Process
msmpeng.exe
MsMpEng.exe is the core engine of Microsoft Defender Antivirus, the service that performs real-time scanning, behavior monitoring, and threat remediation. It is present and busy on most Windows machines. For an analyst it is both a thing to recognize as normal and a process attackers try to disable or impersonate.
File identity
- File type
- PE32+ executable
- Magic
- PE32+ executable (GUI)
- Original name
- MsMpEng.exe
- Internal name
- MsMpEng.exe
- Product
- Microsoft® Windows® Operating System
- Status
- Signed
- Publisher
- Microsoft Corporation
- Signer
- Microsoft Windows Publisher
- Issuer
- Microsoft Windows Production PCA 2011
- Signature rate
- 100%
4.18.26040.7 (8d846dd50fd7adca65beb1b013a5fda76a9ec807): 100%
283.90 KB: 100%
Execution context
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26040.7-0\MsMpEng.exe: 100%
Not observed.
Not observed.
1: 100%
Session 0: 100%
SeDebugPrivilege: 100%
SeSecurityPrivilege: 100%
SeSystemEnvironmentPrivilege: 100%
SeRestorePrivilege: 100%
SeChangeNotifyPrivilege: 100%
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
svchost.exe: 100%
nissrv.exe: 66.7%
vmtoolsd.exe: 33.3%
powershell.exe: 33.3%
runtimebroker.exe: 33.3%
Not observed.
Indicators
Not observed.
Analysis
MsMpEng.exe (Microsoft Malware Protection Engine) is the heart of Microsoft Defender Antivirus. It scans files and processes in real time, watches for malicious behavior, and quarantines or removes threats. It runs as a SYSTEM service, and on current Windows it is a protected process (PPL), which keeps other software, even administrators, from reading its memory or injecting into it. Because Defender updates into versioned platform folders, the genuine binary lives under C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe.
Legitimately, MsMpEng runs continuously whenever Defender is the active antivirus, and high CPU during scans is normal. A second copy, a wrong path, or a loss of its protected status is what stands out.
MsMpEng.exe is mostly something to recognize as normal, but it matters in two ways. Its trusted name invites impersonation (T1036.005): a process called MsMpEng.exe outside the Defender platform folder, or one lacking the protected-process status the real engine always has, is suspect.
It is also a target for being switched off (T1685). Attackers disable Defender's real-time protection, stop the service, or add exclusions so the engine stops inspecting their activity, and on hardware that supports it the PPL protection is what makes the engine itself hard to kill or tamper with directly. MsMpEng disappearing, or its protection settings changing, on a machine that is supposed to run Defender means the primary defense has been neutralized.
- Image path outside the Windows Defender Platform location (high)
- A process named MsMpEng.exe running without the protected-process (PPL) attribute (high)
- More than one instance, or one running as a non-SYSTEM account (high)
- MsMpEng absent or stopped on a machine where Defender is the configured antivirus (med)
- Child processes spawned by MsMpEng (med)
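The indicators above can be checked on a live host. The following script is an added example, not part of this profile, and assumes an elevated PowerShell 5.1 or later session on Windows; it reads each MsMpEng.exe process's PS_PROTECTION byte through the ProcessProtectionInformation class (61) of NtQueryInformationProcess, which is not a documented public API.

```powershell
# Added example: evaluate running MsMpEng.exe processes against the profile's indicators.
$code = @'
using System;
using System.Runtime.InteropServices;
public static class ProcProt {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr h, int cls, out byte info, int len, out int ret);
    // Returns the PS_PROTECTION byte (bits 0-2 = type: 0 none, 1 PPL, 2 PP; bits 4-7 = signer), or -1 if unreadable.
    public static int Get(int pid) {
        IntPtr h = OpenProcess(0x1000, false, pid);   // PROCESS_QUERY_LIMITED_INFORMATION is allowed on PPL targets
        if (h == IntPtr.Zero) return -1;
        byte prot; int ret;
        int status = NtQueryInformationProcess(h, 61, out prot, 1, out ret); // 61 = ProcessProtectionInformation
        CloseHandle(h);
        return status == 0 ? prot : -1;
    }
}
'@
if (-not ('ProcProt' -as [type])) { Add-Type -TypeDefinition $code }

# Genuine engine lives in a versioned folder under the Defender Platform directory (path from the profile).
$platformRe = '^C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\[^\\]+\\MsMpEng\.exe$'
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'MsMpEng.exe'")
$findings = @()

if ($procs.Count -gt 1) { $findings += "HIGH: $($procs.Count) MsMpEng.exe instances (expected 1)" }
if ($procs.Count -eq 0 -and (Get-Service WinDefend -ErrorAction SilentlyContinue).Status -ne 'Running') {
    $findings += "MED: MsMpEng.exe is not running and the WinDefend service is not running"
}
foreach ($p in $procs) {
    $id = "PID $($p.ProcessId)"
    if (-not $p.ExecutablePath) { $findings += "INFO: $id image path not readable (run elevated)" }
    elseif ($p.ExecutablePath -notmatch $platformRe) { $findings += "HIGH: $id image path outside the Defender Platform folder: $($p.ExecutablePath)" }
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($owner.ReturnValue -eq 0 -and $owner.User -ne 'SYSTEM') {
        $findings += "HIGH: $id runs as $($owner.Domain)\$($owner.User), not SYSTEM"
    }
    $prot = [ProcProt]::Get($p.ProcessId)
    if ($prot -lt 0) { $findings += "INFO: $id protection level not readable" }
    elseif (($prot -band 7) -ne 1) { $findings += "HIGH: $id lacks the PPL attribute (PS_PROTECTION=0x$('{0:X2}' -f $prot))" }
    $children = @(Get-CimInstance Win32_Process -Filter "ParentProcessId = $($p.ProcessId)")
    if ($children.Count -gt 0) { $findings += "MED: $id spawned child processes: $($children.Name -join ', ')" }
}
if ($findings) { $findings } else { "OK: MsMpEng.exe matches the expected profile" }
```

On a healthy host the genuine engine reports PS_PROTECTION 0x31 (PPL type 1, antimalware signer 3) and the script prints the OK line; each finding maps to one indicator and its severity from the list above.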
Telemetry
Microsoft Windows 11 Enterprise Evaluation: 100%
- First seen
- 2026-06-08
- Last seen
- 2026-06-08
- Machines
- 1