Query on Defender
Glenn Maxwell
Hi All,
I have the following folders under: C:\ProgramData\Microsoft\Windows Defender\Platform
4.18.25060.7-0
4.18.25070.5-0
I believe Microsoft Defender was uninstalled from this server previously. However, our security scanning tool is reporting vulnerabilities associated with files in these folders.
Are these folders simply leftover Defender platform files, and is it safe to delete the version folders under C:\ProgramData\Microsoft\Windows Defender\Platform?
PS C:\Windows\system32> Get-MpComputerStatus
Get-MpComputerStatus : Invalid class
-----------------------------
PS C:\Windows\system32> Get-Service WinDefend
Get-Service : Cannot find any service with service name 'WinDefend'.
-------------------------------
PS C:\Windows\system32> Get-CimInstance -Namespace root/Microsoft/Windows/Defender -ClassName MSFT_MpComputerStatus
Get-CimInstance : Invalid class
------------------------------------------
PS C:\Windows\system32> Get-Service WinDefend
Get-Service : Cannot find any service with service name 'WinDefend'.
-----------------------------
PS C:\Windows\system32> Get-Service Sense
Status Name DisplayName
------ ---- -----------
Stopped Sense Windows Defender Advanced Threat Pr...
-----------------------------
PS C:\Windows\system32> Get-WindowsFeature *Defender*
Display Name Name Install State
------------ ---- -------------
[ ] Microsoft Defender Antivirus Windows-Defender Available
-----------------------------
PS C:\Windows\system32> sc.exe query WinDefend
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.
-----------------------------
PS C:\Windows\system32> Get-CimInstance -Namespace root\Microsoft\Windows\Defender -ClassName MSFT_MpComputerStatus
Get-CimInstance : Invalid class
-----------------------------
PS C:\Windows\system32> Get-ChildItem "C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe"
-----------------------------
PS C:\Windows\system32> Get-WindowsFeature *Defender*
Display Name Name Install State
------------ ---- -------------
[ ] Microsoft Defender Antivirus Windows-Defender Available
-----------------------------
Get-ChildItem "C:\ProgramData\Microsoft\Windows Defender\Platform" -Recurse |Select-Object FullName
-----------------------------
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue
----------------------------------
Get-Item "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection" -ErrorAction SilentlyContinue
Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
Name Property
---- --------
Windows Advanced Threat Configuration : {110, 0, 117, 0...}
Protection
--------------------------------
PS C:\Windows\system32> Get-CimClass -Namespace root/Microsoft/Windows/Defender
NameSpace: ROOT/Microsoft/Windows/Defender
CimClassName CimClassMethods CimClassProperties
------------ --------------- ------------------
CIM_Indication {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}
CIM_ClassIndication {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}
CIM_ClassDeletion {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}
CIM_ClassCreation {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}
CIM_ClassModification {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}
CIM_InstIndication {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}
CIM_InstCreation {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}
CIM_InstModification {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}
CIM_InstDeletion {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}
__NotifyStatus {} {StatusCode}
__ExtendedStatus {} {StatusCode, Description, Operation, ParameterInfo...}
CIM_Error {} {CIMStatusCode, CIMStatusCodeDescription, ErrorSource, ErrorSourceFormat...}
MSFT_WmiError {} {CIMStatusCode, CIMStatusCodeDescription, ErrorSource, ErrorSourceFormat...}
MSFT_ExtendedStatus {} {CIMStatusCode, CIMStatusCodeDescription, ErrorSource, ErrorSourceFormat...}
__SecurityRelatedClass {} {}
__Trustee {} {Domain, Name, SID, SidLength...}
__NTLMUser9X {} {Authority, Flags, Mask, Name...}
__ACE {} {AccessMask, AceFlags, AceType, GuidInheritedObjectType...}
__SecurityDescriptor {} {ControlFlags, DACL, Group, Owner...}
__PARAMETERS {} {}
__SystemClass {} {}
__ProviderRegistration {} {provider}
__EventProviderRegistration {} {provider, EventQueryList}
__ObjectProviderRegistration {} {provider, InteractionType, QuerySupportLevels, SupportsBatching...}
__ClassProviderRegistration {} {provider, InteractionType, QuerySupportLevels, SupportsBatching...}
__InstanceProviderRegistration {} {provider, InteractionType, QuerySupportLevels, SupportsBatching...}
__MethodProviderRegistration {} {provider}
__PropertyProviderRegistration {} {provider, SupportsGet, SupportsPut}
__EventConsumerProviderRegistration {} {provider, ConsumerClassNames}
__thisNAMESPACE {} {SECURITY_DESCRIPTOR}
__NAMESPACE {} {Name}
__IndicationRelated {} {}
__FilterToConsumerBinding {} {Consumer, CreatorSID, DeliverSynchronously, DeliveryQoS...}
__EventConsumer {} {CreatorSID, MachineName, MaximumQueueSize}
__AggregateEvent {} {NumberOfEvents, Representative}
__TimerNextFiring {} {NextEvent64BitTime, TimerId}
__EventFilter {} {CreatorSID, EventAccess, EventNamespace, Name...}
__Event {} {SECURITY_DESCRIPTOR, TIME_CREATED}
__NamespaceOperationEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetNamespace}
__NamespaceModificationEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetNamespace, PreviousNamespace}
__NamespaceDeletionEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetNamespace}
__NamespaceCreationEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetNamespace}
__ClassOperationEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetClass}
__ClassDeletionEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetClass}
__ClassModificationEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetClass, PreviousClass}
__ClassCreationEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetClass}
__InstanceOperationEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetInstance}
__InstanceCreationEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetInstance}
__MethodInvocationEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetInstance, Method...}
__InstanceModificationEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetInstance, PreviousInstance}
__InstanceDeletionEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, TargetInstance}
__TimerEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, NumFirings, TimerId}
__ExtrinsicEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}
__SystemEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}
__EventDroppedEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, Event, IntendedConsumer}
__EventQueueOverflowEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, Event, IntendedConsumer...}
__QOSFailureEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, Event, IntendedConsumer...}
__ConsumerFailureEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED, Event, IntendedConsumer...}
__EventGenerator {} {}
__TimerInstruction {} {SkipIfPassed, TimerId}
__AbsoluteTimerInstruction {} {SkipIfPassed, TimerId, EventDateTime}
__IntervalTimerInstruction {} {SkipIfPassed, TimerId, IntervalBetweenEvents}
__Provider {} {Name}
__Win32Provider {} {Name, ClientLoadableCLSID, CLSID, Concurrency...}
__SystemSecurity {GetSD, GetSecuri... {}
BaseStatus {} {}
MSFT_MpBehavioralNetworkBlocking... {Remove} {BlockingAction, Direction, FilterGUID, IpAddress...}
MSFT_MpRollback {Start} {}
-----------------------------
Microsoft Security | Microsoft Defender | Other
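The checks run one at a time in the post can be gathered into a single read-only report, shown here as an added example that is not part of the original post. The function name `Get-DefenderResidueReport` and the output property names are hypothetical; the path, service names, feature name and WMI class are the ones shown in the post. It also records the file version of each binary left in the version folders and whether any running process was loaded from them, so the scanner's findings can be compared with what is actually on disk.

```powershell
# Added example: read-only; it changes and deletes nothing.
function Get-DefenderResidueReport {          # hypothetical name
    [CmdletBinding()]
    param(
        # Folder named in the post.
        [string]$PlatformRoot = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
    )

    # Service registration for the two services queried in the post.
    $services = foreach ($name in 'WinDefend', 'Sense') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name   = $name
            Status = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        }
    }

    # Feature state; Get-WindowsFeature is only present on Windows Server.
    $featureState = 'Unknown'
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $featureState = [string](Get-WindowsFeature -Name Windows-Defender).InstallState
    }

    # Is the status class that Get-MpComputerStatus relies on still registered?
    $statusClass = Get-CimClass -Namespace root/Microsoft/Windows/Defender `
        -ClassName MSFT_MpComputerStatus -ErrorAction SilentlyContinue

    # Executable files left in the version folders, with their file versions.
    $binaries = @()
    if (Test-Path -LiteralPath $PlatformRoot) {
        $binaries = @(Get-ChildItem -LiteralPath $PlatformRoot -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
            Select-Object FullName, LastWriteTime, @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } })
    }

    # Any running process whose image was loaded from under that folder.
    $running = @(Get-Process | Where-Object { $_.Path -like "$PlatformRoot\*" } |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        FeatureState      = $featureState
        Services          = $services
        StatusClassExists = [bool]$statusClass
        RunningFromFolder = $running
        LeftoverBinaries  = $binaries
    }
}

Get-DefenderResidueReport | Format-List
```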