title: Collect diagnostic data of Microsoft Defender Antivirus
description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus.
ms.service: defender-endpoint
ms.localizationpriority: medium
author: chrisda
ms.author: chrisda
ms.custom: nextgen
ms.date: 06/10/2025
ms.reviewer: pahuijbr, yongrhee
manager: bagol
ms.subservice: ngp
ms.topic: how-to
ms.collection:
- m365-security
- tier2
- mde-ngp
search.appverid: met150
appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
- Microsoft Defender for Individuals
This article describes how to collect diagnostic data that's used by Microsoft support and engineering teams when they help troubleshoot issues with Microsoft Defender Antivirus.
Note
As part of the investigation or response process, you can collect an investigation package from a device. Here's how: Collect investigation package from devices.
For performance-specific issues related to Microsoft Defender Antivirus, see: Performance analyzer for Microsoft Defender Antivirus.
On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:
- Open Command Prompt as an administrator by following these steps:

  a. Open the Start menu.

  b. Type cmd. Right-click on Command Prompt and then select Run as administrator.

  c. Specify administrator credentials or approve the prompt.

- Navigate to the directory for Microsoft Defender Antivirus:

  ```console
  cd C:\ProgramData\Microsoft\Windows Defender\Platform\<version>
  ```

  Where `<version>` is the actual version that starts with `4.18.2xxxx.x`.

  > [!NOTE]
  > `C:\ProgramData` is a hidden folder. If you don't have a folder that starts with `4.18.2xxxx.x` in `C:\ProgramData\Microsoft\Windows Defender\Platform\`, then you will need to go to `C:\Program Files\Windows Defender\`.

- Type the following command, and then press Enter:

  ```console
  mpcmdrun.exe -GetFiles
  ```

- A `.cab` file is generated that contains various diagnostic logs. The location of the file is specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`.

  > [!NOTE]
  > To redirect the cab file to a different path or UNC share, use the following command:
  >
  > ```console
  > mpcmdrun.exe -GetFiles -SupportLogLocation <path>
  > ```
  >
  > For more information, see Redirect diagnostic data to a UNC share.

- Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter.
```console
mpcmdrun.exe -GetFiles -SupportLogLocation <path>
```

This command copies the diagnostic data to the specified path. If the path isn't specified, the diagnostic data is copied to the location specified in the Support Log Location Configuration.

When the SupportLogLocation parameter is used, a folder structure like the following is created in the destination path:

```console
<path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
```
| Field | Description |
|---|---|
| path | The path as specified on the command line or retrieved from configuration |
| MMDD | Month and day when the diagnostic data was collected (for example, 0530) |
| hostname | The hostname of the device on which the diagnostic data was collected |
| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422) |
Note
When using a file share, make sure that the account used to collect the diagnostic package has write access to the share.
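
A scripted version of the collection steps above, as an added PowerShell example that is not part of the original article: it finds MpCmdRun.exe in the newest Platform folder (falling back to Program Files), runs the documented `-GetFiles -SupportLogLocation` command, and checks that the .cab landed in the documented folder layout. The share name `\\fileserver.example\DefenderDiag`, the use of `$env:COMPUTERNAME` as `<hostname>`, and treating a non-zero exit code as a failure are assumptions.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
param(
    # Assumption: placeholder destination; replace with your own path or UNC share.
    [string]$SupportLogLocation = '\\fileserver.example\DefenderDiag'
)

$platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
$fallbackDir  = Join-Path $env:ProgramFiles 'Windows Defender'
$versionRegex = '^(\d+\.){2,3}\d+'   # numeric prefix of a folder such as 4.18.2xxxx.x

# Pick the highest-versioned Platform folder, comparing as versions, not strings.
$platformDir = Get-ChildItem -Path $platformRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $versionRegex } |
    Sort-Object { [version]([regex]::Match($_.Name, $versionRegex).Value) } -Descending |
    Select-Object -First 1 -ExpandProperty FullName

# Fall back to C:\Program Files\Windows Defender when no Platform folder exists.
$mpCmdRun = @($platformDir, $fallbackDir) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'MpCmdRun.exe' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $mpCmdRun) { throw 'MpCmdRun.exe was not found in either documented location.' }

$started = Get-Date
& $mpCmdRun -GetFiles -SupportLogLocation $SupportLogLocation
# Assumption: a non-zero exit code means the collection did not complete.
if ($LASTEXITCODE -ne 0) { Write-Warning "MpCmdRun.exe exited with code $LASTEXITCODE." }

# Documented layout: <path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
# Check both the start and end dates in case the run crossed midnight.
$dayFolders = @($started, (Get-Date)) | ForEach-Object { $_.ToString('MMdd') } | Select-Object -Unique
$cab = foreach ($day in $dayFolders) {
    # Assumption: <hostname> in the file name matches $env:COMPUTERNAME.
    Get-ChildItem -Path (Join-Path $SupportLogLocation $day) `
        -Filter "MpSupport-$($env:COMPUTERNAME)-*.cab" -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $started.AddMinutes(-1) }
}
if (-not $cab) {
    throw "No new MpSupport .cab under $SupportLogLocation. Check that the collecting account has write access."
}
$cab | Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 -Property FullName, Length, LastWriteTime
```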
You can also specify where the diagnostic .cab file is created using a Group Policy Object (GPO).
- Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`.

- Select Define the directory path to copy support log files.
:::image type="content" source="media/GPO1-SupportLogLocationDefender.png" alt-text="The local group policy editor" lightbox="media/GPO1-SupportLogLocationDefender.png":::
:::image type="content" source="media/GPO2-SupportLogLocationGPPage.png" alt-text="The define path for log files setting" lightbox="media/GPO2-SupportLogLocationGPPage.png":::
- Inside the policy editor, select Enabled.

- Specify the directory path where you want to copy the support log files in the Options field.
:::image type="content" source="media/GPO3-SupportLogLocationGPPageEnabledExample.png" alt-text="Screenshot showing the enabled directory path custom setting." lightbox="media/GPO3-SupportLogLocationGPPageEnabledExample.png":::
- Select OK or Apply.