Clear Windows Security Center (Defender) Protection History


  1. Posts : 776
    Windows 7
       #41

    PS commands for Defender require Admin rights to update any settings, but the script to clear Defender history needs the additional steps of removing a protected folder. That folder is owned by TrustedInstaller to prevent casual or malicious interference.

    If you only need to Set-MpPreference, then always check the title of your CMD, PowerShell or Terminal window has the word "Administrator".


  2. Posts : 31
    10 Pro
       #42

    Many thanks Les,
    I didn't see the UAC warning as I have it permanently disabled. I have been a heavy PC user since 1989, and have never had a virus on my PCs. I object when Microsoft throws another required click in my way.

    I will need time to work through your link, Add Open PowerShell window here as administrator in Windows 10 , but I certainly will.

    When I realised that my right click option did not work, and I used the other option to open Admin PowerShell, the command did remove all my virus notifications. To recap, I was logged in to Win11 as Administrator, then I used the alternate way of opening PowerShell Admin, then the command "Set-MpPreference -QuarantinePurgeItemsAfterDelay 1" did work. I was not, as far as I know, in "TrustedInstaller" access mode.

    I'm not good interpreting your well explained ClearDefenderHistory-type script, but I could see that it does include the elevation to TrustedInstaller. Your script is beautifully written, and from previous issues I have had, it will be of immense help in many circumstances.

    And I will certainly be following up PowerRun, etc.

    Your help is very much appreciated and I thank you.

    Doug Price

    - - - Updated - - -

    Please be aware that with me being in Australia, your day and mine have very little overlap. Currently it is 0240 here. Hence my response may be delayed. I'm old and my functioning hours are a subset of 1400 - 0400 in Aus time, in US central time that is, I think, 2100 - 1200 or thereabouts? I should know much better as I have worked in various places in the US in the past.


  3. Posts : 745
    Windows 10/11
       #43

    doug4901 said:
    I didn't see the UAC warning as I have have it permanently disabled.
    That will make it a little less clear that you're elevated, but, as @garlin mentioned, if it doesn't say "Administrator" in the window title, that would be another clue that there's an issue.

    I will need time to work through your link, Add Open PowerShell window here as administrator in Windows 10, but I certainly will.
    The tutorials and scripts provided here by @Brink are excellent and reliable so you can count on them to just work or use them as a basis to make your own custom version.

    To recap, I was logged in to Win11 as Administrator, then I used the alternate way of opening PowerShell Admin, then the command "Set-MpPreference -QuarantinePurgeItemsAfterDelay 1" did work. I was not, as far as I know, in "TrustedInstaller" access mode.
    Yes, purging the quarantined items only requires standard elevation (i.e. Run as Administrator). Clearing the Defender history requires TrustedInstaller.

    I'm not good interpreting your well explained ClearDefenderHistory-type script, but I could see that it does include the elevation to TrustedInstaller. Your script is beautifully written, and from previous issues I have had, it will be of immense help in many circumstances.
    Actually, the script was written by @garlin, so all credit goes there. I just made a home for it in my GitHub pages.

    And I will certainly be following up PowerRun, etc.
    Yes, tools like that are great, but, of course, must be used with care. They are certainly much safer to use than messing around with permissions (when it comes to accessing things that require TrustedInstaller).


  4. Posts : 745
    Windows 10/11
       #44

    @garlin A couple of interesting observations today that perhaps you could shed more light on.

    First, as a matter of curiosity, I ran the code from the script block section of ClearDefenderHistory.bat in a PowerShell window (also tried a Cmd window) elevated to TrustedInstaller via PowerRun, but the code was not able to remove the history (lots of errors). I verified that I was indeed running as TrustedInstaller by creating a folder that was restricted to NT Service\TrustedInstaller. I checked by opening a Cmd window as SYSTEM and could not remove the folder. In the window opened as TrustedInstaller, I could remove the folder, so I was satisfied regarding access level. My only idea is that the script in ClearDefenderHistory.bat is running non-interactively and that makes a difference with regard to stopping real-time protection.

    Second, the original version of ClearDefenderHistory.bat (the one with the direct reference to "Administrator") is now being detected as malicious on my machine as of today and got quarantined. The new version (with the SID reference) continued to work fine without any bother from Defender. Weird.
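Posts #41 and #44 both come down to the same question: what security context is this console actually running in? The window title check from #41 only proves elevation, and the "create a folder only TrustedInstaller can delete" test from #44 works but leaves an artefact behind. The token itself answers both questions directly. The function below is an added example (not from the thread or from ClearDefenderHistory.bat); it reads the current token and reports whether it is elevated, whether it is SYSTEM, and whether it carries the NT SERVICE\TrustedInstaller service SID. The literal SID used as a fallback is the well-known TrustedInstaller service SID; the name lookup is attempted first.

```powershell
# Added example: report the security context of the current PowerShell session.
# Useful before running anything that needs "Run as Administrator" (Set-MpPreference)
# or TrustedInstaller (deleting Defender history files).
function Get-SessionContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # Resolve NT SERVICE\TrustedInstaller to its service SID. If the name cannot be
    # translated on this box, fall back to the well-known literal value.
    try {
        $tiSid = (New-Object System.Security.Principal.NTAccount('NT SERVICE', 'TrustedInstaller')).
            Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        $tiSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    }

    [pscustomobject]@{
        User                = $identity.Name
        IsSystem            = $identity.IsSystem
        # IsInRole(Administrator) is true only for an elevated token; with UAC off
        # it is true for every console an admin opens, which is what post #42 saw.
        IsElevated          = $principal.IsInRole($adminRole)
        # A task or tool that really runs "as TrustedInstaller" carries the service
        # SID in the token's group list; SYSTEM alone does not.
        HasTrustedInstaller = [bool]($identity.Groups -contains $tiSid)
        WindowTitle         = $Host.UI.RawUI.WindowTitle
    }
}

Get-SessionContext | Format-List
```

Run it in each of the three windows from post #44 (plain elevated, SYSTEM, TrustedInstaller via PowerRun): only the last one should show HasTrustedInstaller = True. If IsElevated is False, Set-MpPreference will fail regardless of what the window title says.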


  5. Posts : 776
    Windows 7
       #45

    I've seen subtle differences in what NSudo, PowerRun and TI scheduled tasks can perform because of how they each handle the security contexts. For example, NSudo can sometimes do something PowerRun can't do.

    To me, the question is what's the least intrusive tool for the given task: whether it's a sledgehammer (NSudo), chisel (PowerRun), or magic marker (PS -verb or TI task).

    I would suspect Defender is working off machine-learning heuristics, and "Administrator" is a clear keyword. But then you could probably fool the detection engine with $('Ad' + 'm' + 'inistr' + 'ator')...


  6. Posts : 130
    Win 10x64 Pro
       #46

    Just popping in to say, it works fine and Thank you.


  7. Posts : 10
    Windows 10 Pro
       #47

    garlin said:
    Run this script ClearDefenderHistory.bat to safely stop Defender protections, clear the history files, and restart protection. It's a wrapper to a PowerShell script that creates a temporary scheduled task, and runs as TrustedInstaller.

    Attachment 395284

    This is a much better approach than taking ownership of Defender folders, which is a security hole since if you can delete files, so can malware running as you. The script waits for the task to complete (or times out), and removes the task. If you're not already Administrator, it will ask for permissions.
    Amazing script!!! Worked like a charm!

    (NOTE: The folders under C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory were not removed, but that's about it!)
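The quoted description of ClearDefenderHistory.bat (temporary scheduled task, runs as TrustedInstaller, waits, cleans up) is the whole technique, so here is a standalone PowerShell version of that pattern. This is an added example written for this page, not the script from the attachment; the task name, the location of the helper script under $env:SystemRoot\Temp, the timeouts and the use of New-ScheduledTaskPrincipal with -UserId 'NT SERVICE\TrustedInstaller' -LogonType ServiceAccount are this example's choices. It must be started from an elevated PowerShell. One caveat the thread does not spell out: if Tamper Protection is on, Set-MpPreference -DisableRealtimeMonitoring is refused, so the deletion runs with real-time protection still active and the transcript will show the error.

```powershell
#Requires -RunAsAdministrator
# Added example: run a Defender-history cleanup as NT SERVICE\TrustedInstaller through a
# temporary scheduled task, wait for it (or time out), then remove the task again.
$taskName   = 'TempClearDefenderHistory'                       # arbitrary, removed afterwards
$historyDir = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'
$scriptPath = Join-Path $env:SystemRoot 'Temp\ClearDefenderHistory.ps1'
$logPath    = Join-Path $env:SystemRoot 'Temp\ClearDefenderHistory.log'
$timeoutSec = 120

# Body executed inside the task. Real-time protection is stopped only for the duration
# of the deletion and re-enabled in 'finally' even if the deletion fails part-way.
$payload = @"
Start-Transcript -Path '$logPath' -Force | Out-Null
Set-MpPreference -DisableRealtimeMonitoring `$true
try {
    Get-ChildItem -File -Path '$historyDir' -Recurse -Force -ErrorAction SilentlyContinue |
        Remove-Item -Force -ErrorAction Continue
} finally {
    Set-MpPreference -DisableRealtimeMonitoring `$false
}
Stop-Transcript | Out-Null
"@
# The helper file runs as TrustedInstaller, so it must not sit anywhere a standard user can
# edit it between creation and execution. It is written by the elevated admin and deleted below.
Set-Content -LiteralPath $scriptPath -Value $payload -Encoding UTF8

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'NT SERVICE\TrustedInstaller' `
                 -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal `
    -Settings $settings -Force | Out-Null
try {
    Start-ScheduledTask -TaskName $taskName
    $deadline = (Get-Date).AddSeconds($timeoutSec)
    do {
        Start-Sleep -Seconds 2
        $state = [string](Get-ScheduledTask -TaskName $taskName).State
    } while (($state -in 'Queued', 'Running') -and ((Get-Date) -lt $deadline))

    if ($state -in 'Queued', 'Running') {
        Stop-ScheduledTask -TaskName $taskName
        Write-Warning "Task did not finish within $timeoutSec s; see $logPath"
    } else {
        $rc = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
        Write-Host ("Task finished with result 0x{0:X}; transcript: {1}" -f $rc, $logPath)
    }
} finally {
    # Always remove the task and the helper script, even if we were interrupted above.
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
    Remove-Item -LiteralPath $scriptPath -Force -ErrorAction SilentlyContinue
}
```

Keeping the task's lifetime inside try/finally is what makes this safer than changing ACLs: there is no standing "anyone-can-delete" permission on the Defender folders, and no leftover task running as TrustedInstaller that a later process could repoint. Read the transcript afterwards; it is the only place a refused Set-MpPreference (Tamper Protection) or an access-denied on a file will show up, since the task itself runs non-interactively.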


  8. Posts : 776
    Windows 7
       #48

    marcolopes said:
    (NOTE: The folders under C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory were not removed, but that's about it!)
    There's no real need to remove any of those empty folders.

    Apps like Defender or any browser (Edge, Chrome, Firefox) will create what are known as "hash" folders. The idea is if you needed to keep track of new items, you sort them into "random" folders based on a calculated math value, instead of indexing them. This performs much faster for the app.

    The folders themselves have no real meaning, other than some future files might get stored there, or in another parallel subfolder that gets created as needed. Whether you remove the empty folders or not, doesn't change anything since Defender creates new ones as needed.

    If you wanted the folders removed, take out the (-File) in this line:
    Code:
    Get-ChildItem -File 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service' -Recurse | Remove-Item -Force
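Dropping -File from that Get-ChildItem line does remove the hash folders, but Get-ChildItem returns parents before their children, and Remove-Item on a non-empty directory without -Recurse stops to ask, so the result depends on ordering. If you do want the empty folders gone, the version below (an added example, not code from the thread) walks the tree deepest-first and only deletes a directory once it really is empty. It has to run in the same TrustedInstaller context as the file cleanup; the -WhatIf rehearsal runs first and only reports the leaf-level folders, because parents are not actually emptied during a rehearsal.

```powershell
# Added example: prune empty hash folders left behind under DetectionHistory.
# Deepest directories are removed first so each parent is tested after its children.
function Remove-EmptyDirectory {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root
    )
    $removed = 0
    $dirs = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Sort-Object { $_.FullName.Length } -Descending
    foreach ($dir in $dirs) {
        # -Force includes hidden and system entries, so a folder holding only a
        # hidden file is correctly treated as non-empty and left alone.
        $entries = Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue
        if ($entries) { continue }
        if ($PSCmdlet.ShouldProcess($dir.FullName, 'Remove empty directory')) {
            Remove-Item -LiteralPath $dir.FullName -Force
            $removed++
        }
    }
    $removed
}

$root = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory'
Remove-EmptyDirectory -Root $root -WhatIf            # rehearsal: prints "What if:" lines, deletes nothing
$count = Remove-EmptyDirectory -Root $root
"Removed $count empty folders under $root"
```

As garlin says, Defender simply recreates whichever hash folders it needs, so this is cosmetic; the point of the deepest-first walk is that it never tries to delete something that still has contents.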


  9. Posts : 10
    Windows 10 Pro
       #49

    garlin said:
    There's no real need to remove any of those empty folders.

    Apps like Defender or any browser (Edge, Chrome, Firefox) will create what are known as "hash" folders. The idea is if you needed to keep track of new items, you sort them into "random" folders based on a calculated math value, instead of indexing them. This performs much faster for the app.

    The folders themselves have no real meaning, other than some future files might get stored there, or in another parallel subfolder that gets created as needed. Whether you remove the empty folders or not, doesn't change anything since Defender creates new ones as needed.

    If you wanted the folders removed, take out the (-File) in this line:
    Code:
    Get-ChildItem -File 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service' -Recurse | Remove-Item -Force
    Great explanation! Thanks!


  10. Posts : 130
    Win 10x64 Pro
       #50

    Hello, maybe the last time.

    Just popping in to report this script works fine on Win 11 too. I finished rebuilding 1 of 2 PCs and updated it to 11 (OMG the start menu is FUGLY) and have already used this script.

    Of all things, Windows Defender was removing my GPU driver package, most likely because it was "repackaged" to remove all the bloat/spyware.

    Edition Windows 11 Pro
    Version 23H2
    Installed on 3/16/2024
    OS build 22631.3155
    Experience Windows Feature Experience Pack 1000.22684.1000.0


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd