When troubleshooting malware scans on encrypted drives, it's crucial to know that Windows Defender Offline (WDO) operates differently from regular scans. The scanning engine loads before Windows boots, which affects log persistence.
For standard Windows Defender scans (not offline mode):
C:\ProgramData\Microsoft\Windows Defender\Support
C:\Windows\WindowsUpdate.log
Event Viewer: Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
BitLocker encryption adds complexity because:
- WDO creates temporary decrypted sectors during scan
- Logs are typically purged after scan completion unless malware is found
- TPM measurements might affect log accessibility
Try this PowerShell command to enable verbose logging:
Set-MpPreference -EnableControlledFolderAccess AuditMode -Force
# Start-MpWDOScan takes no scan-option or timeout parameters; it reboots the machine into the offline environment
Start-MpWDOScan
When direct logs aren't available:
# Check last scan time:
Get-MpComputerStatus | select LastFullScanTime
# Check quarantine:
Get-MpThreatDetection | Where-Object {$_.InitialDetectionTime -gt (Get-Date).AddDays(-1)}
Scan metadata persists in the registry:
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Scan" /v LastScanRun
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Offline" /v LastRunTime
For persistent monitoring, implement this scheduled task:
# The output folder must exist before Export-Csv runs, and the outer quotes must be single so the nested double quotes and $(Get-Date) survive until the task runs
New-Item -ItemType Directory -Force -Path C:\DefenderLogs | Out-Null
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument '-NoProfile -Command "Get-MpThreatDetection | Export-Csv -Path C:\DefenderLogs\scan_$(Get-Date -Format ''yyyyMMdd'').csv -NoTypeInformation"'
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
Register-ScheduledTask -TaskName "DefenderLogCollector" -Action $action -Trigger $trigger -RunLevel Highest
Windows Defender Offline (WDO) scan operates differently from regular scans. When you initiate an offline scan, Windows boots into a special environment to inspect your system before malware loads. This process creates unique logging behavior that many users find confusing.
For Windows 10 systems, WDO scan results are typically stored in:
C:\Windows\Windows Defender\Support\MPLog-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
However, these logs are often overwritten or may not contain the detailed information you expect from an offline scan.
A more reliable method is to check the Windows Event Logs:
1. Open Event Viewer (eventvwr.msc)
2. Navigate to:
Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
3. Look for Event ID 1116 (scan started) and 1117 (scan completed)
When dealing with BitLocker-encrypted drives:
- Offline scans decrypt the drive temporarily during scanning
- Logs may be written to a temporary location first
- Use PowerShell to check recent scan history:
Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-7) }
For comprehensive reporting, use this PowerShell command:
Get-MpThreatDetection | Export-Csv -Path "C:\DefenderScans\LastScanReport.csv" -NoTypeInformation
This generates a CSV file with all threat detection events, including offline scans.
If you're not seeing any logs after an offline scan:
- Verify the scan actually completed (check event IDs mentioned above)
- Run this command to force log generation:
# Start-MpWDOScan accepts no scan-parameter or remediation switches; the machine reboots into the offline environment and any results land in the Operational log after it returns
Start-MpWDOScan
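As an added example that is not part of either answer above, the following PowerShell function gathers the scan evidence both answers point at (Operational log events, Get-MpComputerStatus timestamps, recent Get-MpThreatDetection entries) from one host and writes it to CSV. It assumes the Defender PowerShell module and an elevated session; the output folder is a placeholder, and the event IDs are taken from Microsoft's Defender Antivirus event reference.

```powershell
# Added example, not code from the original posts.
function Get-DefenderScanEvidence {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        [string]$OutDir = 'C:\DefenderLogs'   # placeholder path, change as needed
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

    # Microsoft's documented Defender Antivirus event IDs:
    # 1000 scan started, 1001 scan finished, 1002 scan stopped,
    # 1116 malware detected, 1117 action taken on detected malware.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1000, 1001, 1002, 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    # A 1000 without a later 1001/1002 is the signature of a scan that
    # started but never reported completion (the "no logs" symptom).
    $starts   = @($events | Where-Object Id -eq 1000)
    $finishes = @($events | Where-Object { $_.Id -in 1001, 1002 })

    $status = Get-MpComputerStatus |
        Select-Object LastFullScanTime, LastQuickScanTime, AntivirusSignatureLastUpdated

    $detections = @(Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-$Days) })

    $stamp = Get-Date -Format 'yyyyMMdd'
    if ($events) {
        $events | Export-Csv -Path (Join-Path $OutDir "events_$stamp.csv") -NoTypeInformation
    }
    if ($detections.Count -gt 0) {
        $detections | Export-Csv -Path (Join-Path $OutDir "detections_$stamp.csv") -NoTypeInformation
    }

    # Summary object for quick inspection or for feeding a monitoring job
    [pscustomobject]@{
        ScansStarted  = $starts.Count
        ScansFinished = $finishes.Count
        Detections    = $detections.Count
        LastFullScan  = $status.LastFullScanTime
        LastQuickScan = $status.LastQuickScanTime
        SignaturesAt  = $status.AntivirusSignatureLastUpdated
    }
}

Get-DefenderScanEvidence -Days 7
```

Run it after the machine has returned from the offline scan; the Operational log is only written once Windows is back up, so an empty events CSV right after the reboot is expected rather than a sign of failure.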