Starts a Defender threat scan. The Defender module ships with Start-MpScan, which essentially calls the method in this class.
Methods
MSFT_MpScan has 1 method:
Method | Description |
---|---|
Start | TBD |
Learn more about Invoke-CimMethod and how to invoke commands. Click any of the methods listed above to learn more about their purpose, parameters, and return value.
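The following added example (not part of the original page, and not the Defender module's own code) reads the signature of Start from the class definition, runs a quick scan through Start-MpScan, and confirms completion with Get-MpComputerStatus. It assumes an elevated session on a host where Microsoft Defender is the active antivirus; Get-MpComputerStatus and Get-MpThreatDetection come from the same Defender module.

```powershell
# Added example, not from the original page. Run elevated on a host with Microsoft Defender.
$ns = 'root/microsoft/windows/defender'

# 1. Read the signature of Start from the class definition (listed as TBD above).
$class = Get-CimClass -Namespace $ns -ClassName MSFT_MpScan
$class.CimClassMethods['Start'].Parameters |
    Select-Object -Property Name, CimType,
        @{ Name = 'Direction'
           Expression = { ($_.Qualifiers | Where-Object Name -in 'In', 'Out').Name -join ',' } }

# 2. Record the scan state before starting, so completion can be detected afterwards.
$before = Get-MpComputerStatus

# 3. Start a quick scan through the cmdlet that wraps MSFT_MpScan.Start.
try {
    Start-MpScan -ScanType QuickScan -ErrorAction Stop
}
catch {
    # Typical causes: Defender service stopped, or another antivirus product is active.
    Write-Warning "Scan did not run: $($_.Exception.Message)"
    return
}

# 4. Without -AsJob the cmdlet waits for the scan; confirm it by comparing timestamps.
$after = Get-MpComputerStatus
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    PreviousQuickScan = $before.QuickScanEndTime
    LatestQuickScan   = $after.QuickScanEndTime
    ScanCompleted     = $after.QuickScanEndTime -gt $before.QuickScanEndTime
    RealTimeEnabled   = $after.RealTimeProtectionEnabled
}

# 5. List detections recorded since the scan started (empty output means none).
Get-MpThreatDetection |
    Where-Object InitialDetectionTime -ge $after.QuickScanStartTime |
    Select-Object -Property ThreatID, InitialDetectionTime, Resources, ActionSuccess
```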
Properties
MSFT_MpScan returns no properties.
Examples
List all instances of MSFT_MpScan
Get-CimInstance -ClassName MSFT_MpScan -Namespace root/microsoft/windows/defender
Learn more about Get-CimInstance and the deprecated Get-WmiObject.
View all properties
Get-CimInstance -ClassName MSFT_MpScan -Namespace root/microsoft/windows/defender -Property *
View key properties only
Get-CimInstance -ClassName MSFT_MpScan -Namespace root/microsoft/windows/defender -KeyOnly
Selecting Properties
To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.
Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object if you want to limit the visible properties, e.g. for reporting.
Selecting Properties
The code below lists all available properties. Remove the ones you do not need:
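# MSFT_MpScan returns no properties, so there are no names to list; the wildcard keeps the command valid:
$properties = '*'
Get-CimInstance -ClassName MSFT_MpScan -Namespace root/microsoft/windows/defender | Select-Object -Property $properties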
Limiting Network Bandwidth
If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:
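# names of the properties to retrieve ('*' = all; MSFT_MpScan defines none of its own):
$property = '*'
Get-CimInstance -Class MSFT_MpScan -Namespace root/microsoft/windows/defender -Property $property |
Select-Object -Property $property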
Selecting Instances
To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).
The parameter -Filter runs a simple query.
Listing all instances where the property Caption starts with “A”
Get-CimInstance -Class MSFT_MpScan -Namespace root/microsoft/windows/defender -Filter 'Caption LIKE "a%"'
Using a WQL Query
The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property Caption starts with “A”, and returns the properties specified:
Get-CimInstance -Query "SELECT * FROM MSFT_MpScan WHERE Caption LIKE 'a%'" -Namespace root/microsoft/windows/defender
Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:
Get-CimInstance -Query "SELECT * FROM MSFT_MpScan WHERE Caption LIKE 'a%'" -Namespace root/microsoft/windows/defender | Select-Object -Property *
Accessing Remote Computers
To access remote systems, you need to have proper permissions. Use the parameter -ComputerName to access one or more remote systems.
Authenticating as Current User
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with your current identity:
$result = Get-CimInstance -ClassName MSFT_MpScan -Namespace root/microsoft/windows/defender -ComputerName $list
$result
Authenticating as Different User
Use a CIMSession object to authenticate with a new identity:
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred
$result = Get-CimInstance MSFT_MpScan -Namespace root/microsoft/windows/defender -CimSession $session
# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session
$result
Learn more about accessing remote computers.
Requirements
To use MSFT_MpScan, the following requirements apply:
PowerShell
Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.
If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.
Operating System
MSFT_MpScan was introduced on clients with Windows 8.1 [desktop apps only] and on servers with Windows Server 2012 R2 [desktop apps only].
Namespace
MSFT_MpScan lives in the Namespace Root/Microsoft/Windows/Defender. This is not the default namespace. Use the parameter -Namespace root/microsoft/windows/defender with all CIM cmdlets.
Implementation
MSFT_MpScan is implemented in ProtectionManagement.dll and defined in ProtectionManagement.mof. Both files are located in the folder C:\Windows\system32\wbem:
explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\ProtectionManagement.mof