Leaving this comment for others' benefit: this tool no longer works as of the Feb '22 Microsoft patch. Microsoft removed TrustedInstaller as an owner of MsMpEng.exe, so impersonating it no longer grants access to the WinDefend service or any ability to start or kill MsMpEng.exe/WinDefend.
I did duplicate MsMpEng's token and play around with what I could do with it. By doing so you become part of the WinDefend Service group, which is assigned Full permissions/ownership of MsMpEng.exe and the WinDefend service. While this allows you to open WinDefend in the services panel and seemingly change settings (actions on failure, the user the service runs as, etc.), you receive an access denied message upon trying to apply any of those changes. Similarly, you are still prohibited from stopping the service, killing MsMpEng.exe via taskkill, etc.
I spent quite a bit of time looking for alternatives but have come up empty-handed.
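For administrators who want to confirm on their own hosts that the hardening this comment describes is in place (MsMpEng.exe no longer owned by TrustedInstaller, service DACL locked down), the following PowerShell audit check is an added example; it is not part of the issue or of the tool under discussion. It assumes Windows PowerShell 5.1 or later, that the WinDefend service's configured binary path points at MsMpEng.exe, and that `sc.exe sdshow` is available (it ships with Windows). The function name `Get-DefenderHardeningState` is hypothetical.

```powershell
# Added example, not code from the issue or the tool it discusses.
# Reads the on-disk owner of MsMpEng.exe and the WinDefend service DACL
# so a defender can verify the post-patch state described in the comment.
function Get-DefenderHardeningState {
    # Resolve the MsMpEng.exe path from the service definition rather than
    # from the running (protected) process, which may refuse a handle.
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
    if (-not $svc) { throw "WinDefend service not found on this host" }

    # PathName is normally a quoted path; strip the quotes and any arguments.
    $exe = $svc.PathName
    if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }

    $acl = Get-Acl -Path $exe
    $ownerIsTrustedInstaller = ($acl.Owner -like '*TrustedInstaller*')

    # Service security descriptor in SDDL form (read-only query, no admin needed).
    $sddl = ((sc.exe sdshow WinDefend) | Where-Object { $_.Trim() }) -join ''

    [pscustomobject]@{
        ExePath                 = $exe
        ExeOwner                = $acl.Owner
        OwnerIsTrustedInstaller = $ownerIsTrustedInstaller
        ServiceSddl             = $sddl
        # Per the comment, the Feb '22 patch removed TrustedInstaller as owner;
        # treat its presence as an indicator the host is not fully patched.
        AppearsHardened         = (-not $ownerIsTrustedInstaller)
    }
}

Get-DefenderHardeningState | Format-List
```

Run it from an elevated or a standard session; both can read the file owner and the service SDDL. If `OwnerIsTrustedInstaller` is `$true`, check Windows Update status before assuming the impersonation path described above is closed on that machine.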
