How to List All Windows Defender Exclusions in Batch Script
Security auditing is the cornerstone of a healthy IT environment. While Windows Defender's real-time protection is vital, the "Exclusions" list can often become a cluttered "Black Box" of legacy paths, forgotten developer tools, and potentially dangerous system-wide exceptions. For system administrators and security-conscious users, being able to quickly dump a list of all current exclusions, including folders, files, and processes, is an essential diagnostic task.
This guide explains how to use Batch (powered by PowerShell) to reveal every hidden blind spot in your security configuration.
Why List Defender Exclusions?
- Security Auditing: Periodically reviewing exclusions to ensure that a "Temporary" test folder hasn't become a permanent and dangerous blind spot.
- Troubleshooting: Identifying if a "Slow Build" or "File Lock" error is occurring because a critical project folder wasn't excluded properly.
- Compliance Reporting: Generating a text report of security configurations for stakeholder review or insurance audits.
The MpCmdRun.exe tool does not provide a "list exclusions" command, and this is deliberate (it prevents a malicious script from easily identifying where it can hide). The information is, however, accessible to administrators through PowerShell.
Method 1: Using PowerShell via Batch (Recommended)
The Get-MpPreference cmdlet is the "Source of Truth" for all Microsoft Defender settings, including the exclusion list.
@echo off
setlocal
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Administrator privileges are required to view Defender exclusions.
pause
exit /b 1
)
echo [PROCESS] Retrieving Windows Defender Exclusion List...
echo.
powershell -NoProfile -Command "$paths = (Get-MpPreference).ExclusionPath; if ($paths) { $paths } else { Write-Host '(No folder exclusions configured)' }"
pause
Method 2: Comprehensive Security Dump
If you want to see not just folders but also excluded extensions and processes, you can pull the individual properties from the preference object.
@echo off
setlocal
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Administrator privileges are required.
pause
exit /b 1
)
echo ============================================================
echo FULL DEFENDER EXCLUSION AUDIT
echo ============================================================
echo.
echo [FOLDERS/FILES]
powershell -NoProfile -Command "$v = (Get-MpPreference).ExclusionPath; if ($v) { $v | ForEach-Object { Write-Host (' ' + $_) } } else { Write-Host ' (none)' }"
echo.
echo [PROCESS NAMES]
powershell -NoProfile -Command "$v = (Get-MpPreference).ExclusionProcess; if ($v) { $v | ForEach-Object { Write-Host (' ' + $_) } } else { Write-Host ' (none)' }"
echo.
echo [FILE EXTENSIONS]
powershell -NoProfile -Command "$v = (Get-MpPreference).ExclusionExtension; if ($v) { $v | ForEach-Object { Write-Host (' ' + $_) } } else { Write-Host ' (none)' }"
echo.
echo ============================================================
pause
Creating a Security Audit Log
A professional script will save this information to a timestamped file for archival or network-wide auditing.
@echo off
setlocal
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Administrator privileges are required.
pause
exit /b 1
)
set "AUDIT_DIR=%~dp0"
:: Build the date stamp with PowerShell so it does not depend on the locale-specific layout of %date%
for /f "delims=" %%D in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd"') do set "STAMP=%%D"
set "AUDIT_FILE=%AUDIT_DIR%Defender_Exclusions_%COMPUTERNAME%_%STAMP%.txt"
echo [PROCESS] Auditing Security Configuration...
:: Generate the report via a single PowerShell call
powershell -NoProfile -Command ^
"$pref = Get-MpPreference;" ^
"'--- WINDOWS DEFENDER EXCLUSION REPORT ---';" ^
"'';" ^
"'Computer: ' + $env:COMPUTERNAME;" ^
"'Date: ' + (Get-Date -Format 'yyyy-MM-dd HH:mm:ss');" ^
"'';" ^
"'[PATH EXCLUSIONS]';" ^
"if ($pref.ExclusionPath) { $pref.ExclusionPath | ForEach-Object { ' ' + $_ } } else { ' (none)' };" ^
"'';" ^
"'[PROCESS EXCLUSIONS]';" ^
"if ($pref.ExclusionProcess) { $pref.ExclusionProcess | ForEach-Object { ' ' + $_ } } else { ' (none)' };" ^
"'';" ^
"'[EXTENSION EXCLUSIONS]';" ^
"if ($pref.ExclusionExtension) { $pref.ExclusionExtension | ForEach-Object { ' ' + $_ } } else { ' (none)' }" ^
> "%AUDIT_FILE%" 2>nul
if %errorlevel% equ 0 (
echo [SUCCESS] Report saved to: %AUDIT_FILE%
echo [ACTION] Please review this file for suspicious or outdated paths.
) else (
echo [ERROR] Failed to generate audit report. Code: %errorlevel%
)
pause
Common Pitfalls and How to Avoid Them
Administrative Rights
Querying detailed security preferences through the Get-MpPreference cmdlet is restricted in many enterprise environments, which is why the scripts above check for an elevated session before running it.
Wrong Way:
:: Running as a standard user
powershell -Command "(Get-MpPreference).ExclusionPath"
:: Result: May return an empty result or a "Permission Denied" error.
Empty Results
If the script returns nothing, it usually means your exclusion list is empty.
Advise your users that an empty list is actually a healthy state. It means Microsoft Defender is scanning 100% of the files on the computer without exceptions.
Best Practices for Security Auditing
- Weekly Automation: Run an audit script via Task Scheduler once a week and email the results to your IT inbox.
- Compare to Baseline: Keep a "Gold Standard" list of allowed exclusions (like C:\Program Files\Antivirus_Vendor) and flag any paths that aren't on that list.
- Cross-Check Registry: Advanced exclusions might also hide in the registry at HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions. Your Batch script can query this with reg query as a secondary check.
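The baseline comparison and registry cross-check from the two items above, as an added PowerShell example that is not part of the original article. The baseline entries are constructed placeholders, and the Paths, Processes and Extensions subkeys are the layout the Defender Group Policy templates write under the policy key named above.

```powershell
# Added example, not code from the original article: compare the live Defender path
# exclusions against a baseline and cross-check the Group Policy registry key.
# Run from an elevated session. The baseline entries are constructed placeholders.

$Baseline = @(
    'C:\Program Files\Antivirus_Vendor'          # the article's "Gold Standard" sample
)
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows Defender\Exclusions'

# Fail loudly instead of reporting "(none)" when the query itself is refused or Defender is absent.
try {
    $pref = Get-MpPreference -ErrorAction Stop
} catch {
    Write-Error "Get-MpPreference failed: $($_.Exception.Message). Run elevated and confirm Defender is active."
    exit 1
}

# Trim trailing backslashes so 'C:\Tools' and 'C:\Tools\' compare equal (-notcontains is case-insensitive).
$allowed = $Baseline | ForEach-Object { $_.TrimEnd('\') }
$unexpected = @($pref.ExclusionPath) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') } |
    Where-Object { $allowed -notcontains $_ }

# Policy-delivered exclusions are stored as value names (data 0) under the Paths, Processes
# and Extensions subkeys of the policy key; local admins' Get-MpPreference output may not show them.
$policyItems = foreach ($sub in 'Paths', 'Processes', 'Extensions') {
    $key = Join-Path $PolicyKey $sub
    if (Test-Path $key) {
        (Get-Item -Path $key).GetValueNames() | ForEach-Object { "[$sub] $_" }
    }
}

"Path exclusions not in baseline: $(@($unexpected).Count)"
@($unexpected) | ForEach-Object { "  $_" }
"Policy-delivered exclusions found in registry: $(@($policyItems).Count)"
@($policyItems) | ForEach-Object { "  $_" }

# Non-zero exit so a batch wrapper or Task Scheduler job can flag drift from the baseline.
if (@($unexpected).Count -gt 0) { exit 2 }
```

Save it as, for example, Audit-DefenderExclusions.ps1 and call it from the batch wrapper with powershell -NoProfile -ExecutionPolicy Bypass -File, then test %errorlevel% (1 means the query failed, 2 means exclusions exist outside the baseline).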
If you have a third-party antivirus installed (like SentinelOne or CrowdStrike), these commands will only reflect the status of the built-in Microsoft engine, which may be disabled or in "Passive Mode."
Conclusion
Listing Windows Defender exclusions via Batch script is a fundamental diagnostic task for maintaining the integrity of your Windows ecosystem. By exposing hidden folder and process exceptions, you can identify security gaps before they are exploited and ensure that your antivirus engine is providing the maximum possible protection. This professional approach to security monitoring transforms "Invisible" settings into a clear, actionable audit trail, providing peace of mind and demonstrating a commitment to proactive system defense.