Running MpCmdRun.exe in command line

fatryan

[H]ard|Gawd
Joined
Feb 19, 2004
Messages
1,402
I stupidly infected my system with a virus. I was trying a less-than-legal cracked program in my Win10 VM and it immediately came up as a virus. I tried cleaning the VM, then I shut it down. But then I noticed my host's resources had jumped up, memory was at 75% utilization when it normally hangs around 20-30%. The problem service for memory usage is System (ntoskrnl.exe).

A scan of the host turned up a virus. I tried cleaning... Windows apparently said it was cleaned (showed "0 threats" afterwards). I scanned again to be sure, and the virus popped up again. Cleaned again, same thing. So I tried the 4th and final Windows Defender scan option, which is some kind of advanced scan that will shut down the system on its own. I tried that like 3 times but it refused to launch. I let it sit for a few minutes and nothing ever happened, so I decided to boot into safe mode.

I booted into safe mode with command line and ran a full scan:

Code:
MpCmdRun.exe -Scan -ScanType 2

CMD immediately responded with "Scan Starting..."
That was about 45 minutes ago and it still says the same thing. I was anticipating some kind of real-time statistics on the scan. Does this not occur with the command I ran? My fans kicked up about 5min after running and just went down maybe 10min ago, but still there's no change. I just want to make sure it's supposed to behave this way. Also, does the "Full Scan" check every drive or just boot drive? If it checks every drive, this is going to take like a week to complete...
 
When in doubt, reformat and start over. At this point, I wouldn't even trust any USB devices plugged in recently.

Expecting software to clean it out is a gamble at best. Nah, kill it with fire.

Hopefully you had BIOS guard enabled during this period.
 
The exe may have been replaced or rewritten so it doesn't execute properly. I'd just wipe and reinstall. Scan any drives you had connected to the system from a secure environment (read-only live usb/cd, for example), preferably one made on an uncompromised pc with a clean cd/usb drive.
 
I'm trying to avoid a wipe at all costs. I have so much shit configured on this thing now that it would just be a complete nightmare to wipe.

With that said, I ended up checking the actual path of the Trojan and it turns out Defender was identifying an Android virus that I had archived in an old backup directory for a phone I got rid of years ago. Whatever virus I got initially must have been cleared the first time around, then it started picking up this other Android virus afterwards. I have no idea how this virus was never caught before, considering it's on multiple computers in my house. Must be buried deep.

Anyway, the command line scan eventually finished, so it didn't take a week lol. It said nothing was found. The indicator lights on my 5.25" HDD/SSD caddy as well as the drive head noises lead me to believe that it did in fact check all 9 of my drives. Though I still downloaded AVG and I'm individually deep scanning a couple specific directories and drives. Turns out my DVDFab also had a trojan in it 😬 I should probably just not use cracked software anymore lol.

The System is still using 8GB ram, putting my total utilization at 50%. I did revert O&O Shutup10 back to Windows defaults when this happened, so I wonder if this is just a 10-20% bump from Cortana and all the other Windows bloat that was allowed to turn back on.
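An added example, not from anyone in this thread, covering the two practical questions above: MpCmdRun prints nothing after "Scan starting..." until it finishes (its results go to MpCmdRun.log), and the way to find out what a detection actually was is to read the flagged path from Defender's own records rather than rescanning. It assumes Windows 10 in a normal boot with the Defender service running, an elevated PowerShell session, and the built-in MpCmdRun.exe and Defender cmdlets; the two function names are my own.

```powershell
# Added example for this thread, not the poster's own commands. Assumes Windows 10 with
# Microsoft Defender Antivirus, an elevated PowerShell session, and the built-in Defender
# cmdlets (Get-MpThreat, Get-MpThreatDetection). Function names are hypothetical.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$MpLog    = Join-Path $env:TEMP 'MpCmdRun.log'   # MpCmdRun writes its results here, not to the console

function Start-DefenderScanWithHeartbeat {
    param([ValidateSet(1, 2)] [int] $ScanType = 2)  # 1 = quick, 2 = full (all fixed drives)

    # Launch the scan without -Wait so the loop below can report that the engine is alive;
    # MpCmdRun itself prints only "Scan starting..." until the scan completes.
    $proc = Start-Process -FilePath $MpCmdRun -ArgumentList "-Scan -ScanType $ScanType" `
                          -NoNewWindow -PassThru
    $null = $proc.Handle          # cache the handle so ExitCode is populated after exit
    while (-not $proc.HasExited) {
        $eng = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
        if ($eng) {
            '{0:u}  engine CPU {1:N0}s  working set {2:N0} MB' -f (Get-Date), $eng.CPU, ($eng.WorkingSet64 / 1MB)
        }
        Start-Sleep -Seconds 60
    }
    # Documented MpCmdRun exit codes: 0 = no threats found, 2 = threats found and handled.
    Get-Content -Path $MpLog -Tail 15
    return $proc.ExitCode
}

function Get-DefenderDetectionPaths {
    # Map each detection to the file Defender flagged, so a hit can be traced to its
    # real location (a running process vs. an old backup archive, as in this thread).
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    Get-MpThreatDetection | ForEach-Object {
        [pscustomobject]@{
            Detected = $_.InitialDetectionTime
            Threat   = $names[$_.ThreatID]
            Process  = $_.ProcessName
            Handled  = $_.ActionSuccess
            Paths    = ($_.Resources -join '; ')
        }
    } | Sort-Object Detected -Descending
}

# Usage: run the full scan, then review what was found and where.
$code = Start-DefenderScanWithHeartbeat -ScanType 2
"MpCmdRun exit code: $code"
Get-DefenderDetectionPaths | Format-List
```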
 
Probably. As long as programs aren't hanging and crashing, high memory usage isn't a huge deal. Unless it's firefox–firefox (sqlite...) likes to hog all the ram and not give it back...
 
Really? I don't use FF as my regular browser, but it is installed. I use it occasionally. Should I just uninstall? I've been using brave, but I'm starting to get annoyed with it. It's so much like chrome and is a massive resource hog as well. Aren't there any good browsers anymore?

It seems to me like 8GB for one service is a lot, especially at idle. I have 32GB, but 4-8GB is dedicated to Win10 VM, 2GB to Kali VM (I'm just playing around with it lol), and 8GB to a RAMdisk for Plex. So I only have about 16GB for the host OS.
 
Seems to be a recurring bug on firefox. I haven't used fx on desktop in a while though, so maybe it's gone or not so bad.

Anyway, yeah, generally should be fine. Programs load their libraries and frequently accessed files into memory so they run faster, but if it hasn't been used in a while or the program is closed, it'll be moved from ram to swap so other programs can run. The foreground program has priority after the OS kernel, and then other background processes (not sure if user or os has priority in the background).
 
Well, I just turned back on Shutup10 and memory is down to 43%. Still seems a little high. I watch resources like a hawk, so I know this isn't normal for my system at idle. And the strangest part is that the System service uses the most memory at all times. Usually there's some fluctuation. The system service also keeps indicating GPU usage in quick bursts.
 
I would say it's... probably fine. Some of that could be the system UI causing the graphics card to spin up and then clock back down–you could disable compositing to maybe rule that out.

Only way to know for sure on the memory usage would be a fresh install. There are so many things that could cause that, from ms updates, app updates, services from programs you had installed (firefox and chrome both have background update services), that it's hard to say for sure.
 
Maybe open resource monitor, filter to the offending process, and see what files/processes it's interacting with?

Check the event log too.
 
If I need to reinstall, I might seriously consider switching to a completely different os or maybe a baremetal hypervisor. But it doesn't seem like I'm going to need to do that.

Resource monitor provided no more information, unless I'm missing something. I've been spending a lot of time in event viewer in the last week, and I just don't get it at all. The only use I can extract from it is by googling errors, but that rarely gets me an answer. I've had a lot of COM & DCOM errors over the last week, whatever that means. I was trying to figure out why my mouse tracking has been so bad. I actually think I figured it out yesterday when I realized that neither monitor had drivers installed. After loading the monitors' drivers, my mouse tracking started acting normal again. But this means nothing for my current problem. I see no new errors in the log outside the errors I always get.
 
You don't have to wipe what you have – assuming you have a spare disk laying around, just do a fresh install on there. Don't worry about activating windows, just install the stuff you usually would, and see if the memory usage is similar. See what it looks like before you install anything else too, just to get a baseline.
 
Can I just use my Win10 VM as a baseline?
 
Good luck... with bad luck you have a timed cryptoattack or a rootkit waiting to activate. Make sure to do a lot of internet banking and use your credit card online. Yeah, do it right!
 