How can I restart msmpeng.exe when I’m unable to kill it?

Asked By MysticalBard42 On

I'm trying to restart the msmpeng.exe process (Windows Defender) because it's using a lot of memory—over a gig, which seems excessive. I've attempted to use a batch file run as SYSTEM with the command "taskkill.exe /F /IM MsMpEng.exe >foo.txt 2>&1", but the log says 'Access is denied,' and I get the same result when trying to kill it from Task Manager. I disabled Tamper Protection beforehand, so I'm not sure what's going on. Is there any trick or method to force restart this process? I don't want to disable it permanently, just get it to restart and stop the memory leak.

3 Answers

Answered By WindowsGuru2020 On

There's a user group called TrustedInstaller that has a higher privilege than SYSTEM. You'd need to go through some steps involving PowerShell and might want to check out John Hammond's video on it. But be careful—doing this could really raise some flags if you're on a managed system!

CautiousCarl97 -

Yeah, if there's any risk of EDR alerting, it's probably best to stick with safer options.

SecuritySavvy -

Just make sure you know what you're doing because tampering with these permissions can lead to serious issues.

Answered By TechWizard99 On

It sounds like MSMPENG is designed to protect itself from being killed, which is standard for Windows Defender. The high memory usage could be due to something triggering constant scans. You might want to check your system for any processes causing this.
Also, have you checked the Microsoft support page? They often have tips on what's causing high memory usage in Defender.

FixItFrankie -

Good point! Monitoring which scans trigger those spikes could really help identify the issue.

CuriousCoder88 -

Yeah, and if it's regularly using a gig, maybe some settings or background processes are causing it. It's worth taking a look.
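Added example (not part of any post in this thread): a read-only PowerShell check along the lines TechWizard99's answer suggests, showing Defender's memory footprint, recent scan activity, and which files and processes are costing scan time. The 7-day window and the trace file path are assumptions; run it from an elevated prompt.

```powershell
# Added example: read-only diagnostics for high MsMpEng.exe memory use.
# Nothing here stops, kills or reconfigures Defender.

# 1. Current memory footprint of the Defender engine process.
Get-Process -Name MsMpEng -ErrorAction SilentlyContinue |
    Select-Object Name, Id,
        @{n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) }},
        @{n = 'PrivateMB';    e = { [math]::Round($_.PrivateMemorySize64 / 1MB) }}

# 2. Protection state, engine/platform versions and last scan times.
#    An outdated platform or engine is worth ruling out before anything else.
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled, IsTamperProtected,
        AMProductVersion, AMEngineVersion, AntivirusSignatureLastUpdated,
        QuickScanStartTime, QuickScanEndTime, FullScanStartTime, FullScanEndTime

# 3. Scheduled-scan settings and exclusions currently in effect.
Get-MpPreference |
    Select-Object ScanScheduleDay, ScanScheduleTime, ScanAvgCPULoadFactor,
        ExclusionPath, ExclusionProcess

# 4. Scan activity over the last 7 days (assumed window).
#    Event 1000 = scan started, 1001 = scan finished, 1002 = scan stopped early.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000, 1001, 1002
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] }}

# 5. Record Defender scan activity while the memory use is high, then report
#    which processes, files and extensions account for the most scan time.
$trace = Join-Path $env:TEMP 'defender-perf.etl'   # assumed output path
New-MpPerformanceRecording -RecordTo $trace         # press Enter to stop recording
Get-MpPerformanceReport -Path $trace -TopProcesses 10 -TopFiles 10 -TopExtensions 10
```

If step 4 shows scans starting far more often than the schedule in step 3 implies, or step 5 shows one process or folder dominating scan time, that is the thing to investigate.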

Answered By MemoryMaster23 On

Defender runs at the kernel level, which makes it quite tough to manage through normal means. While making the system believe you're running as a higher level (like TrustedInstaller) is theoretically possible, it's pretty risky and could trigger alarms on work computers with EDR. I wouldn't recommend going down that road if you can help it.

NetworkNinja77 -

Exactly! Better to find a legit fix rather than risk messing up the system.

SystemSleuth -

Right? I mean, it's not just about the memory leak; doing something risky could put you in a worse situation.
