fix defender not disabling

melo936 · melo936 · commit dcd8de5aa505 · 2026-02-04T13:43:11.000+04:00
diff --git a/src/lib/core/services/win_registry_service.dart b/src/lib/core/services/win_registry_service.dart
@@ -156,7 +156,9 @@ class WinRegistryService {
       path: r'SYSTEM\ControlSet001\Services',
     );
     try {
-      return key.subkeyNames.where((final String e) => e.startsWith(subkey)).toList();
+      return key.subkeyNames
+          .where((final String e) => e.startsWith(subkey))
+          .toList();
     } finally {
       key.close();
     }
@@ -238,7 +240,20 @@ class WinRegistryService {
     String name,
     T value, {
     int retryCount = 0,
+    bool useTrustedInstaller = false,
   }) async {
+    if (useTrustedInstaller) {
+      return TrustedInstallerServiceImpl().executeWithTrustedInstaller(
+        () async => writeRegistryValue<T>(
+          key,
+          path,
+          name,
+          value,
+          retryCount: retryCount,
+        ),
+      );
+    }
+
     final shouldClose = key != WinRegistryService.currentUser;
 
     try {
@@ -253,7 +268,7 @@ class WinRegistryService {
           '$tag(writeRegistryValue): Unsupported type: ${value.runtimeType}',
         ),
       };
-      
+
       final RegistryKey subKey = key.createKey(path);
       try {
         subKey.createValue(registryValue);
@@ -340,7 +355,14 @@ class WinRegistryService {
     String path,
     String name, {
     int retryCount = 0,
+    bool useTrustedInstaller = false,
   }) async {
+    if (useTrustedInstaller) {
+      return TrustedInstallerServiceImpl().executeWithTrustedInstaller(
+        () async => deleteValue(key, path, name, retryCount: retryCount),
+      );
+    }
+
     try {
       final RegistryKey subKey = key.createKey(path);
       try {
@@ -395,7 +417,14 @@ class WinRegistryService {
     RegistryKey key,
     String path, {
     int retryCount = 0,
+    bool useTrustedInstaller = false,
   }) async {
+    if (useTrustedInstaller) {
+      return TrustedInstallerServiceImpl().executeWithTrustedInstaller(
+        () async => deleteKey(key, path, retryCount: retryCount),
+      );
+    }
+
     try {
       key.deleteKey(path, recursive: true);
       logger.i('$tag(deleteKey): $path');
diff --git a/src/lib/features/tweaks/security/security_service.dart b/src/lib/features/tweaks/security/security_service.dart
@@ -325,68 +325,76 @@ class SecurityServiceImpl implements SecurityService {
   @override
   Future<void> disableDefender() async {
     try {
-      await WinPackageService.downloadPackage(WinPackageType.defenderRemoval);
-
-      await Future.wait([
-        WinRegistryService.writeRegistryValue(
-          Registry.localMachine,
-          r'SOFTWARE\Policies\Microsoft\Windows Defender',
-          'DisableAntiSpyware',
-          1,
-        ),
-        WinRegistryService.writeRegistryValue(
-          Registry.localMachine,
-          r'SOFTWARE\Policies\Microsoft\Windows Defender',
-          'DisableAntiVirus',
-          1,
-        ),
-        WinRegistryService.writeRegistryValue(
-          Registry.localMachine,
-          r'SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
-          'DisableRealtimeMonitoring',
-          1,
-        ),
-      ]);
-
-      await runPSCommand(
-        r'& $env:SystemRoot\System32\gpupdate.exe /Target:Computer /Force',
+      final String packagePath = await WinPackageService.downloadPackage(
+        WinPackageType.defenderRemoval,
       );
 
-      if (File(_mpCmdRunString).existsSync()) {
+      /// Internal helper
+      Future<void> applyPolicyWrites() async {
+        await Future.wait([
+          WinRegistryService.writeRegistryValue(
+            Registry.localMachine,
+            r'SOFTWARE\Policies\Microsoft\Windows Defender',
+            'DisableAntiSpyware',
+            1,
+          ),
+          WinRegistryService.writeRegistryValue(
+            Registry.localMachine,
+            r'SOFTWARE\Policies\Microsoft\Windows Defender',
+            'DisableAntiVirus',
+            1,
+          ),
+          WinRegistryService.writeRegistryValue(
+            Registry.localMachine,
+            r'SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
+            'DisableRealtimeMonitoring',
+            1,
+          ),
+        ]);
         await runPSCommand(
-          'Start-Process -FilePath "$_mpCmdRunString" -ArgumentList "-RemoveDefinitions -All" -NoNewWindow -Wait',
+          r'& $env:SystemRoot\System32\gpupdate.exe /Target:Computer /Force',
         );
+        if (File(_mpCmdRunString).existsSync()) {
+          await runPSCommand(
+            'Start-Process -FilePath "$_mpCmdRunString" -ArgumentList "-RemoveDefinitions -All" -NoNewWindow -Wait',
+          );
+        }
       }
 
-      await Future.wait([
-        WinRegistryService.writeRegistryValue(
-          Registry.localMachine,
-          r'SOFTWARE\Microsoft\Windows Defender',
-          'DisableAntiSpyware',
-          1,
-        ),
-        WinRegistryService.writeRegistryValue(
-          Registry.localMachine,
-          r'SOFTWARE\Microsoft\Windows Defender',
-          'DisableAntiVirus',
-          1,
-        ),
-        WinRegistryService.writeRegistryValue(
-          Registry.localMachine,
-          r'System\ControlSet001\Services\MDCoreSvc',
-          'Start',
-          4,
-        ),
-        WinRegistryService.deleteValue(
-          Registry.localMachine,
-          r'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
-          'RevisionEnableDefenderCMD',
-        ),
-      ]);
+      await applyPolicyWrites();
 
-      final String packagePath = await WinPackageService.downloadPackage(
-        WinPackageType.defenderRemoval,
+      await WinRegistryService.writeRegistryValue(
+        Registry.localMachine,
+        r'SOFTWARE\Microsoft\Windows Defender',
+        'DisableAntiSpyware',
+        1,
+        useTrustedInstaller: true,
       );
+      await WinRegistryService.writeRegistryValue(
+        Registry.localMachine,
+        r'SOFTWARE\Microsoft\Windows Defender',
+        'DisableAntiVirus',
+        1,
+        useTrustedInstaller: true,
+      );
+
+      // WORKAROUND: Force a second policy update after modifying the core Defender registry keys. After the January 2026 security updates, 'gpupdate' automatically removes 'DisableAntiSpyware' in the Policies path, when security intelligence updates is installed. Re-applying policies after modifying the core Defender registries ensures both locations are synchronized, resolving permission errors that occur when trying to disable Defender services directly.
+      await applyPolicyWrites();
+
+      await WinRegistryService.writeRegistryValue(
+        Registry.localMachine,
+        r'System\ControlSet001\Services\MDCoreSvc',
+        'Start',
+        4,
+        useTrustedInstaller: true,
+      );
+
+      await WinRegistryService.deleteValue(
+        Registry.localMachine,
+        r'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
+        'RevisionEnableDefenderCMD',
+      );
+
       await WinPackageService.installPackage(packagePath);
     } on Exception catch (e) {
       throw DefenderOperationException('Failed to disable Windows Defender', e);
