Malware is more complex today than it was many years ago. It operates at the filter driver, service, or rootkit level, and eliminating it is tough. Sometimes, you need to boot into the Windows Recovery Environment (Windows RE) and then delete the core malware files and services added to your Windows installation.
Microsoft Defender Offline takes care of this situation by running a quick scan even before the Operating System loads. When Defender detects a rootkit or other hard-to-remove malware while Windows is running, it suggests that you run an offline scan, showing the following message or a similar one.
We found malware on your device. Run an offline scan to remove it. Your PC will restart.
(or)
To complete the cleaning process your PC needs to be rebooted and cleaned with Microsoft Defender Offline. This will take approximately 15 minutes. Please save all your files before clicking on the button.
How to Start “Microsoft Defender Offline” Scan
Microsoft Defender Offline is an integrated feature in Windows 10 and 11. To start Defender Offline scan, use one of the following methods:
Method 1: Start Microsoft Defender Offline scan using GUI
Open Windows Security, click Virus and threat protection, and click “Scan options.”
Select Microsoft Defender Offline scan, and click Scan now.
Microsoft Defender Offline downloads a light-weight offline scanner, restarts the system, and runs a scan before loading Windows.
The light-weight offline scan image is about 2 MB, comprising the following files:
EppManifest.dll
mpasdesc.dll
MpClient.dll
MpCmdRun.exe
MpCommu.dll
MpSvc.dll
MpTpmAtt.dll
MsMpCom.dll
MsMpEng.exe
MsMpLics.dll
MsMpRes.dll
msseces.exe
OfflineScannerShell.exe
EN-US\MpSwpHelp.RTF
EN-US\MsMpRes.dll.mui
EN-US\offlinescannershell.exe.mui
EN-US\EppManifest.dll.mui
EN-US\EULA.RTF
EN-US\mpasdesc.dll.mui
Presumably, OfflineScannerShell.exe powers the scan in Windows RE, including locating the correct Operating System against which the scan has to be run. It’s completely automated and preconfigured to run a Quick scan using the definitions already in the system.
You’ll be prompted that you’re about to be signed out of Windows. After you are, your PC should restart. Microsoft Defender Offline will load and perform a quick scan of your PC in the recovery environment. There is no option to choose “Full scan” during the Microsoft Defender Offline scan.
When the scan has finished, your PC will automatically restart.
To view the scan results:
- Launch Windows Security > Virus & threat protection.
- On the Virus & Threat protection screen, under Current threats, select Scan options and Protection history.
Note: If the offline scan didn’t detect any malware, the Protection history page doesn’t show anything about the last offline scan.
Method 2: Start Microsoft Defender Offline scan using a protocol command
Right-click Start, and click Run.
Type windowsdefender://wdoscan/ and click OK.
You’ll see the following dialog now:
Save your work Microsoft Defender Offline scan will take some time and restart your device. Save all work before continuing.
After saving your work and closing all apps, click on the Scan button to start the Defender offline scan.
To learn more about other windowsdefender:// protocol commands, see the article Windows Security URL Shortcuts for Each Page (WindowsDefender://).
Method 3: Start Microsoft Defender Offline scan Using PowerShell
Previously, the Microsoft Defender offline scan could only be initiated using the following PowerShell command, or when Microsoft Defender Antivirus automatically suggested an offline scan while dealing with complex malware.
To start Windows Defender Offline scan using PowerShell, launch PowerShell as Administrator, and then run the following command:
Start-MpWDOScan
Press ENTER. The system will restart automatically within a minute and complete a quick scan in offline mode.
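The following wrapper is an added example, not part of the original article: it runs a few pre-flight checks before calling Start-MpWDOScan, because the offline scan uses the definitions already on the system and the restart follows within a minute. The function name and the 7-day definition age threshold are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks before requesting a Defender Offline scan.
# Start-DefenderOfflineScanChecked is a hypothetical name, not a built-in cmdlet.
function Start-DefenderOfflineScanChecked {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [int]$MaxSignatureAgeDays = 7   # assumed threshold; tune to your policy
    )

    # Querying the status first confirms that the Defender CIM provider loads.
    # If this call fails, stop and fix Defender before requesting the scan.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        throw "Cannot query Microsoft Defender: $($_.Exception.Message)"
    }

    if (-not $status.AntivirusEnabled) {
        throw 'Microsoft Defender Antivirus is not enabled on this system.'
    }

    # The offline scan relies on the definitions already on disk,
    # so refresh them while Windows still has network access.
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        Write-Warning "Definitions are $($status.AntivirusSignatureAge) days old; updating."
        Update-MpSignature -ErrorAction Stop
    }

    # The restart is automatic, so ask for explicit confirmation first.
    $target = $env:COMPUTERNAME
    if ($PSCmdlet.ShouldProcess($target, 'Restart into Microsoft Defender Offline')) {
        Start-MpWDOScan
    }
}

Start-DefenderOfflineScanChecked
```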
Microsoft Defender Offline Scan log
The Microsoft Defender Offline scan log is stored in “C:\Windows\Microsoft Antimalware\Support\msssWrapper.log”. If any threats were encountered during the scan, they will be recorded in the log as well as in the Windows Security → Protection history page. For more information, check out the article Microsoft Defender Offline Scan Stops at 91%?.
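To review the outcome after the PC has restarted, the added example below (not from the original article) collects the tail of the log at the path given above together with recent detections. The function name, the 24-hour lookback, and the assumption that offline detections surface through Get-MpThreatDetection in the same way as in Protection history are mine; the log's internal format is not parsed.

```powershell
# Added example: summarize the last Defender Offline scan after the reboot.
# Get-DefenderOfflineScanResult is a hypothetical name, not a built-in cmdlet.
function Get-DefenderOfflineScanResult {
    [CmdletBinding()]
    param(
        # Log path as stated in the article
        [string]$LogPath = 'C:\Windows\Microsoft Antimalware\Support\msssWrapper.log',
        [int]$TailLines = 40,        # assumed: how much of the log to show
        [int]$LookbackHours = 24     # assumed: window for "recent" detections
    )

    $logWritten = $null
    $logTail = @()
    if (Test-Path -LiteralPath $LogPath) {
        # An old timestamp means the requested offline scan never ran.
        $logWritten = (Get-Item -LiteralPath $LogPath).LastWriteTime
        $logTail = @(Get-Content -LiteralPath $LogPath -Tail $TailLines)
    } else {
        Write-Warning "No offline scan log at $LogPath; the scan may not have run."
    }

    # Detections recorded inside the lookback window, with threat names resolved.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $detections = @(Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            $threat = Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Detected  = $_.InitialDetectionTime
                Threat    = $threat.ThreatName
                Resources = $_.Resources -join '; '
                Cleaned   = $_.ActionSuccess
            }
        })

    [pscustomobject]@{
        LogLastWritten = $logWritten
        LogTail        = $logTail
        Detections     = $detections
    }
}

$result = Get-DefenderOfflineScanResult
$result.Detections | Format-Table -AutoSize
$result.LogTail
```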
Related
Help protect my PC with Windows Defender Offline – Windows Help
Start-MpWDOScan (Defender) | Microsoft Learn
Microsoft Defender Offline Scan Stops at 91%?
(This post has been last modified on April 29, 2024.)
Use Norton 360 do not need this defender thing!!
I tried the Windows Defender offline scan with Windows PowerShell as an administrator, but when I hit Enter, it says –
Start -MPWDOScan : provider load failure At Line :1 char :1 + Start -MPWDOScan + ~~~~~~~~ + category info : Notspecified: (MSFT_MpWDOScan:ROOT\Microsoft\ . . .\MSFT_MpWDOScan) [Start -MPWDOScan], CimException + FullyQualifiedErrorId : HRESULT 0x80041013,Start -MPWDOScan
Any help
@Asis: Please post your query here. I’ll take a look.