Comparison CM Settings Registries and Event Viewer Execution?

Duchemin, Dominique 2,006 Reputation points
2023-05-16T21:09:01.36+00:00

Hello,

How to compare the settings found in the registry:

HKLM > SOFTWARE > Policies > Microsoft > Microsoft Antimalware > Scan

DWORD: ScheduleDay

Value: from 0 to 7

to the Event Viewer Event(s) 1000 & 1001 found in:

Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

Event ID 1000

Microsoft Defender Antivirus scan has started.

Log Name:      Microsoft-Windows-Windows Defender/Operational
Source:        Microsoft-Windows-Windows Defender
Date:          5/14/2023 2:00:36 AM
Event ID:      1000
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      VIPPARATA1.ad
Description:
Microsoft Defender Antivirus scan has started.
 	Scan ID: {2577AD54-2E6E-4B29-A95A-F26FE09A634F}
 	Scan Type: Antimalware
 	Scan Parameters: Full Scan
 	Scan Resources: 
 	User: NT AUTHORITY\SYSTEM
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" />
    <EventID>1000</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-05-14T09:00:36.591656400Z" />
    <EventRecordID>10432</EventRecordID>
    <Correlation />
    <Execution ProcessID="2428" ThreadID="2396" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>VIPPARATA1.ad</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Product Name">Microsoft Defender Antivirus</Data>
    <Data Name="Product Version">4.18.2304.8</Data>
    <Data Name="Scan ID">{2577AD54-2E6E-4B29-A95A-F26FE09A634F}</Data>
    <Data Name="Scan Type Index">2</Data>
    <Data Name="Scan Type">Antimalware</Data>
    <Data Name="Scan Parameters Index">2</Data>
    <Data Name="Scan Parameters">Full Scan</Data>
    <Data Name="Domain">NT AUTHORITY</Data>
    <Data Name="User">SYSTEM</Data>
    <Data Name="SID">S-1-5-18</Data>
    <Data Name="Scan Resources">
    </Data>
  </EventData>
</Event>

Event ID 1001

Microsoft Defender Antivirus scan has finished.

Log Name:      Microsoft-Windows-Windows Defender/Operational
Source:        Microsoft-Windows-Windows Defender
Date:          5/14/2023 1:54:12 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      VIPPARATA1.ad
Description:
Microsoft Defender Antivirus scan has finished.
 	Scan ID: {2577AD54-2E6E-4B29-A95A-F26FE09A634F}
 	Scan Type: Antimalware
 	Scan Parameters: Full Scan
 	User: NT AUTHORITY\SYSTEM
 	Scan Time: 11:53:36
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" />
    <EventID>1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-05-14T20:54:12.982486900Z" />
    <EventRecordID>10445</EventRecordID>
    <Correlation ActivityID="{DF404DFD-B9A3-4817-B35C-7FFC0C1820C3}" />
    <Execution ProcessID="2428" ThreadID="2396" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>VIPPARATA1.ad</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Product Name">Microsoft Defender Antivirus</Data>
    <Data Name="Product Version">4.18.2304.8</Data>
    <Data Name="Scan ID">{2577AD54-2E6E-4B29-A95A-F26FE09A634F}</Data>
    <Data Name="Scan Type Index">2</Data>
    <Data Name="Scan Type">Antimalware</Data>
    <Data Name="Scan Parameters Index">2</Data>
    <Data Name="Scan Parameters">Full Scan</Data>
    <Data Name="Domain">NT AUTHORITY</Data>
    <Data Name="User">SYSTEM</Data>
    <Data Name="SID">S-1-5-18</Data>
    <Data Name="Scan Time Hours">11</Data>
    <Data Name="Scan Time Minutes">53</Data>
    <Data Name="Scan Time Seconds">36</Data>
  </EventData>
</Event>

Thanks,

Dom

Microsoft Configuration Manager

4 answers

  1. XinGuo-MSFT 16,246 Reputation points
    2023-05-17T07:26:30.7966667+00:00

    Hi,

    ScheduleDay specifies the day of the week that Microsoft Defender runs a scheduled full scan to complete remediation. The full scan can also be configured to run every day or to never run at all.

    0 Run a scheduled full scan every day.
    1 Run a scheduled full scan Sunday.
    2 Run a scheduled full scan Monday.
    3 Run a scheduled full scan Tuesday.
    4 Run a scheduled full scan Wednesday.
    5 Run a scheduled full scan Thursday.
    6 Run a scheduled full scan Friday.
    7 Run a scheduled full scan Saturday.
    8 Never run a scheduled full scan. This is the default value.

  2. Duchemin, Dominique 2,006 Reputation points
    2023-05-17T17:51:32.99+00:00

    Hello

    I would like to compare the settings in the registry to the execution time.

    I noticed several servers are not starting their "Full Scan" at the day/time set.

    Thanks,

    Dom


  3. XinGuo-MSFT 16,246 Reputation points
    2023-05-19T08:33:23.83+00:00

    Hi,

    If you selected "Start a scheduled scan only when the computer is idle", the scheduled scans will only run when the computer is on but not in use.


    You can also view the schedule of Microsoft Defender Antivirus trigger time and frequency.

    Task Scheduler Library > Microsoft > Windows > Windows Defender > Windows Defender Scheduled Scan

    Schedule a scan in Microsoft Defender Antivirus

    https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d

    More info:

    Turn on catch-up full scan


  4. Duchemin, Dominique 2,006 Reputation points
    2023-05-19T23:05:01.7733333+00:00

    Hello,

    "Start a scheduled scan only when the computer is idle" is set to "No"; I verified the Antimalware policy.

    I need a tool to compare the settings and registries (for the expected) to the event viewer (for the executed).

    Thanks,
    Dom

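The ScheduleDay mapping given in the first answer and the expected-versus-executed comparison asked for in the last post, as an added PowerShell example that is not part of this thread: it reads ScheduleDay from the policy key, pulls Event 1000 full-scan starts from the Defender Operational log and reports whether each start fell on the configured weekday. It assumes it runs elevated on the server being checked; the 30-day look-back window is an assumption.

```powershell
# Added example, not from the thread: compare the ScheduleDay policy value (expected)
# with the weekday of Defender "scan has started" events, Event ID 1000 (executed).
$ScanKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Scan'
$DayNames = @{ 0 = 'Every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday'; 4 = 'Wednesday'
               5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday'; 8 = 'Never' }

# Expected: ScheduleDay from the registry; 8 (never) is the default when the value is absent
$scheduleDay = (Get-ItemProperty -Path $ScanKey -Name ScheduleDay -ErrorAction SilentlyContinue).ScheduleDay
if ($null -eq $scheduleDay) { $scheduleDay = 8 }
$scheduleDay = [int]$scheduleDay
Write-Host ("Expected: ScheduleDay={0} ({1})" -f $scheduleDay, $DayNames[$scheduleDay])

# Executed: Event 1000 from the Operational log; 30-day window is an assumption
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields (Scan ID, Scan Parameters, User, ...) out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['Scan Parameters'] -ne 'Full Scan') { continue }   # only full scans are scheduled by ScheduleDay

    # TimeCreated is already local time (the XML SystemTime attribute is UTC)
    $started = $e.TimeCreated
    # DayOfWeek is Sunday=0 .. Saturday=6; ScheduleDay is Sunday=1 .. Saturday=7
    $onSchedule = switch ($scheduleDay) {
        0       { $true }
        8       { $false }
        default { ([int]$started.DayOfWeek + 1) -eq $scheduleDay }
    }
    [pscustomobject]@{
        Started    = $started
        Weekday    = $started.DayOfWeek
        ScanID     = $data['Scan ID']
        User       = $data['User']
        OnSchedule = $onSchedule
    }
}
```

Event 1000 does not record whether a scan was started by the schedule or by hand; the scheduled run shows up as NT AUTHORITY\SYSTEM (as in the events above), so filter on the User column if manual full scans need to be excluded.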