Running Procmon with boot logging enabled is a very powerful research tool. In this short post I want to share a Procmon boot log of MsMpEng.exe (the Windows Defender process) in which we can clearly see it attempting to access a lot of (assumed bad) file names and paths.
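To reproduce this kind of finding from your own boot log, the useful check is: which paths did MsMpEng.exe try to open that did not exist on disk? Those are the probes, not normal I/O. The script below is an added example, not code from the original post. It assumes the log was exported from Procmon as CSV (File > Save, CSV format), which yields the columns "Time of Day", "Process Name", "PID", "Operation", "Path", "Result" and "Detail", and it works on a small constructed sample in that shape; the paths in the sample are placeholders, not entries from the author's log.

```python
import csv
import io

# Constructed sample in the shape of a Procmon CSV export. The file names are
# placeholders invented for this example, not paths from the post's boot log.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:01:00.0000001 AM","MsMpEng.exe","3120","CreateFile","C:\ProgramData\Microsoft\Windows Defender\Scans","SUCCESS","Desired Access: Read Data/List Directory"
"8:01:00.0000002 AM","MsMpEng.exe","3120","CreateFile","C:\Windows\constructed_probe_a.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"8:01:00.0000003 AM","MsMpEng.exe","3120","QueryOpen","C:\Users\Public\constructed_probe_b.exe","NAME NOT FOUND",""
"8:01:00.0000004 AM","MsMpEng.exe","3120","CreateFile","D:\nonexistent_dir\constructed_probe_c.sys","PATH NOT FOUND","Desired Access: Read Attributes"
"8:01:00.0000005 AM","svchost.exe","1012","CreateFile","C:\Windows\constructed_probe_a.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"8:01:00.0000006 AM","MsMpEng.exe","3120","CreateFile","C:\Windows\constructed_probe_a.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"8:01:00.0000007 AM","MsMpEng.exe","3120","RegOpenKey","HKLM\SOFTWARE\constructed_probe_key","NAME NOT FOUND","Desired Access: Read"
'''

# File-system operations Procmon records when a process tests for a file's
# existence or opens it. Registry operations are deliberately excluded.
PROBE_OPS = frozenset({"CreateFile", "QueryOpen", "QueryDirectory"})

# Results that mean the target was absent: the interesting case, because a
# path that is not on the machine but is still looked for came from somewhere.
MISSING = frozenset({"NAME NOT FOUND", "PATH NOT FOUND"})


def probed_paths(csv_text, process="MsMpEng.exe", ops=PROBE_OPS, results=MISSING):
    """Return a sorted list of (path, hit_count) for file operations issued by
    `process` whose result is in `results` (by default: target did not exist).

    Paths are de-duplicated case-insensitively, as NTFS treats them, while the
    first-seen spelling is kept for display.
    """
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] not in ops or row["Result"] not in results:
            continue
        path = row["Path"]
        entry = seen.setdefault(path.lower(), {"path": path, "count": 0})
        entry["count"] += 1
    return sorted((e["path"], e["count"]) for e in seen.values())


def probed_paths_from_file(csv_path, **kwargs):
    """Same as probed_paths, reading a real Procmon CSV export from disk.
    Procmon writes its CSV as UTF-8 with a BOM, hence utf-8-sig."""
    with open(csv_path, encoding="utf-8-sig", newline="") as fh:
        return probed_paths(fh.read(), **kwargs)


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; pass a CSV path on the
    # command line to analyse a real export instead.
    import sys
    hits = probed_paths_from_file(sys.argv[1]) if len(sys.argv) > 1 else probed_paths(SAMPLE_CSV)
    for path, count in hits:
        print(f"{count:4d}  {path}")
```

The count column matters when reading a real log: a path that MsMpEng.exe looks for repeatedly across boot, rather than once during a directory scan, is more likely a deliberate probe than a side effect. Swapping `results={"SUCCESS"}` shows what the process did find, which is a quick way to tell probes apart from its own working directories.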
I have not seen this documented before and I am a bit surprised, because the Windows Defender signatures are easily decompilable thanks to projects like WDExtract and MpLua converter. Google searches for the file names presented in my boot log return nada.
So here it is: a list of paths that are most likely _bad_ for business.