Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. It utilizes Windows RE to run the offline scan.
During the Microsoft Defender Offline scan, it may appear to the user that the scan stalled or crashed at 91%, 92%, or 93% on some systems. This article tells you how to check if the last Microsoft Defender Offline scan was completed correctly.
Cause
The “Percent complete” indicator in the Microsoft Defender Offline scan is entirely inaccurate. For example, check these images.
92622 files have been scanned. The percentage is 93.
95417 files have been scanned. The percentage remains at 93.
115417 files have been scanned. The percentage remains at 93.
As long as the number in the “Items scanned” increases, it means scanning progresses well.
It’s OK if Microsoft Defender Offline closes and reboots the computer before the progress percentage reaches 100%. Not sure on what basis the “percent complete” value is calculated, but it’s not even approximate. Therefore, the field should be ignored completely.
Check the status of the last Offline Scan
To correctly know the status or the return code of the previous Microsoft Defender Offline scan, inspect the msssWrapper.log
file. The log file is located in the following path:
C:\Windows\Microsoft Antimalware\Support\msssWrapper.log
The recent entries are at the bottom of the log. Open the log using Notepad and scroll to the bottom part of the file.
If you see the following line at the end of the log, it means the last scan ran correctly.
Offline scan completed with 0x00000000
(Code 0
or 0x00000000
means SUCCESS.)
The Microsoft article Microsoft Defender Offline in Windows | Microsoft Learn states the following:
Where can I find the scan results?
To see the Microsoft Defender Offline scan results:
- Select Start, then Settings > Update & Security > Windows Security > Virus & threat protection.
- On the Virus & Threat protection screen, under Current threats, select Scan options and Protection history.
Screenshots:
However, the above applies only if the offline scan detected malware. Else, the Protection history page doesn’t show anything about the last offline scan.
INFO: A sample msssWrapper.log file
Here are the contents of a sample msssWrapper.log
file.
START 2024/04/28 15:48:41:800 TID:1692 PID:1660 INFO 2024/04/28 15:48:41:800 TID:1692 PID:1660 Loading offline registry library returned 0x00000000 INFO 2024/04/28 15:48:41:800 TID:1692 PID:1660 Binary architecture is amd64 INFO 2024/04/28 15:48:41:831 TID:1692 PID:1660 UtilIsFileExists(E:\WINDOWS\SysWOW64\ntdll.dll) returned 0x00000000 INFO 2024/04/28 15:48:41:831 TID:1692 PID:1660 CheckProcessorArchitecture returned 0x00000000 INFO 2024/04/28 15:48:41:831 TID:1692 PID:1660 Setting target OS key: "E:\WINDOWS" INFO 2024/04/28 15:48:41:831 TID:1692 PID:1660 SetRecoveryEnvironmentKey returned 0x00000000 INFO 2024/04/28 15:48:41:940 TID:1692 PID:1660 Mapping target OS C drive to WinPE E drive INFO 2024/04/28 15:48:41:940 TID:1692 PID:1660 Mapping target OS D drive to WinPE C drive INFO 2024/04/28 15:48:41:940 TID:1692 PID:1660 Mapping target OS E drive to WinPE D drive INFO 2024/04/28 15:48:41:972 TID:1692 PID:1660 BuildTargetOSDriveMapping returned 0x00000000 INFO 2024/04/28 15:48:41:972 TID:1692 PID:1660 Searching for signatures. Default signature path: "" INFO 2024/04/28 15:48:41:972 TID:1692 PID:1660 Searching for signatures at root of drives... WARNING 2024/04/28 15:48:41:972 TID:1692 PID:1660 Missing definitions file in 'C:\mpam-fex64.exe' WARNING 2024/04/28 15:48:41:972 TID:1692 PID:1660 Missing definitions file in 'D:\mpam-fex64.exe' WARNING 2024/04/28 15:48:41:972 TID:1692 PID:1660 Missing definitions file in 'E:\mpam-fex64.exe' WARNING 2024/04/28 15:48:41:972 TID:1692 PID:1660 Missing definitions file in 'F:\mpam-fex64.exe' WARNING 2024/04/28 15:48:41:972 TID:1692 PID:1660 Missing definitions file in 'X:\mpam-fex64.exe' INFO 2024/04/28 15:48:41:972 TID:1692 PID:1660 Searching for signatures from installed product on target OS INFO 2024/04/28 15:48:42:987 TID:1692 PID:1660 Looking for Defender registry key on target OS INFO 2024/04/28 15:48:42:987 TID:1692 PID:1660 Mapped target os path (C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F79A0553-A974-4973-A00E-6391E4B00807}) to winpe path (E:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F79A0553-A974-4973-A00E-6391E4B00807}) INFO 2024/04/28 15:48:42:987 TID:1692 PID:1660 Found signatures on the target OS at E:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F79A0553-A974-4973-A00E-6391E4B00807} INFO 2024/04/28 15:48:43:081 TID:1692 PID:1660 SearchForSignatures returned 0x00000000 INFO 2024/04/28 15:48:44:096 TID:1692 PID:1660 Looking for Defender registry key on target OS INFO 2024/04/28 15:48:44:096 TID:1692 PID:1660 Mapped target os path (C:\ProgramData\Microsoft\Windows Defender) to winpe path (E:\ProgramData\Microsoft\Windows Defender) INFO 2024/04/28 15:48:44:205 TID:1692 PID:1660 Initializing offline environment and service... INFO 2024/04/28 15:48:45:911 TID:1692 PID:1660 XCopySignatures returned hr = 0x0 INFO 2024/04/28 15:48:57:054 TID:1692 PID:1660 GetTempPath2W where sigs would unpack = INFO 2024/04/28 15:48:57:054 TID:1692 PID:1660 Signatures are already fairly recent. Skipping sig update. INFO 2024/04/28 15:48:57:054 TID:1692 PID:1660 AS Signature Version: 1.409.569.0 INFO 2024/04/28 15:48:57:054 TID:1692 PID:1660 Engine Version: 1.1.24030.4 INFO 2024/04/28 15:48:57:054 TID:1692 PID:1660 Launching user interface... INFO 2024/04/28 15:48:57:054 TID:1692 PID:1660 Auto-scan mode selected... INFO 2024/04/28 15:48:57:069 TID:1692 PID:1660 Registered for notifications INFO 2024/04/28 15:48:57:069 TID:1692 PID:1660 Automatic scan started INFO 2024/04/28 15:48:57:069 TID:1692 PID:1660 Launched Console UI, waiting... INFO 2024/04/28 15:56:19:770 TID:1704 PID:1660 CALLBACK: Scan complete. hResult=0x0, threat count=1 INFO 2024/04/28 15:56:19:770 TID:1692 PID:1660 Wait finished (Scan signaled) INFO 2024/04/28 15:56:19:770 TID:1692 PID:1660 Getting results from scan... INFO 2024/04/28 15:56:19:770 TID:1692 PID:1660 Scan completed successfully, attempting to clean any active malware. Number of threats from scan: 1 INFO 2024/04/28 15:56:19:770 TID:1692 PID:1660 STARTING LIST OF DETECTED THREATS: INFO 2024/04/28 15:56:19:770 TID:1692 PID:1660 1: Found HackTool:Win32/DefenderControl!MSR (0x80042394). INFO 2024/04/28 15:56:19:770 TID:1692 PID:1660 Resource 1: Main OS based Path = C:\Program Files (x86)\DefenderControl\dControl.exe WinRE based Path = E:\Program Files (x86)\DefenderControl\dControl.exe. INFO 2024/04/28 15:56:19:770 TID:1692 PID:1660 Resource 2: Main OS based Path = C:\Users\Public\Desktop\DefenderControl.lnk WinRE based Path = E:\Users\Public\Desktop\DefenderControl.lnk. INFO 2024/04/28 15:56:19:770 TID:1692 PID:1660 LIST OF DETECTED THREATS COMPLETE. Found 0 threats requiring user-defined action. INFO 2024/04/28 15:56:19:770 TID:1692 PID:1660 STARTING CLEANING (using default action on all detected threats): INFO 2024/04/28 15:56:25:051 TID:1692 PID:1660 CALLBACK: Scan complete. hResult=0x0, threat count=1 INFO 2024/04/28 15:56:25:472 TID:1692 PID:1660 Remediation: Successfully completed action Quarantine on threat 0x80042394. INFO 2024/04/28 15:56:25:472 TID:1692 PID:1660 CLEANING COMPLETE. INFO 2024/04/28 15:56:25:488 TID:1692 PID:1660 RunCallisto returned 0x00000000 INFO 2024/04/28 15:56:25:535 TID:1692 PID:1660 PreserveCallistoDetections returned 0x00000000 ERROR 2024/04/28 15:56:25:535 TID:1692 PID:1660 Unable to open the offline HKLM SOFTWARE hive with 0x80070020 ERROR 2024/04/28 15:56:25:535 TID:1692 PID:1660 Unable to open the offline HKLM hive with 0x80070020 INFO 2024/04/28 15:56:25:535 TID:1692 PID:1660 SetOfflineScanRunFlag returned 0x80070020 INFO 2024/04/28 15:56:25:535 TID:1692 PID:1660 Offline scan completed with 0x00000000 FINISH 2024/04/28 15:56:25:535 TID:1664 PID:1660
The above log shows that a threat was found and remediated. It’s also shown in the Protection history page.
Editor’s note: In addition to msssWrapper.log
, you may find the following logs helpful.
C:\Windows\Microsoft Antimalware\Support\MPDetection-[date]-[time].log C:\Windows\Microsoft Antimalware\Support\MPLog-[date]-[time].log
I hope the above information helps. Let’s know your comments.
One small request: If you liked this post, please share this?
One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:- Pin it!
- Share it to your favorite blog + Facebook, Reddit
- Tweet it!