Update ConfigureDefender utility for Windows 10

SeriousHoax

Level 38
Verified
Mar 16, 2019
2,732
protection history intended to keep history on purpose
It should give an option to delete those on purpose too. That's what almost all other security products do. The protection history is also known to crash randomly or when there are a lot of entries.
no, try yourself; let others do your work for you?
As I wrote, I installed a third-party AV recently so I don't have the option to check protection history from the WS UI at the moment. I don't want to remove the AV now so maybe someone else can check.
 

oldschool

Level 62
Verified
Mar 29, 2018
5,127
The protection history is also known to crash randomly or when there are a lot of entries.

maybe someone else can check.
I just tried to do that for you and it crashed! :rolleyes::ROFLMAO::ROFLMAO::ROFLMAO:

So I tried to clear the scans files and couldn't do it without changing permissions on the folder. When I tried to do this, Explorer just took forever so I cancelled the process. I don't remember encountering this roadblock when I've done it in the past. Maybe this method doesn't work anymore with the current build?
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,162
...
I don't know if the solution you showed works to remove ASR rules-related entries. Maybe Andy or someone else can try and share the info.
  1. Deleting the folder:
    "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\"
    removes the detection events from Defender's History. But, blocked events like those related to ASR rules are not removed. The ConfigureDefender Log does not change at all.
  2. Emptying the Event Log:



... removes all entries from ConfigureDefender's Log but does not remove any entries from Defender's History.

********************************************

There is a way to clear the Defender History. One has to temporarily stop the Defender service and:
  1. Delete the file: "c:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"
    This will remove the ASR entries from Defender's History.
  2. Delete the folder:
    "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\"
    This will remove other entries from Defender's History.
Stopping Defender service requires Trusted Installer privileges, so one has to use Defender Control (Sordum.org) or AdvancedRun (Nirsoft.net).
One can remove these files also using the recovery CMD shell.

Edit.
I noticed that it is not necessary to delete all files and subfolders in the folder:
"C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\"
Deleting the subfolder "DetectionHistory" is enough.
 

SeriousHoax

Level 38
Verified
Mar 16, 2019
2,732
There is a way to clear the Defender History. One has to temporarily stop the Defender service and:
  1. Delete the file: "c:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"
    This will remove the ASR entries from Defender's History.
  2. Delete the folder:
    "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\"
    This will remove other entries from Defender's History.
Stopping Defender service requires Trusted Installer privileges, so one has to use Defender Control (Sordum.org) or AdvancedRun (Nirsoft.net).
One can remove these files also using the recovery CMD shell.

Edit.
I noticed that it is not necessary to delete all files and subfolders in the folder:
"C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\"
Deleting the subfolder "DetectionHistory" is enough.
Thanks. It worked 🥳
It's Andy Ful's world and we are living in it 🤩
 

JoyousBudweiser

Level 12
Verified
Aug 22, 2013
587
I'm not talking about those logs, I'm talking about the logs in Windows Security's protection history. There should be options in the UI to delete those but there aren't any. I don't want to open protection history and be greeted with old unnecessary ASR rule blocking logs.
I don't know if the solution you showed works to remove ASR rules-related entries. Maybe Andy or someone else can try and share the info.


You can test this one too.....
  1. Open PowerShell with admin rights.
  2. Run the following command. Replace the number at the end with the number of days an item should remain in your protection history.
Set-MpPreference -ScanPurgeItemsAfterDelay 3
After the time expires, items that are older than the set number of days will be removed from Protection History
clear protection history 1 - AddictiveTips
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,162
You can test this one too.....
  1. Open PowerShell with admin rights.
  2. Run the following command. Replace the number at the end with the number of days an item should remain in your protection history.
After the time expires, items that are older than the set number of days will be removed from Protection History
clear protection history 1 - AddictiveTips
Does not work on my machine. The Defender History still shows the entries as before (some from a few months ago). The same after performing quick and custom scans. It is possible that this might work after the full scan.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,162
Instead of using Event Viewer to delete the Defender Operational events, one can use the Wevtutil tool in an Administrator PowerShell console or Administrator CMD console:

Code:
wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"

This will clear the "Defender Security Log" in ConfigureDefender and Defender-related events in the H_C.
The Defender History in Security Center will not be affected by this command.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,162
Please help.

I tried to clear the Defender History on two computers by using Administrator PowerShell:
Set-MpPreference -ScanPurgeItemsAfterDelay 7
But, without any effect (items from a few months are still present). Did anybody use it with success on Windows 10 20H2 or newer versions?

The default delay is 15 days (on a freshly installed Windows 10) and 30 days on older versions of Windows 10. So if one did not set it manually, then any item in Defender's History older than 15 (30) days suggests that this feature does not work on the computer.

The current setting (number of delay days) can be found via PowerShell like this:
(Get-MpPreference).ScanPurgeItemsAfterDelay
If the number is 0, then Windows Defender does not remove items.

It seems that someone else noticed this problem too:
https://www.bleepingcomputer.com/fo...s-about-windows-defender-windows-10-pro-2004/
 

JoyousBudweiser

Level 12
Verified
Aug 22, 2013
587
Please help.

I tried to clear the Defender History on two computers by using Administrator PowerShell:

But, without any effect (items from a few months are still present). Did anybody use it with success on Windows 10 20H2 or newer versions?

The default delay is 15 days (on a freshly installed Windows 10) and 30 days on older versions of Windows 10. So if one did not set it manually, then any item in Defender's History older than 15 (30) days suggests that this feature does not work on the computer.

The current setting (number of delay days) can be found via PowerShell like this:

If the number is 0, then Windows Defender does not remove items.

It seems that someone else noticed this problem too:
https://www.bleepingcomputer.com/fo...s-about-windows-defender-windows-10-pro-2004/
I have a theory (it's just a theory) for the command not working: if the number is "7", history only gets removed after 7 days and not instantly. So you might have to wait "7" days to see if it's working...
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,162
I have a theory (it's just a theory) for the command not working: if the number is "7", history only gets removed after 7 days and not instantly. So you might have to wait "7" days to see if it's working...
That would be very strange. But, I have used delay 1 on another computer, so we will see tomorrow.:)
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,162
Definitely, something is wrong with this feature.

The older History entries were not removed on my machine set to 1-day delay. I made this setting on 5 July. Furthermore, I noticed the same issue on Windows 11 installed on 15 July in the VM. I still have entries in Defender's History from 15 July (over 20 days ago). I did not change the default setting and checked that it is set to 15 days delay.

So, my question is still valid. Does anybody see this feature working?:unsure:
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,162
I confirmed that the ScanPurgeItemsAfterDelay feature does not remove most PUA (low severity) and ASR-related records in the Defender History. But, it can probably remove some serious threats related to Id=1116.
So, this feature works differently from:
  • deleting "c:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"
and
  • deleting the folder:
    "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\"

I found on my machine a few events with Id=1013:



As we can see, the difference between the date of deleting History event and the date of detection is 15 days (default delay). So, it seems that some records were removed from Defender's History by the ScanPurgeItemsAfterDelay feature.

Event ID: 1013
Symbolic name: MALWAREPROTECTION_MALWARE_HISTORY_DELETE
Message: The antimalware platform deleted history of malware and other potentially unwanted software.
Description: Microsoft Defender Antivirus has removed history of malware and other potentially unwanted software.
Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
User: <Domain>\<User>

From the description, this event should be related to deleting Defender's History (malware and PUA). Anyway, it does not delete all PUA, because I can still see some older PUA records in the Defender History.
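An added example, not from Andy Ful or this thread, for checking the same things on one's own machine with built-in cmdlets: it reads the configured delay, the oldest detection still on record and any Id=1013 purge events, then flags whether records older than the delay survive. It assumes that Get-MpThreatDetection reflects the same records the Protection History shows.

```powershell
# Added example (not from the thread): audit whether ScanPurgeItemsAfterDelay
# is actually purging Defender's history. Run in an elevated PowerShell console.
# Assumption: Get-MpThreatDetection mirrors the records in the Protection History.

function Test-DefenderHistoryPurge {
    $delay = (Get-MpPreference).ScanPurgeItemsAfterDelay
    if ($delay -eq 0) {
        Write-Warning 'ScanPurgeItemsAfterDelay is 0: Defender is configured to never purge history.'
    }

    # Oldest detection still on record, by initial detection time.
    $oldest = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Sort-Object InitialDetectionTime |
        Select-Object -First 1
    $oldestAge = if ($oldest) { [int]((Get-Date) - $oldest.InitialDetectionTime).TotalDays } else { 0 }

    # Event 1013 = MALWAREPROTECTION_MALWARE_HISTORY_DELETE (history was purged).
    $purges = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1013
    } -ErrorAction SilentlyContinue)

    # A record older than the configured delay means the purge did not remove it,
    # which is the behaviour reported in this thread for ASR and PUA entries.
    [pscustomobject]@{
        PurgeDelayDays    = $delay
        OldestDetection   = if ($oldest) { $oldest.InitialDetectionTime } else { $null }
        OldestAgeDays     = $oldestAge
        PurgeEventCount   = $purges.Count
        LastPurgeEvent    = if ($purges.Count) { ($purges | Sort-Object TimeCreated)[-1].TimeCreated } else { $null }
        PurgeAppearsStale = ($delay -gt 0 -and $oldestAge -gt $delay)
    }
}

Test-DefenderHistoryPurge | Format-List
```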
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,162
Post updated.

If one wants to clear the Defender History or solve the problem with crashing Defender History there is a simple solution.
  1. Download the AdvancedRun:
    for Windows 32-bit: https://www.nirsoft.net/utils/advancedrun.zip
    for Windows 64-bit: https://www.nirsoft.net/utils/advancedrun-x64.zip
  2. Run AdvancedRun.exe once and close it - the file AdvancedRun.cfg will be created
  3. Edit the config file AdvancedRun.cfg as it is shown below
  4. Disable Defender Tamper protection >> Run AdvancedRun.exe to clear the Defender History >> Enable Tamper Protection.
After running AdvancedRun it will automatically apply the settings and command lines from the AdvancedRun.cfg and the Defender History will be cleared.

The modified content of AdvancedRun.cfg is as follows:

Code:
...
EXEFilename=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine=net stop windefend; $path = 'c:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db'; if (Test-Path -Path $path) {Remove-Item $path}; $path = 'c:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory'; if (Test-Path -Path $path) {Remove-Item $path -Recurse}; net start windefend
AutoRun=1
...
RunAs=8
...

PowerShell is executed with the CommandLine.
AutoRun=1 means that AdvancedRun does not show the application window and automatically applies the AdvancedRun.cfg
RunAs=8 means that the process will be run with TrustedInstaller privileges.

The CommandLine simply stops the Windefend service, checks whether the file/folder exists and deletes it, then starts the Windefend service again.
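An added check, not part of Andy Ful's post, for confirming after step 4 that Defender is back in a protected state (service running, real-time protection and Tamper Protection on) and what is left on disk; it assumes the default Defender ProgramData path used in the config above.

```powershell
# Added example (not from the thread): run in an elevated PowerShell console
# after the AdvancedRun step to confirm Defender is protecting again.
# Assumption: Defender data lives under the default ProgramData path.

function Test-DefenderAfterHistoryClear {
    $scans  = 'C:\ProgramData\Microsoft\Windows Defender\Scans'
    $status = Get-MpComputerStatus

    $result = [pscustomobject]@{
        WinDefendRunning      = (Get-Service -Name WinDefend).Status -eq 'Running'
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        TamperProtection      = $status.IsTamperProtected   # step 4 turns it off and back on
        # Defender may recreate mpenginedb.db on service start (assumption).
        EngineDbPresent       = Test-Path (Join-Path $scans 'mpenginedb.db')
        DetectionHistoryFiles = @(Get-ChildItem -Path (Join-Path $scans 'History\Service\DetectionHistory') `
                                    -Recurse -File -ErrorAction SilentlyContinue).Count
        RemainingDetections   = @(Get-MpThreatDetection -ErrorAction SilentlyContinue).Count
    }

    if (-not $result.WinDefendRunning -or -not $result.RealTimeProtection) {
        Write-Warning 'Defender is not fully running; start the service and re-check.'
    }
    if (-not $result.TamperProtection) {
        Write-Warning 'Tamper Protection is still OFF. Re-enable it in Windows Security.'
    }
    return $result
}

Test-DefenderAfterHistoryClear | Format-List
```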
 

SearchLight

Level 12
Verified
Jul 3, 2017
591
If one wants to clear the Defender History or solve the problem with crashing Defender History there is a simple solution.
  1. Download the AdvancedRun:
    for Windows 32-bit: https://www.nirsoft.net/utils/advancedrun.zip
    for Windows 64-bit: https://www.nirsoft.net/utils/advancedrun-x64.zip
  2. Edit the config file AdvancedRun.cfg as it is shown below
  3. Run AdvancedRun.exe
After running AdvancedRun it will automatically apply the settings and command lines from the AdvancedRun.cfg and the Defender History will be cleared.

The modified content of AdvancedRun.cfg is as follows:

Code:
...
EXEFilename=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine=net stop windefend; $path = 'c:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db'; if (Test-Path -Path $path) {Remove-Item $path}; $path = 'c:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory'; if (Test-Path -Path $path) {Remove-Item $path -Recurse}; net start windefend
AutoRun=1
...
RunAs=8
...

PowerShell is executed with the CommandLine.
AutoRun=1 means that AdvancedRun does not show the application window and automatically applies the AdvancedRun.cfg
RunAs=8 means that the process will be run with TrustedInstaller privileges.

The CommandLine simply stops the Windefend service, checks whether the file/folder exists and deletes it, then starts the Windefend service again.
Andy, when you state to modify the cfg file with the above code, do you mean this:


I do not know if I edited the cfg file correctly but did above.

I then ran AdvancedRun and saw PowerShell stop MDefender, wait a few seconds, then restart it. My Protection History was blank. I hope it worked.

Thanks.
 

SeriousHoax

Level 38
Verified
Mar 16, 2019
2,732
Andy, when you state to modify the cfg file with the above code, do you mean this:

I do not know if I edited the cfg file correctly but did above.

I then ran AdvancedRun and saw PowerShell stop MDefender, wait a few seconds, then restart it. My Protection History was blank. I hope it worked.

Thanks.
Yeah, I think that's what he meant and it works perfectly (y)
But @Andy Ful, I think you should add that in order to have the "AdvancedRun.cfg" file, the program "AdvancedRun.exe" needs to be run at least once first.
Edit: Maybe you can also integrate this feature later into Configure Defender?
 

SearchLight

Level 12
Verified
Jul 3, 2017
591
Yeah, I think that's what he meant and it works perfectly (y)
But @Andy Ful, I think you should add that in order to have the "AdvancedRun.cfg" file, the program "AdvancedRun.exe" needs to be run at least once first.
Edit: Maybe you can also integrate this feature later into Configure Defender?
Agree because when it is downloaded, there is no cfg file in the app's zip file when it is decompressed, and not until the app is run.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,162
Andy, when you state to modify the cfg file with the above code, do you mean this:

I do not know if I edited the cfg file correctly but did above.

I then ran AdvancedRun and saw PowerShell stop MDefender, wait a few seconds, then restart it. My Protection History was blank. I hope it worked.

Thanks.

Yes, the config is OK. :)

...
Edit: Maybe you can also integrate this feature later into Configure Defender?
No, I am afraid not.
This tweak can be recognized as very suspicious by Defender and then ConfigureDefender (and Hard_Configurator) will be flagged as malicious. In such a case, the SmartScreen reputation of my applications would be destroyed.:(
I will rather try to inform Microsoft about this design bug in Defender's History.

Thanks for testing - I edited my previous post (added info that AdvancedRun.cfg is created after the first run).
 