New CMD does not work as designed
Closed this issue · 8 comments
First of all, thank you very much for addressing the removal of Defender log files.
After running your revised ClearDefenderHistory.cmd and restarting my machine, I found the history is still there.
I restarted my machine and reran ClearDefenderHistory.cmd.
This time, instead of restarting the machine, I used Autoruns (SysInternals) to check the registry entry created in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce". Autoruns reports "DWDH File not found: cmd".
I deleted the registry entry and changed line 13 of ClearDefenderHistory.cmd from "$valueData = "cmd /c rd /s /q ""$folder"""" to "$valueData = "cmd.exe /c rd /s /q ""$folder"""". This change did have some effect at least... I reran ClearDefenderHistory.cmd and now Autoruns reports "DWDH File not found: rd".
I did try to use "rmdir" instead of "rd" but the result was the same.
I appreciate if you can have a look at this and correct ClearDefenderHistory.cmd or let me know what I need to change on my machine to make ClearDefenderHistory.cmd work as designed.
BTW... I happened to have a copy of your ClearDefenderHistory.bat file on another machine. Using this, I was able to delete the history just fine.
Thank you very much - Peter
Normally C:\Windows\system32 is the first item on the search path, so specifying "cmd" is typically just as reliable as "cmd.exe". I suspect a Path issue on your computer. What happens when you run Cmd via the Run box (i.e. ⊞-R cmd)? Does a Cmd window open? If so, what do you see when you type Path? Is C:\Windows\system32 first on the path?
It's also interesting that the original script still works for you. The test that I always run is to go to the m2team website and click the download link for NSudo. That always causes a "Virus detected" (it's a false positive). Previously, the original script would clear that right out. After a recent update to Defender, I had to change to the remove-on-reboot method. The current script creates a RunOnce registry entry. That method does not work for a Standard user, but I'm assuming you are an administrator.
You can also try my Right-Click Tools package. It includes an option to clear Defender history that works for both Standard and Administrator users. It uses an OnStart task to clear the history.
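The "File not found: cmd" report from Autoruns comes from Autoruns trying to resolve the first token of the RunOnce command line to an image on disk. The following PowerShell script is an added diagnostic example, not part of this issue thread or of the ClearDefenderHistory script: it lists the RunOnce entries under HKLM and HKCU, extracts the image name from each command line, and resolves it against the current PATH the way Autoruns (approximately) does, so that a PATH problem like the one suspected above shows up as "NOT FOUND". The function names and the PATH-only resolution are assumptions of this example; the real loader also checks the application and system directories before PATH.

```powershell
# Added example (not the project's code): inspect RunOnce entries and check
# whether the command's image resolves to an executable on disk.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandImage {
    param([string]$CommandLine)
    # Quoted image path, e.g.  "C:\Windows\System32\cmd.exe" /c ...
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted image, e.g.  cmd /c rd /s /q "..."  -> first whitespace token
    return ($CommandLine -split '\s+', 2)[0]
}

function Resolve-Image {
    param([string]$Image)
    # Rooted path: check it directly.
    if ([System.IO.Path]::IsPathRooted($Image)) {
        if (Test-Path -LiteralPath $Image) { return $Image }
        return $null
    }
    # Relative name: search each PATH directory (approximation of the loader's
    # search order), trying "name" and "name.exe" when no extension was given.
    $candidates = @($Image)
    if (-not [System.IO.Path]::HasExtension($Image)) { $candidates += "$Image.exe" }
    foreach ($dir in ($env:Path -split ';' | Where-Object { $_ })) {
        foreach ($c in $candidates) {
            $full = Join-Path $dir $c
            if (Test-Path -LiteralPath $full) { return $full }
        }
    }
    return $null
}

foreach ($key in $runOnceKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd      = $item.GetValue($name)
        $image    = Get-CommandImage $cmd
        $resolved = Resolve-Image $image
        [pscustomobject]@{
            Key      = $key
            Name     = $name
            Command  = $cmd
            Image    = $image
            Resolved = if ($resolved) { $resolved } else { 'NOT FOUND on PATH' }
        }
    }
}
```

Run it from the same account that created the entry, right after the script has written the RunOnce value and before rebooting. If the `cmd` token resolves here but Autoruns still reports it missing, the difference lies in the environment Autoruns was started with (for example an elevated versus non-elevated PATH), which is the next thing to compare.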
> Normally C:\Windows\system32 is the first item on the search path, so specifying "cmd" is typically just as reliable as "cmd.exe". I suspect a Path issue on your computer. What happens when you run Cmd via the Run box (i.e. ⊞-R cmd)? Does a Cmd window open? If so, what do you see when you type Path? Is C:\Windows\system32 first on the path?
> ...
Thanks for your suggestions. Here is what I did:
- I started a command window from the Run box. I double-checked the path and it does indeed start with "PATH=C:\WINDOWS\System32;C:\WIND...".
- Next, I started an Administrator command prompt. I double-checked the path is identical.
Correct, I ran ClearDefenderHistory.cmd with administrative privileges. Hence, I could use Autoruns to examine the registry entry. I use the EICAR test files (https://www.eicar.org/) to test my malware defenses. It is good to have an additional source.
I believe your PATH suspicion may be correct but I am unable to point the finger on it just yet. And it is too early to ask ChatGPT ;-)
I tested again with an "infection" using the eicar zip files. Again, it worked flawlessly for me. This is what shows in AutoRuns (or AutoRuns64) after I run ClearDefenderHistory.cmd (and before I press y to reboot):
I have no idea why AutoRuns shows the same item twice, but otherwise it all looks normal. The "file not found" error you see is a head scratcher.
I also tested the older ClearDefenderHistory.bat with the eicar files and it was not able to clear the Protection history on my computer.
Are you running any other security software in addition to Windows Defender?
After applying the latest Windows updates and restarting my machine several times, I could successfully execute ClearDefenderHistory.cmd.
I then "infected" my machine (again) using the EICAR files. This shows up in the protection history. ClearDefenderHistory.cmd did not remove this entry. Also, Windows Defender created an event with the ID 1116 (Event 1116 - Microsoft Defender Antivirus has detected malware or other potentially unwanted software).
While reviewing the event log, I found an event 1013 created on 2024-04-19 (Event 1013 - Microsoft Defender Antivirus has removed history of malware and other potentially unwanted software). It may not have been ClearDefenderHistory.bat as I reported before.
I will check in 15 days (my default ScanPurgeItemsAfterDelay setting) to see if the protection history comes up empty and not spend more time on trying to manually clean it.
Again, thanks a lot for your script! It provided interesting insights. Could you please close the issue?
Just one thing to clarify. You said "I ran ClearDefenderHistory.cmd with administrative privileges", but since it self-elevates, you can just double-click it and it will put up a UAC prompt. However, regardless of how you launch it, if your Windows account is a Standard user, the RunOnce entry will be created, but it will fail to clear the Protection history. So, I just wanted to confirm that your Windows account is not a Standard user.
I just posted a new version that creates a temporary scheduled task instead of a RunOnce registry entry. It has been confirmed to work for another user that was not having success with the previous version. Please give it a try and let me know. Thanks.
My protection history came up empty today as per the ScanPurgeItemsAfterDelay I mentioned above.
So, I "infected" my machine and ran the new version of the command. This one works as designed.
The history was clean after I restarted my machine.
Thank you very much for the update!