Ultimate Guide to Managing Windows Defender from CMD: Essential Commands and Tricks

Last update: 06/05/2025
Author: Isaac
  • Controlling Windows Defender from CMD allows for advanced scans, updates and restoration.
  • MpCmdRun.exe offers a range of detailed commands to customize security.
  • Automating tasks and solving problems is possible by combining CMD and PowerShell.


Administering Windows Defender from the command line has become an essential tool for both advanced users and system administrators looking to automate, customize, and gain greater control over the security of their Windows computers. Although most people use this antivirus's graphical interface, knowing the appropriate commands makes it easier to run quick, scheduled, or custom scans, apply updates, restore items from quarantine, and much more, which is especially useful when the interface is unavailable or not working properly.

In this article, we are going to explore all the possibilities and commands that Windows Defender offers through CMD, combining official information, practical experience and useful tricks. If you've ever wondered what the point is of running commands directly in the console to manage your antivirus, here's a complete guide, written in friendly language, so you can get the most out of your system's security capabilities.

Why use Windows Defender from CMD?

Although Microsoft Defender (formerly known as Windows Defender) is intended to be used primarily through its simple graphical interface, the command line expands the range of possibilities for management and automation. It's not just about doing the same things you can already do with a mouse; the big difference is being able to integrate commands into scripts, automate repetitive tasks, and schedule security actions that would otherwise require someone to be in front of the computer.

Some practical cases where command management makes a difference include:

  • Network administration: ideal for managing multiple computers remotely or en masse.
  • Troubleshooting: When the graphical interface doesn't work, the CMD option can save the day.
  • Automation and scripting: Integration into .bat files, scheduled tasks, or advanced scripts to run scans, updates, and other operations without manual intervention.
  • Deep customization: access to advanced parameters that are not always visible in the standard interface.

However, using the Windows console to control the antivirus requires running CMD with administrator permissions; otherwise many functions will not be available or will return errors.

What is MpCmdRun.exe and where is it?

The Windows Defender “operations center” from CMD is the executable file MpCmdRun.exe (Microsoft Malware Protection Command Line Utility). This program is responsible for interpreting and executing all commands, parameters, and options related to antivirus protection.

You can usually find MpCmdRun.exe in the Windows Defender installation folder:

  • In modern systems: C:\ProgramData\Microsoft\Windows Defender\Platform\(version number)
  • In older versions or if the system is in Spanish: C:\Program Files\Windows Defender

It is advisable to change to the correct directory before launching any commands, by running in CMD:

cd C:\ProgramData\Microsoft\Windows Defender\Platform\4.18*

Remember that the folder matching 4.18* may vary depending on the version installed, so check the corresponding folder.

Main Windows Defender commands from CMD


Below we compile the most important, useful and versatile commands that you can use to get the most out of Windows Defender using MpCmdRun.exe in CMD:

Scan your system for viruses and malware

One of the main uses of CMD with Windows Defender is launching on-demand scans to check whether your PC is clean or infected with malware. The basic command is:

MpCmdRun.exe -Scan -ScanType <value>

The ScanType value determines the type of scan you run:

  • 0: Scan according to the default settings.
  • 1: Scan critical areas (quick scan).
  • 2: Scan all files on the disk (full scan).
  • 3: Custom scan; you must specify the folder or file.

Practical examples:

  • Quick scan: MpCmdRun.exe -Scan -ScanType 1
  • Full scan: MpCmdRun.exe -Scan -ScanType 2
  • Scan specific folder: MpCmdRun.exe -Scan -ScanType 3 -File "C:\Users\TuUsuario\Descargas"

For custom scans, you can add parameters such as -DisableRemediation to only show the results without taking action, or -BootSectorScan to include the boot sector in the review (useful for persistent threats):


MpCmdRun.exe -Scan -BootSectorScan

Optionally, you can use -Timeout to set a time limit for the analysis and -CpuThrottling to control the CPU usage allocated to the scanning process.

Cancel ongoing analysis

If you accidentally run a scan or need to stop it before it finishes, you can do so easily:

MpCmdRun.exe -Cancel

This command interrupts any active scan. Very useful if the scan is taking too long or if you've chosen the wrong scan type.

Update the signature database and antivirus engine

For effective protection it is essential to keep the virus signatures and engine always up to date. Without opening the graphical interface, you can force the update from CMD:

MpCmdRun.exe -SignatureUpdate

There are variations for specifying the update source or whether you want to restore to a previous version:

  • Update from MMPC: MpCmdRun.exe -SignatureUpdate -MMPC
  • Update from UNC path: MpCmdRun.exe -SignatureUpdate -UNC
  • Restore engine: MpCmdRun.exe -RemoveDefinitions -Engine
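
An added example, not part of the original article: a batch script that ties together the steps covered so far (locating MpCmdRun.exe, updating signatures, running a custom scan). The default scan target, the log file location and exit code 3 for a missing binary are assumptions made for this example; the meaning of scan exit codes 0 and 2 comes from MpCmdRun.exe's own help text.

```bat
@echo off
rem Added example, not from the original article. Run from an elevated CMD.
rem Usage: defender-scan.bat [folder-or-file-to-scan]
setlocal EnableExtensions

rem Assumed defaults for this example: scan target and log file location.
set "TARGET=%~1"
if not defined TARGET set "TARGET=%USERPROFILE%\Downloads"
set "LOG=%TEMP%\defender-scan.log"
set "PLATFORM=%ProgramData%\Microsoft\Windows Defender\Platform"

rem Platform folders are named after the installed version (4.18* and so on).
rem /o:d /t:c lists them oldest-created first, so the last hit is the newest.
set "MPCMD="
for /f "delims=" %%D in ('dir /b /a:d /o:d /t:c "%PLATFORM%" 2^>nul') do (
    if exist "%PLATFORM%\%%D\MpCmdRun.exe" set "MPCMD=%PLATFORM%\%%D\MpCmdRun.exe"
)
rem Fall back to the legacy location the article mentions.
if not defined MPCMD set "MPCMD=%ProgramFiles%\Windows Defender\MpCmdRun.exe"
if not exist "%MPCMD%" (
    echo MpCmdRun.exe not found 1>&2
    exit /b 3
)

>>"%LOG%" echo [%DATE% %TIME%] using "%MPCMD%"

rem Refresh signatures first; a failure is logged but does not stop the scan.
"%MPCMD%" -SignatureUpdate >>"%LOG%" 2>&1
>>"%LOG%" echo [%DATE% %TIME%] signature update exit code %ERRORLEVEL%

rem Custom scan in report-only mode: detections are listed, nothing is removed.
"%MPCMD%" -Scan -ScanType 3 -File "%TARGET%" -DisableRemediation >>"%LOG%" 2>&1
set "RC=%ERRORLEVEL%"

rem Per MpCmdRun's help: 0 = nothing found (or remediated); 2 = malware found
rem and not remediated, user action needed, or a scanning error.
if "%RC%"=="0" >>"%LOG%" echo [%DATE% %TIME%] clean: "%TARGET%"
if not "%RC%"=="0" >>"%LOG%" echo [%DATE% %TIME%] exit code %RC%, review "%TARGET%"

exit /b %RC%
```

Because the script returns the scan's exit code, a scheduled task or a calling script can branch on it instead of parsing the log.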

Remove faulty updates or troubleshoot problems

Sometimes, a faulty update can cause issues with Windows Defender. If you need to remove the latest updates and revert to a previous state, run:

MpCmdRun.exe -RemoveDefinitions -All

To delete only the dynamic signatures downloaded during use:

MpCmdRun.exe -RemoveDefinitions -DynamicSignatures

If the problem is with the antivirus platform, you can restore to previous versions:

  • Reset platform: MpCmdRun.exe -ResetPlatform
  • Revert to previous: MpCmdRun.exe -RevertPlatform

Manage quarantine and restore files

Suspicious files detected by Defender are usually moved to quarantine. You can view and manage these items using Command Prompt:

MpCmdRun.exe -Restore

  • -ListAll: Shows all quarantined files.
  • -Name: Restores the most recent quarantined item matching that threat name.
  • -All: Restores all quarantined files.
  • -FilePath: Restores a specific file based on its full path.

Check analysis exclusions

To check if a file or folder is excluded from antivirus scans:

MpCmdRun.exe -CheckExclusion -path "C:\Ruta\a\comprobar"

This way, you can determine whether there are paths where Defender isn't checking for threats and act accordingly. To detect potential conflicts, you can also review registry errors related to Windows Defender.


Collect support and diagnostic information

To resolve complex issues, you can collect useful diagnostic data for technical support:

MpCmdRun.exe -GetFiles

You can also run -GetFilesDiagTrack to obtain specialized reports, or activate diagnostic monitoring with:

MpCmdRun.exe -Trace

If you need a network traffic capture related to antivirus protection, you can use this command:

MpCmdRun.exe -CaptureNetworkTrace -Path "C:\Dónde\guardar\captura.etl"

Other advanced functions and useful parameters

MpCmdRun.exe's range of options goes far beyond these functions. There are commands for:

  • Manage dynamic signatures (load, list or delete):
    MpCmdRun.exe -AddDynamicSignature -Path "firma"
    MpCmdRun.exe -ListAllDynamicSignatures
    MpCmdRun.exe -RemoveDynamicSignature -SignatureSetID #
  • Check your connection to the Microsoft cloud:
    MpCmdRun.exe -ValidateMapsConnection
  • View ECS connection URLs:
    MpCmdRun.exe -DisplayECSConnection
  • Validate device control rules:
    MpCmdRun.exe -DeviceControl -TestPolicyXml "archivo.xml" -Rules
  • View Azure Site Recovery custom rules:
    MpCmdRun.exe -ListCustomASR
  • View OS copy acceleration status:
    MpCmdRun.exe -OSCA

These commands provide very granular control over your antivirus, making complex tasks easier for advanced users or IT administrators.

Remove viruses manually from CMD

Sometimes you may need to go beyond automatic analysis and manually delete suspicious files. Common steps include:

  1. Close related processes, for example:
    taskkill /f /im explorer.exe
  2. Navigate to the infected file folder.
  3. Remove attributes that prevent deletion, such as hidden, read-only, or system:
    attrib -a -s -r -h nombrevirus.exe
    attrib -a -s -r -h C:\Ruta\nombrevirus.exe
  4. Delete the file:
    del nombrevirus.exe
    del C:\Ruta\nombrevirus.exe

It's important to spell the file name and extension correctly to ensure you delete the correct item and not other files on your system.
