How to Permanently Disable Windows Defender in Your Ethical Hacking Lab
- Kyser Clark
- Apr 7

Setting up your Active Directory hacking lab is exciting...until Windows Defender starts blocking your tools and scripts at every turn. If you're trying to learn ethical hacking techniques, Defender can make your life miserable by shutting down 90% of the tools and exploits you're supposed to be practicing with.
This guide walks you through how to permanently disable Windows Defender on Windows 10 and Windows 11 so you can actually focus on learning offensive security techniques without constantly fighting your antivirus.
⚠️ Disclaimer: This guide is intended for educational purposes in a controlled lab environment. Never disable Defender or any antivirus on a production machine or without legal permission. Ethical hacking is legal only when performed with proper authorization.
Why Disable Windows Defender?
Windows Defender is a decent built-in antivirus solution for general use. But in a hacking lab where you're testing payloads, exploits, and tools like Mimikatz or Metasploit, Defender will treat everything you do as malware. Even basic scripts get flagged and blocked.
While there are one-liner scripts like Nuke-Defender.ps1 available on GitHub (for example, in the PimpMyADLab repo by Dewalt-archArch), those often get blocked by Defender before they can even run, ironically proving the point.
Step-by-Step: Permanently Disable Windows Defender
1. Boot into Safe Mode
You can only make these changes if Defender isn’t running, and that means booting into Safe Mode.
- Press Windows + R and type msconfig
- Go to the Boot tab
- Check Safe boot, select Minimal, click Apply and OK
- Restart your system
💡 Safe Mode disables Defender and gives you the access you need to make permanent changes.
2. Take Ownership of the Windows Defender Platform Folder
Once you're in Safe Mode:
- Open File Explorer
- Navigate to: C:\ProgramData\Microsoft\Windows Defender\Platform
- Right-click the Platform folder → Properties
- Go to the Security tab → click Advanced
- Click Change (next to Owner)
- Type in Administrators → click OK
- Disable inheritance (if prompted) and remove all users except for Administrators
- Apply changes and close out
This folder is responsible for Defender’s core functionality. Locking it down removes its ability to self-repair or reinstall.
3. Disable Defender-Related Services via Registry Editor
Still in Safe Mode:
- Press Windows + R, type regedit, and hit Enter
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
You’ll now edit several services and set their Start value to 4, which means disabled.
Locate each of these keys and make the change:
| Service Name | Registry Path |
| --- | --- |
| SENSE | ...\Services\SENSE\Start |
| WdBoot | ...\Services\WdBoot\Start |
| WdFilter | ...\Services\WdFilter\Start |
| WdNisDrv | ...\Services\WdNisDrv\Start |
| WdNisSvc | ...\Services\WdNisSvc\Start |
| WinDefend | ...\Services\WinDefend\Start |
For each one:
- Click on the folder name (e.g., SENSE)
- In the right panel, double-click Start
- Change the value to 4 and click OK
Once all six are set to 4, close the Registry Editor.
4. Reboot Normally
- Open msconfig again
- Uncheck Safe boot
- Click Apply → OK
- Restart your machine
You're now back in normal mode, and Defender should be fully disabled.
Confirm It Worked
You can now test a script or tool that Defender previously blocked. For example, try running the Nuke-Defender.ps1 script again in PowerShell ISE as Administrator. It should no longer be blocked.
You don’t need to run the script; it’s just a confirmation. If it executes, your environment is now Defender-free and ready for testing.
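A read-only way to verify the state described in steps 2 and 3, as an added example that is not part of the original post: it reports the Start value of the six services from the table and the owner of the Platform folder, and changes nothing. The function name `Get-DefenderServiceState` is a hypothetical helper, not a built-in cmdlet.

```powershell
# Added example: read-only audit of the state set in steps 2 and 3. Modifies nothing.
# Get-DefenderServiceState is a hypothetical helper name, not a built-in cmdlet.
$StartNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$Services    = 'SENSE', 'WdBoot', 'WdFilter', 'WdNisDrv', 'WdNisSvc', 'WinDefend'
$ServiceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-DefenderServiceState {
    foreach ($name in $Services) {
        $key = Join-Path $ServiceRoot $name
        if (-not (Test-Path -LiteralPath $key)) {
            # The service key does not exist on this install
            [pscustomobject]@{ Service = $name; Start = $null; Meaning = 'KeyMissing' }
            continue
        }
        # REG_DWORD Start value; $null if the value is absent
        $start = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Start
        $meaning = if ($null -eq $start) {
            'ValueMissing'
        } elseif ($StartNames.ContainsKey([int]$start)) {
            $StartNames[[int]$start]
        } else {
            "Unknown($start)"
        }
        [pscustomobject]@{ Service = $name; Start = $start; Meaning = $meaning }
    }
}

$state = @(Get-DefenderServiceState)
$state | Format-Table -AutoSize

# Step 2 check: owner and ACL identities on the Platform folder
$platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
if (Test-Path -LiteralPath $platform) {
    $acl = Get-Acl -LiteralPath $platform
    $ids = $acl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    "Platform owner : $($acl.Owner)"
    "ACL identities : $($ids -join ', ')"
}

# Summary: anything not Disabled (or absent) can still start
$active = @($state | Where-Object { $_.Meaning -notin 'Disabled', 'KeyMissing' })
if ($active.Count -eq 0) {
    'All listed services are disabled or absent.'
} else {
    "Still enabled: $($active.Service -join ', ')"
}
```

Run it from an elevated PowerShell prompt. On a machine where Defender is supposed to be active, the same output doubles as a tamper check: any of these services showing `Disabled`, or a Platform folder whose ACL has been reduced to Administrators only, matches the changes this guide makes.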
Why This Method Works
Microsoft Defender is persistent. Even when disabled through the GUI, it turns itself back on. And when you try to script its removal, it often blocks the very scripts you're using to disable it.
By combining Safe Mode, folder permissions, and registry edits, you eliminate Defender’s ability to launch or repair itself, giving you full control over your hacking lab environment.
Final Thoughts
Now you can run payloads, test exploits, and follow along with cybersecurity courses without interruption. Just make sure this setup stays isolated from your main network, and don’t use it for day-to-day browsing or productivity.