EDRStartupHinder Disables Antivirus and EDR Protections During Windows 11 25H2 Startup
Security researcher Two Seven One Three has published EDRStartupHinder, a tool that successfully blocks Windows Defender and multiple commercial security products on Windows 11 25H2 systems by redirecting critical system DLLs during the boot process.
The technique represents an evolution in a series of attacks targeting security software by manipulating Windows’ bindflt.sys driver.
EDRStartupHinder employs a sophisticated four-step attack chain that exploits fundamental vulnerabilities in Windows architecture.
The tool first creates a malicious service configured to launch before targeted security services by manipulating Windows service group priorities.
It then uses the Bindlink API to redirect critical DLLs from the System32 folder, which every Windows process requires to function, to attacker-controlled locations.
The attack’s effectiveness stems from exploiting EDR software’s own protection mechanisms.
When an EDR process running with PPL protection attempts to load a redirected DLL, it discovers that the file has an invalid signature because EDRStartupHinder modifies a single byte in the PE header.
Since PPL-protected processes refuse to load unsigned DLLs, the security software terminates itself rather than operating in a potentially compromised state.
After the target security process exits, EDRStartupHinder removes the malicious redirect to prevent system instability and maintain operational stealth.
This cleanup step ensures that other Windows processes continue to function normally while the security software remains disabled.
Successful deployment requires attackers to perform reconnaissance on target systems.
Using tools like Process Monitor and Process Explorer, threat actors must identify critical DLLs that security products load during startup, specifically DLLs outside the Windows KnownDLLs registry list, to ensure they aren’t preloaded into memory.
Attackers must also determine the service group of targeted EDR software by examining the ServiceGroupOrder registry key, then configure their malicious service with a higher priority.
The researcher demonstrated this against Windows Defender by identifying that MsMpEng.exe loads msvcp_win.dll at startup and that services in the TDI group launch before Defender.
In laboratory testing, the tool successfully prevented Windows Defender from launching on Windows 11 25H2 systems.
The researcher also confirmed effectiveness against multiple unnamed commercial antivirus and EDR products, but withheld specific vendor names to prevent exploitation before defensive measures could be implemented.
This attack builds upon the researcher’s previous Bindlink exploitation work, including EDR-Redir tools that redirected security software folders after services launched.
However, EDRStartupHinder represents a more fundamental attack by targeting System32 before security services are initialized, thereby circumventing vendor-implemented folder protection mechanisms.
Security teams can detect this attack vector by monitoring Bindlink activity via bindlink.dll usage, tracking unauthorized Windows service creation, and implementing defense-in-depth strategies.
System administrators should establish baseline monitoring for registry modifications to service groups and service startup configurations.
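As an added example of the baseline monitoring described above (not code from the EDRStartupHinder project), the following PowerShell script reads the ServiceGroupOrder list and flags auto-start services whose group is ordered before the group of a protected security service, then reports drift against a saved baseline. The Defender service name WinDefend and the baseline file path are assumptions; run it elevated on the host being monitored.

```powershell
# Added detection example: find services positioned to start before a protected
# security service, which is the ordering precondition EDRStartupHinder relies on.
param(
    [string]$ProtectedService = 'WinDefend',   # assumption: default Defender service name
    [string]$BaselinePath = "$env:ProgramData\svc-group-baseline.json"   # assumption
)

$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder'
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Build a case-insensitive rank table from the REG_MULTI_SZ "List" value (earliest group first).
$groupList = (Get-ItemProperty -Path $orderKey -Name List).List
$rankOf = @{}; for ($i = 0; $i -lt $groupList.Count; $i++) { $rankOf[$groupList[$i].ToLower()] = $i }

# Ungrouped services start after every grouped one, so they get a rank past the end of the list.
$protected = Get-ItemProperty -Path "$svcRoot\$ProtectedService" -ErrorAction Stop
$protectedRank = if ($protected.Group -and $rankOf.ContainsKey($protected.Group.ToLower())) {
    $rankOf[$protected.Group.ToLower()] } else { $groupList.Count }

# Collect boot/system/auto-start services (Start 0, 1, 2) whose group is ranked earlier.
$early = foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $p -or -not $p.Group -or $p.Start -gt 2) { continue }
    if (-not $rankOf.ContainsKey($p.Group.ToLower())) { continue }
    $rank = $rankOf[$p.Group.ToLower()]
    if ($rank -lt $protectedRank) {
        [pscustomobject]@{ Name = $key.PSChildName; Group = $p.Group; Rank = $rank; ImagePath = $p.ImagePath }
    }
}

if (-not (Test-Path $BaselinePath)) {
    # First run: record the current state so later runs can report drift.
    ConvertTo-Json -InputObject @($early) | Set-Content -Path $BaselinePath
    Write-Output "Baseline written: $(@($early).Count) services start before $ProtectedService"
    return
}

$known = @{}
foreach ($b in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) { $known[$b.Name] = $b.ImagePath }

# Any service that is new in the early-start set, or whose binary path changed, is worth a look.
foreach ($s in @($early)) {
    if (-not $known.ContainsKey($s.Name)) {
        Write-Warning "NEW early-start service: $($s.Name) group=$($s.Group) image=$($s.ImagePath)"
    } elseif ($known[$s.Name] -ne $s.ImagePath) {
        Write-Warning "ImagePath changed for $($s.Name): $($known[$s.Name]) -> $($s.ImagePath)"
    }
}
```

Pair this with an alert on service-creation events (for example System log event ID 7045) so a service added between baseline runs is caught as well.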
The tool’s source code is publicly available on GitHub, raising concerns about potential weaponization by threat actors.
Organizations running Windows 11 environments with endpoint security solutions should implement enhanced monitoring for service manipulation and DLL redirection activities as immediate defensive measures.
The disclosure highlights ongoing challenges in securing privileged system processes and the potential for security mechanisms like PPL to be weaponized against the products they’re designed to protect.
Microsoft has not yet issued a public statement regarding patches or mitigations for this attack technique.