I'm trying to kill the msmpeng.exe process on my Windows machine using a batch file run as SYSTEM. However, despite running the command "taskkill.exe /F /IM MsMpEng.exe" through schtasks, I just get an 'Access is denied' message in the output file. I've already turned off Tamper Protection. I just want to restart this process temporarily because it's leaked a significant amount of memory. Does anyone have a trick to kill it or restart it?
5 Answers
msmpeng.exe runs at the kernel level, which makes it tricky to stop, even with SYSTEM privileges. It's set up this way intentionally. You should look up the Microsoft article on high memory usage with Defender; sometimes, it could be a scanning issue that's causing these spikes in memory.
Honestly, it seems like no one has a straightforward solution to restart msmpeng.exe. If it's your machine, you should have the final say on what runs. But, at the same time, throwing more RAM at it isn't a great answer either.
Actually, SYSTEM isn’t the top tier of privilege you can get. There’s a group called TrustedInstaller that has even higher privileges. In fact, there's a trick involving PowerShell that allows you to gain those privileges, but be cautious—this can raise red flags in security systems.
Unfortunately, it sounds like what you're experiencing is by design. Most endpoint detection and response (EDR) tools will block attempts to interface with protected processes like Defender. You might just need to monitor its performance for now.
That process is part of Windows Defender, and it's designed to resist being killed for security reasons. It's likely that your attempt to kill it is more of a workaround and might not even be effective in the long run. If memory usage seems high, you might be looking at the working memory instead of an actual leak.
Sounds a bit suspect, like someone might be trying to build malware. Just be careful!
It's supposed to run around 200MB, but ballooning to a gig isn't that unusual. There might be something triggering scans constantly.