How to Run a Microsoft Defender Offline Scan in Windows 10  


    Published by Category: Security System
    06 Jul 2020
    Designer Media Ltd



    Starting with Windows 10 version 2004, Windows Defender Offline has been renamed to Microsoft Defender Offline.

    Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).

    You can use Microsoft Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak.

    In Windows 10, Microsoft Defender Offline can be run with one click directly from the Microsoft Security app. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.

    This tutorial will show you how to manually run a Microsoft Defender Offline scan of your PC in Windows 10.

    You must be signed in as an administrator to be able to scan offline with Microsoft Defender Offline.

    Microsoft Defender Offline Scan log files are stored as a MPLog-YYYYMMDD-HHMMSS.log file located in the C:\Windows\Microsoft Antimalware\Support folder.

    You will notice D:\ProgramData\Microsoft\Windows Defender\Offline Scanner towards the top in the opened log file.


    Microsoft Defender Antivirus event logs are saved to the file below. You can open it to view the logs in Event Viewer.

    %windir%\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx




    Contents

    • Option One: To Run a Microsoft Defender Offline Scan from PowerShell
    • Option Two: To Run a Microsoft Defender Offline Scan from Command Prompt
    • Option Three: To Run a Microsoft Defender Offline Scan from Windows Defender Security Center






    OPTION ONE

    To Run a Microsoft Defender Offline Scan from PowerShell


    For more usage options for the Start-MpWDOScan command, see: Start-MpWDOScan


    1 Open an elevated PowerShell.

    2 Copy and paste the Start-MpWDOScan command into the elevated PowerShell, and press Enter.

    3 Go to step 6 in OPTION THREE below.






    OPTION TWO

    To Run a Microsoft Defender Offline Scan from Command Prompt


    For more usage options for the Start-MpWDOScan command, see: Start-MpWDOScan


    1 Open an elevated command prompt.

    2 Copy and paste the PowerShell Start-MpWDOScan command into the elevated command prompt, and press Enter.

    3 Go to step 6 in OPTION THREE below.






    OPTION THREE

    To Run a Microsoft Defender Offline Scan from Windows Defender Security Center


    1 Open Windows Security, and click/tap on the Virus & threat protection icon.

    2 Click/tap on the Scan options link under the Current threats section.

    3 Select (dot) Microsoft Defender Offline scan, and click/tap on the Scan now button.

    4 Click/tap on Scan.

    5 If prompted by UAC, click/tap on Yes.

    6 You will now see a message that You're about to be signed out to restart your PC in less than a minute to run the scan offline.

    7 When your PC restarts, you will see Microsoft Defender Offline loading.

    It may take a while before this is finished and continues to the next step.

    8 Microsoft Defender Offline will now automatically perform a quick scan of your PC in the recovery environment.

    Your PC will automatically restart when the scan has finished.

    9 When the offline scan has finished, your PC will automatically restart to Windows 10.


    That's it,
    Shawn
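The following PowerShell is an added example, not part of the original tutorial: it wraps the Start-MpWDOScan step from Option One with an elevation check, and after the reboot collects the evidence the tutorial points to (the MPLog-*.log files in the Support folder and the Defender Operational event log). The function names and the marker file are hypothetical; the event IDs are the ones listed in Microsoft's Defender Antivirus event reference and should be confirmed on your build.

```powershell
# Added example. Paths and the log name are the ones given in the tutorial;
# function names and the marker file are hypothetical.
$SupportDir  = Join-Path $env:windir 'Microsoft Antimalware\Support'
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'
$MarkerPath  = Join-Path $env:ProgramData 'OfflineScanRequested.txt'   # hypothetical

function Test-IsElevated {
    # The tutorial requires an administrator; check the token, not just group membership.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-OfflineScanWithMarker {
    if (-not (Test-IsElevated)) {
        throw 'Start-MpWDOScan needs an elevated PowerShell session.'
    }
    # Record when the scan was requested (round-trip format) so the evidence
    # query after the reboot can be limited to this run.
    (Get-Date).ToString('o') | Set-Content -Path $MarkerPath -Encoding ASCII
    # Signs the user out and restarts into the offline scanner (step 6 onward).
    Start-MpWDOScan
}

function Get-OfflineScanEvidence {
    # Fall back to the last 24 hours if the scan was started some other way.
    if (Test-Path $MarkerPath) {
        $since = [datetime]::Parse((Get-Content $MarkerPath -TotalCount 1),
            [cultureinfo]::InvariantCulture,
            [Globalization.DateTimeStyles]::RoundtripKind)
    } else {
        $since = (Get-Date).AddDays(-1)
    }

    # MPLog-YYYYMMDD-HHMMSS.log files written since the request, newest first.
    $logs = @(Get-ChildItem -Path $SupportDir -Filter 'MPLog-*.log' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Sort-Object LastWriteTime -Descending)

    # The tutorial notes that an offline scan log references the
    # "Offline Scanner" folder near the top of the file.
    $offlineLogs = @($logs | Where-Object {
        Select-String -Path $_.FullName -Pattern 'Offline Scanner' -SimpleMatch -Quiet
    })

    # 1116 = malware detected, 1117 = action taken,
    # 2030 = offline scan set up for next reboot, 2031 = offline scan setup failed.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = $DefenderLog
            StartTime = $since
            Id        = 1116, 1117, 2030, 2031
        } -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

    [pscustomobject]@{
        RequestedSince  = $since
        LogsSinceScan   = $logs.FullName
        OfflineScanLogs = $offlineLogs.FullName
        SetupFailed     = [bool]($events | Where-Object Id -eq 2031)
        Detections      = @($events | Where-Object Id -eq 1116).Count
        Events          = $events | Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
}

# Usage (elevated session):
#   Start-OfflineScanWithMarker          # PC restarts and runs the offline scan
#   ...after Windows 10 comes back up...
#   Get-OfflineScanEvidence | Format-List
```

An empty OfflineScanLogs list after the reboot, or SetupFailed being true, means the offline scan did not actually run and the endpoint should not be treated as verified clean.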






  1. Posts : 27,180
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #1

    Good one Shawn:)

    Here is the Event Viewer custom view for Defender's saved logs, which can be imported into any other user's Event Viewer:
    Defender Custom View.zip

    Download the zip file, unblock in properties, and extract it.
    1). In Event viewer click import Custom View
    2). Browse to your extracted file and import.

    Now it will show up at the top of Event Viewer, and is faster to find. Custom Views is just like pinning something in to Quick Access in File Explorer:


  2. Posts : 27,180
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #2

    Tried it in the VM


    Before offline scan in preparation

    After offline scan


  3. Posts : 27,180
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #3

    Final results


  4. Posts : 27,180
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #4

    I found the Offline Scanner folder: C:\ProgramData\Microsoft\Windows Defender\Offline Scanner
    Here is the EULA:
    MICROSOFT PRE-RELEASE SOFTWARE LICENSE TERMS
    MICROSOFT WINDOWS DEFENDER OFFLINE v2
    These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the pre-release software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft
    · updates,
    · supplements,
    · Internet-based services, and
    · support services
    for this software, unless other terms accompany those items. If so, those terms apply.
    By using the software, you accept these terms. If you do not accept them, do not use the software.
    As described below, using some features also operates as your consent to the transmission of certain potentially malicious software information and computer information for Internet-based services.
    If you comply with these license terms, you have the rights below.
    1. INSTALLATION AND USE RIGHTS.
    a. Installation and Use.
    · You may install and use any number of copies of the software on your premises to test how it runs with your programs.
    · You may not test the software in a live operating environment unless Microsoft permits you to do so under another agreement.
    2. INTERNET-BASED SERVICES. Microsoft provides Internet-based services with the software. It may change or cancel them at any time.
    a. Consent for Internet-Based Services. The software features described below and in the Windows Defender Offline Privacy Statement connect to Microsoft or service provider computer systems over the Internet. In some cases, you will not receive a separate notice when they connect. In some cases, you may switch off these features or not use them. For more information about these features, see go.microsoft.com/fwlink/?LinkId=253996. By using these features, you consent to the transmission of this information. Microsoft does not use the information to identify or contact you.
    i. Computer Information. The following features use Internet protocols, which send to the appropriate systems computer information, such as your Internet protocol address, the type of operating system, browser and name and version of the software you are using, and the language code of the device where you installed the software. Microsoft uses this information to make the Internet-based services available to you.
    · Customer Experience Improvement Program (CEIP). This software uses CEIP. CEIP automatically sends Microsoft information about your hardware and how you use this software. We do not use this information to identify or contact you. To learn more about CEIP, see go.microsoft.com/fwlink/?LinkId=253996.
    · Updates. By default, the software will automatically download definition updates. For more information, see the privacy statement at go.microsoft.com/fwlink/?LinkId=253996.
    · Malicious Software Removal. The software will check for and remove certain high severity malicious software (“Malware”) stored on your device during scheduled scans and when you select this action. When the software checks your device for Malware, a report will be sent to Microsoft about any Malware detected or errors that occur while the software is checking for Malware, specific information relating to the detection, errors that occurred while the software was checking for Malware, and other information about your device that will help us improve this and other Microsoft products and services. No information that can be used to identify you is included in the report.
    · Potentially Unwanted Software. The software will search your computer for low to medium severity Malware, including but not limited to, spyware, and other potentially unwanted software ("Potentially Unwanted Software"). The software will only remove or disable low to medium severity Potentially Unwanted Software if you agree. Removing or disabling this Potentially Unwanted Software may cause other software on your computer to stop working, and it may cause you to breach a license to use other software on your computer, if the other software installed this Potentially Unwanted Software on your computer as a condition of your use of the other software. You should read the license agreements for other software before authorizing the removal of this Potentially Unwanted Software. By using this software, it is possible that you or the system will also remove or disable software that is not Potentially Unwanted Software.
    · Microsoft Active Protection Service (MAPS) Participation. The Microsoft Active Protection Service (MAPS) antimalware community is a voluntary, worldwide community that includes users of the software. Upon initial installation, users will be opted-in by default to participate in MAPS under a Basic membership. Under the Basic membership, if the software is turned on, MAPS can report information about Malware and other forms of Potentially Unwanted Software to Microsoft. If a MAPS report includes details about Malware or Potentially Unwanted Software that the software may be able to remove, MAPS will download the latest signature to address it. MAPS can also find “false positives” (where something originally identified as Malware turns out not to be) and fix them. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. To learn more about MAPS and the information this feature transmits to Microsoft, see the privacy statement at go.microsoft.com/fwlink/?LinkId=253996.
    · Error Reports. This software automatically sends error reports to Microsoft that describe which software components had errors. No files or memory dumps will be sent unless you choose to send them. For more information about Error Reports, see go.microsoft.com/fwlink/?LinkId=253996.
    ii. Use of Information. We may use the computer information, and CEIP information, to improve our software and services. We may also share it with others, such as hardware and software vendors. They may use the information to improve how their products run with Microsoft software.
    3. TERM. The term of this agreement is until 15/09/2012 (day/month/year), or commercial release of the software, whichever is first.
    4. PRE-RELEASE SOFTWARE. This software is a pre-release version. It may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version.
    5. FEEDBACK. If you give feedback about the software to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.
    6. SCOPE OF LICENSE. The software is licensed, not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not
    · work around any technical limitations in the software;
    · reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation;
    · make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;
    · publish the software for others to copy;
    · rent, lease or lend the software;
    · transfer the software or this agreement to any third party; or
    · use the software for commercial software hosting services.
    7. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations, end users and end use. For additional information, see Microsoft Exporting - Home.
    8. SUPPORT SERVICES. Because this software is “as is,” we may not provide support services for it.
    9. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the software and support services.
    10. APPLICABLE LAW.
    a. United States. If you acquired the software in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
    b. Outside the United States. If you acquired the software in any other country, the laws of that country apply.
    11. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the software. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
    12. DISCLAIMER OF WARRANTY. The software is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights or statutory guarantees under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
    FOR AUSTRALIA – You have statutory guarantees under the Australian Consumer Law and nothing in these terms is intended to affect those rights.
    13. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to U.S. $5.00. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
    This limitation applies to
    · anything related to the software, services, content (including code) on third party Internet sites, or third party programs; and
    · claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
    It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.


  5. Posts : 27,180
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #5

    Also MpSwpHelp:

    Using Windows Defender Offline
    Malicious and other potentially unwanted software, including rootkits, attempt to install themselves on your computer when you connect to the Internet or install some programs from a CD, DVD, or other media. Once on your computer, this software might run immediately, or it might run at unexpected times.
    Windows Defender Offline can help remove hard to find malicious and potentially unwanted programs using definitions to recognize threats. Definitions are files that provide an encyclopedia of potential software threats. Because new threats appear daily, it is important to always have the most up-to-date definitions installed in Windows Defender Offline. Armed with definition files, Windows Defender Offline can detect malicious and potentially unwanted software, and then alert you to the risks.

    Windows 10
    On Windows 10, Windows Defender Offline is completely automated. This means Windows Defender when it identifies advanced malware will recommend that Windows Defender Offline be run and on the next reboot Windows Defender Offline will automatically scan/remediate the malware and reboot into Windows 10. This removes the need for the user to interact with the Windows Defender Offline product manually, as such the below sections are no longer applicable to Windows 10.

    Windows 8.1, Windows 8, Windows 7 and Windows Vista
    The following sections apply only to the above mentioned OS.
    Manually scan for malicious and other potentially unwanted software
    Windows Defender Offline offers three ways to scan your computer: Full scan, Quick scan, and Custom scan.
    · A Full scan will scan all the files on your computer. It is highly recommended that you perform this type of scan. However, a full scan can take a long time, depending on the size of your hard drive and number of files to scan.
    · To do a full scan, click the Home tab, under Scan options select Full and then click Scan now.
    · A Quick scan will check places on your computer’s hard disk that are most likely to be targets for malware, such as the system folder, startup folder, and the registry. You should run a quick scan anytime you suspect malware has infected your computer.
    · To do a quick scan, click the Home tab, under Scan options select Quick and then click Scan now.
    · Use Custom scan to choose just the folders or files you want to scan. This works well if you suspect a specific area of your computer is infected.
    · To do a custom scan, click the Home tab, under Scan options select Custom and then click Scan now.
    · On the Scan options page, select the drives and folders that you want to scan, and then click OK.
    Respond to malware found on your computer
    When Windows Defender Offline detects malicious or potentially unwanted software, you can review the item, choose Clean Computer, Remove, Quarantine, Clean, or Allow the item. Windows Defender Offline will offer a recommended action, but you can choose a different one if you prefer.
    Note: If you choose Allow for an item, Windows Defender Offline will stop alerting you to risks that the software might pose to your privacy or your computer. Add software to the allowed list only if you trust the software and the software publisher.
    To take recommended actions on malicious or potentially unwanted software
    To review and apply actions to detected malicious or potentially unwanted software, follow these steps:
    1. In Windows Defender Offline, click the Show details link under the Clean Computer button on the page that is displayed when a scan is completed. This opens a new dialog.
    2. For each item listed, review the information that Windows Defender Offline displays about the item. You can choose to apply the recommended action, or select another action that Windows Defender Offline should take on the item.
    3. Clicking on the Show details button provides more detailed information about each identified threat.
    4. After you have reviewed each item and selected an action, click Apply Actions.
    Using Clean Computer
    When you have malicious or potentially unwanted software, one of your options is Clean Computer. The Clean Computer button appears on the Home tab of Windows Defender Offline.
    When you choose Clean Computer, Windows Defender Offline opens a new dialog that lists the items that were identified and the progress in apply the default action on the item.
    Windows Defender Offline first applies the default actions for detected software based on the definition file from Microsoft. If the default action fails, the next action recommended by Windows Defender Offline is automatically applied. In most cases, Clean Computer quarantines malware when the attempt to clean or remove the malware fails. Detected software items that do not have an action associated with them are removed.
    If Windows Defender Offline fails to take the above mentioned actions on the item, the window turns red. If this happens, try rebooting and rescanning the machine. If Windows Defender Offline succeeds the window turns green. Clicking on Close will dismiss this dialog.
    Updating Signatures on Windows Defender Offline
    If you have Windows Defender Offline installed on a USB, inserting the USB drive on a computer with internet connection and re-running the wizard will update the signatures.

    Otherwise, the recommended approach for updating signatures is to create a new copy of Windows Defender Offline.
    Understanding alert levels
    Alert levels help you choose how to respond to malicious and potentially unwanted software. While Windows Defender Offline will recommend that you remove malware, not all software that is detected is malicious or unwanted. The information in this table can help you decide what to do if Windows Defender Offline detects potentially unwanted software on your computer.
    Alert level: Severe
    What it means: Widespread or exceptionally malicious software, such as viruses or worms, which negatively affect your privacy and the security of your computer, and which can damage your computer.
    What to do: Remove this software immediately.
    Alert level: High
    What it means: Software that might collect your personal information and negatively affect your privacy or damage your computer, for example, by collecting information or changing settings, typically without your knowledge or consent.
    What to do: Remove this software immediately.
    Alert level: Medium
    What it means: Software that might affect your privacy or make changes to your computer that could negatively impact your computing experience, for example, by collecting personal information or changing settings.
    What to do: Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.
    Alert level: Low
    What it means: Potentially unwanted software that might collect information about you or your computer or change how your computer works, but is operating in agreement with licensing terms displayed when you installed the software.
    What to do: This software is typically benign when it runs on your computer, unless it was installed without your knowledge. If you're not sure whether to allow it, review the alert details or check to see if you recognize and trust the publisher of the software.
    Windows Defender Offline system requirements
    Memory requirement:
    The system to be scanned must have a minimum of 512 MB of memory.
    Operating Systems that can be scanned for malware:
    Windows XP SP3, Windows Vista, Windows 7 and Windows 8.
    Windows Server 2k3 R2, Windows Server 2k3 SP 2, Windows Server 2k8, Windows Server 2k8 R2, Windows Server 8.


  6. Posts : 68,836
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #6

    It appears that the C:\ProgramData\Microsoft\Windows Defender\Offline Scanner folder isn't available by default until you have done an offline scan with Windows Defender Offline first.


  7. Posts : 27,180
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #7

    Brink said:
    It appears that the C:\ProgramData\Microsoft\Windows Defender\Offline Scanner folder isn't available by default until you have done an offline scan with Windows Defender Offline first.
    I was trying to see if one of the .exe files (both as normal and as admin run) would start the offline scan, so you could make a shortcut, but... nope.

    So you think it (like many Windows features) unpacks and installs itself when run for the first time? Makes sense, that would save disk space, if never needed, and resources.


  8. Posts : 68,836
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #8

    That seems to be the case for this to not be available until used.

    There doesn't appear to be an easy way to create a quick shortcut to directly run this so far.


  9. Posts : 27,180
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #9

    Brink said:
    That seems to be the case for this to not be available until used.

    There doesn't appear to be an easy way to create a quick shortcut to directly run this so far.
    Nope. I have used my MFT scanner (just installed it in the VM) and it cannot find a link to the button, just to the settings. Also it's not in the system32 part of Defender or in Program Files or Program Files (x86) or in the Uni Apps shortcuts list. Maybe if I set File Explorer to Unhide protected OS files?


 
