MSFT_MpThreat

Represents the Microsoft Antimalware service infection status. Module Defender ships with Get-MpThreat and Remove-MpThreat which essentially manage the same information.

Represents the Microsoft Antimalware service infection status. Module Defender ships with Get-MpThreat and Remove-MpThreat which essentially manage the same information.

Methods

MSFT_MpThreat has 1 methods:
Method Description
Remove TBD

Learn more about Invoke-CimMethod and how to invoke commands. Click any of the methods listed above to learn more about their purpose, parameters, and return value.

Properties

MSFT_MpThreat returns 10 properties:

'CategoryID','DidThreatExecute','IsActive','Resources','RollupStatus','SchemaVersion',
'SeverityID','ThreatID','ThreatName','TypeID'

Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:

Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender -Property *

Most WMI classes return one or more instances.

When Get-CimInstance returns no result, then apparently no instances of class MSFT_MpThreat exist. This is normal behavior.

Either the class is not implemented on your system (may be deprecated or due to missing drivers, i.e. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (i.e. Win32_TapeDrive).

CategoryID

UINT8

Category ID - Enumeration

CategoryID returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$CategoryID_map = @{
      0 = 'INVALID'
      1 = 'ADWARE'
      2 = 'SPYWARE'
      3 = 'PASSWORDSTEALER'
      4 = 'TROJANDOWNLOADER'
      5 = 'WORM'
      6 = 'BACKDOOR'
      7 = 'REMOTEACCESSTROJAN'
      8 = 'TROJAN'
      9 = 'EMAILFLOODER'
     10 = 'KEYLOGGER'
     11 = 'DIALER'
     12 = 'MONITORINGSOFTWARE'
     13 = 'BROWSERMODIFIER'
     14 = 'COOKIE'
     15 = 'BROWSERPLUGIN'
     16 = 'AOLEXPLOIT'
     17 = 'NUKER'
     18 = 'SECURITYDISABLER'
     19 = 'JOKEPROGRAM'
     20 = 'HOSTILEACTIVEXCONTROL'
     21 = 'SOFTWAREBUNDLER'
     22 = 'STEALTHNOTIFIER'
     23 = 'SETTINGSMODIFIER'
     24 = 'TOOLBAR'
     25 = 'REMOTECONTROLSOFTWARE'
     26 = 'TROJANFTP'
     27 = 'POTENTIALUNWANTEDSOFTWARE'
     28 = 'ICQEXPLOIT'
     29 = 'TROJANTELNET'
     30 = 'FILESHARINGPROGRAM'
     31 = 'MALWARE_CREATION_TOOL'
     32 = 'REMOTE_CONTROL_SOFTWARE'
     33 = 'TOOL'
     34 = 'TROJAN_DENIALOFSERVICE'
     36 = 'TROJAN_DROPPER'
     37 = 'TROJAN_MASSMAILER'
     38 = 'TROJAN_MONITORINGSOFTWARE'
     39 = 'TROJAN_PROXYSERVER'
     40 = 'VIRUS'
     42 = 'KNOWN'
     43 = 'UNKNOWN'
     44 = 'SPP'
     45 = 'BEHAVIOR'
     46 = 'VULNERABILTIY'
     47 = 'POLICY'
}
Use a switch statement
switch([int]$value)
{
  0          {'INVALID'}
  1          {'ADWARE'}
  2          {'SPYWARE'}
  3          {'PASSWORDSTEALER'}
  4          {'TROJANDOWNLOADER'}
  5          {'WORM'}
  6          {'BACKDOOR'}
  7          {'REMOTEACCESSTROJAN'}
  8          {'TROJAN'}
  9          {'EMAILFLOODER'}
  10         {'KEYLOGGER'}
  11         {'DIALER'}
  12         {'MONITORINGSOFTWARE'}
  13         {'BROWSERMODIFIER'}
  14         {'COOKIE'}
  15         {'BROWSERPLUGIN'}
  16         {'AOLEXPLOIT'}
  17         {'NUKER'}
  18         {'SECURITYDISABLER'}
  19         {'JOKEPROGRAM'}
  20         {'HOSTILEACTIVEXCONTROL'}
  21         {'SOFTWAREBUNDLER'}
  22         {'STEALTHNOTIFIER'}
  23         {'SETTINGSMODIFIER'}
  24         {'TOOLBAR'}
  25         {'REMOTECONTROLSOFTWARE'}
  26         {'TROJANFTP'}
  27         {'POTENTIALUNWANTEDSOFTWARE'}
  28         {'ICQEXPLOIT'}
  29         {'TROJANTELNET'}
  30         {'FILESHARINGPROGRAM'}
  31         {'MALWARE_CREATION_TOOL'}
  32         {'REMOTE_CONTROL_SOFTWARE'}
  33         {'TOOL'}
  34         {'TROJAN_DENIALOFSERVICE'}
  36         {'TROJAN_DROPPER'}
  37         {'TROJAN_MASSMAILER'}
  38         {'TROJAN_MONITORINGSOFTWARE'}
  39         {'TROJAN_PROXYSERVER'}
  40         {'VIRUS'}
  42         {'KNOWN'}
  43         {'UNKNOWN'}
  44         {'SPP'}
  45         {'BEHAVIOR'}
  46         {'VULNERABILTIY'}
  47         {'POLICY'}
  default    {"$value"}
}
Use Enum structure
Enum EnumCategoryID
{
  INVALID                     = 0
  ADWARE                      = 1
  SPYWARE                     = 2
  PASSWORDSTEALER             = 3
  TROJANDOWNLOADER            = 4
  WORM                        = 5
  BACKDOOR                    = 6
  REMOTEACCESSTROJAN          = 7
  TROJAN                      = 8
  EMAILFLOODER                = 9
  KEYLOGGER                   = 10
  DIALER                      = 11
  MONITORINGSOFTWARE          = 12
  BROWSERMODIFIER             = 13
  COOKIE                      = 14
  BROWSERPLUGIN               = 15
  AOLEXPLOIT                  = 16
  NUKER                       = 17
  SECURITYDISABLER            = 18
  JOKEPROGRAM                 = 19
  HOSTILEACTIVEXCONTROL       = 20
  SOFTWAREBUNDLER             = 21
  STEALTHNOTIFIER             = 22
  SETTINGSMODIFIER            = 23
  TOOLBAR                     = 24
  REMOTECONTROLSOFTWARE       = 25
  TROJANFTP                   = 26
  POTENTIALUNWANTEDSOFTWARE   = 27
  ICQEXPLOIT                  = 28
  TROJANTELNET                = 29
  FILESHARINGPROGRAM          = 30
  MALWARE_CREATION_TOOL       = 31
  REMOTE_CONTROL_SOFTWARE     = 32
  TOOL                        = 33
  TROJAN_DENIALOFSERVICE      = 34
  TROJAN_DROPPER              = 36
  TROJAN_MASSMAILER           = 37
  TROJAN_MONITORINGSOFTWARE   = 38
  TROJAN_PROXYSERVER          = 39
  VIRUS                       = 40
  KNOWN                       = 42
  UNKNOWN                     = 43
  SPP                         = 44
  BEHAVIOR                    = 45
  VULNERABILTIY               = 46
  POLICY                      = 47
}

Examples

Use $CategoryID_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "CategoryID" to friendly text

  Note: to use other properties than "CategoryID", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "CategoryID" 
# to translate other properties, use their translation table instead
$CategoryID_map = @{
      0 = 'INVALID'
      1 = 'ADWARE'
      2 = 'SPYWARE'
      3 = 'PASSWORDSTEALER'
      4 = 'TROJANDOWNLOADER'
      5 = 'WORM'
      6 = 'BACKDOOR'
      7 = 'REMOTEACCESSTROJAN'
      8 = 'TROJAN'
      9 = 'EMAILFLOODER'
     10 = 'KEYLOGGER'
     11 = 'DIALER'
     12 = 'MONITORINGSOFTWARE'
     13 = 'BROWSERMODIFIER'
     14 = 'COOKIE'
     15 = 'BROWSERPLUGIN'
     16 = 'AOLEXPLOIT'
     17 = 'NUKER'
     18 = 'SECURITYDISABLER'
     19 = 'JOKEPROGRAM'
     20 = 'HOSTILEACTIVEXCONTROL'
     21 = 'SOFTWAREBUNDLER'
     22 = 'STEALTHNOTIFIER'
     23 = 'SETTINGSMODIFIER'
     24 = 'TOOLBAR'
     25 = 'REMOTECONTROLSOFTWARE'
     26 = 'TROJANFTP'
     27 = 'POTENTIALUNWANTEDSOFTWARE'
     28 = 'ICQEXPLOIT'
     29 = 'TROJANTELNET'
     30 = 'FILESHARINGPROGRAM'
     31 = 'MALWARE_CREATION_TOOL'
     32 = 'REMOTE_CONTROL_SOFTWARE'
     33 = 'TOOL'
     34 = 'TROJAN_DENIALOFSERVICE'
     36 = 'TROJAN_DROPPER'
     37 = 'TROJAN_MASSMAILER'
     38 = 'TROJAN_MONITORINGSOFTWARE'
     39 = 'TROJAN_PROXYSERVER'
     40 = 'VIRUS'
     42 = 'KNOWN'
     43 = 'UNKNOWN'
     44 = 'SPP'
     45 = 'BEHAVIOR'
     46 = 'VULNERABILTIY'
     47 = 'POLICY'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "CategoryID", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$CategoryID = @{
  Name = 'CategoryID'
  Expression = {
    # property is an array, so process all values
    $value = $_.CategoryID
    $CategoryID_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "CategoryID". The latter
# is defined by the hashtable in $CategoryID: 
Get-CimInstance -Class MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $CategoryID

# ...or dump content of property CategoryID:
$friendlyValues = Get-CimInstance -Class MSFT_MpThreat | 
    Select-Object -Property $CategoryID |
    Select-Object -ExpandProperty CategoryID

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $CategoryID_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpThreat" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpThreat", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpThreat" 
# to translate other properties, use their translation table instead
$CategoryID_map = @{
      0 = 'INVALID'
      1 = 'ADWARE'
      2 = 'SPYWARE'
      3 = 'PASSWORDSTEALER'
      4 = 'TROJANDOWNLOADER'
      5 = 'WORM'
      6 = 'BACKDOOR'
      7 = 'REMOTEACCESSTROJAN'
      8 = 'TROJAN'
      9 = 'EMAILFLOODER'
     10 = 'KEYLOGGER'
     11 = 'DIALER'
     12 = 'MONITORINGSOFTWARE'
     13 = 'BROWSERMODIFIER'
     14 = 'COOKIE'
     15 = 'BROWSERPLUGIN'
     16 = 'AOLEXPLOIT'
     17 = 'NUKER'
     18 = 'SECURITYDISABLER'
     19 = 'JOKEPROGRAM'
     20 = 'HOSTILEACTIVEXCONTROL'
     21 = 'SOFTWAREBUNDLER'
     22 = 'STEALTHNOTIFIER'
     23 = 'SETTINGSMODIFIER'
     24 = 'TOOLBAR'
     25 = 'REMOTECONTROLSOFTWARE'
     26 = 'TROJANFTP'
     27 = 'POTENTIALUNWANTEDSOFTWARE'
     28 = 'ICQEXPLOIT'
     29 = 'TROJANTELNET'
     30 = 'FILESHARINGPROGRAM'
     31 = 'MALWARE_CREATION_TOOL'
     32 = 'REMOTE_CONTROL_SOFTWARE'
     33 = 'TOOL'
     34 = 'TROJAN_DENIALOFSERVICE'
     36 = 'TROJAN_DROPPER'
     37 = 'TROJAN_MASSMAILER'
     38 = 'TROJAN_MONITORINGSOFTWARE'
     39 = 'TROJAN_PROXYSERVER'
     40 = 'VIRUS'
     42 = 'KNOWN'
     43 = 'UNKNOWN'
     44 = 'SPP'
     45 = 'BEHAVIOR'
     46 = 'VULNERABILTIY'
     47 = 'POLICY'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.CategoryID  

# translate raw value to friendly text:
$friendlyName = $CategoryID_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "CategoryID" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "CategoryID", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "CategoryID", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$CategoryID = @{
  Name = 'CategoryID'
  Expression = {
    # property is an array, so process all values
    $value = $_.CategoryID
    
    switch([int]$value)
      {
        0          {'INVALID'}
        1          {'ADWARE'}
        2          {'SPYWARE'}
        3          {'PASSWORDSTEALER'}
        4          {'TROJANDOWNLOADER'}
        5          {'WORM'}
        6          {'BACKDOOR'}
        7          {'REMOTEACCESSTROJAN'}
        8          {'TROJAN'}
        9          {'EMAILFLOODER'}
        10         {'KEYLOGGER'}
        11         {'DIALER'}
        12         {'MONITORINGSOFTWARE'}
        13         {'BROWSERMODIFIER'}
        14         {'COOKIE'}
        15         {'BROWSERPLUGIN'}
        16         {'AOLEXPLOIT'}
        17         {'NUKER'}
        18         {'SECURITYDISABLER'}
        19         {'JOKEPROGRAM'}
        20         {'HOSTILEACTIVEXCONTROL'}
        21         {'SOFTWAREBUNDLER'}
        22         {'STEALTHNOTIFIER'}
        23         {'SETTINGSMODIFIER'}
        24         {'TOOLBAR'}
        25         {'REMOTECONTROLSOFTWARE'}
        26         {'TROJANFTP'}
        27         {'POTENTIALUNWANTEDSOFTWARE'}
        28         {'ICQEXPLOIT'}
        29         {'TROJANTELNET'}
        30         {'FILESHARINGPROGRAM'}
        31         {'MALWARE_CREATION_TOOL'}
        32         {'REMOTE_CONTROL_SOFTWARE'}
        33         {'TOOL'}
        34         {'TROJAN_DENIALOFSERVICE'}
        36         {'TROJAN_DROPPER'}
        37         {'TROJAN_MASSMAILER'}
        38         {'TROJAN_MONITORINGSOFTWARE'}
        39         {'TROJAN_PROXYSERVER'}
        40         {'VIRUS'}
        42         {'KNOWN'}
        43         {'UNKNOWN'}
        44         {'SPP'}
        45         {'BEHAVIOR'}
        46         {'VULNERABILTIY'}
        47         {'POLICY'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "CategoryID". The latter is defined
  # by the hashtable in $CategoryID:
  Select-Object -Property Caption, $CategoryID
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpThreat", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumCategoryID
{
  INVALID                     = 0
  ADWARE                      = 1
  SPYWARE                     = 2
  PASSWORDSTEALER             = 3
  TROJANDOWNLOADER            = 4
  WORM                        = 5
  BACKDOOR                    = 6
  REMOTEACCESSTROJAN          = 7
  TROJAN                      = 8
  EMAILFLOODER                = 9
  KEYLOGGER                   = 10
  DIALER                      = 11
  MONITORINGSOFTWARE          = 12
  BROWSERMODIFIER             = 13
  COOKIE                      = 14
  BROWSERPLUGIN               = 15
  AOLEXPLOIT                  = 16
  NUKER                       = 17
  SECURITYDISABLER            = 18
  JOKEPROGRAM                 = 19
  HOSTILEACTIVEXCONTROL       = 20
  SOFTWAREBUNDLER             = 21
  STEALTHNOTIFIER             = 22
  SETTINGSMODIFIER            = 23
  TOOLBAR                     = 24
  REMOTECONTROLSOFTWARE       = 25
  TROJANFTP                   = 26
  POTENTIALUNWANTEDSOFTWARE   = 27
  ICQEXPLOIT                  = 28
  TROJANTELNET                = 29
  FILESHARINGPROGRAM          = 30
  MALWARE_CREATION_TOOL       = 31
  REMOTE_CONTROL_SOFTWARE     = 32
  TOOL                        = 33
  TROJAN_DENIALOFSERVICE      = 34
  TROJAN_DROPPER              = 36
  TROJAN_MASSMAILER           = 37
  TROJAN_MONITORINGSOFTWARE   = 38
  TROJAN_PROXYSERVER          = 39
  VIRUS                       = 40
  KNOWN                       = 42
  UNKNOWN                     = 43
  SPP                         = 44
  BEHAVIOR                    = 45
  VULNERABILTIY               = 46
  POLICY                      = 47
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.CategoryID

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **CategoryID** 
[EnumCategoryID]$rawValue 

# get a comma-separated string:
[EnumCategoryID]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumCategoryID]
#endregion

Enums must cover all possible values. If CategoryID returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

DidThreatExecute

BOOLEAN

Specifies if threat has executed

Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -Property ThreatID, DidThreatExecute

IsActive

BOOLEAN

Specifies if the threat is active

Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -Property ThreatID, IsActive

Resources

STRING ARRAY

List of resources affected by the threat

Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -Property ThreatID, Resources

RollupStatus

UINT32

Threat Rollup Status

Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -Property ThreatID, RollupStatus

SchemaVersion

STRING

The Schema Version

Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -Property ThreatID, SchemaVersion

SeverityID

UINT8

Severity ID - Enumeration

SeverityID returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$SeverityID_map = @{
      0 = 'Unknown'
      1 = 'Low'
      2 = 'Moderate'
      3 = 'High'
      4 = 'Severe'
}
Use a switch statement
switch([int]$value)
{
  0          {'Unknown'}
  1          {'Low'}
  2          {'Moderate'}
  3          {'High'}
  4          {'Severe'}
  default    {"$value"}
}
Use Enum structure
Enum EnumSeverityID
{
  Unknown    = 0
  Low        = 1
  Moderate   = 2
  High       = 3
  Severe     = 4
}

Examples

Use $SeverityID_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "SeverityID" to friendly text

  Note: to use other properties than "SeverityID", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "SeverityID" 
# to translate other properties, use their translation table instead
$SeverityID_map = @{
      0 = 'Unknown'
      1 = 'Low'
      2 = 'Moderate'
      3 = 'High'
      4 = 'Severe'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "SeverityID", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$SeverityID = @{
  Name = 'SeverityID'
  Expression = {
    # property is an array, so process all values
    $value = $_.SeverityID
    $SeverityID_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "SeverityID". The latter
# is defined by the hashtable in $SeverityID: 
Get-CimInstance -Class MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $SeverityID

# ...or dump content of property SeverityID:
$friendlyValues = Get-CimInstance -Class MSFT_MpThreat | 
    Select-Object -Property $SeverityID |
    Select-Object -ExpandProperty SeverityID

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $SeverityID_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpThreat" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpThreat", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpThreat" 
# to translate other properties, use their translation table instead
$SeverityID_map = @{
      0 = 'Unknown'
      1 = 'Low'
      2 = 'Moderate'
      3 = 'High'
      4 = 'Severe'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.SeverityID  

# translate raw value to friendly text:
$friendlyName = $SeverityID_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "SeverityID" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "SeverityID", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "SeverityID", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$SeverityID = @{
  Name = 'SeverityID'
  Expression = {
    # property is an array, so process all values
    $value = $_.SeverityID
    
    switch([int]$value)
      {
        0          {'Unknown'}
        1          {'Low'}
        2          {'Moderate'}
        3          {'High'}
        4          {'Severe'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "SeverityID". The latter is defined
  # by the hashtable in $SeverityID:
  Select-Object -Property Caption, $SeverityID
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpThreat", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumSeverityID
{
  Unknown    = 0
  Low        = 1
  Moderate   = 2
  High       = 3
  Severe     = 4
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.SeverityID

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **SeverityID** 
[EnumSeverityID]$rawValue 

# get a comma-separated string:
[EnumSeverityID]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumSeverityID]
#endregion

Enums must cover all possible values. If SeverityID returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

ThreatID

KEY PROPERTY SINT64

Unique Detection ID

Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -Property ThreatID

ThreatName

STRING

The name of the threat

Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -Property ThreatID, ThreatName

TypeID

UINT8

Type ID - Enumeration

TypeID returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$TypeID_map = @{
      0 = 'Known Bad'
      1 = 'Behavior'
      2 = 'Unknown'
      3 = 'Known Good'
      4 = 'NRI'
}
Use a switch statement
switch([int]$value)
{
  0          {'Known Bad'}
  1          {'Behavior'}
  2          {'Unknown'}
  3          {'Known Good'}
  4          {'NRI'}
  default    {"$value"}
}
Use Enum structure
Enum EnumTypeID
{
  Known_Bad    = 0
  Behavior     = 1
  Unknown      = 2
  Known_Good   = 3
  NRI          = 4
}

Examples

Use $TypeID_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "TypeID" to friendly text

  Note: to use other properties than "TypeID", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "TypeID" 
# to translate other properties, use their translation table instead
$TypeID_map = @{
      0 = 'Known Bad'
      1 = 'Behavior'
      2 = 'Unknown'
      3 = 'Known Good'
      4 = 'NRI'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "TypeID", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$TypeID = @{
  Name = 'TypeID'
  Expression = {
    # property is an array, so process all values
    $value = $_.TypeID
    $TypeID_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "TypeID". The latter
# is defined by the hashtable in $TypeID: 
Get-CimInstance -Class MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $TypeID

# ...or dump content of property TypeID:
$friendlyValues = Get-CimInstance -Class MSFT_MpThreat | 
    Select-Object -Property $TypeID |
    Select-Object -ExpandProperty TypeID

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $TypeID_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpThreat" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpThreat", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpThreat" 
# to translate other properties, use their translation table instead
$TypeID_map = @{
      0 = 'Known Bad'
      1 = 'Behavior'
      2 = 'Unknown'
      3 = 'Known Good'
      4 = 'NRI'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.TypeID  

# translate raw value to friendly text:
$friendlyName = $TypeID_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "TypeID" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "TypeID", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "TypeID", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$TypeID = @{
  Name = 'TypeID'
  Expression = {
    # property is an array, so process all values
    $value = $_.TypeID
    
    switch([int]$value)
      {
        0          {'Known Bad'}
        1          {'Behavior'}
        2          {'Unknown'}
        3          {'Known Good'}
        4          {'NRI'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "TypeID". The latter is defined
  # by the hashtable in $TypeID:
  Select-Object -Property Caption, $TypeID
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpThreat", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumTypeID
{
  Known_Bad    = 0
  Behavior     = 1
  Unknown      = 2
  Known_Good   = 3
  NRI          = 4
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.TypeID

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **TypeID** 
[EnumTypeID]$rawValue 

# get a comma-separated string:
[EnumTypeID]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumTypeID]
#endregion

Enums must cover all possible values. If TypeID returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

Examples

List all instances of MSFT_MpThreat
Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender

Learn more about Get-CimInstance and the deprecated Get-WmiObject.

View all properties
Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender -Property *
View key properties only
Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender -KeyOnly

Selecting Properties

To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.

Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object if you want to limit the visible properties, i.e. for reporting.

Selecting Properties

The code below lists all available properties. Remove the ones you do not need:

$properties = 'CategoryID',
              'DidThreatExecute',
              'IsActive',
              'Resources',
              'RollupStatus',
              'SchemaVersion',
              'SeverityID',
              'ThreatID',
              'ThreatName',
              'TypeID'
Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender | Select-Object -Property $properties
Limiting Network Bandwidth

If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:

Get-CimInstance -Class MSFT_MpThreat -Namespace root/microsoft/windows/defender -Property $property | 
Select-Object -Property $property

Selecting Instances

To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).

The parameter -Filter runs a simple query.

Listing all instances where the property Caption starts with “A”
Get-CimInstance -Class MSFT_MpThreat -Namespace root/microsoft/windows/defender -Filter 'Caption LIKE "a%"' 
Using a WQL Query

The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property Caption starts with “A”, and returns the properties specified:

Get-CimInstance -Query "SELECT Resources, ThreatName, CategoryID, IsActive FROM MSFT_MpThreat WHERE Caption LIKE 'a%'" -Namespace root/microsoft/windows/defender

Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:

Get-CimInstance -Query "SELECT Resources, ThreatName, CategoryID, IsActive FROM MSFT_MpThreat WHERE Caption LIKE 'a%'" -Namespace root/microsoft/windows/defender | Select-Object -Property Resources, ThreatName, CategoryID, IsActive

Accessing Remote Computers

To access remote systems, you need to have proper permissions. User the parameter -ComputerName to access one or more remote systems.

Authenticating as Current User
# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with your current identity:
$result = Get-CimInstance -ClassName MSFT_MpThreat -Namespace root/microsoft/windows/defender -ComputerName $list 
$result
Authenticating as Different User

Use a CIMSession object to authenticate with a new identity:

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred

$result = Get-CimInstance MSFT_MpThreat -Namespace root/microsoft/windows/defender -CimSession $session

# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session

$result

Learn more about accessing remote computers.

Requirements

To use MSFT_MpThreat, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

MSFT_MpThreat was introduced on clients with Windows 8.1 [desktop apps only] and on servers with Windows Server 2012 R2 [desktop apps only].

Namespace

MSFT_MpThreat lives in the Namespace Root/Microsoft/Windows/Defender. This is not the default namespace. Use parameter -Namespace root/microsoft/windows/defender with all CIM cmdlets..

Implementation

MSFT_MpThreat is implemented in ProtectionManagement.dll and defined in ProtectionManagement.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\ProtectionManagement.mof