Solved A file is 'stuck' in quarantine

Hi everyone,

I'm encountering a problem that a lot of googling has not been able to solve:

While scanning my C: with WizTree, I noticed i have a 50GB file in C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\07\0745A328E303B199BA9CFC64133C90B32C7866A3

I looked at what the file was and when it was quarantined using:
MpCmdRun.exe -restore -listall It was quarantined on 2023-10-25

I tried deleting it using the 'normal' way: Protection History > Filters> Quarantined Items but there is nothing showing up there.

I went to delete it manually but i don't have proper access to that folder - even though i'm admin

From this link from a previous thread (How to control Microsoft Defender Antivirus from PowerShell on Windows 11) I came across Get-MpPreference and did Set-MpPreference -QuarantinePurgeItemsAfterDelay 0

I'm not sure after how long the setting should take hold, but the file is still there.

My question is, how do i manually delete that quarantined file?

Thanks in advance!!

Try this. The reset option should delete the apps data.Use Option 3.

I don't have Windows Security:


Nor did Get-AppxPackage *Microsoft.SecHealthUI* | Reset-AppxPackage work:
PS C:\Users\Vranghel> Get-AppxPackage *Microsoft.SecHealthUI* | Reset-AppxPackage
Reset-AppxPackage : The term 'Reset-AppxPackage' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:43
+ Get-AppxPackage *Microsoft.SecHealthUI* | Reset-AppxPackage
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Reset-AppxPackage:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

I managed to run the 'Reset Windows Security app for All Users in PowerShell' :
Get-AppxPackage -AllUsers *Microsoft.SecHealthUI* | Reset-AppxPackage

and restarted, but the file is still there, and nothing appears under Protection History > Quarantined Items

Since nothing happened last time, i tried running the command 'Get-AppxPackage -AllUsers *Microsoft.SecHealthUI* | Reset-AppxPackage' making sure i'm in admin power shell, and this time i got an error:

PS C:\Users\Vrangel> Get-AppxPackage -AllUsers *Microsoft.SecHealthUI* | Reset-AppxPackage
Reset-AppxPackage : The term 'Reset-AppxPackage' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a
path was included, verify that the path is correct and try again.
At line:1 char:53
+ ... et-AppxPackage -AllUsers *Microsoft.SecHealthUI* | Reset-AppxPackage
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Reset-AppxPackage:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Not sure what's happening or what i'm doing wrong

I checked using TreeSize. Using that file path in programdata I have 3 zero byte files in Resource Data.(files all have 2digit names like yours) Uninstalling and reinstalling Defender should get rid of it but the methods I have used in the past to uninstall and reinstall Defender no longer work so hopefully someone will step in with a working method for 2023. @Brink, can you help?

I do know a surefire way of removing that file, but I do not know if there would be any repercussions by doing so.
I use one of the live Linux distros on usb, either Mint or Ubuntu. I boot into Linux and can remove any file in Windows I want. A 50 gb file is huge and I can't imagine what situation might have created it.

The 50 GB file is a "Linux ISO" that has a false positive

Are you able to manually delete it from a command prompt at boot?

glasskuter said:

I do know a surefire way of removing that file, but I do not know if there would be any repercussions by doing so.
I use one of the live Linux distros on usb, either Mint or Ubuntu. I boot into Linux and can remove any file in Windows I want. A 50 gb file is huge and I can't imagine what situation might have created it.

Click to expand...

I have done the same since being able to have Linux Mint [since version13 now at 21] on a Desktop and creating the Bootable LiveUSB using its USB Image Writer.

leave it alone for now

vranghel said:

The 50 GB file is a "Linux ISO"

Click to expand...

Now you tell us. If you've created Linux installation usb media using the file, boot into the live distro and delete the file, BUT NOT THE FOLDER. However, it's doubtful that's all it is as no Linux iso is 50gb....unless you didn't deal with the file the first time it was detected and add the file to Defender exclusions as your should have. If it wasn't dealt with, maybe it kept detecting it over and over again somehow making that file in programdata larger each time.(that's a guess)

If you intend to keep the file, make sure it, or it's folder is added to exclusions or Defender will only create that big file again after it scans enough times..

Something else. I have never had defender detect a legitimate Linux iso as erroneous. You might want to question the origin of that file. as it may have been altered.

glasskuter said:

Something else. I have never had defender detect a legitimate Linux iso as erroneous. You might want to question the origin of that file. as it may have been altered.

Click to expand...

I was being sarcastic that it's a Linux ISO. It is, however, an ISO obtained from the high seas.

Brink said:

Are you able to manually delete it from a command prompt at boot?

Open Command Prompt at Boot in Windows 11 Tutorial

This tutorial will show you how to open an elevated command prompt at boot in Windows 11. The Command shell is an entry point for typing commands in the Command Prompt console window. By typing commands at the command prompt, you can perform tasks on your computer without using the Windows GUI...

www.elevenforum.com

Delete File in Windows 11 Tutorial

This tutorial will show you different ways to delete a file in Windows 11. Files deleted from internal drives are moved to the Recycle Bin by default in Windows 11. Removable drives, such as USB flash drives and memory cards, do not have a Recycle Bin by default. Files deleted from removable...

www.elevenforum.com

Click to expand...

YES! It (finally) worked to delete it from the cmd at boot.

However, it was not smooth sailing:

First did this: del /f /s /q /a "C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\07\0745A328E303B199BA9CFC64133C90B32C7866A3"

Path does not exist
I tried with X, same thing. Tried cd to ProgramData, them Microsoft etc....Quarantine folder did not exist

Then i tried diskpart which showed C Storage 2tb, and D NTFS which is ALL BACKWARDS!! C is the main one having 1 TB.
Why is that? I dont understand

Finally I did del /f /s /q /a "D:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\07\0745A328E303B199BA9CFC64133C90B32C7866A3"
and it worked, the file disappeared in WizTree

Thank you glasskuter, Brink and the rest.

Awesome community and guides for doing everything!!

If you are referring to the way disks are numbered (ie disk 0 or disk 1) don't worry about it. In some machines (my Dell being one of them)it depends on the disk configuration how the bios numbers them. In my particular case I have an m.2 system drive and a HDD storage drive. I have found if a sata drive is connected it is disk 0. I can disconnect the HDD and the m.2 becomes disk 0. I can connect a second sata HDD or SSD it becomes disk 1 and the m.2 becomes disk 2. I gave up trying to figure it out but get irritated every time I see it. Out of years of habit I expect my system drive to be disk 0 NO MATTER WHAT. Not always so any more..

Glad you got rid of that big file and regained your disk space.

It looked like this:

Volume 0 C Storage NTFS
Volume 1 D NTFS

The weird part is that D is Storage and C is the main windows drive and partition- i have 1 separate drive for each

What does disk management say?

See if this helps. Be sure to make a system image first.

So this is weird
Diskpart in windows:



Diskpart in boot cmd

But what does disk management say?