Many people ask- “Whether MSE/WD can be used with Command Prompt?”. Answer is ‘Yes’. But do we really need it? Well, the answer again is ‘Yes’. It is reasonable because in many cases when MSE/WD GUI (the interface you see) is not accessible or its corrupted or its not functioning well (because of malware attacks, incorrect installation, etc.), in these cases you can use MSE/WD using Command Prompt to get some details about the error.
Now before we jump into all that command stuff we need to know something; some terminology and technologies to understand commands easily. So here we go:
1. What are definitions and signatures?
An easy explanation, a signature is something that is unique in a malware (or multiple malwares) and can be used to identify it/them, compare it with fingerprints for humans. Definitions are files that consists of signatures along with other information. When you update your antivirus you basically download these definitions. Say if your PC was last updated on 31st Sept. (hypothetical date, <wink>) then it would not be able to detect malwares released in Oct. Thus, you should update your antivirus regularly.
2. What is MAPS and Dynamic Signature?
Suppose a process has some evil intentions and tries to invade into your sensitive Operating System files and registry. MSE/WD, with its heuristic detections (certain set of rules to identify evil processes as suspects, even though they are not yet identified as malware), will detect, “Hmmm, this process doesn’t seems to be a decent one, let’s open its history and geography”. At that point, MSE/WD contacts MAPS (Microsoft Active Protection Service) and asks them, “Hey buddy, have you seen this particular process before?”. Now hold a second, what is MAPS? Actually, MAPS is a service of Microsoft where suspicious programs (which are yet to be identified as malware) are reported and a member of MAPS gets protection from those yet-to-be-identified evils. So continuing, if MAPS has identified that particular program or process as ‘suspicious’ then it creates a ‘Dynamic’ signature (well, you now know what signature is) which contains instructions to remove, restrict or quarantine that process/program. Therefore, MAPS is also known as Dynamic Signature Service.
Now time for commands in MpCmdRun.exe. MpCmdRun basically has 11 commands:
Now, I’ll explain each of them.
As name suggests, it is used to scan file/folder.
Usage: mpcmdrun.exe -scan -scantype X -path <path> -disableremediation
-scantype defines which type of scan you want, quick scan, full scan or custom scan. ‘X‘ is a number ranging from 0 to 3. All options are explained below:
- 0 – Default Scan.
Now explaining this is really a big topic. A whole separate blog will be based on this. All I can say right now is ‘Default scan’ is by default Full Scan for MSE and Quick Scan for Windows Defender in Windows 8. It can’t be changed using GUI, but can be using a complex process.
- 1 – Quick Scan.
Quick scans your PC.
* I have seen many people who think Quick Scan scans whole PC for a severe threats only and do not scan for minor threats, thereby reducing scan time (and I was among one of them). But, instead Quick Scan scans PC’s critical areas (like critical Windows files, registry, etc.) for all known threats (whether severe or minor) and thereby reduce scan time.
- 2 – Full Scan.
Scan your whole PC.
* According to my opinion, full scan is only needed when quick scan detects something. OK, you would say what if a malware is hidden in my documents in D: drive. I would say until & unless Quick Scan didn’t find it you can consider that malware as inactive (as Quick Scan scans for areas that a malware affects). If its inactive (ex. : when its in a compressed file) then you have no threat with it. Whenever you will reach that file (or unzip a file containing malware) then MSE/WD’s Real Time Protection will detect the malware and take necessary action. So no need of a Full Scan. However, I recommend one Full Scan after installing antivirus and one each month or in two months.
- 3 – Custom Scan.
Scan only the file/folder you define in <path>.
-file defines the path for custom scan, therefore its needed with -scantype 3.
-disableremediation option is catch-everything-do-nothing kind of thing. With this option (its available with Custom Scan i.e -scantype 3 only) scan will not leave even excluded files. It will scan archive files (files inside archive), ignore exclusions set by you, event entries in Event Manager are not written (007 kind of thing, huh?) and (as name says) it do not take any action on any malware found.
- For a normal Full Scan:
mpcmdrun.exe -scan -scantype 2
- For a Custom Scan of C:\Windows folder:
mpcmdrun.exe -scan -scantype 3 -path C:\Windows
[you need to enclose <path> in quotes if path contain a blank space, like "C:\Program Files"]
- For a Custom Scan of a ‘E:\Test Folder’ without removing any malware found:
mpcmdrun.exe -scan -scantype 3 -path “E:\Test Folder” -disableremediation[notice quotes for path]
A better example to show what difference -disableremediation makes:
I downloaded EICAR test virus and placed it in folder ‘E:\New Folder’. I excluded ‘E:\New Folder’ in Windows Defender settings.
After this, I scanned the folder twice, once without -disableremediation and once with it. See its results yourself:
As you can clearly see first scan doesn’t found anything (the folder is excluded) but with that argument it found one threat (EICAR test virus).
I’ll not discuss much about this command because its of no use for us. When you will type ‘mpcmdrun.exe -trace’ and hit enter you will a screen with message like “Tracing started. Press any key to stop…” and when you will press any key it will stop. After running this command, open C:\ProgramData\Microsoft\Microsoft Security Client (or Windows Defender)\Support and you will see a file like MPTrace-XXXXXXXX-XXXXXX.bin (where ‘X’ are some digits). This is the ‘trace’ i.e. record of every activity Windows Defender has performed after you pressed enter (after entering mpcmdrun.exe -trace command) and pressed any key to stop tracing. Its pretty large file and is of no use for us. Actually, this file can’t be decoded (read) until you have some special files which only Microsoft has and it doesn’t distribute it. So it is used only when Microsoft asks for trace file in Paid Supports, etc.
Now this is most important feature of mpcmdrun.exe, according to me. It gathers all log files related to MSE/WD, pack them in an archive and place them in C:\ProgramData\Microsoft\Microsoft Security Client (or Windows Defender)\Support with file name MPSupportFiles.cab. The following log files are collected:
- Traces of MS Antimalware service.
Files in this category are numerous. Some are files with names like MpWppTracing-XXXXXXX…..bin and are useless like -trace command. Some are MpCmdRun.log, MpCmdRun-System.log and MpCmdRun-NetworkService.log. Some are MpLogXXXX….log. Some are MpCacheStats.log. Means almost anything that contains MS Antimalware service in its log is listed in this.
- Windows Update history.
Saved with name WindowsUpdate.log.
- MS Antimalware service events.
Saved with name MPWHCEvents.txt and MPOperationalEvents.txt.
- MS Antimalware registry entries.Saved with name MPRegistry.txt and WSCInfo.txt.
- Log file of tool gathering all information.
Saved with name cbs.log.
- Log of signature update helper tool (MpSigStub.exe).
Saved with name MpSigStub.log.
Now this is actually more than enough for now. Explanation for other commands and some more secrets are about to be revealed in my next blog.
Till then I would request you to please provide feedback on this first part, so please comment your views on it. If you have anything to ask then don’t hesitate. Anything about this blog will be helpful.