Programfiles windows defender mpcmdrun exe removedefinitions all

Windows Defender, now known as Windows Security, is the default antivirus software in Windows and no less capable than any third-party antivirus software. In fact, when it comes to system resource usage, Windows Security is one of the best. Though its GUI is pretty easy to use, you can also use Windows Security features via Command Prompt. Follow this tutorial to learn how.

Getting Started

Wondering why you should go through so much trouble to use Windows Security options from Command Prompt? Windows Security with Command Prompt is quite useful when you are creating your own scripts or scheduled tasks. It also allows you to have greater control over individual files and processes compared to GUI.

1. You need administrative privileges, so type Command Prompt in the search box, and select the «Run as Administrator» option.

1. Running Windows Security inside cmd also requires a small utility program called Microsoft Malware Protection Command Line Utility, or «MpCmdRun.exe.» This is a powerful tool that automates all Windows Security tasks. Most of the methods below use «MpCmdRun.exe.»
2. Instead of the default «C:\Windows\System32,» the Command Prompt application needs to point to the folder where «MpCmdRun.exe» is located. Therefore, first locate the Windows Defender folder on your PC.

1. The path for «MpCmdRun.exe» is usually «C:\Program Files\Windows Defender,» but if it’s slightly different on your device, you should jot down this location. It will be very useful in the next few sections.

Tip: Windows Security not opening? Find the solutions in this guide.

List of Windows Defender Scan Types

If you’ve used Windows Security GUI, you will know that it has four scan types. Below are some quick explanations of the different scan types.

1. Quick scan: as the name suggests, Quick scan is fast and only looks in the most common places, like registry keys and start-up folders, where the malware or virus could have an effect. Typically, Quick scan is completed within minutes or even seconds. In the command line, Quick scan is denoted by -ScanType 1.
2. Full scan: performs an in-depth scan of your entire system. Depending on how many files you have in your system, the scan can take hours to complete. In the command line, Full scan is denoted by -ScanType 2.
3. Custom scan: lets you perform an in-depth scan on a specific drive, folder, or file. In the command line, Custom scan is denoted by -ScanType 3 and has additional switches to tell which file or folder to scan.
4. Offline scan: a few variants of malware can be particularly difficult to remove from your computer. Microsoft Defender Antivirus’s offline scan helps you get rid of them using up-to-date threat definitions. Offline scan doesn’t have a number attached to it.

Apart from these, there are some additional scan types we will get into one by one.

Good to know: you can test the efficacy of your antivirus against real malware.

1. Before doing any of the scans, change the Command Prompt folder path to the Windows Defender folder location shown in the above step. It should be something similar to «C:\Program Files\Windows Defender.»

cd C:\Program Files\Windows Defender

1. To run the scans in cmd, use the «MpCmdRun.exe» application in each case, as shown below.

Quick Scan

1. If you want to perform a quick scan, use the below command. It will have a «scan started» and «scan finished» message indication.

MpCmdRun -Scan -ScanType 1

1. You will see a Windows Security notification alert on the right side of the System Tray, indicating that the quick scanning is over.

1. Once you check the Windows Security window, you will observe the most recent scans, such as a quick scan activity in Command Prompt.

Full Scan

For a full scan, replace «1» in the above command with «2.» It usually takes an hour or more.

MpCmdRun -Scan -ScanType 2

Tip: you can permanently disable Microsoft Defender if you would like.

Custom Scan

A custom scan can be based on a custom location on any drive on your computer, including external drives.

1. In this example, we are copying and pasting the path of a folder named «Videos» stored on the D drive.

1. To perform a custom scan, use the below command while replacing «FolderPath» with the actual folder or file path you want to scan. The scannable path in our example is simply «D:\», as there are no other folders in the D drive.

MpCmdRun -Scan -ScanType 3 -File "FolderPath"

Offline Scan

1. The offline scan is initiated as a PowerShell command in the Windows Defender Offline (WDO) utility. It requires a restart of your PC and takes around 15 minutes. Use the following command:

PowerShell Start-MpWDOScan

1. As soon as you enter the command as shown above, your Windows PC will restart, and the offline scan window will be visible on your screen. Wait a few minutes for the process to finish.

1. The offline scan will continue in the Command Prompt window while the process is running. You can see the number of items scanned and the percentage completed.

Tip: get up to speed with these essential PowerShell commands that you need to know.

Boot Sector Scan

Windows Defender has another scan type that checks the system boot sector for any infections. A boot sector virus can infect the Master Boot Record, which in turn infects the entire system when you boot it up.

1. To perform a boot sector scan, use the below command.

MpCmdRun.exe -Scan -ScanType -BootSectorScan

1. To cancel the scan, press the keyboard shortcut Ctrl + C or type ^C.

Applications of Windows Defender With Command Prompt

The Windows Defender command line lets you do a number of other things, as shown below.

1. Listing and Restoring Quarantined Files

When Windows Security finds a threat, it moves it to Quarantine so that it doesn’t infect your system. However, false positives can happen, and if you think Windows Defender moved a legitimate file to Quarantine, you can restore it quite easily.

1. Use the below command to list all the Quarantined Files.

MpCmdRun.exe -Restore -ListAll

1. From the list, identify the file and note its name. In the above example, no quarantined items were found, so the next step of restoring is not needed.
2. If you found a quarantined file, you can restore it easily by executing the below command. To do this, replace «FileName» with the actual file name you want to restore. If the command is executed successfully, the file will be restored to its original location.

MpCmdRun.exe -Restore -Name "FileName"

Tip: learn how to install unsigned drivers in Windows.

2. Doing Signature Updates

In general, Windows Security automatically updates itself with the latest antivirus definitions. However, if you want to make sure Windows Security is up to date, execute the below command.

MpCmdRun.exe -SignatureUpdate

3. Verify Windows Defender Antivirus Cloud Service

Is your Windows Security even connected to the cloud? Otherwise, there is no use in running any scans. This is something that you can only verify using the Command Prompt – not the GUI. For this purpose, we are using the following command. If there is a cloud connection, you will see a message, such as, «ValidateMapsConnection successfully established a connection to MAPS.»

MpCmdRun.exe -ValidateMapsConnection

4. Recover Files Deleted by Windows Defender

This is the hardest part of having Windows Security on your computer. Sometimes the antivirus will delete an important file or two, and you cannot recover it easily from the Recycle Bin. The best way to go about it is to use the Command Prompt.

1. Use the -GetFiles command as shown below. This will generate a list of files deleted by the program that are still recoverable. Wait for the entire list to populate your screen.

1. These files are saved in a file path shown at the bottom of the screen. Copy-paste the file name, which is a .CAB extension (Cabinet File System).

1. Navigate to the above path using File Explorer, and right-click on the .CAB file to open it with Windows Explorer. You can also use online programs.

1. You can find an entire list of deleted files that you can now extract to return them to where they were. (You can’t copy and paste them.)

FYI: experiencing issues after a Windows update? Check out our post on the latest Windows update problems to find your fix.

5. Remove and Restore Security Updates

If you’re testing apps or doing a bit of scripting, you may want to see how Windows interacts with the latest security updates, as well as those from the previous Windows update. Using the Command Prompt, you can remove, then restore security definitions.

Note: we strongly recommend that you restore the definitions to the latest ones after removing them so that your PC stays protected against the latest threats.

With that in mind, follow these steps to roll back your virus definitions:

1. To restore definitions to the defaults or those stored in the last backup copy (automatically created by Windows when updating to the latest ones), enter this command:

MpCmdRun.exe -RemoveDefinitions -All

1. Also, you can only remove the dynamically downloaded security signatures using this command:

MpCmdRun.exe -RemoveDefinitions -DynamicSignatures

1. Once you’re done dallying around removing security definitions, it’s time to restore them with this command:

MpCmdRun.exe -SignatureUpdate

6. Reset Your Windows Security

If Windows Security is experiencing errors, too many false positives, and failure to detect new malware threats, it is time to reset the platform to its default installed version.

1. Use the following command:

MpCmdRun.exe -ResetPlatform

1. Sometimes, instead of a reset, you just want to revert to the previously installed version, as shown below.

MpCmdRun.exe -RevertPlatform

Tip: SFC throwing up an error as you’re trying to run the scan? Learn how to fix it.

Frequently Asked Questions

Image credit: Unsplash. All screenshots by Sayak Boral.