How to Use Windows Defender from the Command Prompt

[ad_1]

Windows Defender, now known as Windows Security, is the default antivirus software in Windows and no less capable than any third-party antivirus software. In fact, when it comes to system resource usage, Windows Security is one of the best. Though its GUI is pretty easy to use, you can also use Windows Security features via Command Prompt. Follow this tutorial to learn how.

Getting Started

Wondering why you should go through so much trouble to use Windows Security options from Command Prompt? Windows Security with Command Prompt is quite useful when you are creating your own scripts or scheduled tasks. It also allows you to have greater control over individual files and processes compared to GUI.

  1. You need administrative privileges, so type Command Prompt in the search box, and select the “Run as Administrator” option.
Run Command Prompt as Administrator.
  1. Running Windows Security inside cmd also requires a small utility program called Microsoft Malware Protection Command Line Utility, or “MpCmdRun.exe.” This is a powerful tool that automates all Windows Security tasks. Most of the methods below use “MpCmdRun.exe.”
  2. Instead of the default “C:WindowsSystem32,” the Command Prompt application needs to point to the folder where “MpCmdRun.exe” is located. Therefore, first locate the Windows Defender folder on your PC.
Windows Defender Program Files location of the app.
  1. The path for “MpCmdRun.exe” is usually “C:Program FilesWindows Defender,” but if it’s slightly different on your device, you should jot down this location. It will be very useful in the next few sections.
Windows Defender "MpCmdRun" location path in Program Files folder.

Tip: Windows Security not opening? Find the solutions in this guide.

List of Windows Defender Scan Types

If you’ve used Windows Security GUI, you will know that it has four scan types. Below are some quick explanations of the different scan types.

  1. Quick scan: as the name suggests, Quick scan is fast and only looks in the most common places, like registry keys and start-up folders, where the malware or virus could have an effect. Typically, Quick scan is completed within minutes or even seconds. In the command line, Quick scan is denoted by -ScanType 1.
  2. Full scan: performs an in-depth scan of your entire system. Depending on how many files you have in your system, the scan can take hours to complete. In the command line, Full scan is denoted by -ScanType 2.
  3. Custom scan: lets you perform an in-depth scan on a specific drive, folder, or file. In the command line, Custom scan is denoted by -ScanType 3 and has additional switches to tell which file or folder to scan.
  4. Offline scan: a few variants of malware can be particularly difficult to remove from your computer. Microsoft Defender Antivirus’s offline scan helps you get rid of them using up-to-date threat definitions. Offline scan doesn’t have a number attached to it.

Apart from these, there are some additional scan types we will get into one by one.

Good to know: you can test the efficacy of your antivirus against real malware.

Run Windows Defender Scan From Command Prompt

  1. Before doing any of the scans, change the Command Prompt folder path to the Windows Defender folder location shown in the above step. It should be something similar to “C:Program FilesWindows Defender.”
cd C:Program FilesWindows Defender
  1. To run the scans in cmd, use the “MpCmdRun.exe” application in each case, as shown below.

Quick Scan

  1. If you want to perform a quick scan, use the below command. It will have a “scan started” and “scan finished” message indication.
MpCmdRun -Scan -ScanType 1
Windows Defender scanning in Command Prompt. Scan Type 1 started and finished.
  1. You will see a Windows Security notification alert on the right side of the System Tray, indicating that the quick scanning is over.
Windows Defender scanning Type 1 result in System Tray.
  1. Once you check the Windows Security window, you will observe the most recent scans, such as a quick scan activity in Command Prompt.
Checking Command Prompt scan 1 test results in Windows Security app with details of the scan.

Full Scan

For a full scan, replace “1” in the above command with “2.” It usually takes an hour or more.

MpCmdRun -Scan -ScanType 2
Windows Defender full scan in Command Prompt called Scan 2.

Tip: you can permanently disable Microsoft Defender if you would like.

Custom Scan

A custom scan can be based on a custom location on any drive on your computer, including external drives.

  1. In this example, we are copying and pasting the path of a folder named “Videos” stored on the D drive.
Finding the folder location in D drive.
  1. To perform a custom scan, use the below command while replacing “FolderPath” with the actual folder or file path you want to scan. The scannable path in our example is simply “D:”, as there are no other folders in the D drive.
MpCmdRun -Scan -ScanType 3 -File "FolderPath"
Windows Defender Custom scan for a folder located in D drive.

Offline Scan

  1. The offline scan is initiated as a PowerShell command in the Windows Defender Offline (WDO) utility. It requires a restart of your PC and takes around 15 minutes. Use the following command:
PowerShell Start-MpWDOScan
Windows Defender Offline (WDO) scan initiated in Command Prompt.
  1. As soon as you enter the command as shown above, your Windows PC will restart, and the offline scan window will be visible on your screen. Wait a few minutes for the process to finish.
Microsoft Defender Antivirus offline scan in action.
  1. The offline scan will continue in the Command Prompt window while the process is running. You can see the number of items scanned and the percentage completed.
Offline scan in command prompt for Windows Defender.

Tip: get up to speed with these essential PowerShell commands that you need to know.

Boot Sector Scan

Windows Defender has another scan type that checks the system boot sector for any infections. A boot sector virus can infect the Master Boot Record, which in turn infects the entire system when you boot it up.

  1. To perform a boot sector scan, use the below command.
MpCmdRun.exe -Scan -ScanType -BootSectorScan
Running a boot sector scan in Windows Defender via Command Prompt.
  1. To cancel the scan, press the keyboard shortcut Ctrl + C or type ^C.
Cancelling boot sector scan in Windows Defender via Command Prompt.

Applications of Windows Defender With Command Prompt

The Windows Defender command line lets you do a number of other things, as shown below.

1. Listing and Restoring Quarantined Files

When Windows Security finds a threat, it moves it to Quarantine so that it doesn’t infect your system. However, false positives can happen, and if you think Windows Defender moved a legitimate file to Quarantine, you can restore it quite easily.

  1. Use the below command to list all the Quarantined Files.
MpCmdRun.exe -Restore -ListAll
No quarantined items in Windows Defender while running a command for Listing all.
  1. From the list, identify the file and note its name. In the above example, no quarantined items were found, so the next step of restoring is not needed.
  2. If you found a quarantined file, you can restore it easily by executing the below command. To do this, replace “FileName” with the actual file name you want to restore. If the command is executed successfully, the file will be restored to its original location.
MpCmdRun.exe -Restore -Name "FileName"
Restoring a quarantined file in Windows Defender by name in the Command Prompt.

Tip: learn how to install unsigned drivers in Windows.

2. Doing Signature Updates

In general, Windows Security automatically updates itself with the latest antivirus definitions. However, if you want to make sure Windows Security is up to date, execute the below command.

MpCmdRun.exe -SignatureUpdate
Signature updates done in Windows Defender using Command Prompt.

3. Verify Windows Defender Antivirus Cloud Service

Is your Windows Security even connected to the cloud? Otherwise, there is no use in running any scans. This is something that you can only verify using the Command Prompt – not the GUI. For this purpose, we are using the following command. If there is a cloud connection, you will see a message, such as, “ValidateMapsConnection successfully established a connection to MAPS.”

MpCmdRun.exe -ValidateMapsConnection
Verify and validate Windows Defender cloud Antivirus Cloud service.

4. Recover Files Deleted by Windows Defender

This is the hardest part of having Windows Security on your computer. Sometimes the antivirus will delete an important file or two, and you cannot recover it easily from the Recycle Bin. The best way to go about it is to use the Command Prompt.

  1. Use the -GetFiles command as shown below. This will generate a list of files deleted by the program that are still recoverable. Wait for the entire list to populate your screen.
Recover files deleted by Windows Defender using -GetFiles.
  1. These files are saved in a file path shown at the bottom of the screen. Copy-paste the file name, which is a .CAB extension (Cabinet File System).
Recovered files path in Windows Cmd.
  1. Navigate to the above path using File Explorer, and right-click on the .CAB file to open it with Windows Explorer. You can also use online programs.
Recovered cabinet file in File Explorer window opened using right click and Windows Explorer.
  1. You can find an entire list of deleted files that you can now extract to return them to where they were. (You can’t copy and paste them.)
List of recovered Windows Defender files using -GetFiles in Command Prompt.

FYI: experiencing issues after a Windows update? Check out our post on the latest Windows update problems to find your fix.

5. Remove and Restore Security Updates

If you’re testing apps or doing a bit of scripting, you may want to see how Windows interacts with the latest security updates, as well as those from the previous Windows update. Using the Command Prompt, you can remove, then restore security definitions.

Note: we strongly recommend that you restore the definitions to the latest ones after removing them so that your PC stays protected against the latest threats.

With that in mind, follow these steps to roll back your virus definitions:

  1. To restore definitions to the defaults or those stored in the last backup copy (automatically created by Windows when updating to the latest ones), enter this command:
MpCmdRun.exe -RemoveDefinitions -All
Windows Defender running scan for entire list of definitions removal.
  1. Also, you can only remove the dynamically downloaded security signatures using this command:
MpCmdRun.exe -RemoveDefinitions -DynamicSignatures
Dynamic signatures removal using Remove Definitions command in Cmd.
  1. Once you’re done dallying around removing security definitions, it’s time to restore them with this command:
MpCmdRun.exe -SignatureUpdate
Windows Defender Signature update started and finished.

6. Reset Your Windows Security

If Windows Security is experiencing errors, too many false positives, and failure to detect new malware threats, it is time to reset the platform to its default installed version.

  1. Use the following command:
MpCmdRun.exe -ResetPlatform
Reset the Windows Defender platform to its original value in Command Prompt.
  1. Sometimes, instead of a reset, you just want to revert to the previously installed version, as shown below.
MpCmdRun.exe -RevertPlatform
Revert the Windows Defender platform to its previously installed version.

Tip: SFC throwing up an error as you’re trying to run the scan? Learn how to fix it.

Frequently Asked Questions

How can I stop Windows Defender Scan from taking too long?

If a scan seems stuck or not moving beyond a certain number, you may have too many files and folders or a large program holding it back. More often than not, you did not perform a PC scan in a very long time.

It is better to automate running Quick scan on a regular basis by scheduling it. This can be done by opening the Task Scheduler app. When it opens, go to “Task Scheduler Library -> Microsoft -> Windows -> Windows Defender.” Select “Windows Defender Scheduled Scan,” right-click to view its Properties, and follow it by clicking the “Trigger” tab. You must click the “New” button to create a new scheduled task.

Are there any risks associated with using Windows Defender with Command Prompt?

Windows Defender is generally safe to use with Command Prompt, but you may accidentally download malicious files by running the wrong script or restoring a quarantined file that was exploiting your PC security gaps. However, on a normal basis, you should not encounter these issues.

Image credit: Unsplash. All screenshots by Sayak Boral.

Sayak Boral
Sayak Boral

Sayak Boral is a technology writer with over eleven years of experience working in different industries including semiconductors, IoT, enterprise IT, telecommunications OSS/BSS, and network security. He has been writing for MakeTechEasier on a wide range of technical topics including Windows, Android, Internet, Hardware Guides, Browsers, Software Tools, and Product Reviews.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

[ad_2]

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

Call Us