Windows 10 includes Windows Defender, which protects your PC against viruses and other threats. The "Microsoft Network Realtime Inspection Service" process, also known as NisSrv.exe, is part of Microsoft's antivirus software.

This process is also present on Windows 7 if you've installed the Microsoft Security Essentials antivirus software. It's part of other Microsoft anti-malware products, as well.

This article is part of our ongoing series explaining various processes found in Task Manager, like Runtime Broker, svchost.exe, dwm.exe, ctfmon.exe, rundll32.exe, Adobe_Updater.exe, and many others. Don't know what those services are? Better start reading!

Windows Defender Basics

On Windows 10, Microsoft's Windows Defender antivirus is installed by default. Windows Defender automatically runs in the background, scanning files for malware before you open them and protecting your PC against other types of attacks.

The main Windows Defender process is named "Antimalware Service Executable," and has the file name MsMpEng.exe. This process checks files for malware when you open them and scans your PC in the background.

On Windows 10, you can interact with Windows Defender by launching the "Windows Defender Security Center" application from your Start menu. You can also find it by heading to Settings > Update & Security > Windows Security > Open Windows Defender Security Center. On Windows 7, launch the "Microsoft Security Essentials" application instead. This interface lets you scan for malware manually, and configure the antivirus software.

Related: What's the Best Antivirus for Windows 10 and 11? (Is Microsoft Defender Good Enough?)

What Does NisSrv.exe Do?

The NisSrv.exe process is also known as the "Windows Defender Antivirus Network Inspection Service." According to Microsoft's description of the service, it "helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols."

In other words, this service always runs in the background in your PC, monitoring and inspecting network traffic in real time. It's looking for suspicious behavior that suggests an attacker is attempting to exploit a security hole in a network protocol to attack your PC. If such an attack is detected, Windows Defender immediately shuts it down.

Updates for the network inspection service that contain information about new threats arrive through definition updates for Windows Defender---or Microsoft Security Essentials, if you're using a Windows 7 PC.

This feature was originally added to Microsoft's antivirus programs back in 2012. A Microsoft blog post explains it in a bit more detail, saying that this "is our zero-day vulnerability shielding feature that can block network traffic matching known exploits against unpatched vulnerabilities." So, when a new security hole is found in either Windows or an application, Microsoft can immediately release a network inspection service update that temporarily protects it. Microsoft---or the application vendor---can then work on a security update that permanently patches the security hole, which may take a while.

Is It Spying on Me?

The name "Microsoft Network Realtime Inspection Service" may sound a little creepy at first, but it's really just a process that's watching your network traffic for evidence of any known attacks. If an attack is detected, it gets shut down. This works just like standard antivirus file scanning, which watches the files you open and checks if they're dangerous. If you try opening a dangerous file, the antimalware service stops you.

This particular service is not reporting information about your web browsing and other normal network activity to Microsoft. However, with the default "Full" system-wide telemetry setting, information about web addresses you visit in Microsoft Edge and Internet Explorer may be sent to Microsoft.

Windows Defender is configured to report any attacks it detects to Microsoft. You can disable this, if you like. To do so, open the Windows Defender Security Center application, click "Virus & Threat Protection" in the sidebar, and then click the " Virus & Threat Protection Settings" setting. Disable the "Cloud-delivered protection" and "Automatic sample submission" options.

We don't recommend you disable this feature, as information about attacks sent to Microsoft can help protect others. The Cloud-delivered protection feature can help your PC receive new definitions much more quickly, too, which can help protect you against zero-day attacks.

Can I Disable It?

This service is a crucial part of Microsoft's antimalware software, and you can't easily disable it on Windows 10. You can temporarily disable real-time protection in the Windows Defender Security Center, but it will re-enable itself.

However, if you install another antivirus program, Windows Defender will automatically disable itself. This will disable the Microsoft Network Realtime Inspection Service, too. That other antivirus app probably has its own network protection component.

In other words: You can't disable this feature, and you shouldn't. It helps protect your PC. If you install another antivirus tool, it will be disabled, but only because that other antivirus tool is doing the same job and Windows Defender doesn't want to get in its way.

Is It a Virus?

This software is not a virus. It's part of the Windows 10 operating system, and it's installed on Windows 7 if you have Microsoft Security Essentials on your system. It may also be installed as part of other Microsoft anti-malware tools, such as Microsoft System Center Endpoint Protection.

Viruses and other malware do often attempt to disguise themselves as legitimate processes, but we haven't seen any reports of malware impersonating the NisSrv.exe process. Here's how to check the files are legitimate if you're concerned anyway.

On Windows 10, right-click the "Microsoft Network Realtime Inspection Service" process in the Task Manager and select "Open File Location."

On the latest versions of Windows 10, you should see the process in a folder like C:\ProgramData\Microsoft\Windows Defender\Platform\4.16.17656.18052-0, although the number of the folder will likely be different.

On Windows 7, the NisSrv.exe file will appear under C:\Program Files\Microsoft Security Client.

If the NisSrv.exe file is in a different location---or if you're just suspicious and want to give your PC a double-check---we recommend scanning your PC with your antivirus program of choice.