I ruined my vacation by reverse engineering WSC
32 comments
May 12, 2025 · nyanpasu64
71bw
Group policies still work so effectively that I've set up a local domain using a controller in my homelab that does nothing but change the defender policies automatically for all users.
keepamovin
It's weird that windows wouldn't have a signed manifest that would detect that
vachina
You can also disable Windows Update entirely by taking ownership of wuaueng.dll and .exe. It’s the only effective method on Windows Home.
subscribed
But disabling updates on the system connected to the Internet is a terrible idea.
How do you update that afterwards?
ForOldHack
That is basically how a popular product does it, while taking down about 25% of the entire internet...
stuckkeys
I see what you did there.
qbane
FYI, WSC stands for Windows Security Center.
Washuu
Thank you for the help. It is really frustrating when authors do not define an acronym when it is first introduced in the text.
unmole
But they do:
> The part of the system that manages all this mess is called Windows Security Center - WSC for short.
rschiavone
They do. They understandably shorten it in the title, but then they define the acronym the first time they use it in the article.
raptorfactor
This is cursed:
https://github.com/es3n1n/defendnot/blob/master/defendnot-lo...
If you're curious what's actually going on there:
https://github.com/es3n1n/defendnot/blob/master/cxx-shared/s...
fc417fc802
What's cursed about this? I use this pattern all over in my code although the signature at the callsite looks a bit different (personal preference).
D (for example) has the concept of statements that trigger at end of scope built into the language.
chii
can someone well versed in explaining CPP magic explain what is going on and why it is cursed?
es3n1n
yeah sorry I didn't feel like implementing my own RAII stuff for all the COM thingies due to time constraints. It will be changed in the next update though
junon
Honestly if this isn't part of a public API this isn't very cursed in terms of C++, especially if you have a lot of one-off cleanup operations.
I think the only bit I don't like personally is the syntax. I normally implement defer as a macro to keep things clean. If done correctly it can look like a keyword: `defer []{ something(); };`.
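As an added example for this thread (illustrative code written here, not defendnot's own implementation and not something junon posted), this is one way to build the `defer` macro junon describes on top of a small RAII scope guard. The `FakeCom` type and its `acquire`/`release` names are a constructed stand-in for COM-style resources so the example runs without Windows; the point is that every `defer` fires on every exit path, in reverse order of declaration.

```cpp
// Added example: a minimal "defer" macro built on a RAII scope guard, the
// pattern discussed above. Illustrative code, not defendnot's own.
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Runs the stored callable when it goes out of scope: on normal exit, early
// return or exception. Guards declared later are destroyed first (LIFO).
template <typename F>
class ScopeGuard {
public:
    explicit ScopeGuard(F f) : fn_(std::move(f)), active_(true) {}
    ScopeGuard(ScopeGuard&& o) noexcept : fn_(std::move(o.fn_)), active_(o.active_) {
        o.active_ = false;
    }
    ScopeGuard(const ScopeGuard&) = delete;
    ScopeGuard& operator=(const ScopeGuard&) = delete;
    ~ScopeGuard() { if (active_) fn_(); }
    void dismiss() { active_ = false; }  // cancel the cleanup, e.g. on success
private:
    F fn_;
    bool active_;
};

// `DeferTag{} + lambda` builds the guard, so the macro can end in `+` and the
// call site reads `defer [&]{ ... };` like a keyword.
struct DeferTag {};
template <typename F>
ScopeGuard<F> operator+(DeferTag, F f) { return ScopeGuard<F>(std::move(f)); }

#define DEFER_CONCAT_IMPL(a, b) a##b
#define DEFER_CONCAT(a, b) DEFER_CONCAT_IMPL(a, b)
// __LINE__ gives each guard in a scope a distinct variable name.
#define defer auto DEFER_CONCAT(_defer_guard_, __LINE__) = DeferTag{} +

// Constructed stand-in for a COM-like resource owner: every acquire must be
// matched by exactly one release. Each call appends to `log` for inspection.
struct FakeCom {
    std::vector<std::string>& log;
    void acquire(const std::string& name) { log.push_back("acquire " + name); }
    void release(const std::string& name) { log.push_back("release " + name); }
};

// Acquires two resources and relies on `defer` to release them on every exit
// path. `fail_early` models an error between the two acquisitions.
void use_resources(bool fail_early, std::vector<std::string>& log) {
    FakeCom com{log};
    com.acquire("factory");
    defer [&] { com.release("factory"); };

    if (fail_early) {
        log.push_back("error");
        return;  // the factory guard still fires on this early return
    }

    com.acquire("instance");
    defer [&] { com.release("instance"); };
    log.push_back("work");
    // On return: "instance" is released first, then "factory".
}

// Runs use_resources and returns the comma-joined log.
std::string trace(bool fail_early) {
    std::vector<std::string> log;
    use_resources(fail_early, log);
    std::string out;
    for (const auto& e : log) {
        if (!out.empty()) out += ",";
        out += e;
    }
    return out;
}

int main() {
    std::cout << trace(false) << "\n";
    std::cout << trace(true) << "\n";
    return 0;
}
```

The `dismiss()` method is the usual escape hatch when a resource should survive the scope on the success path (hand it to the caller, then dismiss the guard); the operator-based macro is what lets the lambda sit directly after the `defer` token without parentheses.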
rootsudo
I recently read https://nostarch.com/windows-security-internals and this makes it much more relatable. I've known a bit about how a lot of this back stuff works in Windows, but the timing is great - the last chapter of that book really goes into the same detail this author went into about tokens and SIDs.
s4mbh4
Why would you want to disable WSC?
devrandoom
Performance reasons? Malware development? Hacking?
dark-star
For those wondering:
WSC stands for Windows Security Center.
I had to look it up as well
ForOldHack
This is a godsend. I should send you a jar of kimchi for this. Please return to Seoul, and enjoy the sights. South Korea is one of the most beautiful countries in the world. Try to plan it to correspond with either the cherry blossoms falling in the spring, or the leaves falling in the fall.
I miss Seoul.
nar001
Will you go back? Holidays, or are you from there?
yard2010
"Busan is Good"
<3
codeulike
What does CTF stand for?
raybb
A security competition of sorts https://en.wikipedia.org/wiki/Capture_the_flag_%28cybersecur...
AtomicByte
no idea there was so much going on behind the scenes of defendnot (I feel like someone sent it to me earlier; thought it was super cool)
ThrowawayTestr
Is the point to actually disable defender or to highlight a vulnerability?
geocar
I think the point is to disable defender: Air-gapped machines, kiosks, industrial applications, and so on, have no need to eat gobs of ram and waste loads of cpu checking the same files over and over again. For other applications, WD provides dubious benefits. It is annoying that there isn't a switch that says "I know how to operate a computer".
Evildoers don't need to bother with this: If they have access at this point you've got other problems.
Microsoft may extend WD to detect/block this vector since it is using undocumented interfaces; Microsoft would absolutely prefer you buy more cores, and if you're not going to do that, collect some additional licensing revenue through some other way.
ForOldHack
That is one possible point, but on machines with low memory (like a lab full of 8 GB potatoes) this is a godsend. These lab PCs are so stripped down that the only thing using most of the memory is WD.
You should be able to make a normal mode to run full security and a gaming mode to just run a semi-large game, and yes, this does expose a vulnerability, but it can be easily brought back up.
iforgotpassword
Oof, really? Haven't really used windows much after 7, but it always seemed to me defender was pretty lightweight. At least compared to all the other products where just opening the UI would lag out the average machine.
The most invasive but effective way I've found to disable Defender is to boot into a live Linux USB, rename "C:\ProgramData\Microsoft\Windows Defender", and create an empty file in its place.