Windows Defender can detect and remove malware and viruses, but it doesn’t catch Potentially Unwanted Programs or crapware by default. However, there is an opt-in feature which you can enable by editing the registry, to make Windows Defender scan and eliminate adware, PUAs or PUPs in real-time.
Potentially Unwanted Program (PUP), Potentially Unwanted Application (PUA) and Potentially Unwanted Software (PUS) refer to the category of software which are considered unwanted, untrusted or undesirable. PUPs include adware, dialers, fake “optimizer” programs, toolbars and search bars that come bundled with applications.
PUAs don’t fall under the definition of “malware” as they’re not malicious, but still, some PUAs are classified as “risky.”
Bottom line: You don’t need “Potentially Unwanted” stuff in your system regardless of the risk level unless you seriously believe that the benefits offered by a particular program outweigh the risks or inconvenience created by the PUP which accompanied the main program.
Now, here is how to enable scanning and removal of adware, PUPs or PUAs using Windows Defender (in Windows 8 and higher).
There are three different ways to enable PUA protection in Windows Defender, but I’m unsure which setting takes precedence in the event of a conflict. The registry location is different in each method described. It’s advisable to use only one of the following methods to avoid confusion.
Start PowerShell (powershell.exe) as administrator.
Run the following command and press ENTER:
Set-MpPreference -PUAProtection 1
This PowerShell command adds a registry value to the following key:
- Value: PUAProtection
- Data: 1 – enables PUA protection | 0 – disables protection
Note that manually setting the registry value would still work. But the above registry path is protected and can’t be edited using the Registry Editor unless you’re editing it as SYSTEM.
This method uses the same registry value but implements it under the Policies registry key.
Start Regedit.exe and go to the following key:
Create a DWORD value named PUAProtection
Double-click PUAProtection and set its value data to 1.
Start the Registry Editor (regedit.exe) and go to the following key:
Create a subkey named “MpEngine”
Under MpEngine, create a DWORD value named MpEnablePus
Double-click MpEnablePus and set its value data to 1
This configures Windows Defender to enable real-time scanning and removal of “Potentially Unwanted” stuff.
Exit the Registry Editor.
Of those three methods, 1 & 2 are not yet documented by Microsoft — but I managed to find them out when playing with PowerShell. Methods 1 & 2 were tested in a system running Windows 10. Method 3 was initially published by the MMPC blog.
Apply the changes
Do one of these things to apply the changes:
- Turn off real-time protection, and turn it back on.
- Update Windows Defender definitions
- Restart Windows
PUA will be blocked only at download or install time. A file will be included for blocking if it meets one of the following conditions:
- The file is being scanned from the browser
- The file has Mark of the Web (Zone ID) set
- The file is in the Downloads folder
- The file in the %temp% folder
Does Windows Defender PUA Protection work in systems that are not part of a corporate enterprise network?
This opt-in Windows Defender feature was announced last year by the Microsoft Malware Protection Center (MMPC) blog. But, as the MMPC blog post references only “enterprise” systems, some home users may be wondering whether or not the PUA detection feature works on standalone computers.
Yes. Windows Defender PUA scanning works in standalone systems, as well.
The following test shows that Windows Defender PUA detection certainly works in systems that are not part of a domain network.
MMPC Security Portal has the complete list of “Potentially Unwanted Programs” or “Potentially Unwanted Applications,” each threat name is prefixed with “PUA:”.
For example, PUA: Win32/CandyOpen is a PUP/PUA bundled with Magical jelly bean Keyfinder and other programs.
(Magical Jelly Bean Keyfinder, otherwise is a useful piece of software.)
Before activating Windows Defender PUA protection, I downloaded Magicaljellybean’s Keyfinder and tried to run it on a Windows 10 v1607 standalone computer. Windows Defender allowed me to download the installer, as well as run it.
After setting the “MpEnablePus” value data to 1 using the Registry Editor and updating the definitions, Windows Defender blocked the setup program from running.
Also, when I tried to download a new copy of the Keyfinder installer, the file was blocked as it landed up in the Downloads or %temp% folder. The result was the same when I chose a folder other than “Downloads”.
And the Windows Defender notification message was shown.
Windows Defender has found an untrusted app
Your IT settings cause the blocking of any app that might perform unwanted actions on your computer
Whereas, the notification message verbatim is different for “malware” detections; in which case it would say “Found some malware”.
And the PUA was quarantined, as shown in the Windows Defender scan history.
Magical Jelly Bean Keyfinder seems to bundle different PUAs in its installer from time to time. When tested in May 2019, the installer contained a different PUA (named
PUA:Win32/Vigua.A) with threat level “Severe”.
The notification message is different this time. It said “Windows Defender Antivirus blocked an app that might perform unwanted actions on your device.”
Conclusion: The Windows Defender PUA detection feature can be handy for systems that don’t already leverage a third-party premium anti-malware solution (e.g., Malwarebytes Antimalware Premium) with real-time monitoring capability. Hope Microsoft adds a GUI option to enable PUA scanning feature in Windows Defender, like the Limited Periodic Scanning opt-in feature (and the GUI option) in Windows 10.
About the author
Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.