What Is “Antimalware Service Executable” and Why Is It Running on My PC?

Windows 10 includes Windows Defender, Microsoft’s built-in antivirus. The “Antimalware Service Executable” process is Windows Defender’s background process. This program is also known as MsMpEng.exe, and is part of the Windows operating system.

This article is part of our ongoing series explaining various processes found in Task Manager, like Runtime Broker, svchost.exe, dwm.exe, ctfmon.exe, rundll32.exe, Adobe_Updater.exe, and many others. Don’t know what those services are? Better start reading!

What Is Antimalware Service Executable?

Windows Defender is part of Windows 10, and is the successor to the free Microsoft Security Essentials antivirus for Windows 7. This ensures that all Windows 10 users always have an antivirus program installed and running, even if they haven’t chosen to install one. If you have an out-of-date antivirus application installed, Windows 10 will deactivate it and activate Windows Defender for you.

The Antimalware Service Executable process is Windows Defender’s background service, and it always remains running in the background. It’s responsible for checking files for malware when you access them, performing background system scans to check for dangerous software, installing antivirus definition updates, and anything else a security application like Windows Defender needs to do.

While the process is named Antimalware Service Executable on the Processes tab in Task Manager, its file name is MsMpEng.exe, and you’ll see this on the Details tab.

You can configure Windows Defender, perform scans, and check its scan history from the Windows Defender Security Center application included with Windows 10.

To launch it, use the “Windows Defender Security Center” shortcut in the Start menu. You can also right-click the shield icon in the notification area on your taskbar and select “Open”, or head to Settings > Update & security > Windows Defender > Open Windows Defender Security Center.

Why Is It Using So Much CPU?

If you see the Antimalware Service Executable process using a large amount of CPU or disk resources, it’s likely scanning your computer for malware. Like other antivirus tools, Windows Defender performs regular background scans of the files on your computer.

It also scans files when you open them, and regularly installs updates with information about new malware. This CPU usage could also indicate that it’s installing an update, or that you just opened a particularly large file Windows Defender needs some extra time to analyze.

Windows Defender generally performs background scans only when your computer is idle and isn’t being used. However, it may still use CPU resources performing updates or scanning files as you open them, even while you use your computer. But the background scans shouldn’t run while you’re using your PC.

This is all normal with any antivirus program, all of which need to use some system resources to check your PC and keep you protected.

Can I Disable It?

We do not recommend disabling the Windows Defender antivirus tool if you don’t have any other antivirus software installed. In fact, you can’t disable it permanently. You can open the Windows Defender Security Center application from your Start menu, navigate to Virus & threat protection > Virus & threat protection settings and disable “Real-time protection”. However, this is just temporary, and Windows Defender will re-enable itself after a short period of time if it doesn’t detect other antivirus apps installed.

Despite some misleading advice you’ll see online, Windows Defender performs its scans as a system maintenance task you can’t disable. Disabling its tasks in the Task Scheduler won’t help. It will only permanently stop if you install another antivirus program to take its place.

If you do have another antivirus program installed (like Avira or BitDefender), Windows Defender will automatically disable itself and get out of your way. If you head to Windows Defender Security Center > Virus & threat protection, you’ll see a message saying “You’re using other antivirus providers” if you have another antivirus program installed and activated. This means that Windows Defender is disabled. The process may run in the background, but it shouldn’t use CPU or disk resources attempting to scan your system.

However, there is a way to use both your antivirus program of choice and Windows Defender. On this same screen, you can expand “Windows Defender Antivirus options” and enable “Periodic scanning”. Windows Defender will then perform regular background scans even while you’re using another antivirus program, providing a second opinion and potentially catching things your main antivirus might miss.

If you see Windows Defender using CPU even while you have other antivirus tools installed and want to stop it, head here and ensure the Periodic scanning feature is set to “Off”. If it doesn’t bother you, feel free to enable Periodic scanning—it’s another layer of protection and additional security. However, this feature is off by default.

Is It a Virus?

We haven’t seen any reports of viruses pretending to be the Antimalware Service Executable process. Windows Defender is itself an antivirus, so it should ideally stop any malware attempting to do this in its tracks. As long as you’re using Windows and have Windows Defender enabled, it’s normal for it to be running.

If you’re really concerned, you can always run a scan with another antivirus application to confirm nothing malicious is running on your PC.
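To check directly that the MsMpEng.exe you see is the real Windows Defender service, the PowerShell script below compares the running process with the service Windows itself registers and verifies the file's signature. It is an added example, not part of the original article. It assumes Windows 10, an elevated PowerShell session, the service name WinDefend, and Defender's two standard install directories.

```powershell
# Added example: confirm that any running MsMpEng.exe is the Windows Defender service.
# Assumes Windows 10 and an elevated PowerShell session.

# The service record shows which binary Windows itself launches for Defender.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'"
if (-not $svc) { throw 'WinDefend service is not registered on this machine.' }

# PathName is normally quoted and may carry arguments; keep only the .exe path.
if ($svc.PathName -match '^"([^"]+)"' -or $svc.PathName -match '^(.+?\.exe)') {
    $imagePath = $Matches[1]
} else {
    throw "Could not parse service path: $($svc.PathName)"
}

# Standard locations for the Defender engine binary.
$expectedRoots = @(
    (Join-Path $env:ProgramFiles 'Windows Defender'),
    (Join-Path $env:ProgramData  'Microsoft\Windows Defender\Platform')
)
$inExpectedDir = $false
foreach ($root in $expectedRoots) {
    if ($imagePath.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
        $inExpectedDir = $true
    }
}

# The binary must carry a valid Authenticode signature from Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $imagePath
$signedByMicrosoft = ($sig.Status -eq 'Valid') -and
    ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

# MsMpEng.exe is a protected process, so its path is often unreadable.
# Compare PIDs instead: the only legitimate instance is the service's own process.
$procs  = @(Get-CimInstance -ClassName Win32_Process -Filter "Name='MsMpEng.exe'")
$strays = @($procs | Where-Object { $_.ProcessId -ne $svc.ProcessId })

[pscustomobject]@{
    ServiceImage      = $imagePath
    InExpectedDir     = $inExpectedDir
    SignedByMicrosoft = $signedByMicrosoft
    ServiceState      = $svc.State
    ServicePid        = $svc.ProcessId
    UnexpectedPids    = $strays.ProcessId -join ', '
}
```

A clean result shows InExpectedDir and SignedByMicrosoft as True and an empty UnexpectedPids; anything else is worth a closer look with a second scanner.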

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry.