Solved How to Remove Items in Defender History



My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self build
    CPU
    Core i7-13700K
    Motherboard
    Asus TUF Gaming Plus WiFi Z790
    Memory
    64 GB Kingston Fury Beast DDR5
    Graphics Card(s)
    Gigabyte GeForce RTX 2060 Super Gaming OC 8G
    Sound Card
    Realtek S1200A
    Monitor(s) Displays
    Viewsonic VP2770
    Screen Resolution
    2560 x 1440
    Hard Drives
    Kingston KC3000 2TB NVME SSD & SATA HDDs & SSD
    PSU
    EVGA SuperNova G2 850W
    Case
    Nanoxia Deep Silence 1
    Cooling
    Noctua NH-D14
    Keyboard
    Microsoft Digital Media Pro
    Mouse
    Logitech Wireless
    Internet Speed
    50 Mb / s
    Browser
    Chrome
    Antivirus
    Defender
Clear Windows Security History

The above tutorial may do it.

If it doesn't, this will:
Code:
<# : batch script
@echo off
powershell -nop "if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { Start-Process -Verb RunAs 'cmd.exe' -ArgumentList '/c %~dpnx0 %*' } else { Invoke-Expression ([System.IO.File]::ReadAllText('%~f0')) }"
goto :eof
#>

# The block above is a cmd/PowerShell polyglot. Run as a .cmd/.bat, the three
# lines inside <# ... #> either relaunch the file elevated (UAC prompt) or, if
# already elevated, hand the whole file to PowerShell; PowerShell itself sees
# that block as a comment and starts here.

# https://www.tiraniddo.dev/2019/09/the-art-of-becoming-trustedinstaller.html

$ScriptBlock = {
    # Body of the scheduled job; runs as TrustedInstaller (see RunEx below).
    # Real-time protection and cloud (MAPS) reporting are switched off while
    # the history files are deleted and restored afterwards. Note that with
    # Tamper Protection enabled these Set-MpPreference calls are ignored.
    $MAPS_Status = (Get-MpPreference).MAPSReporting
    Set-MpPreference -DisableRealtimeMonitoring 1
    Set-MpPreference -MAPSReporting Disabled

    Get-ChildItem -File 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service' -Recurse | Remove-Item -Force

    Set-MpPreference -DisableRealtimeMonitoring 0
    Set-MpPreference -MAPSReporting $MAPS_Status
}

# Create scheduled task (a PowerShell scheduled job, which Task Scheduler
# stores under \Microsoft\Windows\PowerShell\ScheduledJobs)

$TaskName = 'Clear Defender Protection History'
$SchedulerPath = '\Microsoft\Windows\PowerShell\ScheduledJobs'
Unregister-ScheduledJob $TaskName -Confirm:$false -ErrorAction SilentlyContinue 2>&1 | Out-Null
Register-ScheduledJob -Name $TaskName -ScriptBlock $ScriptBlock | Out-Null

# Point the task's principal at the built-in Administrator account (RID 500)
$adminAccount = Get-LocalUser | Where-Object {$_.SID -like "*-500"} | Select-Object -ExpandProperty Name
$Principal = New-ScheduledTaskPrincipal -UserId "$env:COMPUTERNAME\$adminAccount"
Set-ScheduledTask -TaskPath $SchedulerPath -TaskName $TaskName -Principal $Principal | Out-Null

$Service = New-Object -ComObject 'Schedule.Service'
$Service.Connect()

# Invoke task as TI: the COM RunEx method takes a user name as its last
# argument, which is the loophole the linked article describes

$User = 'NT SERVICE\TrustedInstaller'
$Folder = $Service.GetFolder($SchedulerPath)
$Task = $Folder.GetTask($TaskName)

$Task.RunEx($null, 0, 0, $User) | Out-Null

# Wait for task completion, or time out after 60 seconds

$Timeout = 60
$Timer = [Diagnostics.Stopwatch]::StartNew()

while (((Get-ScheduledTask -TaskName $TaskName).State -ne 'Ready') -and ($Timer.Elapsed.TotalSeconds -lt $Timeout)) {
    Start-Sleep -Seconds 1
}

$Timer.Stop()

# Remove scheduled task
Unregister-ScheduledJob $TaskName -Confirm:$false -ErrorAction SilentlyContinue | Out-Null
The tutorial worked!
 

I am glad that you got this problem sorted out Steve. :thumbsup:
 

My Computers

System One System Two

  • OS
    Win 11 Pro 22631.3593
    Computer type
    PC/Desktop
    Manufacturer/Model
    Digital Storm Velox
    CPU
    Intel Core i9-10940X
    Motherboard
    MSI X299 PRO (Intel X299 Chipset) (Up to 4x PCI-E Devices)
    Memory
    128 GB DDR4 3200 MHz Corsair Vengance LPX
    Graphics Card(s)
    EVGA GeForce RTX 2080 Ti Black
    Sound Card
    Integrated Motherboard Audio-Realtek
    Monitor(s) Displays
    CORSAIR XENEON 32QHD165
    Screen Resolution
    2560 x 1440
    Hard Drives
    2 Samsung 980 Pro NVME 2TB
    1x Storage (6TB Western Digital
    PSU
    Corsair / EVGA / Thermaltake (Modular) (80 Plus Gold)
    Case
    VELOX
    Cooling
    H20: Stage 2: Digital Storm Vortex Liquid CPU Cooler (Dual Fan) (Fully Sealed + No Maintenance)
    Keyboard
    Corsair K63 Wireless
    Mouse
    Corsair NIGHTSWORD RGB
    Internet Speed
    1000Gb's Down-20 Up
    Browser
    Firefox 126.0
    Antivirus
    Windows Defender
    Other Info
    Cyber power CP1350AVRLCD -UPS
    NVIDIA 552.44 Driver
  • Operating System
    Arch Linux
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC13ANHi3
    CPU
    Intel Core i3 1315u
    Motherboard
    NUC13AN
    Memory
    64GB GSKILL DDR4 3200
    Graphics card(s)
    Intel On Board
    Sound Card
    Intel on Board
    Monitor(s) Displays
    Dell 2419HGCF
    Screen Resolution
    1920 X 1080
    Hard Drives
    1TB Crucial M2NVME
    PSU
    External 90 Watt
    Case
    NUC Tall
    Cooling
    Fan
    Mouse
    Razer
    Keyboard
    Logitech
    Internet Speed
    1GB
    Browser
    Slimjet 43.0.1.0
    Other Info
    quiet & fast
Script revised:
@Steve C Please try this new version. Thanks!
I'll test it, I have to keep up my name...
Tested on a clean Win 11 VM with:
Defender version: 4.18.24030.9-0
Windows 11 version: 23H2, OS build: 22631.3527
Works like a charm!

How did you figure out so fast how that other program did it this way?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop

My Computer

System One

  • OS
    Windows 10/11
    Computer type
    Laptop
    Manufacturer/Model
    Acer
My compliments!

I might adjust this script to disable the Defender Core Service. It only monitors status, does experiments on computers and reports back to Microsoft. Microsoft Defender does not depend on that service. I already have it manually turned off. Then a day later the service removes itself from Services. When it gets dependencies I will turn it back on, but for the time being it is not needed.
Might be a good idea for a new topic and discussion. Don't shoot me for turning something off that looks important but in my eyes really isn't.
 

@LesFresh
After running it on some more machines, I have noticed one more thing about the script.
If I double-click the file, the UAC elevation prompt comes up, then a black screen flashes.
So I guess this part of the script fails, hits the goto :eof and so skips the rest of the script.
Right-click and Run as administrator works.

<# : batch script
@echo off
powershell -nop "if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { Start-Process -Verb RunAs 'cmd.exe' -ArgumentList '/c %~dpnx0 %*' } else { Invoke-Expression ([System.IO.File]::ReadAllText('%~f0')) }"
goto :eof
#>
 

After running it on some more machines, I have noticed one more thing about the script.
If I double-click the file, the UAC elevation prompt comes up, then a black screen flashes.
So I guess this part of the script fails, hits the goto :eof and so skips the rest of the script.
Right-click and Run as administrator works.
You will just get a console window flash if there is no Protection history to be cleared, but that would also be the case if you right-click and select "Run as Administrator". But it sounds like you're getting the reboot prompt when using "Run as Administrator", but not when double-clicking. Is that correct and is that consistent for all your machines?

I just updated the script to display a message if no Protection history is found. This might make checking this issue a little easier.
 

But it sounds like you're getting the reboot prompt when using "Run as Administrator", but not when double-clicking. Is that correct and is that consistent for all your machines?
Yes, with right-click Run as admin I get the reboot prompt, so the log file is detected.
All machines where I have run the script were Windows machines with the same 23H2 updates.
I will boot up later today some old cloned machines that are updated until Jan/Feb or even later. Do you also want to know it for Windows 10?
 

Yes, with right-click Run as admin I get the reboot prompt, so the log file is detected.
All machines where I have run the script were Windows machines with the same 23H2 updates.
I will boot up later today some old cloned machines that are updated until Jan/Feb or even later. Do you also want to know it for Windows 10?
I just retested on 23H2 with both Administrator and Standard users and it worked fine with just a double-click for me. There may be some setting on your machines that affects the script. @garlin is more familiar with the self-elevation code, so I hope he's available to chime in on possible causes.

I guess testing on your Windows 10 machines would be a good idea to see if there is any difference.
 

There's nothing special about the elevation code. Some devs do elevation checks in the "wrong way", by running a privileged command and checking the exit code for failure. Since we're using PS, it's more direct to check if we have the Administrator role. Otherwise, it's the normal -Verb RunAs business to elevate the script.

I think to debug what's happening for @Tester, we change -ArgumentList '/c %~dpnx0 %*' to '/k %~dpnx0 %*'.

This way the original CMD window doesn't exit, and maybe we can catch a possible error message.
 

My Computer

System One

  • OS
    Windows 7
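The role check garlin describes, placed next to the shortcuts it replaces and the `/k` relaunch he proposes for debugging. This is an added example, not code from garlin or from the thread's script; it assumes Windows PowerShell 5.1 on Windows 10/11 with whoami.exe and fltmc.exe available, and the `Test-…`/`Invoke-Elevated` function names are my own.

```powershell
# Added example, not code from the thread. Compares ways of deciding whether
# the current process is elevated, and wraps the same cmd.exe relaunch the
# thread's batch header uses. Assumes Windows PowerShell 5.1 on Windows 10/11
# with whoami.exe and fltmc.exe on the PATH; function names are assumptions.

function Test-AdminRole {
    # garlin's check: ask the token whether it holds the Administrators role.
    # On a UAC-filtered token the group is present but flagged deny-only, and
    # IsInRole honours that flag and returns $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AdminSidNaive {
    # The shortcut that gets it wrong: grep for the Administrators SID.
    # 'whoami /groups' still lists S-1-5-32-544 in a non-elevated prompt of an
    # admin account (annotated "Group used for deny only"), so this answers
    # $true for a process that has not been elevated at all.
    [bool]((whoami.exe /groups) -match 'S-1-5-32-544')
}

function Test-HighIntegrity {
    # Integrity label instead of group: High (S-1-16-12288) or System
    # (S-1-16-16384) only appear on elevated tokens; a filtered admin token
    # carries Medium (S-1-16-8192). Equivalent to the role check here.
    [bool]((whoami.exe /groups) -match 'S-1-16-(12288|16384)')
}

function Test-ElevatedByProbe {
    # The indirect style garlin calls the "wrong way": run a command that
    # needs admin and look at its exit code. fltmc.exe lists filter drivers
    # and fails when not elevated. It works, but you are testing fltmc's
    # behaviour rather than your own token.
    $null = fltmc.exe 2>&1
    $LASTEXITCODE -eq 0
}

function Invoke-Elevated {
    # The relaunch from the batch header, as a function. -KeepWindow uses
    # cmd /k instead of /c so the elevated console stays open and any error
    # can be read, which is garlin's debugging suggestion. The script path is
    # quoted so a folder name with spaces does not split the argument.
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [switch] $KeepWindow
    )
    $cmdSwitch = if ($KeepWindow) { '/k' } else { '/c' }
    Start-Process -FilePath 'cmd.exe' -Verb RunAs -ArgumentList "$cmdSwitch `"$ScriptPath`""
}

# Side-by-side result; run once from a normal prompt and once elevated.
[pscustomobject]@{
    IsInRole      = Test-AdminRole
    NaiveGroupSid = Test-AdminSidNaive
    HighIntegrity = Test-HighIntegrity
    ExitCodeProbe = Test-ElevatedByProbe
}
```

From a non-elevated prompt of an administrator account the object shows `IsInRole`, `HighIntegrity` and `ExitCodeProbe` as `False` and `NaiveGroupSid` as `True`; from an elevated prompt all four are `True`. That first row is why a script should not treat "Administrators SID present" as "elevated".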
I think to debug what's happening for @Tester, we change -ArgumentList '/c %~dpnx0 %*' to '/k %~dpnx0 %*'.
I did this change, and after elevation an empty command prompt was opened, no error shown.
I have tested it on some more Win 11 machines, and on some machines the elevation script did work, with the same version of Win 11.

Tested it on Windows 10 22H2 with all updates, and also no elevation. This Windows 10 machine was freshly installed and updated last week. No changes to the configuration were made and no software was installed after that.

I know from tools that impersonate TrustedInstaller etc., like RunAsTI64, ExecTI and Advanced Run x64, that two dependencies are needed for those to run correctly:
Modules Installer and Secondary Logon.
Any dependencies that I can check for this script?
 

On the Windows 10 machine I forgot to put something in the Windows Defender history. So Windows 10 works OK.
 

I know from tools that impersonate TrustedInstaller etc., like RunAsTI64, ExecTI and Advanced Run x64, that two dependencies are needed for those to run correctly:
Modules Installer and Secondary Logon.
Any dependencies that I can check for this script?
No. Only the original ClearDefenderHistory.bat used TrustedInstaller. It stopped working for most of us recently. The current ClearDefenderHistory.cmd script that creates a task (and the previous version that created a RunOnce entry) only pop up a UAC prompt so that the script can run with Administrator level access. It should be the same as right-clicking and selecting "Run as Administrator".
 

You need to have Admin rights, in order to create a Scheduled Task. The original script used a loophole to subvert the task's run-time identity to be TrustedInstaller. But the current version only needs to run the task as SYSTEM.

The script doesn't have any more power than you in an Admin shell. But the executed task is where the magic happens, because it's running as a privileged system identity.
 

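What garlin's "run the task as SYSTEM" version looks like in practice, as an added example. This is not the thread's ClearDefenderHistory.cmd (its contents are not on this page) and not garlin's or LesFresh's code. It assumes an elevated Windows PowerShell 5.1 session on Windows 10/11 with the ScheduledTasks module; the task name, the log file location and the 60-second timeout are choices made here, and the history folder path is the one quoted earlier in the thread. Like LesFresh's updated script it reports the case where no Protection history is found.

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread's script. Clears Defender Protection History
# from a one-shot scheduled task running as SYSTEM, then reports the result.

$HistoryDir = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'
$TaskName   = 'ClearDefenderHistory-Example'                          # assumed name
$LogFile    = Join-Path $env:ProgramData 'ClearDefenderHistory.log'   # assumed path
Remove-Item -LiteralPath $LogFile -Force -ErrorAction SilentlyContinue

# Payload that will execute as SYSTEM. Task output is not captured anywhere,
# so it writes a one-line summary to $LogFile and returns the number of files
# it could not delete as the process exit code. __DIR__/__LOG__ are filled in
# below; the single-quoted here-string keeps the $ signs literal.
$Payload = @'
$dir = '__DIR__'
$log = '__LOG__'
$files = @(Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue)
if ($files.Count -eq 0) {
    'No Protection history found.' | Set-Content -LiteralPath $log
    exit 0
}
$failed = 0
foreach ($f in $files) {
    try   { Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop }
    catch { $failed++ }
}
"Deleted $($files.Count - $failed) of $($files.Count) file(s); $failed still locked or access denied." |
    Set-Content -LiteralPath $log
exit $failed
'@
$Payload = $Payload.Replace('__DIR__', $HistoryDir).Replace('__LOG__', $LogFile)

# Passing the payload as -EncodedCommand avoids dropping a .ps1 on disk that a
# SYSTEM task would later execute (a file other users could tamper with).
$Encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Payload))
$Action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand $Encoded"

# Run as the SYSTEM service account; no RunEx/TrustedInstaller trick involved.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
Register-ScheduledTask -TaskName $TaskName -Action $Action `
    -Principal $Principal -Settings $Settings | Out-Null
Start-ScheduledTask -TaskName $TaskName

# Wait for the run to leave the Queued/Running states, or give up after 60 s.
$Deadline = (Get-Date).AddSeconds(60)
do {
    Start-Sleep -Seconds 1
    $State = (Get-ScheduledTask -TaskName $TaskName).State
} while (($State -in 'Queued', 'Running') -and ((Get-Date) -lt $Deadline))

$ExitCode = (Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false

if (Test-Path -LiteralPath $LogFile) { Get-Content -LiteralPath $LogFile }
else { "Task did not report back (last state: $State)." }
"Task exit code: $ExitCode (0 = nothing left to delete; N = N files still in place)"
```

A non-zero exit code means the Defender service still had those files open when the task ran; that is the situation the thread's later script handles with its reboot prompt, and the reason the Safe Mode route Steve C mentions works without any of this.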
I'm impressed by all this sophisticated script writing but why don't you folks simply delete the Defender history folder at
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service using Safe Mode which still works?
 

I'm impressed by all this sophisticated script writing but why don't you folks simply delete the Defender history folder at
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service using Safe Mode which still works?
Simply for the convenience.

The script works fine. It's just that, for some reason, @Tester has to right-click and select "Run as Administrator" (on some machines) instead of just double-clicking the script which already self-elevates using the RunAs verb. That's a problem I'm sure would affect any script that uses the same technique, so it's worthwhile to figure out what's going on in order to help anyone else encountering the same problem with other scripts now or in the future.
 

After rebooting the machines where the script failed to run, they have run OK after the reboot and the history is empty now. Not sure what was preventing those commands from running. However, I have documented the encounters, so once it happens again I/we can continue the investigation.
Will report back when I know more.
 
