“Windows Defender Offline” in Windows 10 Eliminates Complex Malware

Windows Defender Offline scanning is one of the new settings added by the Windows 10 Anniversary Update. Although Defender Offline has already been a built-in feature in Windows 10 since the early builds, the GUI option is added in the Windows Defender Settings page only after you install the Anniversary Update (v1607).

Nowadays malware are more complex than they were many years ago. They operate at the filter driver, service or rootkit level and to eliminate them is very tough. In some cases, you need to boot to the Windows RE environment (or using a Linux boot media) and then delete the core malware files and services added in your Windows installation.

Windows Defender Offline takes care of this situation by running a quick scan even before the Operating System loads. When Windows Defender detects a rootkit or any other tough malware when Windows is running, it suggests you run an offline scan, showing the following message or similar.

Additional cleaning required.
To complete the cleaning process your PC needs to be rebooted and cleaned with Windows Defender Offline. This will take approximately 15 minutes. Please save all your files before clicking on the button.

Start “Windows Defender Offline” Scan Using Windows Defender Settings

Open Settings (WinKey + i), click Update & Security and select Windows Defender.

windows defender offline in anniversary update

Click Scan Offline. It silently downloads a light-weight offline scanner, restarts the system and runs a scan before loading Windows.

The light-weight offline scan image is about ~2 MB comprising the following files in it:

EppManifest.dll
mpasdesc.dll
MpClient.dll
MpCmdRun.exe
MpCommu.dll
MpSvc.dll
MpTpmAtt.dll
MsMpCom.dll
MsMpEng.exe
MsMpLics.dll
MsMpRes.dll
msseces.exe
OfflineScannerShell.exe
EN-US\MpSwpHelp.RTF
EN-US\MsMpRes.dll.mui
EN-US\offlinescannershell.exe.mui
EN-US\EppManifest.dll.mui
EN-US\EULA.RTF
EN-US\mpasdesc.dll.mui

Presumably OfflineScannerShell.exe is the one that powers the scan in Windows RE, including the task of locating the correct Operating System against which the scan has to be run. It’s completely automated and preconfigured to run a Quick scan using the definitions that’s already in the system.

windows defender offline in anniversary update



Start “Windows Defender Offline” scan Using PowerShell

Previously, Windows Defender offline scan could only be initiated using the following PowerShell cmdlet, or if Windows Defender automatically suggests an offline scan when dealing with complex malware or rootkit infection.

To start Windows Defender Offline scan using PowerShell, launch PowerShell as Administrator, and then run the following command:

Start-MpWDOScan

windows defender offline in anniversary update

Press ENTER. The system will restart automatically within in a minute and complete a quick scan in offline mode. There is no setting available to change it to full scan though.

Windows Defender Offline in Windows 7 and Windows 8

Windows Defender Offline is now an integrated feature in Windows 10. If you’re using Windows 7 or 8, you can create a Windows Defender Offline boot media (USB drive or CD/DVD) using the scan image which you can download from Microsoft site. Check out Help protect my PC with Windows Defender Offline – Windows Help to download the bootable Windows Defender Offline scan image in Windows 7 or Windows 8. Make sure you download the correct version (x86 vs x64) for your system.

See also How to Create a Windows Defender Offline Bootable Media and Run a Scan.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

3 thoughts on ““Windows Defender Offline” in Windows 10 Eliminates Complex Malware”

  1. I tried the WINDOWS defender offline scan with ,windows powershell as an administrator but when i hit enter , it says –

    Start -MPWDOScan : provider load failure At Line :1 char :1 + Start -MPWDOScan + ~~~~~~~~ + category info : Notspecified: (MSFT_MpWDOScan:ROOT\Microsoft\ . . .\MSFT_MpWDOScan) [Start -MPWDOScan], CimException + FullyQualifiedErrorId : HRESULT 0x80041013,Start -MPWDOScan

    Any help

    Reply

Leave a Reply