Windows Defender Offline scanning is one of the new settings added by the Windows 10 Anniversary Update. Although Defender Offline has already been a built-in feature in Windows 10 since the early builds, the GUI option is added in the Windows Defender Settings page only after you install the Anniversary Update (v1607).
Nowadays malware are more complex than they were many years ago. They operate at the filter driver, service or rootkit level and to eliminate them is very tough. In some cases, you need to boot to the Windows RE environment (or using a Linux boot media) and then delete the core malware files and services added in your Windows installation.
Windows Defender Offline takes care of this situation by running a quick scan even before the Operating System loads. When Windows Defender detects a rootkit or any other tough malware when Windows is running, it suggests you run an offline scan, showing the following message or similar.
To complete the cleaning process your PC needs to be rebooted and cleaned with Windows Defender Offline. This will take approximately 15 minutes. Please save all your files before clicking on the button.
Start “Windows Defender Offline” Scan Using Windows Defender Settings
Open Settings (WinKey + i), click Update & Security and select Windows Defender.
Click Scan Offline. It silently downloads a light-weight offline scanner, restarts the system and runs a scan before loading Windows.
The light-weight offline scan image is about ~2 MB comprising the following files in it:
EppManifest.dll mpasdesc.dll MpClient.dll MpCmdRun.exe MpCommu.dll MpSvc.dll MpTpmAtt.dll MsMpCom.dll MsMpEng.exe MsMpLics.dll MsMpRes.dll msseces.exe OfflineScannerShell.exe EN-US\MpSwpHelp.RTF EN-US\MsMpRes.dll.mui EN-US\offlinescannershell.exe.mui EN-US\EppManifest.dll.mui EN-US\EULA.RTF EN-US\mpasdesc.dll.mui
Presumably OfflineScannerShell.exe is the one that powers the scan in Windows RE, including the task of locating the correct Operating System against which the scan has to be run. It’s completely automated and preconfigured to run a Quick scan using the definitions that’s already in the system.
Start “Windows Defender Offline” scan Using PowerShell
Previously, Windows Defender offline scan could only be initiated using the following PowerShell cmdlet, or if Windows Defender automatically suggests an offline scan when dealing with complex malware or rootkit infection.
To start Windows Defender Offline scan using PowerShell, launch PowerShell as Administrator, and then run the following command:
Press ENTER. The system will restart automatically within in a minute and complete a quick scan in offline mode. There is no setting available to change it to full scan though.
Windows Defender Offline in Windows 7 and Windows 8
Windows Defender Offline is now an integrated feature in Windows 10. If you’re using Windows 7 or 8, you can create a Windows Defender Offline boot media (USB drive or CD/DVD) using the scan image which you can download from Microsoft site. Check out Help protect my PC with Windows Defender Offline – Windows Help to download the bootable Windows Defender Offline scan image in Windows 7 or Windows 8. Make sure you download the correct version (x86 vs x64) for your system.
See also How to Create a Windows Defender Offline Bootable Media and Run a Scan.