Jump to content

How to disable/enable Microsoft Security Essentials(MsMpSvc) from the command line?


iNooB

Recommended Posts

I am trying to stop service MsMpSvc but it dosen't seem to work. I have tried following :

1) net stop MsMpSvc

2) sc config MsMpSvc start= disabled

It gives me following error :

[SC] OpenService FAILED 5:

Access is denied.

 

And I do have admin privileges.

Link to comment
Share on other sites

A possibility is it could have SYSTEM privileges. Although I think Admin can stop those programs anyway.

Make sure you are running cmd/PowerShell as Admin. You may have Admin privileges but that doesn't mean the cmd/PowerShell does. Type 'cmd' (or 'powershell') into the Start menu and right click on the program and go 'Run as Administrator'. That should do the trick.

Link to comment
Share on other sites

This is for avg Anti-Virus :

I am able to stop avgsvc from cmd with : sc config avgsvc start=disabled

but anti-virus still works because a service named "AVG Antivirus" keeps running, this service acts in same manner as MsMpSvc whenver I try to stop service it gives me error access denied :(

When I query the service it says :


SERVICE_NAME: AVG Antivirus
        TYPE               : 20  WIN32_SHARE_PROCESS  
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1184
        FLAGS              :

Attributes of STATE is same as MsMpSvc

Link to comment
Share on other sites

You need to elevate your privileges, and some services, being admin will not stop either. For those you'd need a system shell to do so, which should still be possible, but I'd not like to do it with a ducky since timing issues can get you stuck in the system shell.

 

The following BAT script, will elevate you to system(not admin, but actual SYSTEM level)

:::: Elevate form Admin to System on windows with started service
:::: Copy and paste to sys.bat and right click, Run as Admin
@echo off
@break off
title root
cls
::create an interactive service spawning a shell as system
sc create evil binpath= "cmd.exe /K start" type= own type= interact > nul 2>&1
pause
sc start evil > nul 2>&1
pause
whoami
pause
rem ping 127.0.0.1 -n 4 > nul 2>&1
echo Removing service.
echo.
sc delete evil > nul 2>&1

Once system, you can kill the ms essentials task, and its service with taskkill( /? for help) from the command line as well as the above sc query. You can even delete it if needed, but if trying to hide your steps for a reboot later to come back on it's own, just sc query it to stop.

I haven't tried the above bat lately, so not sure if patched, but I doubt it, as I've used it for years without issue.

Link to comment
Share on other sites

open the new window and a command prompt, it will be as system level. You have to right click it and run as admin to get to the system shell. from there, you can literally do anything you want on the system, take ownership of user files, delete them, stop and start services, etc.

 

Also, use "sc stop MsMpSvc" first, which will bring the service down first, that is, if it's the correct name of the service. You can run "sc query" first to see what is running. If it won't stop, use taskkill as system, and it will stop the services executable from running.

 

you can also do "sc qc servicename" where servicename is the name of the service you want to look at, and will tell you if it's started, stopped, paused, pending changes, etc.

edit:

Note, when you run the bat script as admin, hit enter once, then look in the tool-bar for the prompt, click it, it opens a new desktop shell as system. See screenshots:

You should also see this desktop when in system:

 

Edited by digip
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...