I recently tried using schtasks in an elevated command prompt to run a batch file as SYSTEM to kill the msmpeng.exe process. However, my command, which was "taskkill.exe /F /IM MsMpEng.exe >foo.txt 2>&1", resulted in an "Access is denied" error, similar to when I attempted to kill the process via Task Manager. I had already turned off Tamper Protection in Windows Defender prior to this. Is there a trick to getting around this so I can restart the process? It's leaked about a gig of memory, and I'm not looking to disable it permanently, just to restart it temporarily.
5 Answers
Windows Defender works as it’s supposed to. Many EDR tools prevent interference to ensure your system stays secured. Unless you have a solid reason to change how processes are managed, it's best to let it be.
Absolutely. I've learned that trying to bypass these systems often leads to more trouble than it's worth.
Is everyone just going to ignore my need to manage msmpeng.exe? I see a lot of "you shouldn't touch it" but no real advice on how to restart it! This is my device after all, and I want to decide what runs and when! Can someone share a meaningful suggestion instead of cautionary tales?
I feel your pain! It's annoying when others dictate how we should manage our own systems. You deserve better responses!
Exactly! Just looking for tangible help, not theoretical discussions.
Just to clarify, msmpeng.exe operates at the kernel level, which makes it almost impossible to stop it with regular commands, even those run as SYSTEM. It's coded this way to maintain security. I also notice mine generally uses around 200MB. You might want to see if anything is causing constant on-demand scans – that can contribute significantly to memory usage. You can refer to this Microsoft post for more insights: [link].
I appreciate the link! I'll check it out.
Good point! I had a similar issue, and it turned out my PC was constantly triggering scans.
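The answer above suggests checking whether something keeps triggering on-demand scans before treating MsMpEng's memory use as a leak. The following read-only diagnostic is an added example, not code from anyone in this thread; it assumes a current Windows 10/11 machine with the built-in Defender PowerShell module and an elevated prompt, and it only reports on the process, scan state and scan events without stopping or reconfiguring anything.

```powershell
# Added diagnostic example (not from the original thread).
# Assumes Windows 10/11 with the built-in Defender module; run from an elevated PowerShell prompt.
# Read-only: nothing here stops, restarts or modifies Defender.

# 1. Current memory footprint of the Defender engine process.
Get-Process -Name MsMpEng -ErrorAction SilentlyContinue |
    Select-Object Id,
        @{Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) }},
        @{Name = 'PrivateMB';    Expression = { [math]::Round($_.PrivateMemorySize64 / 1MB, 1) }},
        StartTime

# 2. Protection state and the last quick/full scan times, to see whether a scan
#    is in progress or just finished (a running full scan raises memory use a lot).
Get-MpComputerStatus |
    Select-Object AMRunningMode, RealTimeProtectionEnabled, IsTamperProtected,
        QuickScanStartTime, QuickScanEndTime, FullScanStartTime, FullScanEndTime,
        AntivirusSignatureLastUpdated

# 3. Scan start/finish events from the last 24 hours.
#    Event ID 1000 = scan started, 1001 = scan finished. A dense stream of 1000s
#    means something (a scheduled task, a third-party tool) keeps kicking off scans.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000, 1001
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] }} |
    Sort-Object TimeCreated

# 4. The configured scan schedule, to compare against the event stream above.
Get-MpPreference |
    Select-Object ScanScheduleDay, ScanScheduleTime, ScanScheduleQuickScanTime,
        ScanOnlyIfIdleEnabled, ScanAvgCPULoadFactor,
        DisableCatchupQuickScan, DisableCatchupFullScan
```

If step 3 shows scans starting far more often than the schedule in step 4 explains, the extra memory is most likely scan activity rather than a leak, and the fix is to find what is requesting those scans; if the working set stays high with no scan events at all, that is the evidence worth attaching to a support report.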
You might be wrong about SYSTEM being the highest privilege level. There's actually a pseudo-group called TrustedInstaller that has higher permissions. I found a method involving a PowerShell module to elevate processes, which can be a bit tricky but could help. Just a heads-up though, if you're on a work machine, this could raise some alarms with EDR software.
Thanks for the warning! I'll stick to testing at home.
That sounds risky! Definitely not something to try on a work PC without caution.
What you're encountering is pretty standard with Windows Defender. It's designed to resist being killed to protect your system. It seems like your workaround isn't really the most reliable approach. Also, a process using a lot of memory isn't exactly a rarity for Defender, especially during scans or updates, so it might not be a leak after all.
That's true. If it’s constantly taking that much memory, it’s likely just the nature of how Defender operates, especially if it’s running on-demand scans.
Yeah, I saw it go high too! I had roughly a gig at one point, but it normalized after a while without hassle.
I understand, but it's frustrating to have control taken away from me on my own machine!