Forum Discussion
Get-MpPerformanceReport empty processpath
- Aug 15, 2025
Hi lalanc01, yes, this is a known quirk when using Get-MpPerformanceReport from the Windows Defender (Microsoft Defender Antivirus) module. Check this.
If you want to fill in the blanks for these entries:
Correlate with Event Viewer
Check the Microsoft-Windows-Windows Defender/Operational log and the Microsoft-Windows-Security-Mitigations logs for process start events (Event ID 4688 in the Security log).
Cross-match the PID and timestamp from Get-MpPerformanceReport with event logs to retrieve the original path.
Use Get-Process while the process is still running
If you run the report in near-real-time and the process is still active:
    # Placeholder path: an .etl recording made with New-MpPerformanceRecording
    $etlPath = '.\Defender-scans.etl'
    $report = Get-MpPerformanceReport -Path $etlPath -TopScans 20
    foreach ($item in $report.TopScans) {
        if (-not $item.ProcessPath) {
            # Only resolves while the process that owns this PID is still running
            $proc = Get-Process -Id $item.ProcessId -ErrorAction SilentlyContinue
            if ($proc) {
                $item | Add-Member -NotePropertyName ResolvedPath -NotePropertyValue $proc.Path -Force
            }
        }
    }
    $report
Enable Defender Verbose Logging
Increase Defender logging level with:
    # Put Controlled Folder Access into audit mode
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    # Keep real-time monitoring enabled
    Set-MpPreference -DisableRealtimeMonitoring $false
Then check the Defender operational logs for richer details.
Use Sysmon for persistent mapping
Sysmon’s process creation logs (Event ID 1) always capture process path and hash. You can join those with the PIDs from Get-MpPerformanceReport.
Empty ProcessPath in Get-MpPerformanceReport doesn’t always mean Defender for Endpoint is hiding it — it’s often just that the local Defender performance telemetry never cached the path, the process ended, or it was a system/kernel/memory-only entity. To be sure, you’ll need to correlate with process creation logs (Windows Event Log, Sysmon, or EDR data).
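The PID-and-timestamp join described in the reply above, as an added example that is not part of the original post. The function names, the sample records, and the assumption that each scan entry exposes ProcessId and StartTime are illustrative; the sample data is constructed and includes a reused PID.

```powershell
# Added example (not from the thread): fill empty ProcessPath values by PID + time.
function ConvertFrom-SysmonProcessCreate {
    param([Parameter(ValueFromPipeline)] $Record)   # a Sysmon Event ID 1 record
    process {
        $d = @{}
        ([xml]$Record.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        # TimeCreated is the event's local timestamp, close to the process start.
        [pscustomobject]@{ ProcessId = [int]$d.ProcessId; StartTime = $Record.TimeCreated; Image = $d.Image }
    }
}

function Resolve-MpScanProcessPath {
    param(
        [Parameter(Mandatory)] [object[]] $Scans,       # entries shaped like $report.TopScans
        [Parameter(Mandatory)] [object[]] $ProcStarts   # records with ProcessId, StartTime, Image
    )
    # Index process starts by PID (string keys), oldest first within each PID.
    $byPid = $ProcStarts | Sort-Object StartTime | Group-Object ProcessId -AsHashTable -AsString
    foreach ($scan in $Scans) {
        $resolved = $scan.ProcessPath
        $key = [string]$scan.ProcessId
        if (-not $resolved -and $byPid.ContainsKey($key)) {
            # PIDs are reused: take the latest creation at or before the scan started.
            $match = $byPid[$key] | Where-Object { $_.StartTime -le $scan.StartTime } |
                Select-Object -Last 1
            if ($match) { $resolved = $match.Image }
        }
        [pscustomobject]@{
            ProcessId    = $scan.ProcessId
            StartTime    = $scan.StartTime
            ResolvedPath = $resolved   # stays empty when no process start was logged
        }
    }
}

# Constructed sample data (not real telemetry): PID 4242 is used by two processes.
$starts = @(
    [pscustomobject]@{ ProcessId = 4242; StartTime = [datetime]'2025-08-15T09:00:00'; Image = 'C:\Tools\old.exe' }
    [pscustomobject]@{ ProcessId = 4242; StartTime = [datetime]'2025-08-15T10:00:00'; Image = 'C:\Tools\new.exe' }
)
$scans = @(
    [pscustomobject]@{ ProcessId = 4242; StartTime = [datetime]'2025-08-15T10:05:00'; ProcessPath = $null }
    [pscustomobject]@{ ProcessId = 999;  StartTime = [datetime]'2025-08-15T10:06:00'; ProcessPath = $null }
)
Resolve-MpScanProcessPath -Scans $scans -ProcStarts $starts | Format-Table -AutoSize

# Live use (assumes Sysmon is installed and $report holds Get-MpPerformanceReport output):
# $starts = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ConvertFrom-SysmonProcessCreate
# Resolve-MpScanProcessPath -Scans $report.TopScans -ProcStarts $starts
```

Matching on PID alone would attribute the 10:05 scan to whichever process the log lists first; bounding the match by the scan start time picks the process that actually held the PID at that moment.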