Windows Defender (WinDefend) Service Defaults in Windows 7

Protection against spyware and potentially unwanted software.

Default Settings

Startup type:Automatic (Delayed Start)
Display name:Windows Defender
Service name:WinDefend
Service type:share
Error control:normal
Object:LocalSystem
Path:%SystemRoot%\System32\svchost.exe -k secsvcs
File:%ProgramFiles%\Windows Defender\mpsvc.dll
Registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
Privileges:
  • SeImpersonatePrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeDebugPrivilege
  • SeChangeNotifyPrivilege
  • SeSecurityPrivilege
  • SeShutdownPrivilege
  • SeIncreaseQuotaPrivilege
  • SeAssignPrimaryTokenPrivilege

Default Behavior

Windows Defender is a Win32 service. In Windows 7 it is starting automatically after the operating system is started. Then the Windows Defender service is running as LocalSystem in a shared process of svchost.exe. Other system components, such as drivers and services, may run in the same process. If Windows Defender fails to start, Windows 7 attempts to write the failure details into Event Log. Then Windows 7 startup should proceed and the user should be notified that the WinDefend service is not running because of the error.

Dependencies

Windows Defender is unable to start, if the Remote Procedure Call (RPC) service is stopped or disabled.

Restore Default Startup Configuration for Windows Defender

1. Select your Windows 7 edition and service pack, and then click Download.

2. Save the Win7_WinDefend_Service_Startup.cmd file to a local storage device.

3. Run the saved file as an administrator.

4. Restart the computer.

The WinDefend service is using the mpsvc.dll file that is located in the %ProgramFiles%\Windows Defender folder. If the file is changed, damaged or deleted, you can restore its original version from Windows 7 installation media.