Windows Defender Logs
Windows Defender's detection history and its Operational event log record every threat the engine detected on the system. The data is valuable for reconstructing an attack because each detection carries the file path or other resource, the threat name, the detection timestamp and the action taken, and in most cases the process and user account involved. Even where the intrusion ended with Defender being disabled, the log normally still holds the events leading up to that point, including the configuration change or the moment real-time protection was switched off, so the timestamp of the tampering itself survives.
Imagine a security guard at a bank who keeps a logbook of every suspicious person they spot, what they were wearing and exactly what time they walked in. Windows Defender is that security guard. Every time it sees a suspicious file or process, it writes the threat's name, where it was hiding and what time it appeared into a logbook. Even if the attacker knocks out the guard later, everything written before that moment is still in the book, unless the attacker also takes the trouble to destroy it.
General
Windows Defender stores its operational data in two main locations. The detection history is written as structured binary files under %ProgramData%\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\, one file per detection inside numbered subdirectories; these files have no documented format and need specialised tooling to parse. The second source is the Microsoft-Windows-Windows Defender/Operational event log (stored as %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx), which records detections and remediation in standard EVTX format: Event ID 1116 for a detection, 1117 for an action taken, 1118 for an action that failed, 1119 for a critical error during remediation, and 1121 for an Attack Surface Reduction rule firing in block mode. Configuration changes land in the 5000-series events, notably 5001 (real-time protection disabled) and 5007 (configuration changed). Together these sources give a near-complete record of every malware interaction on the host, subject to the usual caveats: the Operational log rolls over at its configured size and can be cleared by an attacker with administrative rights, so corroborate it against the detection history files and other artefacts.
Traces
Parsing Defender's detection history and operational logs yields the following key data points:
- Threat Name: The specific malware family classification, such as Trojan:Win32/Meterpreter.
- Detection Timestamp: The exact UTC time the threat was identified by the scanner.
- Affected Resource Path: The full file path, process name or registry key where the threat was detected.
- Action Taken: Whether Defender quarantined, removed or allowed the threat, or attempted an action that failed (Event ID 1118 records the failure and its error description).
- User Context: The account (the Detection User field) under which the detected resource was accessed, together with the process name that touched it.
- and more.
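The trace fields listed above can be pulled directly from the Operational log with Get-WinEvent. The following is an added example, not code from the original page: it renders each event as XML and indexes the EventData fields by name (the names Defender writes for 1116/1117/1118, such as Threat Name, Path, Process Name, Detection User and Action Name, and Old Value/New Value for 5007), then sorts the result into a timeline. It assumes a live Windows host, or an exported .evtx passed through the -Path parameter; the function name Get-DefenderTimeline is this example's own.

```powershell
# Added example (not from the original page): build a detection and tampering
# timeline from the Defender Operational log. Works against the live log or an
# exported .evtx. Field access is by EventData name rather than position because
# the positional layout differs between Defender platform versions.
function Get-DefenderTimeline {
    param(
        [string]$Path   # optional exported Microsoft-Windows-Windows Defender%4Operational.evtx
    )
    $ids = 1116, 1117, 1118, 1119, 5001, 5007
    $filter = if ($Path) { @{ Path = $Path; Id = $ids } }
              else       { @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = $ids } }

    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            TimeUtc  = $e.TimeCreated.ToUniversalTime()
            Id       = $e.Id
            Threat   = $d['Threat Name']
            Severity = $d['Severity Name']
            Resource = $d['Path']            # e.g. file:_C:\Users\...\x.exe or process:_pid:1234,...
            Process  = $d['Process Name']    # process that touched the resource
            User     = $d['Detection User']
            Action   = $d['Action Name']     # 1117: action taken; 1118: the action that failed
            Error    = $d['Error Description']
            OldValue = $d['Old Value']       # 5007 only
            NewValue = $d['New Value']       # 5007 only, e.g. a newly added exclusion path
        }
    }
}

$timeline = Get-DefenderTimeline | Sort-Object TimeUtc

# Earliest detection on the host: the starting point for the compromise timeline.
$timeline | Where-Object Id -eq 1116 |
    Select-Object -Property TimeUtc, Threat, Resource, Process, User -First 1

# Tampering: real-time protection disabled (5001) and configuration changes (5007),
# typically exclusions added shortly before the real payload is dropped.
$timeline | Where-Object { $_.Id -in 5001, 5007 } |
    Format-Table TimeUtc, Id, OldValue, NewValue -AutoSize

# Full detection/remediation timeline.
$timeline | Format-Table TimeUtc, Id, Threat, Action, Resource -AutoSize
```

Run it elevated on the host, or point -Path at a log copied out of %SystemRoot%\System32\winevt\Logs\. A 1116 without a matching 1117 for the same resource, or a 1118 with an error description, is the pattern to look for when remediation was blocked; a 5007 whose NewValue names an exclusion path immediately before the first detection is the typical pre-payload tampering step.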
Forensic Use Cases
We mine Defender artifacts to reconstruct the malware lifecycle and identify attacker evasion attempts:
- Initial Compromise Timeline: Using the first detection timestamp as the earliest confirmed point at which malware was present on the system. Note that this is when Defender recognised the file, which can lag the actual drop if the sample was only detected after a signature update or on a later scheduled scan.
- Attacker Tool Identification: Matching Defender's threat names to known red team frameworks or commodity RATs used in the attack.
- Defender Tampering Detection: Identifying Event ID 5001, which records that real-time protection was disabled, and Event ID 5007, which records configuration changes such as newly added path or process exclusions. Neither event names the actor, so correlate the timestamp with process creation, PowerShell or registry evidence to attribute the change to an attacker rather than an administrator.
- Quarantine Analysis: Recovering quarantined samples for deeper reverse engineering. Quarantined files are stored encrypted under %ProgramData%\Microsoft\Windows Defender\Quarantine\ and can be restored on the host with MpCmdRun.exe -Restore, or decrypted offline from a disk image with third-party tooling.
- and more.
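The quarantine use case above in practice, as an added example that is not part of the original page: it lists Defender's own detection records with Get-MpThreatDetection, maps the numeric ThreatID back to the threat name with Get-MpThreat, then restores one sample out of the quarantine store into an analysis folder with MpCmdRun.exe. It assumes an elevated PowerShell session on the host being examined; the destination folder C:\Analysis\Quarantine and the MpCmdRun.exe location under %ProgramFiles%\Windows Defender are assumptions for this example.

```powershell
# Added example (not from the original page): enumerate quarantined detections and
# restore one sample into an isolated analysis folder. Requires an elevated session.
$dest = 'C:\Analysis\Quarantine'   # assumed analysis folder for this example
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Defender's record of each detection: when it was first seen, which process and user
# were involved and which resources (file:_..., process:_..., regkey:_...) were affected.
$detections = Get-MpThreatDetection | Sort-Object InitialDetectionTime
$detections |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, DomainUser, Resources |
    Format-Table -AutoSize

# ThreatID is numeric; Get-MpThreat carries the human-readable family name for it.
$names = @{}
foreach ($t in Get-MpThreat) { $names[$t.ThreatID] = $t.ThreatName }

# MpCmdRun.exe is the supported way to pull a file back out of the encrypted store.
# Assumed location; on recent builds the same binary also lives under
# %ProgramData%\Microsoft\Windows Defender\Platform\<version>\.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# What is restorable right now.
& $mpcmd -Restore -ListAll

# Restore the earliest detection by threat name into $dest rather than its original path.
$first      = $detections | Select-Object -First 1
$threatName = $names[$first.ThreatID]
Write-Host "Restoring '$threatName' (ThreatID $($first.ThreatID)) to $dest"
& $mpcmd -Restore -Name $threatName -Path $dest
```

Two caveats: the restored file is live malware, so $dest should be on an isolated analysis system or at least a location you never execute from; and unless $dest is excluded from real-time protection, Defender will simply detect and re-quarantine the sample the moment it lands, so the restore and the hand-off to your analysis pipeline need to happen in the same step.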