I've been trying to kill the msmpeng.exe process, which is part of Windows Defender, from an elevated command prompt. I even created a batch file that runs as SYSTEM to execute the command "taskkill.exe /F /IM MsMpEng.exe >foo.txt 2>&1". However, I keep seeing "Access is denied" in the output file, just like when I try to end it through Task Manager. I made sure to turn off Tamper Protection in Virus & Threat Protection beforehand. Is there a special trick I need to use to restart this process? It seems to be leaking around a gig of memory, and I just want to restart it temporarily rather than disable it permanently.
3 Answers
It sounds like you're running into Windows Defender’s built-in protections, which are specifically designed to prevent interference with its processes. Your approach seems a bit like a workaround, and while the high memory usage might be concerning, it’s not completely unusual for Defender to use up that much. Make sure your system isn't constantly triggering on-demand scans, as that can inflate memory usage. You might want to check Microsoft's documentation on this issue.
Exactly. I've had similar issues, and researching what triggers high memory usage helped me a lot. You’re not alone!
Ahh, interesting! It turns out SYSTEM isn't the highest privilege level—you have something called TrustedInstaller that’s even higher. There are ways to exploit that, but you'd need to be careful, especially on a work system with EDR. One way might be using a PowerShell module to get the right privileges and parent the process correctly. Just be aware that this could trigger alarms with Windows Defender.
Thanks for the heads-up! I’ll research that method but I'll be cautious.
Wow, didn't know that! Definitely sounds risky, though. Always best to tread lightly with these methods.
Keep in mind that msmpeng.exe runs at a kernel level, not just SYSTEM. This means that even with the highest privileges, you're still limited in what you can do. If it’s constantly using too much memory, there could be something else continuously triggering it. Have you checked for any scheduled tasks or scans? That might give you clues to the high usage.
I will check that out. I really just want to manage how it operates without turning it off completely.
Great point! If you're encountering these spikes, scheduling conflicts can often be the culprit.
Totally agree! Windows Defender shields its processes for a reason, and forcibly stopping it might lead to problems. Just keep an eye on it for any unusual behavior.
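The "check for scheduled tasks or scans" advice above, as an added read-only diagnostic (not posted by anyone in the thread): it reports Defender's tamper-protection state, scan times, configured scan schedule, the built-in Defender scheduled tasks and MsMpEng.exe's current memory, so you can tell whether a scan is driving the usage before touching the process. Assumes an elevated PowerShell on a Windows host where Defender is the active antivirus.

```powershell
# Added example: read-only checks for why MsMpEng.exe may be busy.
# Assumes elevated PowerShell and the built-in Defender cmdlets
# (Get-MpComputerStatus / Get-MpPreference) are available.

$status = Get-MpComputerStatus
$status | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled,
    IsTamperProtected, QuickScanStartTime, QuickScanEndTime,
    FullScanStartTime, FullScanEndTime, AntivirusSignatureLastUpdated |
    Format-List

# A scan whose start time is newer than the last end time is still running.
if ($status.FullScanStartTime -and ($status.FullScanStartTime -gt $status.FullScanEndTime)) {
    Write-Host "Full scan in progress since $($status.FullScanStartTime)"
}
if ($status.QuickScanStartTime -and ($status.QuickScanStartTime -gt $status.QuickScanEndTime)) {
    Write-Host "Quick scan in progress since $($status.QuickScanStartTime)"
}

# Configured scan schedule (ScanScheduleDay: 0 = every day, 8 = never).
Get-MpPreference | Select-Object ScanScheduleDay, ScanScheduleTime,
    ScanScheduleQuickScanTime, ScanOnlyIfIdleEnabled | Format-List

# Built-in Defender scheduled tasks and when they last fired / fire next.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task       = $_.TaskName
            State      = $_.State
            LastRun    = $info.LastRunTime
            NextRun    = $info.NextRunTime
            LastResult = $info.LastTaskResult
        }
    } | Format-Table -AutoSize

# Memory held by the Defender service process. Reading these counters does
# not require opening the protected process for write/terminate access.
Get-Process -Name MsMpEng -ErrorAction SilentlyContinue |
    Select-Object Id,
        @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } },
        @{ n = 'PrivateMB';    e = { [math]::Round($_.PrivateMemorySize64 / 1MB) } }
```

If a scan is in progress, letting it finish (or moving the schedule with Set-MpPreference) addresses the memory without fighting the process protection.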