Microsoft changes Windows Defender Path on Windows 10

Martin Brinkmann
Dec 18, 2017
Updated • Feb 13, 2018
Windows, Windows 10
|
12

A recent update for Windows Defender to version 4.12.17007.17123 changed the path of the built-in antivirus software on Windows 10 devices.

Microsoft changed the paths the of the Windows Defender Antivirus service component MsMpEng.exe  and the Network Realtime Inspection service component NisSrv.exe, as well as the path of Windows Defender Antivirus drivers.

The change affects machines running Windows 10 version 1703 and newer on Windows 10 Home, Pro and Enterprise machines.

Microsoft moved the files MsMpEng.exe and NisSrv.exe from %ProgramFiles%\Windows Defender to %ProgramData%\Microsoft\Windows Defender\Platform\, and Windows Defender Antivirus drivers from %Windir%\System32\drivers to %Windir%\System32\drivers\wd.

windows defender new paths

The support page KB4052623 confirms the update, but does not provide explanation why the change was made. Windows 10 Home, Pro and Enterprise, and Windows Server 2016 are affected by the change according to Microsoft.

This article describes an antimalware platform update package for Windows Defender for the following operating systems: Windows 10 (Enterprise, Pro, and Home), Windows Server 2016.

Because of a change in the file path location in the latest update (Antimalware Client Version: 4.12.17007.17123)..

The change did cause issues with Windows 10's AppLocker functionality, and that is the main reason why Microsoft published the support article.

According to Microsoft's information, the path change could cause AppLocker to block many downloads on the Windows machine.

The company published a workaround that requires that administrators set the following path %OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\* in the Group Policy.

The update may cause another rare issue according to Microsoft on systems on which Windows Defender Advanced Threat Protection runs together with Windows Defender Antivirus. Systems may be put into "passive mode" during installation of the update which disables real-time protection.

Administrators need to delete the PassiveMode value in the Windows Registry under HKLM\SOFTWARE\Microsoft\Windows Defender to resolve the issue. Microsoft notes that it may be necessary to take ownership of the Windows Defender subkey, and to enable full access to the user account to do so.

The following table lists the affected components, and the old and new storage location.

Component Old location New location

Windows Defender Antivirus service (MsMpEng.exe)

Network Realtime Inspection service (NisSrv.exe)

%ProgramFiles%\Windows Defender %ProgramData%\Microsoft\Windows Defender\Platform\<Version>
Windows Defender Antivirus drivers %Windir%\System32\drivers %Windir%\System32\drivers\wd

Closing Words

It is unclear at this point in time why Microsoft made the Windows Defender path changes in first place. (via Deskmodder)

Summary
Microsoft changes Windows Defender Path on Windows 10
Article Name
Microsoft changes Windows Defender Path on Windows 10
Description
A recent update for Windows Defender to version 4.12.17007.17123 changed the path of the built-in antivirus software on Windows 10 devices.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Anonymous said on October 7, 2021 at 2:02 am
    Reply

    Is this new route sufficiently secured against changes by malware programs? Does UAC protection work in this folder?

  2. Anonymous said on July 11, 2020 at 12:03 am
    Reply

    there is just nothing good about Microsoft anymore especially after win 10 in whitch I believe 100% was meant to spy on your every doing probably did it so the feds can spy on you and Microsoft thinks people are stupidi

  3. Curtis said on January 17, 2019 at 6:01 pm
    Reply

    This is NOT the fix for this. But this was very informative to figuring out the problem.

    There is no PassiveMode Value anywhere in the registry.

    I have the new location, but it is empty. Yet the service still points to the old location. It’s like windows update only did half the job. And it now fails when I try to update.

    All I need to do is change the ImagePath of the service…but you cannot! How does a windows update not auto-magically fix this?

    This is a production accounting server, I really do not want to start from scratch.

    Nice work Microsoft!

  4. Conn said on January 5, 2019 at 5:13 pm
    Reply

    Administrators need to delete the PassiveMode value in the Windows Registry under HKLM\SOFTWARE\Microsoft\Windows Defender to resolve the issue. Microsoft notes that it may be necessary to take ownership of the Windows Defender subkey, and to enable full access to the user account to do so.

    This is the part that I think will fix the issue I am having with Windows Defender, however this is still very vague as to the location of the PassiveMode value.

  5. Lars-Erik Østerud said on May 10, 2018 at 11:51 pm
    Reply

    Is this the reason I get error when the update “Windows Defender Antivirus-plattfor – KB4052623 (versjon 4.14.17639.18041)” is installed? The errorcode is “0x80070643”. Tried a “in place updgrade”. But it stops working again sonn after. See lots of people have this, and no Microsoft solution. Can’ do a “in place upgrade” each time there is a Defender platform update :-(

  6. Franck said on January 20, 2018 at 4:29 pm
    Reply

    Excellent article, thank you very much !

  7. Bamit said on December 21, 2017 at 9:56 pm
    Reply

    I dont know if this has happened to most others, but now, when Real Time Protection is on, file access to large folders takes forever now.

  8. SomeFulla said on December 20, 2017 at 8:21 pm
    Reply
  9. Jody Thornton said on December 18, 2017 at 3:59 pm
    Reply

    Funny that this came about. I am still on Windows 8, but I was trying to figure a way to move the Windows Defender “Signature Location” to another drive. You can change the registry location, but once you update Windows Defender – Boom! It changes back to the default folder location.

  10. David said on December 18, 2017 at 3:42 pm
    Reply

    Once again, change for the sake of change?

    1. gandalf said on December 19, 2017 at 12:48 am
      Reply

      To hide defender from you and seperate system and user installed software.
      ProgramData is a hidden folder and System32\drivers\wd is deep within the system most users dont know it exist.
      You most likely only go there if you are editing the host file inside System32\drivers\etc

  11. chesscanoe said on December 18, 2017 at 11:51 am
    Reply

    Running Windows 10 latest FCU x64 Home, going to Windows Update on 2017-12-18 shows me no history for KB4052623. However Belarc run at 2017-12-17 at 03:49:21 shows Defender at 4012.17007.17123 . No problems noticed so far, but I have not tested the environment that is purported to have issues.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.