Author Topic: Is MpCmdRun.exe supposed to run if Windows Defender is disabled?  (Read 19643 times)

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Hello,

Mods, please move this thread to the correct part of the forum if this isn't the right part. Sorry, I don't know where to put this exactly.  :-\

Alright, so the problem I'm having is that MpCmdRun.exe, which is a part of MSE and now also Windows Defender (pretty much MSE) in Windows 8, is constantly running and changing registry keys and constantly writing files (logs). One would think that such behavior would be gone once the Windows Defender service has been disabled?

The reason this is a problem is because:
1. I don't know exactly what its purpose is when Windows Defender is disabled.
2. It's actually doing s**t which means CPU usage. (Sure I have an overclocked i5 3570k but I still don't want such programs to do useless s**t)
3. I have an SSD which is probably on its last legs at this moment and I'd like to reduce the amount of useless writings since an SSD has a finite amount of writings, and MpCmdRun.exe seems to write things all the time.
(R.I.P my old Corsair F80, you survived many things like encryption.. and re-encryption, but the latest one was one too much. :()

I'm not asking how to stop it, I can probably figure that one out myself, what I am wondering is whether it's safe to stop MpCmdRun.exe or not?

I have tried Google but I can't reach any information about its usage after MSE or Windows Defender has been disabled. Is Comodo Internet Security using this process?

Thanks,
Sanya IV

Edit: Changed the title since I noticed that it made no sense at all. ^-^''
« Last Edit: March 16, 2013, 06:53:49 AM by SanyaIV »
I support privacy and freedom online - eff.org

Offline Boris 3

  • Comodo's Hero
  • *****
  • Posts: 1360
Re: Is MpCmdRun.exe if Windows Defender is disabled?
« Reply #1 on: March 15, 2013, 02:56:18 AM »
I have filed a bug report, if I remember well during beta period, signalling that though V 6 disables Windows Defender, MpCmdRun.exe keeps running.

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Is MpCmdRun.exe if Windows Defender is disabled?
« Reply #2 on: March 15, 2013, 03:43:07 AM »
> I have filed a bug report, if I remember well during beta period, signalling that though V 6 disables Windows Defender, MpCmdRun.exe keeps running.
Is this common on machines without CIS and disabled Windows Defender? Or is it only with CIS that it happens?

It would be nice to know exactly what this process does as the service is supposed to be disabled yet the process is actively doing stuff. ???
I support privacy and freedom online - eff.org

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Is MpCmdRun.exe if Windows Defender is disabled?
« Reply #3 on: March 15, 2013, 04:00:06 AM »
It's the Windows Defender Command Line Utility. With regard to CIS disabling the service on Windows 8, that's only partly true, it actually leaves it as Manual (Trigger Start) and you'll find several references for this under Task Scheduler.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Is MpCmdRun.exe if Windows Defender is disabled?
« Reply #4 on: March 15, 2013, 04:07:31 AM »
> It's the Windows Defender Command Line Utility. With regard to CIS disabling the service on Windows 8, that's only partly true, it actually leaves it as Manual (Trigger Start) and you'll find several references for this under Task Scheduler.

So if I disable the Windows Defender Service by changing it from Manual to the one that is disabled and then restarting, will the MpCmdRun.exe finally stop writing things? Or are there more things I have to do? (I can't remember what the option was called, I did change that but I haven't restarted yet)

Btw this is what the log file says:
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wddisable
 Start Time: ‎Fri ‎Mar ‎15 ‎2013 09:44:18

ERROR: WDEnable() failed (800106BA)
MpCmdRun: End Time: ‎Fri ‎Mar ‎15 ‎2013 09:44:18
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wddisable
 Start Time: ‎Fri ‎Mar ‎15 ‎2013 09:47:50

ERROR: WDEnable() failed (800106BA)
MpCmdRun: End Time: ‎Fri ‎Mar ‎15 ‎2013 09:47:50
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wddisable
 Start Time: ‎Fri ‎Mar ‎15 ‎2013 09:48:18

ERROR: WDEnable() failed (800106BA)
MpCmdRun: End Time: ‎Fri ‎Mar ‎15 ‎2013 09:48:18
-------------------------------------------------------------------------------------

Edit: the log file has now increased to 208 lines... now 217... it keeps building.

Edit 2: I restarted and the MpCmdRun.exe is still making those logs. =/

Edit 3: I also set the service to not do anything (instead of restarting service) if it failed, but the log is still being filled. <_<

I know I can block it in CIS, but I'm trying to find an "official" way to turn the god damn thing off.

Is it somehow possible to remove Windows Defender altogether? That would be swell.
« Last Edit: March 15, 2013, 04:38:02 AM by SanyaIV »
I support privacy and freedom online - eff.org
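
The repeating entries in the log posted above can be checked mechanically. The following is an added example, not code from any poster in this thread: a Python parser for that log layout that groups runs by command line and error and reports the gaps between them. The sample log is constructed from the entries quoted above, and the function names and the `min_runs` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the log posted above. "\u200e" is the
# invisible left-to-right mark that precedes each date field in that log.
SAMPLE_LOG = "".join(
    "-" * 85 + "\n"
    'MpCmdRun: Command Line: "C:\\Program Files\\Windows Defender\\mpcmdrun.exe" -wddisable\n'
    f" Start Time: \u200eFri \u200eMar \u200e15 \u200e2013 {t}\n\n"
    "ERROR: WDEnable() failed (800106BA)\n"
    f"MpCmdRun: End Time: \u200eFri \u200eMar \u200e15 \u200e2013 {t}\n"
    + "-" * 85 + "\n\n"
    for t in ("09:44:18", "09:47:50", "09:48:18")
)

ENTRY_RE = re.compile(
    r"MpCmdRun: Command Line: (?P<cmd>.+?)\s*\n\s*Start Time: (?P<start>.+?)\s*\n"
    r"(?P<body>.*?)MpCmdRun: End Time:", re.S)
ERROR_RE = re.compile(r"^ERROR: (.+?)\s*$", re.M)

def parse_entries(text):
    """Return (command line, start time, [errors]) for each completed run."""
    # Strip the direction marks first, otherwise strptime rejects the dates.
    text = text.replace("\u200e", "").replace("\r\n", "\n")
    entries = []
    for m in ENTRY_RE.finditer(text):
        start = datetime.strptime(m["start"], "%a %b %d %Y %H:%M:%S")
        entries.append((m["cmd"], start, ERROR_RE.findall(m["body"])))
    return entries

def find_loops(entries, min_runs=3):
    """Report identical command/error pairs seen at least min_runs times."""
    groups = defaultdict(list)
    for cmd, start, errors in entries:
        groups[(cmd, tuple(errors))].append(start)
    report = []
    for (cmd, errors), starts in groups.items():
        if len(starts) < min_runs:
            continue
        starts.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]
        report.append({"command": cmd, "errors": list(errors),
                       "runs": len(starts), "gaps_seconds": gaps})
    return report

if __name__ == "__main__":
    for item in find_loops(parse_entries(SAMPLE_LOG)):
        print(item)
```

A group with many runs and short, irregular gaps points at something re-launching the command on a trigger rather than a fixed schedule, which is the case to chase through the service configuration and Task Scheduler.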

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 24503
Re: Is MpCmdRun.exe if Windows Defender is disabled?
« Reply #5 on: March 15, 2013, 05:04:03 PM »
> So if I disable the Windows Defender Service by changing it from Manual to the one that is disabled and then restarting, will the MpCmdRun.exe finally stop writing things? Or are there more things I have to do? (I can't remember what the option was called, I did change that but I haven't restarted yet)

Changing the starting of a service does not disable or enable it.

To properly test whether the logging stops either restart the computer or manually stop the service from Services.

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Is MpCmdRun.exe if Windows Defender is disabled?
« Reply #6 on: March 15, 2013, 05:14:52 PM »
> Changing the starting of a service does not disable or enable it.
>
> To properly test whether the logging stops either restart the computer or manually stop the service from Services.

But the Windows Defender Service is stopped when MpCmdRun.exe is working =S I can't find any other entries regarding just MpCmdRun.exe.
I support privacy and freedom online - eff.org

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Is MpCmdRun.exe if Windows Defender is disabled?
« Reply #7 on: March 15, 2013, 05:25:26 PM »
It looks like WD is caught in some kind of loop. The first command is trying to disable it - strangely, 'wddisable' doesn't seem to be a registered switch for mpcmdrun - but this is failing with "WDEnable() failed (800106BA)"
Unfortunately, I can't reproduce on the Windows 8 system I have here. Try setting the service to 'Automatic' and then reboot. See what happens next.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 24503
Re: Is MpCmdRun.exe if Windows Defender is disabled?
« Reply #8 on: March 15, 2013, 05:27:09 PM »
> But the Windows Defender Service is stopped when MpCmdRun.exe is working =S I can't find any other entries regarding just MpCmdRun.exe.

Can you see if there are tasks scheduled in Schedule Tasks (Control Panel --> Administrative Tools --> Task Scheduler --> Microsoft --> Windows --> Windows Defender)?

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Is MpCmdRun.exe if Windows Defender is disabled?
« Reply #9 on: March 15, 2013, 05:40:22 PM »
> It looks like WD is caught in some kind of loop. The first command is trying to disable it - strangely, 'wddisable' doesn't seem to be a registered switch for mpcmdrun - but this is failing with "WDEnable() failed (800106BA)"
> Unfortunately, I can't reproduce on the Windows 8 system I have here. Try setting the service to 'Automatic' and then reboot. See what happens next.

After restarting the logs are still filled with the same information by MpCmdRun.exe and the Windows Defender Service has changed from Automatic to Manual, don't know why.

> Can you see if there are tasks scheduled in Schedule Tasks (Control Panel --> Administrative Tools --> Task Scheduler --> Microsoft --> Windows --> Windows Defender)?

It's blank :-\

Is it possible to delete Windows Defender completely? I'd assume that it's not recommended.


Edit: I changed the name of the "Windows Defender" folder to "Windows Defender old" and that seems like it did the trick, no logs being made so far for 5 minutes (it used to write one time every minute)

I didn't remove the folder in case I would need the files again.
« Last Edit: March 15, 2013, 06:05:07 PM by SanyaIV »
I support privacy and freedom online - eff.org

 
