I've been trying to kill the msmpeng.exe process, which is part of Windows Defender, using a script run as SYSTEM. I created a batch file that includes the command "taskkill.exe /F /IM MsMpEng.exe >foo.txt 2>&1" but when I check the output in foo.txt, it says "Access is denied." This happens even when I try to kill the process from Task Manager. I had Tamper Protection turned off in Virus & Threat Protection before I tried this. My goal isn't to disable it permanently, just to restart it because it appears to be leaking memory — I've seen it use over a gigabyte! Is there any trick or method I might be missing to get around this and successfully restart the process?
5 Answers
You might want to check if TrustedInstaller is blocking your attempts. It's actually higher than SYSTEM level. Some advanced techniques involving PowerShell can help, but be cautious if you’re on a work network. It could trigger all sorts of alarms with security software.
Interesting! How do I access that PowerShell trick?
Honestly, your best bet might be to just accept how Defender works. Instead of trying to kill it, consider just letting it function as intended or look into third-party alternatives if you really don’t want it running. There's usually no magic fix for these built-in security features.
I get that frustration. Just be wary of forcing something that could destabilize your system. You might have to adjust your usage patterns instead.
That seems like a cop-out! What if I genuinely need to manage resources better?
Just a heads up, msmpeng.exe runs at the kernel level and is specifically shielded from being interacted with by other processes. That's why you're having trouble stopping it. Even if you're using SYSTEM privileges, it’s likely not enough because the process is designed to be resilient against such actions.
Pretty much! You might want to keep an eye on what's triggering high memory usage, as that could be a separate issue.
That's frustrating. So there’s really no way to restart it under any conditions?
It sounds like you're hitting a wall because Windows Defender is purposefully designed to protect itself from being killed by anything. Your approach with the script might come off as a workaround rather than a proper solution. Additionally, memory usage can be tricky; what you see as a leak might just be Windows Defender's normal behavior, especially during scans.
I see your point, but if it's using a gig when it normally uses around 200MB, that's concerning. What other options do I have to manage it?
If it's meant to be protective, shouldn't there be a way that allows for restarts? Seems like a design flaw.
If memory usage spikes drastically, it's good to monitor what's happening in the background. Something might be causing repeated scans or actions that inflate Defender's resource consumption. I suggest looking into Windows’ performance logs to see what's triggering those spikes. There's a performance metric in those logs that might help diagnose the root cause.
You can use the built-in Resource Monitor or Performance Monitor in Windows; they might give you enough insight.
Sounds like a tedious process! Is there a specific tool you recommend for monitoring this?
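One way to do the monitoring suggested above from the command line rather than Performance Monitor, as an added example that is not part of the thread: sample the MsMpEng working set and line the samples up with Defender scan start/finish events (IDs 1000 and 1001 in the Defender operational log) so a scan-driven spike can be told apart from a steady climb. The 1024 MB threshold comes from the figure in the question; the sample count and interval are assumptions.

```powershell
# Added example (not from the thread): watch MsMpEng memory and correlate
# with Defender scan events. Run from an elevated PowerShell prompt.
param(
    [int]$ThresholdMB = 1024,   # the ~1 GB figure from the question
    [int]$Samples     = 12,     # assumption: 12 samples ...
    [int]$IntervalSec = 10      # ... 10 s apart (about 2 minutes)
)

$samplesTaken = @()
for ($i = 0; $i -lt $Samples; $i++) {
    $proc = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
    if ($proc) {
        $ws = [math]::Round($proc.WorkingSet64 / 1MB)
        $samplesTaken += [pscustomobject]@{ Time = Get-Date; WorkingSetMB = $ws }
        if ($ws -ge $ThresholdMB) {
            Write-Warning "MsMpEng working set is $ws MB at $(Get-Date -Format T)"
        }
    }
    Start-Sleep -Seconds $IntervalSec
}

# Scan started (1000) / scan finished (1001) events covering the sample window,
# with a 5 minute margin so a scan that began just before sampling is included.
$since = (Get-Date).AddSeconds(-($Samples * $IntervalSec)).AddMinutes(-5)
$scanEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000, 1001
    StartTime = $since
} -ErrorAction SilentlyContinue

"--- Working set samples ---"
$samplesTaken | Format-Table -AutoSize
"--- Scan events in the same window ---"
$scanEvents |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
"--- Current Defender state ---"
Get-MpComputerStatus |
    Select-Object AMRunningMode, RealTimeProtectionEnabled, IsTamperProtected,
                  QuickScanEndTime, FullScanEndTime
```

If the working set climbs with no 1000/1001 events in the window, that supports the leak hypothesis; a spike bracketed by a scan start and finish is the normal scan behaviour mentioned in the thread.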
Look up some guides on gaining NtDebugPrivilege and using a TrustedInstaller process. Just make sure you know what you're doing to avoid any trouble.