Solved How to Remove Items in Defender History

How do I remove these warnings for PUAs in Defender Protectionj History which have been listed since 12 March? The files all relate to the Win10PXE project on the forum since deleted. I tried the ClearDefenderHistory tool recommended here on GitHub but it didn't remove these items.

Clear Windows Security History

The above Tutorial may do it.

If is doesn't this will:

I don't my script works any more, @LesFerch found a newer workaround.
Clear Windows Defender History Files

garlin said:

I don't my script works any more, @LesFerch found a newer workaround.
Clear Windows Defender History Files

Click to expand...

That didn't work as I said in my original post

Steve C said:

How do I remove these warnings for PUAs in Defender Protectionj History

Click to expand...

Interesting. I'll do some testing with a PUA and see what's up.

You can also try the Clear Defender history option in my Right-Click Tools package. It uses a task instead of a RunOnce key.

Josey Wales said:

Clear Windows Security History

The above Tutorial may do it.

If is doesn't this will:

Code:

<# : batch script
@echo off
powershell -nop "if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { Start-Process -Verb RunAs 'cmd.exe' -ArgumentList '/c %~dpnx0 %*' } else { Invoke-Expression ([System.IO.File]::ReadAllText('%~f0')) }"
goto :eof
#>

# https://www.tiraniddo.dev/2019/09/the-art-of-becoming-trustedinstaller.html

$ScriptBlock = {
    $MAPS_Status = (Get-MpPreference).MAPSReporting
    Set-MpPreference -DisableRealtimeMonitoring 1
    Set-MpPreference -MAPSReporting Disabled

    Get-ChildItem -File 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service' -Recurse | Remove-Item -Force

    Set-MpPreference -DisableRealtimeMonitoring 0
    Set-MpPreference -MAPSReporting $MAPS_Status
}

# Create scheduled task

$TaskName = 'Clear Defender Protection History'
$SchedulerPath = '\Microsoft\Windows\PowerShell\ScheduledJobs'
Unregister-ScheduledJob $TaskName -Confirm:$false 2>&1 | Out-Null
Register-ScheduledJob -Name $TaskName -ScriptBlock $ScriptBlock | Out-Null

$adminAccount = Get-LocalUser | Where-Object {$_.SID -like "*-500"} | Select-Object -ExpandProperty Name
$Principal = New-ScheduledTaskPrincipal -UserId "$env:COMPUTERNAME\$adminAccount"
Set-ScheduledTask -TaskPath $SchedulerPath -TaskName $TaskName -Principal $Principal | Out-Null

$Service = New-Object -ComObject 'Schedule.Service'
$Service.Connect()

# Invoke task as TI

$User = 'NT SERVICE\TrustedInstaller'
$Folder = $Service.GetFolder($SchedulerPath)
$Task = $Folder.GetTask($TaskName)

$Task.RunEx($null, 0, 0, $User) | Out-Null

# Wait for task completion, or timed out

$Timeout = 60
$Timer =  [Diagnostics.Stopwatch]::StartNew()

while (((Get-ScheduledTask -TaskName $TaskName).State -ne 'Ready') -and ($Timer.Elapsed.TotalSeconds -lt $Timeout)) {
    Start-Sleep -Seconds 1
}

$Timer.Stop()

# Remove scheduled task
Unregister-ScheduledJob $TaskName -Confirm:$false | Out-Null

Click to expand...

This worked for me, don't know why it would not work for everyone?

There's TenForums posts that report it doesn't work any more. Maybe it depends on your Defender platform version.

@Josey Wales
This worked for me, don't know why it would not work for everyone?

Have tested the script, also verified the jobs is made, and has run, but after running, the history is still visable.
In task scheduler, the task is scheduled by the script as Administrator (is that correct????, i expected it to run As Trusted Installer)
Also the scripts outputs a log file after running it, can be found here:
\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\Clear Defender Protection History\Output\

Log file:
$MAPS_Status = (Get-MpPreference).MAPSReporting
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -MAPSReporting Disabled

Get-ChildItem -File 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service' -Recurse | Remove-Item -Force

Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -MAPSReporting $MAPS_Status
</InvocationInfo_Command><InvocationInfo_Name z:Ref="4" i:nil="true"/><InvocationInfo_AdapterType i:nil="true"/><InvocationInfo_ModuleName z:Id="36" z:Type="System.String" z:Assembly="0">PSScheduledJob</InvocationInfo_ModuleName><InvocationInfo_AdapterTypeName z:Id="37" z:Type="System.String" z:Assembly="0">ScheduledJobSourceAdapter</InvocationInfo_AdapterTypeName><InvocationParam_ScriptBlock z:Ref="6" i:nil="true"/><InvocationParam_FilePath z:Id="38" z:Type="System.String" z:Assembly="0"/><InvocationParam_InitScript z:Ref="38" i:nil="true"/><InvocationParam_RunAs32 z:Id="39" z:Type="System.Boolean" z:Assembly="0">false</InvocationParam_RunAs32><InvocationParam_Authentication z:Id="40" z:Type="System.Management.Automation.Runspaces.AuthenticationMechanism" z:Assembly="System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">Default</InvocationParam_Authentication><InvocationParam_ArgList i:nil="true"/></InvocationInfo_Member></Status_Definition><Status_StartTime z:Id="41" z:Type="System.DateTime" z:Assembly="0">2024-05-06T22:34:47.8542716+02:00</Status_StartTime><Status_StopTime z:Id="42" z:Type="System.DateTime" z:Assembly="0">2024-05-06T22:34:50.4818144+02:00</Status_StopTime></StatusInfo><ResultsInfo z:Id="43" z:Type="Microsoft.PowerShell.ScheduledJob.ScheduledJob+ResultsInfo" z:Assembly="Microsoft.PowerShell.ScheduledJob, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" xmlns=""><Results_Output z:Id="44" z:Type="System.Collections.ObjectModel.Collection`1[[System.Management.Automation.PSObject, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]" z:Assembly="0"><items z:Id="45" z:Type="System.Collections.Generic.List`1[[System.Management.Automation.PSObject, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]" z:Assembly="0" xmlns="http://schemas.datacontract.org/2004/07/System.Management.Automation"><_items z:Id="46" z:Size="0"/><_size>0</_size><_version>0</_version></items></Results_Output><Results_Error z:Id="47" z:Type="System.Collections.ObjectModel.Collection`1[[System.Management.Automation.ErrorRecord, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]" z:Assembly="0"><items z:Id="48" z:Type="System.Collections.Generic.List`1[[System.Management.Automation.ErrorRecord, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]" z:Assembly="0" xmlns="http://schemas.datacontract.org/2004/07/System.Management.Automation"><_items z:Id="49" z:Size="4"><ErrorRecord z:Id="50" z:Type="System.Management.Automation.Runspaces.RemotingErrorRecord" z:Assembly="System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"><CliXml z:Id="51" z:Type="System.String" z:Assembly="0" xmlns="">&lt;Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"&gt;&#xD;
&lt;Obj RefId="0"&gt;&#xD;
&lt;ToString&gt;@{Exception=System.Management.Automation.RemoteException: Access to the path is denied.; TargetObject=C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log; FullyQualifiedErrorId=RemoveFileSystemItemArgumentError,Microsoft.PowerShell.Commands.RemoveItemCommand; InvocationInfo=; ErrorCategory_Category=5; ErrorCategory_Activity=Remove-Item; ErrorCategory_Reason=ArgumentException; ErrorCategory_TargetName=C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log; ErrorCategory_TargetType=FileInfo; ErrorCategory_Message=InvalidArgument: (C:\ProgramData\...\Detections.log:FileInfo) [Remove-Item], ArgumentException; ErrorDetails_Message=Cannot remove item C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log: Access to the path is denied.; ErrorDetails_RecommendedAction=; SerializeExtendedInfo=False; ErrorDetails_ScriptStackTrace=at &amp;lt;ScriptBlock&amp;gt;, &amp;lt;No file&amp;gt;: line 6}&lt;/ToString&gt;&#xD;
&lt;Obj RefId="1"&gt;&#xD;

@Tester Does this script work for you?

Oh dear - as OP I seem to have exposed a can of worms!

Steve C said:

Oh dear - as OP I seem to have exposed a can of worms!

Click to expand...

It's good! A mystery to solve and more input to help solve it.

I have nothing to clear so I can't test it.

I wonder if Defender's filter driver is now protecting its own history, to prevent malware from covering up its own tracks. If you and I could write these basic scripts, it means malware could perform the same actions.

@LesFerch Nope tested it just now, and did not work, history still intact after reboot.

@gerlin I am actually ok with it, that scripts or users can't do it. However for lazy admins its a bit of a hussle to do it in safe mode. More work/time to do it, but that option still works.

@Tester One more method for you to try:
Use the "Clear History" menu item and you'll see a "Defender history" checkbox.

@LesFerch Time to boot up the vm and then hopefully catch a cold.

Tester said:

@LesFerch Time to boot up the vm and then hopefully catch a cold.

Click to expand...

Here are some options to safely trigger a detection:

Scroll down to "download area" and download any one of the test files.

Click the NSudo link

LesFerch said:

Use the "Clear History" menu item and you'll see a "Defender history" checkbox.

Click to expand...

That tool works, after a reboot history is gone.
Nice tool btw.

@LesFerch Good suggestion. Some apps i wrote trigger win def, so i copyed those to the vm to get something in the history.

Tester said:

That tool works, after a reboot history is gone.
Nice tool btw.

Click to expand...

Great! I'll revise the standalone script to use the same method. And Thanks!