I ruined my vacation by reverse engineering WSC
195 comments
May 12, 2025
nyanpasu64
71bw
Group policies still work so effectively that I've set up a local domain using a controller in my homelab that does nothing but change the defender policies automatically for all users.
devwastaken
Group policy no longer works on Win11. Updates will reverse it. Additionally, Defender detects turning off realtime monitoring as malware.
grishka
Group policies and registry keys are gentle suggestions. Deleting or renaming files is "I wasn't asking, it's my computer not yours" kind of approach.
smileybarry
I thought so too, but if you switch everything off (including Tamper Protection) in the UI, then turn it off via (local!) Group Policy, it sticks. I’ve set up a few Windows 10 22H2 & 11 24H2 test VMs this way and they still have Defender disabled.
(I think you need to disable Tamper Protection first, otherwise you later get a threat detected of “WinDefendDisable”, but if you allow/unquarantine it doesn’t auto-enable again)
71bw
And yet I have none of these issues on 11 LTSC 24H2? Sounds like you forgot to disable Tamper Protection
ForOldHack
That is basically how a popular product does it, while taking down about 25% of the entire internet...
noisem4ker
Are you talking about the recent CrowdStrike screwup?
stuckkeys
I see what you did there.
keepamovin
It's weird that windows wouldn't have a signed manifest that would detect that
vachina
You can also disable Windows Update entirely by taking ownership of wuaueng.dll and .exe. It’s the only effective method on Windows Home.
subscribed
But disabling updates on the system connected to the Internet is a terrible idea.
How do you update that afterwards?
da_chicken
It does have that. Windows uses code signing and either DISM or SFC to do that.
But this isn't about the binaries. It's where definitions and configuration are stored. It's C:\ProgramData, not C:\Program Files.
The system also can't object too severely. Third party endpoint protection exists.
nyanpasu64
This is about the binaries. I first tried renaming the folder in Program Files, but Defender still kept eating RAM and CPU resources which were scarce on a 12-year-old laptop.
keepamovin
My bad. You correctly understood my mistake here. I assumed it was clobbering a binary
arghwhat
> Third party endpoint protection exists.
much to everyone's dismay. :/
qbane
FYI, WSC stands for Windows Security Center.
Washuu
Thank you for the help. It is really frustrating when authors do not define an acronym when it is first introduced in the text.
unmole
But they do:
> The part of the system that manages all this mess is called Windows Security Center - WSC for short.
Washuu
It needs to be closer to where the acronym is first introduced. The definition, on my screen, is below the fold so it can not be seen in context of where the acronym is first introduced. If it was defined below the title, I would understand.
* https://apastyle.apa.org/style-grammar-guidelines/abbreviati...
* https://www.stylemanual.gov.au/grammar-punctuation-and-conve...
* https://learn.microsoft.com/en-us/style-guide/acronyms
I do a lot of copy editing for clarity and non-native speakers so I have to keep these things in mind. ¯\_(ツ)_/¯
n4r9
At least that one is defined later on. I'm still scratching my head over "CTF".
[Edit - could be Capture The Flag?]
tempaway43563
You're right, that never gets defined. Yes, Capture The Flag cybersecurity sort of competition I think
rschiavone
They do. They understandably shorten it in the title, but then they define the acronym the first time they use it in the article.
gwbas1c
> the project blew up quite a bit and gained ~1.5k stars, after that the developers of the antivirus I was using filed a DMCA takedown request
I got really, really confused after that statement, because I don't understand what "the antivirus I was using" means and why they would have a reason to send the author a DMCA.
I think it means the author reverse-engineered another antivirus and put parts of it in their open-source project. But it could also mean other things. Skimming I see a heading with "Impersonating WinDefend".
So is the gist that the author somehow broke some kind of copyright law?
mmastrac
My understanding is he used the carcass of another AV tool to bypass signature requirements which is understandably grey (there's an argument for it being transformative, IMO but IANAL).
dec0dedab0de
Yes, they broke copyright law by copying part of an existing AV program.
From the paragraph directly before the one you quoted:
> The way how my project worked is that it was using a thirdparty code from some already existing antivirus and forced that av to register the antivirus in WSC.
raptorfactor
This is cursed:
https://github.com/es3n1n/defendnot/blob/master/defendnot-lo...
If you're curious what's actually going on there:
https://github.com/es3n1n/defendnot/blob/master/cxx-shared/s...
chii
can someone well versed in explaining CPP magic explain what is going on and why it is cursed?
quietbritishjim
We're starting with this code:
defer->void { CoUninitialize(); };
Using the macros in the second linked file, this expands to: auto _defer_instance_1234 = Defer{} % [&]()->void { CoUninitialize(); };
* The 1234 is whatever the line number is, which makes the variable name unique.
* auto means infer the type of this local variable from the expression after the =.
* Defer{} means default construct a Defer instance. Defer is an empty type, but it allows the % following it to call a specific function because...
* Defer has an overloaded operator%. It's a template function, which takes a callable object (type is the template parameter Callable) and returns a DeferHolder<Callable> instance.
* [&]()->void { /*code here*/ }; is C++ syntax for a lambda function that captures any variables it uses by address (that's the [&] bit), takes no parameters (that's the () bit) and returns nothing (that's the ->void bit). The code goes in braces.
* DeferHolder calls the function it holds when it is destroyed.
It's subjective but some (including me!) would say it's cursed because it's using a macro to make something that almost looks like C++ syntax but isn't quite. I'm pretty confident with C++ but I had no idea what was going on at first (except, "surely this is using macros somehow ... right?"). [Edit: After some thought, I think the most confusing aspect is that defer->void looks like a method call through an object pointer rather than a trailing return type.]
I'd say it would be better to just be honest about its macroness, and also just do the extra typing of the [&] each time so the syntax of the lambda is all together. (You could then also simplify the implementation.) You end up with something like this:
DEFER([&]()->void { CoUninitialize(); });
Or if you go all in with no args lambda, you could shorten it to: DEFER({ CoUninitialize(); });
jeffbee
A way to do the same thing that is less gross: https://github.com/abseil/abseil-cpp/blob/master/absl/cleanu...
chii
That's interesting! So I assume that this macro allows code to get registered to be run after the 'current' scope exits.
But from my understanding (or lack thereof), the `auto _defer_instance_1234 =` is never referenced post construction. Why doesn't the compiler immediately detect that this object is unused and thus optimize away the object as soon as possible? Is it always guaranteed that the destructor gets called only after the current scope exits?
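A self-contained reconstruction of the mechanism described in the two comments above (quietbritishjim's breakdown and chii's question about the unused variable), added here as an example and not taken from the defendnot repository. The names Defer, DeferHolder and the operator% overload follow the thread's description; the macro bodies, the DEFER_CAT helper, the probe functions and the logged strings are my own constructions. On the optimisation question: the holder's destructor has an observable side effect (it runs the callable), so under the as-if rule the compiler may not drop the object, and the destructor runs exactly when the enclosing scope is left, including by exception. The third probe shows why the macro must bind the holder to a named variable instead of leaving it as a temporary.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// DeferHolder owns a callable and runs it once, from its destructor. That is the
// whole trick: C++ destroys automatic objects when their scope is left by any
// path (normal exit, early return, exception), so the callable runs then.
template <typename Callable>
class DeferHolder {
public:
    explicit DeferHolder(Callable fn) : fn_(std::move(fn)), armed_(true) {}
    DeferHolder(DeferHolder&& other) : fn_(std::move(other.fn_)), armed_(other.armed_) {
        other.armed_ = false;  // a moved-from holder must not run the callable again
    }
    DeferHolder(const DeferHolder&) = delete;
    DeferHolder& operator=(const DeferHolder&) = delete;
    DeferHolder& operator=(DeferHolder&&) = delete;
    ~DeferHolder() { if (armed_) fn_(); }
private:
    Callable fn_;
    bool armed_;
};

// Defer is an empty tag type whose only job is to give the macro an operator to
// hang the lambda on: `Defer{} % lambda` yields a DeferHolder<Lambda>.
struct Defer {
    template <typename Callable>
    DeferHolder<Callable> operator%(Callable fn) const {
        return DeferHolder<Callable>(std::move(fn));
    }
};

// Two-step concatenation so __LINE__ is expanded before being pasted (my helper).
#define DEFER_CAT_IMPL(a, b) a##b
#define DEFER_CAT(a, b) DEFER_CAT_IMPL(a, b)

// The "hidden macro" spelling from the thread: `defer->void { ... };`
// The `->void` that follows the macro is the lambda's trailing return type.
#define defer auto DEFER_CAT(_defer_instance_, __LINE__) = Defer{} % [&]()

// The explicit spelling: `DEFER({ ... });`. Variadic because only parentheses
// group macro arguments; a comma inside the braces would otherwise split them.
#define DEFER(...) auto DEFER_CAT(_defer_instance_, __LINE__) = Defer{} % [&]() __VA_ARGS__

// Probe 1: three deferred pushes plus the body, in a scope that exits normally.
// `log` is passed by reference so the pushes land after this scope is left but
// before the caller reads the result.
static void scopeWithNormalExit(std::vector<std::string>& log) {
    defer->void { log.push_back("first"); };
    defer->void { log.push_back("second"); };
    DEFER({ log.push_back("third"); });
    log.push_back("body");
}

std::vector<std::string> deferOrderOnNormalExit() {
    std::vector<std::string> log;
    scopeWithNormalExit(log);
    return log;  // body, third, second, first: holders are destroyed in reverse order
}

// Probe 2: the scope is left by an exception; unwinding still runs the destructor.
std::vector<std::string> deferOrderOnException() {
    std::vector<std::string> log;
    try {
        DEFER({ log.push_back("cleanup"); });
        log.push_back("body");
        throw std::runtime_error("simulated failure");  // constructed failure
    } catch (const std::runtime_error&) {
        log.push_back("caught");
    }
    return log;  // body, cleanup, caught
}

// Probe 3: why the macro must bind the holder to a named variable. An unnamed
// temporary is destroyed at the end of its full-expression, so the "deferred"
// callable runs immediately, before the body.
std::vector<std::string> unnamedTemporaryRunsImmediately() {
    std::vector<std::string> log;
    {
        Defer{} % [&]() -> void { log.push_back("deferred"); };
        log.push_back("body");
    }
    return log;  // deferred, body
}

static void print(const char* label, const std::vector<std::string>& log) {
    std::cout << label << ':';
    for (const std::string& s : log) std::cout << ' ' << s;
    std::cout << '\n';
}

int main() {
    print("normal exit", deferOrderOnNormalExit());
    print("exception", deferOrderOnException());
    print("unnamed temporary", unnamedTemporaryRunsImmediately());
    return 0;
}
```

Builds with any C++11 or later compiler. The probes return the logged order instead of only printing it so the ordering can be asserted rather than eyeballed; the reverse order in probe 1 is simply the rule that automatic objects are destroyed in reverse order of construction.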
vitus
I don't think we actually need `->void` -- shouldn't the compiler be able to infer the return type (or rather, absence thereof)? My experience is that the compiler only struggles when the return value needs to be implicitly converted to some other type.
Would it have looked any less cursed if it just read `defer { CoUninitialize(); };`?
Agreed that the simplest "fix" would be to just rename the macro to be all-caps.
Sebb767
> * Defer has an overloaded operator%. It's a template function, which takes a callable object (type is the template parameter Callable) and returns a DeferHolder<Callable> instance.
Is there any reason to use operator% instead of a normal method call? Except possibly looking cool, which doesn't seem useful given that the call is hidden away in a macro anyway.
variadix
Eh, there are better implementations that are less syntactically obtuse (no ->void) but other than that it’s fine. Fairly obvious what it’s supposed to do and I’ve needed similar things in the past. There’s a cppcon talk that uses the ->* operator for precedence reasons and the macro lets you use it like ‘defer { … };’
aa-jv
This is a class which implements a 'defer' mechanism, similar to Go and Javascript constructs, which do the same thing - delay execution of the given block until the current block scope is exited. It's pretty clever, actually, and quite useful.
I personally don't find it that cursed, but for many old C++ heads this may be an overwhelming smell - adding a class to implement what should be a language feature may tweak some folks' ideology a bit too far.
eru
C++ sort-of guarantees that your objects' destructors will be called when they go out of scope.
So you can abuse this mechanic to 'register' things to be executed at the end of the current scope, almost no matter how you exit the current scope.
es3n1n
Yeah, sorry, I didn't feel like implementing my own RAII stuff for all the COM thingies due to time constraints. It will be changed in the next update though.
gavinray
https://en.cppreference.com/w/cpp/experimental/scope_exit
scope_exit{[&]{ ... } };
junon
Honestly if this isn't part of a public API this isn't very cursed in terms of C++, especially if you have a lot of one-off cleanup operations.
I think the only bit I don't like personally is the syntax. I normally implement defer as a macro to keep things clean. If done correctly it can look like a keyword: `defer []{ something(); };`.
quietbritishjim
I think the syntax is exactly why they're saying it's cursed. IMO your suggestion is no better - yes it makes defer look like a keyword, but it's not! As I said in a sibling comment, I think it's clearer if you're honest that you're using a macro: DEFER([](){something();});
Or you could even make a non-macro version (but then you need to think of variable names for each defer):
auto defer_uninitialise = do_defer([](){CoUninitialize();});
Asooka
Why did you write it with two structs though? You could do
#define defer(body) DeferHolder COMMON_CAT(_defer_instance, __LINE__) {([&]()->void body)};
and call it as defer({
function body here;
});
Which looks much nicer. The preprocessor treats balanced curlies as one single token regardless of how many lines it spans, precisely to enable this usage.
fc417fc802
What's cursed about this? I use this pattern all over in my code although the signature at the callsite looks a bit different (personal preference).
D (for example) has the concept of statements that trigger at end of scope built into the language.
drabbiticus
Code is a way you treat your coworkers - Michael Feather, https://x.com/mfeathers/status/1031176879577780224
TL;DR, not AI
The code defers a function call until the point in time that an object goes out of scope. The implementation uses C macros to create a more succinct syntax that omits parts of the necessary C lambda/unnamed function definition and to create a unique variable name for managing the deferred function call. However, the resulting syntax eschews the common convention of using UPPER CASE to denote C macros, and instead appears similar at first glance to a function call from an object pointer.
This can cause confusion if one is not familiar with this pattern and expects macros to be communicated differently. Some commenters say this is common enough, or useful enough to them, to be considered almost idiomatic in some contexts.
For technical explanation, https://news.ycombinator.com/item?id=43959403#43960905 provides a useful breakdown of how the macro works.
lepicz
lol, I significantly improved my vacation by reverse engineering the virtual desktops on windows :) best memories of last year: reverse engineering is hellovafun!
Learned a lot of interesting things, namely there is an undocumented messaging underlying the RPC in windows: https://csandker.io/2022/05/24/Offensive-Windows-IPC-3-ALPC....
xyst
Every time I see anime characters in pfp, I know it’s going to be a good write up. Thanks for sharing.
Keeping this saved in case I return to a crappy windows env.
dark-star
For those wondering:
WSC stands for Windows Security Center.
I had to look it up as well
einsteinx2
> The part of the system that manages all this mess is called Windows Security Center - WSC for short.
It’s in the article
dark-star
true, but you have to read until the 4th paragraph to find it. Putting it in the title would have been better
einsteinx2
Fair point
s4mbh4
Why would you want to disable WSC?
devrandoom
Performance reasons? Malware development? Hacking?
fransje26
Is there a more performant, less resource-crippling, antivirus for Windows?
joshuaissac
Yes, a small number, but it changes each year due to AV vendors (including Microsoft) changing how their AV works. It also depends on whether one looks at the impact from passively running the antivirus vs actively running a scan.
hoseja
It's called no antivirus. It's what this is supposed to do. Antiviruses are useless malware.
bob1029
A skilled user.
I understand and mostly support the idea of mandatory AV for the people who can barely handle the concept of a file system.
There is also a class of user forged in the fires of the primordial internet who would never in a trillion years be tricked into clicking a fake explorer.exe window in their browser.
Giving users choice is the best option. Certainly, make it very hard to disable the AV. But, don't make me go dig through DMCA'd repos and dark corners of the internet (!) to find a way to properly disable this bullshit.
dangus
This whole topic is a massive eye roll.
In what universe is windows defender “resource-crippling?” There are windows laptops that will sip battery for an entire workday plus extra hours while running defender the entire time. So clearly it’s not “resource-crippling” if it can run on a laptop with a single digit wattage power draw.
And then we’ve got the “I need to control my system I’m too smart for antivirus” folks all over this thread.
Well, if you’re so smart why are you using a consumer OS designed for idiots?
(I like OP’s tongue-in-cheek work and post a whole lot better than the neckbeard army describing how Windows is broken and totally doesn’t work and how we have to disable updates and antivirus because we are power users I guess so we just do that for no reason)
Hilift
If you are a threat actor, you could get lucky and there isn't another Endpoint Detection and Response product installed, which would almost certainly intercept this.
If you are an EDR vendor, this is an obfuscated API call that EDR vendors can use to suppress or disable the Windows Firewall. CrowdStrike for example, can do either I believe, use Windows Firewall or use their implementation.
xyst
It’s my hardware. I’ll do what I want with it, m8.
Simple as that.
AStonesThrow
Well this is a straightforward sentiment with a real "my body, my choice" ring to it, isn't it? Until it isn't.
Perhaps your hardware, when connected to a network, has real effects on the rest of that network. What if your system joined a botnet and began DDOS activities for payment? What if your system was part of a residential proxy network, and could be rented in the grey market for any kind of use or abuse of others' systems? What if your system became a host for CSAM or copyright-violating materials, unbeknownst to you, until the authorities confiscated it?
And what if your hardware had a special privileged location on a corporate network, or you operated a VPC with some valuable assets, and that was compromised and commandeered by a state-level threat actor? Is it still "your hardware, your choice"? Or do your bad choices affect other people as well?
Novosell
Man that is a silly line of thought. Your conclusion now has to be that all freedom is bad because people's choices can have ramifications, yeah?
Oh, you chose to buy new shoes even though they were too tight which distracted you for 1 sec in your car on the way home, due to the discomfort, so you hit someone and they died.
Clearly people can not be trusted to buy their own shoes!
SecretDreams
I got measles just reading this
ahoka
There's the "Malicious Software Removal Tool" for that case.
Fokamul
I presume you use Apple products, right?
VMtest
I guess I have to start audit all devices that connect to my home internet...oh wait
xoa
Geez what a cluster* of a comment. You mix in a bunch of theoreticals you came up with in 5 seconds that cover different domains and then don't actually go to the effort of critically examining your own statements, which is appreciated and makes for much higher quality comments.
>Perhaps your hardware, when connected to a network, has real effects on the rest of that network. What if your system joined a botnet and began DDOS activities for payment? What if your system was part of a residential proxy network, and could be rented in the grey market for any kind of use or abuse of others' systems?
This at least is "you, affecting others". But the obvious immediate response is that such things done via the network can be mitigated or blocked at the network layer, and indeed must be anyway since attackers are doing such things from across the world 24/7 regardless. I'd fully support ISPs having to throttle or even potentially block-until-fixed any customers who participate in active network attacks, and other parts of the internet throttling or blacklisting ISPs that refused to cooperate. But making someone deal with the consequences of their choices is no reason to deny them the choices in the first place, given that most of those making such choices are not, in fact, actually going to end up doing any of what you listed.
>What if your system became a host for CSAM or copyright-violating materials, unbeknownst to you, until the authorities confiscated it?
Here (and seriously ZOMG THINK OF THE CHILDREN, lol really? on HN, in 2025?) you veer off into personal consequences to the person making the choice, as opposed to them being part of an attack on others. This is just saying "there could be risks to you if you mess it up!" which is a complete non-statement.
>And what if your hardware had a special privileged location on a corporate network, or you operated a VPC with some valuable assets, and that was compromised and commandeered by a state-level threat actor? Is it still "your hardware, your choice"? Or do your bad choices affect other people as well?
Um. Hello? Why is corporate IT allowing you to BYOD to a special privileged location on the corporate network without even so much as any sort of management agreement or contractual responsibilities? At this point you've veered off the road of reality. Because in actual reality you don't own hardware in special privileged locations or at least don't have full choice over it by your own agreement. And if that's not the case hooboy is there a kind of a lot of other fundamental issues there. That's not an argument for a blanket universal policy.
nicman23
Because all antivirus software is at least a powervirus.
I do not care for anyone baby sitting me telling me that netcat.exe is a no no
ahoka
Because why would you want to rootkit yourself on purpose?
rootsudo
I recently read https://nostarch.com/windows-security-internals and this makes it much more relatable. I know a bit about how a lot of this back stuff works in Windows, but the timing is great - the last chapter of that book really goes into the same detail this author went about tokens and SIDs.
ForOldHack
This is a godsend. I should send you a jar of KimChee for this. Please return to Seoul, and enjoy the sights. South Korea is one of the most beautiful countries in the world. Try to plan it to correspond to either the cherry blossoms falling in the spring, or the leaves falling in the fall.
I miss Seoul.
nar001
Will you go back? Holidays, or are you from there?
yard2010
"Busan is Good"
<3
einsteinx2
> As you might still remember, I was working on an arm64 macbook and there currently is no sane solutions how to emulate x86 windows on arm macbooks.
What about UTM? Also Parallels recently added initial support for Intel VMs as well.
belthesar
The dynarec systems in QEMU aren't as efficient as the native dynarec systems in Windows and macOS (Rosetta 2). You can definitely run x86 Windows with UTM, and it works, but the performance characteristics are pretty poor. From a utility perspective, I've found that running an ARM Windows VM and using Windows' dynarec system to run x86 apps, or using WINE (both using native compiled subsystem code) is a much better experience. It's one of those things where it's okay if you need to run a workload in a pinch.
I'm not sure if performance characteristics are part of what the OP considers "sane", but if it is, I get the position.
nottorp
I tried UTM and it's unusable for x86 Windows.
Maybe command line Linux would be acceptably slow, but anything with a GUI isn't.
You can run arm64 Windows pretty well, but that's not x86 Windows and won't help with reverse engineering an x86 system component.
einsteinx2
I hadn’t tried it myself I just knew it could run it, sucks to hear it’s so unusable.
nottorp
It depends on what you need though, because arm windows has its own rosetta-like translation and does run x86 applications.
I set up a windows arm inside an UTM VM as a test, then installed visual studio (not code!) which is an x86 application and it was pretty much usable.
The codebase i was working on was complaining about missing some OpenGL parts so I stopped and haven't investigated further (I have x86 boxes for working on it). But depending on your requirements the above setup may be just fine(tm).
grishka
Correct me if I'm wrong, but isn't the emulation of an MMU-equipped CPU a fundamentally slow and unoptimizable task? Apple's Rosetta and its Microsoft equivalent only work as fast as they do because they only run userspace code so they don't have to emulate the MMU.
duskwuff
I wouldn't go as far as to say unoptimizable, but it's certainly harder, particularly if your emulator is running in userspace (like Rosetta does).
feldrim
What's worse for me is that Check Point Harmony does not utilize the interfaces of Defender crafted for this purpose, but writes a knowledge base article to tell the users to disable Defender themselves.
The most invasive but effective way I've found to disable Defender is to boot into a live Linux USB, rename "C:\ProgramData\Microsoft\Windows Defender", and create an empty file in its place.