Antivirus Windows CMD Command


1 Answer

Best answer

How to use Windows antivirus in CMD



The antivirus in Windows is managed from the Windows Security app, which groups the functions that protect both the computer and the user: processes that run in the foreground and in the background, and constant updates that keep the threat database current. A more direct, scriptable way to scan the computer is to drive the same engine from the console with the MpCmdRun command.


MpCmdRun (Microsoft Malware Protection Command Line Utility) is a command-line tool included with Windows for managing and running tasks of Microsoft Defender Antivirus which, as we have mentioned, is the built-in protection that Windows adds against malware, viruses, spyware and other current threats.



With MpCmdRun we can perform actions such as:


  • Run on-demand malware scans of the whole system, of specific drives, or of chosen files and folders, with several scan options, to find and remove threats.
  • Update security intelligence (the malware definition files that record what is known about the latest threats) and, for troubleshooting, roll the definitions or the engine back to a previous set.
  • List and restore quarantined items.
  • Diagnose problems with the antivirus: validate connectivity to the cloud service, collect support files, capture diagnostic traces, and reset or revert the platform binaries.

Note that the scan schedule, the action applied to each detected threat and the notifications are not configured with MpCmdRun; those settings live in Windows Security, in Group Policy or in the Set-MpPreference PowerShell cmdlet.


The basic use of this utility is as follows:

 MpCmdRun.exe [command] [-options] 


The commands available to use in Windows are:


  • -Scan [-ScanType #]: runs a scan. The values for ScanType are 0 (default, according to the configured scan type), 1 (quick scan), 2 (full scan) or 3 (custom scan of a file or directory given with -File <path>). A custom scan also accepts -DisableRemediation (detect only, do not clean), -BootSectorScan and -CpuThrottling; -Timeout <days> limits how long the scan may run and -Cancel stops a running scan.
  • -Trace [-Grouping #] [-Level #]: starts diagnostic tracing of the antivirus itself (this has nothing to do with the network tool tracert).
  • -CaptureNetworkTrace -Path <path>: captures the network input of the Network Protection service and saves it to the given file.
  • -GetFiles: collects support information into a .cab file.
  • -GetFilesDiagTrack: same as -GetFiles, but writes the output to the temporary DiagTrack folder.
  • -RemoveDefinitions [-All]: restores the installed security intelligence to a previous backup copy or to the original default set shipped with Windows.
  • -RemoveDefinitions [-DynamicSignatures]: removes only the dynamically downloaded security intelligence.
  • -RemoveDefinitions [-Engine]: restores the previously installed engine.
  • -SignatureUpdate [-UNC [-Path <path>] | -MMPC]: checks for new security intelligence updates (from the configured source, from a UNC share, or directly from Microsoft).
  • -Restore [-ListAll | -Name <name> | -All | -FilePath <filePath>] [-Path <path>]: lists or restores quarantined items.
  • -ListAllDynamicSignatures: lists the loaded dynamic security intelligence.
  • -RemoveDynamicSignature: removes dynamic security intelligence.
  • -ValidateMapsConnection: verifies that the network can reach the Microsoft Defender Antivirus cloud service (MAPS).
  • -ResetPlatform: resets the platform binaries to those in %ProgramFiles%\Windows Defender.
  • -RevertPlatform: reverts the platform binaries to the previously installed version.



Now let's see how to use this utility in Windows to scan various parts of the system.


How to use Windows antivirus in CMD


Step 1

To start we open File Explorer and check that the Windows Defender folder exists at the following path:
 C:\Program Files\Windows Defender 

On current Windows 10 and 11 builds this folder can hold an older copy of the tool; the platform version that is actually running (and the MpCmdRun.exe that matches it) is kept under C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\. Either copy accepts the commands shown below, but if one of them reports an unknown option, use the newer one.


Step 2

We access the folder to see that the executable is available:




Step 3

Now we are going to open the Command Prompt Console as administrator:




Step 4

In the console we go to the Windows Defender path using the "cd" command:
 cd "C:\Program Files\Windows Defender" 




Step 5

First let's run a quick scan using type 1:
 MpCmdRun -Scan -ScanType 1 


Step 6

We wait for the scan to run; when it finishes, the result is shown:




Step 7

We can see the result of the scan that was run:




Step 8

Now, to perform a full Windows scan, we'll run the following command using type 2:
 MpCmdRun -Scan -ScanType 2 


Step 9

If it takes too long we can cancel it with the following keys (or, from another console, with MpCmdRun -Scan -Cancel); at the end we can see the result of the scan.


Ctrl + C



Step 10

As we said, it is possible to run a custom scan; for this we first open File Explorer and check the path to be scanned:




Step 11

Now in the console we run the following syntax, where "path" is the file or folder to scan:
 MpCmdRun -Scan -ScanType 3 -File "path" 


Step 12

We wait for it to finish:




Step 13

One of the most useful scans is the offline scan. The computer reboots into the Windows Defender Offline environment and the scan runs before Windows, its services and its drivers load, so malware that hides from a running system (rootkits and bootkits) cannot interfere with it. To start this scan from the console we run:
 PowerShell Start-MpWDOScan 


Step 14

When we press Enter the system reboots right away, so save any open work first:




Step 15

We wait for the offline environment to load:




Step 16

Shortly afterwards we see the scan start in offline mode:




Step 17

Then it will be possible to see the status of the analysis in real time:




Step 18

There we can see the analysis percentage:




Step 19

Windows will automatically restart at the end of the analysis:




Step 20

When we log in again, the result of this scan may be shown (it is also recorded in the Protection history of Windows Security):




Step 21

Another available option is to scan the boot sector, which malware such as bootkits can compromise in order to load before the operating system and its defences do; to run this scan we open the console as administrator:




Step 22

We go to the path where Windows Defender is and run the following command for the boot sector scan. -ScanType needs a numeric value and -BootSectorScan is an option of the custom scan, so it is given together with -File; here C:\ is the system drive, replace it with the drive whose boot sector you want to check:
 MpCmdRun.exe -Scan -ScanType 3 -File C:\ -BootSectorScan 


Step 23

We wait for the analysis to finish:




Step 24

If we want to list the quarantined items we run the following command. In this case there is nothing in quarantine.
 MpCmdRun.exe -Restore -ListAll 


Step 25

To update the signatures we execute the command:
 MpCmdRun.exe -SignatureUpdate 


Step 26

Now we can verify the status of the cloud service, for this we are going to execute the following command:
 MpCmdRun.exe -ValidateMapsConnection 


Step 27

We can see the result of the connectivity tests.
We can also collect the support files of the antivirus (logs and configuration useful for troubleshooting); for this we run the following command, which packages them in a .cab file:
 MpCmdRun.exe -GetFiles 


Step 28

Several collection steps run there:




Step 29

We wait for the file to be created and note the location it reports, by default C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab:




Step 30

Now we go to the path where the file was saved; on opening it we see the following:




Step 31

We will see the file:




Step 32

We right click on the .cab file and select "Open with - Windows Explorer":




Step 33

We will have access to the content:




Step 34

If we want to remove the definitions we run the following command. This is a troubleshooting step, not routine maintenance: until the signatures are updated again the computer runs with the backup or default set, which is older.
MpCmdRun.exe -RemoveDefinitions -All




Step 35

To remove only the dynamic signatures we will use the command:
MpCmdRun.exe -RemoveDefinitions -DynamicSignatures




Step 36

After this it will be possible to update the signatures again with the command:


MpCmdRun.exe -SignatureUpdate




Step 37

In case of failures we can reset the Defender platform binaries to the ones shipped in %ProgramFiles%\Windows Defender with the following command:
MpCmdRun.exe -ResetPlatform




Step 38

Or we can revert the platform to the previous version using the following command:
MpCmdRun.exe -RevertPlatform




This is how this utility lets us run the different types of scan and maintenance tasks of the Windows antivirus from the console: it covers the computer and the system (boot sector, offline scan, signatures, cloud connectivity) as well as the user's files, and it can be scripted where the graphical Windows Security app cannot.



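The scans of steps 5 to 12 (quick, full and custom, plus the boot sector option of step 22) are run interactively above and the result is read off the console. The following is an added example, not part of the original answer, that drives the same MpCmdRun commands from PowerShell and acts on the exit code, which is what you need in a script or a scheduled task. It assumes an elevated PowerShell on Windows 10/11 with Microsoft Defender Antivirus active; the exit-code meanings used (0 = no threats, 2 = threats found), the Platform folder lookup and the %TEMP%\MpCmdRun.log location are the tool's documented behaviour, but confirm them on your build before relying on them.

```powershell
# Added example (not from the original answer): run MpCmdRun scans from PowerShell
# and act on the exit code instead of reading the console by eye.
# Assumptions: Windows 10/11, Defender Antivirus active, elevated PowerShell.
# Exit codes 0 (clean) and 2 (threats found) are the documented values; verify them
# on your build before automating on them.

function Get-MpCmdRunPath {
    # Prefer the current platform binary under ProgramData; the copy in
    # "C:\Program Files\Windows Defender" can be an older platform version.
    $platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    $latest = Get-ChildItem -Path $platform -Directory -ErrorAction SilentlyContinue |
        Sort-Object { [version]($_.Name -replace '-.*$', '') } -Descending |
        Select-Object -First 1
    if ($latest) { return Join-Path $latest.FullName 'MpCmdRun.exe' }
    return Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
}

function Invoke-DefenderScan {
    param(
        [ValidateSet(0, 1, 2, 3)] [int] $ScanType = 1,  # 0 default, 1 quick, 2 full, 3 custom
        [string] $Path,                                  # file or folder; required for ScanType 3
        [switch] $BootSectorScan,                        # option of the custom scan (with -File)
        [switch] $ReportOnly,                            # -DisableRemediation: detect, do not clean
        [int] $TimeoutDays = 1                           # MpCmdRun's -Timeout is expressed in days
    )
    $exe = Get-MpCmdRunPath
    $argList = @('-Scan', '-ScanType', $ScanType)
    if ($ScanType -eq 3) {
        if (-not $Path) { throw 'ScanType 3 (custom) needs -Path' }
        $argList += @('-File', $Path)
        if ($ReportOnly)     { $argList += '-DisableRemediation' }
        if ($BootSectorScan) { $argList += '-BootSectorScan' }
    }
    $argList += @('-Timeout', $TimeoutDays)

    Write-Host "Running: $exe $($argList -join ' ')"
    & $exe @argList | Out-Host          # MpCmdRun prints progress and the summary itself
    $code = $LASTEXITCODE
    $verdict = switch ($code) {
        0       { 'clean' }
        2       { 'threats found' }
        default { "error (exit code $code)" }
    }
    $target = if ($Path) { $Path } else { '(system)' }
    [pscustomobject]@{
        ScanType = $ScanType
        Target   = $target
        ExitCode = $code
        Verdict  = $verdict
        Log      = Join-Path $env:TEMP 'MpCmdRun.log'   # MpCmdRun appends its own log here
    }
}

# Quick scan (step 5), then the details of recent detections if anything was found.
$result = Invoke-DefenderScan -ScanType 1
$result | Format-List
if ($result.ExitCode -eq 2) {
    Get-MpThreatDetection |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object -First 5 ThreatID, Resources, InitialDetectionTime, ActionSuccess |
        Format-Table -AutoSize
}

# The custom form of step 11 together with the boot sector check of step 22, in one run
# (the folder is only a placeholder; any file or directory path works):
# Invoke-DefenderScan -ScanType 3 -Path 'C:\Users\Public' -BootSectorScan
```

Use -ReportOnly when you want a read-only pass over a suspect folder (for example before collecting a sample for analysis); without it, MpCmdRun applies the configured remediation, which usually means quarantine. The object returned carries the exit code and the log path, so a scheduled task can raise an alert on a verdict of "threats found" and attach the log rather than the console output.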
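Steps 24 to 38 above are individual maintenance commands (quarantine listing, signature update, cloud connectivity check, support bundle, dynamic signature reset). The following is an added example, not part of the original answer, that strings them into one health pass and records what Get-MpComputerStatus reports before and after, so that the effect of each command is evidenced rather than assumed. It assumes an elevated PowerShell on Windows 10/11 with network access; the registry value InstallLocation under HKLM:\SOFTWARE\Microsoft\Windows Defender, the support bundle path ...\Support\MpSupportFiles.cab and a non-zero exit code from -ValidateMapsConnection on failure are what current builds do, but verify them on yours.

```powershell
# Added example (not from the original answer): one Defender health pass built from
# the MpCmdRun maintenance commands, with before/after evidence.
# Assumptions: elevated PowerShell on Windows 10/11; network access for the signature
# and cloud (MAPS) checks; the registry InstallLocation value, the MpSupportFiles.cab
# path and a non-zero MAPS exit code on failure behave as on current builds.

function Get-MpCmdRunPath {
    # Current platform folder as registered by Defender; fall back to Program Files.
    $loc = Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' `
                                 -Name InstallLocation -ErrorAction SilentlyContinue
    if ($loc -and (Test-Path (Join-Path $loc 'MpCmdRun.exe'))) { return Join-Path $loc 'MpCmdRun.exe' }
    return Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
}

function Get-SignatureState {
    # Snapshot of what Defender reports about its own intelligence and engine.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        SignatureVersion = $s.AntivirusSignatureVersion
        SignatureAgeDays = $s.AntivirusSignatureAge
        LastUpdated      = $s.AntivirusSignatureLastUpdated
        EngineVersion    = $s.AMEngineVersion
        PlatformVersion  = $s.AMProductVersion
    }
}

function Invoke-DefenderHealthPass {
    param(
        [switch] $ResetDynamicSignatures,   # step 35: drop cloud-delivered dynamic signatures first
        [switch] $CollectSupportFiles        # step 27: build MpSupportFiles.cab
    )
    $exe = Get-MpCmdRunPath
    $report = [ordered]@{ Binary = $exe; Before = Get-SignatureState }

    if ($ResetDynamicSignatures) {
        # Troubleshooting only: between this call and the update below the host runs
        # without the dynamic signatures, so do it deliberately, not routinely.
        & $exe -RemoveDefinitions -DynamicSignatures | Out-Null
        $report.RemoveDynamicExit = $LASTEXITCODE
    }

    & $exe -SignatureUpdate | Out-Null                                       # steps 25 / 36
    $report.SignatureUpdateExit = $LASTEXITCODE
    $report.After = Get-SignatureState

    $report.MapsOutput = (& $exe -ValidateMapsConnection 2>&1) -join "`n"   # step 26
    $report.MapsOk     = ($LASTEXITCODE -eq 0)

    $report.Quarantine = (& $exe -Restore -ListAll 2>&1) -join "`n"         # step 24

    if ($CollectSupportFiles) {
        & $exe -GetFiles | Out-Null
        $cab = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Support\MpSupportFiles.cab'
        $report.SupportBundle = if (Test-Path $cab) { $cab } else { 'not found' }
    }
    [pscustomobject]$report
}

$r = Invoke-DefenderHealthPass -CollectSupportFiles
$r | Format-List

# Turn the evidence into findings a ticket can carry.
if ($r.SignatureUpdateExit -ne 0) { Write-Warning "SignatureUpdate exited with $($r.SignatureUpdateExit)" }
if ($r.After.SignatureAgeDays -gt 1) { Write-Warning "Signatures are $($r.After.SignatureAgeDays) day(s) old" }
if ($r.After.SignatureVersion -eq $r.Before.SignatureVersion) { Write-Host 'Signatures were already current.' }
if (-not $r.MapsOk) { Write-Warning "Cloud (MAPS) check failed:`n$($r.MapsOutput)" }
```

Run it with -ResetDynamicSignatures only when reproducing the page's step 35 on a machine you are troubleshooting; the Before and After snapshots then show the signature version and timestamp change that proves the update actually re-pulled the intelligence. -ResetPlatform and -RevertPlatform are left out on purpose: they replace the running engine binaries and should be a deliberate, separately approved step rather than part of a routine check.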