Windows Defender creating thousands of files

Denis Payne 156 Reputation points
2021-04-30T09:58:44.31+00:00

Since 28/04/2021 around 22:00, thousands of files started to be created in folder C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\ on one of my domain controllers.

There were over 200k files which caused that night's backup to take over 4hours rather then the normal 20minutes.
There are now well over 400k files.

Another member server is also affected by this, there are over 2million files in the same folder being:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\

Bother servers are running Windows Server 2016.
The files are 1-2KB.
Settings>Update&Security>Windows Defender settings are enabled.
Windows Defender GUI>History is empty for Quarantined, Allowed and All Detected items.
No Windows Defender scan is running.

Resource Monitor>Disk>Disk Activity shows the System process accessing these files, so I presume it is creating them.
System is also the owner of these files.

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,764 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,304 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
8,217 questions
{count} votes

Accepted answer
  1. Denis Payne 156 Reputation points
    2021-05-10T10:58:39.867+00:00

    All in 7xWS2016 servers all running Sophos were affected, across two of my clients.
    Windows Defender was thus uninstalled from 3xservers with small C-Drives to prevent 0% free space issue.

    Cause seems to of been a MSFT Windows Defender update for which a fix was released late last week.

    Windows Defender has been re-installed on the 3xservers it was previously uninstalled from.
    None of the 7xWS2016 servers are showing a repeat of the issue so assume MSFT fixed it with a Windows Defender update.

    No comments

10 additional answers

Sort by: Most helpful
  1. Dave Patrick 330.3K Reputation points Microsoft MVP
    2021-04-30T12:56:42.753+00:00

    Something here may help.
    https://support.microsoft.com/en-us/windows/protection-history-f1e5fd95-09b4-46d1-b8c7-1059a1e09708

    --please don't forget to Accept as answer if the reply is helpful--


  2. Paul Martin 6 Reputation points
    2021-05-01T18:37:08.457+00:00

    Just to add that we have also seen this issue which looks to be across multiple servers.
    An example server has the folder is almost 2 million files large with the majority created from 29th April

    Server 2016
    Windows Defender Versions

    Antimalware Client: 4.18.2001.7
    Engine Version: 1.1.18100.5
    Antivirus Definitions: 1.337.307.0
    Network inspection system engine version: 1.1.18100.5
    Network inspection system definition versions: 1.337.307.0

    EDIT: We're also running Sophos on the impacted machines, I've raised a ticket with Sophos to see if they can check their side too or re-create the issue
    After checking some servers though it seemed to start after a definitions update for Windows Defender after the MpKslacab service was re-installed
    Between impacted servers, the "Engine Version" of Windows Defender seems to be the only one that matches other impacted servers too


  3. David Fosbenner 21 Reputation points
    2021-05-02T04:00:19.03+00:00

    Oh thank goodness someone else has this issue! I thought I was losing my mind.

    Starting on 4/29, 2 of my file servers suddenly had zero disk space. I'm running Windows Server 2019, I have the same issue with the same Store folder. This folder had about 1 million files, all under 2K, all dated within the last 24 hours. The only way I could stop creation of the files was disabling Defender's real-time protection. The files took up about 4GB. I deleted them all.

    Since the servers are virtual machines I added 10GB to each C: drive. Well, guess what? Tonight the disks were full again, this time with over 11GB and 4 million files!

    I just opened a case with MS PPI Support. When a server has no disk space things stop working, so obviously this is urgent. For now I've disable real-time protection and deleted the files again.

    This is insane! I haven't made any system changes since the last patch Tuesday. I don't know what MS did but this is definitely on them IMO.


  4. 2021-05-02T09:25:23.65+00:00

    Same here on some 2016 servers.
    Any news from MS?
    We habe Sophso Endpoint and datto RMM.. do you have some similar?