Clear Windows Security Center (Defender) Protection History


  1. Posts : 745
    Windows 10/11
       #61

    I'm seeing the same issue. I did my usual test which is to download NSudo from here.

    That always causes a false positive "Virus detected". Usually there's no problem clearing it from the history. Today, I have not been able to get the history cleared.


  2. Posts : 6,856
    22H2 64 Bit Pro
       #62

    LesFerch said:
    I'm seeing the same issue. I did my usual test which is to download NSudo from here.

    That always causes a false positive "Virus detected". Usually there's no problem clearing it from the history. Today, I have not been able to get the history cleared.
    Same here. Your script or garlin's script always worked for me in the past. I did notice an update to Defender during this week. That's only because I have a program running that notifies of any new executables dropped in watched locations.

    The only way I found to clear history now is to delete on boot.

    [Attached image: delete-files-ultra-virus-killer.jpg]


  3. Posts : 7,910
    Windows 11 Pro 64 bit
       #63

    I checked back on the Group Policy timeout setting mentioned at the start of the thread but that has been removed.


  4. Posts : 745
    Windows 10/11
       #64

    I tried both PowerRun and AdvancedRun to open Cmd as TrustedInstaller and get "Access Denied" when attempting to delete or create a file within "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service". I can create and delete a folder there, but not a file. I tried killing all processes listed in this Defender Remover script and still couldn't clear the history. I'm stumped.

    @garlin Any ideas?

    P.S. Also, net stop "Microsoft Defender Antivirus Service" from Cmd as TrustedInstaller results in "Access is denied".


  5. Posts : 6,856
    22H2 64 Bit Pro
       #65

    FYI: It's also discussed here:

    Clearing Defender history after recent updates - Anti-Virus, Anti-Malware, and Privacy Software

    I tried the solution in the last post but that didn't work.


  6. Posts : 787
    Windows 7
       #66

    Get-Acl reports TI should have full rights to the folder and its files, but it's ignored. I'm guessing it's a kernel-level restriction much like how Tamper Protection disables live changes to Defender services.

    I notice you're not allowed to:
    - delete or move any files
    But you're allowed to:
    - copy them

    Access to the path 'C:\ProgramData\Microsoft\Windows Defender\scans\History\Service\DetectionHistory\01\81BE0F6E-EB27-40BB-9889-0A3B3BF4C68C' is denied.


  7. Posts : 5
    Windows 11
       #67

    That DWDH tool posted also stopped working ...


  8. Posts : 745
    Windows 10/11
       #68

    esscape75 said:
    That DWDH tool posted also stopped working ...
    Yup


  9. Posts : 745
    Windows 10/11
       #69

    As noted by @Callender, the Windows Defender Protection history can be cleared at machine startup. I have revised the ClearDefenderHistory script to do that:

    ClearDefenderHistory | Clear Windows Defender History Files

    If anyone finds a new method to clear the Protection history without a restart, I'll update the script accordingly.


  10. Posts : 787
    Windows 7
       #70

    Darn. I can't keep up with your coding speed...

    I finished a script to schedule itself in Safe Mode using a RunOnce command. When in Safe Mode, it clears out the history before restarting back into normal Windows. Maybe overkill, but the workflow might be useful for someone who needs a wrapper script to execute an arbitrary command in Safe Mode, before returning to Windows.

    If you make a RunOnce key starting with an *, Safe Mode will follow it.
    Code:
    <# : batch script
    @echo off
    powershell -nop "if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { Start-Process -Verb RunAs 'cmd.exe' -ArgumentList '/c %~dpnx0' } else { Invoke-Expression ('$Script=''%~f0''' + [System.IO.File]::ReadAllText('%~f0')) }"
    goto :eof
    #>
    
    # Normal boot: confirm, register this script to run once in Safe Mode, then reboot into Safe Mode.
    if ((Get-WmiObject Win32_ComputerSystem).BootupState -match 'Normal') {
        Add-Type -AssemblyName PresentationCore,PresentationFramework
        $result = [System.Windows.MessageBox]::Show('Reboot the computer now?','Confirm Reboot','OKCancel','Warning')
    
        # MessageBoxResult 'OK' has the value 1; anything else cancels.
        if (($result).value__ -ne 1) {
            exit 0
        }
    
        # https://msirevolution.wordpress.com/2012/03/30/runonce-to-execute-in-safe-mode/
        Set-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name '*ClearDefenderHistory' -Value $Script
    
        # -Wait so the BCD change is written before the reboot starts.
        Start-Process bcdedit -ArgumentList '/set {current} safeboot network' -Wait
        & shutdown /r /t 0
    }
    else {
        # Safe Mode: delete the history files, clear the safeboot flag, and reboot back into normal Windows.
        Get-ChildItem 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service' -File -Recurse | Remove-Item -Force
    
        # -Wait so the safeboot flag is removed before the reboot starts.
        Start-Process bcdedit -ArgumentList '/deletevalue {current} safeboot' -Wait
        & shutdown /r /t 0
    }
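
Seen from the detection side, the workflow in post #70 leaves two artifacts while a Safe Mode pass is pending: a RunOnce value whose name starts with `*`, and a `safeboot` element on the current boot entry. The audit below is an added example, not part of any post in this thread; the function name `Get-SafeModeRunOnceAudit` is hypothetical, and it assumes an elevated prompt and English `bcdedit` output.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
function Get-SafeModeRunOnceAudit {
    $findings = @()
    $runOnceKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($path in $runOnceKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            # RunOnce is skipped in Safe Mode unless the value name starts with '*'.
            if ($name.StartsWith('*')) {
                $findings += [pscustomobject]@{
                    Check  = 'RunOnce value that also runs in Safe Mode'
                    Where  = "$path -> $name"
                    Detail = [string]$key.GetValue($name)
                }
            }
        }
    }

    # A 'safeboot' element on the current boot entry means the next boot is Safe Mode.
    # Assumption: bcdedit prints the element name in English.
    $bcdLines = & bcdedit.exe /enum '{current}' 2>$null
    foreach ($line in $bcdLines) {
        if ($line -match '^\s*safeboot\s+(\S+)') {
            $findings += [pscustomobject]@{
                Check  = 'Boot entry forces Safe Mode'
                Where  = 'BCD {current}'
                Detail = "safeboot = $($Matches[1])"
            }
        }
    }

    # Context for the analyst: how the running session was booted.
    $findings += [pscustomobject]@{
        Check  = 'Current boot state'
        Where  = 'Win32_ComputerSystem.BootupState'
        Detail = (Get-CimInstance Win32_ComputerSystem).BootupState
    }
    $findings
}

Get-SafeModeRunOnceAudit | Format-List
```

On a machine with nothing pending, only the "Current boot state" row is returned; either of the other two rows means a command is queued to run in Safe Mode or the next boot will be a Safe Mode boot.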


 
