What is MsSenses.exe

%3CLINGO-SUB%20id%3D%22lingo-sub-330256%22%20slang%3D%22en-US%22%3EWhat%20is%20MsSenses.exe%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-330256%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20not%20sure%20if%20this%20is%20the%20best%20place%20to%20answer%20this%2C%20but%20can%20someone%20tell%20me%20what%20this%20file%20does%2Fwhen%20it%20gets%20used%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EC%3A%5CProgram%20Files%5CMicrosoft%20Monitoring%20Agent%5CAgent%5CHealth%20Service%20State%5CMonitoring%20Host%20Temporary%20Files%207%5C2375%5CMsSenseS.exe%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-330256%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESystem%20Center%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-339041%22%20slang%3D%22en-US%22%3ERe%3A%20What%20is%20MsSenses.exe%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-339041%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F15390%22%20target%3D%22_blank%22%3E%40Lloyd%20Adams%3C%2FA%3E%26nbsp%3B%20-%20This%20process%20or%20sensor%20is%20part%20of%20onboarding%20via%20technologies%20such%20as%20Microsoft%20Security%20Center%2C%20Windows%20Defender%20and%20ATP.%20There%20are%20also%20third%20party%20integrations%20via%20Dell%20as%20well%20as%20a%20few%20others%20noted%20in%20the%20links%20below%20(SCOM%20or%20onboard%20to%20Log%20Analytics%20workspace%2C%20etc).%20You%20may%20notice%20the%20workflows%20run%20in%20a%20temporary%20file%20in%20that%20directory.%20The%20process%20runs%20under%20the%20workflow%20servicing%20context%20named%20MonitoringHost.exe%20as%20the%20Health%20Service%20runs%20in%20conjunction.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMicrosoft%20Windows%20Security%20Center%20-%20Warning%3C%2FP%3E%3CP%20class%3D%22alert-title%22%3E%3CEM%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fwindows-defender-antivirus-compatibility%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EReference%3A%20Docs%20-%20Warning%20on%20bottom%20of%20page%3C%2FA%3E%3C%2FEM%3E%3C%2FP%3E%3CP%20class%3D%22alert-title%22%3E%3CEM%3E%22Warning%20-%26nbsp%3B%3C%2FEM%3E%3CEM%3EYou%20should%20not%20attempt%20to%20disable%2C%20stop%2C%20or%20modify%20any%20of%20the%20associated%20services%20used%20by%20Windows%20Defender%20AV%2C%20Windows%20Defender%20ATP%2C%20or%20the%20Windows%20Security%20app.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3EThis%20includes%20the%26nbsp%3Bwscsvc%2C%26nbsp%3BSecurityHealthService%2C%26nbsp%3BMsSense%2C%26nbsp%3BSense%2C%26nbsp%3BWinDefend%2C%20or%26nbsp%3BMsMpEng%26nbsp%3Bservices%20and%20process.%20Manually%20modifying%20these%20services%20can%20cause%20severe%20instability%20on%20your%20endpoints%20and%20open%20your%20network%20to%20infections%20and%20attacks.%3C%2FEM%3E%3C%2FP%3E%3CP%20class%3D%22%22%3E%3CEM%3EIt%20can%20also%20cause%20problems%20when%20using%20third-party%20antivirus%20apps%20and%20how%20their%20information%20is%20displayed%20in%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fwindows-defender-security-center-antivirus%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWindows%20Security%20app%3C%2FA%3E.%22%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDell%20-%20notice%20the%20av%20exclusions%20and%20other%20integration%20points%5Cservices%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.dell.com%2Fsupport%2Farticle%2Flt%2Fen%2Fltbsdt1%2Fsln304640%2Fhow-to-unregister-register-dell-endpoint-security-suite-enterprise-or-dell-threat-defense-as-an-anti-virus-in-windows-security-center%3Flang%3Den%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.dell.com%2Fsupport%2Farticle%2Flt%2Fen%2Fltbsdt1%2Fsln304640%2Fhow-to-unregister-register-dell-endpoint-security-suite-enterprise-or-dell-threat-defense-as-an-anti-virus-in-windows-security-center%3Flang%3Den%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Contributor

I'm not sure if this is the best place to answer this, but can someone tell me what this file does/when it gets used?

 

C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 7\2375\MsSenseS.exe

1 Reply

@Lloyd Adams  - This process or sensor is part of onboarding via technologies such as Microsoft Security Center, Windows Defender and ATP. There are also third party integrations via Dell as well as a few others noted in the links below (SCOM or onboard to Log Analytics workspace, etc). You may notice the workflows run in a temporary file in that directory. The process runs under the workflow servicing context named MonitoringHost.exe as the Health Service runs in conjunction. 

 

Microsoft Windows Security Center - Warning

Reference: Docs - Warning on bottom of page

"Warning - You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Security app.

This includes the wscsvc, SecurityHealthService, MsSense, Sense, WinDefend, or MsMpEng services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.

It can also cause problems when using third-party antivirus apps and how their information is displayed in the Windows Security app."

 

Dell - notice the av exclusions and other integration points\services

https://www.dell.com/support/article/lt/en/ltbsdt1/sln304640/how-to-unregister-register-dell-endpoin...