Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Individual
Platforms:
- Windows 11, Windows 10, Windows 8.1, Windows 8
- Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Detecting malware that starts early in the boot cycle was a challenge before Windows 8. In August 2012, Microsoft Defender Antivirus (MDAV) for Windows 8 or later, and Windows Server 2012 or later, incorporated a new feature called the Early Launch Antimalware (ELAM) driver. ELAM combats early boot threats (for example, rootkits or malicious drivers that can hide from detection) by using the Wdboot.sys driver, which starts before other boot-start drivers. ELAM evaluates those other drivers and helps the Windows kernel decide whether they should be initialized.
ELAM detections are logged in the same location as other Microsoft Defender Antivirus detections, for example as Event ID 1006.
The MDAV ELAM driver ships with the monthly "Platform update."
ELAM can be modified here:
Group Policy: Computer Configuration > Administrative Templates > System > Early Launch Antimalware
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch
Value name: BackupPath
Type: string
Data: C:\Windows\ELAMBKUP\WdBoot.sys
To revert to the previously installed platform version, run:
C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>\MpCmdRun.exe -RevertPlatform
For example:
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.12-0\MpCmdRun.exe -RevertPlatform
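As an added example (not code from the Microsoft article), the following PowerShell audits the ELAM settings described above on the local host: the BackupPath value and whether the backed-up WdBoot.sys is still validly signed, whether the WdBoot driver service is registered as boot-start, the Boot-Start Driver Initialization Policy behind the Group Policy path above, and any recent Event ID 1006 detections. The function name, output property names, and the policy registry location (HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy, which is not on this page) are my own assumptions; run it from an elevated session.

```powershell
# Added example, not part of the Microsoft article. Audits ELAM-related settings on this host.
function Get-ElamStatus {
    [CmdletBinding()]
    param(
        # How far back in the Defender Operational log to look for detections (Event ID 1006).
        [int]$LookbackHours = 24
    )

    # 1. Backup copy of the ELAM driver, referenced by the EarlyLaunch\BackupPath value.
    $elamKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
    $backupPath = (Get-ItemProperty -Path $elamKey -Name BackupPath -ErrorAction SilentlyContinue).BackupPath
    $backupSig  = if ($backupPath -and (Test-Path -LiteralPath $backupPath)) {
        (Get-AuthenticodeSignature -FilePath $backupPath).Status
    } else { 'Missing' }

    # 2. The WdBoot ELAM driver must be a boot-start driver (Start = 0) so it runs
    #    before the other boot-start drivers it is meant to evaluate.
    $wdBoot = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WdBoot' -ErrorAction SilentlyContinue

    # 3. Boot-Start Driver Initialization Policy (the GPO under System > Early Launch Antimalware).
    #    Assumed registry location; an absent value means Windows' default behaviour applies.
    $policyMap = @{ 1 = 'Good only'; 3 = 'Good and unknown'; 7 = 'Good, unknown and bad but critical'; 8 = 'All drivers' }
    $policy = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $policy) { $policyText = 'Not configured (Windows default: Good, unknown and bad but critical)' }
    elseif ($policyMap.ContainsKey([int]$policy)) { $policyText = $policyMap[[int]$policy] }
    else { $policyText = "Unrecognized value $policy" }

    # 4. Recent detections: ELAM detections land in the same log and Event ID as other MDAV detections.
    $detections = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1006
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        BackupPath        = $backupPath
        BackupSignature   = $backupSig
        WdBootPresent     = [bool]$wdBoot
        WdBootIsBootStart = [bool]($wdBoot -and $wdBoot.Start -eq 0)
        DriverLoadPolicy  = $policyText
        Detections1006    = @($detections).Count
        LatestDetection   = ($detections | Select-Object -First 1).TimeCreated   # newest event first
    }
}

Get-ElamStatus | Format-List
```

A BackupSignature other than Valid, a WdBoot service that is not boot-start, or a DriverLoadPolicy of "All drivers" are the findings worth raising in a hardening review.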