Windows Defender Command line tool (MpCmdRun.exe) occasionally gives the exit code = 2 when it is run under System account.

Volodymyr Bobko 0 Reputation points
2023-01-25T11:48:58.61+00:00

Hi,
I have a windows service that operates under System account.
The service uses MpCmdRun.exe to scan files.

When I scan multiple files simultaneously (multiple threads), 70% of the attempts fail with exit code 2. Here is the command which I use: C:\Program Files\Windows Defender\MpCmdRun.exe -Scan -ScanType 3 -File "C:\Temp\GitExtensions.msi" -DisableRemediation And WindowsDefender logs

MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Temp\GitExtensions.msi" -DisableRemediation
 Start Time: ‎Tue ‎Jan ‎24 ‎2023 16:06:56

When I use a regular user account to run the service, the issue is not reproducible.
It is also not reproducible when I scan the files one by one.
I tried it on two systems, and on both, the issue is reproducible:
1 - Azure VM (Windows Server 2022 Datacenter 21H2)
2 - Local machine (Windows 10 Pro 21H2)

Regards

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
8,214 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 9,541 Reputation points
    2023-01-26T16:35:36.4966667+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    The exit code 2 from MpCmdRun.exe (Windows Defender Command-line tool) indicates that the command has failed. When this error occurs while running the tool under the System account, it could be caused by a few different issues. Here are a few troubleshooting steps you can try:

    1. Check the command syntax: Make sure that the command you are using is correct and that all the required arguments are being passed to the tool. You can refer to the official documentation of MpCmdRun.exe to ensure that the command is being used correctly.
    2. Check the permissions: Make sure that the System account has the necessary permissions to run the MpCmdRun.exe. By default, the System account has full permissions on the system, but in case if there is any restriction or group policy that is preventing it from running the command.
    3. Check the Windows defender status: Make sure that Windows Defender is running and that the real-time protection is enabled. You can check this by going to the Windows Security app or by running the command "MpCmdRun.exe -getversion"
    4. Check the updates: Make sure that the latest updates for Windows Defender are installed on your system. You can check for updates by running the command "MpCmdRun.exe -SignatureUpdate"
    5. Check the event viewer: Check the event viewer for any error messages related to the MpCmdRun.exe or Windows Defender that might provide more information on the cause of the issue.

    If the above steps do not help you resolve the issue, you can try running the MpCmdRun.exe as a different user that has the necessary permissions and see if that resolves the issue. If the issue persists, it may be best to seek assistance from Microsoft support.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

    No comments