MsMpEng.exe still accesses folders excluded in Windows Security settings


fruh

Active member
Local time
3:54 PM
Posts
111
OS
Windows 11
MsMpEng.exe (Windows Defender) still accesses my secondary HDD's programs folder even though it is explicitly set as an exclusion, targeting seemingly random programs' subfolders too. I can't really figure out why it does but I'd not want ANY Defender activity on that drive. I have set the whole D: path as an exclusion, together with D:\Program Files etc.

Is there an actual way to forcefully specify which folders (drives would be better) MsMpEng.exe has access to? Could it be that some programs have some strange integration to be manually disabled too? I haven't been able to find anything on the web yet.

Thanks to anyone who will try to help :)
 
Windows Build/Version
22000.832

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Dell g5 5590
    CPU
    intel 9th gen
    Memory
    8GB LOL
    Graphics Card(s)
    nvidia
    Hard Drives
    C: nVME kioxia SSD
    D: SATA toshiba HDD
    Browser
    Firefox
    Antivirus
    Defender (if it hasn't been disabled yet)

glasskuter

Well-known member
Pro User
VIP
Local time
8:54 AM
Posts
2,578
Location
The Lone Star State of Texas
OS
Windows 11 Pro 22H2 22621.608
I have several entire drives excluded and defender never scans them. It honors everything else I have excluded as well.

When you say secondary hdd, is this an external drive configured as a NAS? Normally Defender does not scan mapped network drives but it can be changed in the registry. Did you make the registry change to make Defender scan NAS drives? If so, it's just a thought but possibly one setting might override the other.

Try the suggestions here. Windows Defender Exclusions not working [Fixed]
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 22H2 22621.608
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 m.2 2230-256+1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 21H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium

fruh

Thread Starter
> I have several entire drives excluded and defender never scans them. It honors everything else I have excluded as well.
>
> When you say secondary hdd, is this an external drive configured as a NAS? Normally Defender does not scan mapped network drives but it can be changed in the registry. Did you make the registry change to make Defender scan NAS drives? If so, it's just a thought but possibly one setting might override the other.
>
> Try the suggestions here. Windows Defender Exclusions not working [Fixed]

By secondary drive I mean a drive other than the one where Windows is installed, it's just the second (out of two) disk in my system.

Anyway, I had never been able to find the article you linked so thank you :)
By looking in the registry for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions I have found out that the "Exclusions" key is completely missing. Should I manually add it and add the "DisableAutoExclusions" dword mentioned in the article?

Thanks :)
 


Try3

Well-known member
Power User
VIP
Local time
2:54 PM
Posts
842
Location
The proper part of London
OS
Windows 11 Home x64 Version 21H2 Build 22000.978
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions I have found out that the "Exclusions" key is completely missing
The Exclusions Keys [the ones that list Exclusions] are in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions


Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 21H2 Build 22000.978
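
One way to read both registry locations mentioned above (the local Exclusions key and the Policies key) and test whether a given path falls under a configured path exclusion. This is an added example, not code from any poster in the thread; the function names are hypothetical, the sample path is constructed, and the prefix/wildcard comparison is a simplification rather than Defender's own matching logic.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session:
# reading the Exclusions keys can require administrator rights.
$ExclusionRoots = [ordered]@{
    Local  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
    Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
}

function Get-DefenderPathExclusion {   # hypothetical helper name
    foreach ($source in $ExclusionRoots.Keys) {
        $keyPath = $ExclusionRoots[$source] + '\Paths'
        try {
            $key = Get-Item -LiteralPath $keyPath -ErrorAction Stop
        } catch [System.Management.Automation.ItemNotFoundException] {
            continue    # key absent: nothing configured from this source
        } catch {
            Write-Warning "Cannot read $keyPath : $($_.Exception.Message)"
            continue
        }
        # Each excluded path is stored as a value NAME under ...\Exclusions\Paths.
        foreach ($name in $key.GetValueNames()) {
            if ($name) { [pscustomobject]@{ Source = $source; Path = $name } }
        }
    }
}

function Test-ExcludedPath {           # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path, [string[]]$Exclusion)
    $target = $Path.TrimEnd('\')
    foreach ($entry in $Exclusion) {
        # Simplified match: same folder, any descendant, or a '*' wildcard entry.
        $root = [Environment]::ExpandEnvironmentVariables($entry).TrimEnd('\')
        if ($target -like $root -or $target -like ($root + '\*')) { return $entry }
    }
    return $null
}

# Constructed sample path below the D:\Program Files exclusion mentioned in the thread.
$observed   = 'D:\Program Files\ExampleApp\bin'
$configured = @(Get-DefenderPathExclusion)
$configured | Format-Table -AutoSize

$match = Test-ExcludedPath -Path $observed -Exclusion $configured.Path
if ($match) { "Covered by exclusion: $match" }
else        { "No configured path exclusion covers $observed" }

# The policy value asked about in the thread; absent unless a policy created it.
$policy = Get-ItemProperty -LiteralPath $ExclusionRoots.Policy -ErrorAction SilentlyContinue
if ($null -ne $policy -and $null -ne $policy.DisableAutoExclusions) {
    "DisableAutoExclusions (policy) = $($policy.DisableAutoExclusions)"
} else {
    'DisableAutoExclusions is not set by policy'
}
```

The Source column shows whether an entry came from the local settings or from policy, which helps when the two disagree.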

glasskuter

> "Exclusions" key is completely missing. Should I manually add it and add the "DisableAutoExclusions" dword mentioned in the article?
I do not believe so. Neither the key nor any other dword exists in my registry either. I understand that to mean if one has enabled any group policy setting to manage windows security, one can disable the change in gpedit.msc OR by making the change in the registry. Since neither you nor I have made such a policy change in gpedit, no such keys will exist or should exist.
The article says "If you find any REG_DWORD value with Value data 1, double-click on it.
Enter the Value data as 0."
 


fruh

> The Exclusions Keys [the ones that list Exclusions] are in
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions
>
> Denis

Alright, thanks. I have looked at that path too and I have found* the excluded paths under \Paths. Yet, MsMpEng.exe accesses some paths on the D:\ drive which has explicitly been excluded :/ (*edited the post since I hadn't found them at first, my bad)

> I do not believe so. Neither the key nor any other dword exists in my registry either. I understand that to mean if one has enabled any group policy setting to manage windows security, one can disable the change in gpedit.msc OR by making the change in the registry. Since neither you nor I have made such a policy change in gpedit, no such keys will exist or should exist.
> The article says "If you find any REG_DWORD value with Value data 1, double-click on it.
> Enter the Value data as 0."

Ok. I will post here if I find something about this
 


Try3

> Yet, MsMpEng.exe accesses some paths on the D:\ drive which has explicitly been excluded
I have also found Exclusions to be dishonoured in the past.
A couple of years ago, Windows 10, I kept getting things quarantined despite repeatedly adding them to Exclusions. Then it settled down and has not messed me about for, probably, a year now.
But I have never tried to monitor WD's access to drives-folders; I have only noticed its behaviour when I've had something quarantined that should not have been.

Best of luck,
Denis
 


fruh

> I have also found Exclusions to be dishonoured in the past.
> A couple of years ago, Windows 10, I kept getting things quarantined despite repeatedly adding them to Exclusions. Then it settled down and has not messed me about for, probably, a year now.
> But I have never tried to monitor WD's access to drives-folders; I have only noticed its behaviour when I've had something quarantined that should not have been.
>
> Best of luck,
> Denis

Well, looks like Windows is so advanced it has a will of its own. This is kinda frustrating. I'm thinking WD could be able to ignore exclusions by being redirected to excluded paths from stuff it analyses in non-excluded paths, though I don't really know anything about how Defender scans work

😤
 


glasskuter

Just curious. Can you give a couple of examples of what exclusions are not being honored?
 


fruh

> Just curious. Can you give a couple of examples of what exclusions are not being honored?

One in particular is "D:\Programmi\Simcenter\v1610_student\Amesim\sys\mingw32", where Simcenter Amesim is a program for mechanical engineering installed on the D: drive (OS belongs to C: ). Ironically, I have set that exclusion after seeing that MsMpEng.exe accessed it even though I had already excluded the whole D:\ path; of course, the exclusion continues to be ignored. When that path is accessed, some of the higher folders on that path are accessed too. Unfortunately ProcessMonitor only shows the folder and not the exact files being accessed; D:\ alone is accessed too
 


glasskuter

Then remove that exclusion and back up to the path of the folder level. Try setting one for D:\Programmi\Simcenter\
 


fruh

> Then remove that exclusion and back up to the path of the folder level. Try setting one for D:\Programmi\Simcenter\

I have now tried to do that, even though I had probably already done so at some point. Anyway, the D:\Programmi folder was already excluded at the same time together with the complete path

Since the whole drive was excluded too, something is wrong anyway
 


glasskuter

Also set an exclusion for Simcenter Amesim located in your username appdata folder. To see it you will first have to go to control panel-files explorer options-view tab-check show hidden files, folders, and drives.
Then locate C:\Users\yourusername\AppData\local (or roaming)
 


fruh

> Also set an exclusion for Simcenter Amesim located in your username appdata folder. To see it you will first have to go to control panel-files explorer options-view tab-check show hidden files, folders, and drives.
> Then locate C:\Users\yourusername\AppData\local (or roaming)

Didn't find much, it seems that Amesim does not spread a lot of stuff there; also looked into programdata. I have set exclusions for what I've found so let's see, thanks :)
 


fruh

Today I have noticed something slightly different than usual. The process is svchost.exe rather than MsMpEng.exe, but it targets a "windowsdefender:\.DLL" thing that I was not able to find in the actual folder. Here is a screenshot, and what on earth is that?? (around 10th line)

Path in the screenshot is "D:\Programmi\Simcenter\v1610_student\Amesim\win64\windowsdefender:\.DLL", file explorer couldn't find anything after \win64

Immagine 2022-09-02 084916.png
 


glasskuter

Sorry, but when you get into dlls and svchost instances it's way above my pay grade.
 


fruh

So, I think I might have found something. From the attached screenshot I have seen the "svchost.exe -k localservicenetworkrestricted -p -s wscsvc" command line entry. Hence, I have summoned the web and I have found this page Security Center (wscsvc) Service Defaults in Windows 10 which suggests that the Windows Security Health app or whatever actually reports installed programs' security health settings to Windows. I think I have solved the MsMpEng.exe issue by disabling realtime protection (ironic huh), but could it be possible to disable that security health reporting stuff for selected programs?

Thanks :)

Immagine 2022-09-06 171837 realtime_off at_pluggin.png
 


fruh

I have no hope left about this stuff but I will post this anyway, just in case anyone will find it useful in the future or whatever.

The current situation is shown in the attached screenshot.

Ironically, firefox now does what MsMpeng.exe did before, since I have completely disabled Defender; also, I have uninstalled Simcenter Amesim so the accessed path doesn't even exist anymore. I am speechless.

Immagine 2022-09-15 193007.png
 
