Forum Discussion
Get-MpPerformanceReport empty processpath
Hi, does anyone know why we sometimes get an empty ProcessPath when using Get-MpPerformanceReport to get the top processes?
Some say it could be Defender for Endpoint, but I would like to be sure what it is.
Any ideas on how to get more info?
Thank you in advance and don't hesitate if you have any questions
Hi lalanc01, yes, this is a known quirk when using Get-MpPerformanceReport from the Windows Defender (Microsoft Defender Antivirus) module. Check this.
If you want to fill in the blanks for these entries:
Correlate with Event Viewer
Check Microsoft-Windows-Windows Defender/Operational log and Microsoft-Windows-Security-Mitigations logs for process start events (Event ID 4688 in Security log).
Cross-match the PID and timestamp from Get-MpPerformanceReport with event logs to retrieve the original path.
Use Get-Process while the process is still running
If you run the report in near-real-time and the process is still active:
# -Path is required: point it at the ETL produced by New-MpPerformanceRecording (placeholder name below)
$report = Get-MpPerformanceReport -Path .\Defender.etl -TopScans 20
foreach ($item in $report.TopScans) {
    if (-not $item.ProcessPath) {
        try {
            # Only meaningful if the PID is still alive and has not been recycled since the scan
            $proc = Get-Process -Id $item.ProcessId -ErrorAction SilentlyContinue
            if ($proc) {
                $item | Add-Member -NotePropertyName ResolvedPath -NotePropertyValue $proc.Path
            }
        } catch {}
    }
}
$report
Enable Defender Verbose Logging
Increase Defender logging level with:
# Valid values for -EnableControlledFolderAccess are Disabled, Enabled, AuditMode, BlockDiskModificationOnly, AuditDiskModificationOnly
Set-MpPreference -EnableControlledFolderAccess AuditMode
Set-MpPreference -DisableRealtimeMonitoring $false
Then check the Defender operational logs for richer details.
Use Sysmon for persistent mapping
Sysmon’s process creation logs (Event ID 1) always capture process path and hash. You can join those with the PIDs from Get-MpPerformanceReport.
Empty ProcessPath in Get-MpPerformanceReport doesn’t always mean Defender for Endpoint is hiding it — it’s often just that the local Defender performance telemetry never cached the path, the process ended, or it was a system/kernel/memory-only entity. To be sure, you’ll need to correlate with process creation logs (Windows Event Log, Sysmon, or EDR data).
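A worked version of the correlation described in the answer, added here as an example; it is not code from the thread or from Microsoft's Defender module. It builds an index of process creation events from Security Event ID 4688 and Sysmon Event ID 1, then joins that index to the TopScans entries by PID, taking the newest creation at or before the scan's start time so that a recycled PID does not get mapped to the wrong image. Assumptions: TopScans entries expose ProcessId and ProcessPath (the answer's own code uses these) and a StartTime (assumed); the ETL comes from New-MpPerformanceRecording; reading the Security log needs an elevated session; the sample records at the bottom are constructed, not real telemetry.

```powershell
# Added example, not from the original thread or from the Defender module.
# Assumed: TopScans entries have ProcessId, ProcessPath and StartTime properties.

# Flatten <EventData><Data Name="X">value</Data>... into a hashtable keyed by Name
function ConvertFrom-EventData {
    param($Event)
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Process creation records from Security 4688 (NewProcessId is a hex string, NewProcessName is
# the image path) and Sysmon Event ID 1 (ProcessId is decimal, Image is the path).
# A log that is absent or unreadable is skipped; reading Security needs an elevated prompt.
function Get-ProcessCreationIndex {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $records = New-Object System.Collections.Generic.List[object]

    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $sec) {
        $d = ConvertFrom-EventData $e
        $records.Add([pscustomobject]@{
            ProcessId = [Convert]::ToInt32($d['NewProcessId'], 16)
            Time      = $e.TimeCreated
            Path      = $d['NewProcessName']
            Source    = 'Security/4688'
        })
    }

    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $sys) {
        $d = ConvertFrom-EventData $e
        $records.Add([pscustomobject]@{
            ProcessId = [int]$d['ProcessId']
            Time      = $e.TimeCreated
            Path      = $d['Image']
            Source    = 'Sysmon/1'
        })
    }
    return $records
}

# For every scan with an empty ProcessPath, pick the newest creation record for that PID
# dated at or before the scan start. PIDs are recycled, so "any record with this PID" is
# not enough; entries with no prior creation event (System, kernel, memory-only) stay unresolved.
function Resolve-ScanProcessPath {
    param(
        [Parameter(Mandatory)] [object[]]$Scans,   # e.g. (Get-MpPerformanceReport -Path .\Defender.etl -TopScans 20).TopScans
        [object[]]$Index = @()                     # output of Get-ProcessCreationIndex
    )
    $byPid = @{}
    foreach ($r in $Index) {
        if (-not $byPid.ContainsKey([int]$r.ProcessId)) { $byPid[[int]$r.ProcessId] = New-Object System.Collections.Generic.List[object] }
        $byPid[[int]$r.ProcessId].Add($r)
    }
    foreach ($s in $Scans) {
        $resolved = $s.ProcessPath
        $from     = 'report'
        if ([string]::IsNullOrEmpty($resolved)) {
            $from = 'unresolved'
            if ($s.ProcessId -and $byPid.ContainsKey([int]$s.ProcessId)) {
                $hit = $byPid[[int]$s.ProcessId] |
                    Where-Object { $_.Time -le $s.StartTime } |
                    Sort-Object Time -Descending |
                    Select-Object -First 1
                if ($hit) { $resolved = $hit.Path; $from = $hit.Source }
            }
        }
        [pscustomobject]@{
            StartTime    = $s.StartTime
            ProcessId    = $s.ProcessId
            ResolvedPath = $resolved
            ResolvedFrom = $from
        }
    }
}

# Constructed sample (not real telemetry). PID 4321 is recycled: first cmd.exe, then powershell.exe.
# The 10:05 scan must resolve to powershell.exe; PID 4 (System) has no creation event and stays unresolved.
$sampleIndex = @(
    [pscustomobject]@{ ProcessId = 4321; Time = [datetime]'2024-01-01T10:00:00'; Path = 'C:\Windows\System32\cmd.exe'; Source = 'Sysmon/1' }
    [pscustomobject]@{ ProcessId = 4321; Time = [datetime]'2024-01-01T10:04:00'; Path = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Source = 'Security/4688' }
)
$sampleScans = @(
    [pscustomobject]@{ StartTime = [datetime]'2024-01-01T10:05:00'; ProcessId = 4321; ProcessPath = '' }
    [pscustomobject]@{ StartTime = [datetime]'2024-01-01T10:06:00'; ProcessId = 4;    ProcessPath = '' }
)
Resolve-ScanProcessPath -Scans $sampleScans -Index $sampleIndex | Format-Table -AutoSize

# Live use, once New-MpPerformanceRecording -RecordTo .\Defender.etl has produced a trace:
# $report = Get-MpPerformanceReport -Path .\Defender.etl -TopScans 20
# Resolve-ScanProcessPath -Scans $report.TopScans -Index (Get-ProcessCreationIndex) | Format-Table -AutoSize
```

The time-ordered match is the part worth keeping even if you only have one of the two logs: without it a PID that was freed and handed to a new process between recording and lookup silently yields the wrong image, which is the same failure mode as trusting Get-Process on a stale PID. If 4688 auditing is off (check `auditpol /get /subcategory:"Process Creation"`), only the Sysmon half of the index will be populated.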