MsMpEng.exe still accesses folders excluded in Windows Security settings


fruh

MsMpEng.exe (Windows Defender) still accesses my secondary HDD's programs folder even though it is explicitly set as an exclusion, targeting seemingly random programs' subfolders too. I can't really figure out why it does but I'd not want ANY Defender activity on that drive. I have set the whole D: path as an exclusion, together with D:\Program Files etc.

Is there an actual way to forcefully specify which folders (drives would be better) MsMpEng.exe has access to? Could it be that some programs have some strange integration to be manually disabled too? I haven't been able to find anything on the web yet.

Thanks to anyone who will try to help :)
 
Windows Build/Version
22000.832

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Dell g5 5590
    CPU
    intel 9th gen
    Memory
    8GB LOL
    Graphics Card(s)
    nvidia
    Hard Drives
    C: nVME kioxia SSD
    D: SATA toshiba HDD
    Browser
    Firefox
    Antivirus
    Defender (if it hasn't been disabled yet)
I have several entire drives excluded and defender never scans them. It honors everything else I have excluded as well.

When you say secondary hdd, is this an external drive configured as a NAS? Normally Defender does not scan mapped network drives but it can be changed in the registry. Did you make the registry change to make Defender scan NAS drives? If so, it's just a thought but possibly one setting might override the other.

Try the suggestions here. Windows Defender Exclusions not working [Fixed]
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3296
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
I have several entire drives excluded and defender never scans them. It honors everything else I have excluded as well.

When you say secondary hdd, is this an external drive configured as a NAS? Normally Defender does not scan mapped network drives but it can be changed in the registry. Did you make the registry change to make Defender scan NAS drives? If so, it's just a thought but possibly one setting might override the other.

Try the suggestions here. Windows Defender Exclusions not working [Fixed]

By secondary drive I mean a drive other than the one where Windows is installed, it's just the second (out of two) disk in my system.

Anyway, I had never been able to find the article you linked so thank you :)
By looking in the registry for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions I have found out that the "Exclusions" key is completely missing. Should I manually add it and add the "DisableAutoExclusions" dword mentioned in the article?

Thanks :)
 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions I have found out that the "Exclusions" key is completely missing
The Exclusions Keys [the ones that list Exclusions] are in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions


Denis
 
My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3296
"Exclusions" key is completely missing. Should I manually add it and add the "DisableAutoExclusions" dword mentioned in the article?
I do not believe so. Neither the key nor any other dword exists in my registry either. I understand that to mean if one has enabled any group policy setting to manage windows security, one can disable the change in gpedit.msc OR by making the change in the registry. Since neither you nor I have made such a policy change in gpedit, no such keys will exist or should exist.
The article says "If you find any REG_DWORD value with Value data 1, double-click on it.
Enter the Value data as 0."
 

The Exclusions Keys [the ones that list Exclusions] are in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions


Denis

Alright, thanks. I have looked to that path too and I have found* the excluded paths under \Paths. Yet, MsMpEng.exe accesses some paths on the D:\ drive which has explicitly been excluded :/ (*edited the post since I hadn't found them at first, my bad)

I do not believe so. Neither the key nor any other dword exists in my registry either. I understand that to mean if one has enabled any group policy setting to manage windows security, one can disable the change in gpedit.msc OR by making the change in the registry. Since neither you nor I have made such a policy change in gpedit, no such keys will exist or should exist.
The article says "If you find any REG_DWORD value with Value data 1, double-click on it.
Enter the Value data as 0."

Ok. I will post here if I find something about this
 

Yet, MsMpEng.exe accesses some paths on the D:\ drive which has explicitly been excluded
I have also found Exclusions to be dishonoured in the past.
A couple of years ago, Windows 10, I kept getting things quarantined despite repeatedly adding them to Exclusions. Then it settled down and has not messed me about for, probably, a year now.
But I have never tried to monitor WD's access to drives-folders; I have only noticed its behaviour when I've had something quarantined that should not have been.

Best of luck,
Denis
 

I have also found Exclusions to be dishonoured in the past.
A couple of years ago, Windows 10, I kept getting things quarantined despite repeatedly adding them to Exclusions. Then it settled down and has not messed me about for, probably, a year now.
But I have never tried to monitor WD's access to drives-folders; I have only noticed its behaviour when I've had something quarantined that should not have been.

Best of luck,
Denis

Well, looks like Windows is so advanced it has a will of its own. This is kinda frustrating. I'm thinking WD could be able to ignore exclusions by being redirected to excluded paths from stuff it analyses in non-excluded paths, though I don't really know anything about how Defender scans work

😤
 

Just curious. Can you give a couple of examples of what exclusions are not being honored.
 

Just curious. Can you give a couple of examples of what exclusions are not being honored.

One in particular is "D:\Programmi\Simcenter\v1610_student\Amesim\sys\mingw32", where Simcenter Amesim is a program for mechanical engineering installed on the D: drive (OS belongs to C: ). Ironically, I have set that exclusion after seeing that MsMpEng.exe accessed it even though I had already excluded the whole D:\ path; of course, the exclusion continues to be ignored. When that path is accessed, some of the higher folders on that path are accessed too. Unfortunately ProcessMonitor only shows the folder and not the exact files being accessed; D:\ alone is accessed too
 

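An added example (not posted by anyone in the thread): PowerShell that lists the exclusion paths recorded under the two registry locations discussed above and by Get-MpPreference, then checks every MsMpEng.exe path from a Process Monitor CSV export against them. The function names, the sample Procmon rows and the CSV path in the comment are constructed for illustration; it assumes an elevated session.

```powershell
# Added example. Run elevated: Get-MpPreference hides exclusions from non-administrators.
$keys = [ordered]@{
    Local  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'
}

function Get-RecordedExclusion {
    # Excluded paths are stored as value NAMES under ...\Exclusions\Paths.
    foreach ($source in $keys.Keys) {
        if (Test-Path -LiteralPath $keys[$source]) {   # a missing key means nothing is set there
            foreach ($name in (Get-Item -LiteralPath $keys[$source]).GetValueNames()) {
                if ($name) { [pscustomobject]@{ Source = $source; Path = $name } }
            }
        }
    }
    # What the running engine reports through its own cmdlet.
    foreach ($p in @((Get-MpPreference).ExclusionPath)) {
        if ($p -and $p -notlike 'N/A:*') { [pscustomobject]@{ Source = 'Get-MpPreference'; Path = $p } }
    }
}

function Find-CoveringExclusion {
    # Returns the first exclusion that equals $Path or is a parent folder of it.
    # Wildcards and environment variables inside exclusions are not expanded here.
    param([string]$Path, [string[]]$Exclusions)
    $target = $Path.TrimEnd('\') + '\'
    foreach ($e in $Exclusions) {
        $prefix = $e.TrimEnd('\') + '\'
        if ($target.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $e }
    }
}

# Constructed sample rows in Process Monitor's default CSV export columns.
# For real data use: $events = Import-Csv 'C:\Temp\procmon.csv'   (hypothetical path)
$events = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:49:16.0000001 AM","MsMpEng.exe","4012","CreateFile","D:\Programmi\Simcenter\v1610_student\Amesim\sys\mingw32","SUCCESS","Desired Access: Read Attributes"
"8:49:16.0000002 AM","MsMpEng.exe","4012","QueryDirectory","D:\Programmi\Simcenter","SUCCESS",""
"8:49:16.0000003 AM","MsMpEng.exe","4012","CreateFile","D:\","SUCCESS","Desired Access: Read Attributes"
"8:49:17.0000001 AM","firefox.exe","9120","ReadFile","C:\Users\example\cache.bin","SUCCESS",""
'@ | ConvertFrom-Csv

$recorded = @(Get-RecordedExclusion)
$recorded | Sort-Object Path, Source | Format-Table -AutoSize

$paths = @($recorded | ForEach-Object Path | Select-Object -Unique)
$events | Where-Object { $_.'Process Name' -eq 'MsMpEng.exe' } |
    Group-Object Path, Operation | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Path       = $first.Path
            Operation  = $first.Operation
            Count      = $_.Count
            ExcludedBy = Find-CoveringExclusion -Path $first.Path -Exclusions $paths
        }
    } | Format-Table -AutoSize
```

An empty ExcludedBy column means no recorded exclusion covers that path; a populated one shows which entry matched, and the Operation column shows whether the access was a directory open or query rather than a ReadFile.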
Then remove that exclusion and back up to the path of the folder level. Try setting one for D:\Programmi\Simcenter\
 

Then remove that exclusion and back up to the path of the folder level. Try setting one for D:\Programmi\Simcenter\

I have now tried to do that, even though I had probably already done so at some point. Anyway, the D:\Programmi folder was already excluded at the same time together with the complete path

Since the whole drive was excluded too, something is wrong anyway
 

Also set an exclusion for Simcenter Amesim located in your username appdata folder. To see it you will first have to go to control panel-files explorer options-view tab-check show hidden files, folders, and drives.
Then locate C:\Users\yourusername\AppData\local (or roaming)
 

Also set an exclusion for Simcenter Amesim located in your username appdata folder. To see it you will first have to go to control panel-files explorer options-view tab-check show hidden files, folders, and drives.
Then locate C:\Users\yourusername\AppData\local (or roaming)

Didn't find much, it seems that Amesim does not spread a lot of stuff there; also looked into programdata. I have set exclusions for what I've found so let's see, thanks :)
 

Today I have noticed something slightly different than usual. The process is svchost.exe rather than MsMpEng.exe, but it targets a "windowsdefender:\.DLL" thing that I was not able to find in the actual folder. Here is a screenshot, and what on earth is that?? (around 10th line)

Path in the screenshot is "D:\Programmi\Simcenter\v1610_student\Amesim\win64\windowsdefender:\.DLL", file explorer couldn't find anything after \win64

Immagine 2022-09-02 084916.png
 

Sorry, but when you get into dlls and svchost instances it's way above my pay grade.
 

So, I think I might have found something. From the attached screenshot I have seen the "svchost.exe -k localservicenetworkrestricted -p -s wscsvc" command line voice. Hence, I have summoned the web and I have found this page Security Center (wscsvc) Service Defaults in Windows 10 which suggests that the Windows Security Health app or whatever actually reports installed programs' security health settings to Windows. I think I have solved the MsMpEng.exe issue by disabling realtime protection (ironic huh), but could it be possible to disable that security health reporting stuff for selected programs?

Thanks :)

Immagine 2022-09-06 171837 realtime_off at_pluggin.png
 

I have no hope left about this stuff but I will post this anyway, just in case anyone will find it useful in the future or whatever.

The current situation is shown in the attached screenshot.

Ironically, firefox now does what MsMpeng.exe did before, since I have completely disabled Defender; also, I have uninstalled Simcenter Amesim so the accessed path doesn't even exist anymore. I am speechless.

Immagine 2022-09-15 193007.png
 

