Comparison CM Settings Registries and Event Viewer Execution?

Duchemin, Dominique 2,006 Reputation points
2023-05-16T21:09:01.36+00:00

Hello,

How to compare the settings found in the registry:

HKLM > SOFTWARE > Policies > Microsoft > Microsoft Antimalware > Scan

DWORD: ScheduleDay

Value: from 0 to 7

to the Event Viewer Event(s) 1000 & 1001 found in:

Applications and Services Logg > Microsoft > Windows > Windows Defender > Operational

Event ID 1000

Microsoft Defender Antivirus scan has started.

Log Name:      Microsoft-Windows-Windows Defender/Operational
Source:        Microsoft-Windows-Windows Defender
Date:          5/14/2023 2:00:36 AM
Event ID:      1000
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      VIPPARATA1.ad
Description:
Microsoft Defender Antivirus scan has started.
 	Scan ID: {2577AD54-2E6E-4B29-A95A-F26FE09A634F}
 	Scan Type: Antimalware
 	Scan Parameters: Full Scan
 	Scan Resources: 
 	User: NT AUTHORITY\SYSTEM
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" />
    <EventID>1000</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-05-14T09:00:36.591656400Z" />
    <EventRecordID>10432</EventRecordID>
    <Correlation />
    <Execution ProcessID="2428" ThreadID="2396" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>VIPPARATA1.ad</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Product Name">Microsoft Defender Antivirus</Data>
    <Data Name="Product Version">4.18.2304.8</Data>
    <Data Name="Scan ID">{2577AD54-2E6E-4B29-A95A-F26FE09A634F}</Data>
    <Data Name="Scan Type Index">2</Data>
    <Data Name="Scan Type">Antimalware</Data>
    <Data Name="Scan Parameters Index">2</Data>
    <Data Name="Scan Parameters">Full Scan</Data>
    <Data Name="Domain">NT AUTHORITY</Data>
    <Data Name="User">SYSTEM</Data>
    <Data Name="SID">S-1-5-18</Data>
    <Data Name="Scan Resources">
    </Data>
  </EventData>
</Event>

Event ID 1001

Microsoft Defender Antivirus scan has finished.

Log Name:      Microsoft-Windows-Windows Defender/Operational
Source:        Microsoft-Windows-Windows Defender
Date:          5/14/2023 1:54:12 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      VIPPARATA1.ad
Description:
Microsoft Defender Antivirus scan has finished.
 	Scan ID: {2577AD54-2E6E-4B29-A95A-F26FE09A634F}
 	Scan Type: Antimalware
 	Scan Parameters: Full Scan
 	User: NT AUTHORITY\SYSTEM
 	Scan Time: 11:53:36
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" />
    <EventID>1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-05-14T20:54:12.982486900Z" />
    <EventRecordID>10445</EventRecordID>
    <Correlation ActivityID="{DF404DFD-B9A3-4817-B35C-7FFC0C1820C3}" />
    <Execution ProcessID="2428" ThreadID="2396" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>VIPPARATA1.ad</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Product Name">Microsoft Defender Antivirus</Data>
    <Data Name="Product Version">4.18.2304.8</Data>
    <Data Name="Scan ID">{2577AD54-2E6E-4B29-A95A-F26FE09A634F}</Data>
    <Data Name="Scan Type Index">2</Data>
    <Data Name="Scan Type">Antimalware</Data>
    <Data Name="Scan Parameters Index">2</Data>
    <Data Name="Scan Parameters">Full Scan</Data>
    <Data Name="Domain">NT AUTHORITY</Data>
    <Data Name="User">SYSTEM</Data>
    <Data Name="SID">S-1-5-18</Data>
    <Data Name="Scan Time Hours">11</Data>
    <Data Name="Scan Time Minutes">53</Data>
    <Data Name="Scan Time Seconds">36</Data>
  </EventData>
</Event>

Thanks,

Dom

Microsoft Configuration Manager
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. XinGuo-MSFT 15,476 Reputation points
    2023-05-17T07:26:30.7966667+00:00

    Hi,

    ScheduleDay specifies the day of the week that Microsoft Defender runs a scheduled full scan to complete remediation. The full scan can also be configured to run every day or to never run at all.

    0 Run a scheduled full scan every day.
    1 Run a scheduled full scan Sunday.
    2 Run a scheduled full scan Monday.
    3 Run a scheduled full scan Tuesday.
    4 Run a scheduled full scan Wednesday.
    5 Run a scheduled full scan Thursday.
    6 Run a scheduled full scan Friday.
    7 Run a scheduled full scan Saturday.
    8 Never run a scheduled full scan. This is the default value.
    0 comments No comments

  2. Duchemin, Dominique 2,006 Reputation points
    2023-05-17T17:51:32.99+00:00

    Hello

    I would like to compare the settings in the registry to the execution time.

    I noticed several servers are not starting their "Full Scan" at the day/time set.

    Thanks,

    Dom

    0 comments No comments

  3. XinGuo-MSFT 15,476 Reputation points
    2023-05-19T08:33:23.83+00:00

    Hi,

    If you selected "Start a scheduled scan only when the computer is idle", the scheduled scans will only run when the computer is on but not in use.

    MicrosoftTeams-image (1)

    You can also view the schedule of Microsoft Defender Antivirus trigger time and frequency.

    Task Scheduler Library > Microsoft > Windows>Windows Defender>Windows Defender Scheduled Scan

    Schedule a scan in Microsoft Defender Antivirus

    https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d

    More info:

    Turn on catch-up full scan

    0 comments No comments

  4. Duchemin, Dominique 2,006 Reputation points
    2023-05-19T23:05:01.7733333+00:00

    Hello,

    "Start a scheduled scan only when the computer is idle" is set to "No" I verified the Antimalware policy.

    I need a tool to compare the settings and registries (for the expected) to the event viewer (for the executed).

    Thanks,
    Dom

    0 comments No comments