
Sometimes, to disable Windows protection, you don’t need to attack the antivirus directly. Simply preventing it from starting properly is sufficient.
A researcher who goes by the name Two Seven One Three (TwoSevenOneT) has published a tool called EDRStartupHinder on GitHub that exploits exactly this principle: blocking the startup of antivirus and EDR during the system boot phase by abusing a legitimate Windows mechanism based on path redirection.
The core of the technique is BindLink, a Windows API that allows you to “bind” a virtual local path to another location. In practice, file access is transparently redirected. Microsoft describes BindLink as a feature provided by the bindflt.sys driver, originally intended for compatibility reasons or for scenarios where physically remote files need to appear as if they were local.
The author of EDRStartupHinder exploits this mechanism offensively. During Windows startup, the tool creates a redirect for a critical DLL in System32, causing the targeted security process to load an “inappropriate” version of the library. This results in the immediate termination of the process, which is killed before it can initialize its defenses.
The project description is explicit: EDRStartupHinder prevents antivirus and EDR from starting by redirecting a key DLL from System32 to another location in the very early stages of boot.
The repository also cites a paper by Zero Salarium, which clarifies the technical context of the attack. Many security processes are started as PPL (Protected Process Light), a mode that imposes severe restrictions on loadable libraries. If a critical dependency is manipulated before the checks are fully active, the process can “self-terminate” without ever initializing its self-defense mechanisms.
According to the author, the technique has been successfully tested on Windows Defender in Windows 11 25H2, as well as on several commercial EDR solutions, the names of which have not been made public.
Version 1.0 of the tool was released on January 11, 2026. This is yet another example of how features designed to improve compatibility and flexibility can be turned into powerful security bypass tools, especially during the delicate system boot phase, when whichever component loads first holds a decisive advantage.
The Zero Salarium publication itself suggests some basic countermeasures: carefully monitor BindLink usage (especially bindlink.dll-related activity) and look for the appearance of suspicious services that start very early, even before EDR components.
If services suddenly appear in your infrastructure that are labeled as “required for compatibility,” and system protection is disabled after a reboot, this is exactly the chain of events that should be analyzed first.
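A post-reboot triage script for the chain described above, added here as an illustration (it is not code from EDRStartupHinder or the Zero Salarium write-up): it lists early-start drivers and services whose image lives outside expected directories, flags those that describe themselves as compatibility components, finds processes with bindlink.dll mapped, and reports Defender's state. It assumes an elevated PowerShell session on the host being checked; the $expectedDirs allow-list and the use of Win32_SystemDriver/Win32_Service start modes as the definition of "early" are the script's own assumptions.

```powershell
# Post-reboot triage, added here as an illustration; not code from EDRStartupHinder or the
# Zero Salarium write-up. Assumes an elevated PowerShell session on the host being checked.
# $expectedDirs is a constructed allow-list; adapt it to your build and EDR install paths.
$expectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers",
                  "$env:SystemRoot\System32\DriverStore", "$env:ProgramFiles")

function Test-ExpectedImage {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $false }   # empty path: cannot verify, so it is reported for review
    # Normalise the forms seen in service/driver ImagePath values: "quoted", \??\C:\..., \SystemRoot\...
    $p = $ImagePath.TrimStart('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # bare "System32\drivers\x.sys"
    foreach ($dir in $expectedDirs) {
        if ($p.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Boot/System-start drivers and auto-start services: anything here runs before or alongside the EDR.
$early = @(Get-CimInstance Win32_SystemDriver | Where-Object { $_.StartMode -in 'Boot', 'System' }) +
         @(Get-CimInstance Win32_Service      | Where-Object { $_.StartMode -eq 'Auto' })
$outsideExpected = $early | Where-Object { -not (Test-ExpectedImage $_.PathName) } |
    Select-Object Name, StartMode, PathName, Description

# 2. Early entries that describe themselves as compatibility components (the lure the article
#    describes). Noisy on its own: review these, do not alert on the label alone.
$compatLabelled = $early | Where-Object { $_.Description -match 'compatib' } |
    Select-Object Name, StartMode, PathName

# 3. Processes that currently have bindlink.dll mapped, i.e. the user-mode side of BindLink.
$bindlinkUsers = foreach ($proc in Get-Process) {
    try {
        if ($proc.Modules | Where-Object { $_.ModuleName -ieq 'bindlink.dll' }) { "$($proc.Name):$($proc.Id)" }
    } catch { }   # protected or otherwise inaccessible processes throw here; skip them
}

# 4. Did the built-in protection actually come up this boot? (Defender only; other EDRs expose their own status.)
$defender = if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled
}
$defenderService = Get-Service -Name WinDefend -ErrorAction SilentlyContinue | Select-Object Status, StartType
[pscustomobject]@{
    EarlyStartOutsideExpectedDirs   = $outsideExpected
    EarlyStartLabelledCompatibility = $compatLabelled
    ProcessesWithBindlinkDll        = $bindlinkUsers
    DefenderStatus                  = $defender
    DefenderService                 = $defenderService
} | Format-List
```

Run it on a known-good build first and fold the legitimate entries it reports into $expectedDirs, so that after a suspicious reboot only the new early-start components and any bindlink.dll users stand out.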
