79

I can't disable the Microsoft Antimalware service (MsMpSvc/MsMpEng.exe). I tried using services.msc, but the Startup Type drop-down is grayed out and I can't change it to Disabled nor stop the service. I also tried msconfig, but when I click Apply, the service gets enabled again. I even tried net stop msmpsvc and got system error 5 (access denied).

Any suggestions?

Sevenate
Italo
  • Do you have admin rights on the computer? –  Oct 27 '12 at 17:19
  • Yes, of course. –  Oct 27 '12 at 17:45
  • Which operating system? –  Oct 27 '12 at 21:33
  • 6
    This is **by design** for most any anti-virus software. If turning it off were that easy, the software could not be effective against malware. – Joel Coehoorn Feb 04 '13 at 20:57
  • Install an antivirus application, such as AVG. – Andy Jun 05 '15 at 00:17
  • Stupid thing had 5 GB of memory on my (Windows 10) PC just now. Couldn't even start FF without it crashing. Ended up having to restart. – Andrew Dec 12 '17 at 04:01
  • That thing is going **off**. Along with its **design**. – Andrew Dec 12 '17 at 04:02
  • *"If turning it off were that easy, the software could not be effective against malware."* This is the stupidest myth that refuses to die. If you are an administrator, you have the ability to administrate - that includes disabling rogue anti-virus software that tries to prevent administrators from stopping it. The myth is that if it was that easy to stop: then any malware could do it. False. Malware cannot stop it because the malware isn't running as an administrator - because we invented Windows Vista and UAC. And if the malware *did* manage to elevate: then it can stop your AV software. – Ian Boyd Nov 16 '21 at 02:43
  • The reason you cannot (by default) stop an anti-virus service is because *permissions*, set through Access Control Lists (ACLs), are set on the anti-virus services to not grant *"stop"* permission to Administrators. But Administrators have permission to *edit* the service's ACLs. Which means that Administrators (and any malware running as administrator) can disable anti-virus software. The security boundary is not being allowed to run as an administrator. Once you (or malware) are running as admin: you have full control of the PC. That is why we always run as *standard user*. – Ian Boyd Nov 16 '21 at 02:46
  • First it was standard users are limited, and Administrators can administrate. Then in the XP days people decided that since everyone runs as `Administrator`, we need a level of security ***higher*** than administrator. And so came the hacks and rootkits - modifying the OS in an attempt to create a super-administrator. This just kicked off an unwinnable arms race. Vista fixed this, restoring security and sanity. The security boundary is between standard user and administrator ***and that's it***. Anyone who tries to block administrators is doing it wrong and doesn't understand security. – Ian Boyd Nov 16 '21 at 02:50
  • This way works for sure: https://superuser.com/a/1590934/40928 – Moab Jan 27 '22 at 15:52

10 Answers

36

Just in case someone faces the same question on Windows 8/8.1 - there is now a built-in option to stop both Windows Defender-related services:

  • Windows Defender Network Inspection Service and
  • Windows Defender Service:

Turn off Windows Defender

Sevenate
  • 2
    Author is using `Windows 7` not `Windows 8` and your answer only applies to `Windows 8`. – Ramhound Apr 26 '14 at 23:11
  • 2
    It does not help for me (Win 8.1 prof). I disabled real time protection, turned off this app and there is still MsMpEng.exe consuming my CPU and disk. Computer is so slow... – Tomas Kubes Oct 28 '14 at 19:56
  • @qub1n, well, this is kind of strange. It may sound obvious, but have you tried to reboot your computer and after that check the check box from the image above? – Sevenate Oct 30 '14 at 17:01
  • Yes, I disabled it months ago. – Tomas Kubes Oct 31 '14 at 07:32
  • I also disabled it on Windows 10 with almost the same steps. But there seem to be notifications about the system being at risk. But it was running all of the time when I was working and my disk was not silenced (my computer is a bit old and it may be a special situation for this old computer, but anyway there should be an error in the OS); now it is OK when it is off. – Emre Guldogan Oct 23 '15 at 18:22
  • 2
    This answer works for Windows 7. I was able to Disable Real-time protection and uncheck the "Turn on this app" option. After clicking past the dire warnings, the icon removed itself from the task bar and the unstoppable Windows service stopped. – pdwalker Apr 20 '16 at 18:56
  • @pdwalker I guess MS updated the Defender app for all OS versions at some point, so this UI is now available on Windows 7 as well (when I was using Windows 7 it was not there yet). – Sevenate Apr 20 '16 at 19:15
  • On Win8.1 it does not work. The service is still running. – Anixx May 16 '16 at 20:26
16

Another way to get around the protection:

  1. Go to options and
  2. Find where it says "Exclude files and folders"
  3. Then just add the "C:\" drive.

This way even if you can't disable it outright, it can't scan your computer at all.

Also do this for both Windows Defender and Microsoft Essentials.

Coding Carl
  • 1
    Of course, don't forget to remove the exclusions once you're done with whatever you wanted to accomplish, otherwise it's as good as not having it installed at all. – Karan Jul 14 '13 at 03:55
  • 5
    Not having it installed at all sounds like exactly the solution to the problem. Anyone going to these lengths SHOULD know that they can't expect their babysitter to keep them from destroying their machine with warez and virusez any longer. – mightypile Oct 11 '15 at 17:10
  • 2
    That's not quite true +Karan, not having it installed at all would be even better. – Jerry Asher Aug 01 '16 at 19:13
9

The best way to disable the Defender is to run regedit.exe, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender, take ownership of this registry key (inside regedit.exe or via the 3rd party tool RegOwnershipEx) and set the values DisableAntiSpyware and DisableAntiVirus both to 1.


Note, if you only see 1 of the values, change this one.

magicandre1981
  • 1
    Appears to work under Windows 10, I think... – Andrew Dec 12 '17 at 04:11
  • 6
    @Andrew this question is for Win7,8. [For Windows 10](https://superuser.com/a/988550/174557), go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender and create the DWORDS here and set them to 1. – magicandre1981 Dec 12 '17 at 16:33
  • Yes, your answer doesn't change any. Thanks though! – Andrew Dec 16 '17 at 04:40
  • @Andrew for me setting the values under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender works fine for my Windows 10 1709 VM – magicandre1981 Dec 16 '17 at 16:43
  • Right. What I'm saying is, there's no need to visit that link. Your answer covers both Windows 7&8 and also Windows 10. – Andrew Dec 17 '17 at 18:03
  • 1
    This doesn't seem to work. MsMpEng.exe still runs – rollsch Oct 12 '19 at 15:27
  • 3
    @rolls Microsoft changes this with each Windows 10 version to force users into their shitty program. I'm tired of updating this all the time. Try the [reg from this blog](https://winaero.com/blog/disable-windows-defender-in-windows-10-version-1903/) – magicandre1981 Oct 13 '19 at 08:30
  • this is not valid for 1909 – Zombo Jun 22 '20 at 14:46
9

OK, it appears the UI has changed, at least with Windows 10 "Creators Update":

Settings app -> "Update & Security" -> Windows Defender -> "Open Windows Defender Security Center" -> "Virus & Threat protection" -> "Virus & Threat Protection settings" (button) -> "Real-time protection" slide the selector button to "off"

Now MsMpEng.exe isn't using 100% CPU and the system is faster (though unprotected).

For a disk intensive build my build times went from 8m33s to 1m49s whoa! Also note if you use WSL you can exclude its files from Windows Defender to get a similar speedup. Or any other folders.

rogerdpack
6

If you just want to shut it down temporarily:

1) Open the search bar (right side of screen)

2) Search SETTINGS and type in ADVANCED

3) Select "Advanced startup options"

4) Scroll to the bottom and select "Restart now" (computer will restart and bring you to the Advanced Startup options menu.)

5) Select "Troubleshoot" at the Advanced Startup options menu.

6) Select the "Startup settings" option.

7) Select "Disable early-launch anti-malware protection" (option #8)

8) Select the restart button and you'll be brought to Windows.

Do whatever you want to do, and the next time you restart your computer it will be enabled automatically again.

SQLiteNoob
4

On Windows 7, this MsMpEng.exe service is part of Microsoft Security Essentials (find it under Start > All Programs). You can disable its real-time protection, in the Settings tab:


However, this might not disable the MsMpEng.exe service from running, so you'd probably have to uninstall Microsoft Security Essentials for this matter:


Noam Manos
4

Windows Defender/Microsoft Security Essentials is very tightly knit into the operating system in order to provide more security. It's best to disable it through the natural means than trying to cut it out piece by piece.

Go to your control panel, and select the entry for your Microsoft Antivirus. It might be listed as "Windows Defender" depending on your update history. Look in the 'settings' section in the Antivirus GUI for a "disable"

Depending on how updated your Windows Defender/MSE is, and how updated you received the program, these steps may vary, but the general idea is the same: disable it the way they provided you, not by trying to be crafty.

You'll find that many antiviruses will inject modifications into discrete crevasses of your operating system in the name of security.
Good rules of thumb to remember are to

  1. Always install, uninstall, disable, and so on, the way the manufacturer intended. If you fail to do so, and you don't know exactly what you're doing, start over. (e.g. Reinstall, then uninstall)
  2. Search for tools which allow you to clean up after failed operations. For example, Symantec provides the Norton Removal Tool, which will scan for leftovers of a damaged [un]installation and remove them.
jsvk
  • 4
    Thanks for the advice, but that is not what I asked. I can of course uninstall it, and that's what I've been doing. But installing and uninstalling all the time is not practical. I am really looking for a way of disabling it temporarily. – Italo Oct 30 '12 at 17:48
  • 2
    @Italo Disabling the antivirus via the GUI is a quicker and equally safe alternative to uninstalling. It's covered in my second paragraph. If you must use services.msc, run it *as an administrator* and disable the service. Note: If your username is not "Administrator", it means you are *an* administrator, and you must still open "services" by clicking "Run as Administrator" – jsvk Oct 30 '12 at 18:20
3

Here is how to completely disable Windows Defender service on Windows 10 and Windows Server 2019:

Run as trusted installer

  • Click on it, you will get this prompt:

Enter the command to run with Trusted Installer privileges

  • Enter C:\Windows\System32\regedt32.exe and click OK.

This will launch Registry Editor with Trusted Installer privileges. Be extra careful because now you will be able to change or delete ANY registry key which means if you delete or change the wrong one you will hose your system.

  • Open HKLM\SYSTEM\CurrentControlSet\Services\WinDefend registry key.

  • Change the Start value to 4.

  • Reboot.

  • Enjoy your PC without Microsoft's protection.

A word of warning, don't do this unless you are absolutely sure you know what you are doing, because it will leave you exposed to malware.

Igor Levicki
  • This did not work for me as is (Windows 10 20H2, Build 19042.1415), the service start mode was being reset to Automatic after a restart; it helped me though because I was able to deny write access to `SYSTEM` on that `WinDefend` key, that did the trick so Windows wasn't able to reset my changes after the restart. – yv989c Jan 24 '22 at 03:02
  • @yv989c Service start mode should not be auto-resetting after reboot. Preventing write access to that key may break your Windows Update in case the update needs to write anything to that key. – Igor Levicki Feb 01 '22 at 13:24
-1

Go to Settings, Security, Virus & threat protection, Manage settings, Tamper protection. Set to Off. Then add this:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
```
Zombo
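
Added example (not part of any answer on this page): a small auditor that scans the text of a `reg export` dump for the registry values the answers above set (`DisableAntiSpyware`, `DisableAntiVirus`, `DisableRealtimeMonitoring`, and `Start` = 4 under `Services\WinDefend`), useful when checking whether a machine's protection has been switched off. The function name `audit_reg_export` and the sample export are constructed for illustration.

```python
import re

# Keys named in the answers above, lower-cased for case-insensitive matching.
DEF = r"hkey_local_machine\software\microsoft\windows defender"
POL = r"hkey_local_machine\software\policies\microsoft\windows defender"
SVC = r"hkey_local_machine\system\currentcontrolset\services\windefend"

# (key, value name) -> DWORD data that switches protection off.
WATCHED = {
    (DEF, "disableantispyware"): 1,
    (DEF, "disableantivirus"): 1,
    (POL, "disableantispyware"): 1,
    (POL, "disableantivirus"): 1,
    (POL + r"\real-time protection", "disablerealtimemonitoring"): 1,
    (SVC, "start"): 4,  # 4 = service disabled
}

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def audit_reg_export(text):
    """Return (key, name, data) for each watched value set to its 'off' data."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)  # string and binary values are skipped
        if m and key is not None:
            data = int(m.group(2), 16)
            if WATCHED.get((key.lower(), m.group(1).lower())) == data:
                findings.append((key, m.group(1), data))
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000002
"DisplayName"="constructed string value"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"""
```

`reg export` writes UTF-16 text, so read the file with `encoding="utf-16"` before passing its contents to the function.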
-1

I'm not sure if any of these methods work for anyone, and there is probably a better way (and I'm not sure how permanent this is either), but for me I did the following:

Located the executable for Windows Defender, using open file location in Task Manager. For me it was located at C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and was called MsMpEng.exe

Booted up a Linux system via USB and used it to delete the file (since the program was always running, I couldn't delete it while Windows was running).

Steps using Arch (assuming you have the ISO, used Rufus to extract onto a USB, and have booted into Arch):

`fdisk -l` and located the name of the partition that would be the C: drive (for me `/dev/sda3`)

Mount the drive so that it can be accessed: `mount /dev/sda3 /mnt/c`

Used `cd` to navigate to the exe location. `/mnt/c`, `cd /ProgramData/Microsoft/Windows Defender/Platform/4.18.2107.4-0`, used `ls` to check it was there (you can also do it one directory at a time for convenience).

Deleted the file: `rm MsMpEng.exe`

Navigated out of the `/mnt` filesystem with `cd ../`

Unmounted the disk with `umount`

Rebooted and the program was gone.

If nothing works for you. This might at least be a temporary solution :D

P.S. For most people I don't recommend

  1. turning off your antivirus. It's a good way to get malware on your system,

  2. tampering with Windows systems in this way, at least without some sort of backup. This is a really good way to completely break your system.

Xantium
  • Deleting files will break Windows Update -- it uses delta patching and expects original files to be present. – Igor Levicki Jan 17 '23 at 14:21
  • @IgorLevicki Ah yeah, I found that out later. I'll still use this here, as I do use this from time to time, and it might help someone else – Xantium Jan 24 '23 at 13:42
  • IMO, the safest way to remove Windows Defender is to install Windows Server 2022 -- it has an option to remove Windows Defender (remove roles and features). – Igor Levicki Jan 24 '23 at 21:49