Windows Defender Offline scanning is one of the new settings added by the Windows 10 Anniversary Update. Although Defender Offline has been a built-in feature of Windows 10 since the early builds, the GUI option appears on the Windows Defender Settings page only after you install the Anniversary Update (v1607).
Malware today is more complex than it was many years ago. It operates at the filter driver, service or rootkit level, and eliminating it is very tough. In some cases, you need to boot into the Windows RE environment (or use Linux boot media) and then delete the core malware files and services added to your Windows installation.
Windows Defender Offline takes care of this situation by running a quick scan before the operating system loads. When Windows Defender detects a rootkit or any other tough malware while Windows is running, it suggests that you run an offline scan, showing the following message or a similar one:
To complete the cleaning process your PC needs to be rebooted and cleaned with Windows Defender Offline. This will take approximately 15 minutes. Please save all your files before clicking on the button.
Start “Windows Defender Offline” Scan Using Windows Defender Settings
Open Settings (WinKey + i), click Update & Security and select Windows Defender.
Click Scan Offline. It silently downloads a light-weight offline scanner, restarts the system and runs a scan before loading Windows.
The light-weight offline scan image is about 2 MB and comprises the following files:
EppManifest.dll
mpasdesc.dll
MpClient.dll
MpCmdRun.exe
MpCommu.dll
MpSvc.dll
MpTpmAtt.dll
MsMpCom.dll
MsMpEng.exe
MsMpLics.dll
MsMpRes.dll
msseces.exe
OfflineScannerShell.exe
EN-US\MpSwpHelp.RTF
EN-US\MsMpRes.dll.mui
EN-US\offlinescannershell.exe.mui
EN-US\EppManifest.dll.mui
EN-US\EULA.RTF
EN-US\mpasdesc.dll.mui
Presumably OfflineScannerShell.exe is the one that powers the scan in Windows RE, including the task of locating the correct operating system against which the scan has to be run. It’s completely automated and preconfigured to run a Quick scan using the definitions that are already on the system.
Start “Windows Defender Offline” Scan Using PowerShell
Previously, a Windows Defender offline scan could be initiated only with the following PowerShell cmdlet, or when Windows Defender automatically suggested an offline scan while dealing with a complex malware or rootkit infection.
To start Windows Defender Offline scan using PowerShell, launch PowerShell as Administrator, and then run the following command:
Start-MpWDOScan
Press ENTER. The system will restart automatically within a minute and complete a quick scan in offline mode. There is no setting available to change it to a full scan, though.
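Because the offline scan uses the definitions already on the system and the restart follows within a minute, it helps to check both before running the cmdlet. The script below is an added example, not part of the original post: the function name Invoke-DefenderOfflineScan and the 3-day definition age threshold are assumptions, while Get-MpComputerStatus, Update-MpSignature and Start-MpWDOScan are the standard Defender module cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks before Start-MpWDOScan.
# Invoke-DefenderOfflineScan and the 3-day threshold are hypothetical choices.
function Invoke-DefenderOfflineScan {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Maximum acceptable definition age in days (assumed value)
        [int]$MaxSignatureAgeDays = 3
    )

    # The Defender cmdlets exist only where the Defender module is installed.
    if (-not (Get-Command Start-MpWDOScan -ErrorAction SilentlyContinue)) {
        throw 'Start-MpWDOScan is not available on this system.'
    }

    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        throw "Could not query Windows Defender status: $($_.Exception.Message)"
    }

    if (-not $status.AMServiceEnabled) {
        throw 'The Windows Defender antimalware service is not enabled.'
    }

    # The offline scan uses the definitions already on disk, so refresh stale ones first.
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        Write-Warning "Definitions are $($status.AntivirusSignatureAge) day(s) old; updating."
        Update-MpSignature -ErrorAction Stop
        $status = Get-MpComputerStatus -ErrorAction Stop
    }
    Write-Verbose "Definition version: $($status.AntivirusSignatureVersion)"

    # The machine restarts within about a minute, so ask before triggering it.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart into Windows Defender Offline')) {
        try {
            Start-MpWDOScan -ErrorAction Stop
        } catch {
            Write-Error "Offline scan could not be scheduled: $($_.Exception.Message)"
        }
    }
}

Invoke-DefenderOfflineScan -Verbose
```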
Windows Defender Offline in Windows 7 and Windows 8
Windows Defender Offline is now an integrated feature in Windows 10. If you’re using Windows 7 or 8, you can create Windows Defender Offline boot media (USB drive or CD/DVD) using the scan image, which you can download from the Microsoft site. Check out Help protect my PC with Windows Defender Offline – Windows Help to download the bootable Windows Defender Offline scan image in Windows 7 or Windows 8. Make sure you download the correct version (x86 vs x64) for your system.
See also How to Create a Windows Defender Offline Bootable Media and Run a Scan.
Use Norton 360 do not need this defender thing!!
I tried the Windows Defender offline scan with Windows PowerShell as an administrator, but when I hit Enter, it says –
Start -MPWDOScan : provider load failure At Line :1 char :1 + Start -MPWDOScan + ~~~~~~~~ + category info : Notspecified: (MSFT_MpWDOScan:ROOT\Microsoft\ . . .\MSFT_MpWDOScan) [Start -MPWDOScan], CimException + FullyQualifiedErrorId : HRESULT 0x80041013,Start -MPWDOScan
Any help
@Asis: Please post your query here. I’ll take a look.