- Managing Windows Defender from CMD allows for advanced automation and control.
- MpCmdRun.exe is the key tool for scanning, updating, and removing threats.
- PowerShell further expands scripting and remote administration options.

Do you know the commands to manage Windows Defender from CMD? Managing Windows Defender from the command line (CMD) is one of the advanced features of Microsoft's operating system, and one that many users overlook. Mastering these commands not only increases the effectiveness and control you have over your computer's protection, but also lets you solve problems that the conventional graphical interface can't resolve, all in an agile and automatable way.
In this article, you'll find a comprehensive compilation of essential (and also lesser-known) commands for controlling Windows Defender from CMD or PowerShell. You'll learn everything from how to launch quick or specific scans to how to automate and schedule tasks, restore definitions, or remove specific threats, among many other actions. You'll also discover several useful tips and tricks that will help you get the most out of this powerful tool, whether you are an advanced user, a system administrator, or just someone curious who wants to get more out of Windows security.
Why use Windows Defender from CMD?

- Task automation: Create .bat scripts that run scheduled scans, automatic updates, or recurring tasks without user intervention.
- Problem solving: Useful when the graphical interface doesn't start, you're in safe mode, or the system has errors that prevent you from accessing normal functions.
- Advanced control: Precisely define what to scan, restore threats from quarantine, manage exclusions, or update components from the command line.
- Network use and remote administration: Ideal for IT administrators who need to centrally manage the security of multiple devices.
The main tool you'll be using is MpCmdRun.exe (Microsoft Malware Protection Command Line Utility), the engine behind most of Defender's advanced features in CMD.
Getting Started: Locating and Running MpCmdRun.exe
Before you start running commands, you must locate the MpCmdRun.exe tool on your system. It's usually located at:
- %ProgramFiles%\Windows Defender
- C:\ProgramData\Microsoft\Windows Defender\Platform\ (for recent versions of Windows; there is usually a folder with a version number here, for example, 4.18…)
To work comfortably from CMD, access the appropriate path with the command:
cd "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18*"
Always remember to run CMD or PowerShell with administrator privileges, as many of the operations you're about to perform require elevated permissions to take effect.
Malware analysis and searches from CMD
System scanning is one of the most popular features of this antivirus, and you can customize it to the fullest extent from the command line. The generic command you'll use is:
MpCmdRun.exe -Scan -ScanType <value>
The possible values are:
- 0: Analysis according to default settings.
- 1: Quick scan (scans critical locations where threats often hide).
- 2: Full scan (scans all system files and sectors; slower but more thorough).
- 3: Custom analysis, ideal for specific folders or files.
Practical examples:
- Quick scan:
MpCmdRun.exe -Scan -ScanType 1
- Full scan:
MpCmdRun.exe -Scan -ScanType 2
- Custom scan (e.g. your user folder):
MpCmdRun.exe -Scan -ScanType 3 -File "C:\Users\tu_usuario"
Other advanced options for analysis:
- -DisableRemediation: Performs the scan without applying corrective actions, saving logs, or displaying results in the graphical interface; you'll only see detections in the console.
- -BootSectorScan: Specifically scans the boot sectors of the hard drive, essential for detecting persistent malware such as rootkits.
- -Cancel: Ends any ongoing scan (in case you make a mistake when launching a long scan or need to interrupt it).
For example, to scan the boot sector:
MpCmdRun.exe -Scan -BootSectorScan
And to stop any analysis in progress:
MpCmdRun.exe -Scan -Cancel
Remove threats and infected files from CMD
Beyond detecting viruses, managing infected files without the Windows graphical interface can save you in critical situations. Here are the recommended steps:
- Close Windows Explorer if the suspicious file is locked:
taskkill /f /im explorer.exe
- Access the folder where the infected file is located.
- Remove the system, read-only and hidden attributes:
attrib -s -r -h nombredelvirus.exe
Or with the full path:
attrib -s -r -h C:\ruta\nombredelvirus.exe
- Delete the malicious file:
del nombredelvirus.exe
Or:
del C:\ruta\nombredelvirus.exe
Don't forget to include the file's correct extension when deleting it; otherwise Windows won't find it.
Quarantine management and restoration
Windows Defender manages a safe zone where files that have been classified as dangerous are stored. You can view and restore threats from quarantine with the -Restore command.
- -ListAll: Displays all quarantined files.
- -Name: Restores the most recent item whose name matches the specified name.
- -All: Restores all threats in quarantine.
- -FilePath: Restores items to the specified location.
Example:
MpCmdRun.exe -Restore -ListAll
This way, you can manually review which items are quarantined and decide if any need to be restored because, for example, they were a false positive.
Update Windows Defender from CMD: Always Protected
One of the great advantages of Windows Defender is its constantly updated threat database. If you want to ensure you have the latest signatures and protection engines, you can update from CMD using:
MpCmdRun.exe -SignatureUpdate
To clear and reset definitions in case of update problems:
- -RemoveDefinitions -All: Deletes all installed signatures and restores the original ones.
- -RemoveDefinitions -DynamicSignatures: Removes only downloaded dynamic signatures.
How to do it:
MpCmdRun.exe -RemoveDefinitions -All
MpCmdRun.exe -RemoveDefinitions -DynamicSignatures
After this, you can update again with the command above to get clean, up-to-date signatures.
Customizing and querying available commands
MpCmdRun.exe offers many other configuration and diagnostic options. If you're not sure what parameters exist or how to use them, consult the help directly in the console:
MpCmdRun.exe -?
MpCmdRun.exe -h
There you'll see the full list of settings, including advanced ones like network monitoring, diagnostics, security rule validation, exclusion checking, and custom signature management.
Automation through scripts and task scheduler
One of the best things about using Windows Defender via commands is the ease of automating tasks. You can create .bat scripts that launch the scans or processes you want, and schedule them with Windows Task Scheduler.
Basic steps:
- Open Notepad or your favorite editor.
- Paste the command or commands you need (for example, a quick scan and an update).
- Save the file with a .bat extension.
- Schedule it to run with Task Scheduler, or put it in your startup folder to scan your computer at startup or shutdown.
Keep in mind that most of these scripts will require administrator permissions to function properly, especially if they need to remove threats or modify security settings.
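The locating and automation steps described above, combined into one PowerShell script (an added example, not part of the original article): it resolves the newest MpCmdRun.exe, updates signatures, runs a quick scan and logs each exit code. The function names and the log path are assumptions.

```powershell
# Added example, not from the original article. Run from an elevated session.
# Assumptions: the function names and C:\Logs\defender-scan.log are illustrative.
function Resolve-MpCmdRun {
    # Newest versioned Platform folder first, then the legacy Program Files path.
    $platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    $pattern  = '^\d+(\.\d+){1,3}'
    $newest = Get-ChildItem -Path $platform -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern -and
                       (Test-Path (Join-Path $_.FullName 'MpCmdRun.exe')) } |
        Sort-Object { [version]([regex]::Match($_.Name, $pattern).Value) } -Descending |
        Select-Object -First 1
    if ($newest) { return (Join-Path $newest.FullName 'MpCmdRun.exe') }
    $legacy = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (Test-Path $legacy) { return $legacy }
    throw 'MpCmdRun.exe not found in the Platform or Program Files folders.'
}

function Invoke-MpCmdRun {
    param([string]$Exe, [string[]]$MpArgs, [string]$LogFile)
    & $Exe @MpArgs | Out-Null   # console output is discarded; the exit code is kept
    $code = $LASTEXITCODE
    $line = '{0:s} MpCmdRun {1} -> exit {2}' -f (Get-Date), ($MpArgs -join ' '), $code
    Add-Content -Path $LogFile -Value $line
    return $code
}

$mp  = Resolve-MpCmdRun
$log = 'C:\Logs\defender-scan.log'
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null

# A failed update (for example, no network) is logged but does not block the scan.
[void](Invoke-MpCmdRun -Exe $mp -MpArgs '-SignatureUpdate' -LogFile $log)
$scan = Invoke-MpCmdRun -Exe $mp -MpArgs '-Scan', '-ScanType', '1' -LogFile $log

# MpCmdRun returns 0 when nothing was found or everything was remediated, and 2
# when malware was found and not remediated, user action is needed, or the scan failed.
exit $scan
```

Saved as a .ps1 file and launched by a Task Scheduler task with `powershell.exe -File`, the script's exit code shows up as the task's last run result, so a non-zero value flags machines that need attention.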
Windows Defender in PowerShell: An Advanced Alternative
PowerShell is the most powerful automation environment in Windows and offers even more flexibility than CMD for managing Defender. The most common routines have dedicated cmdlets, with a simple and powerful syntax.
- Update signatures:
Update-MpSignature
- Quick scan:
Start-MpScan -ScanType QuickScan
- Full scan:
Start-MpScan -ScanType FullScan
- Schedule periodic scans:
Quick scan: Set-MpPreference -ScanScheduleQuickScanTime 22:00:00
Full scan: Set-MpPreference -ScanParameters FullScan -ScanScheduleTime 22:00:00
PowerShell also simplifies the management of multiple networked devices, allowing you to run scan scripts, updates, and restores remotely.
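A sketch of that remote use, as an added example that is not part of the original article: it updates signatures, runs a quick scan and reports protection status on several machines through CIM sessions. The host names and the age threshold are constructed, and the targets are assumed to have WinRM enabled and to accept your administrative credentials.

```powershell
# Added example, not from the original article.
# Constructed placeholders: host names and the signature-age threshold.
$computers           = 'PC-LAB-01', 'PC-LAB-02', 'SRV-FILE-01'
$maxSignatureAgeDays = 3

# Open one CIM session per reachable machine; report the ones that fail.
$sessions = foreach ($name in $computers) {
    try   { New-CimSession -ComputerName $name -ErrorAction Stop }
    catch { Write-Warning "$name unreachable: $($_.Exception.Message)" }
}

if ($sessions) {
    try {
        # The Defender cmdlets accept several sessions at once.
        Update-MpSignature -CimSession $sessions -ErrorAction Continue
        Start-MpScan -ScanType QuickScan -CimSession $sessions -ErrorAction Continue

        # Status after the update and scan; flag machines with old signatures
        # or with real-time protection turned off.
        Get-MpComputerStatus -CimSession $sessions |
            Select-Object PSComputerName,
                          RealTimeProtectionEnabled,
                          AntivirusSignatureLastUpdated,
                          AntivirusSignatureAge,
                          QuickScanAge,
                          @{ Name = 'NeedsAttention'; Expression = {
                              (-not $_.RealTimeProtectionEnabled) -or
                              ($_.AntivirusSignatureAge -gt $maxSignatureAgeDays) } }
    }
    finally {
        $sessions | Remove-CimSession
    }
}
```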
Case studies: when CMD is essential
The graphical interface is sufficient for most users, but there are situations where the command line is the only viable option:
- The system does not boot or the Windows interface does not load, but you can open a recovery console or access it from a repair USB.
- You need to analyze or clean equipment in bulk, for example, in a company environment or in laboratories, where doing it one by one would be too slow.
- You want automation to reduce human error and ensure that all devices receive their periodic scans or updates without depending on the end user.
If you have access to the drive from an installation disc or from tools like Hiren's Boot, you can enter the console and run all of these commands.
Other useful commands and advanced parameters
There are dozens of additional parameters to thoroughly control Windows Defender from CMD:
- -GetFiles: Collects technical support information, useful for advanced diagnostics.
- -CaptureNetworkTrace: Saves all network traffic processed by Defender for forensic analysis.
- -CheckExclusion -path <path>: Checks whether a folder or file is excluded from scans.
- -RestoreDefaults: Restores the original antivirus settings.
- -AddDynamicSignature and -RemoveDynamicSignature: Manages custom smart signatures, used in enterprise environments.
- -TrustCheck -File <file>: Checks the trust status of a specific file.
- -ValidateMapsConnection: Checks your device's connection to the Microsoft Defender cloud services; this command works only on Windows 10 version 1703 or higher.
These commands are typically intended for advanced scenarios and system administrators who require fine-grained security management on critical computers or servers.
What are the differences between the interface and CMD?
While the Windows Defender graphical interface is designed to be intuitive, hiding sensitive options and making life easier for the average user, CMD and PowerShell reveal the full potential of the antivirus, allowing you to modify any setting and adapt it to very specific needs.
The advantages of CMD:
- Possibility of automation and advanced scripting.
- Full control, even when the system is in safe mode or the GUI is unresponsive.
- Ideal for recovery from serious incidents.
- Perfect for managing large volumes of corporate equipment.
However, this method is not suitable for inexperienced users, as the commands are not intuitive and can lead to errors if not used correctly. Therefore, it is essential to read the help (-?), understand the meaning of each parameter, and not execute anything blindly.
Is Defender better than a paid antivirus?

Windows Defender has evolved to compete head-to-head with the best paid antivirus programs in terms of protection, performance, and resource consumption. In independent tests, it has achieved very high scores for malware detection and removal. It's true that commercial antivirus programs often come with extras like a VPN, password manager, mobile device protection, and additional layers of defense like an advanced firewall, ransomware and phishing protection, and more.
Still, for the vast majority of home users, Defender is more than sufficient, especially if kept up-to-date and combined with good browsing practices and common sense. In businesses, it's common to use it alongside remote management tools like Intune or Configuration Manager, taking advantage of its native Windows integration capabilities.
Tips and precautions when using Windows Defender commands
If you want to try using Defender from CMD, keep in mind:
- Always launch CMD or PowerShell as administrator.
- Read and understand each parameter before executing commands.
- Do not modify or delete files blindly.
- Back up your data before removing threats manually.
- Use scripts only if you fully understand their implications.
- Apply logic: If your antivirus doesn't recognize a file as malicious, investigate it before deleting it.
In short, controlling Windows Defender from the command line offers a world of possibilities for those looking for extra security, automation, and maximum customization. You can schedule scans at PC startup, launch automatic updates, clean problematic files, and even restore a system when nothing else works. Of course, it's important to use these functions responsibly, always ensuring the integrity and security of your data. This way, you'll take advantage of all the muscle Microsoft has put into its native protection tool, both in your daily work and in emergency scenarios. We hope you now know all the commands to manage Windows Defender from CMD.