Solved How to Remove Items in Defender History

Steve C
OS: Windows 11 Pro

How do I remove these warnings for PUAs in Defender Protection History which have been listed since 12 March? The files all relate to the Win10PXE project on the forum since deleted. I tried the ClearDefenderHistory tool recommended here on GitHub but it didn't remove these items.


My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self build
    CPU
    Core i7-13700K
    Motherboard
    Asus TUF Gaming Plus WiFi Z790
    Memory
    64 GB Kingston Fury Beast DDR5
    Graphics Card(s)
    Gigabyte GeForce RTX 2060 Super Gaming OC 8G
    Sound Card
    Realtek S1200A
    Monitor(s) Displays
    Viewsonic VP2770
    Screen Resolution
    2560 x 1440
    Hard Drives
    Kingston KC3000 2TB NVME SSD & SATA HDDs & SSD
    PSU
    EVGA SuperNova G2 850W
    Case
    Nanoxia Deep Silence 1
    Cooling
    Noctua NH-D14
    Keyboard
    Microsoft Digital Media Pro
    Mouse
    Logitech Wireless
    Internet Speed
    50 Mb / s
    Browser
    Chrome
    Antivirus
    Defender
Clear Windows Security History

The above Tutorial may do it.

If it doesn't, this will:
Code:
<# : batch script
@echo off
powershell -nop "if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { Start-Process -Verb RunAs 'cmd.exe' -ArgumentList '/c \"%~dpnx0\" %*' } else { Invoke-Expression ([System.IO.File]::ReadAllText('%~f0')) }"
goto :eof
#>

# Technique: https://www.tiraniddo.dev/2019/09/the-art-of-becoming-trustedinstaller.html
# Needs Windows PowerShell 5.1 (the PSScheduledJob module is not in PowerShell 7);
# that is what the batch header above launches.

$ScriptBlock = {
    # Runs under NT SERVICE\TrustedInstaller via the scheduled job below.
    # Note: while Tamper Protection is on, Defender does not apply these Set-MpPreference changes.
    $MAPS_Status = (Get-MpPreference).MAPSReporting
    Set-MpPreference -DisableRealtimeMonitoring $true
    Set-MpPreference -MAPSReporting Disabled

    Get-ChildItem -File 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service' -Recurse | Remove-Item -Force

    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -MAPSReporting $MAPS_Status
}

# Create the scheduled job (it lands under \Microsoft\Windows\PowerShell\ScheduledJobs)
# and make the built-in Administrator (RID 500) its principal.

$TaskName = 'Clear Defender Protection History'
$SchedulerPath = '\Microsoft\Windows\PowerShell\ScheduledJobs'
Unregister-ScheduledJob -Name $TaskName -Confirm:$false -ErrorAction SilentlyContinue
Register-ScheduledJob -Name $TaskName -ScriptBlock $ScriptBlock | Out-Null

$adminAccount = Get-LocalUser | Where-Object { $_.SID -like '*-500' } | Select-Object -ExpandProperty Name
$Principal = New-ScheduledTaskPrincipal -UserId "$env:COMPUTERNAME\$adminAccount"
Set-ScheduledTask -TaskPath $SchedulerPath -TaskName $TaskName -Principal $Principal | Out-Null

$Service = New-Object -ComObject 'Schedule.Service'
$Service.Connect()

# Start the task as TrustedInstaller (RunEx lets an admin caller choose the run-as account)

$User = 'NT SERVICE\TrustedInstaller'
$Folder = $Service.GetFolder($SchedulerPath)
$Task = $Folder.GetTask($TaskName)

$Task.RunEx($null, 0, 0, $User) | Out-Null

# Wait for the task to return to Ready, or time out

$Timeout = 60
$Timer = [Diagnostics.Stopwatch]::StartNew()

while (((Get-ScheduledTask -TaskPath "$SchedulerPath\" -TaskName $TaskName).State -ne 'Ready') -and ($Timer.Elapsed.TotalSeconds -lt $Timeout)) {
    Start-Sleep -Seconds 1
}

$Timer.Stop()

# Surface what the job could not delete: its errors go to the job result, not to this console.
$JobErrors = @(Get-Job -Name $TaskName -ErrorAction SilentlyContinue | Receive-Job -Keep 2>&1 |
    Where-Object { $_ -is [System.Management.Automation.ErrorRecord] })
$Remaining = @(Get-ChildItem -File 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service' -Recurse -ErrorAction SilentlyContinue).Count
Write-Host "Job errors: $($JobErrors.Count); history files still present: $Remaining"
$JobErrors | ForEach-Object { Write-Host "  $($_.TargetObject): $($_.Exception.Message)" }

# Remove the scheduled job and its saved results
Unregister-ScheduledJob -Name $TaskName -Confirm:$false | Out-Null
 

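The script above hides the interesting part of a failed run inside the scheduled job's output file. The block below is an added diagnostic for this thread; it is not the script above, not the ClearDefenderHistory tool and not Right-Click Tools. It prints the Defender state that decides whether an in-place delete can work at all (with Tamper Protection on, Defender does not apply the `Set-MpPreference` "disable first" calls, so the deletion runs against a live engine), then tries the delete file by file and classifies each outcome. Assumptions: Windows 10/11 with Microsoft Defender, an elevated prompt, the stock history path used in the thread, and the `Get-MpComputerStatus` / `Get-MpPreference` / `Get-MpThreatDetection` cmdlets from the Defender module.

```powershell
# Added example for this thread, not code from any post or tool it links.
# Assumes: Windows 10/11 with Microsoft Defender, elevated Windows PowerShell 5.1 or
# PowerShell 7, and the stock history path used in the thread.

#Requires -RunAsAdministrator

$HistoryPath = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'

function Get-DefenderHistoryState {
    # Tamper Protection is the value that matters: while it is on, Set-MpPreference cannot
    # turn off real-time protection or MAPS, so the "disable first" step has no effect.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        TamperProtected  = $status.IsTamperProtected
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        AMServiceEnabled = $status.AMServiceEnabled
        MAPSReporting    = $pref.MAPSReporting     # 0 = Disabled, 1 = Basic, 2 = Advanced
        DetectionRecords = @(Get-MpThreatDetection -ErrorAction SilentlyContinue).Count
        HistoryFiles     = @(Get-ChildItem -LiteralPath $HistoryPath -File -Recurse -Force -ErrorAction SilentlyContinue).Count
    }
}

function Test-DefenderHistoryRemoval {
    # Without -Delete: list each file with its owner and size.
    # With -Delete: attempt the removal and record the per-file outcome, so an
    # "Access to the path is denied" is visible per file instead of buried in a job log.
    param(
        [string]$Path = $HistoryPath,
        [switch]$Delete
    )
    $root  = $Path.TrimEnd('\')
    $files = Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $owner = 'unreadable'
        try { $owner = (Get-Acl -LiteralPath $f.FullName -ErrorAction Stop).Owner } catch {}

        $result = 'Listed'
        if ($Delete) {
            try {
                Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
                $result = 'Removed'
            } catch {
                # Remove-Item wraps the access failure (see the job log in the thread), so
                # classify on the message rather than on the exception type.
                if ($_.Exception.Message -match 'denied') { $result = 'AccessDenied' } else { $result = "Failed: $($_.FullyQualifiedErrorId)" }
            }
        }
        [pscustomobject]@{
            File   = $f.FullName.Substring($root.Length + 1)
            Bytes  = $f.Length
            Owner  = $owner
            Result = $result
        }
    }
}

# Usage: inspect the state first, then attempt the delete and summarise the outcomes.
Get-DefenderHistoryState | Format-List
$attempt = @(Test-DefenderHistoryRemoval -Delete)
$attempt | Format-Table -AutoSize
$attempt | Group-Object Result | Select-Object Name, Count
```

If every row comes back `AccessDenied` while `TamperProtected` is `True` and `RealTimeEnabled` is `True`, the ACLs are not the obstacle and re-running the TrustedInstaller variant will not change the result; that is the situation the later posts in this thread describe.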

How do I remove these warnings for PUAs in Defender Protection History
Interesting. I'll do some testing with a PUA and see what's up.

You can also try the Clear Defender history option in my Right-Click Tools package. It uses a task instead of a RunOnce key.
 
Clear Windows Security History

The above Tutorial may do it.

If it doesn't, this will:
(quoted script as posted above)
This worked for me, don't know why it would not work for everyone?
 

There's TenForums posts that report it doesn't work any more. Maybe it depends on your Defender platform version.
 

@Josey Wales
This worked for me, don't know why it would not work for everyone?

Have tested the script, also verified the job is made and has run, but after running, the history is still visible.
In Task Scheduler, the task is scheduled by the script as Administrator (is that correct? I expected it to run as TrustedInstaller).
Also, the script outputs a log file after running it, which can be found here:
\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\Clear Defender Protection History\Output\

Log file (the serialized job result, trimmed to the readable parts):

InvocationInfo_Command:
$MAPS_Status = (Get-MpPreference).MAPSReporting
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -MAPSReporting Disabled

Get-ChildItem -File 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service' -Recurse | Remove-Item -Force

Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -MAPSReporting $MAPS_Status

InvocationInfo_ModuleName: PSScheduledJob
Status_StartTime: 2024-05-06T22:34:47.8542716+02:00
Status_StopTime: 2024-05-06T22:34:50.4818144+02:00
Results_Output: 0 items
Results_Error: 4 items; the first one reads:
Exception=System.Management.Automation.RemoteException: Access to the path is denied.
TargetObject=C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log
FullyQualifiedErrorId=RemoveFileSystemItemArgumentError,Microsoft.PowerShell.Commands.RemoveItemCommand
ErrorCategory_Activity=Remove-Item
ErrorCategory_Reason=ArgumentException
ErrorDetails_Message=Cannot remove item C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log: Access to the path is denied.
ErrorDetails_ScriptStackTrace=at <ScriptBlock>, <No file>: line 6
 

Oh dear - as OP I seem to have exposed a can of worms!
 

I have nothing to clear so I can't test it. :-)
 

I wonder if Defender's filter driver is now protecting its own history, to prevent malware from covering up its own tracks. If you and I could write these basic scripts, it means malware could perform the same actions.
 

@LesFerch Nope, tested it just now, and it did not work; history still intact after reboot.

@gerlin I am actually OK with it that scripts or users can't do it. However, for lazy admins it's a bit of a hassle to do it in safe mode. More work/time to do it, but that option still works.
 
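The safe-mode route the post above refers to works because the Defender service and its filter driver are not running there, so nothing intercepts the delete. The block below is an added example of that procedure for this thread; it is not a script from any post or tool linked here. Assumptions: Windows 10/11, an elevated PowerShell prompt, the stock history path used in the thread, and the built-in `bcdedit.exe`, `takeown.exe` and `icacls.exe`. If BitLocker is enabled, suspend it for one reboot first (`Suspend-BitLocker -MountPoint C: -RebootCount 1`), since boot-configuration changes can trigger BitLocker recovery. The ownership step is a precaution: the folder's ACLs may not grant Administrators delete rights even with the filter driver out of the way.

```powershell
# Added example for this thread, not code from any post or tool it links.
# Clears the Protection History from Safe Mode, where the Defender service and its
# filter driver are not loaded. Assumes Windows 10/11, an elevated prompt, and the
# built-in bcdedit.exe / takeown.exe / icacls.exe.

#Requires -RunAsAdministrator

$HistoryPath = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'

function Get-BootMode {
    # Win32_ComputerSystem.BootupState: 'Normal boot', 'Fail-safe boot' (Safe Mode)
    # or 'Fail-safe with network boot'.
    (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
}

function Set-SafeModeNextBoot {
    # Arms ($true) or disarms ($false) a minimal Safe Mode boot for the current OS entry.
    # Takes effect on the next restart. '{current}' is quoted so PowerShell does not
    # parse the braces as a script block.
    param([Parameter(Mandatory)][bool]$Enabled)
    if ($Enabled) { bcdedit.exe /set '{current}' safeboot minimal | Out-Null }
    else          { bcdedit.exe /deletevalue '{current}' safeboot | Out-Null }
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (exit $LASTEXITCODE); is this prompt elevated?" }
}

function Clear-DefenderHistoryInSafeMode {
    param([string]$Path = $HistoryPath)

    # Refuse to run in a normal boot: that is exactly the case the thread shows failing.
    $mode = Get-BootMode
    if ($mode -notlike 'Fail-safe*') { throw "Refusing to run: boot mode is '$mode', not Safe Mode" }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]@{ Attempted = 0; Remaining = 0 } }

    # Precaution: take ownership and grant Administrators full control first, in case the
    # folder's ACLs alone would still deny the delete. PowerShell quotes the path for the
    # native tools because it contains spaces.
    takeown.exe /f $Path /r /d y | Out-Null
    icacls.exe $Path /grant 'Administrators:(OI)(CI)F' /t | Out-Null

    $files = @(Get-ChildItem -LiteralPath $Path -File -Recurse -Force)
    foreach ($f in $files) {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Continue
    }
    [pscustomobject]@{
        Attempted = $files.Count
        Remaining = @(Get-ChildItem -LiteralPath $Path -File -Recurse -Force).Count
    }
}

# Usage, in order (each step is a separate session):
#   1. Normal boot:        Set-SafeModeNextBoot -Enabled $true ; Restart-Computer
#   2. In Safe Mode:       Clear-DefenderHistoryInSafeMode
#   3. Still in Safe Mode: Set-SafeModeNextBoot -Enabled $false ; Restart-Computer
Get-BootMode
```

Step 3 matters: a `safeboot` value left in the BCD keeps the machine booting into Safe Mode on every restart, which is the usual way this procedure goes wrong when it is scripted.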
@Tester One more method for you to try:
Use the "Clear History" menu item and you'll see a "Defender history" checkbox.
 

@LesFerch Time to boot up the VM and then hopefully catch a cold.
Here are some options to safely trigger a detection:

Scroll down to "download area" and download any one of the test files.

Click the NSudo link
 

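The links in the post above did not survive extraction. The block below is an added example for this thread, not code from any post or linked tool: it plants the EICAR test string (the standard harmless anti-virus test file, https://www.eicar.org, which is the assumption made here about what the "download area" refers to) in a throwaway VM so that Protection History gets an entry for the clearing methods to act on, then confirms the detection through `Get-MpThreatDetection`. The string is assembled from fragments at run time so the script file itself is not flagged; only the file it writes is. Assumptions: Defender real-time protection is on and `$env:TEMP` is not excluded from scanning.

```powershell
# Added example for this thread, not code from any post or tool it links.
# Creates one harmless EICAR detection in a VM and looks it up in Defender's detection
# records. Assumes real-time protection is on and $env:TEMP is not an exclusion.

function New-EicarDetection {
    param([string]$Directory = (Join-Path $env:TEMP 'defender-history-test'))

    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $file = Join-Path $Directory 'eicar.com'

    # Standard 68-byte EICAR string, assembled here so this script is not itself a match.
    $eicar = -join @(
        'X5O!P%@AP[4\PZX54(P^)7CC)7}$',
        'EICAR-STANDARD-',
        'ANTIVIRUS-TEST-FILE!$H+H*'
    )
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($eicar)

    # Real-time protection may block the write outright or remove the file right after it
    # lands; the detection is recorded either way, so capture the write error instead of dying.
    $writeError = $null
    try { [System.IO.File]::WriteAllBytes($file, $bytes) } catch { $writeError = $_.Exception.Message }

    # Poll Defender's own detection records for up to 30 s; Resources holds entries such as
    # "file:_C:\...\eicar.com".
    $deadline = (Get-Date).AddSeconds(30)
    $hit = $null
    do {
        Start-Sleep -Seconds 2
        $hit = Get-MpThreatDetection -ErrorAction SilentlyContinue |
               Where-Object { $_.Resources -match [regex]::Escape($file) } |
               Select-Object -First 1
    } until ($hit -or (Get-Date) -gt $deadline)

    [pscustomobject]@{
        File          = $file
        StillOnDisk   = Test-Path -LiteralPath $file
        WriteError    = $writeError
        Detected      = [bool]$hit
        ThreatID      = if ($hit) { $hit.ThreatID } else { $null }
        DetectionTime = if ($hit) { $hit.InitialDetectionTime } else { $null }
        HistoryFiles  = @(Get-ChildItem -LiteralPath 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service' -File -Recurse -Force -ErrorAction SilentlyContinue).Count
    }
}

New-EicarDetection | Format-List
```

`Detected = True` with a non-zero `HistoryFiles` count gives a baseline to compare against after running any of the clearing methods; if `HistoryFiles` is unchanged afterwards, the method did not touch the store the UI reads from.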
@LesFerch Good suggestion. Some apps I wrote trigger Win Def, so I copied those to the VM to get something in the history.
 
