Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. It utilizes Windows RE to run the offline scan.
During the Microsoft Defender Offline scan, it may appear to the user that the scan stalled or crashed at 91%, 92%, or 93% on some systems. This article tells you how to check if the last Microsoft Defender Offline scan was completed correctly.
Cause
The “Percent complete” indicator in the Microsoft Defender Offline scan is entirely inaccurate. For example, check these images.
92622 files have been scanned. The percentage is 93.
95417 files have been scanned. The percentage remains at 93.
115417 files have been scanned. The percentage remains at 93.
As long as the number in the “Items scanned” increases, it means scanning progresses well.
It’s OK if Microsoft Defender Offline closes and reboots the computer before the progress percentage reaches 100%. Not sure on what basis the “percent complete” value is calculated, but it’s not even approximate. Therefore, the field should be ignored completely.
Check the status of the last Offline Scan
To correctly know the status or the return code of the previous Microsoft Defender Offline scan, inspect the msssWrapper.log file. The log file is located in the following path:
C:\Windows\Microsoft Antimalware\Support\msssWrapper.log
The recent entries are at the bottom of the log. Open the log using Notepad and scroll to the bottom part of the file.
If you see the following line at the end of the log, it means the last scan ran correctly.
Offline scan completed with 0x00000000
(Code 0 or 0x00000000 means SUCCESS.)
Where can I find the scan results?
To see the Microsoft Defender Offline scan results:
- Select Start, then Settings > Update & Security > Windows Security > Virus & threat protection.
- On the Virus & Threat protection screen, under Current threats, select Scan options and Protection history.
However, the above applies only if the offline scan detected malware. Else, the Protection history page doesn’t show anything about the last offline scan.
INFO: A sample msssWrapper.log file
Here are the contents of a sample msssWrapper.log file.
START 2023/05/31 21:47:26:426 TID:1652 PID:1620
INFO 2023/05/31 21:47:26:426 TID:1652 PID:1620
Loading offline registry library returned 0x00000000
INFO 2023/05/31 21:47:26:426 TID:1652 PID:1620
Binary architecture is amd64
INFO 2023/05/31 21:47:26:458 TID:1652 PID:1620
UtilIsFileExists(E:\WINDOWS\SysWOW64\ntdll.dll) returned 0x00000000
INFO 2023/05/31 21:47:26:458 TID:1652 PID:1620
CheckProcessorArchitecture returned 0x00000000
INFO 2023/05/31 21:47:26:458 TID:1652 PID:1620
Setting target OS key: "E:\WINDOWS"
INFO 2023/05/31 21:47:26:458 TID:1652 PID:1620
SetRecoveryEnvironmentKey returned 0x00000000
INFO 2023/05/31 21:47:26:551 TID:1652 PID:1620
Mapping target OS C drive to WinPE E drive
INFO 2023/05/31 21:47:26:551 TID:1652 PID:1620
Mapping target OS D drive to WinPE C drive
INFO 2023/05/31 21:47:26:551 TID:1652 PID:1620
Mapping target OS E drive to WinPE D drive
INFO 2023/05/31 21:47:26:567 TID:1652 PID:1620
BuildTargetOSDriveMapping returned 0x00000000
INFO 2023/05/31 21:47:26:567 TID:1652 PID:1620
Searching for signatures. Default signature path: ""
INFO 2023/05/31 21:47:26:567 TID:1652 PID:1620
Searching for signatures at root of drives...
WARNING 2023/05/31 21:47:26:567 TID:1652 PID:1620
Missing definitions file in 'C:\mpam-fex64.exe'
WARNING 2023/05/31 21:47:26:567 TID:1652 PID:1620
Missing definitions file in 'D:\mpam-fex64.exe'
WARNING 2023/05/31 21:47:26:567 TID:1652 PID:1620
Missing definitions file in 'E:\mpam-fex64.exe'
WARNING 2023/05/31 21:47:26:567 TID:1652 PID:1620
Missing definitions file in 'F:\mpam-fex64.exe'
WARNING 2023/05/31 21:47:26:567 TID:1652 PID:1620
Missing definitions file in 'X:\mpam-fex64.exe'
INFO 2023/05/31 21:47:26:567 TID:1652 PID:1620
Searching for signatures from installed product on target OS
INFO 2023/05/31 21:47:27:691 TID:1652 PID:1620
Looking for Defender registry key on target OS
INFO 2023/05/31 21:47:27:707 TID:1652 PID:1620
Mapped target os path (C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6848C643-912D-47B8-B586-AA43428E6BAB}) to winpe path (E:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6848C643-912D-47B8-B586-AA43428E6BAB})
INFO 2023/05/31 21:47:27:707 TID:1652 PID:1620
Found signatures on the target OS at E:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6848C643-912D-47B8-B586-AA43428E6BAB}
INFO 2023/05/31 21:47:27:801 TID:1652 PID:1620
SearchForSignatures returned 0x00000000
INFO 2023/05/31 21:47:28:926 TID:1652 PID:1620
Looking for Defender registry key on target OS
INFO 2023/05/31 21:47:28:926 TID:1652 PID:1620
Mapped target os path (C:\ProgramData\Microsoft\Windows Defender) to winpe path (E:\ProgramData\Microsoft\Windows Defender)
INFO 2023/05/31 21:47:29:020 TID:1652 PID:1620
Initializing offline environment and service...
INFO 2023/05/31 21:47:30:182 TID:1652 PID:1620
XCopySignatures returned hr = 0x0
INFO 2023/05/31 21:47:39:316 TID:1652 PID:1620
GetTempPath2W where sigs would unpack =
INFO 2023/05/31 21:47:39:316 TID:1652 PID:1620
Signatures are already fairly recent. Skipping sig update.
INFO 2023/05/31 21:47:39:316 TID:1652 PID:1620
AS Signature Version: 1.391.27.0
INFO 2023/05/31 21:47:39:316 TID:1652 PID:1620
Engine Version: 1.1.23050.3
INFO 2023/05/31 21:47:39:316 TID:1652 PID:1620
Launching user interface...
INFO 2023/05/31 21:47:39:316 TID:1652 PID:1620
Auto-scan mode selected...
INFO 2023/05/31 21:47:39:331 TID:1652 PID:1620
Registered for notifications
INFO 2023/05/31 21:47:39:331 TID:1652 PID:1620
Automatic scan started
INFO 2023/05/31 21:47:39:331 TID:1652 PID:1620
Launched Console UI, waiting...
INFO 2023/05/31 21:58:11:989 TID:1712 PID:1620
CALLBACK: Scan complete. hResult=0x0, threat count=0
INFO 2023/05/31 21:58:11:989 TID:1652 PID:1620
Wait finished (Scan signaled)
INFO 2023/05/31 21:58:11:989 TID:1652 PID:1620
Getting results from scan...
INFO 2023/05/31 21:58:11:989 TID:1652 PID:1620
Scan completed successfully, attempting to clean any active malware. Number of threats from scan: 0
INFO 2023/05/31 21:58:11:989 TID:1652 PID:1620
RunCallisto returned 0x00000000
INFO 2023/05/31 21:58:11:999 TID:1652 PID:1620
PreserveCallistoDetections returned 0x00000000
ERROR 2023/05/31 21:58:11:999 TID:1652 PID:1620
Unable to open the offline HKLM SOFTWARE hive with 0x80070020
ERROR 2023/05/31 21:58:11:999 TID:1652 PID:1620
Unable to open the offline HKLM hive with 0x80070020
INFO 2023/05/31 21:58:11:999 TID:1652 PID:1620
SetOfflineScanRunFlag returned 0x80070020
INFO 2023/05/31 21:58:11:999 TID:1652 PID:1620
Offline scan completed with 0x00000000
FINISH 2023/05/31 21:58:12:015 TID:1624 PID:1620
Editor’s note: In addition to msssWrapper.log, you may find the following logs helpful.
C:\Windows\Microsoft Antimalware\Support\MPDetection-[date]-[time].log C:\Windows\Microsoft Antimalware\Support\MPLog-[date]-[time].log
I hope the above information helps. Let’s know your comments.
One small request: If you liked this post, please share this?
One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:- Pin it!
- Share it to your favorite blog + Facebook, Reddit
- Tweet it!
