
It's sometimes convenient, and occasionally even necessary, to run anti-malware software before Windows boots or when it can't. Windows Defender Offline is Microsoft's solution that allows you to do just that. I'll show how to download and use it, and I'll also point out a few additional alternatives.

One of the more common, and more difficult, situations to find yourself in is facing a malware-infected machine that either won't boot or won't let you run anti-malware tools because of the infection.

The most common approach is to get a copy of a bootable anti-malware disc. Download it, burn it to CD or install it on a USB drive, configure your BIOS to boot from CD or USB, reboot, and you're running an anti-malware tool that can then scan the hard disk in your system.

There are several, and I'll list a few as well, but my first choice is Microsoft's own Windows Defender Offline.

First, About that Name

Microsoft continues to confuse people to no end with their choice of product names, and Windows Defender is no exception.

There are, I think, three different Windows Defenders:

  • An anti-spyware tool based on GIANT Antispyware, which Microsoft purchased in late 2004. The tool runs in Windows XP, Vista and Windows 7. It's also redundant with, and replaced by, the Microsoft Security Essentials anti-malware[1] package when that utility is installed.

  • A full anti-malware tool that comes with Windows 8.

  • An off-line anti-malware tool in the form of Windows Defender Offline.

As we'll see in a moment, Windows Defender Offline looks a lot like Microsoft Security Essentials, and with the name of Windows 8's included anti-malware tool also being Windows Defender it's a pretty safe bet that Windows Defender - Offline or not - is, essentially, the next version of Microsoft Security Essentials.

Getting Windows Defender Offline

Getting Windows Defender Offline is a two-step process. First you download the creation tool[2] from the Microsoft website, and then you run that tool to create the actual bootable Windows Defender Offline media.

Windows Defender Offline creation tool

After running the tool and accepting the inevitable license agreement, you're offered a choice of what to create:

Windows Defender Offline creation tool - media selection

Choose whichever is most convenient and that you know your machine can boot from.

The tool will then create the media you requested - burning it to a blank CD, creating a bootable USB drive, or writing an ISO file you can later burn to CD yourself. This may take some time, since the Windows Defender Offline program itself is not downloaded until this point.
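A check worth running before launching the creation tool, and before burning an ISO you saved earlier, shown as an added example that is not part of the original article. The download folder, the ISO file name `wdo-rescue.iso` and the one-day freshness threshold are assumptions; `mssstool32.exe` is the file name given in footnote 2.

```powershell
# Added example (not from the article). Requires PowerShell 3.0 or later.
# Assumptions: both files sit in the Downloads folder; the ISO name is hypothetical.
$ToolPath = Join-Path $env:USERPROFILE 'Downloads\mssstool32.exe'
$IsoPath  = Join-Path $env:USERPROFILE 'Downloads\wdo-rescue.iso'

function Test-ToolSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file is unchanged since it was signed and the
    # certificate chain ends in a root this machine trusts.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        # The subject match is only meaningful together with a Valid status.
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    }
}

function Test-MediaFreshness {
    param([Parameter(Mandatory)][string]$Path, [int]$MaxAgeDays = 1)
    # The definitions are fetched when the media is written, so the
    # last-write time of the ISO is the age of its definitions.
    $written = (Get-Item -LiteralPath $Path).LastWriteTime
    $ageDays = [math]::Round(((Get-Date) - $written).TotalDays, 1)
    [pscustomobject]@{
        Path    = $Path
        Written = $written
        AgeDays = $ageDays
        Fresh   = $ageDays -le $MaxAgeDays
    }
}

$tool = Test-ToolSignature -Path $ToolPath
$tool | Format-List
if (-not $tool.Trusted) {
    Write-Warning "Signature check failed. Do not run this file; download it again."
    return
}

if (Test-Path -LiteralPath $IsoPath) {
    $iso = Test-MediaFreshness -Path $IsoPath
    $iso | Format-List
    if (-not $iso.Fresh) {
        Write-Warning "ISO is $($iso.AgeDays) days old. Re-create it to get current definitions."
    }
}
```

Run this on the clean machine used for the download; a result from an infected machine's own tools deserves less trust.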

Running Windows Defender Offline

Boot from whatever media you just created. (It's important to create new media each time, as the malware definitions are part of the media, and you want to make sure you have the latest available.)

You'll get the (new) Windows Logo for a bit:

Windows Defender Offline - booting

Then a Windows Defender Offline activity indicator:

Windows Defender Offline - activity

Once fully loaded, Windows Defender Offline immediately begins scanning:

Windows Defender Offline - initial scan

Upon completion it'll either report what was found, or as in my example, report a clean bill of health:

Windows Defender Offline - done

That's basically the process. You can now perform a deeper scan if you like.

Windows Defender Offline Options

Once the initial quick scan is complete you can then fiddle with options or perhaps run a Full scan to ensure that Windows Defender has an opportunity to scan your entire machine.

Just remember that whatever options you select or changes you might make while Windows Defender Offline is running will probably be lost when you're done - there's no way for the tool to save those updates to the CD from which it was run, and it's unlikely that it'll treat the USB installation any differently.

Close Windows Defender Offline, and your machine will reboot. Make sure to remove the Windows Defender Offline bootable media so that the machine boots from the hard disk as normal.

Windows Defender Offline Alternatives

First, if you have an anti-malware tool other than Microsoft's installed already you might want to check that product's documentation and/or web site; you may have available to you a stand-alone boot version that may (or may not) be more current and/or more full featured than some of these free alternatives.

I'd start with that, but particularly if you suspect that your anti-malware tool didn't catch something you'll want to try another tool.

In addition to Windows Defender Offline, there are several other free stand-alone anti-malware tools:

Each of these is a free download that you burn to CD. You then boot from that CD to run the anti-malware software.

Which to use? Well, aside from starting with my choice, Windows Defender Offline, and then perhaps whatever your installed anti-malware tool might provide, conventional wisdom is: all of them. If you're fighting a nasty malware infection it's completely expected that some tools may catch malware that other tools may miss; it's the nature of the fight against malware.

More practically, though, having one or two of your favorites on call is typically enough. Remember, though, you'll want to download and create the CD when you need it, not before, so that it's as up to date as possible.

1: anti-malware tools are those which perform the functions of both anti-spyware and anti-virus tools. Malware is considered a blanket term for all malicious software.

2: which, at this writing, is mssstool32.exe, the name stemming from the original name of the offline tool as the Microsoft System Sweeper.

Article C5974 - October 30, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


Coly Moore
November 2, 2012 10:28 AM

The Kaspersky Rescue Disk 10, and perhaps some of the others, when booted is able to set up an internet connection and update its database.

This means you burn the disk only once and keep it in a safe place. I consider this ability to update itself a very important feature. I'm surprised that Defender Offline can't do it.

November 2, 2012 10:36 AM

Thanks Leo, I really do appreciate all the information that you provide. I am still a little confused. Since it is best to do the above when a malware problem happens so as to have the latest updates, can I use another family member's computer with a different type of computer/OS to download and burn a CD then use it to start my computer or is this download somehow customized by Microsoft to only work on my computer/OS?

You can use any other computer to create the disc.

November 2, 2012 12:39 PM

The Bitdefender rescue CD has a problem with some monitors. It ran fine on my 23 inch monitor, but when I tried it on my two other PCs the monitor came up with the old "Out of range" message and I could not use the program. It's hard to believe that programmers could make such a mistake that makes their program useless for many. Kind of dents my trust in the company.

Austin Adams
November 2, 2012 2:43 PM

I would like to support Coly Moore's comment. I had thought that I could download and burn a CD of Windows Defender Offline to keep for when it's needed, but when I did need it I found it had to be updated, which I couldn't do given it was a CD not a USB stick. It needs to be pointed out that for CD use Windows Defender Offline needs to be downloaded, or at least updated, immediately prior to use. So, for WDO the best option is the USB stick one.

November 3, 2012 10:55 AM

Re Defender -
I followed the link to MS and as I run XP with SP3 I downloaded the small exe file and ran it to make a CD.
Then get a message advising an upgrade is required (IMAPI v2.0) and to get this from MS.
Did that and had another message to say I'm running the wrong system for IMAPI - sure enough this is only required for W7 etc not XP.
So after going around in circles - Is defender suitable for XP and if so what am I doing wrong?


I'm not sure you're doing anything wrong, but I'm also not sure why this is failing. Windows Defender Offline system requirements include Windows XP SP3, which you have. What I would do is download the ISO and burn it separately using a different burning program such as ImgBurn. (IMAPI is the Image Mastering API, apparently something used when the Windows Defender setup program tries to burn the CD itself.)

November 3, 2012 11:02 AM

My PC is protected with Microsoft Security Essentials with always the newest updated data base. I would like to download and prepare a USB version, yet I unsuccessfully tried to download the software; it's always interrupted either after a short download period or after at about 90MB. I have no problems with Windows update facility or other downloads. Can you help?

November 3, 2012 1:17 PM

"More practically, though, having one or two of your favorites on call is typically enough. Remember, though, you'll want to download and create the CD when you need it, not before, so that it's as up to date as possible."
What can you do if the malware stops you from booting the PC in the first place, i.e. before you go to try and download this program?

Mark J
November 3, 2012 3:19 PM

In that case, you'd have to use a friend's computer to download Windows Defender.

Ken in San Jose
November 3, 2012 9:15 PM

You need to mention that when creating to a USB Flash drive, the program formats the USB Flash drive! Anything on the drive will be lost.
I weekly download and run Windows Defender Offline, and also do a full scan with Norton AntiVirus. A couple of weeks ago Windows Defender Offline found a Java malware software. Norton AntiVirus did not find anything. I restored to an image backup I had made the week before, and reran the scans. Nothing was found. I do not know what it was or how I got it, but I am glad I did the scan and the malware software is now gone.

January 22, 2013 8:38 AM

I downloaded and executed WDO (mssstool32.exe), but when I attempt to boot a Dell Pentium M 2.0 GHz with 2.0 GB running XP Professional 32 bit from the USB I receive the following message:


Your PC needs to be repaired

This operating system uses the Physical Address Extension feature to support systems with more than 4GB of RAM. You'll need to use a PC with a compatible processor to run the operating system.

Error code: 0xc0000260

You'll need to use the recovery tools on your installation media. If you don't have any installation media like a disc or a USB device, contact your system administrator or PC manufacturer.

Press Enter to try again
Press F8 for Startup Settings"

I then tried the same thing on a Dell Inspiron with a Celeron M 1.5GHz, and WDO ran without a problem. I haven't been able to find recovery tools or instructions on Should I keep looking or move on?

February 26, 2013 9:53 AM

If WDO is downloaded from an infected computer is it likely the download will be infected?
