeatureSettings = 1 is not evident from the script - confirm.
reg add "HKLM\TEMPSYSTEM\ControlSet001\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSYSTEM\ControlSet001\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
reg add "HKLM\TEMPSYSTEM\ControlSet001\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
REM ; Disable service mitigation
REM ; Sets Enabled = 0 under the FTH (Fault Tolerant Heap) key.
reg add "HKLM\TEMPSOFTWARE\Microsoft\FTH" /v "Enabled" /t REG_DWORD /d "0" /f
REM ; Disable UAC
REM ; EnableLUA = 0 turns User Account Control off and ConsentPromptBehaviorAdmin = 0
REM ; removes the elevation prompt for administrators.
REM ; LocalAccountTokenFilterPolicy = 1 additionally gives local administrator accounts
REM ; an unfiltered token on remote logons, which widens the exposure of the machine on
REM ; a network. None of these four values is needed to disable Defender.
reg add "HKLM\TEMPSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d "1" /f

REM ; Turn off real-time protection
REM ; Writes the Defender group-policy values that disable the engine and each real-time
REM ; component: behaviour monitoring, scanning of downloaded files (IOAV), on-access
REM ; protection and real-time monitoring.
REM ; For responders: these Disable* values set to 1 under Policies\Microsoft\Windows
REM ; Defender are a common tamper indicator and worth alerting on.
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableAsyncScanOnOpen" /t REG_DWORD /d "1" /f
REM ; Remove further Defender and Windows Security services
REM ; Deletes the SecurityHealthService key (the service behind the Windows Security app)
REM ; and the MsSecFlt and MsSecWfp service keys.
REM ; NOTE(review): MsSecFlt and MsSecWfp are presumably Microsoft security filter
REM ; drivers - confirm. The policy value in between concerns exploit protection settings
REM ; in the Windows Security UI.
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\SecurityHealthService" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "1" /f
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\MsSecFlt" /f
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Services\MsSecWfp" /f
REM ; Force-disable the Windows Defender antivirus policies
REM ; This run works on the PolicyManager defaults for Defender in the offline SOFTWARE hive.
REM ; NOTE(review): the six commands below all write under the AllowIOAVProtection key,
REM ; including values named after other settings (PUAProtection, ServiceKeepAlive and
REM ; so on). Whether anything reads those names in that location is not shown here.
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "value" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "PUAProtection" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "DisableLocalAdminMerge" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f
REM ; The commands in the rest of this run that carry no /v option only make sure the
REM ; key exists; they write no value. Only AllowScriptScanning, AvgCPULoadFactor,
REM ; ScanParameter and SignatureUpdateInterval receive a "value" entry.
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowArchiveScanning" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowCloudProtection" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowEmailScanning" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanOnMappedNetworkDrives" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanRemovableDriveScanning" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIntrusionPreventionSystem" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowOnAccessProtection" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowRealtimeMonitoring" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScanningNetworkFiles" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScriptScanning" /v "value" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AllowUserUIAccess" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\AvgCPULoadFactor" /v "value" /t REG_DWORD /d "50" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\CheckForSignaturesBeforeRunningScan" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\CloudBlockLevel" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\CloudExtendedTimeout" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\DaysToRetainCleanedMalware" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupFullScan" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupQuickScan" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\EnableControlledFolderAccess" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\EnableLowCPUPriority" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\EnableNetworkProtection" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\PUAProtection" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\RealTimeScanDirection" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\ScanParameter" /v "value" /t REG_DWORD /d "2" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanDay" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanTime" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\SignatureUpdateInterval" /v "value" /t REG_DWORD /d "24" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\Defender\SubmitSamplesConsent" /f
REM ; Group-policy values under Policies\Microsoft\Windows Defender in the offline
REM ; SOFTWARE hive, grouped by subkey: Exclusions, MpEngine, NIS, Policy Manager, Scan,
REM ; Signature Updates, Spynet, UX Configuration, Exploit Guard and Reporting.
REM ; Most commands set a Disable* switch to 1 or a protection level to 0. A few are
REM ; written the other way round (DisableArchiveScanning, DisableEmailScanning,
REM ; DisableScanningNetworkFiles and DisableCatchupFullScan under Scan are set to 0),
REM ; so the list is not uniformly "everything off".
REM ; For responders: a populated policy tree like this one on a machine that is not
REM ; managed by group policy is itself evidence of tampering.
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideDisableOnAccessProtection" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideRealtimeScanDirection" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideDisableIOAVProtection" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideDisableBehaviorMonitoring" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideDisableIntrusionPreventionSystem" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideDisableRealtimeMonitoring" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "RealtimeScanDirection" /t REG_DWORD /d "2" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "IOAVMaxSize" /t REG_DWORD /d "1298" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "LowCpuPriority" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "2" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t REG_DWORD /d "5184" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f
REM ; Spynet values: block-at-first-seen off, cloud reporting off, sample submission set to 2.
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f
REM ; Exploit Guard: controlled folder access and network protection both set to 0.
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "0" /f
REM ; Creates the 32-bit view of the policy key without writing any value into it.
reg add "HKLM\TEMPSOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender" /f
REM ; The same kind of switches under the older "Microsoft Antimalware" policy key.
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Microsoft Antimalware" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet" /v "LocalSettingOverrideSpyNetReporting" /t REG_DWORD /d "0" /f
REM ; Reporting: notifications, generic reports and WPP tracing are switched off, which
REM ; reduces the diagnostic data available to an investigator.
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d "0" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingComponents" /t REG_DWORD /d "0" /f
REM ; Code-integrity policy state set to 0.
REM ; NOTE(review): this value presumably controls Smart App Control - confirm. It is a
REM ; code-integrity setting rather than a Defender antivirus setting.
reg add "HKLM\TEMPSYSTEM\ControlSet001\Control\CI\Policy" /v "VerifiedAndReputablePolicyState" /t REG_DWORD /d "0" /f
REM ; Disable the antivirus
REM ; Prevent overriding of the real-time protection settings
REM ; Disable Windows Defender Security Center notifications
REM ; NOTE(review): the three headings above are stacked with no commands between them;
REM ; only the last one describes the commands that follow.
REM ; The first three commands only create the PolicyManager keys; no value is written.
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableEnhancedNotifications" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableNotifications" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\HideWindowsSecurityNotificationAreaControl" /f
REM ; The Security Center key is deleted with everything in it and then recreated with
REM ; three values only, so any provider state stored there before is lost.
reg delete "HKLM\TEMPSOFTWARE\Microsoft\Security Center" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\Security Center" /v "FirstRunDisabled" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\Security Center" /v "AntiVirusOverride" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Microsoft\Security Center" /v "FirewallOverride" /t REG_DWORD /d "1" /f
reg add "HKLM\TEMPSOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
REM ; NOTE(review): HKCU is the hive of the user running this script, that is the PE
REM ; session, not a hive loaded from the offline installation. This command therefore
REM ; changes the running environment rather than the installed system.
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
REM ; Delete thirteen COM class registrations, first from the 32-bit view
REM ; (Classes\WOW6432Node\CLSID) and then from the native view (Classes\CLSID).
REM ; NOTE(review): the script does not say which components these CLSIDs belong to;
REM ; presumably they are Defender and Windows Security COM servers - confirm before
REM ; relying on that.
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}" /f

REM ; NOTE(review): the 26 commands below repeat the 26 commands above line for line.
REM ; The keys are already gone at this point, so this second pass only produces
REM ; "not found" errors.
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}" /f
REM ; Defender logs
REM ; Deletes the two Defender autologger session keys under Control\WMI\Autologger.
REM ; Security impact: this removes Defender's own boot-time trace sessions, so less
REM ; evidence is recorded on the target system. For responders: these keys missing from
REM ; a SYSTEM hive is a tamper indicator.
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger" /f
reg delete "HKLM\TEMPSYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger" /f
REM ; Clear the Defender scheduled tasks
REM ; Deletes four entries from the Task Scheduler cache (TaskCache\Tasks) by GUID.
REM ; NOTE(review): the task names behind these GUIDs are not shown, and the script does
REM ; not touch any other part of the task cache or the task files on disk.
reg delete "HKLM\TEMPSOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0ACC9108-2000-46C0-8407-5FD9F89521E8}" /f
reg delete "HKLM\TEMPSOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D77BCC8-1D07-42D0-8C89-3A98674DFB6F}" /f
reg delete "HKLM\TEMPSOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4A9233DB-A7D3-45D6-B476-8C7D8DF73EB5}" /f
reg delete "HKLM\TEMPSOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B05F34EE-83F2-413D-BC1D-7D5BD6E98300}" /f
REM ; Remove the antivirus scan entry from the right-click context menu
REM ; This run also deletes the whole Microsoft\Windows Defender configuration key of
REM ; the offline SOFTWARE hive, not only shell menu entries.
reg delete "HKLM\TEMPSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}" /f
reg delete "HKLM\TEMPSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}" /f
reg delete "HKLM\TEMPSOFTWARE\Microsoft\Windows Defender" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\Folder\shell\WindowsDefender" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\DesktopBackground\Shell\WindowsSecurity" /f
REM ; NOTE(review): the parent key of this Command subkey was already deleted two
REM ; commands earlier, so this command has nothing left to delete.
reg delete "HKLM\TEMPSOFTWARE\Classes\Folder\shell\WindowsDefender\Command" /f

REM ; The six lines below are commented out by the author and do not run. They address
REM ; HKCU, which is the hive of the user running the script.
rem reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\windowsdefender" /f
rem reg delete "HKCU\Software\Classes\ms-cxh" /f
rem reg delete "HKCU\Software\Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0" /f
rem reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
rem reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
rem reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f

REM ; Delete the application identity, protocol handler and resource cache keys
REM ; registered under Classes. In the MrtCache path the percent signs are doubled so
REM ; that the batch interpreter passes a single literal one to reg.
reg delete "HKLM\TEMPSOFTWARE\Classes\AppUserModelId\Windows.Defender" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\Local Settings\MrtCache\C:%%5CWindows%%5CSystemApps%%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%%5Cresources.pri" /f
REM ; NOTE(review): the same delete is issued twice; the second one finds nothing.
reg delete "HKLM\TEMPSOFTWARE\Classes\WindowsDefender" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WindowsDefender" /f
REM ; Remove shell associations
REM ; NOTE(review): the heading does not match the commands below, which remove
REM ; Defender maintenance entries from Control\Ubpm and Defender rules from the
REM ; firewall's restricted-services list.
REM ; NOTE(review): the commands that name HKLM\SYSTEM address the registry of the
REM ; environment the script is running in, not the TEMPSYSTEM hive loaded at the top.
REM ; They change the running PE session rather than the offline installation; for
REM ; TEMPSYSTEM only the empty keys are created.
reg delete "HKLM\SYSTEM\ControlSet001\Control\Ubpm" /v "CriticalMaintenance_DefenderCleanup" /f
reg delete "HKLM\SYSTEM\ControlSet001\Control\Ubpm" /v "CriticalMaintenance_DefenderVerification" /f
reg add "HKLM\SYSTEM\ControlSet001\Control\Ubpm" /f
reg add "HKLM\TEMPSYSTEM\ControlSet001\Control\Ubpm" /f
reg delete "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WindowsDefender-1" /f
reg delete "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WindowsDefender-2" /f
reg delete "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WindowsDefender-3" /f
reg add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /f
REM ; Disable Windows Defender signature updates
REM ; Remove the Defender startup entries
REM ; NOTE(review): no command in this run changes signature updates; the first heading
REM ; above has no matching command here.
reg add "HKLM\TEMPSYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /f

REM ; Make sure the StartupApproved\Run key exists, then remove the WindowsDefender
REM ; value from the machine-wide Run key of the offline SOFTWARE hive.
reg add "HKLM\TEMPSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /f
reg delete "HKLM\TEMPSOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
REM ; Remove web protection
REM ; The first command only makes sure the Run key still exists. The CLSID deletes are
REM ; issued twice; the second pair finds nothing. The last four commands delete the
REM ; WebThreatDefense runtime class registrations.
reg add "HKLM\TEMPSOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}" /f
reg delete "HKLM\TEMPSOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}" /f
reg delete "HKLM\TEMPSOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Service.UserSessionServiceManager" /f
reg delete "HKLM\TEMPSOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatExperienceManager.ThreatExperienceManager" /f
reg delete "HKLM\TEMPSOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatResponseEngine.ThreatDecisionEngine" /f
reg delete "HKLM\TEMPSOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Configuration.WTDUserSettings" /f
REM ; Hide Defender in the Windows Settings pages
REM ; The value is written with the fixed string below, so any SettingsPageVisibility
REM ; policy already present in the hive is overwritten.
reg add "HKLM\TEMPSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender;" /f

REM ; Unmount both temporary hives so the changes are written back to the offline
REM ; installation's hive files.
REM ; NOTE(review): the script takes no backup of either hive before editing and checks
REM ; no command result, so it offers no way to undo the changes and reports no failure.
reg unload HKLM\TEMPSYSTEM
reg unload HKLM\TEMPSOFTWARE

REM ; Warn that the computer is about to restart and wait for a key press. Closing the
REM ; window at this point cancels only the restart; the registry edits are already done.
echo 警告:计算机即将重启!
echo.
echo 按下任意键重启,直接关闭窗口取消...
pause > nul

REM Restart the computer immediately
shutdown /r /t 0






作者: a66    时间: 昨天 18:52
支持,不错~
作者: fuldho    时间: 昨天 19:04
支持,辛苦了
作者: autumntree    时间: 昨天 19:39
没大看懂,要好好学习一下。
作者: mrzhonghb    时间: 昨天 19:41
感谢分享,不过在隔壁论坛看到的是一样的
https://bbs.pcbeta.com/forum.php ... 52&highlight=WD
作者: 轻松是心    时间: 昨天 19:51
支持,不错~
作者: skycafe    时间: 昨天 19:51
6666666666666666
作者: semiuel    时间: 昨天 19:54
mrzhonghb 发表于 2025-12-14 19:41
感谢分享,不过在隔壁论坛看到的是一样的
https://bbs.pcbeta.com/forum.php?mod=viewthread&tid=2045952& ...

论坛之间互相转载帖子吧。
作者: erdos47    时间: 昨天 20:04
感谢分享
作者: wn168cn@163.com    时间: 昨天 20:11
感谢分享
作者: smile_z    时间: 昨天 20:26
感谢分享
作者: zyy    时间: 昨天 22:20
谢谢分享
作者: gordonhf    时间: 16 小时前
纯路过
作者: ZDL214R    时间: 16 小时前
为什么要删WD?
作者: 俪尚皇    时间: 14 小时前
@echo off
REM ; Offline script for a Windows PE session: mounts the installed system's SYSTEM,
REM ; SOFTWARE and default-user hives, deletes Defender / Windows Security registry keys,
REM ; writes policy values that switch protection features off, then reboots.
REM ; Security impact: besides Defender, the sections below also turn off UAC, kernel
REM ; exploit mitigations and the Spectre / Meltdown settings, and delete the Defender
REM ; autologger sessions, so the target boots with far fewer protections and less telemetry.
REM ; For defenders: the end state is visible as missing WinDefend and SecurityHealthService
REM ; service keys plus the values under Policies\Microsoft\Windows Defender. Offline edits
REM ; like these need boot access to a readable system volume, which full-disk encryption
REM ; and a locked-down boot order are meant to prevent.
title  PE中禁用原系统Windows Defender脚本

echo 警告:本脚本仅适合在PE中操作使用!
echo 在PE中原系统如果显示的不是C盘,请先将本脚本中的C:改成正确的盘符
echo.
echo 按任意键继续,或直接关闭本窗口取消操作...
pause > nul

REM ; Mount the original system's registry hives from within PE
REM ; If the original system does not appear as C: in PE, change C: to the correct drive letter
REM ; NOTE(review): the result of reg load is not checked, so a wrong drive letter is not
REM ; detected before the remaining commands run.
reg load HKLM\SYSTEM2 C:\Windows\System32\config\system
reg load HKLM\SOFTWARE2 C:\Windows\System32\config\software
reg load HKLM\CU2 C:\Users\Default\ntuser.dat

REM ; Remove Defender and Windows Security services
REM ; Only ControlSet001 is edited; other control sets, if present, are left untouched.
reg delete "HKLM\SYSTEM2\ControlSet001\Services\MsSecCore" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\wscsvc" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\WdNisDrv" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\WdNisSvc" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\WdFilter" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\WdBoot" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\SgrmAgent" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\SgrmBroker" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\WinDefend" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f
REM ; Disable device drivers (original label; the line below only sets DisableAsyncScanOnOpen)
reg add "HKLM\SOFTWARE2\Microsoft\Windows Defender\Real-Time Protection" /v "DisableAsyncScanOnOpen" /t REG_DWORD /d "1" /f
REM ; Disable in-kernel mitigations
REM ; NOTE(review): the two REG_BINARY blobs are opaque here; their per-mitigation meaning
REM ; is not documented in this script - confirm before relying on them.
reg add "HKLM\SYSTEM2\ControlSet001\Control\Session Manager\kernel" /v "MitigationAuditOptions" /t REG_BINARY /d "000000000000202200000000000000200000000000000000" /f
reg add "HKLM\SYSTEM2\ControlSet001\Control\Session Manager\kernel" /v "MitigationOptions" /t REG_BINARY /d "002222202220222220000000002000200000000000000000" /f
reg add "HKLM\SYSTEM2\ControlSet001\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f
REM ; Disable Spectre / Meltdown mitigations
REM ; These affect the whole OS, not Defender; they leave the CPU side-channel
REM ; mitigations off for every process on the machine.
reg add "HKLM\SYSTEM2\ControlSet001\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM2\ControlSet001\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
reg add "HKLM\SYSTEM2\ControlSet001\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
REM ; Disable service mitigation (FTH key, presumably the Fault Tolerant Heap - confirm)
reg add "HKLM\SOFTWARE2\Microsoft\FTH" /v "Enabled" /t REG_DWORD /d "0" /f
REM ; Disable UAC
REM ; EnableLUA=0 and ConsentPromptBehaviorAdmin=0 remove elevation prompts system-wide.
REM ; LocalAccountTokenFilterPolicy=1 also removes remote UAC filtering for local
REM ; administrator accounts, which widens exposure over the network.
REM ; NOTE(review): FilterAdministratorToken=1 normally turns Admin Approval Mode on for the
REM ; built-in Administrator; with EnableLUA=0 it presumably has no effect - confirm.
reg add "HKLM\SOFTWARE2\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d "1" /f

REM ; Turn off real-time protection
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableAsyncScanOnOpen" /t REG_DWORD /d "1" /f
REM ; Remove Defender and Windows Security related services
reg delete "HKLM\SYSTEM2\ControlSet001\Services\SecurityHealthService" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "1" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\MsSecFlt" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\MsSecWfp" /f
REM ; Force-disable Windows Defender antivirus policies
REM ; NOTE(review): the next six values are all written under the AllowIOAVProtection key,
REM ; although five of them carry the names of other settings - looks like a copy error;
REM ; confirm the intended keys.
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "value" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "PUAProtection" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "DisableLocalAdminMerge" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f
REM ; The lines below that carry no /v switch only make sure the policy key exists;
REM ; they write no value into it.
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowArchiveScanning" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowCloudProtection" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowEmailScanning" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowFullScanOnMappedNetworkDrives" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowFullScanRemovableDriveScanning" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowIntrusionPreventionSystem" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowOnAccessProtection" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowRealtimeMonitoring" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowScanningNetworkFiles" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowScriptScanning" /v "value" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AllowUserUIAccess" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\AvgCPULoadFactor" /v "value" /t REG_DWORD /d "50" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\CheckForSignaturesBeforeRunningScan" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\CloudBlockLevel" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\CloudExtendedTimeout" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\DaysToRetainCleanedMalware" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\DisableCatchupFullScan" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\DisableCatchupQuickScan" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\EnableControlledFolderAccess" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\EnableLowCPUPriority" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\EnableNetworkProtection" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\PUAProtection" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\RealTimeScanDirection" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\ScanParameter" /v "value" /t REG_DWORD /d "2" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\ScheduleScanDay" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\ScheduleScanTime" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\SignatureUpdateInterval" /v "value" /t REG_DWORD /d "24" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\Defender\SubmitSamplesConsent" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideDisableOnAccessProtection" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideRealtimeScanDirection" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideDisableIOAVProtection" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideDisableBehaviorMonitoring" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideDisableIntrusionPreventionSystem" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "LocalSettingOverrideDisableRealtimeMonitoring" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "RealtimeScanDirection" /t REG_DWORD /d "2" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "IOAVMaxSize" /t REG_DWORD /d "1298" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Policy Manager" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f
REM ; NOTE(review): several Scan values below are written as 0 (DisableArchiveScanning,
REM ; DisableScanningNetworkFiles, DisableCatchupFullScan, DisableEmailScanning), which by
REM ; their names leaves those scans enabled - confirm whether that is intended.
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Scan" /v "LowCpuPriority" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "2" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t REG_DWORD /d "5184" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\WOW6432Node\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Microsoft Antimalware" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Microsoft Antimalware\SpyNet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Microsoft Antimalware\SpyNet" /v "LocalSettingOverrideSpyNetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingComponents" /t REG_DWORD /d "0" /f
REM ; NOTE(review): a code-integrity policy value rather than a Defender one; presumably
REM ; this switches Smart App Control off - confirm.
reg add "HKLM\SYSTEM2\ControlSet001\Control\CI\Policy" /v "VerifiedAndReputablePolicyState" /t REG_DWORD /d "0" /f
REM ; Disable antivirus
REM ; Forbid overriding the real-time protection settings
REM ; Disable Windows Defender Security Center notifications
REM ; (the first two labels above have no commands of their own in this script)
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableEnhancedNotifications" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\DisableNotifications" /f
reg add "HKLM\SOFTWARE2\Microsoft\PolicyManager\default\WindowsDefenderSecurityCenter\HideWindowsSecurityNotificationAreaControl" /f
REM ; The whole Security Center key is deleted first and then recreated with only the
REM ; three values below, so anything else stored under it is lost.
reg delete "HKLM\SOFTWARE2\Microsoft\Security Center" /f
reg add "HKLM\SOFTWARE2\Microsoft\Security Center" /v "FirstRunDisabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Microsoft\Security Center" /v "AntiVirusOverride" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Microsoft\Security Center" /v "FirewallOverride" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE2\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
REM ; Written to the default-user hive, so it applies to profiles created afterwards;
REM ; existing user profiles are not touched by this script.
reg add "HKLM\CU2\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
REM ; Delete COM class registrations, 32-bit view first and then the native view.
REM ; NOTE(review): the script does not say which component each CLSID belongs to.
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}" /f

REM ; NOTE(review): the 26 lines below repeat the CLSID deletions above verbatim; on the
REM ; second pass the keys are already gone, so the commands only report errors.
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}" /f
REM ; Defender logs
REM ; Deleting these two Autologger keys removes the Defender audit and API trace
REM ; sessions, i.e. a loss of security telemetry on the target.
reg delete "HKLM\SYSTEM2\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Control\WMI\Autologger\DefenderApiLogger" /f
REM ; Clear Defender scheduled tasks
REM ; NOTE(review): the task GUIDs are taken on trust from the original label - verify
REM ; against the TaskCache of the target build before use.
reg delete "HKLM\SOFTWARE2\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0ACC9108-2000-46C0-8407-5FD9F89521E8}" /f
reg delete "HKLM\SOFTWARE2\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D77BCC8-1D07-42D0-8C89-3A98674DFB6F}" /f
reg delete "HKLM\SOFTWARE2\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4A9233DB-A7D3-45D6-B476-8C7D8DF73EB5}" /f
reg delete "HKLM\SOFTWARE2\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B05F34EE-83F2-413D-BC1D-7D5BD6E98300}" /f
REM ; Remove the antivirus scan entry from the right-click context menu
reg delete "HKLM\SOFTWARE2\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}" /f
reg delete "HKLM\SOFTWARE2\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}" /f
REM ; Deletes the whole Windows Defender product key, including the Real-Time Protection
REM ; value written near the top of this script.
reg delete "HKLM\SOFTWARE2\Microsoft\Windows Defender" /f
reg delete "HKLM\SOFTWARE2\Classes\Folder\shell\WindowsDefender" /f
reg delete "HKLM\SOFTWARE2\Classes\DesktopBackground\Shell\WindowsSecurity" /f
REM ; NOTE(review): redundant - the parent WindowsDefender key was already deleted two lines up.
reg delete "HKLM\SOFTWARE2\Classes\Folder\shell\WindowsDefender\Command" /f

REM ; Default-user hive: URL and class associations plus the per-user Run entries.
REM ; The final reg add has no /v, so it only makes sure the Run key still exists.
reg delete "HKLM\CU2\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\windowsdefender" /f
reg delete "HKLM\CU2\Software\Classes\ms-cxh" /f
reg delete "HKLM\CU2\Software\Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0" /f
reg delete "HKLM\CU2\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
reg delete "HKLM\CU2\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
reg add "HKLM\CU2\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f

REM ; The doubled percent signs in the MrtCache path are batch escaping for a single
REM ; literal percent sign in the key name. The last two lines are duplicates.
reg delete "HKLM\SOFTWARE2\Classes\AppUserModelId\Windows.Defender" /f
reg delete "HKLM\SOFTWARE2\Classes\AppUserModelId\Microsoft.Windows.Defender" /f
reg delete "HKLM\SOFTWARE2\Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0" /f
reg delete "HKLM\SOFTWARE2\Classes\Local Settings\MrtCache\C:%%5CWindows%%5CSystemApps%%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%%5Cresources.pri" /f
reg delete "HKLM\SOFTWARE2\Classes\WindowsDefender" /f
reg delete "HKLM\SOFTWARE2\Classes\WindowsDefender" /f
REM ; Remove shell associations (original label; the lines below actually remove the
REM ; Defender maintenance values under Ubpm and the Defender firewall service rules)
reg delete "HKLM\SYSTEM2\ControlSet001\Control\Ubpm" /v "CriticalMaintenance_DefenderCleanup" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Control\Ubpm" /v "CriticalMaintenance_DefenderVerification" /f
reg add "HKLM\SYSTEM2\ControlSet001\Control\Ubpm" /f
reg add "HKLM\SYSTEM2\ControlSet001\Control\Ubpm" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WindowsDefender-1" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WindowsDefender-2" /f
reg delete "HKLM\SYSTEM2\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WindowsDefender-3" /f
reg add "HKLM\SYSTEM2\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /f
REM ; Disable Windows Defender signature updates (label only; no matching command follows)
REM ; Remove Defender startup entries
reg add "HKLM\SYSTEM2\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /f

reg add "HKLM\SOFTWARE2\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /f
reg delete "HKLM\SOFTWARE2\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
REM ; Remove web protection
REM ; The CLSID pair is deleted twice; the second pair of commands is redundant.
reg add "HKLM\SOFTWARE2\Microsoft\Windows\CurrentVersion\Run" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}" /f
reg delete "HKLM\SOFTWARE2\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}" /f
reg delete "HKLM\SOFTWARE2\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}" /f
reg delete "HKLM\SOFTWARE2\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Service.UserSessionServiceManager" /f
reg delete "HKLM\SOFTWARE2\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatExperienceManager.ThreatExperienceManager" /f
reg delete "HKLM\SOFTWARE2\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.ThreatResponseEngine.ThreatDecisionEngine" /f
reg delete "HKLM\SOFTWARE2\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Configuration.WTDUserSettings" /f
REM ; Hide the Defender page in Windows Settings
REM ; This overwrites any SettingsPageVisibility value the system already had.
reg add "HKLM\SOFTWARE2\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender;" /f

REM ; Unmount the offline hives so the edits are written back to the hive files.
REM ; NOTE(review): HKLM\CU2, loaded above from the default-user ntuser.dat, is not
REM ; unloaded here.
reg unload HKLM\SYSTEM2
reg unload HKLM\SOFTWARE2

echo 警告:计算机即将重启!
echo.
echo 按任意键重启,或直接关闭本窗口取消重启...
pause > nul

REM Reboot the computer
shutdown /r /t 0
作者: 燕飞龙    时间: 8 小时前
感谢分享
作者: renlihl    时间: 8 小时前
谢谢分享
作者: nie956    时间: 8 小时前
感谢分享
作者: it323    时间: 7 小时前
都是离线移除干净再用,感谢分享!
作者: ebaqiang    时间: 7 小时前
这个好,感谢分享
作者: lanmeizhuangyua    时间: 7 小时前
多谢楼主分享
作者: sulong    时间: 7 小时前
谢谢楼主分享
作者: wang1126    时间: 7 小时前
谢谢楼主分享
作者: cncecpcy    时间: 6 小时前
好。。。。。。。。
作者: xpzzj    时间: 6 小时前
it323 发表于 2025-12-15 08:27
都是离线移除干净再用,感谢分享!

离线移除是什么意思,就是在PE下移除?
作者: kkddff    时间: 6 小时前
多谢楼主分享
作者: 路路路过    时间: 5 小时前
感谢大佬分享
作者: hmaaaa    时间: 5 小时前
謝謝大大分享,感恩喔~~! ^^ 辛苦了!
作者: 董大    时间: 5 小时前
没看懂,要学习一下
作者: guong    时间: 5 小时前
谢谢分享了!
作者: it323    时间: 4 小时前
xpzzj 发表于 2025-12-15 09:42
离线移除是什么意思,就是在PE下移除?

用NTLite移除后重新封装;当然用楼主的脚本移除也可以(我没测试),前提是脚本没问题、能用。
作者: showlin615    时间: 3 小时前
感谢分享
作者: win82    时间: 3 小时前
感谢分享
作者: cncecpcy    时间: 2 小时前
好。。。。。。。



