Qualified Path Wildcard?

  1. Rey Redbad's Avatar
    Posts : 10
    Windows 7 SP1 x64
       #1

    Qualified Path Wildcard?


    Microsoft Windows Version 10.0.18363.836 1909 Pro
    Administrator: Admin cmd

    C:\>"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\MpCmdRun.exe" -SignatureUpdate
    Signature update started . . .
    Signature update finished.
    C:\>"C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.exe" -SignatureUpdate
    The system cannot find the path specified.
    Apparently I wasn't paying attention in Wildcards 101 class.

    Google was not my friend. Online MS (and other) docs for the likes of schtasks and mpcmdrun.exe command-line tool aren't detailed at all for <path> and <version> minutia.

    What is a successful wildcard for this purpose? If any, I hope...

    Thank you!
      My Computers

  2. Try3's Avatar
    Posts : 4,588
    Windows 10 Home x64 Version 1909 Build 18363.900
       #2

    Rey,

    WD now adds & uses new versions of MpCmdRun.exe in new subfolders within C:\ProgramData\Microsoft\Windows Defender\Platform
    [it also keeps copies in a few other locations but this is the location it uses as you can see by checking the properties of the antimalware service executable in Task manager]

    To update definitions or run a scan, I use a batch file to identify the latest subfolder and then run the necessary command within that folder. The batch file code I use is

    Code:
    set GetLatestVersionPath="dir "C:\ProgramData\Microsoft\Windows Defender\Platform" /ad /od /b"
    FOR /F "tokens=*" %%i IN (' %GetLatestVersionPath% ') Do Set LatestVersionPath=%%i
    "C:\ProgramData\Microsoft\Windows Defender\Platform\%LatestVersionPath%\MpCmdRun.exe" -SignatureUpdate
    These are useful switches
    -Scan -1 runs Quick scan
    -Scan -2 runs Full scan
    -SignatureUpdate
    updates the malware definitions

    Denis
      My Computer

  3. Rey Redbad's Avatar
    Posts : 10
    Windows 7 SP1 x64
    Thread Starter
       #3

    Try3 said:
    WD now adds & uses new versions of MpCmdRun.exe in new subfolders
    Yep. I know that. Which is why I was inquiring about a wildcard. And I wanted to keep my post simple. Like not mentioning I even referred to MS-DOS Batch File Programming, Ronny Richardson, TAB Books, 1988.

    I have been using the previous path, C:\Program Files\Windows Defender, for the MpCmdRun every four hours in Task Scheduler. Though it's version is 4.18.1902.5 - lagging by about three months. It still works in its SignatureUpdate duty; I'm wanting to use current releases, now at 4.18.2005.5

    I'll whip up a batch file and try it Task Scheduler. Should work. Thanks!

    Anyhow, my curiosity is still getting the better of me. As with about 25 years in enterprise support and admin, I'm pretty sure I've used the esteemed and powerful asterisk in paths. Though I admit in the decade of retirement passed, I've lost a few brain cells.

    In my OP sample, what is a successful wildcard for this purpose? Anyone?
      My Computers

  4. Farvatten's Avatar
    Posts : 399
    Windows 10 Pro 64bit 2004 19041.329
       #4

    Rey Redbad said:
    In my OP sample, what is a successful wildcard for this purpose? Anyone?

    In this example even if the asterisk would work:

    C:\>"C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.exe" -SignatureUpdate

    The problem you'd face is there's often 2 or 3 version directory structures under:

    C:\ProgramData\Microsoft\Windows Defender\Platform


    Qualified Path Wildcard?-platformdirectories.jpg
      My Computers

  5. Try3's Avatar
    Posts : 4,588
    Windows 10 Home x64 Version 1909 Build 18363.900
       #5

    Rey Redbad said:
    What is a successful wildcard for this purpose? If any, I hope...
    Rey Redbad said:
    In my OP sample, what is a successful wildcard for this purpose? Anyone?
    For the purpose of what you were trying to achieve in your OP, what I posted achieves that purpose.

    Rey Redbad said:
    ..., I'm pretty sure I've used the esteemed and powerful asterisk in paths ...
    As for asking more generally about the use of asterisks in paths, might I suggest that you try to write down unambiguously what you meant by that asterisk in "C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.exe" -SignatureUpdate"
    - I think you won't be able to do so.
    - You might, however, be able to experiment with DIR "C:\ProgramData\Microsoft\Windows Defender\Platform\*" commands as a step towards a solution and that, in essence, is all I've done in my code.

    Denis
      My Computer

  6. Rey Redbad's Avatar
    Posts : 10
    Windows 7 SP1 x64
    Thread Starter
       #6

    Farvatten said:
    The problem you'd face is there's often 2 or 3 version directory structures
    Yep. That does explain it. Thanks for pointing out Teh Obvious for me!

    BTW FWIW: Much older ones eventually get removed by the Windows Defender Cleanup task, I believe. I have the two you've got while 14.18.2003.8-0 and 14.18.1911.3 are gone.

    Anyhow, I've got Try3's batch in Task Scheduler and it's A-OK:
    MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\MpCmdRun.exe" -SignatureUpdate
    Start Time: ‎Sat ‎Jun ‎06 ‎2020 16:02:02
    MpEnsureProcessMitigationPolicy: hr = 0x1
    Start: MpSignatureUpdate()
    Calling MpUpdateStartEx with option 0x1
    Update started
    Search Started (MU/WU update) (Path: https://fe2cr.update.microsoft.com/v6/)...
    Time Info - ‎Sat ‎Jun ‎06 ‎2020 16:02:15 Search Completed
    Update completed succesfully . no updates needed (hr:0x00000001)
    Finish: MpSignatureUpdate()
    MpCmdRun: End Time: ‎Sat ‎Jun ‎06 ‎2020 16:02:15
    Cheers.
      My Computers

  7. Farvatten's Avatar
    Posts : 399
    Windows 10 Pro 64bit 2004 19041.329
       #7

    Rey Redbad said:
    Yep. That does explain it. .
    I wasn't sure you were seeing more than one folder, your thinking then that a wildcard would cover a single changing version directory name. In any event sometimes an extra set of eyes helps, and this forum has some great extra eyes too, like @Try3 ;o)

    Rey Redbad said:
    BTW FWIW: Much older ones eventually get removed by the Windows Defender Cleanup task, I believe. I have the two you've got while 14.18.2003.8-0 and 14.18.1911.3 are gone.
    .
    Yes, it seems Windows likes to hold on to at least one old copy after updating, and for a day there can be 3 until it gets around to running it's clean up to remove that 3rd oldest.

    Also worth mentioning, as you too like to run custom scheduled Defender Tasks, is there's been some discussion that Windows might be identifying this as a type of 'Seeker' update behavior, and therefor offer you the latest Defender Platforms often a month or more before others. Just some idle speculation really, but the evidence fits the behavior.

    I've personally experienced this under 1909 where apparently these registry changes, identified by @tymes, take place on machines that then get the advanced versions, or by adding them you'll magically call down a version you've yet to see.

    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\MpEngine
        MpCampGradualRelease    REG_DWORD    0x1
        MpCampRing      REG_DWORD    0x3
        MpEngineRing    REG_DWORD    0x3
    I've currently clean installed 2004 and so I no longer have them in my registry, so I'm keeping an eye on when they appear. My hunch is after enough of my 2004 'seeker' tasks running perhaps. It could be the scheduled tasks or simply clicking 'Check for updates' under Settings > Update & Security > Windows Security > Virus & threat protection > Virus & thread protection updates, or some as yet unknown trigger.
    Last edited by Farvatten; 4 Weeks Ago at 22:57.
      My Computers

  8. Rey Redbad's Avatar
    Posts : 10
    Windows 7 SP1 x64
    Thread Starter
       #8

    Farvatten said:
    I wasn't sure you were seeing more than one folder, your thinking then that a wildcard would cover a single changing version directory name.
    Come to think of it, I never did drill down to that Platform folder to discover those "leftover" version folders. I just noticed the new paths in the MpSigStub.log and MpCmdRun.log files as in this snippet:
    ===================== Update =====================
    Product name: Microsoft Windows Defender (RS1+)
    Old platform directory: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2001.10-0
    New platform directory: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2003.6-0
    Farvatten said:
    as you too like to run custom scheduled Defender Tasks, is there's been some discussion that Windows might be identifying this as a type of 'Seeker' update behavior, and therefor offer you the latest Defender Platforms often a month or more before others.
    Seeker? Cool. I was once an Insider. Now I'm a Seeker. If I still needed a resume, that'd be right up on top.

    That is interesting. I'm going to look up tymes postings. I do whack check for updates in the a-v settings occasionally, too.

    Actually, the sigs update every four hours is the only scheduled Defender task I've built. I've been doing that for years, ever since Security Essentials in Windows 7 after having noticed MS updates the sigs several times a day. That is sufficient enough for me to turn off cloud delivered protection and automatic sample submission. Shocking, I know.

    Thanks for your input. And another "Thanks!" to Try3.

    - - - Updated - - -

    Well, 4.18.2005.5-0 and 4.18.2004.6-0 are both in my Platform folder and match the Update Catalog.

    What's really interesting that my firewall logs show the mpcmdrun.exe of both connecting with MS, with the 2004.5 taking in 4.7 MB so far today. 8.3 KB for 2005.5.

    This makes my head hurt.

    - - - Updated - - -

    A quick scrape found 2005.5 dlls properly registered, but MpClient.dll was still 2004.6. Drivers are 2005.5.

    And shellext.dll's home is in C:\Program Files\Windows Defender.

    Looks like those earlier folders are neither left over or legacy.

    I think I've found out all I care to find out about defender.

    I've bumped the update task to every hour in to find out if maybe I'm a... Seeker!

    Adios.
      My Computers


 

Related Threads
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 16:29.
Find Us




Windows 10 Forums