Process Locations
The following table focuses on Windows 10/11 and Windows Server 2012 R2 and later, covering core antivirus, EDR, and related processes. Note that some processes may vary slightly depending on the Windows version or Defender platform update.
| Process | Location | Purpose |
|---|---|---|
| ConfigSecurityPolicy.exe | C:\Program Files\Windows Defender | Security Policy Configuration: Applies security policies and configurations for Microsoft Defender |
| MpCmdRun.exe | C:\Program Files\Windows Defender or C:\ProgramData\Microsoft\Windows Defender\Platform\<version> | Antivirus command-line utility |
| MpDlpCmd.exe | C:\Program Files\Windows Defender | Data loss prevention (DLP) command-line utility |
| MsMpEng.exe | C:\Program Files\Windows Defender or C:\ProgramData\Microsoft\Windows Defender\Platform\<version> | Defender Antivirus service |
| MpDefenderCoreService.exe | C:\Program Files\Windows Defender or C:\ProgramData\Microsoft\Windows Defender\Platform\<version> | Microsoft Defender Core Service: Manages telemetry collection, configuration updates, and reliability tasks for Microsoft Defender Antivirus and MDE components |
| MsSense.exe | C:\Program Files\ Windows Defender Advanced Threat Protection | Defender for Endpoint EDR sensor service |
| NisSrv.exe | C:\Program Files\Windows Defender | Defender Antivirus Network Real-Time Inspection/Network Protection service |
| SenseCnCProxy.exe | C:\Program Files\ Windows Defender Advanced Threat Protection | Command and Control Proxy: Facilitates communication between the EDR sensor (MsSense.exe) and the Microsoft 365 Defender cloud |
| SenseIR.exe | C:\Program Files\ Windows Defender Advanced Threat Protection | Sense Incident Response (IR) module, used for LR and all other commands |
| SenseCE.exe | C:\Program Files\ Windows Defender Advanced Threat Protection | Sense Classification Engine (CE) module, used for DLP |
| SenseSampleUploader.exe | C:\Program Files\ Windows Defender Advanced Threat Protection | EDR sample upload module |
| SenseNdr.exe | C:\Program Files\ Windows Defender Advanced Threat Protection | Sense Network Detection and Response (NDR) module |
| SenseSC.exe | C:\Program Files\ Windows Defender Advanced Threat Protection | Sense Screenshot Capture (SC) module |
| SenseCM.exe | C:\Program Files\ Windows Defender Advanced Threat Protection | Configuration Manager: Manages onboarding and configuration updates for MDE |
| WdNisSvc.exe | C:\Program Files\Windows Defender | Network Inspection Service |
| MpSvc.dll | C:\Program Files\Windows Defender or C:\ProgramData\Microsoft\Windows Defender\Platform\<version> | Antivirus Service Library: Core library loaded by MsMpEng.exe |
| MpRtMon.dll | C:\Program Files\Windows Defender or C:\ProgramData\Microsoft\Windows Defender\Platform\<version> | Real-Time Monitoring Library |
| NisDrv.sys | C:\Windows\System32\drivers | Network Inspection Driver: Works with WdNisSvc.exe to inspect network packets and detect malicious network behavior in real time |
| WdBoot.sys | C:\Windows\System32\drivers | Boot-Time Protection Driver: Detect and block rootkits before the OS fully initializes |
| WdFilter.sys | C:\Windows\System32\drivers | File System Filter Driver: Monitors file system operations for real-time protection |
| WdDevFlt.sys | C:\Windows\System32\drivers | Device Filter Driver: Device control and monitoring (e.g. USB drives) |
Registry Locations
The following table shows some registry locations that contain MDE configurations, including exclusions, protection settings, and operational parameters. (Note that the order of precedence is group policy wins over MDM, which wins over preferences).
| Registry | Purpose |
|---|---|
| HKLM\SOFTWARE\Microsoft\Windows Defender | Primary registry hive for Defender Antivirus and MDE settings |
| HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ | Stores Group Policy or Intune-configured settings for MDE |
| HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection | Contains EDR settings delivered from MDE |
| HKLM\SYSTEM\CurrentControlSet\Services\Eventlog | Stores configuration for Event Viewer log file locations, which can be modified to redirect MDE-related logs |
Log File Locations
MDE generates several log files that provide detailed information about scans, detections, and system health.
| Log | Location | Purpose |
|---|---|---|
| MPLog-YYYYMMDD-HHMMSS.log | C:\ProgramData\Microsoft\Windows Defender\Support | Logs detailed Defender AV activities, including scans, detections, and errors |
| MpSupportFiles.cab | C:\ProgramData\Microsoft\Windows Defender\Support | Contains diagnostic data collected via MpCmdRun.exe -GetFiles. Includes registry outputs (MPRegistry) and other troubleshooting data |
| MpSigStub.log | C:\Windows\Temp | Logs definition update attempts |
| pfirewall.log | C:\Windows\System32\LogFiles\Firewall | Logs Windows Firewall events, which MDE uses for network reporting |
Event Viewer Locations
The following event viewer logs are useful sources of real-time and historical data on MDE operations, including scans, detections, and errors.
| Event | Purpose |
|---|---|
| Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational | Primary log for Microsoft Defender Antivirus activities 1000: Scan started. 1001: Scan finished. 1006: Malware detected during a scan. 1007: Action taken against malware (e.g., quarantined, deleted). 2000: Signature version updated. 5007: Configuration change (e.g., exclusions added, script scanning disabled). |
| Applications and Services Logs > Microsoft > Windows > SENSE > Operational | EDR sensor (SENSE) events. Check for Critical, Warning, or Error levels to identify onboarding or connectivity issues |
| Windows Logs > Application | Contains MDE onboarding script errors |
| Windows Logs > System | Contains system-level events related to MDE services |
References
Anich, Joe, Justen Graves, and Paul Huijbregts. Microsoft Defender for Endpoint in Depth: Take Any Organization's Endpoint Security to the Next Level. Birmingham: Packt Publishing, 2023.
