Powershell Windows Defender RRS feed

  • Question

  • I'm trying to write a PowerShell script to automate some scanning activities using Windows Defender. I've noticed a limitation with the published code which I'm interested to know whether or not there is a workaround.

    Is there any reason why when you run this:

    Start-MpScan -ScanType CustomScan -ScanPath "C:\Files"

    That the scan does not get added into the event viewer?

    I need this because I need a way to keep a log of what files were scanned? If I could output the results of scan directly from PowerShell that would be even better but I don't believe this function returns anything. Any pointers appreciated.

    Monday, August 10, 2020 6:12 PM

All replies

  • Hello,

    In my Win10 Pro it get logged.

    Look for the below Provider / EventID:

      <Provider Name="Microsoft-Windows-Windows Defender">

     <EventID>1000</EventID> Scan started

     <EventID>1001</EventID> Scan finished


    Hope this help.



    • Edited by Sokratissz Monday, August 10, 2020 9:10 PM
    Monday, August 10, 2020 9:07 PM
  • Hi Sok,

    Thanks for the reply.  Can you confirm that you see the event when you scan via the PowerShell command?

    If I scan using the standard gui then the event gets added, only when I run the command via the PowerShell does it not get added.

    I've tried on numerous Windows 10 installations - could it be a policy thing?

    Tuesday, August 11, 2020 8:14 AM
  • Get-WinEvent @{ProviderName='Microsoft-Windows-Windows Defender';ID=1000,1001}


    Tuesday, August 11, 2020 8:32 AM
  • Thanks, so that'll retrieve the events, but the issue is there are no events to retrieve when using the Start-MpScan cmdlet.

    I assume all events would be stored within the Microsoft-Windows-Windows Defender/Operational ?

    Tuesday, August 11, 2020 9:51 AM
  • Do you observe this behavior (no log entries) on all machines that you use the cmdlet on, or just on one machine only?

    * If the cmdlet doesn't log no matter which machine you run it on, then probably that's just how it behaves. Make sure you're not missing a parameter or some setting that enables logging. If the cmdlet just doesn't have the behavior you want, then you will need to contact Microsoft and request that feature.

    * If the cmdlet doesn't log only on one machine, then there's some setting on the machine causing the behavior or something is broken. You will need to change the setting or fix the broken machine.

    We really can't assist either way. For the first case, we are not an official Microsoft support resource (this is a volunteer Q&A forum), and for the second case, 1) This is not a Windows Defender support forum and 2) we can't perform troubleshooting or break/fix from afar.

    -- Bill Stewart [Bill_Stewart]

    Tuesday, August 11, 2020 4:14 PM
  • Ok thanks.  It does it on all the systems I've tried (4 in all)

    Talking this through it was originally felt that there was some group policy that needed to be enabled in order to activate the logging of events, the only thing I found close to this was to turn on events for PowerShell itself - not what I'm after.

    Can anyone suggest another cmdlet to run that would, if run natively result in a event being generated.  That will determine whether its something specific with Windows Defender or a general PowerShell anomaly?

    Tuesday, August 11, 2020 5:17 PM
  • Can anyone suggest another cmdlet...

    You have access to the same resources we do (search engines, MSDN, etc.).

    -- Bill Stewart [Bill_Stewart]

    Tuesday, August 11, 2020 6:12 PM
  • A little hint.  I tried it and it does not log.  You can use the PS output to a file to get some loggin.

    I would report this as a bug as it is likely a mistake by the coders.


    Tuesday, August 11, 2020 6:27 PM
  • Right - it seems likely that the cmdlet just does not do what the OP expects. This is either by design or an oversight. (Unfortunately, wishful thinking does not cause features to spring into existence.) In either case there's nothing we can do about it from this forum.

    -- Bill Stewart [Bill_Stewart]

    Tuesday, August 11, 2020 6:31 PM