notabot

Level 15
After something odd happened last week (either an infection or Windows getting messed up), protection history for WD tab just crashes after 1-2 secs.

Has anyone had something similar? Where does WD keep the protection history logs so that they can be reviewed independently of WD's UI?
 

matrixlord

Level 1
Yep, WD UI very useless.

Start CMD with admin and;

del "%systemdrive%\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*"

If still same, start CMD from troubleshoot and;

del "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"
 

SeriousHoax

Level 14
Verified
Malware Tester

notabot

Level 15
Yep, WD UI very useless.

Start CMD with admin and;

del "%systemdrive%\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*"

If still same, start CMD from troubleshoot and;

del "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"
Thanks! Also, how do I view the history? I'm worried it may be an infection (*), so I wouldn't mind looking at the history before deleting it.

(*) I had some other weird things happen after connecting to a hotel wifi: this, gfx drivers got messed up, an odd message from 1PW, etc. No scanner returns any infection, but WD's log would help me rule out anything nasty going on.
 

notabot

Level 15
You can restore some folders (look at the modified date). But if you already deleted all folders, you should run a full scan. Bonus: you can also use npe, malwarebytes and hitman.
I haven't deleted anything yet, but I don't see an obvious way to see protection history in a readable format from there.

I've done 2nd opinion scans with Emsisoft Emergency Kit, ESET Web and Kaspersky (also Kaspersky rootkit scanner); nothing came up.
 

notabot

Level 15
I use ConfigureDefender and there's an option called Defender Security Log to view the protection logs in a notepad file.
Thanks for this. I only see events since yesterday (a lot of events were generated because I reinstalled drivers), while the possible incident happened on Saturday. I wonder, is this trimming of the logs natural, or could it be that something deleted the logs? @Andy Ful, if you are aware, let me know!
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Thanks for this. I only see events since yesterday (a lot of events were generated because I reinstalled drivers), while the possible incident happened on Saturday. I wonder, is this trimming of the logs natural, or could it be that something deleted the logs? @Andy Ful, if you are aware, let me know!
Defender Security Log in ConfigureDefender shows the last 200 entries. If you want more entries then you can use the H_C or create the custom view in the Windows Event Viewer (the useful event IDs are enumerated in the ConfigureDefender Help).
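
As an added example (not part of the post above, and not ConfigureDefender's or H_C's own code), the same events can be read straight from the Defender operational log in an elevated PowerShell session, which also shows how far back the log currently reaches. The event ID selection is taken from Microsoft's Defender event documentation rather than from the ConfigureDefender Help list, and the 14-day window and CSV path are assumptions to adjust.

```powershell
# Added example: review Defender events without the Windows Security UI.
# Run in an elevated PowerShell session.
$log = 'Microsoft-Windows-Windows Defender/Operational'

# 1. Retention check: how large may the log grow, and what is the oldest
#    record still present? A recent oldest record on a Circular log that is
#    near its size limit points to normal rollover.
$cfg    = Get-WinEvent -ListLog $log
$oldest = Get-WinEvent -LogName $log -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
[pscustomobject]@{
    Mode        = $cfg.LogMode
    MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
    FileSizeMB  = [math]::Round($cfg.FileSize / 1MB, 1)
    Records     = $cfg.RecordCount
    OldestEvent = $oldest.TimeCreated
} | Format-List

# 2. Pull security-relevant events for the window of interest.
#    1006-1008, 1015  detections, actions taken, failed actions, behaviour
#    1013             malware history deleted
#    1116-1119        detection state and remediation results
#    1121, 1123       ASR and Controlled Folder Access blocks
#    5001, 5007       real-time protection disabled, configuration changed
$ids   = 1006, 1007, 1008, 1013, 1015, 1116, 1117, 1118, 1119, 1121, 1123, 5001, 5007
$since = (Get-Date).AddDays(-14)   # assumption: two weeks covers the incident
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue    # no matching events is not an error here

# 3. Summarise by event ID, then export everything for offline reading.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$out = Join-Path $env:USERPROFILE 'Desktop\defender-events.csv'   # assumed path
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv -Path $out -NoTypeInformation -Encoding UTF8
"Exported $(@($events).Count) events to $out"
```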
 

notabot

Level 15
Defender Security Log in ConfigureDefender shows the last 200 entries. If you want more entries then you can use the H_C or create the custom view in the Windows Event Viewer (the useful event IDs are enumerated in the ConfigureDefender Help).
Thanks Andy. I'm really surprised, then, that it manages to crash with just 200 entries to parse. MS has plenty of engineers who know how to parse a file properly; this protection history crash is one that really should not have come out in a release from a company such as Microsoft.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Thanks Andy. I'm really surprised, then, that it manages to crash with just 200 entries to parse. MS has plenty of engineers who know how to parse a file properly; this protection history crash is one that really should not have come out in a release from a company such as Microsoft.
The 200 entries limit is hardcoded by me in ConfigureDefender. I do not know how many entries can be visible via WD History feature in Windows Security Center.
But you are probably right that the crash of the WD History feature can be caused by too many entries. (y)
 

oldschool

Level 38
Verified
WSC crashes when checking protection history in SUA but works fine in AA. I used PowerShell to have it delete after 7 days. I have many, many CFA events so this may be the reason. And clearing Protection History does not seem to affect these. I tried all the suggestions listed here and from searches but nothing works. Still crashing. I think only a clean install will fix this.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
WSC crashes when checking protection history in SUA but works fine in AA. I used PowerShell to have it delete after 7 days. I have many, many CFA events so this may be the reason. And clearing Protection History does not seem to affect these. I tried all the suggestions listed here and from searches but nothing works. Still crashing. I think only a clean install will fix this.
That worked for me:
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-837954
 

notabot

Level 15
I never got the time to try any of the suggestions here.
Just wanted to say, protection history started working today, on its own, without me doing anything. Gotta love Windows :unsure:
Probably something got trimmed on its own and it can load the history again
 

oldschool

Level 38
Verified
I never got the time to try any of the suggestions here.
Just wanted to say, protection history started working today, on its own, without me doing anything. Gotta love Windows :unsure:
Probably something got trimmed on its own and it can load the history again
Protection history clears itself by default at 90-day intervals, if my memory is correct, but the interval may be changed via PowerShell if you like. Or maybe the crash issue was solved with a Windows update? :unsure:
 