WSABuilds icon indicating copy to clipboard operation
WSABuilds copied to clipboard
Published 1 month ago verified publisher icon MustardChef

[BUGFIX]

Open wesmar opened this issue 5 months ago • 5 comments

Describe the bug

Based on the research conducted, here's the technical analysis regarding the Windows Defender Remover tool and its effectiveness in resolving WSA closing issues: Technical Analysis: Windows Defender Remover v12.8.4 WSA Compatibility Solution The utilization of the Windows Defender Remover tool (version 12.8.4, end of July 2025) from the repository:

https://github.com/ionuttbara/windows-defender-remover === effectively resolves WSA (Windows Subsystem for Android) premature termination issues encountered in the latest Windows 11 builds. Root Cause Analysis The Windows Defender ecosystem implements comprehensive security mechanisms including Windows Security Services, Windows Virtualization-Based Security (VBS), Windows SmartScreen, and System Mitigations [BUG] WSA starts loading, but then closes without an error. · Issue #106 · MustardChef/WSABuilds that interfere with WSA's virtualization layer and VHDX mounting operations. The Defender's real-time protection subsystem performs aggressive process scanning and memory allocation monitoring that conflicts with WSA's ARM translation layer and Android runtime environment. Windows Defender Remover Components Affected The tool systematically removes/disables the following critical components that impact WSA functionality: Security Infrastructure:

Windows Security Center Service (wscsvc), Windows Security Service (SgrmBroker, Sgrm Drivers) [BUG] WSA starts loading, but then closes without an error. · Issue #106 · MustardChef/WSABuilds Virtualization-Based Security (VBS) and Hypervisor startup configuration [BUG] WSA starts loading, but then closes without an error. · Issue #106 · MustardChef/WSABuilds System Mitigations and Exploit Guard mechanisms [BUG] WSA starts loading, but then closes without an error. · Issue #106 · MustardChef/WSABuilds Spectre and Meltdown Mitigation (providing +30% performance improvement on legacy Intel CPUs) [BUG] WSA starts loading, but then closes without an error. · Issue #106 · MustardChef/WSABuilds

Antivirus Components:

Windows Defender Antivirus filter and rootkit scanner drivers [BUG] WSA starts loading, but then closes without an error. · Issue #106 · MustardChef/WSABuilds Antivirus Service and scanning tasks [BUG] WSA starts loading, but then closes without an error. · Issue #106 · MustardChef/WSABuilds Windows Defender Definition Update mechanisms [BUG] WSA starts loading, but then closes without an error. · Issue #106 · MustardChef/WSABuilds

WSA Issue Context This solution directly addresses the persistent WSA termination problem documented in the WSABuilds project, where users experience application crashes during the "Starting WSA" splash screen phase, particularly affecting builds with Magisk and KernelSU implementations. Implementation Variants Available Two optimized WSA implementations are available:

Magisk-integrated build: Standard root solution with traditional su binary management (Private compilation) aPatch-enhanced build: Advanced ring-0/kernel-level root implementation offering superior privilege escalation and on-demand activation capabilities

Technical Debugging Context For comprehensive analysis of the underlying mechanisms, detailed process scanning telemetry, memory allocation patterns, and VHDX mounting behavior debugging methodologies can be provided upon request. However, the core resolution methodology centers on eliminating the Defender ecosystem's interference with WSA's virtualization subsystem. The Windows Defender Remover v12.8.4 provides a definitive solution to WSA compatibility issues by surgically removing the conflicting security components while preserving system stability and functionality.

Steps to reproduce the issue

EOF

Expected behaviour

restoring the functionality WSA

Downloaded Build Of WSA

latest

Windows build number

26100.40

PC Specification

XPS-7590

Additional context

No response

wesmar avatar Jul 29 '25 22:07 wesmar

this may be a fix, but this is a security nightmare unless you do this on a VM.

Vlatsky avatar Jul 29 '25 23:07 Vlatsky

You might want to set up an exclusion policy. Not just for Virtual Hard Disk v2 (vhdx) images, but for entire streams/processes. I personally don't use Defender. Besides, I write exploits, but Microsoft patches them. For example: https://forums.mydigitallife.net/threads/stopping-and-starting-the-windows-defender-service-on-demand.86948/ When I find the time, I'll write an EFI driver that can disable it on demand. I essentially have the BlackLotus code - I just need a few days to set up the VS2022 environment.

wesmar avatar Jul 29 '25 23:07 wesmar

This may be a relief and not very effective as a fix. Bugs should be fixed not come at the cost of compromising the security of the host. And WSA running in VMs may have a performance loss.

Snowlights2022 avatar Jul 31 '25 01:07 Snowlights2022

No performance degradation occurs. Virtualization and Hyper-V remain unaffected. In fact, a noticeable performance increase is expected. I compiled kernel 6.12 for WSA yesterday. Today I'll test with Defender enabled and aim to release patches. Meanwhile, others should try creating exclusions via security policies or test with AV solutions like ESET.

wesmar avatar Jul 31 '25 08:07 wesmar

No performance degradation occurs. Virtualization and Hyper-V remain unaffected. In fact, a noticeable performance increase is expected. I compiled kernel 6.12 for WSA yesterday. Today I'll test with Defender enabled and aim to release patches. Meanwhile, others should try creating exclusions via security policies or test with AV solutions like ESET.

I'll be trying exclusions n report back. Low end pc, need all the juice I can get.

xSeekTruthx avatar Nov 26 '25 01:11 xSeekTruthx