An open-source windows defender manager. Now you can disable windows defender permanently.
1.9k
Stars
131
Forks
14
Open issues
1
Contributors
AI Analysis
Defender Control is an open-source Windows utility that disables Windows Defender by renaming its kernel drivers and setting restrictive policies, then restores it on demand. It serves a narrow technical niche: users who need to run software flagged by Defender, security researchers, or those managing enterprise deployments with alternative antivirus solutions. It is not for general end-users seeking antivirus protection or those unfamiliar with system administration.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
C++ tool to permanently disable Windows Defender; serves power users and security researchers despite Microsoft detection.
Defender Control is a Windows Defender disabler written in C++, designed for users who want permanent removal of Windows antivirus on their machines. It works by renaming Defender driver files and modifying registry policies, then provides a corresponding enable tool for restoration. The project is open source (MIT), well-documented, and actively maintained. It serves a narrow but real population: power users, researchers, and organizations with custom security stacks who view Defender as overhead or threat.
Created May 2021, the tool emerged into a category of Windows Defender removal utilities that have existed for years. The README explicitly acknowledges that Microsoft maintains signatures for this tool and others in the category, indicating this is a known adversarial niche rather than a novel capability.
Repository gained 14 stars in the last 7 days (as of 2026-07-04) on a total of 1,870. Growth appears steady rather than accelerating. The modest star count relative to similar repos (windows-defender-remover at 7,988 stars) suggests either: (a) this implementation serves a more technical audience that compiles from source rather than seeking pre-built releases, or (b) adoption is genuinely narrower. Last push 2026-06-26 indicates active maintenance; the project is not dormant.
Adoption not verified through README. No testimonials, case studies, enterprise deployments, or quantified usage metrics documented. The tool's presence on GitHub and the acknowledgment that Microsoft flags it suggests real-world use (otherwise why would Defender ship a signature?), but concrete numbers of users are absent. The category (Windows Defender removal) is known to attract security researchers and power users, but this specific implementation's penetration is unclear.
Based on README: likely a C++ Windows application that escalates to TrustedInstaller privilege level, then renames Defender system drivers (WdFilter.sys, WdBoot.sys) to .OLD and modifies registry policies to lock the Security UI. Appears to use a restore manifest stored in %ProgramData%\defender-control. No build system details, dependency list, or code structure documented in excerpt.
not documented in README. No mention of unit tests, integration tests, or test suite. Given the nature of the tool (system-level manipulation), testing likely requires Windows VMs or test machines; may not be part of public CI/CD.
Last push 2026-06-26 (8 days before analysis date) shows active recent work. Repository created 2021-05-15, now 5+ years old. Presence of compiled releases and regular updates suggests ongoing triage and support. However, star velocity (14 in 7 days) is modest, so maintenance may be routine rather than responding to major demand.
ADOPT IF: you are a power user, security researcher, or organization that needs to run a custom security stack and has decided Defender is incompatible; you are comfortable compiling from source or trusting pre-built binaries flagged by Windows; you need reversibility (the enable binary). AVOID IF: you rely on Defender as your primary antivirus and are not certain of alternative protection; you are in an enterprise environment without explicit IT approval to disable system security; you expect upstream support from the vendor (none available); you cannot tolerate being flagged by Defender during the deployment window. MONITOR IF: you are evaluating the C++ implementation quality (code review recommended before deployment); you want to track whether this tool remains maintained as Windows changes (recent push is positive, but long-term commitment unclear).
Independent dimensions
Mainstream potential
2/10
Technical importance
5/10
Adoption evidence
3/10
- Microsoft detection and flagging: the tool itself is quarantined by Defender, requiring temporary disable or compilation from source to deploy — creates chicken-and-egg problem for new users.
- System instability: disabling Defender at the driver level touches critical Windows paths; failures could require DISM/SFC repair or in-place upgrade per README's own guidance.
- Reversibility not guaranteed: while enable binary exists, README acknowledges cases where Defender 'won't come back' and recommends repair procedures, suggesting restoration is not 100% reliable.
- Limited adoption transparency: no visibility into whether users actually recover Defender successfully or how common failures are; anecdotal reports would help but are absent.
- Future Windows versions: as Windows architecture evolves (e.g., Pluton, UEFI Secure Boot changes, OS hardening), driver renaming and registry policy tricks may fail on future major releases.
Likely to remain a niche tool for power users and researchers, with steady but modest growth. As Windows security hardening accelerates (kernel patches, attestation, verified boot), traditional driver-level manipulation may become less viable, pushing the project toward maintenance-only mode or requiring architectural reimplementation. Microsoft's continued flagging will keep adoption limited to technically savvy users willing to compile or bypass security warnings.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Language
- C++
- License
- MIT
- Last updated
- 2w ago
- Created
- 63mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
hi
Not getting enabled after disabling it
Disable SmartScreen for Faster Performance
Windows slows down after install especially TiWorker win11 canary Version 10.0.25330.1000
I dont know if this is an issue, just checking in
Open pull requests
No open pull requests.
Top contributors
Similar repos
ionuttbara/windows-defender-remover
This tool removes or disables Windows Defender and related security components...
MSNightmare/RoguePlanet
RoguePlanet is a proof-of-concept exploit targeting a Windows Defender race...
zoicware/RemoveWindowsAI
RemoveWindowsAI is a PowerShell script that disables and removes AI-related...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
1.9k | +32 | C++ | 7/10 | 2w ago |
|
|
8k | — | Batchfile | 4/10 | 5mo ago |
|
|
2.5k | — | C++ | 8/10 | 3w ago |
|
|
1.5k | — | C++ | 5/10 | 1mo ago |
|
|
12.3k | — | PowerShell | 7/10 | 3d ago |
|
|
1.5k | — | C++ | 7/10 | 5d ago |
Much larger star count and uses Batch (lower barrier to entry, easier to audit). Defender Control is newer and offers C++ structure and presumably more sophisticated privilege escalation via TrustedInstaller. Defender Control provides reversibility (enable binary); unclear if competitor does.
Largest in category. PowerShell likely attracts broader user base (higher accessibility). Scope possibly broader (AI removal, not just Defender). Defender Control is more focused; unclear if this is advantage or disadvantage.
Similar star count and C++ foundation, but solves a different problem (input device hiding for gaming/VR, not antivirus removal). HidHide may be more niche by use case but arguably less adversarial (not flagged by security vendors).
