pgkt04

pgkt04/defender-control

C++ MIT Security Single maintainer risk

An open-source windows defender manager. Now you can disable windows defender permanently.

1.9k stars
131 forks
recent
GitHub +32 / week

1.9k

Stars

131

Forks

14

Open issues

1

Contributors

v2.0 24 Jun 2026

AI Analysis

Defender Control is an open-source Windows utility that disables Windows Defender by renaming its kernel drivers and setting restrictive policies, then restores it on demand. It serves a narrow technical niche: users who need to run software flagged by Defender, security researchers, or those managing enterprise deployments with alternative antivirus solutions. It is not for general end-users seeking antivirus protection or those unfamiliar with system administration.

Security Security Tool Discovery value: 4/10
Documentation 8/10
Activity 8/10
Community 7/10
Code quality 5/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 7/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

windows-system-management security-configuration defender-manipulation kernel-driver-control system-administration
MIT licensed Actively maintained Niche/specialized use case Well documented Production ready
Deep Analysis · Based on README and public signals
6d ago

C++ tool to permanently disable Windows Defender; serves power users and security researchers despite Microsoft detection.

Defender Control is a Windows Defender disabler written in C++, designed for users who want permanent removal of Windows antivirus on their machines. It works by renaming Defender driver files and modifying registry policies, then provides a corresponding enable tool for restoration. The project is open source (MIT), well-documented, and actively maintained. It serves a narrow but real population: power users, researchers, and organizations with custom security stacks who view Defender as overhead or threat.

Origin

Created May 2021, the tool emerged into a category of Windows Defender removal utilities that have existed for years. The README explicitly acknowledges that Microsoft maintains signatures for this tool and others in the category, indicating this is a known adversarial niche rather than a novel capability.

Growth

Repository gained 14 stars in the last 7 days (as of 2026-07-04) on a total of 1,870. Growth appears steady rather than accelerating. The modest star count relative to similar repos (windows-defender-remover at 7,988 stars) suggests either: (a) this implementation serves a more technical audience that compiles from source rather than seeking pre-built releases, or (b) adoption is genuinely narrower. Last push 2026-06-26 indicates active maintenance; the project is not dormant.

In production

Adoption not verified through README. No testimonials, case studies, enterprise deployments, or quantified usage metrics documented. The tool's presence on GitHub and the acknowledgment that Microsoft flags it suggests real-world use (otherwise why would Defender ship a signature?), but concrete numbers of users are absent. The category (Windows Defender removal) is known to attract security researchers and power users, but this specific implementation's penetration is unclear.

Code analysis
Architecture

Based on README: likely a C++ Windows application that escalates to TrustedInstaller privilege level, then renames Defender system drivers (WdFilter.sys, WdBoot.sys) to .OLD and modifies registry policies to lock the Security UI. Appears to use a restore manifest stored in %ProgramData%\defender-control. No build system details, dependency list, or code structure documented in excerpt.

Tests

not documented in README. No mention of unit tests, integration tests, or test suite. Given the nature of the tool (system-level manipulation), testing likely requires Windows VMs or test machines; may not be part of public CI/CD.

Maintenance

Last push 2026-06-26 (8 days before analysis date) shows active recent work. Repository created 2021-05-15, now 5+ years old. Presence of compiled releases and regular updates suggests ongoing triage and support. However, star velocity (14 in 7 days) is modest, so maintenance may be routine rather than responding to major demand.

Honest verdict

ADOPT IF: you are a power user, security researcher, or organization that needs to run a custom security stack and has decided Defender is incompatible; you are comfortable compiling from source or trusting pre-built binaries flagged by Windows; you need reversibility (the enable binary). AVOID IF: you rely on Defender as your primary antivirus and are not certain of alternative protection; you are in an enterprise environment without explicit IT approval to disable system security; you expect upstream support from the vendor (none available); you cannot tolerate being flagged by Defender during the deployment window. MONITOR IF: you are evaluating the C++ implementation quality (code review recommended before deployment); you want to track whether this tool remains maintained as Windows changes (recent push is positive, but long-term commitment unclear).

Independent dimensions

Mainstream potential

2/10

Technical importance

5/10

Adoption evidence

3/10

Risks
  • Microsoft detection and flagging: the tool itself is quarantined by Defender, requiring temporary disable or compilation from source to deploy — creates chicken-and-egg problem for new users.
  • System instability: disabling Defender at the driver level touches critical Windows paths; failures could require DISM/SFC repair or in-place upgrade per README's own guidance.
  • Reversibility not guaranteed: while enable binary exists, README acknowledges cases where Defender 'won't come back' and recommends repair procedures, suggesting restoration is not 100% reliable.
  • Limited adoption transparency: no visibility into whether users actually recover Defender successfully or how common failures are; anecdotal reports would help but are absent.
  • Future Windows versions: as Windows architecture evolves (e.g., Pluton, UEFI Secure Boot changes, OS hardening), driver renaming and registry policy tricks may fail on future major releases.
Prediction

Likely to remain a niche tool for power users and researchers, with steady but modest growth. As Windows security hardening accelerates (kernel patches, attestation, verified boot), traditional driver-level manipulation may become less viable, pushing the project toward maintenance-only mode or requiring architectural reimplementation. Microsoft's continued flagging will keep adoption limited to technically savvy users willing to compile or bypass security warnings.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

C++
96.6%
C
3.4%

Information

Language
C++
License
MIT
Last updated
2w ago
Created
63mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

ionuttbara

ionuttbara/windows-defender-remover

This tool removes or disables Windows Defender and related security components...

8k Batchfile Security
Mattiwatti

Mattiwatti/EfiGuard

EfiGuard is a UEFI bootkit for x64 Windows that patches the boot process to...

2.5k C++ Security
MSNightmare

MSNightmare/RoguePlanet

RoguePlanet is a proof-of-concept exploit targeting a Windows Defender race...

1.5k C++ Security
zoicware

zoicware/RemoveWindowsAI

RemoveWindowsAI is a PowerShell script that disables and removes AI-related...

12.3k PowerShell Security
nefarius

nefarius/HidHide

HidHide is a Windows device firewall that hides human interface devices...

1.5k C++ Gaming
vs. alternatives
windows-defender-remover (7,988 stars, Batch)

Much larger star count and uses Batch (lower barrier to entry, easier to audit). Defender Control is newer and offers C++ structure and presumably more sophisticated privilege escalation via TrustedInstaller. Defender Control provides reversibility (enable binary); unclear if competitor does.

RemoveWindowsAI (12,232 stars, PowerShell)

Largest in category. PowerShell likely attracts broader user base (higher accessibility). Scope possibly broader (AI removal, not just Defender). Defender Control is more focused; unclear if this is advantage or disadvantage.

HidHide (1,458 stars, C++)

Similar star count and C++ foundation, but solves a different problem (input device hiding for gaming/VR, not antivirus removal). HidHide may be more niche by use case but arguably less adversarial (not flagged by security vendors).