Windows Defender from the Command Line

Tips: Windows Defender from the Command Line

This article will help you manage Windows Defender more effectively with its command-line utility.

Windows Defender includes a command-line utility, MpCmdRun.exe, which can be handy if you want to automate the use of Windows Defender. The utility is located on Windows at %ProgramFiles%\Windows Defender\MpCmdRun.exe. 

The basic usage at the command prompt is: MpCmdRun.exe [command] [-options]

| Command | Description |
|---|---|
| -? | Displays all available options for the tool |
| -Trace [-Grouping #] [-Level #] | Starts diagnostic tracing |
| -RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures |
| -RestoreDefaults | Resets the registry values for Windows Defender settings to known good defaults |
| -SignatureUpdate | Checks for new definition updates |
| -Scan [-ScanType] | Scans for malicious software |
| -GetFiles | Collects support information |

| Client Action | MpCmdRun Switches | Additional Switches |
|---|---|---|
| Scan for malicious software based on default configuration | -Scan -ScanType 0 | |
| Quick scan for malicious software | -Scan -ScanType 1 | |
| Full system scan for malicious software | -Scan -ScanType 2 | |
| File and directory custom scan for malicious software | -Scan -ScanType 3 -File | -DisableRemediation -BootSectorScan -Timeout |
| Begins tracing Microsoft antimalware service's actions | -Trace | -Grouping -Level |
| Gathers a bunch of files and packages them together in a compressed file in the support directory | -GetFiles | -Scan |
| Restores the last set of signature definitions | -RemoveDefinitions -All | |
| Remove all Dynamic Signatures | -RemoveDefinitions -DynamicSignatures | |
| Performs definition updates directly from UNC path file share specified | -SignatureUpdate -UNC | -Path |
| Performs definition updates directly from Microsoft Malware Protection Center | -SignatureUpdate -MMPC | |
| List all quarantined items | -Restore -ListAll | |
| Restores the most recently quarantined item based on threat name | -Restore -Name | -Path |
| Restores all the quarantined items | -Restore -All | -Path |
| Adds a Dynamic Signature | -AddDynamicSignature | -Path |
| Lists SignatureSet ID's of all Dynamic Signatures | -ListAllDynamicSignatures | |
| Removes a dynamic signature | -RemoveDynamicSignature -SignatureSetID | |
| Enables integrity services | -EnableIntegrityServices | |
| Submit all sample requests | -SubmitSamples | |

Run MpCmdRun.exe on its own, without any switches, to see additional information about the switches.

When you use the -Scan switch, MpCmdRun.exe returns a return code:

  • 0 if no malware is found or malware is successfully remediated
  • if malware is found and not remediated
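
One way to use the return code in automation, as an added example that is not part of the original article: a PowerShell script that runs the custom scan from the table on each supplied path and exits non-zero if any scan does not return 0. The script parameter `-Path`, the helper name `Invoke-DefenderCustomScan` and the policy of treating every non-zero code as a failure are assumptions of this example.

```powershell
# Added example (not from the original article): custom-scan paths with
# MpCmdRun.exe and turn its exit code into a pass/fail result for automation.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Path                      # files or directories to scan
)

# Location given in the article.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path -LiteralPath $MpCmdRun -PathType Leaf)) {
    throw "MpCmdRun.exe not found at $MpCmdRun"
}

function Invoke-DefenderCustomScan {     # hypothetical helper name
    param([string]$Target)

    # -ScanType 3 with -File is the custom scan from the table above.
    # -DisableRemediation reports detections without acting on them, so an
    # exit code of 0 here cannot mean "found and remediated".
    $output = & $MpCmdRun -Scan -ScanType 3 -File $Target -DisableRemediation 2>&1
    [pscustomobject]@{
        Path     = $Target
        ExitCode = $LASTEXITCODE
        Clean    = ($LASTEXITCODE -eq 0)
        Output   = ($output | Out-String).Trim()
    }
}

$results = foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p)) {
        # A missing target is a failure, never a silent "clean".
        [pscustomobject]@{ Path = $p; ExitCode = $null; Clean = $false; Output = 'path not found' }
        continue
    }
    Invoke-DefenderCustomScan -Target (Resolve-Path -LiteralPath $p).Path
}

$results | Format-Table Path, ExitCode, Clean -AutoSize

# Assumption: any non-zero exit code is treated as "not clean".
$failed = @($results | Where-Object { -not $_.Clean })
if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Warning "$($_.Path): $($_.Output)" }
    exit 1
}
exit 0
```

Without `-DisableRemediation`, a return code of 0 covers both "nothing found" and "found and remediated", so a job that needs to know whether anything was detected should also keep the captured scan output.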

Happy Learning

Thanks & Regards,
Haresh Hirani
Follow me: Twitter @hirravi1