I'm trying to restart msmpeng.exe (which is Windows Defender) because it has leaked a lot of memory, but I'm having a tough time. I even created a batch file to run the taskkill command as SYSTEM using schtasks in an elevated command prompt, but all I got in the output file was 'Access is denied,' just like when attempting to kill it from the Task Manager. Tamper Protection is already turned off. Is there any trick or method to force this process to restart? I don't want to disable it permanently, just need to give it a reset because it has accumulated around a gig of memory usage.
4 Answers
Honestly, I think it's working as intended. Antivirus solutions are designed to block attempts to interfere with them, including their processes. If the memory leak is a concern, managing other processes or considering an upgrade may be the practical route to take instead of wrestling with Defender directly.
Couldn’t agree more. Some people just want to ‘control’ what goes on their system, but it’s all part of keeping things secure.
It sounds like the access denial is by design. Windows Defender is specifically built to prevent its process from being killed to protect the system. Your script feels more like a workaround than a recommended solution. Just so you know, Defender's memory usage can sometimes blow up unexpectedly; it's not uncommon for it to reach high levels under certain conditions.
Yeah, I agree with you there. A GB of memory usage for Defender isn't totally out of the ordinary. It might just be the way it's handling its tasks, especially if it's getting triggered frequently.
I've noticed my msmpeng.exe usually runs around 200MB, so maybe it's just a temporary spike for you—could be an on-demand scan or something.
Just a heads up, msmpeng.exe operates at the kernel level, which is above even the highest SYSTEM privileges. That’s why you're having trouble stopping it. It’s designed this way to ensure the antivirus can do its job without interference. If it's consuming excessive resources, it might be worth looking into what triggers those memory spikes—check Microsoft's resource guide on this.
That makes sense! I had no idea it was running at that level. I guess there's no easy way to tweak it, huh?
Yeah, looking into the triggers might be your best bet. Sometimes, it's just overactive scanning based on your recent activity.
If you're determined to restart it, there's a complex method using PowerShell to gain higher privileges by leveraging TrustedInstaller. Just be careful with that since it can mess with your system's security settings. Maybe check out John Hammond’s video for a walkthrough, but beware of the risks, especially on work devices.
Sounds risky, but sometimes you gotta take those chances if you're trying to find a solution. Just make sure to back up important stuff!
I appreciate the insight! I had no idea about the TrustedInstaller class. I'll check out the video before trying anything drastic.
Totally! And I feel like rushing to tweak AV settings may not always be the best long-term strategy anyway.