SimHub (popular sim racing dashboard software) appears to silently disable Windows Defender via hidden Group Policy file
SimHub, a popular sim racing dashboard software, appears to silently disable Windows Defender by creating a hidden Group Policy Registry file (ntuser.pol) that enforces multiple Defender-disabling policies on every boot. The file is hidden with system and read-only attributes, and the associated registry key permissions are modified to deny even administrator write access, requiring Safe Mode intervention to remove. This behavior was observed coinciding with the installation of SimHub 9.11.3 and related screen drivers on a personal, non-domain-joined machine. The user discovered this after about three months of Defender being fully disabled. There is no confirmed official vendor advisory or patch information available. The intent behind this behavior is unclear; it may be either a negligent side effect of driver installation or deliberate. The user has removed the file and registry keys, re-enabled Defender, and reported the issue to SimHub's GitHub.
AI Analysis
Technical Summary
A user-reported incident indicates that SimHub 9.11.3 installation coincided with the creation of a hidden Group Policy Registry file (ntuser.pol) at C:\ProgramData that disables multiple Windows Defender protections persistently by applying policies such as DisableRealtimeMonitoring and DisableOnAccessProtection. The registry key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender had its ACL modified to prevent administrator write access, complicating removal. The file is hidden with system and read-only attributes, making it invisible even with typical hidden file viewing enabled. This was discovered on a personal desktop with no domain Group Policy infrastructure, suggesting local policy manipulation. The user cannot definitively attribute the behavior to SimHub or its associated screen drivers but has taken remediation steps and notified the vendor. No official patch or advisory is available.
Potential Impact
Windows Defender was fully disabled for approximately three months on the affected machine, removing real-time protection and other Defender security features. This significantly increases the risk of malware infection and reduces endpoint security. The ACL modification preventing administrator write access to the Defender policy registry key complicates detection and removal, potentially allowing persistent disabling of Defender without user consent or awareness. No known exploits or active campaigns have been reported beyond this user disclosure.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor's channels for current remediation guidance. In the meantime, affected users should manually check for the presence of the hidden ntuser.pol file at C:\ProgramData and inspect the Defender policy registry key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender for disabling policies. Removal of the ntuser.pol file and resetting the registry permissions may require booting into Safe Mode. Users should re-enable Windows Defender protections after removal. Reporting the issue to SimHub's official channels is recommended to seek clarification and an official fix. No official vendor advisory or fix has been published at this time.
Reddit Discussion
I'm a home user, not a security professional, but I stumbled onto something I think is worth sharing here for people more knowledgeable than me to weigh in on.
Background:
SimHub is a very popular piece of software in the sim racing community used to create custom dashboards, display telemetry, and interface with various hardware like button boxes and display screens. It has a large install base.
What I found:
While investigating an unrelated Windows Defender issue I noticed a .exe file type exclusion I never added. Attempting to remove it via PowerShell as administrator returned access denied errors. Further investigation revealed:
- The registry key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender had its ACL permissions modified to deny write access even to Administrator accounts, requiring Safe Mode intervention to remove.
- A hidden file existed at C:\ProgramData\ntuser.pol with System, Hidden, and ReadOnly attributes set, invisible even with "show hidden files and protected system files" enabled in Explorer.
- The file is a Windows PReg format Group Policy Registry file containing the following Defender-disabling policies that were being re-applied on every boot:
  DisableRealtimeMonitoring = 1
  DisableRoutinelyTakingAction = 1
  DisableBehaviorMonitoring = 1
  DisableOnAccessProtection = 1
  DisableScanOnRealtimeEnable = 1
  DisableIOAVProtection = 1
  DisableRawWriteNotification = 1
  Exclusions\Extensions\exe = (blank value)
- The timestamp of the ntuser.pol file matches exactly the date SimHub 9.11.3 and its associated screen drivers were installed on my machine. The machine is a personal desktop, not domain-joined, with no enterprise Group Policy infrastructure.
Timeline:
- February 23, 2026: SimHub 9.11.3 installed along with USBD480, VOCORE, and AX206 screen drivers
- February 23, 2026: ntuser.pol file created, Defender policies applied
- May 25, 2026: Discovered while investigating unrelated Defender exclusion
- Duration of exposure: approximately 3 months of fully disabled Defender
My questions for this community:
- Is there any legitimate reason a consumer software installer would need to create a PReg policy file rather than simply requesting a Defender folder exclusion?
- The ACL modification blocking administrator access is what concerns me most; is this a known technique, and how serious is it?
- Could this be an unintentional side effect of their driver installation process, or does the deliberate file hiding suggest intent?
- I cannot confirm with 100% certainty it was SimHub vs one of the three screen drivers installed simultaneously; how would you approach confirming the source definitively?
What I've done:
- Deleted the ntuser.pol file
- Removed the registry keys via Safe Mode
- Re-enabled Defender
- Run full MBAM and MpWDOScan scans (both clean)
- Submitted a bug report to SimHub's GitHub
- Posted a PSA to r/simracing
How to check if you're affected:
Admin PowerShell:

```powershell
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /s
```

Any values set to 0x1 under that key indicate you are affected. Also check for C:\ProgramData\ntuser.pol with hidden and system files visible.
I want to be clear I'm not making a definitive accusation, this could be negligent rather than malicious. But given the file hiding, ACL tampering, and scope of Defender being fully disabled, I think it warrants attention from people with more expertise than me.
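The poster's manual check, carried through as a read-only PowerShell script that reports every indicator described in the post in one pass. This is an added example, not code from the original post or from SimHub. It assumes an elevated PowerShell session on a local, non-domain-joined machine, the key and file paths the poster named, and that the Defender PowerShell module (Get-MpComputerStatus) is installed; the function name Test-DefenderPolicyTampering is a placeholder chosen here.

```powershell
# Added example (not from the original post or from SimHub). Reports the
# indicators described above on a local, non-domain-joined machine.
# Run from an elevated PowerShell session. It only reads; nothing is changed.

function Test-DefenderPolicyTampering {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $polFile   = 'C:\ProgramData\ntuser.pol'
    # Value names the post lists; a value of 1 switches that protection off by policy
    $disableValues = @(
        'DisableRealtimeMonitoring', 'DisableRoutinelyTakingAction',
        'DisableBehaviorMonitoring', 'DisableOnAccessProtection',
        'DisableScanOnRealtimeEnable', 'DisableIOAVProtection',
        'DisableRawWriteNotification'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Walk the policy key and all subkeys (what 'reg query ... /s' prints)
    if (Test-Path -LiteralPath $policyKey) {
        $keys = @(Get-Item -LiteralPath $policyKey) + @(Get-ChildItem -LiteralPath $policyKey -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name)
                if ($disableValues -contains $name -and $value -eq 1) {
                    $findings.Add("Policy value $($key.Name)\$name = $value")
                }
                # Anything under Exclusions\ is an exclusion forced by policy,
                # e.g. the blank 'exe' extension entry the poster found
                if ($key.Name -like '*\Exclusions\*') {
                    $findings.Add("Policy exclusion $($key.Name)\$name")
                }
            }
        }
        # 2. Deny ACEs on the key explain the 'access denied' seen as administrator
        $acl = Get-Acl -LiteralPath $policyKey
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny') {
                $findings.Add("Deny ACE on policy key: $($ace.IdentityReference) $($ace.RegistryRights)")
            }
        }
    }

    # 3. The hidden .pol file; -Force is required to see System+Hidden items
    $item = Get-Item -LiteralPath $polFile -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings.Add("File present: $polFile attributes=$($item.Attributes) written=$($item.LastWriteTime)")
        # A Group Policy registry file begins with the 4-byte ASCII signature 'PReg'
        $bytes = [System.IO.File]::ReadAllBytes($polFile)
        if ($bytes.Length -ge 4 -and [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -eq 'PReg') {
            $findings.Add("File carries the PReg (Group Policy registry) signature")
        }
    }

    # 4. Ask Defender itself whether the policy is actually in effect
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        if (-not $status.RealTimeProtectionEnabled) {
            $findings.Add("Defender reports real-time protection disabled")
        }
    } catch {
        $findings.Add("Get-MpComputerStatus unavailable: $($_.Exception.Message)")
    }

    return $findings
}

$result = Test-DefenderPolicyTampering
if ($result.Count -eq 0) {
    Write-Output 'No Defender policy tampering indicators found.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script deliberately changes nothing: on a machine that is domain-joined, values under this key may be pushed legitimately by the organization's Group Policy, so a finding there has to be compared with what the domain actually deploys before anything is removed. On a personal machine with no policy source, any finding is a reason to follow the steps the poster took (boot into Safe Mode, clear the file and the policy values, restore the key's permissions, re-enable Defender) and to note the file's LastWriteTime against installation dates, which is how the poster tied the file to a specific install.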
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":35,"reasons":["external_link","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a15ee2e891d628fdc6e6735
Added to database: 5/26/2026, 7:02:06 PM
Last enriched: 5/26/2026, 7:02:14 PM
Last updated: 5/26/2026, 9:51:00 PM
Views: 10