How to tell if Offline Defender scan ran successfully?

I tried to run the "offline scan".  It rebooted, looks like it did something, and then looks like it booted to normal windows.

According to what I could find on the web, it should have put a log file in "C:\windows\Microsoft\Antimalware\Support" folder, but that folder doesn't exist.  

Is the log somewhere else?  Did the scan actually run?  Was it successful, or did some malware prevent it from running?

Hi,

Thank you for posting your query. I am a Community adviser. Let me help you with the best that I can.

You can easily check whether the scan was successful by going into Settings > Update & Security > Windows Security > Virus threat & protection. You can see when the last scan was, the threats found, how long the scan took, and how many files were scanned. You can also see below whether your security intelligence is up to date for virus protection.

I hope this helps resolve your concern! Please let me know if you have further concerns.

Sincerely,

Paulo M.
Expert

You didn't answer my question about the file location.  Do you know if there should be such a folder?  It doesn't exist.

Also, I think for a while, if I click on the protection history, the Defender dialog crashes.  It works fine on my wife's machine.

… time passes ...

Ok, I was able to find the History.log file in "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service".  However, it is empty even though quick scans and full scans have been run in the past.

My wife's machine runs the offline scan fine and the file contains information.

1 person found this reply helpful

Hi Mark,
Any results of off-line operations are stored in the system journal (Event Viewer).
------------------
If you find someone's post helpful, please mark it as an answer and rate it. This will help other users to find answers to their similar questions.

I wonder if this is a wise thing to do in PowerShell:

Add-AppxPackage -register "C:\Program Files\WindowsApps\Microsoft.Windows.SecHealthUI_10.0.18362.449_neutral__cw5n1h2txyewy\appxmanifest.xml" -DisableDevelopmentMode

Maybe this will allow it to update the "protection history" access that is crashing Defender when I try to look at the offline status results?

What do I look for in Event Viewer?

See list of events at https://docs.microsoft.com/en-us/windows/securi...

You may send your comments to Microsoft using Feedback Hub.
How do I tell which of those events are normal Defender antimalware running vs. the offline scan?

I did a "find" on MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED

But it didn't find that anywhere.  Does that mean it didn't run for some reason, or does find not work for that?
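
Added example (not part of any post in this thread): one way to separate offline-scan events from regular scan events is to filter the Defender operational log by numeric event ID instead of searching for the symbolic name. It assumes the IDs in Microsoft's Defender Antivirus event list (2030 is MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED, 2031 is the install failure, 1000/1001/1002/1005 are regular scans); the function names and the 14-day window are hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'

# Event IDs as listed in Microsoft's Defender Antivirus event documentation.
$Known = @{
    1000 = 'Regular scan started'
    1001 = 'Regular scan completed'
    1002 = 'Regular scan stopped before completion'
    1005 = 'Regular scan failed'
    2030 = 'Offline scan installed (set to run on next reboot)'
    2031 = 'Offline scan install FAILED'
}

# Hypothetical helper: list scan-related events, oldest first.
function Get-DefenderScanEvents {
    param([int]$Days = 14)
    $filter = @{
        LogName   = $LogName
        Id        = [int[]]@($Known.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Meaning'; e = { $Known[[int]$_.Id] } }
}

# Hypothetical helper: report whether the offline scan was ever staged.
# 2030 only records staging; it does not by itself prove the scan finished.
function Test-OfflineScanStaged {
    param([int]$Days = 14)
    $offline = @(Get-DefenderScanEvents -Days $Days | Where-Object { $_.Id -in 2030, 2031 })
    if ($offline.Count -eq 0) {
        "No 2030/2031 events in the last $Days days: no record that an offline scan was staged."
    } else {
        $last = $offline[-1]
        "Last offline-scan event: $($last.Id) ($($last.Meaning)) at $($last.TimeCreated)"
    }
}

Get-DefenderScanEvents | Format-Table -AutoSize
Test-OfflineScanStaged

# History.log location reported earlier in this thread; show its size and timestamp.
$history = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\History.log'
if (Test-Path $history) { Get-Item $history | Select-Object FullName, Length, LastWriteTime }
```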

A possible related problem is that I can't open the "Protection history" under Settings "Virus & threat protection".  I'm wondering if the offline scan is trying to write something there and can't.

After I start the offline scan, and the reboot happens, I see what looks like a DOS window flash, and then I see a little dialog with a green progress bar, and then the PC restarts.

That all takes about 2 minutes or less.  I thought the scan was supposed to be about 15 minutes, but that problem depends on the CPU, disk, etc.

But so far I haven't seen an indication that the scan actually ran.

… time passes ...

I watched a video of what appears to be an older version of the OS running the offline scan.  I saw the green progress bar dialog, but THEN there was a tabbed dialog that showed up and could show scan progress.  That didn't happen for me.  So I think the offline scan is not able to start.

Now what?

… time passes ...

Tried it on my wife's PC and it worked the same as mine, but when I looked in Event Viewer, there was not even the Saved Logs node which I DO have.

1 person found this reply helpful

Please check Windows files with the commands:
sfc /scannow
and
DISM.exe /Online /Cleanup-Image /RestoreHealth
These need to be run from a Windows PowerShell (administrator) environment.
Question Info


Last updated April 19, 2025 Views 2,451 Applies to: