0 Votes
frapc-2930 asked CandyLuo-MSFT commented

MsMpEng.exe - difference from MpCmdRun.exe, and scheduled tasks

Hi, my PC's secondary HDD gets periodically spun up by MsMpEng.exe doing just a couple of IRP_MN_QUERY_INFORMATION operations on the D:\Programs folder (as observed from Process Monitor). Otherwise, the HDD remains in the spun-down state as expected.

Setting aside that I have excluded the whole D: directory in Defender settings, I've tried looking at the Defender scheduled tasks to at least prolong the interval at which these operations are executed, but the scheduled tasks relate to MpCmdRun.exe, not MsMpEng.exe.

I couldn't find any information about this on the web or on Microsoft Docs. What's the difference between MsMpEng.exe and MpCmdRun.exe? Is it possible to take control of MsMpEng.exe scheduled activity?

Thanks to anyone that will help :)

(Windows 10 Home)

windows-10-setup

1 Answer

1 Vote
CandyLuo-MSFT answered CandyLuo-MSFT commented

Hi,

Based on my understanding, MpCmdRun.exe is a command-line user-mode tool; it is used for scheduling scans and monitoring requests for signature updates.

MsMpEng.exe is a system service, started at boot, which provides real-time protection.

Is it possible to take control of MsMpEng.exe scheduled activity?

I did not find any official Microsoft documents talking about this scenario; I am afraid we cannot achieve it.

Best Regards,
Candy

Alright, now this is clearer.
About MsMpEng.exe scheduled activity, I understand. It would be enough even to be able to just manually select which drives it looks for (since even by excluding the whole drive folder it will still wake the drive) but I haven't found a way to do it yet; do you think it's possible in some way?

0 Votes

I am not sure because I did not find a way.

1 Vote