Windows Defender bug may fill your hard drive with thousands of files
If you are using a device with Microsoft's Windows 10 operating system and Windows Defender as the default security solution, you may be impacted by a bug that is filling the hard drive with files.
Windows Defender puts thousands of files in the folder C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store if a device is affected by the issue. More than 10,800 items were placed in the folder on a test system running Windows 10 version 20H2. Other users reported over 950,000 files over the course of a 24 hour period and 30 Gigabytes of storage occupied by the files. Most files are small in size, between 1 and 2 Kilobytes.
The bug may affect certain operations, such as synchronization or backup tasks. Backups and syncs may take longer to complete, and may occupy more space. Storage devices may also be filled up quickly, depending on the severity of the experienced issue on a device.
Several Microsoft Answers threads exist in which Windows users and server administrators report the issue. It is affecting a wide variety of Windows versions, and not only Windows 10 according to these reports. Windows versions mentioned include Windows Server 2021 R2, Windows Server 2016 and 2019, and Windows 10.
Since it is a Windows Defender bug, it is likely that all Windows versions may be affected by the issue. In other words, it does not depend on the operating system but the Windows Defender version.
The affected engine version is 18100.5, the fixed engine version appears to be 18100.6. You can verify the version of Windows Defender on Windows 10 by opening Settings > Update & Security > Windows Security > Open Windows Security > Settings icon > About. Microsoft may release the fixed version this Thursday.
One workaround at the time of writing is to delete the files that are in the folder. Note that new files will be added to the folder by Windows Defender until the issue is fixed by an update. Some users reported that turning off realtime protections will also stop the production of the files.
Note that you need administrative rights to open the folder, and that some folders may be hidden by default.
To sum it up:
- Windows Defender has a bug that places lots of files into the folder C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store.
- Microsoft will release a fix soon for the issue.
- The files can be deleted.
Now You: Are you affected by the issue? (via Deskmodder)
LTSC 1809
https://i.imgur.com/rWWvQkP.png
So what are you trying to show us? Why have you blanked out the Defender engine version and other such info.? BTW LTSC has nothing to do with this.
I use a third-party solution, as surely do most users (free, or paid as in my case), so not an issue to be concerned about. Sucks for affected users till they get the updated engine of course, but thankfully it’s nothing too severe like a privilege escalation bug for example.
I followed the article and inspected it.
The “Scan Engine Version” does match.
The number of files in
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store
is only 30 items (each file is about 1 to 2 KB in size), which did not cause any problems.
Fortunately, my system doesn’t seem to be in trouble, but thanks to gHacks Tech News for the beneficial news.
Current Status:
Windows 10 (x64) Version 1909 (build 18363.1500)
Windows Defender Version 4.18.2103.7
Scan Engine Version 1.1.18100.5
Virus Definitions Version 5/5/2021 Rev 1.337.639.0
Last Disk Scan on Tuesday, May 4, 2021 10:12:37
Realtime File Scanning Off
However, the “Date modified” of the files are all recent (since 5/3). Just before that date, I performed a cleanup with “PrivaZer v4.0.22”, so it is highly possible that the files were deleted by the effect of that cleanup.
In fact, it is likely that an “Issue” has occurred on my system.
Once again, I decided to observe the location of the file, and sure enough, I saw that the “file” was being added every few minutes.
Definitely, there seems to be a bug problem with this “version”.
I decided to make it a routine work to finish with “PrivaZer” until the fixed version is applied and the problem is wiped out.
To clarify the situation with the “Issue”.
I’ve had been “realtime protections” turned off, but the file is still being generated every few minutes without regard to that.
Even when I go offline, the files continue to be generated without stopping.
I’ve decided to go offline and turn off Windows Defender while not using the web.
New Defender version is already available to all, so no big deal.
@Anonymous,
> New Defender version is already available to all, so no big deal.
No, it is not.
Sure, it has been updated to the new “Scan Engine Version 1.1.18100.6”, but it still adds a file “every one or three minutes”.
I don’t think it’s an improvement.
Current Status:
Windows Defender Version 4.18.2103.7
Scan Engine Version 1.1.18100.6
Virus Definitions Version 5/6/2021 Rev 1.339.85.0
Last Disk Scan on Wednesday, May 5, 2021 16:14:08
Realtime File Scanning Off
Windows Defender issue on server – lots of files being created | docs.microsoft.com
https://docs.microsoft.com/answers/users/3656163/tomdingshanghaiwicresoftcoltd-3099.html
Windows Defender Engineer replied that the new version (1.1.18100.6) will “resolve the Issue”, but the reality is different.
End users need to check one’s own system status, and if the issue is not resolved, we will have to take some workarounds.
Windows Defender issue on server – lots of files being created | docs.microsoft.com
https://docs.microsoft.com/en-us/answers/questions/376490/windows-defender-issue-on-server-lots-of-files-bei.html
> Sure, it has been updated to the new “Scan Engine Version 1.1.18100.6â€, but it still adds a file “every one or three minutesâ€.
Not here. If you’re still affected then try sending feedback to Microsoft. May or may not get through to them, especially if there aren’t many like you, but I can guarantee that solely by complaining here you will 100% never achieve anything.
Auto update already updated to 18100.6
Same here.
Oh that’s just great.Perhaps Microsoft can explain the hundreds of empty folders (Average 20 each day) in the folder C:\Windows\System32\config\systemprofile\AppData\Local. Hundreds of them and growing with names like tw-1670-10dc-7994a0.tmp. Files from Windows Defender bug were present and promptly deleted. Thanks Martin.
Probably file samples it covertly uploads to Microsoft? Has anyone looked at what the files contain?
https://www.bleepingcomputer.com/news/security/how-to-stop-windows-10-defender-from-uploading-files-to-microsoft/
Using Process Monitor I managed to find out that provtool.exe is responsible for this. It’s run from task scheduler, “\Microsoft\Windows\Management\Provisioning\Logon”
There’s not much in google about it
The problem doesn’t affect me, I guess because I don’t use WinDef. But I do have almost 2,700 (apparently all) empty folders like Falco mentioned. Apparently they were all created last year and this year. Can these things be safely deleted? Thanks.
Go ahead and delete them. Nothing will complain about deletion of empty folders.
Thanks, Anonymous. I started a topic about this on Windows Ten Forums (https://www.tenforums.com/general-support/178837-can-i-delete-nonsense.html). Although I haven’t gotten around to doing this yet, it seems safe to disable the ‘Logon’ process in Task Scheduler, and the files should no longer be created.
I did delete the folders and disable the ‘Logon’ task over the weekend, and nothing bad has happened. Also, of course, no folders were created when I restarted the machine. It makes sense that deleting stuff with nothing in it should not be a problem, but with computers anything (bad) is possible.
I have that version. I do not have the issue … only 3 files in the “store” folder.
Microsoft Windows [Version 10.0.19042.928] (20H2)
I’m sure there are other factors involved.
I just checked a machine running 20H2 with Defender as the default and 18100.5
Only 3 files totalling about 6mb.
So I’m curious as to what triggers the issue on other machines.
And irrespective of the lack of any apparent issues at my end many thanks for the heads-up Martin.
Module 1.1.18500.5 not change at this time to 1.1.18500.6 on wdsi portal
I don’t use Defender. It’s very slow, I try to block all things MS I don’t use and as much of their data scraping as possible. No Chredge allowed, either. Using Defender defeats a large amount of that by using it to filter web, email, app and program usage, kinda back to where I started.
Plus, it’s really slow.
I looked in the folder Ashwin noted and, a good thing, Defender hasn’t altered anything since the version upgrade to 20H2 in January when it was disabled.
Just turn it off and problem solved… anything like a antivirus, antimalware or antiwhatever is useless most of the time, filled always by false positives and deleting good files because they are “signed”.
Even Safe Browsing (which is controlled by Google) is annoying for people like me because it always cause problems with whatever Google wants to flag as “malicious” even if it is not and then people suffer and have to do a lot of stuff for their files to stop being flagged, a bunch of ‘bureaucracy’ that shouldn’t be needed any place and less on the internet only because some “big tech” think they own the internet.
So I turn all these annoyances off for myself and everyone else around me, well, not the safe browsing because I don’t expect them to download the files I download so it is whatever, at least it doesn’t run all the time and uses a bunch of disk and cpu like any antivirus/malware/whatever does.
I would rather spend my time teaching people not to open everything they see on the internet and the importance of firewalls and the whilelist mode and since there are good firewalls, where UI is not complicated where you have to jump through 30 windows to whitelist something and don’t have alerts (because most people would just click allow with them) like Tinywall and Fort Firewall (for now) then it would be easier for anyone to block and allow what they need and will use, or you can set it up and then adjust it if something comes up.
But balancing when and antiwhatever can be effective vs how much resources it uses and when it might be useful to have it on I rather just go to registry and remove it completely not even just turn the realtime stuff. Also when we think about how Browsers have integrated tracking protection/adblockers and with the safe browsing turned on (for others, not for me), it is less and less needed all this Windows Defender and others.
Also, most people I have seen infected, it was usually people who had a protection installed that didn’t do its job. Of course it loves to flag good files only because they are new or whatever, when I use Process Hacker which has Virustotal integration, you can see the many process some might display 5/46 or whatever, and then you understand how these software with their ineffective databases will cause more problems than what it is worth, while using tons of resources, especially when we talk about Windows Defender.
Of course, it is really bad when people think that using a 3rd party AV or whatever is a better choice and even pay for it. So, not my problem but I wish people would know better without sacrificing CPU and Disk usage for a protection they wouldn’t need 99% of the time.
Totally agree.
> So I turn all these annoyances off for myself and everyone else around me
Wow, such user hostile behavior! Not everyone is tech-savvy or even can be taught effectively to be safe on the web, not to mention even so-called ‘experts’ have fallen prey to ransomware and other malware, phishing scams etc. I am the de facto system admin for my entire family including aged parents, uncles, aunts and lots of other even non-related seniors around, and without automatic OS and software updates, firewalls, ad blockers and third-party anti-malware apps their systems turn into hotbeds of malware infestations in no time at all. Just can’t seem to stop them from clicking on random links and attachments in spam unfortunately, so I wouldn’t even dream of turning these so-called ‘annoyances’ off for them. Anyone who would do so on someone else’s PC without their explicit permission ought to be shot IMO, no joking.
Windows 10 is such garbage lol. I don’t have this issue. I’m using Windows 7 with ESU. Stress free and no bugs.
Windows 10 follows the GIGO principle. No wonder you find it to be garbage, since that’s what you’re feeding it!
@Falco, Been seeing that here for a long time. It’s annoying enough that I have a start up batch file that cleans up a bunch of stuff, including that folder, using this:
for /D %%f in (“C:\Windows\S32\config\systemprofile\AppData\Local\tw-*.tmp”) do rmdir /S /Q %%f
Windows Update (WU) failed with 0x80070643 trying to update Windows Defender (WD). Using the WD taskbar icon to update WD apparently worked, as Belarc Advisor (BA) showed for my home laptop:
Windows Defender Version 4.18.2103.7
Scan Engine Version 1.1.18100.6
Virus Definitions Version 2021-05-05 Rev 1.339.26.0
Last Disk Scan on Friday, 30 April, 2021 07:13:08
Realtime File Scanning On
However neither BA or WU History shows the associated KB.
Whoa! I’ve got 23772 files (38.6MB) in that folder. 1056 just from yesterday (May 4) with the first one timestamped 11:13pm and the last one of they day at 11:33pm. The previous day (May 3) shows 315 files, with the same timestamps, first at 11:13pm, last at 11:33pm.
Lots of activity in that 20 minute period.
Further check shows 9044 files on May 2, starting this time at 11:20am, running all afternoon and into the evening, finishing at 11:34pm.
The earliest file in that folder is from Nov. 2017.
Unbelievable!
I’ve always despised WIndows Defender because it always inspects and interferes with certain programs and scripts I use which I know to be safe and it is an absolute chore to disable all Defender background processes and services.
So I’ve ripped out Windows Defender entirely from a custom Windows 10 LTSB image I maintain. Reinstalling programs after a fresh install and downloading new programs has never been faster. Microsoft doesn’t offer a “I know what I’m doing get out of my way” edition of Windows so I made one myself. Final ISO size is less than 2.8 GB and RAM usage from a fresh install is around 700 MB. Way faster and leaner than the bloated nonsense Microsoft releases to the masses.
I like to have me one of those.Any chance?
Good idea ripping it out. I use this script to remove Defender, but it comes back after a new build or SFC scan. https://pastebin.com/031r7hdt
I use a tool called wimtweak by Legolash2o to remove Windows components. It can remove components from the current Windows installation and also from an install.wim image file.
Here’s an example cmd script that will remove components like Windows Defender, Skype, and OneDrive from an install.wim file in the same directory as wimtweak: https://pastebin.com/j9KVe2KE
I have heard that Windows versions after 1709 have limited users’ ability to fully remove certain components so your mileage may vary.
> Microsoft doesn’t offer a “I know what I’m doing get out of my way†edition of Windows
For obvious reasons. Most self proclaimed OS experts are dumb beyond belief, and when they break their own systems would immediately blame Microsoft. Matter of fact that’s exactly what happens even now, with morons blindly employing deleterious cleaners and tweakers and patchers and blockers and what not, then bitching about how MS devs cannot code. I’ve actually had a couple of customers so far shouting at me and refusing to pay for repairs after I pointed out that they themselves were responsible for ruining their Windows installations, only for the a-holes to STFU when I told them I had all the necessary proof and threatened to sue their asses into bankruptcy.
I don’t consider myself a Microsoft technician and certainly not an OS expert. I can barely wrap my head around creating and modifying bootloaders like BCD and GRUB and wouldn’t even think to touch the kernel. I’ve also never dealt with Active Directory, Azure, or managed an Exchange server, and yet I use Enterprise LTSB precisely because it has the fewest features. The fewer things that can go wrong the fewer things will go wrong.
I’m more of a set it and forget it kind of guy so over the years I’ve gotten a lot of experience reducing systems to a lean, stable state and then using ADK to capture the best image state possible and then using that on all my systems. My entire goal has always been to limit the influence of Microsoft on my workflow, such that 99% of all problems are application issues and not OS issues.
Over 20 years of using Microsoft systems not once have I ever blamed Microsoft for anything I did. When things go wrong I usually assume it’s because of something I did or a rogue application or even a hardware failure. The OS itself usually isn’t the culprit (when all the crap is removed).
> Over 20 years of using Microsoft systems not once have I ever blamed Microsoft for anything I did.
You might not have, but I’ll bet you anything others using such a theoretical “Expert Edition” of Windows will. Guaranteed.
Honestly, you at least sound like you know what you’re doing, beemeup5. My previous comment was of course directed at the vast majority of self proclaimed ‘experts’ out there. Based on long personal experience with such folks as part of my job, believe me, just using the OS for the last 2 decades or so doesn’t imbue them with quite the amount of expertise they love to boast about. Oh the funny stories I could tell! :D
windows server 2016 : C:\ProgramData\Microsoft\Windows Defender\Scans\History\
4 500 000 item 2H 30m deleting was nice
Very good information. Thank you very much Ghacks. I checked my folder. I only had two small files in there, which I deleted. Checked my Defender version and have the fixed one. Thanks again.
Updated from 1.1.18100.5 to 1.1.18100.6
Re-started and the file are still there! So I manually deleted 4538 files (21 MB) dated 5/5 – 6/5
Thanks for the tip!
I had the problematic version of Windows Defender on my Windows 10 Home 20H2 system. I found a couple/few thousand files in my “Store” folder and deleted them. Over the next half-day or so more files accumulated at a slowish rate (from 4 to maybe 30 per hour, depending on what I was doing).
After working on my computer for an hour or so this morning, I found my Store folder completely empty and discovered that Windows Defender had been updated. I normally keep my Windows Update and Windows Update Medic services disabled to control drive-by updates, and I hadn’t temporarily re-enabled them in this case. I’d previously noticed that Windows Defender definitions updates bypass the Update service, and I was gratified to see that its engine does as well. (If there’s anything you want to err on the side of up-to-dateness on, it’s anti-malware packages.)
BTW, I haven’t noticed that Windows Defender is any more burdensome than third-party anti-malware packages I’ve used, and it’s markedly *less* burdensome than some. Maybe I’m depriving myself of mind-blowing additional performance, but even though I practice reasonably safe computing, I don’t think I’d want to run Windows without protection. Linux, sure, but not Windows.
I disabled WD using Autoruns a long time ago and just use Malwarebytes Premium for security purposes these days.