I ruined my vacation by reverse engineering WSC

(blog.es3n1n.eu)

237 points | by todsacerdoti 9 hours ago

109 comments

  • nyanpasu64 7 hours ago

    The most invasive but effective way I've found to disable Defender is to boot into a live Linux USB, rename "C:\ProgramData\Microsoft\Windows Defender", and create an empty file in its place.

    • 71bw 6 hours ago

      Group policies still work so effectively that I've set up a local domain using a controller in my homelab that does nothing but change the defender policies automatically for all users.

      • devwastaken 2 hours ago

        group policy no longer works on win11. updates will reverse it. additionally defender detects turning off realtime monitoring as malware.

        • 71bw 2 hours ago

          And yet I have none of these issues on 11 LTSC 24H2? Sounds like you forgot to disable Tamper Protection

          • OsrsNeedsf2P 2 hours ago

            As someone who moved to Linux 10 years ago, this comment chain shows Windows became the real hacker distro

            • animuchan an hour ago

              In a sense, it has been for a long time.

              With Linux, there's often a good clean way to do a thing, and then there are weird hacks.

              On Windows, it often starts with weird hacks, as Microsoft is further enclosing its ecosystem.

              (I use Windows mostly for gaming and VR, and still have to constantly fiddle with the system to keep it working on a basic level, sad face emoji. Who would've thunk that merely playing an 8K European documentary in VR would require configuring DirectShow filters found on GitHub.)

              • SSLy an hour ago

                > Who would've thunk that merely playing a 8K European documentary in VR would require configuring DirectShow filters found on GitHub.

                Dios Mio, get mpv, enable gpu-hq

    • keepamovin 7 hours ago

      It's weird that windows wouldn't have a signed manifest that would detect that

      • vachina 6 hours ago

        You can also disable Windows Update entirely by taking ownership of wuaueng.dll and .exe. It’s the only effective method on Windows Home.

        • subscribed 4 hours ago

          But disabling updates on the system connected to the Internet is a terrible idea.

          How do you update that afterwards?

          • stuffoverflow 3 hours ago

            I have yet to see concrete evidence that disabling Windows update and windows defender would elevate risk of having the system compromised in any meaningful way.

            I installed Windows 10 2016 ltsc on a VM at the end of last year out of curiosity to test that. Disabled wupdate and defender before letting it access the internet so that it was basically 8 years behind on any updates. I tried browsing all kinds of sketchy sites with Firefox and chrome, clicking ads etc. but wasn't able to get the system infected.

            I would guess that keeping your browser updated is more important.

            • mr_toad 2 hours ago

              > I have yet to see concrete evidence that disabling Windows update and windows defender would elevate risk of having the system compromised in any meaningful way.

              It’s much less likely than it was 20 years ago. A lot of attack vectors have already been fixed. But hypothetically a bug in the network stack could still leave an internet connected machine vulnerable.

            • keepamovin 2 hours ago

              Correct! The browser is now the key vector because it's the most promiscuous and lascivious-for-code-and-data software on most devices.

              Browser-zero days are why I factored out a way to distribute "web RPA agent creation" on any device, with no download - into its own product layer for browser-isolation. It's a legitimate defense layer but main barriers to adoption are operating friction, even tho it makes the task of hackers who want to compromise your network with browser 0-days much harder.

              Because of that the RBI aspect is not as popular as ways its being used where you need a really locked down browser, with policies for preventing upload/download, even copy and paste, etc - for DLP (data loss prevention), for regulated enterprises.

              Even so I think the potential applications of this tech layer are just starting.

          • vachina 4 hours ago

            By reinstating the ownership of those files.

          • londons_explore 4 hours ago

            Since the rest of the world updates their PCs, malware authors rarely focus on exploiting older versions.

            Both Chrome and Windows are now in that position.

            Basically, unless you are of interest to state level attackers, in 2025 even unpatched Chrome/Windows won't get drive by exploited.

            • ZiiS 12 minutes ago

              Everything was a zero-day at one point in time. The effort is indeed usually put in whilst it is the current version. But retrying all old malware isn't effort; it is more or less the definition of script-kiddy (though state level attackers will do it too).

            • shakna 2 hours ago

              There are still active attacks against DOS and Win98. Automated driveby attacks, just looking to increase the size of a bot farm. There are still new exploits being released against rather old systems.

              • Sesse__ 3 minutes ago

                Now I'm curious, how do you attack DOS? I mean, it comes without networking support, and if you have local access, you're already privileged.

            • eru 4 hours ago

              That seems like pretty sketchy reasoning.

              Like leaving your door unlocked, because you live in such a sketchy neighbourhood that everyone else always locks their doors.

              • TeMPOraL an hour ago

                It would make sense if the cost/danger for the thieves to check every door would be prohibitive. Unfortunately, with networked computers, checking the doors is usually both riskless and effectively free.

                • eru an hour ago

                  And turning off your old door checker, just because someone fixed the vulnerability in the latest version, is probably more hassle than it's worth.

              • hansbo 3 hours ago

                More like, continue living in a sketchy neighbourhood because all the thieves go to the newer, more polished neighbourhoods anyway.

            • perching_aix 3 hours ago

              Would suck if an exploit was present for years, sometimes decades. Would especially suck if people piled up old exploits and fell back on them as needed.

              • nsteel 3 hours ago

                Imagine if this was all automated, even scripted, so even kiddies could do it, or others with almost zero security knowledge.

                I'd really, really like to think most of us don't follow this terrible security practice based on a bad premise.

            • LoganDark 4 hours ago

              Actually riddle me this: what if you want to exploit exactly the type of person to disable updates? They are potentially more lucrative targets if nobody else targets them. Just a thought. It's sort of how "delete me" services profit off paranoia, they're a lucrative market because of the paranoia.

      • da_chicken an hour ago

        It does have that. Windows uses code signing and either DISM or SFC to do that.

        But this isn't about the binaries. It's where definitions and configuration are stored. It's C:\ProgramData, not C:\Program Files.

        The system also can't object too severely. Third party endpoint protection exists.

        • arghwhat an hour ago

          > Third party endpoint protection exists.

          much to everyone's dismay. :/

    • ForOldHack 6 hours ago

      That is basically how a popular product does it, while taking down about 25% of the entire internet...

      • noisem4ker 41 minutes ago

        Are you talking about the recent CrowdStrike screwup?

      • stuckkeys 5 hours ago

        I see what you did there.

  • qbane 8 hours ago

    FYI, WSC stands for Windows Security Center.

    • Washuu 5 hours ago

      Thank you for the help. It is really frustrating when authors do not define an acronym when it is first introduced in the text.

      • unmole 5 hours ago

        But they do:

        > The part of the system that manages all this mess is called Windows Security Center - WSC for short.

        • Washuu 4 hours ago

          It needs to be closer to where the acronym is first introduced. The definition, on my screen, is below the fold so it can not be seen in context of where the acronym is first introduced. If it was defined below the title, I would understand.

          * https://apastyle.apa.org/style-grammar-guidelines/abbreviati...

          * https://www.stylemanual.gov.au/grammar-punctuation-and-conve...

          * https://learn.microsoft.com/en-us/style-guide/acronyms

          I do a lot of copy editing for clarity and non-native speakers so I have to keep these things in mind. ¯\_(ツ)_/¯

          • es3n1n 4 hours ago

            This is somewhat useful feedback, however I am not too sure how this can be fixed given the structure of my blog post. Do you think if I just add a line `*WSC is short for Windows Security Center` in the first paragraph this will be enough?

            • magicalhippo 3 hours ago

              My suggestion:

              In this post I will briefly describe the journey I went through while implementing defendnot, a tool that disables Windows Defender by using the Windows Security Center (WSC) service API directly.

            • lawgimenez 2 hours ago

              Just wondering is this Slack? Just wondering what kind of logging flow you’re using.

              https://blog.es3n1n.eu/posts/how-i-ruined-my-vacation/pics/p...

              • GranPC an hour ago

                Looks like Discord.

            • alias_neo 3 hours ago

              The typical solution, is to include the expansion in brackets after the first use.

              Simple rule I learned on my Electronic Engineering degree (where we're guilty of many, many acronyms): When you write an acronym/initialism in a paper (or anywhere for others to read really), assume the reader doesn't know what it stands for and include the expansion in brackets immediately after the first use.

              EDIT: As my sibling comment also suggests, writing it in full the first time, and using the acronym/initialism in brackets is also acceptable.

      • n4r9 3 hours ago

        At least that one is defined later on. I'm still scratching my head over "CTF".

        [Edit - could be Capture The Flag?]

      • rschiavone 4 hours ago

        They do. They understandably shorten it in the title, but then they define the acronym the first time they use it in the article.

  • rfhiurobg a few seconds ago

    pole colin insulte en mon insue

  • lepicz 13 minutes ago

    lol, i significantly improved my vacation by reverse engineering the virtual desktops on windows :) best memories of last year: reverse engineering is hellovafun!

    learned a lot of interesting things, namely there is an undocumented messaging underlying the RPC in windows: https://csandker.io/2022/05/24/Offensive-Windows-IPC-3-ALPC....

  • einsteinx2 an hour ago

    > As you might still remember, I was working on an arm64 macbook and there currently is no sane solutions how to emulate x86 windows on arm macbooks.

    What about UTM? Also Parallels recently added initial support for Intel VMs as well.

    • nottorp an hour ago

      I tried UTM and it's unusable for x86 Windows.

      Maybe command line Linux would be acceptably slow, but anything with a GUI isn't.

      You can run arm64 Windows pretty well, but that's not x86 Windows and won't help with reverse engineering an x86 system component.

      • einsteinx2 an hour ago

        I hadn’t tried it myself I just knew it could run it, sucks to hear it’s so unusable.

        • nottorp 24 minutes ago

          It depends on what you need though, because arm windows has its own rosetta-like translation and does run x86 applications.

          I set up a windows arm inside a UTM VM as a test, then installed visual studio (not code!) which is an x86 application and it was pretty much usable.

          The codebase I was working on was complaining about missing some OpenGL parts so I stopped and haven't investigated further (I have x86 boxes for working on it). But depending on your requirements the above setup may be just fine(tm).

  • raptorfactor 5 hours ago
    • es3n1n 5 hours ago

      yeah sorry I didn't feel like implementing my own RAII stuff for all the COM thingies due to time constraints. it will be changed in the next update though

      • es3n1n 4 hours ago
      • junon 5 hours ago

        Honestly if this isn't part of a public API this isn't very cursed in terms of C++, especially if you have a lot of one-off cleanup operations.

        I think the only bit I don't like personally is the syntax. I normally implement defer as a macro to keep things clean. If done correctly it can look like a keyword: `defer []{ something(); };`.

        • quietbritishjim 2 hours ago

          I think the syntax is exactly why they're saying it's cursed. IMO your suggestion is no better - yes it makes defer look like a keyword, but it's not! As I said in a sibling comment, I think it's clearer if you're honest that you're using a macro: DEFER([](){something();});

          Or you could even make a non-macro version (but then you need to think of variable names for each defer):

             auto defer_uninitialise = do_defer([](){CoUninitialize();});

    • chii 5 hours ago

      can someone well versed in explaining CPP magic explain what is going on and why it is cursed?

      • quietbritishjim 4 hours ago

        We're starting with this code:

           defer->void { CoUninitialize(); };
        
        Using the macros in the second linked file, this expands to:

           auto _defer_instance_1234 = Defer{} % [&]()->void { CoUninitialize(); };
        
        * The 1234 is whatever the line number is, which makes the variable name unique.

        * auto means infer the type of this local variable from the expression after the =.

        * Defer{} means default construct a Defer instance. Defer is an empty type, but it allows the % following it to call a specific function because...

        * Defer has an overloaded operator%. It's a template function, which takes a callable object (type is the template parameter Callable) and returns a DeferHolder<Callable> instance.

        * [&]()->void { /*code here*/ }; is C++ syntax for a lambda function that captures any variables it uses by address (that's the [&] bit), takes no parameters (that's the () bit) and returns nothing (that's the ->void bit). The code goes in braces.

        * DeferHolder calls the function it holds when it is destroyed.

        It's subjective but some (including me!) would say it's cursed because it's using a macro to make something that almost looks like C++ syntax but isn't quite. I'm pretty confident with C++ but I had no idea what was going on at first (except, "surely this is using macros somehow ... right?"). [Edit: After some thought, I think the most confusing aspect is that defer->void looks like a method call through an object pointer rather than a trailing return type.]

        I'd say it would be better to just be honest about its macroness, and also just do the extra typing of the [&] each time so the syntax of the lambda is all together. (You could then also simplify the implementation.) You end up with something like this:

           DEFER([&]()->void { CoUninitialize(); });
        
        Or if you go all in with no args lambda, you could shorten it to:

           DEFER({ CoUninitialize(); });

        • vitus 3 minutes ago

          I don't think we actually need `->void` -- shouldn't the compiler be able to infer the return type (or rather, absence thereof)? My experience is that the compiler only struggles when the return value needs to be implicitly converted to some other type.

          Would it have looked any less cursed if it just read `defer { CoUninitialize(); };`?

          Agreed that the simplest "fix" would be to just rename the macro to be all-caps.

        • Sebb767 2 hours ago

          > * Defer has an overloaded operator%. It's a template function, which takes a callable object (type is the template parameter Callable) and returns a DeferHolder<Callable> instance.

          Is there any reason to use operator% instead of a normal method call? Except possibly looking cool, which doesn't seem useful given that the call is hidden away in a macro anyway.

          • quietbritishjim 2 hours ago

            If you used a normal method call then there would need to be a corresponding close bracket at the end of the overall line of code, after the end of the lambda function. But the macro ("defer") only occurs at the start of the line, so it has no way to supply that close bracket. So the caller of the macro would have to supply it themselves. As I mentioned near the end of my comment, it seems like the defer macro is specifically engineered to avoid the caller needing a close bracket.

            If you don't mind that, I said that you can "simplify the implementation" - what I meant was, as you say, you don't need the overloaded Defer::operator% (or indeed the Defer class at all). Instead you could do:

               template <typename Callable>
               DeferHolder<Callable> _get_defer_holder(Callable&& cb) {
                   return DeferHolder<Callable>{std::forward<Callable>(cb)};
               }
               #define DEFER(my_lambda) auto COMMON_CAT(_defer_instance_, __LINE__) = _get_defer_holder(my_lambda)
            
            Disclaimer: I haven't tried it and I don't normally write macros so this could have glaring issues.

        • chii 3 hours ago

          That's interesting! So I assume that this macro allows code to get registered to be run after the 'current' scope exits.

          But from my understanding (or lack thereof), the `auto _defer_instance_1234 =` is never referenced post construction. Why doesn't the compiler immediately detect that this object is unused and thus optimize away the object as soon as possible? Is it always guaranteed that the destructor gets called only after the current scope exits?

          • quietbritishjim 2 hours ago

            > Why doesn't the compiler immediately detect that this object is unused and thus optimize away the object as soon as possible? Is it always guaranteed that the destructor gets called only after the current scope exits?

            Yes, exactly. The destructor is allowed to have some visible side effect such as closing a file handle or unlocking a mutex that could violate the assumption of the code in that block. (Even just freeing some memory could be an issue for code in the block.) It is guaranteed that the destructor is called at the end of the block, and that all the destructors called in that way happen in reverse order to the order of their corresponding constructors.
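An added worked example (editor's code, not from this thread, from defendnot, or from the Abseil library linked below) that implements the DEFER macro quietbritishjim sketched above, with a DeferHolder whose destructor runs the stored lambda, and that checks the guarantee discussed in this sub-thread: the deferred blocks run whether the scope is left by normal completion, early return or an exception, and they run in reverse order of declaration. The names DeferHolder, make_defer_holder, DEFER, scope_body and trace_for and the "acquire/release" events are this example's own; the two resource acquisitions are constructed stand-ins for pairs such as CoInitialize/CoUninitialize.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <type_traits>
#include <utility>
#include <vector>

// Holds a callable and invokes it from its destructor, i.e. when the
// enclosing scope is left: by falling off the end, by an early return,
// or by an exception unwinding through it.
template <typename Callable>
class DeferHolder {
public:
    explicit DeferHolder(Callable cb) : cb_(std::move(cb)), active_(true) {}
    // Moving transfers ownership so the callable still runs exactly once.
    DeferHolder(DeferHolder&& other) noexcept
        : cb_(std::move(other.cb_)), active_(other.active_) {
        other.active_ = false;
    }
    DeferHolder(const DeferHolder&) = delete;
    DeferHolder& operator=(const DeferHolder&) = delete;
    DeferHolder& operator=(DeferHolder&&) = delete;
    ~DeferHolder() {
        if (active_) cb_();
    }

private:
    Callable cb_;
    bool active_;
};

// Plain factory function instead of an overloaded operator%: the caller
// supplies the closing parenthesis through the DEFER macro below.
template <typename Callable>
DeferHolder<std::decay_t<Callable>> make_defer_holder(Callable&& cb) {
    return DeferHolder<std::decay_t<Callable>>{std::forward<Callable>(cb)};
}

// Two-level concatenation so __LINE__ is expanded before pasting, giving
// every DEFER in a function its own distinct local variable name.
#define DEFER_CAT_INNER(a, b) a##b
#define DEFER_CAT(a, b) DEFER_CAT_INNER(a, b)
#define DEFER(...) \
    auto DEFER_CAT(defer_instance_, __LINE__) = make_defer_holder(__VA_ARGS__)

enum ExitMode { kNormal, kEarlyReturn, kThrow };

// Constructed stand-in for a block that acquires two resources (think
// CoInitialize plus a COM interface) and must release them in reverse
// order. Every event is appended to `trace` so the ordering is checkable.
static void scope_body(std::vector<std::string>& trace, ExitMode mode) {
    trace.push_back("acquire A");
    DEFER([&]() { trace.push_back("release A"); });
    trace.push_back("acquire B");
    DEFER([&]() { trace.push_back("release B"); });

    if (mode == kEarlyReturn) {
        trace.push_back("early return");
        return;  // both holders are destroyed here: B first, then A
    }
    if (mode == kThrow) {
        trace.push_back("throw");
        throw std::runtime_error("constructed failure");  // unwinding runs them too
    }
    trace.push_back("work");
}

// Runs the scope under the requested exit mode and returns the event trace
// joined with '|'. The exception is caught here, outside the scope, so the
// "caught" event lands after both releases.
std::string trace_for(ExitMode mode) {
    std::vector<std::string> trace;
    try {
        scope_body(trace, mode);
    } catch (const std::runtime_error&) {
        trace.push_back("caught");
    }
    std::string joined;
    for (std::size_t i = 0; i < trace.size(); ++i) {
        if (i) joined += '|';
        joined += trace[i];
    }
    return joined;
}

int main() {
    std::printf("normal:       %s\n", trace_for(kNormal).c_str());
    std::printf("early return: %s\n", trace_for(kEarlyReturn).c_str());
    std::printf("throw:        %s\n", trace_for(kThrow).c_str());
    return 0;
}
```

Builds with any C++14 compiler (std::decay_t). The holder's destructor has a visible side effect, so the compiler cannot drop the "unused" local; the move constructor exists only so the factory can return by value, and it deactivates the moved-from holder so the lambda is never run twice.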

          • jeffbee 2 hours ago

            Yes, this is guaranteed. The compiler cannot simply elide statements with effects.

        • jeffbee 2 hours ago

          A way to do the same thing that is less gross: https://github.com/abseil/abseil-cpp/blob/master/absl/cleanu...

      • eru 4 hours ago

        C++ sort-of guarantees that your objects' destructors will be called when they go out of scope.

        So you can abuse this mechanic to 'register' things to be executed at the end of the current scope, almost no matter how you exit the current scope.

      • aa-jv an hour ago

        This is a class which implements a 'defer' mechanism, similar to Go and Javascript constructs, which do the same thing - delay execution of the given block until the current block scope is exited. It's pretty clever, actually, and quite useful.

        I personally don't find it that cursed, but for many old C++ heads this may be an overwhelming smell - adding a class to implement what should be a language feature may tweak some folks' ideology a bit too far.

    • fc417fc802 4 hours ago

      What's cursed about this? I use this pattern all over in my code although the signature at the callsite looks a bit different (personal preference).

      D (for example) has the concept of statements that trigger at end of scope built into the language.

  • rootsudo 5 hours ago

    I recently read https://nostarch.com/windows-security-internals and this makes it much more relatable. I know a bit about how a lot of this back stuff works in Windows, but the timing is great - the last chapter of that book really goes into the same detail this author went about tokens and sids.

  • xyst 2 hours ago

    Every time I see anime characters in pfp, I know it’s going to be a good write up. Thanks for sharing.

    Keeping this saved in case I return to a crappy windows env.

  • s4mbh4 6 hours ago

    Why would you want to disable WSC?

    • devrandoom 5 hours ago

      Performance reasons? Malware development? Hacking?

      • fransje26 3 hours ago

        Is there a more performant, less resource-crippling, antivirus for Windows?

        • hoseja an hour ago

          It's called no antivirus. It's what this is supposed to do. Antiviruses are useless malware.

        • bob1029 2 hours ago

          A skilled user.

          I understand and mostly support the idea of mandatory AV for the people who can barely handle the concept of a file system.

          There is also a class of user forged in the fires of the primordial internet who would never in a trillion years be tricked into clicking a fake explorer.exe window in their browser.

          Giving users choice is the best option. Certainly, make it very hard to disable the AV. But, don't make me go dig through DMCA'd repos and dark corners of the internet (!) to find a way to properly disable this bullshit.

          • chuckadams 41 minutes ago

            > There is also a class of user forged in the fires of the primordial internet who would never in a trillion years be tricked into clicking a fake explorer.exe window in their browser.

            Until they've had a couple drinks. Might still need a more sophisticated fake than that, but they exist. I'm with you on the disabling part though: I think Apple gets it right with SIP, it takes a reboot in recovery mode to disable it temporarily and a single command while in recovery mode to make it permanent.

          • hoseja an hour ago

            The worst is when they silently re-enable the AV with a mandatory update later.

        • dangus 7 minutes ago

          This whole topic is a massive eye roll.

          In what universe is windows defender “resource-crippling?” There are windows laptops that will sip battery for an entire workday plus extra hours while running defender the entire time. So clearly it’s not “resource-crippling” if it can run on a laptop with a single digit wattage power draw.

          And then we’ve got the “I need to control my system I’m too smart for antivirus” folks all over this thread.

          Well, if you’re so smart why are you using a consumer OS designed for idiots?

          (I like OP’s tongue-in-cheek work and post a whole lot better than the neckbeard army describing how Windows is broken and totally doesn’t work and how we have to disable updates and antivirus and jump through some hoops to not just use a different OS and be done with it)

    • ahoka an hour ago

      Because why would you want to rootkit yourself on purpose?

    • nicman23 2 hours ago

      because all antivirus software is at least a powervirus.

      i do not care for anyone babysitting me telling me that netcat.exe is a no no

    • xyst 2 hours ago

      It’s my hardware. I’ll do what I want with it, m8.

      Simple as that.

      • AStonesThrow 2 hours ago

        Well this is a straightforward sentiment with a real "my body, my choice" ring to it, isn't it? Until it isn't.

        Perhaps your hardware, when connected to a network, has real effects on the rest of that network. What if your system joined a botnet and began DDOS activities for payment? What if your system was part of a residential proxy network, and could be rented in the grey market for any kind of use or abuse of others' systems? What if your system became a host for CSAM or copyright-violating materials, unbeknownst to you, until the authorities confiscated it?

        And what if your hardware had a special privileged location on a corporate network, or you operated a VPC with some valuable assets, and that was compromised and commandeered by a state-level threat actor? Is it still "your hardware, your choice"? Or do your bad choices affect other people as well?

        • ahoka an hour ago

          There's the "Malicious Software Removal Tool" for that case.

        • SecretDreams an hour ago

          I got measles just reading this

        • VMtest an hour ago

          I guess I have to start auditing all devices that connect to my home internet...oh wait

        • xoa 42 minutes ago

          Geez what a cluster* of a comment. You mix in a bunch of theoreticals you came up with in 5 seconds that cover different domains and then don't actually go to the effort of critically examining your own statements, which is appreciated and makes for much higher quality comments.

          >Perhaps your hardware, when connected to a network, has real effects on the rest of that network. What if your system joined a botnet and began DDOS activities for payment? What if your system was part of a residential proxy network, and could be rented in the grey market for any kind of use or abuse of others' systems?

          This at least is "you, affecting others". But the obvious immediate response is that such things done via the network can be mitigated or blocked at the network layer, and indeed must be anyway since attackers are doing such things from across the world 24/7 regardless. I'd fully support ISPs having to throttle or even potentially block-until-fixed any customers who participate in active network attacks, and other parts of the internet throttling or black listing ISPs that refused to cooperate. But making someone deal with the consequences of their choices is no reason to deny them the choices in the first place, given that most of those making such choices are not, in fact, actually going to end up doing any of what you listed.

          >What if your system became a host for CSAM or copyright-violating materials, unbeknownst to you, until the authorities confiscated it?

          Here (and seriously ZOMG THINK OF THE CHILDREN, lol really? on HN, in 2025?) you veer off into personal consequences to the person making the choice, as opposed to them being part of an attack on others. This is just saying "there could be risks to you if you mess it up!" which is a complete non-statement.

          >And what if your hardware had a special privileged location on a corporate network, or you operated a VPC with some valuable assets, and that was compromised and commandeered by a state-level threat actor? Is it still "your hardware, your choice"? Or do your bad choices affect other people as well?

          Um. Hello? Why is corporate IT allowing you to BYOD to a special privileged location on the corporate network without even so much as any sort of management agreement or contractual responsibilities? At this point you've veered off the road of reality. Because in actual reality you don't own hardware in special privileged locations or at least don't have full choice over it by your own agreement. And if that's not the case hooboy is there a kind of a lot of other fundamental issues there. That's not an argument for a blanket universal policy.

          • AStonesThrow 37 minutes ago

            Yeah, well, so what if they are hypotheticals? They could all be mitigated by simply running the standard Windows Defender/WSC and not being an arrogant bitch about "my hardware, m8."

            "Oh no, someone got into my home and stole my electronics/burned it down!" "Oh no, someone planted drugs in my airline luggage!" "Oh no, identity thief took out loans in my name and committed bank fraud!"

            All sorts of situations can be prevented entirely, or mitigated, or you can be absolved of liability, just by taking common sense steps, and not, as we say, being an arrogant bitch?

            • hello_computer 19 minutes ago

              cost-benefit. the time/electricity/battery/frustration cost of windows defender dwarfs its utility. i’d be better off with some east euro hackerman’s crypto miner running in the background than WSC. at least hackerman knows how to not peg my CPU at 90% while he’s mining his moneros.

  • dark-star 5 hours ago

    For those wondering:

    WSC stands for Windows Security Center.

    I had to look it up as well

    • einsteinx2 an hour ago

      > The part of the system that manages all this mess is called Windows Security Center - WSC for short.

      It’s in the article

      • dark-star an hour ago

        true, but you have to read until the 4th paragraph to find it. Putting it in the title would have been better

  • codeulike 5 hours ago

    What does CTF stand for?

  • ForOldHack 6 hours ago

    This is a godsend. I should send you a jar of KimChee for this. Please return to Seoul, and enjoy the sights. South Korea is one of the most beautiful countries in the world. Try to plan it to correspond with either the cherry blossoms falling in the spring, or the leaves falling in the fall.

    I miss Seoul.

    • nar001 5 hours ago

      Will you go back? Holidays, or are you from there?

    • yard2010 4 hours ago

      "Busan is Good"

      <3

  • gitroom 4 hours ago

    Lmao reverse engineering WSC on vacation sounds like some real dedication - honestly can't tell if that's commitment or just a cry for help. Made me think: if tuning all this stuff gives you a headache, would you rather have max security or just peace of mind and a fast machine?

    • 0xEF 4 hours ago

      > Max security or just peace of mind and a fast machine

      Or, to avoid making that choice at all, just don't use Windows.

      • eru 4 hours ago

        There's plenty of other insecure systems.

        • xyst 2 hours ago

          Windows in its entirety is security theatre. WSC is an example of this

  • AtomicByte 9 hours ago

    no idea there was so much going on behind the scenes of defendnot (I feel like someone sent it to me earlier; thought it was super cool)

  • kunley 4 hours ago

    It's simply disgusting, not what the guy did, but the fact that he needed to do it at all, because this whole Windows environment is so crappy

  • dinga 2 hours ago

    This is literally Hacker News :)

  • ThrowawayTestr 6 hours ago

    Is the point to actually disable defender or to highlight a vulnerability?

    • geocar 5 hours ago

      I think the point is to disable defender: Air-gapped machines, kiosks, industrial applications, and so on, have no need to eat gobs of ram and waste loads of cpu checking the same files over and over again. For other applications, WD provides dubious benefits. It is annoying that there isn't a switch that says "I know how to operate a computer".

      Evildoers don't need to bother with this: If they have access at this point you've got other problems.

      Microsoft may extend WD to detect/block this vector since it is using undocumented interfaces; Microsoft would absolutely prefer you buy more cores, and if you're not going to do that, collect some additional licensing revenue through some other way.

    • ForOldHack 6 hours ago

      That is one possible point, but on machines with low memory, (like a lab full of 8Gb potatoes) this is a godsend. These lab PCs are so stripped down, that the only thing using most of the memory is WD.

      You should be able to make a normal mode to run full security and a gaming mode just run a semi large game, and yes, this does expose a vulnerability, but it can be easily brought back up.

      • iforgotpassword 5 hours ago

        Oof, really? Haven't really used windows much after 7, but it always seemed to me defender was pretty lightweight. At least compared to all the other products where just opening the UI would lag out the average machine.