Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MpCmdRun.exe running, but I use a different antivirus, why?


  • Please log in to reply
30 replies to this topic

#1 rp88

rp88

  • Members
  • 3,067 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:31 AM

Posted 05 October 2015 - 01:46 PM

I just logged on today and found a process running in task manager called MpCmdRun.exe, I researched online and found it to be a part of windows defender, which is included on the windows 8.1 laptop on which this is occuring, BUT this laptop doesn't use windows defender as it's antivirus, I uses avast on it, so shouldn't windows defender be disabled and not running anything in the background? What is gong on here, is it normal for this utitlity to run when a user has another antivirus installed?


The fle is found in C:\Program Files\Windows Defender\
It is 378KB in size (380KB on disk), it was "created" 12th auagust 2015 and modified 7th july 2015, it has two digital signatures, a sha1 and a sha256 from microsoft.

Thanks

Edited by rp88, 05 October 2015 - 01:47 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • Moderator
  • 13,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:31 AM

Posted 05 October 2015 - 01:53 PM

mpcmdrun.exe is a process belonging to Microsoft Windows Defender Antispyware....not antivirus


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:31 AM

Posted 05 October 2015 - 02:12 PM

mpcmdrun.exe is a process belonging to Microsoft Windows Defender Antispyware....not antivirus


This. Even thought you don't use Windows Defender as your Antivirus, the process exist because Windows Defender is also a service and feature on Windows, so it's normal for it to run in the background. It won't cause any interference with your current avast! installation.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 rp88

rp88
  • Topic Starter

  • Members
  • 3,067 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:31 AM

Posted 05 October 2015 - 02:42 PM

It is still running at this time. So you say it's fine but it does seem odd, I've never seen it before and as far as I know avast acts as antispyware as well as antivirus.

Edited by rp88, 05 October 2015 - 02:42 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:31 AM

Posted 05 October 2015 - 02:43 PM

It's normal, yes. You are using Windows 8/8.1, right?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 rp88

rp88
  • Topic Starter

  • Members
  • 3,067 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:31 AM

Posted 05 October 2015 - 02:44 PM

I am, windows 8.1.
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#7 RolandJS

RolandJS

  • Members
  • 4,539 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:03:31 AM

Posted 05 October 2015 - 02:44 PM

diddle not with Windows processes, services, etc. -- I did once [involving WD in fact], ended up doing a fresh ReInstall.

[my diddling invalidated/unauthenticated my Windows]


Edited by RolandJS, 05 October 2015 - 02:45 PM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#8 rp88

rp88
  • Topic Starter

  • Members
  • 3,067 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:31 AM

Posted 05 October 2015 - 02:46 PM

It's just I haven't, ever , seen it running before. Obviously that doesn't mean it's never run before, but it does mean that it hasn't run often enough for it's running to have ever before co-incided with my opening of task manager (which I usually do a few times every day). And yet today I see it running for over an hour. Does this perhaps mean it's "found something"?
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#9 rp88

rp88
  • Topic Starter

  • Members
  • 3,067 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:31 AM

Posted 05 October 2015 - 02:50 PM

I just took a look in the services panel of task manager, obvously not altering them, just looking, it seems the windows defender service (WinDefend) is stopped, don't know how long it has been stopped for, but the MpCmdRun.exe process is still running, should I be concerned?
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:31 AM

Posted 05 October 2015 - 02:52 PM

I wouldn't be concerned. It's possible that another service or program called it (like the Action Center). Where is the executable being launched from?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 RolandJS

RolandJS

  • Members
  • 4,539 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:03:31 AM

Posted 05 October 2015 - 02:53 PM

Probably not, whenever Windows detects another anti-virus software, it automatically disables and keeps disabled WD.

That service running, dunno what it is, what it does.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#12 rp88

rp88
  • Topic Starter

  • Members
  • 3,067 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:31 AM

Posted 05 October 2015 - 03:30 PM

"Where is the executable being launched from? "

Please clarify what you mean here more precisely, do you mean what folder the mpccmdrun.exe filde is in?





"That service running, dunno what it is, what it does."
which service, I said there was one which was stopped, never mentioned a running one.
P.S. it's still running

Edited by rp88, 05 October 2015 - 03:32 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#13 RolandJS

RolandJS

  • Members
  • 4,539 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:03:31 AM

Posted 05 October 2015 - 03:55 PM

Sys[tem] Internals' Autorun, start, let it completely do its work, it takes several moments to fully list everything it finds running, or having been called up during Startup and such.  Find MpCmdRun -- go right, there should be a column that gives the path where MpCmdRun.exe is being called from.  [Great, my own autoruns didn't find via the Find function.  Mine WD is working, I dunno what to tell ya.]


Edited by RolandJS, 05 October 2015 - 03:57 PM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:31 AM

Posted 05 October 2015 - 04:06 PM

Please clarify what you mean here more precisely, do you mean what folder the mpccmdrun.exe filde is in?


That exactly. Right-click on the process and select Open File Location.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 rp88

rp88
  • Topic Starter

  • Members
  • 3,067 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:31 AM

Posted 05 October 2015 - 04:10 PM

Post #13, if you just want to know the folder it is in C:\Program Files\Windows Defender\, I turned on an extra column in task manager, the one called "Command line" and can say that this exe file is being run under the folowing "command"


"C:\Program Files\Windows Defender\MpCmdRun.exe" -IdleTask -TaskName WdCleanup

the description column in task manager says:
Microsoft Malware Protection Command Line Utility

the username running it is:
SYSTEM

Edited by rp88, 05 October 2015 - 04:10 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users