How Can I Find The Current Windows Defender Executable Location? And Why Are There Many?

Question

Microsoft has multiple versions of the Defender executable (MpCmdRun.exe) installed on my computer. There is an obvious one in "C:\Program Files\Windows Defender\MpCmdRun.exe" but then two others in "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2010.7-0\MpCmdRun.exe" and "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2011.6-0\MpCmdRun.exe". The folders all have different versions of MpCmdRun.exe.

Per Microsoft, the latest version is the 4.18.2011.6-0 version, but how would I know this if I hadn't researched? And if I encode some dependency on this location (see below), how would I know when it's been superceded?

My goal is to create a custom scheduled task for Defender that runs full scans rather than quick scans. I tried whacking on the existing Windows Defender task definitions (in Task Scheduler -> Task Scheduler Library -> Microsoft -> Windows -> Windows Defender), but the tasks periodically modify themselves (after updates, etc.) and my changes are lost. I can readily create my own custom task, but I have to know the location of MpCmdRun.exe which, as I pointed out above, seems to move around.

Does anyone know of a reliable way to determine what the location of the latest Defender executable is, preferably easy enough to use in a command line?

Also, anyone have any clues about why Microsoft did it this way? Why not just keep the latest version in "C:\Program Files\Windows Defender"? And why leave old version laying around?

Answer 1

Slow down.

I found the instructions in 30 seconds.

https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus