MpCmdRun.exe

Microsoft Defender Command-Line Tool (MpCmdRun.exe)

CPU Usage

N/A

Memory

N/A

Location

N/A

Publisher

N/A

Tips

Run MpCmdRun.exe with elevated rights to perform scans, but avoid running untrusted switches. Check the Defender signature version and quarantine folder before making changes. Always verify the file path and publisher to ensure the binary is legitimate.

Best Practices

Utilize MpCmdRun.exe for automation: schedule scans with Task Scheduler, keep signatures current, log results to files, and cross-check results with the Defender UI when needed.

What is MpCmdRun.exe?

MpCmdRun.exe is the Microsoft Defender Antivirus command-line interface that ships with Windows. It enables rapid, scripted control over Defender features, including quick and full scans, signature updates, quarantine management, and log export, all without launching the graphical Defender UI. It is commonly used by admins and power users.

MpCmdRun.exe interacts with the Defender protection engine to initiate scans (quick, full, or custom), update signatures, and handle quarantine. It accepts switches such as -Scan, -ScanType, and -SignatureUpdate, and runs with elevated privileges to modify Defender state when invoked from CMD/PowerShell.

Is it Safe?

Is it a Virus?

Why is it Running?

Reasons it's running:

Scheduled or manual Defender scans: Admins use MpCmdRun.exe to trigger quick, full, or custom scans on demand or via Task Scheduler, providing automated protection without launching the GUI.
Signature and definition updates: MpCmdRun.exe updates Defender threat definitions to ensure current protection against new malware, either on demand or as part of a maintenance window.
Quarantine and remediation actions: The tool can manage quarantine items, restore legitimate files, or remove threats as part of scripted remediation workflows.
Automation in enterprise environments: In large deployments, MpCmdRun.exe is used in scripts to enforce consistent scanning and updating across endpoints.
Diagnostics and logging for incident response: MpCmdRun.exe can generate logs and diagnostic outputs that help security teams investigate threats and verify protection status.

Can I Disable or Remove It?

Common Problems

Common Causes & Solutions

: Check for active scans and switch to a quieter scan type; verify no conflicting security tools are running; ensure Defender is up to date.
: Run an elevated Command Prompt or PowerShell; verify user permissions and that Defender is enabled; ensure the path to MpCmdRun.exe is correct.
: Verify internet connectivity, Windows Update service status, and that a proxy or firewall isn’t blocking Defender update channels.
: Check the scan type used, verify Defender signatures are current, and review the logs to confirm the scan completed successfully.
: Ensure quarantine path is accessible, review permissions, and use MpCmdRun.exe with proper switches or via the Defender UI for restoration.
: Inspect event logs for errors, confirm there’s enough disk space, and verify there are no conflicting security tools running concurrently.

Frequently Asked Questions

Is MpCmdRun.exe a virus or malware?

No. MpCmdRun.exe is a legitimate Microsoft Defender Antivirus command-line utility signed by Microsoft Corporation and used for scripted protection tasks.

How do I update Defender signatures with MpCmdRun.exe?

Open an elevated prompt and run MpCmdRun.exe -SignatureUpdate to fetch the latest definitions from Microsoft.

How can I run a quick scan using MpCmdRun.exe?

Use MpCmdRun.exe -Scan -ScanType 1 from an elevated command prompt to perform a quick scan with Defender.

Can MpCmdRun.exe be used in scheduled tasks?

Yes. MpCmdRun.exe is designed for automation and can be invoked by Task Scheduler to run scans, updates, or log exports on a schedule.

Why is MpCmdRun.exe using Defender resources in the background?

Defender may run MpCmdRun.exe as part of background protection tasks, but resource usage should be modest. If spikes persist, check for active scans and ensure Defender is up to date.

How do I verify MpCmdRun.exe is legitimate on my system?

Check the file path (e.g., C:\Program Files\Windows Defender\MpCmdRun.exe), verify the digital signature shows Microsoft Corporation, and confirm the version matches Windows Defender expectations.

Related Processes

Microsoft Defender Antivirus Engine

Windows Security Health Service

Security Health System Tray UI

Windows Defender Network Inspection Service