How to collect support files when you troubleshoot Windows Defender issues

Article ID: 923886

INTRODUCTION

If you experience issues when you use support logging for Windows Defender, you may want to collect log files to help troubleshoot the issues. This article describes how to use the MpCmdRun.exe tool to enable definition updates diagnostics and lists the files that are collected when you use the tool.

MORE INFORMATION

To enable definition updates diagnostics to collect the log files, follow the steps that are listed for your operating system:

Windows XP

  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following commands. Press ENTER after each command:
    cd C:\Program Files\Windows Defender
    MpCmdRun -GetFiles
  3. At the command prompt, type exit, and then press ENTER to close the command prompt.
  4. Locate the following folder to view the log files:
    C:\Documents and settings\All users\Application data\Microsoft\Windows Defender\Support\
Note If you are collecting these files to send to a support representative, you only have to send the MPSupportFiles.cab file. This file contains a copy of all the created log files.

The following information is collected and packaged together in a compressed file in the "C:\Documents and settings\All users\Application data\Microsoft\Windows Defender\Support\" folder.
  • Any trace files from Windows Defender
  • The Windows Update history log
  • All WinDefend or WinDefendRtp events from the System and Application logs
  • All relevant Windows Defender registry locations
  • All software information from Software Explorer
The file names are as follows:
MPApplicationEvents.txt
MpLog-########-######.log
MPRegistry.txt
MpSigStub.log
MPSWE.txt
MPSystemEvents.txt
WindowsUpdate.log
Note For the MpLog-########-######.log file, the "#" characters represent a sequence of numbers generated by your computer.

Windows Vista

  1. Click Start, type command prompt in the Start Search box, right-click Command Prompt in the Programs list, and then click Run as administrator.

    If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.
  2. At the command prompt, type the following commands. Press ENTER after each command:
    cd C:\Program Files\Windows Defender
    MpCmdRun -GetFiles
  3. When the process is complete, type exit, and then press ENTER to close the command prompt.
  4. Locate the following folder to view the log files:
    C:\ProgramData\Microsoft\Windows Defender\Support
Note If you are collecting these files to send to a support representative, you only have to send the MPSupportFiles.cab file. This file contains a copy of all the created log files.

The following information is collected and packaged together in a compressed file in the "C:\ProgramData\Microsoft\Windows Defender\Support\" directory.
  • Any trace files from Windows Defender
  • The Windows Update history log
  • All WinDefend or WinDefendRtp events from the System and Application logs
  • All relevant Windows Defender registry locations
  • All software information from Software Explorer
The file names are as follows:
MPApplicationEvents.txt
MpCmdRun-NetworkService.log
MpCmdRun-System.log
MpLog-########-######.log
MPRegistry.txt
MpSigStub.log
MPSWE.txt
MPSystemEvents.txt
WindowsUpdate.log
Note For the MpLog-########-######.log file, the "#" characters represent a sequence of numbers generated by your computer.

Windows 7

  1. Click Start, type command prompt in the Start Search box, right-click Command Prompt in the Programs list, and then click Run as administrator.

    If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.
  2. At the command prompt, type the following commands. Press ENTER after each command:
    cd C:\Program Files\Windows Defender
    MpCmdRun -getfiles
  3. When the process is complete, type exit, and then press ENTER to close the command prompt.
  4. Locate the following folder to view the log files:
    C:\ProgramData\Microsoft\Windows Defender\Support\
Note If you are collecting these files to send to a support representative, you only have to send the MPSupportFiles.cab file. This file contains a copy of all the created log files.

The following information is collected and packaged together in a compressed file in the "C:\ProgramData\Microsoft\Windows Defender\Support\" directory.
  • Any trace files from Windows Defender
  • The Windows Update history log
  • All WinDefend or WinDefendRtp events from the System and Application logs
  • All relevant Windows Defender registry locations
  • The log file of this tool
  • The log file of the signature update helper tool
The file names are as follows:
MpCmdRun-NetworkService.log
MpCmdRun-System.log
MpLog-########-######.log
MPOperationalEvents.txt
MPRegistry.txt
MpSigStub.log
MPWHCEvents.txt
WindowsUpdate.log
Note For the MpLog-########-######.log file, the "#" characters represent a sequence of numbers generated by your computer.
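
The Windows 7 procedure above as a PowerShell script, added here as an example (it is not Microsoft's code): it runs the collection, confirms that MPSupportFiles.cab was rewritten by this run, and checks the contents of the cab against the file list in this article. The scratch folder under %TEMP%, the exit-code check, and reading the MpLog name as 8 digits, a hyphen, and 6 digits are assumptions.

```powershell
# Added example: scripts the Windows 7 steps above. Run from an elevated PowerShell prompt.
$defenderDir = 'C:\Program Files\Windows Defender'
$supportDir  = 'C:\ProgramData\Microsoft\Windows Defender\Support'
$cab         = Join-Path $supportDir 'MPSupportFiles.cab'

# File names the article lists for Windows 7, as patterns.
# Assumption: each "#" in the MpLog name is one digit.
$expected = @(
    '^MpCmdRun-NetworkService\.log$', '^MpCmdRun-System\.log$',
    '^MpLog-\d{8}-\d{6}\.log$',       '^MPOperationalEvents\.txt$',
    '^MPRegistry\.txt$',              '^MpSigStub\.log$',
    '^MPWHCEvents\.txt$',             '^WindowsUpdate\.log$'
)

# Step 1 of the procedure requires an administrator prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt (Run as administrator).'
}

# Step 2: run the collection and remember when it started.
# Assumption: a nonzero exit code means the collection failed.
$started = Get-Date
& (Join-Path $defenderDir 'MpCmdRun.exe') -GetFiles
if ($LASTEXITCODE -ne 0) { throw "MpCmdRun -GetFiles exited with code $LASTEXITCODE" }

# Step 4: the cab must exist and must come from this run, not an earlier one.
if (-not (Test-Path $cab)) { throw "Not found: $cab" }
if ((Get-Item $cab).LastWriteTime -lt $started) { throw "Stale file: $cab was not rewritten" }

# Unpack a copy into a scratch folder and compare its contents with the list.
$scratch = Join-Path $env:TEMP ('MPSupportFiles-' + $started.ToString('yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $scratch | Out-Null
& expand.exe $cab '-F:*' $scratch | Out-Null
$names = @(Get-ChildItem $scratch | ForEach-Object { $_.Name })

foreach ($pattern in $expected) {
    if (-not ($names -match $pattern)) { Write-Warning "Missing from cab: $pattern" }
}
$names | Where-Object { $n = $_; -not ($expected | Where-Object { $n -match $_ }) } |
    ForEach-Object { Write-Warning "Not in the article's list: $_" }
"{0} files unpacked to {1}; send only {2}" -f $names.Count, $scratch, $cab
```

For Windows Vista the paths are the same; replace the patterns with the Windows Vista file list given earlier in this article.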

Properties

Article ID: 923886 - Last Review: September 28, 2011 - Revision: 4.0
APPLIES TO
  • Windows Defender
Keywords: 
kbhowto kbexpertiseinter kbinfo KB923886
