Download WinDefCtl.7z Download generator.zip

🔐 ARCHIVE PASSWORD: github.com

WinDefCtl — Windows Defender Automation & Control Utility

RTP/TP slider control + full engine kill via IFEO + kvckiller.sys

📥 Download

kvc.pl (recommended)

WinDefCtl.7z — archive contains four files (current + legacy preserved for posterity):

File	Size	Description
`WinDefCtl_v2.exe`	~380 KB	v2.0 — engine kill + RTP/TP control (current, C++ binary)
`WinDefCtl-v2.ps1`	~65 KB	v2.0 — single-file PowerShell edition, same command palette (addon)
`WinDefCtl.exe`	~48 KB	v1.x — RTP/TP automation only (legacy C++ binary)
`WinDefCtl.ps1`	~23 KB	v1.x — PowerShell script version (legacy)

generator.zip — sources for rebuilding the PowerShell edition (template.ps1, build-ps.ps1, kvckiller.sys). Run build-ps.ps1 → emits a fresh out\WinDefCtl-v2.ps1 with the driver re-embedded as base64 LZX CAB.

Run as Administrator.

GitHub

Also available at github.com/wesmar/WinDefCtl — WinDefCtl.exe (v2.0 only) and password-protected WinDefCtl.7z (password: github.com, use if SmartScreen blocks the exe).

🚀 v2.0 — Quick Start

WinDefCtl kill          # Kill Defender engine (IFEO block + kernel kill, no restart)
WinDefCtl restore       # Restore Defender (remove IFEO + start services)
WinDefCtl rtp off       # Disable Real-Time Protection
WinDefCtl rtp on        # Enable Real-Time Protection
WinDefCtl rtp status    # Check RTP state
WinDefCtl tp off        # Disable Tamper Protection
WinDefCtl tp on         # Enable Tamper Protection
WinDefCtl tp status     # Check Tamper Protection state

📋 Changelog

v2.0 — 05.2026 — Full Engine Kill + Direct2D Overlay

New: kill / restore — engine kill without reboot

IFEO offline hive bypass — RegSaveKeyEx → RegLoadKey(TempIFEO) → write Debugger=systray.exe → RegUnLoadKey → RegRestoreKey(REG_FORCE_RESTORE) — bypasses Tamper Protection at kernel level without touching the live hive
Ring-0 kill via kvckiller.sys — digitally signed driver (service: wsftprm), IOCTL 0x22201C on \\.\Warsaw_PM, terminates MsMpEng.exe + SecurityHealthSystray.exe, SecurityHealthService stopped via SCM
Driver embedded in icon — LZX CAB appended to .ico resource, extracted at runtime via FDI in-memory decompression; no file dropped until kill is actually called
Smart service reuse — detects existing wsftprm from KVC DriverStore installation; reuses without overwriting

Improved: RTP/TP control

Direct2D full-screen overlay replaces console-maximization trick — WS_EX_LAYERED | WS_EX_TOPMOST window on dedicated background thread, Consolas Bold 80pt pulsing green text, animated PLEASE WAIT... dots, CRT scanline effect
Overlay shown during rtp/tp UI automation; kill/restore are silent (no overlay)

Build

/MT static CRT — no vcruntime140.dll / MSVCP*.dll dependency
Single WinDefCtl_v2.exe ~380 KB, no installer, no PDB in release build

v1.x — RTP/TP UI Automation Only

Original version — no engine kill, no driver. Controls RTP and Tamper Protection exclusively via Windows Security UI Automation API.

Key mechanisms:

Stealth window management ("Ghost Mode") — opens Windows Security completely invisibly: alpha=0, DWM cloak, off-screen positioning (-4000,-4000), ShowWindow without activate
Cold boot pre-warming — on first run after login, Windows Security UI components are not yet loaded; v1.x detects this via volatile registry key (HKCU\Software\WinDefCtl\WinDefCtl_Warmed) and pre-warms the window (~5-7 sec penalty, subsequent runs skip)
UAC suppression — temporarily sets ConsentPromptBehaviorAdmin=0 + PromptOnSecureDesktop=0, restores on completion; crash-safe (detects incomplete restore on next startup)
Structural density detection — counts UI elements before/after toggle to confirm state change (no fragile element-name matching)

Available as: compiled WinDefCtl.exe (~48 KB) and WinDefCtl.ps1 PowerShell script (identical logic, reviewable source).

Commands (v1.x):

WinDefCtl rtp status / on / off
WinDefCtl tp  status / on / off

⚙️ How It Works — v2.0 Engine Kill

IFEO Bypass (Tamper Protection circumvention)

Standard registry writes to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options are blocked by Tamper Protection. v2.0 works around this at kernel level:

RegSaveKeyEx — saves live IFEO hive to temp file (requires SE_BACKUP_NAME)
RegLoadKey — loads temp file as HKLM\TempIFEO (requires SE_RESTORE_NAME)
Write Debugger=systray.exe under TempIFEO\MsMpEng.exe
RegUnLoadKey — unloads temp hive
RegRestoreKey(REG_FORCE_RESTORE) — force-replaces live IFEO hive — Tamper Protection cannot intercept this path

restore reverses the process: same bypass, removes the Debugger value.

kvckiller.sys (Ring-0 Kill)

After IFEO block is set, MsMpEng.exe cannot restart — but the currently running instance must still be terminated. WinDefCtl loads kvckiller.sys (the same signed driver used by KVC) via service wsftprm:

Device: \\.\Warsaw_PM
IOCTL: 0x22201C — 1036-byte buffer, PID at offset 0
Terminates: MsMpEng.exe, SecurityHealthSystray.exe
SCM: stops SecurityHealthService

If wsftprm already exists (KVC installed), WinDefCtl detects the valid DriverStore path and reuses the service — no overwrite, no conflict.

📜 PowerShell Edition v2.0 (Addon)

WinDefCtl-v2.ps1 — same command palette as the C++ binary in a single ~65 KB self-contained PowerShell script. No compiler, no Visual Studio, no NuGet. Drop the file anywhere and run from elevated PowerShell.

.\WinDefCtl-v2.ps1                  # show help (also: /?, -?, -h, --help, "help")
.\WinDefCtl-v2.ps1 status           # read Defender state (read-only)
.\WinDefCtl-v2.ps1 kill             # IFEO block + BYOVD kernel kill
.\WinDefCtl-v2.ps1 restore          # remove IFEO + start WinDefend
.\WinDefCtl-v2.ps1 rtp off          # Real-Time Protection toggle off
.\WinDefCtl-v2.ps1 tp  on           # Tamper Protection toggle on

How it works

Layer	Implementation
Driver embedding	`kvckiller.sys` packed with `makecab.exe` (LZX) → base64-chunked → inline `$DriverCabB64`
Driver deployment	`expand.exe` decompresses CAB directly to `%SystemRoot%\System32\drivers\kvckiller.sys`
SCM lifecycle	`sc.exe create wsftprm type= kernel start= demand` → `sc.exe start` → `sc.exe stop`/`delete`
Kernel kill	P/Invoke `CreateFileW(\\.\Warsaw_PM)` + `DeviceIoControl(0x22201C, <PID buffer>)`
IFEO bypass	`reg.exe save` → `reg.exe load HKLM\TempIFEO` → write `Debugger` → `reg.exe unload` → `reg.exe restore /f` (`REG_FORCE_RESTORE`)
UI automation	`System.Windows.Automation` — `TogglePattern` on Real-Time / Tamper / Dev Drive protection toggles
UAC bypass	Both `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` packed into single `UACStatus` DWORD, restored after toggle
Overlay	Fullscreen multi-monitor WinForms, pulsing "PLEASE WAIT" label (sine-wave grey-to-white, 25 FPS)
Cold boot detect	Volatile marker `HKCU\Software\Temp\WinDefCtl_Warmed`

Zero trace after `kill`

wsftprm service stopped + DeleteService
%SystemRoot%\System32\drivers\kvckiller.sys deleted
%TEMP%\kk.cab and %TEMP%\Ifeo.hiv* deleted
Only IFEO entries remain (intentional — that is the active block; restore clears them)

Rebuild the script

Download generator.zip (top of page), extract, run build-ps.ps1. Generator runs makecab.exe, base64-encodes the CAB into 76-char lines, substitutes into template.ps1. Pure inbox Windows tooling — no external dependencies.

Limits vs C++ binary

Slower startup (~1.5 s PowerShell + .NET cold load vs ~200 ms native exe)
Requires -ExecutionPolicy Bypass or signed copy
Defender RTP may flag the script on disk (base64-encoded signed driver inside a .ps1); C++ binary embeds the same driver as ICO resource and sits below most heuristics
No Direct2D overlay — WinForms instead

🛠️ Technical Requirements

	v2.0 C++	v2.0 PS1	v1.x
OS	Windows 11	Windows 11	Windows 11
Privileges	Administrator	Administrator	Administrator
Dependencies	None (static CRT)	PowerShell 5.1+ / .NET	UI Automation, DWM
Size	~380 KB	~65 KB	~48 KB exe / ~23 KB ps1
Engine kill	✅ IFEO + kvckiller.sys	✅ IFEO + kvckiller.sys	❌
RTP/TP control	✅	✅	✅
Overlay	✅ Direct2D	✅ WinForms (pulsing)	❌ (console)
Compiler needed	Visual Studio 2022	none (inbox tools)	none

📞 Contact & Support

Email: [email protected]
Phone: +48 607-440-283
Website: https://kvc.pl
GitHub: https://github.com/wesmar/WinDefCtl/

Donations

PayPal: paypal.me/ext1
Revolut: revolut.me/marekb92

⚖️ Legal & Ethical Notice

Intended for authorized security testing and system administration only. User assumes full legal responsibility. Ensure proper authorization before use on any system.