Edit

Share via

Collect Microsoft Defender Antivirus diagnostic data

Applies to:

This article describes how to collect diagnostic data that's used by Microsoft support and engineering teams when they help troubleshoot issues with Microsoft Defender Antivirus.

Note

As part of the investigation or response process, you can collect an investigation package from a device. Here's how: Collect investigation package from devices.

For performance-specific issues related to Microsoft Defender Antivirus, see: Performance analyzer for Microsoft Defender Antivirus.

Get the diagnostic files

On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:

  1. Open Command Prompt as an administrator by following these steps:

    a. Open the Start menu.

    b. Type cmd. Right-click on Command Prompt and then select Run as administrator.

    c. Specify administrator credentials or approve the prompt.

  2. Navigate to the directory for Microsoft Defender Antivirus:

    cd C:\ProgramData\Microsoft\Windows Defender\Platform\<version>

    Where <version> is the actual version that starts with 4.18.2xxxx.x

    Note

    C:\ProgramData is a hidden folder. If you don't have a folder that starts with 4.18.2xxxx.x in C:\ProgramData\Microsoft\Windows Defender\Platform\, then you will need to go to C:\Program Files\Windows Defender\.

  3. Type the following command, and then press Enter

    mpcmdrun.exe -GetFiles

  4. A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output in the command prompt. By default, the location is C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.

    Note

    To redirect the cab file to a different path or UNC share, use the following command:

    mpcmdrun.exe -GetFiles -SupportLogLocation <path>

    For more information, see Redirect diagnostic data to a UNC share.

  5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.

Redirect diagnostic data to a UNC share

To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter.

mpcmdrun.exe -GetFiles -SupportLogLocation <path>

Copies the diagnostic data to the specified path. If the path isn't specified, the diagnostic data is copied to the location specified in the Support Log Location Configuration.

When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path:

<path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
field Description
path The path as specified on the command line or retrieved from configuration
MMDD Month and day when the diagnostic data was collected (for example, 0530)
hostname The hostname of the device on which the diagnostic data was collected
HHMM Hours and minutes when the diagnostic data was collected (for example, 1422)

Note

When using a file share please make sure that account used to collect the diagnostic package has write access to the share.

Specify location where diagnostic data is created

You can also specify where the diagnostic .cab file is created using a Group Policy Object (GPO).

  1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation.

  2. Select Define the directory path to copy support log files.

    The local group policy editor

    The define path for log files setting

    The local group policy editor

    The define path for configuring the log files setting

  3. Inside the policy editor, select Enabled.

  4. Specify the directory path where you want to copy the support log files in the Options field.

    Screenshot showing the enabled directory path custom setting.

  5. Select OK or Apply.

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.