Windows Defender Service (WinDefend) Defaults in Windows 8

Helps protect users from malware and other potentially unwanted software.

Default Settings

Startup type:Automatic
Display name:Windows Defender Service
Service name:WinDefend
Service type:own
Error control:normal
Object:LocalSystem
Path:%ProgramFiles%\Windows Defender\MsMpEng.exe
Registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
Privileges:
  • SeLoadDriverPrivilege
  • SeImpersonatePrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeDebugPrivilege
  • SeChangeNotifyPrivilege
  • SeSecurityPrivilege
  • SeShutdownPrivilege
  • SeIncreaseQuotaPrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeSystemEnvironmentPrivilege

Default Behavior

The Windows Defender Service is a Win32 program that can be started by the Service Controller and that obeys the service control protocol. In Windows 8 it is starting automatically during the operating system startup. Then the Windows Defender Service runs as LocalSystem in its own process of MsMpEng.exe. If Windows Defender Service fails to start, the error details are added to Windows 8 error log. When the operating system startup is complete, the user is being notified that the WinDefend service hasn't been started.

Dependencies

Windows Defender Service can't start, if the Remote Procedure Call (RPC) service is disabled or not available.

Restore Default Startup Configuration for Windows Defender Service

Before you begin doing this, make sure that all the services on which Windows Defender Service depends are configured by default and function properly. See the list of dependencies above.

1. Run the Command Prompt as an administrator.

2. Copy the commands below, paste them into the command window and press ENTER:

sc config WinDefend start= auto
sc start WinDefend

3. Close the command window and restart the computer.

The WinDefend service is using the MsMpEng.exe file that is located in the %ProgramFiles%\Windows Defender folder. If the file is corrupted or deleted, you can put it back in there.