To verify that Malwarebytes Endpoint Protection or Endpoint Detection and Response and its component services are running, and to show memory and CPU usage, you can download and run the ServiceStatus.cmd script on the endpoint. This Windows script is read-only and does not need any special privileges to execute, so it is safe to run. It reads visible configuration JSON files and log files to retrieve enablement settings and uses the Windows service controller command (SC.EXE) to retrieve service status.
Endpoint Detection and Response - typical status
Below is an example of the normal output from the script on a device running Endpoint Detection and Response.
Download and run Service Status script
- Download the attached script file (see below) ServiceStatus-x.xx.cmd.txt to the endpoint computer.
- Rename the file to ServiceStatus-x.xx.cmd (remove the .txt extension).
- Administrator privileges are not required to run the script, as it uses only standard Windows commands and scripting.
- It can be run locally by double-clicking and is suitable for remote command-line execution.
- If AppLocker is in use, then it should be placed into an appropriate folder allowed to execute.
- Double-click the file to run it. Alternatively, run it from a Windows CMD.EXE prompt, optionally redirecting its output to a file, e.g.
ServiceStatus-x.xx.cmd > status.txt
- A command window opens. The window refreshes every 60 seconds, which is useful when testing for configuration changes and updates, e.g. policy or exclusions.
- OnExclusionChanged is new and shows the date of the last exclusion update/change.
- The script may be edited to change the refresh timer: SET WAITSECS=60
- The command parameter once suppresses the refresh/repeat and is useful when writing output to a file, e.g.
ServiceStatus-x.xx.cmd once
ServiceStatus-x.xx.cmd once > %homepath%\desktop\ServiceStatus.txt
To cancel the script, press Ctrl + C or click [x].
Notes
This is a user community shared utility. Please send questions, comments, and support request to the author directly: Andrew Probert (aprobert@malwarebytes.com)
Restrictions
- Will show the Home Premium service, but a Home Premium install will not have the Management Agent or Flight Recorder services.
- Will trigger some Suspicious Activity alerts, as it is checking status.
Legend
Desired Status:
( O) Enabled
(x ) Disabled
( . ) Undefined/could not be determined
MBAMService information:
CPU% is measured across the sample time, e.g. 60 seconds.
Memory should be approximately 350 MB when not scanning, plus about 300 MB when scanning.
Handle count ~= 2,000
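The same checks as an added PowerShell example (this is not the ServiceStatus.cmd script itself, whose source is not on this page): it prints each service with the legend marks above, samples MBAMService CPU% across WAITSECS seconds, shows memory in MB and the handle count, and honours the once parameter. The Management Agent and Flight Recorder display-name wildcards, the MBAMService.exe process name and the use of PowerShell 5.1+ (for the StartType property) are assumptions.

```powershell
# Added example, not the ServiceStatus.cmd script. Assumes PowerShell 5.1+.
param([string]$Mode = "")     # pass "once" to suppress the refresh loop
$WAITSECS = 60                 # refresh and CPU sample interval, as in the original

function Get-ServiceLine {
    param([string]$Label, [System.ServiceProcess.ServiceController]$Svc)
    if ($null -eq $Svc) { return " ( . ) $Label : not installed" }
    # Legend used by the script: ( O) running, (x ) stopped/disabled, ( . ) undefined
    $mark = switch ($Svc.Status) {
        'Running' { '( O)' }
        'Stopped' { '(x )' }
        default   { '( . )' }
    }
    # '*' in column 1 flags a service that is not running (as in version 1.07)
    $warn = if ($Svc.Status -ne 'Running') { '*' } else { ' ' }
    "$warn$mark $Label : $($Svc.Status), start type $($Svc.StartType)"
}

function Get-MBAMServiceResource {
    param([int]$SampleSecs)
    # Process name MBAMService.exe is an assumption based on the service name
    $p1 = Get-Process -Name MBAMService -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($null -eq $p1) { return " ( . ) MBAMService.Resource : process not found" }
    $cpu1 = $p1.TotalProcessorTime
    Start-Sleep -Seconds $SampleSecs
    $p2 = Get-Process -Name MBAMService -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($null -eq $p2) { return "*(x ) MBAMService.Resource : process exited during sample" }
    # CPU% across the sample window, normalised to the number of logical CPUs
    $cpuPct = ($p2.TotalProcessorTime - $cpu1).TotalSeconds * 100 / $SampleSecs / [Environment]::ProcessorCount
    $memMB  = [math]::Round($p2.WorkingSet64 / 1MB)
    "  MBAMService.Resource : CPU {0:N1}% over {1}s, Memory {2} MB, Handles {3}" -f $cpuPct, $SampleSecs, $memMB, $p2.HandleCount
}

do {
    if ($Mode -ne 'once') { Clear-Host }   # keep output clean when redirected to a file
    "ServiceStatus (PowerShell example) $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
    Get-ServiceLine 'MBAMService'      (Get-Service -Name MBAMService -ErrorAction SilentlyContinue)
    # Display-name wildcards are assumptions; adjust to the names shown by Get-Service
    Get-ServiceLine 'Management Agent' (Get-Service -DisplayName '*Management Agent*' -ErrorAction SilentlyContinue | Select-Object -First 1)
    Get-ServiceLine 'Flight Recorder'  (Get-Service -DisplayName '*Flight Recorder*'  -ErrorAction SilentlyContinue | Select-Object -First 1)
    Get-MBAMServiceResource -SampleSecs $WAITSECS   # the sample sleep doubles as the refresh timer
} while ($Mode -ne 'once')
```

Run as `.\ServiceStatus.ps1 once > status.txt` for a single snapshot, or without the parameter to refresh every WAITSECS seconds until Ctrl + C.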
Change history
- 2023-08-02 Version 1.22. Added enabled sliders (x.O). Simplified some output. Status display is now retrieved correctly for non-English languages.
- 2022-03-15 Version 1.19 Fixed parsing error by delimiters for parsing JSON
- 2021-08-07 Version 1.18 Updated the Endpoint Detection and Response status check logic.
- 2020-11-11 Version 1.17 Fixed version checking; now uses EACMD.EXE --versions instead of the configuration file. Changed timer to a 60 second wait.
- 2019-09-28 Version 1.14 Added Incident Response (MBIRPlugin) version check. It is not a service and runs on demand/scheduled.
- 2019-06-26 Version 1.13 Added OnExclusion which shows latest date/time of an exclusion update item. Fixed error if there is no MBAMService.txt.1 file.
- 2019-06-03 Version 1.12 Added display of SDK/Controllerpackage, which relates to the component update (CU) version. Added display of OnExclusionChanged, so receipt of updates to exclusions can be easily seen. Script will accept variable once as %1, to suppress looping.
- 2019-04-01 Version 1.11 Added status of the configuration of Endpoint Response Settings for Suspicious Activity Monitoring, Rollback and Isolation, read from the last log entry in EndpointAgent.txt. Note: the log entry is also displayed if the plugin is subsequently uninstalled, which makes the other entry in the log obsolete.
- 2019-02-21 Version 1.10 Added count of files in EPR Local Backup
- 2019-01-31 Version 1.08 Added policy.ea_last_update, to show datetime of most recent policy update. Useful when monitoring for recent change.
- 2019-01-22 Version 1.07 Added * warnings in column 1 for disabled and inactive services.
- 2019-01-07 Version 1.06 Added MBAMService.Resource showing Memory and Handles usage. Set timer to 20 seconds with an editable variable in the script.
- 2018-12-12 Version 1.05 Fixed problem with reading large EPR backup sizes.
- 2018-10-30 Added controllers_version, date time stamp at top, community note at bottom.
- 2018-10-10 Suppress file not found messages. Search prior log for MBAMService, if not found in current log.
- 2018-10-08 Added MBAMService CPU% monitor.
- 2018-10-05 Added policy settings, versions for endpoint_protection and mbam_version, EDR Local Backup size estimation.