I ruined my vacation by reverse engineering WSC
todsacerdoti | 357 points | 50 days ago | blog.es3n1n.eu
nyanpasu64 | 50 days ago
The most invasive but effective way I've found to disable Defender is to boot into a live Linux USB, rename "C:\ProgramData\Microsoft\Windows Defender", and create an empty file in its place.
71bw | 49 days ago
Group policies still work so effectively that I've set up a local domain using a controller in my homelab that does nothing but change the defender policies automatically for all users.
devwastaken | 49 days ago
Group policy no longer works on Win11. Updates will reverse it. Additionally, Defender detects turning off real-time monitoring as malware.
grishka | 49 days ago
Group policies and registry keys are gentle suggestions. Deleting or renaming files is an "I wasn't asking, it's my computer not yours" kind of approach.
tbrownaw | 49 days ago
Oh, I thought the "I wasn't asking" option was to just reimage it with Linux.
smileybarry | 49 days ago
…until Windows Update Repair or the like undo your changes.
grishka | 49 days ago
You can do this to Windows Update too.
smileybarry | 49 days ago
Which itself gets repaired by Windows Update Repair.
grishka | 48 days ago
Either way, removing C:\windows\system32\wua* did it for me.
smileybarry | 49 days ago
I thought so too, but if you switch everything off (including Tamper Protection) in the UI, then turn it off via (local!) Group Policy, it sticks. I’ve set up a few Windows 10 22H2 & 11 24H2 test VMs this way and they still have Defender disabled.
(I think you need to disable Tamper Protection first, otherwise you later get a threat detected of “WinDefendDisable”, but if you allow/unquarantine it doesn’t auto-enable again)
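A defender-side audit of the state this subthread describes, added here as an example (it is not code from the thread or from defendnot): it reports Defender's own status, flags the local policy values that switch Defender off, checks whether the ProgramData folder named in the top comment has been replaced with a plain file, and lists recent Defender events for protection being disabled. The cmdlets, registry paths and event IDs are standard Windows ones; run it from an elevated PowerShell session on the host being checked.

```powershell
# Added example: audit whether Microsoft Defender is active and whether any of the
# overrides discussed in this thread (policy values, a replaced ProgramData folder) are present.
# Run in an elevated PowerShell session on the Windows host being checked.

try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    [PSCustomObject]@{
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        AMServiceEnabled   = $status.AMServiceEnabled
    } | Format-List
} catch {
    # The cmdlet itself fails when the Defender service is gone or unreachable.
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
}

# Policy values that turn Defender off; they exist only if someone set them via GPO or the registry.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)
foreach ($check in $policyChecks) {
    $value = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -ne $value) {
        Write-Warning ("Policy override present: {0}\{1} = {2}" -f $check.Path, $check.Name, $value.($check.Name))
    }
}

# The folder-rename trick from the top comment leaves a plain file where Defender expects a directory.
$dataDir = 'C:\ProgramData\Microsoft\Windows Defender'
if (-not (Test-Path -Path $dataDir -PathType Container)) {
    if (Test-Path -Path $dataDir -PathType Leaf) {
        Write-Warning "$dataDir is a file, not a directory: Defender's data folder has been replaced."
    } else {
        Write-Warning "$dataDir is missing."
    }
}

# Defender's operational log records protection being switched off
# (5001 real-time protection disabled, 5010 antispyware disabled, 5012 antivirus disabled).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5010, 5012 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

A clean host prints all four status flags as True and no warnings; any warning or listed event is the thing to investigate.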
71bw | 49 days ago
And yet I have none of these issues on 11 LTSC 24H2? Sounds like you forgot to disable Tamper Protection
OsrsNeedsf2P | 49 days ago
As someone who moved to Linux 10 years ago, this comment chain shows Windows became the real hacker distro
animuchan | 49 days ago
In a sense, it has been for a long time.
With Linux, there's often a good clean way to do a thing, and then there are weird hacks.
On Windows, it often starts with weird hacks, as Microsoft is further enclosing its ecosystem.
(I use Windows mostly for gaming and VR, and still have to constantly fiddle with the system to keep it working on a basic level, sad face emoji. Who would've thunk that merely playing an 8K European documentary in VR would require configuring DirectShow filters found on GitHub.)
SSLy | 49 days ago
> Who would've thunk that merely playing an 8K European documentary in VR would require configuring DirectShow filters found on GitHub.
Dios Mio, get mpv, enable gpu-hq
animuchan | 48 days ago
Thanks! How do I run it in VR though? Can't find it in the manual[1]
[1]: https://mpv.io/manual/master/
SSLy | 48 days ago
via Virtual Desktop I suppose. So mpv would do all of the video stuff and then would blit a SbS video onto VD, and VD would warp the two halves on a spherical surface?
Honestly I've never thought about that before.
cjbgkagh | 49 days ago
By doing it slowly they are enabling a hacker spirit to evolve, which I'm sure is unintentional.
71bw | 49 days ago
The 'weird hack' is actually just a normal option left hanging in Defender options that clearly states it will prevent "other" stuff from changing Defender settings.
Fokamul | 49 days ago
To prepare a Win11 Enterprise edition image for distribution, I run a ~200 lines long PowerShell script, nuking every bloatware MS puts into Win. It's ridiculous.
Linux distro devs, working for free, pushing excellent product can't compare with these clowns in high-paying jobs at Microsoft, pretending they're working.
RedCardRef | 49 days ago
Care to share the PowerShell script with us?
qingcharles | 49 days ago
https://github.com/Raphire/Win11Debloat
I start with Tiny11 first though these days, then run that to get rid of the last few bits.
nyanpasu64 | 49 days ago
I found that this script broke Win+R Run dialog history by setting Start_TrackProgs. This was undocumented, and I had to disable it manually. (Worse yet, it doesn't show up on GitHub search because the .reg files are UTF-16.)
devwastaken | 49 days ago
It's been disabled. Defender group policy auto re-enabling is readily reproducible. I have a screenshot showing Defender detecting the group policy change as a malware detection.
Any control you think you have over Windows is imaginary.
71bw | 48 days ago
Once again: Tamper Protection
ForOldHack | 49 days ago
That is basically how a popular product does it, while taking down about 25% of the entire internet...
noisem4ker | 49 days ago
Are you talking about the recent CrowdStrike screwup?
stuckkeys | 49 days ago
I see what you did there.
keepamovin | 49 days ago
It's weird that Windows wouldn't have a signed manifest that would detect that.
vachina | 49 days ago
You can also disable Windows Update entirely by taking ownership of wuaueng.dll and .exe. It’s the only effective method on Windows Home.
subscribed | 49 days ago
But disabling updates on the system connected to the Internet is a terrible idea.
How do you update that afterwards?
stuffoverflow | 49 days ago
I have yet to see concrete evidence that disabling Windows Update and Windows Defender would elevate the risk of having the system compromised in any meaningful way.
I installed Windows 10 2016 LTSC on a VM at the end of last year out of curiosity to test that. Disabled Windows Update and Defender before letting it access the internet, so that it was basically 8 years behind on any updates. I tried browsing all kinds of sketchy sites with Firefox and Chrome, clicking ads etc., but wasn't able to get the system infected.
I would guess that keeping your browser updated is more important.
keepamovin | 49 days ago
Correct! The browser is now the key vector because it's the most promiscuous and lascivious-for-code-and-data software on most devices.
Browser zero-days are why I factored out a way to distribute "web RPA agent creation" on any device, with no download, into its own product layer for browser isolation. It's a legitimate defense layer, but the main barriers to adoption are operating friction, even though it makes the task of hackers who want to compromise your network with browser 0-days much harder.
Because of that the RBI aspect is not as popular as the ways it's being used where you need a really locked down browser, with policies for preventing upload/download, even copy and paste, etc., for DLP (data loss prevention) in regulated enterprises.
Even so I think the potential applications of this tech layer are just starting.
amne | 49 days ago
Just the other day I went to a website to flash a new firmware on a Zigbee dongle. Straight from a Chrome tab. Wild!
Then it hit me: the only thing keeping a rogue website from sweeping your entire life is a browser's permissions popup.
keepamovin | 48 days ago
Crazy, right? On the whole I think it's great and wonderful that the web platform has grown into the gorgeous monster that it is. I mean, what better than a unified technology to serve us all the world's information from any device in a basically sandboxed environment. I'm even all for the beautiful way the platform has developed, rapidly adding capabilities, and how the languages JavaScript, HTML and CSS have evolved. I think all that is wonderful. And I really enjoyed the ride.
But all of that growth and integration comes with these vulnerabilities, and so the cyber and DLP control aspect of web browsers is a very important one.
If this resonates with you, I invite you to check out my company's project BrowserBox on GitHub.
mr_toad | 49 days ago
> I have yet to see concrete evidence that disabling Windows update and windows defender would elevate risk of having the system compromised in any meaningful way.
It’s much less likely than it was 20 years ago. A lot of attack vectors have already been fixed. But hypothetically a bug in the network stack could still leave an internet connected machine vulnerable.
tmcdos | 48 days ago
Do not connect it directly - use a dedicated router device.
kenjackson | 49 days ago
You benefit from the fact that most machines are patched. If a lot more people used 2016 builds and didn’t patch you’d see a lot more exploits.
tmcdos | 48 days ago
I use stock Win7 SP1 with just a couple updates (recently TLS and SHA-512, but only 27 hotfixes in total) and the only way to break something is if I deliberately run unverified executables that were manually downloaded from untrusted sources. And since I don't do this - my machine is still running the same installation that I did on December 24th 2014.
e12e | 49 days ago
> browsing all kinds of sketchy sites with Firefox and chrome
How did you install those? Downloaded via another system? Because with that old system, you are missing SSL certificates (Firefox and Chrome bring their own).
smileybarry | 49 days ago
Maybe, but with good old Windows PKI you’re bound to still have a working chain of trust with Mozilla/Google.
…either that or the machine cheated and updated root CAs in the background (which isn’t Windows Update-controlled anymore).
Yizahi | 49 days ago
How do you know your system wasn't infected in that experiment?
vachina | 49 days ago
By reinstating the ownership of those files.
londons_explore | 49 days ago
Since the rest of the world updates their PCs, malware authors rarely focus on exploiting older versions.
Both Chrome and Windows are now in that position.
Basically, unless you are of interest to state-level attackers, in 2025 even unpatched Chrome/Windows won't get drive-by exploited.
p_ing | 49 days ago
Path traversal attacks against IIS (or any web server) are still routine yet those were fixed back in the Win 2K days.
Your thought process is not correct.
eru | 49 days ago
That seems like pretty sketchy reasoning.
Like leaving your door unlocked, because you live in such a sketchy neighbourhood that everyone else always locks their doors.
TeMPOraL | 49 days ago
It would make sense if the cost/danger for the thieves to check every door would be prohibitive. Unfortunately, with networked computers, checking the doors is usually both riskless and effectively free.
eru | 49 days ago
And turning off your old door checker, just because someone fixed the vulnerability in the latest version, is probably more hassle than it's worth.
hansbo | 49 days ago
More like, continue living in a sketchy neighbourhood because all the thieves go to the newer, more polished neighbourhoods anyway.
shakna | 49 days ago
There are still active attacks against DOS and Win98. Automated driveby attacks, just looking to increase the size of a bot farm. There are still new exploits being released against rather old systems.
Sesse__ | 49 days ago
Now I'm curious, how do you attack DOS? I mean, it comes without networking support, and if you have local access, you're already privileged.
leeter | 49 days ago
You attack the networking stacks for it, those are still actively developed (mTCP was last updated Jan 2025) as businesses use networked DOS for quite a few things. A DOS networking stack consists of a packet driver, a NIC driver, and a protocol library. All of those have attack surface. NIC drivers in particular often haven't really had updates since they were first released. Because for hardware manufacturers of the time the goal was on getting people to use the hardware, not on supporting them. There are newer DOS NIC drivers than you'd think too. Realtek last I checked still makes and supports an ISA NIC.
Sesse__ | 49 days ago
So you are not talking about attacking old code at all, but networking stacks that are indeed actively developed? That feels like a very different ball game from attacking Win98, even if the platform they are running on top of is old.
leeter | 49 days ago
It's a complicated space. There are attacks on both maintained and unmaintained stacks. There are definitely attacks against windows 95/98 too because people have things like mills or other industrial automation that are powered by those OSes still connected to the internet. There is a lot of SCADA[1] too that fits that bill. It's easy to think "but why wasn't this replaced!" and the answer is almost always "cost or process certification". If the operator is lucky and has good networking folks all of this is in a very very well firewalled VLAN. But, never underestimate the amount of people that are not that savvy and just have it plugged into the internet.
For anyone saying these aren't targets, no they are probably already hacked. These are the things that keep the national security folks up at night knowing an adversary has them already backdoored and set up for take down. Moreover if they execute on that they would go for maximum damage first to either create chaos, or prevent the system from being repaired easily.
perching_aix | 49 days ago
Would suck if an exploit was present for years, sometimes decades. Would especially suck if people piled up old exploits and fell back on them as needed.
nsteel | 49 days ago
Imagine if this was all automated, even scripted, so even kiddies could do it, or others with almost zero security knowledge.
I'd really, really like to think most of us don't follow this terrible security practice based on a bad premise.
LoganDark | 49 days ago
Actually riddle me this: what if you want to exploit exactly the type of person to disable updates? They are potentially more lucrative targets if nobody else targets them. Just a thought. It's sort of how "delete me" services profit off paranoia, they're a lucrative market because of the paranoia.
ZiiS | 49 days ago
Everything was a zero-day at one point in time. The effort is indeed usually put in whilst it is the current version. But retrying all old malware isn't effort; it is more or less the definition of script-kiddy (though state-level attackers will do it too).
kjs3 | 49 days ago
Those of us who actually do this stuff for a living still routinely see probes for Slammer, Zotob, Blaster and more from when we booted our computers by rubbing two sticks together.
da_chicken | 49 days ago
It does have that. Windows uses code signing and either DISM or SFC to do that.
But this isn't about the binaries. It's where definitions and configuration are stored. It's C:\ProgramData, not C:\Program Files.
The system also can't object too severely. Third party endpoint protection exists.
nyanpasu64 | 49 days ago
This is about the binaries. I first tried renaming the folder in Program Files, but Defender still kept eating RAM and CPU resources which were scarce on a 12-year-old laptop.
keepamovin | 49 days ago
My bad. You correctly understood my mistake here. I assumed it was clobbering a binary.
arghwhat | 49 days ago
> Third party endpoint protection exists.
Much to everyone's dismay. :/
qbane | 50 days ago
FYI, WSC stands for Windows Security Center.
Washuu | 49 days ago
Thank you for the help. It is really frustrating when authors do not define an acronym when it is first introduced in the text.
unmole | 49 days ago
But they do:
> The part of the system that manages all this mess is called Windows Security Center - WSC for short.
Washuu | 49 days ago
It needs to be closer to where the acronym is first introduced. The definition, on my screen, is below the fold, so it cannot be seen in the context of where the acronym is first introduced. If it was defined below the title, I would understand.
* https://apastyle.apa.org/style-grammar-guidelines/abbreviati...
* https://www.stylemanual.gov.au/grammar-punctuation-and-conve...
* https://learn.microsoft.com/en-us/style-guide/acronyms
I do a lot of copy editing for clarity and non-native speakers, so I have to keep these things in mind. ¯\_(ツ)_/¯
es3n1n | 49 days ago
This is somewhat useful feedback, however I am not too sure how this can be fixed given the structure of my blog post. Do you think that if I just add a line `*WSC is short for Windows Security Center` in the first paragraph this will be enough?
magicalhippo | 49 days ago
My suggestion:
In this post I will briefly describe the journey I went through while implementing defendnot, a tool that disables Windows Defender by using the Windows Security Center (WSC) service API directly.
es3n1n | 49 days ago
Thank you! I changed the first paragraph to include these changes.
cheschire | 49 days ago
Ah that makes sense. I saw this subthread and was quite confused because WSC was clearly and obviously defined in the first sentence.
Now I see why. Thanks for incorporating the feedback! It had a positive impact for me coming later to this article.
Washuu | 49 days ago
Appreciated, thank you!~ \( ̄︶ ̄*\))
mdaniel | 49 days ago
Or use the abbr element (and its title attribute) that was designed for that purpose; no extraneous "flow" breaking required. Mobile people can long press on the indicator to read more, and everyone who magically knew what WSC meant gets to continue to know what WSC means.
https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/...
alias_neo | 49 days ago
The typical solution is to include the expansion in brackets after the first use.
Simple rule I learned on my Electronic Engineering degree (where we're guilty of many, many acronyms): when you write an acronym/initialism in a paper (or anywhere for others to read, really), assume the reader doesn't know what it stands for and include the expansion in brackets immediately after the first use.
EDIT: As my sibling comment also suggests, writing it in full the first time, and using the acronym/initialism in brackets is also acceptable.
lawgimenez | 49 days ago
Just wondering, is this Slack? Just wondering what kind of logging flow you're using.
https://blog.es3n1n.eu/posts/how-i-ruined-my-vacation/pics/p...
GranPC | 49 days ago
Looks like Discord.
es3n1n | 49 days ago
This is Discord in the "Compact" theme.
n4r9 | 49 days ago
At least that one is defined later on. I'm still scratching my head over "CTF".
[Edit - could be Capture The Flag?]
tempaway43563 | 49 days ago
You're right, that never gets defined. Yes, a Capture The Flag sort of cybersecurity competition, I think.
rschiavone | 49 days ago
They do. They understandably shorten it in the title, but then they define the acronym the first time they use it in the article.