Microsoft Defender Offline Scan Stops at 91%?

Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. It utilizes Windows RE to run the offline scan.

During the Microsoft Defender Offline scan, it may appear to the user that the scan stalled or crashed at 91%, 92%, or 93% on some systems. This article tells you how to check if the last Microsoft Defender Offline scan was completed correctly.

Cause

The “Percent complete” indicator in the Microsoft Defender Offline scan is entirely inaccurate. For example, check these images.

92622 files have been scanned. The percentage is 93.

defender completes scan at 92%

95417 files have been scanned. The percentage remains at 93.

defender completes scan at 92%

115417 files have been scanned. The percentage remains at 93.

defender completes scan at 93%

As long as the number in the “Items scanned” increases, it means scanning progresses well.

It’s OK if Microsoft Defender Offline closes and reboots the computer before the progress percentage reaches 100%. Not sure on what basis the “percent complete” value is calculated, but it’s not even approximate. Therefore, the field should be ignored completely.

Check the status of the last Offline Scan

To correctly know the status or the return code of the previous Microsoft Defender Offline scan, inspect the msssWrapper.log file. The log file is located in the following path:

C:\Windows\Microsoft Antimalware\Support\msssWrapper.log

The recent entries are at the bottom of the log. Open the log using Notepad and scroll to the bottom part of the file.

If you see the following line at the end of the log, it means the last scan ran correctly.

Offline scan completed with 0x00000000

(Code 0 or 0x00000000 means SUCCESS.)



microsoft defender offline scan log

The Microsoft article Microsoft Defender Offline in Windows | Microsoft Learn states the following:

Where can I find the scan results?

To see the Microsoft Defender Offline scan results:

  • Select Start, then Settings > Update & Security > Windows Security > Virus & threat protection.
  • On the Virus & Threat protection screen, under Current threats, select Scan options and Protection history.
    Screenshots:

    microsoft defender offline scanner

    microsoft defender offline scanner - malware threat history
    Malware detected using Microsoft Defender (offline scan) – Protection history page

However, the above applies only if the offline scan detected malware. Else, the Protection history page doesn’t show anything about the last offline scan.

INFO: A sample msssWrapper.log file

Here are the contents of a sample msssWrapper.log file.

START  2024/04/28 15:48:41:800 TID:1692 PID:1660

INFO    2024/04/28 15:48:41:800 TID:1692 PID:1660
Loading offline registry library returned 0x00000000

INFO    2024/04/28 15:48:41:800 TID:1692 PID:1660
Binary architecture is amd64

INFO    2024/04/28 15:48:41:831 TID:1692 PID:1660
UtilIsFileExists(E:\WINDOWS\SysWOW64\ntdll.dll) returned 0x00000000

INFO    2024/04/28 15:48:41:831 TID:1692 PID:1660
CheckProcessorArchitecture returned 0x00000000

INFO    2024/04/28 15:48:41:831 TID:1692 PID:1660
Setting target OS key: "E:\WINDOWS"

INFO    2024/04/28 15:48:41:831 TID:1692 PID:1660
SetRecoveryEnvironmentKey returned 0x00000000

INFO    2024/04/28 15:48:41:940 TID:1692 PID:1660
Mapping target OS C drive to WinPE E drive

INFO    2024/04/28 15:48:41:940 TID:1692 PID:1660
Mapping target OS D drive to WinPE C drive

INFO    2024/04/28 15:48:41:940 TID:1692 PID:1660
Mapping target OS E drive to WinPE D drive

INFO    2024/04/28 15:48:41:972 TID:1692 PID:1660
BuildTargetOSDriveMapping returned 0x00000000

INFO    2024/04/28 15:48:41:972 TID:1692 PID:1660
Searching for signatures. Default signature path: ""

INFO    2024/04/28 15:48:41:972 TID:1692 PID:1660
Searching for signatures at root of drives...

WARNING 2024/04/28 15:48:41:972 TID:1692 PID:1660
Missing definitions file in 'C:\mpam-fex64.exe'

WARNING 2024/04/28 15:48:41:972 TID:1692 PID:1660
Missing definitions file in 'D:\mpam-fex64.exe'

WARNING 2024/04/28 15:48:41:972 TID:1692 PID:1660
Missing definitions file in 'E:\mpam-fex64.exe'

WARNING 2024/04/28 15:48:41:972 TID:1692 PID:1660
Missing definitions file in 'F:\mpam-fex64.exe'

WARNING 2024/04/28 15:48:41:972 TID:1692 PID:1660
Missing definitions file in 'X:\mpam-fex64.exe'

INFO    2024/04/28 15:48:41:972 TID:1692 PID:1660
Searching for signatures from installed product on target OS

INFO    2024/04/28 15:48:42:987 TID:1692 PID:1660
Looking for Defender registry key on target OS

INFO    2024/04/28 15:48:42:987 TID:1692 PID:1660
Mapped target os path (C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F79A0553-A974-4973-A00E-6391E4B00807}) to winpe path (E:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F79A0553-A974-4973-A00E-6391E4B00807})

INFO    2024/04/28 15:48:42:987 TID:1692 PID:1660
Found signatures on the target OS at E:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F79A0553-A974-4973-A00E-6391E4B00807}

INFO    2024/04/28 15:48:43:081 TID:1692 PID:1660
SearchForSignatures returned 0x00000000

INFO    2024/04/28 15:48:44:096 TID:1692 PID:1660
Looking for Defender registry key on target OS

INFO    2024/04/28 15:48:44:096 TID:1692 PID:1660
Mapped target os path (C:\ProgramData\Microsoft\Windows Defender) to winpe path (E:\ProgramData\Microsoft\Windows Defender)

INFO    2024/04/28 15:48:44:205 TID:1692 PID:1660
Initializing offline environment and service...

INFO    2024/04/28 15:48:45:911 TID:1692 PID:1660
XCopySignatures returned hr = 0x0

INFO    2024/04/28 15:48:57:054 TID:1692 PID:1660
GetTempPath2W where sigs would unpack = 

INFO    2024/04/28 15:48:57:054 TID:1692 PID:1660
Signatures are already fairly recent. Skipping sig update.

INFO    2024/04/28 15:48:57:054 TID:1692 PID:1660
AS Signature Version: 1.409.569.0

INFO    2024/04/28 15:48:57:054 TID:1692 PID:1660
Engine Version: 1.1.24030.4

INFO    2024/04/28 15:48:57:054 TID:1692 PID:1660
Launching user interface...

INFO    2024/04/28 15:48:57:054 TID:1692 PID:1660
Auto-scan mode selected...

INFO    2024/04/28 15:48:57:069 TID:1692 PID:1660
Registered for notifications

INFO    2024/04/28 15:48:57:069 TID:1692 PID:1660
Automatic scan started

INFO    2024/04/28 15:48:57:069 TID:1692 PID:1660
Launched Console UI, waiting...

INFO    2024/04/28 15:56:19:770 TID:1704 PID:1660
CALLBACK: Scan complete.  hResult=0x0, threat count=1

INFO    2024/04/28 15:56:19:770 TID:1692 PID:1660
Wait finished (Scan signaled)

INFO    2024/04/28 15:56:19:770 TID:1692 PID:1660
Getting results from scan...

INFO    2024/04/28 15:56:19:770 TID:1692 PID:1660
Scan completed successfully, attempting to clean any active malware.  Number of threats from scan: 1

INFO    2024/04/28 15:56:19:770 TID:1692 PID:1660
STARTING LIST OF DETECTED THREATS:

INFO    2024/04/28 15:56:19:770 TID:1692 PID:1660
1: Found HackTool:Win32/DefenderControl!MSR (0x80042394).

INFO    2024/04/28 15:56:19:770 TID:1692 PID:1660
        Resource 1: Main OS based Path = C:\Program Files (x86)\DefenderControl\dControl.exe  WinRE based Path = E:\Program Files (x86)\DefenderControl\dControl.exe.

INFO    2024/04/28 15:56:19:770 TID:1692 PID:1660
        Resource 2: Main OS based Path = C:\Users\Public\Desktop\DefenderControl.lnk  WinRE based Path = E:\Users\Public\Desktop\DefenderControl.lnk.

INFO    2024/04/28 15:56:19:770 TID:1692 PID:1660
LIST OF DETECTED THREATS COMPLETE. Found 0 threats requiring user-defined action.

INFO    2024/04/28 15:56:19:770 TID:1692 PID:1660
STARTING CLEANING (using default action on all detected threats):

INFO    2024/04/28 15:56:25:051 TID:1692 PID:1660
CALLBACK: Scan complete.  hResult=0x0, threat count=1

INFO    2024/04/28 15:56:25:472 TID:1692 PID:1660
Remediation: Successfully completed action Quarantine on threat 0x80042394.

INFO    2024/04/28 15:56:25:472 TID:1692 PID:1660
CLEANING COMPLETE.

INFO    2024/04/28 15:56:25:488 TID:1692 PID:1660
RunCallisto returned 0x00000000

INFO    2024/04/28 15:56:25:535 TID:1692 PID:1660
PreserveCallistoDetections returned 0x00000000

ERROR   2024/04/28 15:56:25:535 TID:1692 PID:1660
Unable to open the offline HKLM SOFTWARE hive with 0x80070020

ERROR   2024/04/28 15:56:25:535 TID:1692 PID:1660
Unable to open the offline HKLM hive with 0x80070020

INFO    2024/04/28 15:56:25:535 TID:1692 PID:1660
SetOfflineScanRunFlag returned 0x80070020

INFO    2024/04/28 15:56:25:535 TID:1692 PID:1660
Offline scan completed with 0x00000000

FINISH  2024/04/28 15:56:25:535 TID:1664 PID:1660

The above log shows that a threat was found and remediated. It’s also shown in the Protection history page.

defender offline - threat history in windows security

Editor’s note: In addition to msssWrapper.log, you may find the following logs helpful.

C:\Windows\Microsoft Antimalware\Support\MPDetection-[date]-[time].log
C:\Windows\Microsoft Antimalware\Support\MPLog-[date]-[time].log

I hope the above information helps. Let’s know your comments.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

Leave a Comment