<SYSTEMDRIVE>:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\
Overview

Windows Defender stores information on past detections, from its real-time and cloud-delivered protection components, in DetectionHistory file(s). Part of the information contained in the DetectionHistory files is displayed to end-users in the Windows Defender "Current threats" and "Protection history" interfaces (Windows Security -> Virus & threat protection -> Current threats -> Protection history).
Information of interest

The DetectionHistory file(s) are located in subdirectories under <SYSTEMDRIVE>:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\, with a GUID filename. The files follow a specific, partially non-human-readable format, detailed in the DetectionHistory Parser README.

For each threat detected, the following notable information is available:

- The file path of the file that triggered the detection.
- The threat name (such as Backdoor:JS/Chopper.VH!MSR or Trojan:PowerShell/ReverseShell.SA).
- The process, domain and username of the user associated with the detection.
- The size and the md5, sha1 and sha256 hashes of the file that triggered the detection.
- For Potentially Unwanted Applications (PUA) detections, the Uninstall registry key associated with the application.
- Various metadata on the detection:
  - The detection ThreatID, which can be used to correlate the DetectionHistory entry with Windows Defender ETW events and Support log files.
  - Internal Windows Defender data about the signature that triggered the detection.
Tool(s)

The DetectionHistory Parser tool (KAPE DHParser module) can be used to parse DetectionHistory file(s) into JSON.

# Parses the specified file (and outputs the JSON result in the output directory).
dhparser.exe -f <DH_FILE> -o <OUTPUT_FOLDER>
# Recursively processes the specified folder and parses the DH file(s) found.
dhparser.exe -rgf <DH_FOLDER> -o <OUTPUT_FOLDER>
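The two triage steps described above (locating the GUID-named files under the DetectionHistory tree, then using ThreatID to correlate a parsed entry with Windows Defender ETW events), as an added example that is not code from the page or from DHParser. The record fields (ThreatID, ThreatName, Path, SHA256, Timestamp, EventID) are an assumed, simplified schema rather than DHParser's real JSON layout, and all sample values are constructed.

```python
import re
from pathlib import PureWindowsPath

# Added example, not code from the page or from DHParser. The record layout
# used below (ThreatID, ThreatName, Path, SHA256, Timestamp, EventID) is an
# assumed simplified schema, not DHParser's real JSON output.

# Path below <SYSTEMDRIVE> where the GUID-named DetectionHistory files live.
DH_SUBPATH = ("programdata", "microsoft", "windows defender", "scans",
              "history", "service", "detectionhistory")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def is_detection_history_file(path: str) -> bool:
    """True when path is a GUID-named file below the DetectionHistory tree
    (any system drive, any depth of subdirectory)."""
    parts = PureWindowsPath(path).parts
    if len(parts) < len(DH_SUBPATH) + 2:       # drive + subpath + file name
        return False
    below_root = tuple(p.lower() for p in parts[1:1 + len(DH_SUBPATH)])
    return below_root == DH_SUBPATH and GUID_RE.match(parts[-1]) is not None


def correlate_by_threat_id(detections, etw_events):
    """Join parsed DetectionHistory entries with Defender ETW events on ThreatID.
    Returns (matched, orphans): matched maps ThreatID -> {"detection", "events"}
    with events in time order; orphans are events with no DetectionHistory entry."""
    matched = {d["ThreatID"]: {"detection": d, "events": []} for d in detections}
    orphans = []
    for ev in sorted(etw_events, key=lambda e: e["Timestamp"]):
        bucket = matched.get(ev["ThreatID"])
        (bucket["events"] if bucket is not None else orphans).append(ev)
    return matched, orphans


# Constructed sample records (ThreatID values, paths and hashes are made up).
SAMPLE_DETECTIONS = [
    {"ThreatID": 2147735503, "ThreatName": "Backdoor:JS/Chopper.VH!MSR",
     "Path": r"C:\inetpub\wwwroot\images\cmd.aspx", "SHA256": "aa" * 32},
    {"ThreatID": 2147812345, "ThreatName": "Trojan:PowerShell/ReverseShell.SA",
     "Path": r"C:\Users\Public\update.ps1", "SHA256": "bb" * 32},
]
SAMPLE_ETW = [  # constructed; EventID 1116 = detection, 1117 = action taken
    {"Timestamp": "2024-03-01T10:02:10Z", "EventID": 1117, "ThreatID": 2147735503},
    {"Timestamp": "2024-03-01T10:02:09Z", "EventID": 1116, "ThreatID": 2147735503},
    {"Timestamp": "2024-03-01T11:15:00Z", "EventID": 1116, "ThreatID": 2147999999},
]

if __name__ == "__main__":
    matched, orphans = correlate_by_threat_id(SAMPLE_DETECTIONS, SAMPLE_ETW)
    for tid, rec in matched.items():
        ids = [e["EventID"] for e in rec["events"]]
        print(tid, rec["detection"]["ThreatName"], rec["detection"]["Path"], ids)
    print("ETW events with no DetectionHistory entry:", len(orphans))
```

An ETW event whose ThreatID has no DetectionHistory entry (the orphan bucket) is worth a second look, since it may point at a DetectionHistory file that was deleted or not collected.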