Applies to:
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender Antivirus
- Microsoft Defender for Individuals
This article describes how to collect diagnostic data that's used by Microsoft support and engineering teams when they help troubleshoot issues with Microsoft Defender Antivirus.
Note
As part of the investigation or response process, you can collect an investigation package from a device. Here's how: Collect investigation package from devices.
For performance-specific issues related to Microsoft Defender Antivirus, see: Performance analyzer for Microsoft Defender Antivirus.
Get the diagnostic files
On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:

1. Open Command Prompt as an administrator by following these steps:
   a. Open the Start menu.
   b. Type cmd. Right-click on Command Prompt and then select Run as administrator.
   c. Specify administrator credentials or approve the prompt.

2. Navigate to the directory for Microsoft Defender Antivirus:

   cd C:\ProgramData\Microsoft\Windows Defender\Platform\<version>

   Where <version> is the actual version that starts with 4.18.2xxxx.x.

   Note
   C:\ProgramData is a hidden folder. If you don't have a folder that starts with 4.18.2xxxx.x in C:\ProgramData\Microsoft\Windows Defender\Platform\, then you will need to go to C:\Program Files\Windows Defender\.

3. Type the following command, and then press Enter:

   mpcmdrun.exe -GetFiles

   A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output in the command prompt. By default, the location is C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.

   Note
   To redirect the cab file to a different path or UNC share, use the following command:

   mpcmdrun.exe -GetFiles -SupportLogLocation <path>

   For more information, see Redirect diagnostic data to a UNC share.

4. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
Redirect diagnostic data to a UNC share
To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter.
mpcmdrun.exe -GetFiles -SupportLogLocation <path>
Copies the diagnostic data to the specified path. If the path isn't specified, the diagnostic data is copied to the location specified in the Support Log Location Configuration.
When the SupportLogLocation parameter is used, the following folder structure is created in the destination path:

<path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
| Field | Description |
|---|---|
| path | The path as specified on the command line or retrieved from configuration |
| MMDD | Month and day when the diagnostic data was collected (for example, 0530) |
| hostname | The hostname of the device on which the diagnostic data was collected |
| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422) |
Note
When using a file share, make sure that the account used to collect the diagnostic package has write access to the share.
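As an added example (not from the Microsoft article), the following PowerShell script automates the collection above on one device: it locates MpCmdRun.exe using the platform-folder fallback the article describes, checks that the account can write to the share before collecting, runs -GetFiles -SupportLogLocation, and confirms the .cab landed under the documented folder structure. The share path is a placeholder, and the hostname in the file name is assumed to match $env:COMPUTERNAME.

```powershell
# Added example, not from the Microsoft article. Run from an elevated PowerShell session.
$SupportShare = '\\FILESERVER\DefenderLogs'   # placeholder UNC share; the account needs write access

# Locate MpCmdRun.exe: prefer the newest 4.18.2xxxx.x platform folder under
# C:\ProgramData; fall back to C:\Program Files\Windows Defender as the article says.
$platformRoot = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
$platformDir = Get-ChildItem -Path $platformRoot -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '4.18.2*' } |
    Sort-Object { [version]$_.Name } -Descending |
    Select-Object -First 1
$mpCmdRun = if ($platformDir) {
    Join-Path $platformDir.FullName 'MpCmdRun.exe'
} else {
    'C:\Program Files\Windows Defender\MpCmdRun.exe'
}
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }

# Verify write access to the share up front, so a permissions problem fails loudly
# instead of leaving the package on the local disk.
$probe = Join-Path $SupportShare ("write-probe-{0}.tmp" -f [guid]::NewGuid())
try {
    New-Item -Path $probe -ItemType File -Force -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe -Force
} catch {
    throw "No write access to $SupportShare for $env:USERNAME`: $($_.Exception.Message)"
}

# Collect the diagnostic package and redirect it to the share.
$started = Get-Date
& $mpCmdRun -GetFiles -SupportLogLocation $SupportShare
if ($LASTEXITCODE -ne 0) { throw "MpCmdRun.exe -GetFiles failed with exit code $LASTEXITCODE" }

# Expected layout from the article: <path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
# (hostname assumed to equal $env:COMPUTERNAME). Pick the newest matching file
# written since collection started.
$dayFolder = Join-Path $SupportShare $started.ToString('MMdd')
$cab = Get-ChildItem -Path $dayFolder -Filter "MpSupport-$env:COMPUTERNAME-*.cab" -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $started.AddMinutes(-1) } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $cab) { throw "Expected MpSupport-$env:COMPUTERNAME-<HHMM>.cab under $dayFolder" }

# Record size and a SHA-256 hash so support can confirm the package was not altered in transit.
$hash = (Get-FileHash -Path $cab.FullName -Algorithm SHA256).Hash
"{0}`t{1} bytes`tSHA256={2}" -f $cab.FullName, $cab.Length, $hash
```

Run it on each affected device and keep the printed hash alongside the .cab you hand to support.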
Specify location where diagnostic data is created
You can also specify where the diagnostic .cab file is created using a Group Policy Object (GPO).

1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at:

   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation

2. Select Define the directory path to copy support log files.
3. Inside the policy editor, select Enabled.
4. Specify the directory path where you want to copy the support log files in the Options field.
5. Select OK or Apply.
See also
- Troubleshoot Microsoft Defender Antivirus reporting
- Performance analyzer for Microsoft Defender Antivirus
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.