Redirecting Microsoft ForeFront Endpoint Protection AV Pattern Files

One of the best practices that Citrix recommends for XenApp or XenDesktop provisioned machines is redirecting the anti-virus pattern files to a persistent drive. This blog post describes the required steps for redirecting the Microsoft ForeFront Endpoint Protection (MSFEP) AV Pattern Files to a different location.


When a machine provisioned by Citrix Provisioning Services is rebooted, and the provisioned vDisk uses Standard Image Mode with the write cache on the device's hard disk or on the server's hard disk, it loses the changes that were written to the write cache file. That means that changes to the C: drive are lost after a reboot of the machine.

MSFEP, by default, writes the AV pattern files to C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates.

That means that AV pattern files that are downloaded in this folder are lost after a reboot and need to be re-downloaded. To preserve the downloaded AV pattern files we are going to redirect the location of the downloaded AV pattern files to the write cache disk. I say write cache disk, not write cache file!

Steps for Redirecting the AV Pattern Files

IMPORTANT: Redirecting the AV pattern files involves changing settings in the Windows Registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

In this example we are going to redirect the AV pattern files to D:\FEP.

1. Stop the service Microsoft Antimalware Service.
2. Create the folder D:\FEP.
3. Open the Registry Editor and browse to HKLM\Software\Microsoft\Microsoft Antimalware.
4. Change ProductAppDataPath to D:\FEP.

You'll notice an error saying that you can't change the value. This is because only the SYSTEM account has enough permission to change settings in the Microsoft Antimalware registry key and its sub keys. There are two options.

1) Change ownership of the Microsoft Antimalware registry key and continue.

2) Perform the changes using the SYSTEM account. (Recommended)

In this example we use the recommended method, the SYSTEM account. We do this with the utility PsExec.exe, so we continue from the command line.

5. Type the command psexec /accepteula -s reg add "HKLM\Software\Microsoft\Microsoft Antimalware" /v ProductAppDataPath /t REG_SZ /d "D:\FEP" /f
   This changes the path where the AV pattern files are stored to D:\FEP. The -s switch makes PsExec execute the command under the SYSTEM account.
6. Type the command psexec /accepteula -s reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client" /v FileName /t REG_SZ /d "D:\FEP\Support\Application.etl" /f
   This changes the location of the first file for the Event Viewer. Events that are logged to the Event Viewer are redirected to the write cache disk and survive a reboot.
7. Type the command psexec /accepteula -s reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client WMI Providers" /v FileName /t REG_SZ /d "D:\FEP\Support\Providers.etl" /f
   This changes the location of the second file for the Event Viewer.
8. Reboot the server.
9. Type the command psexec /accepteula -s cmd.exe /c rd /s /q "C:\ProgramData\Microsoft\Microsoft Antimalware"
   This removes the left-overs from the initial FEP configuration.
10. Type the command psexec /accepteula -s cmd.exe /c rd /s /q "C:\ProgramData\Microsoft\Microsoft Security Client"
   This removes the left-overs from the initial configuration.

The AV pattern files are now automatically downloaded to D:\FEP.


Example Scripts (CMD)

::Redirect AV Pattern Files (first script; run elevated, it reboots the server at the end)
net stop "Microsoft Antimalware Service"
cmd /c md "D:\FEP"
psexec /accepteula -s reg.exe add "HKLM\Software\Microsoft\Microsoft Antimalware" /v ProductAppDataPath /t REG_SZ /d "D:\FEP" /f
psexec /accepteula -s reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client" /v FileName /t REG_SZ /d "D:\FEP\Support\Application.etl" /f
psexec /accepteula -s reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client WMI Providers" /v FileName /t REG_SZ /d "D:\FEP\Support\Providers.etl" /f
shutdown /r /t 0

::Remove Left Over Initial Configuration (second script; run after the reboot,
::since commands placed after shutdown /r /t 0 in the first script would not reliably run)
psexec /accepteula -s cmd.exe /c rd /s /q "C:\ProgramData\Microsoft\Microsoft Antimalware"
psexec /accepteula -s cmd.exe /c rd /s /q "C:\ProgramData\Microsoft\Microsoft Security Client"
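The same redirection as a PowerShell script, with a verification function that checks what the comment thread below says should be true after a reboot (all three values point at the persistent disk, SignatureLocation names a GUID folder that exists, and only one GUID folder is present). This is an added example, not the author's script; the function names, the D:\FEP target and the psexec launch line are assumptions.

```powershell
# Added example, not the post's own script: applies the redirection from the steps
# above and then verifies it (every path on the persistent disk, SignatureLocation
# pointing at an existing GUID folder, no pile-up of GUID folders).
# The writes under "Microsoft Antimalware" still require SYSTEM, so launch it as:
#   psexec /accepteula -s powershell.exe -ExecutionPolicy Bypass -File .\Redirect-Fep.ps1
$FepRoot = 'D:\FEP'   # target used in the post; adjust to your write cache disk

$KeyAm   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'
$KeyLog1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client'
$KeyLog2 = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client WMI Providers'

function Set-FepRedirection {
    Stop-Service -Name 'Microsoft Antimalware Service' -ErrorAction Stop
    New-Item -ItemType Directory -Path $FepRoot -Force | Out-Null
    # Same three REG_SZ values that the reg.exe commands in the post write.
    New-ItemProperty -Path $KeyAm   -Name ProductAppDataPath -PropertyType String -Value $FepRoot -Force | Out-Null
    New-ItemProperty -Path $KeyLog1 -Name FileName -PropertyType String -Value (Join-Path $FepRoot 'Support\Application.etl') -Force | Out-Null
    New-ItemProperty -Path $KeyLog2 -Name FileName -PropertyType String -Value (Join-Path $FepRoot 'Support\Providers.etl') -Force | Out-Null
}

function Test-FepRedirection {
    # Returns $true only when the redirection is complete and definitions are reused.
    $ok = $true
    $paths = @(
        (Get-ItemProperty -Path $KeyAm).ProductAppDataPath,
        (Get-ItemProperty -Path $KeyLog1).FileName,
        (Get-ItemProperty -Path $KeyLog2).FileName
    )
    foreach ($p in $paths) {
        if (-not $p -or -not $p.StartsWith($FepRoot, 'OrdinalIgnoreCase')) {
            Write-Warning "Still on the C: drive or unset: '$p'"; $ok = $false
        }
    }
    # SignatureLocation must name the GUID folder of the active definitions on the persistent disk.
    $sig = (Get-ItemProperty -Path "$KeyAm\Signature Updates" -ErrorAction SilentlyContinue).SignatureLocation
    if (-not $sig -or -not (Test-Path -Path $sig)) {
        Write-Warning "SignatureLocation missing or points to a folder that does not exist: '$sig'"; $ok = $false
    }
    # Several GUID folders is the symptom reported in the comments: definitions are
    # re-downloaded on every boot instead of the persisted copy being reused.
    $guidDirs = @(Get-ChildItem -Path (Join-Path $FepRoot 'Definition Updates') -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
    if ($guidDirs.Count -gt 1) {
        Write-Warning "$($guidDirs.Count) GUID folders under Definition Updates; definitions are not being reused"; $ok = $false
    }
    return $ok
}

# Usage: Set-FepRedirection, reboot, let FEP update once, then run Test-FepRedirection.
```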
Ivan de Mes

Ivan de Mes works as an EUC Solution Architect for Login Consultants in The Netherlands. Ivan has over 19 years of experience in delivering workspace solutions at large customers in banking, health care, education and others.

In 2017, 2018 and 2019, Ivan was rewarded with the VMware vExpert status. In 2018 and 2019 Login VSI rewarded Ivan with the Login VSI Technology Advocate status.



11 Responses

  1. Sunil Modhvadia says:

    Tried this, redirection works fine but the signatures still seem to get updated on every reboot, I have quite a few update folders in D:\FEP\Definition Updates. On further investigation, I can see that even though there is a folder with the latest definition update, e.g. D:\FEP\Definition Updates\{37216C36-7078-40CA-B604-D926E3F4ABDD}, it will still show as Out of Date Update and force a redownload which creates a new folder with the same updates. Is this something you have seen?

    • Ivan says:

      Hi Sunil,

      I haven’t seen this issue. We only have one GUID folder with the latest update, one Backup folder and one Updates folder. Also the status of FEP is “Up to date”. Normally, when a new update is available, the current GUID folder should be replaced with a new GUID folder. There should not be a long list with GUID folders.

      Also, in the registry, SignatureLocation (in HKLM\Software\Microsoft\Microsoft Antimalware\Signature Updates) should point to the correct GUID folder. So when a new update is downloaded/installed and a new GUID folder is created with the latest update, this registry value should automatically be adjusted to this new GUID folder. You can check this process with the command C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe -signatureupdate -mmpc

      • Paul says:

        Hi Ivan,

        Like Sunil we have some machines that show more than 1 GUID folder under the Definition Updates. On these machines the Backup folder is not present.
        If we try the command line check it turns out OK and the reg keys are also pointing to existing folders on the persistent disk.
        I tried stopping the service and deleting all GUID folders but no result.
        Any idea how to solve this?
        I will delete 1 of the VMs and create a new one to see what happens.

        • Ivan says:

          Hi Paul,

          Did you use the above manual steps or did you use the example scripts? I wonder if there is a difference in behavior between those two. I used the scripts, and haven’t seen the issues that you and Sunil described. And I still use the scripted method in production when creating new versions of PVS images without problems.

      • James says:

        Been struggling with a similar setup using SCEP2012. Seems to me that the signature location registry entries are getting reset when the write cache resets on reboot. Given the use of these keys I'm having a hard time understanding how this can actually work across reboots.

        • Ivan says:

          Hi James,

          I have no experience with SCEP2012, but you could try exporting the location registry entries at system shutdown and importing the location registry entries at startup using a script and trigger exporting and importing using the startup/shutdown option in a GPO.

  2. Nawir says:

    Hi Ivan,

    Is it possible to store the definition updates on a file server so that I don't have to create a cache disk for each user?

  3. Mike Bijl says:

    Hey Ivan, cool post. I ran into your site while looking for exactly this solution. Implementing this right now. Thanks.

  4. Nagu says:

    Nice article! Very helpful.
    But how could you stop Microsoft Antimalware Service? This is a protected System Service which runs under SYSTEM context.
    However, I was able to redirect the folder to D:\Fep while the service was running and rebooted the machine.
    At the end I could not delete

    psexec /accepteula -s cmd.exe /c rd /s /q "C:\ProgramData\Microsoft\Microsoft Antimalware"

    psexec /accepteula -s cmd.exe /c rd /s /q "C:\ProgramData\Microsoft\Microsoft Security Client"

    • Ivan says:

      You can try starting a command prompt with the system account and use the net stop command to stop the service.

      psexec /accepteula -s -i cmd.exe