
How to Permanently Disable Windows Defender in Your Ethical Hacking Lab

  • Writer: Kyser Clark
  • Apr 7

Setting up your Active Directory hacking lab is exciting...until Windows Defender starts blocking your tools and scripts at every turn. If you're trying to learn ethical hacking techniques, Defender can make your life miserable by shutting down 90% of the tools and exploits you're supposed to be practicing with.

This guide walks you through how to permanently disable Windows Defender on Windows 10 and Windows 11 so you can actually focus on learning offensive security techniques without constantly fighting your antivirus.

⚠️ Disclaimer: This guide is intended for educational purposes in a controlled lab environment. Never disable Defender or any antivirus on a production machine or without legal permission. Ethical hacking is legal only when performed with proper authorization.


Why Disable Windows Defender?

Windows Defender is a decent built-in antivirus solution for general use. But in a hacking lab where you're testing payloads, exploits, and tools like Mimikatz or Metasploit, Defender will treat everything you do as malware. Even basic scripts get flagged and blocked.

While there are one-liner scripts like Nuke-Defender.ps1 available on GitHub (for example, in the PimpMyADLab repo by Dewalt-archArch), those often get blocked by Defender before they can even run, ironically proving the point.


Step-by-Step: Permanently Disable Windows Defender

1. Boot into Safe Mode

You can only make these changes if Defender isn’t running, and that means booting into Safe Mode.

  • Press Windows + R and type msconfig

  • Go to the Boot tab

  • Check Safe boot, select Minimal, click Apply and OK

  • Restart your system

💡 Safe Mode disables Defender and gives you the access you need to make permanent changes.

2. Take Ownership of the Windows Defender Platform Folder

Once you're in Safe Mode:

  1. Open File Explorer

  2. Navigate to: C:\ProgramData\Microsoft\Windows Defender\Platform

  3. Right-click the Platform folder → Properties

  4. Go to the Security tab → click Advanced

  5. Click Change (next to Owner)

  6. Type in Administrators → click OK

  7. Disable inheritance (if prompted) and remove all users except for Administrators

  8. Apply changes and close out


This folder is responsible for Defender’s core functionality. Locking it down removes its ability to self-repair or reinstall.


3. Disable Defender-Related Services via Registry Editor

Still in Safe Mode:

  1. Press Windows + R, type regedit, and hit Enter

  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

You’ll now edit several services and set their Start value to 4, which means disabled.

Locate each of these keys and make the change:

Service Name    Registry Path
SENSE           ...\Services\SENSE\Start
WdBoot          ...\Services\WdBoot\Start
WdFilter        ...\Services\WdFilter\Start
WdNisDrv        ...\Services\WdNisDrv\Start
WdNisSvc        ...\Services\WdNisSvc\Start
WinDefend       ...\Services\WinDefend\Start

For each one:

  • Click on the folder name (e.g., SENSE)

  • In the right panel, double-click Start

  • Change the value to 4 and click OK

Once all six are set to 4, close the Registry Editor.

4. Reboot Normally

  • Open msconfig again

  • Uncheck Safe boot

  • Click Apply → OK

  • Restart your machine

You're now back in normal mode, and Defender should be fully disabled.

Confirm It Worked

You can now test a script or tool that Defender previously blocked. For example, try running the Nuke-Defender.ps1 script again in PowerShell ISE as Administrator. It should no longer be blocked.

You don’t need to run the script; it’s just a confirmation. If it executes, your environment is now Defender-free and ready for testing.
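
An added example, not part of the original post: a read-only PowerShell check that reports the Start value of each of the six services from step 3 after the normal reboot. The function name Get-DefenderServiceStart is a hypothetical helper defined here, and the script changes nothing on the system.

```powershell
# Added example: read-only audit of the six service Start values named in step 3.
# It only reads the registry and reports the current state.
$servicesRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$defenderServices = 'SENSE', 'WdBoot', 'WdFilter', 'WdNisDrv', 'WdNisSvc', 'WinDefend'

# Standard meanings of a service's Start value.
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Hypothetical helper (not from the original post): one result object per service.
function Get-DefenderServiceStart {
    param([string[]]$Name = $defenderServices)
    foreach ($svc in $Name) {
        $key = Join-Path $servicesRoot $svc
        if (-not (Test-Path -LiteralPath $key)) {
            # A key may be absent on a given install; report it instead of erroring.
            [pscustomobject]@{ Service = $svc; Start = $null; Meaning = 'KeyMissing' }
            continue
        }
        $start = (Get-ItemProperty -LiteralPath $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($null -eq $start) {
            $meaning = 'NoStartValue'
        }
        elseif ($startTypes.ContainsKey([int]$start)) {
            $meaning = $startTypes[[int]$start]
        }
        else {
            $meaning = "Unknown($start)"
        }
        [pscustomobject]@{ Service = $svc; Start = $start; Meaning = $meaning }
    }
}

$report = Get-DefenderServiceStart
$report | Format-Table -AutoSize

# Anything not at 4 (including a missing key or value) is listed for review.
$notDisabled = $report | Where-Object { $_.Start -ne 4 }
if ($notDisabled) {
    Write-Warning ('Not set to 4: ' + ($notDisabled.Service -join ', '))
}
else {
    Write-Output 'All six services have Start = 4 (Disabled).'
}
```

The same check is useful outside the lab: on a machine that is supposed to be protected, a Start value of 4 on any of these services means that Defender component has been disabled and should be investigated.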

Why This Method Works

Microsoft Defender is persistent. Even when disabled through the GUI, it turns itself back on. And when you try to script its removal, it often blocks the very scripts you're using to disable it.

By combining Safe Mode, folder permissions, and registry edits, you eliminate Defender’s ability to launch or repair itself, giving you full control over your hacking lab environment.

Final Thoughts

Now you can run payloads, test exploits, and follow along with cybersecurity courses without interruption. Just make sure this setup stays isolated from your main network, and don’t use it for day-to-day browsing or productivity.

If you're building a hacking lab or just starting your ethical hacking journey, check out my curated playlists and tutorials on tools, techniques, and certification prep.

Want More Practical Hacking Tips?

Subscribe to my newsletter at kyserclark.com/newsletter or follow me on YouTube for weekly content covering ethical hacking, penetration testing, and cybersecurity careers.

