Files, with GUID filenames, under:
<SYSTEMDRIVE>:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\


Windows Defender stores information on past detections, from its real-time and cloud-delivered protection components, in DetectionHistory file(s). Part of the information contained in the DetectionHistory files is displayed to end-users in the Windows Defender “Current threats” and “Protection history” interfaces (Windows Security -> Virus & threat protection -> Current threats -> Protection history).

Information of interest

The DetectionHistory file(s) are located in subdirectories under <SYSTEMDRIVE>:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\, with a GUID filename. The files follow a specific, partially non-human readable format, detailed in the DetectionHistory Parser README.

For each threat detected, the following notable information is available:

  • The file path of the file that triggered the detection.

  • The threat name (such as Backdoor:JS/Chopper.VH!MSR or Trojan:PowerShell/ReverseShell.SA).

  • The process and domain and username of the user associated with the detection.

  • The size, md5, sha1, and sha256 hashes of the file that triggered the detection.

  • For Potentially Unwanted Applications (PUA) detections, the associated Uninstall registry key associated with the application.

  • Various metadata on the detection:

    • The detection ThreatID, that can be used to correlate the DetectionHistory entry with Windows Defender ETW events and Support log files.

    • Internal Windows Defender data about the signature that triggered the detection.


The DetectionHistory Parser tool (KAPE DHParser module) can be used to parse DetectionHistory file(s) into JSON.

# Parses the specified file (and outputs the JSON result in the output directory).
dhparser.exe -f <DH_FILE> -o <OUTPUT_FOLDER>

# Recursively process the specified folder and parses the DH file(s) found.
dhparser.exe -rgf <DH_FOLDER> -o <OUTPUT_FOLDER>


View on GitHub