Windows script to display Malwarebytes Endpoint Protection Agent Health and Service Status 

File uploaded by aprobert Employee on Aug 8, 2018Last modified by aprobert Employee on Oct 2, 2019
Version 42Show Document
  • View in full screen mode

To verify a Malwarebytes Endpoint Protection is running, you can download and run the ServiceStatus.cmd script on the endpoint.


Download and run Service Status script

  1. Download the attached script zip file and extract ServiceStatus-x.xx.cmd.txt to the endpoint computer.

  2. Rename the file to be ServiceStatus-x.xx.cmd 
    Administrator privileges are not required to run the script, as it uses only standard Windows commands and scripting. 
    It can be run locally by double-clicking and is suitable for remote command-line execution.
    If AppLocker is in use, then it should be placed into an appropriate folder allowed to execute.

  3. Double-click on the file to run it.  Alternatively, it can be run from Windows CMD.EXE prompt and/or its output piped to file e.g.
    ServiceStatus-x.xx.cmd > status.txt

  4. A command window displays.  The window refreshes every 20 seconds.  This is useful when testing for configuration changes and updates e.g. policy or exclusions. 
        OnExclusionChanged is new and shows date of last exclusion update/change.
        The script may be edited to change the refresh timer.  SET WAITSECS=20
        A command parameter  once will suppress refresh/repeat and is useful to output to file e.g.
      ServiceStatus-x.xx.cmd once
      ServiceStatus-x.xx.cmd once > %homepath%\desktop\ServiceStatus.txt


To cancel the script, enter Ctrl + C or click [x]


Endpoint Protection and Response - typical status


Incident Response - typical status

Note that turning off Real Time Policy Detectors unloads the Malwarebytes real time protection service and its services are disabled.




This is a user community shared utility. Please send questions, comments, and support request to the author directly. 

Andrew Probert (



Will show Home Premium service, but will not have Management Agent nor Flight Recorder services.

Will trigger some Suspicious Activity as it is checking status.




Change history

2019-09-28 Version 1.14 Added Incident Response (MBIRPlugin) version check.  It is not a service and runs on demand/scheduled.

2019-06-26 Version 1.13 Added OnExclusion which shows latest date/time of an exclusion update item. Fixed error if there is no MBAMService.txt.1 file.

2019-06-03 Version 1.12 Added display of SDK/Controllerpackage, which relates to the component update (CU) version.  Added display of OnExclusionChanged, so receipt of updates to exclusions can be easily seen.  Script will accept variable once as %1, to suppress looping.

2019-04-01 Version 1.11 Added status of the configuration of Endpoint Response Settings for Suspicious Activity Monitoring, Rollback and Isolation reading

                    from last log entry in EndpointAgent.txt   Note: The log entry also displayed if plugin subsequently uninstalled which obsoletes other entry in log. 

2019-02-21 Version 1.10 Added count of files in EPR Local Backup

2019-01-31 Version 1.08 Added policy.ea_last_update, to show datetime of most recent policy update.  Useful when monitoring for recent change.

2019-01-22 Version 1.07 Added * warnings in column 1 for disabled and inactive services.

2019-01-07 Version 1.06 Added MBAMService.Resource showing Memory and Handles usage.  Set timer to 20 seconds with a editable variable in script.

2018-12-12 Version 1.05 Fixed problem with reading large EPR backup sizes.

2018-10-30 Added controllers_version, date time stamp at top, community note at bottom. 

2018-10-10 Suppress file not found messages. Search prior log for MBAMService, if not found in current log. Adde.2018-10-08 Added MBAMService CPU% monitor.

2018-10-05 Added policy settings, versions for endpoint_protection and mbam_version, EDR Local Backup size estimation.