Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Windows Defender Offline – Scan Your Computer for Malware Without Booting Windows

One of the more difficult situations to find yourself in is to have a malware-infected machine that either won’t boot, or won’t allow you to run anti-malware tools because of the infection.

The most common next step is to download a bootable anti-malware disc, and burn it to CD or install it on a USB flash drive. You then configure your computer’s BIOS or UEFI to boot from the CD or USB, reboot, and instead of starting Windows you’re running the anti-malware tool instead that can then scan the hard disk in your system.

There are several, but my first choice is Microsoft’s own Windows Defender Offline.

Become a Patron of Ask Leo! and go ad-free!

Windows Defender?

We first need to talk about the name, “Windows Defender”. Microsoft continues to confuse us with their choice of product names.

There have been, I think, three different Windows Defenders:

  • An anti-spywareonly tool that runs in Windows XP, Vista and Windows 7. Installing Microsoft Security Essentials (MSE) anti-malware replaces Windows Defender, as MSE scans for all types of malware, including spyware.
  • An anti-malware tool that comes with Windows 8, 8.1 and 10. This is, essentially, Microsoft Security Essentials renamed to be called Windows Defender.
  • An off-line anti-malware tool in the form of Windows Defender Offline.

As we’ll see in a moment, Windows Defender Offline looks a lot like the Windows Defender that’s actually installed in Windows 10.

Getting Windows Defender Offline

Getting Windows Defender Offline is a two step process. First you download the creation tool1 from the Microsoft website, and then run that tool to create the actual bootable Windows Defender Offline media.

Windows Defender Offline Creation Tool

 

After running the tool and accepting the inevitable license agreement, you’re offered a choice of what to create:

Windows Defender Offline Creation Tool - Destination

 

Choose whatever is most convenient and you know your machine can boot from.

The tool will then create the media you requested – burning it to a blank CD, creating a bootable USB drive, or writing an ISO file you can later burn to CD yourself.

Windows Defender Offline Creation Tool - Creating ISO

This may take some time since the actual Windows Defender Offline program is not actually downloaded until this point.

Running Windows Defender Offline

Boot from whatever media you just created. (It’s important to create new media each time, as the malware definitions are part of the media, and you want to make sure you have the latest available.)

You’ll get the (new) Windows Logo for a bit:

Windows Defender Offline - booting

Then a Windows Defender Offline activity indicator:

Windows Defender Offline - activity

Once fully loaded Windows Defender Offline immediately begins scanning:

Windows Defender Offline - initial scan

Upon completion it’ll either report what was found, or as in my example, report a clean bill of health:

Windows Defender Offline - done

That’s basically the process. You can now perform a deeper scan if you like.

Windows Defender Offline Options

Once the initial quick scan is complete you can then fiddle with options or perhaps run a Full scan to ensure that Windows Defender has an opportunity to scan your entire machine.

Just remember that whatever options you select or changes you might make while Windows Defender Offline is running will probably be lost when you’re done – there’s no way for the tool to save those updates to the CD from which it was run, and it’s unlikely that it’ll treat the USB installation any differently.

Close Windows Defender Offline, and your machine will reboot. Make sure to remove the Windows Defender Offline bootable media so that the machine boots from the hard disk as normal.

Windows Defender Offline Alternatives

First, if you have an anti-malware tool other than Microsoft’s installed already you might want to check that product’s documentation and/or web site; you may have available to you a stand-alone boot version that may (or may not) be more current and/or more full featured than some of these free alternatives.

I’d start with that, but particularly if you suspect that your anti-malware tool didn’t catch something you’ll want to try another tool.

In addition to Windows Defender Offline, there are several other free stand-alone anti-malware tools:

Each of these are free downloads that you burn to CD. You then boot from that CD to run the anti-malware software.

Which to use? Well, aside from starting with my choice, Windows Defender Online, and then perhaps whatever your installed anti-malware tool might provide, conventional wisdom is: all of them. If you’re fighting a nasty malware infection it’s completely expected that some tools may catch malware that other tools may miss; it’s the nature of the fight against malware.

More practically, though, having one or two of your favorites on call is typically enough. Remember, though, you’ll want to download and create the CD when you need it, not before, so that it’s as up to date as possible.

More for Patrons of Ask Leo!

Silver-level patrons have access to this related video from The Ask Leo! Video Library.

Running Windows Defender Offline (in Windows 10)   Running Windows Defender Offline (in Windows 10)

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Footnotes & references

1: which, at this writing, is either mssstool32.exe or mssstool64.exe, the name stemming from the original name of the offline tool as the Microsoft System Sweeper.

47 comments on “Windows Defender Offline – Scan Your Computer for Malware Without Booting Windows”

  1. The Kaspersky Rescue Disk 10, and perhaps some of the others, when booted is able to set up an internet connection and update its database.

    This means you burn the disk only once and keep it in a safe place. I consider this ability to update itself a very important feature. I’m surprised that Defender Offline can’t do it.

    Reply
  2. Thanks Leo, I really do appreciate all the information that you provide. I am still a little confused. Since it is best to do the above when a mal-ware problem happens so as to have the latest updates, can I use another family member’s computer with a different type of computer/ OS to download and burn a CD then use it to start my computer or is this download somehow customized by Microsoft to only work on my computer/ OS?

    You can any other computer to create the disc.

    Leo
    02-Nov-2012

    Reply
  3. The Bitdefender rescue CD has a problem with some monitors. It ran fine on my 23 inch monitor, but when I tried it on my two other PCs the monitor came up with the old “Out of range” message and I could not use the program. It’s hard to believe that programmers could make such a mistake that makes their program useless for many. Kind of dents my trust in the company.

    Reply
  4. I would like to support Coly Moore’s comment. I had thought that I could download and burn a CD of Windows Defender Offline to keep for when it’s needed, but when I did need it I found it had to be updated, which I couldn’t do given it was a CD not a USB stick. It needs to be pointed out that for CD use Windows Defender Offline needs to be downloaded, or at least updated, immediately prior to use. So, for WDO the best option is the USB stick one.

    Reply
    • It’s very good to know, Austin, that the USB stick version of Windows Defender Offline proves to be more “useable” than the CD version. I”d made and kept a CD version of WDO. Given your experience I’m going to create a USB stick version … just to be on the safe side. Thanks for the info, mate!

      Reply
      • Creating a USB version or a CD has essentially the same problem. Both would likely be obsolete at the time they’re needed. You’d need to download a fresh copy in either case. The only advantage of using a USB stick is the few cents you’ll save on the cost of the CD.

        Reply
  5. Re Defender –
    I followed the link to MS and as I run XP with SP3 I downloaded the small exe file and ran it to make a CD.
    Then get a message advising an upgrade is required (IMAPI v2.0) and to get this from MS.
    Did that and had another message to say I’m running the wrong system for IMAPI – sure enough this is only required for W7 etc not XP.
    So after going around in circles – Is defender suitable for XP and if so what am I doing wrong ?

    regards
    Bernard

    I’m not sure you’re doing anything wrong, but I’m also not sure why this is failing. Windows Defender Offline system requirements include Windows XP SP3, which you have. What I would do is download the ISO and burn it separately using a different burning program such as ImgBurn. (IMAPI is the Image Mastering API, apparently something used when the Windows Defender setup program tries to burn the CD itself.)

    Leo
    05-Nov-2012

    Reply
  6. My PC is protected with Microsoft Security Essentials with always the newest updated data base. I would like to download and prepare a usb version, yet I unsuccessfully tried to download the software; it’s always interrupted either after a short download periode or after at about 90MB. I have no problems with Windows update facility or other downloads. Can you help?

    Reply
  7. “More practically, though, having one or two of your favorites on call is typically enough.Remember, though, you’ll want to download and create the CD when you need it, not before, so that it’s as up to date as possible.”
    What can you do if the malware stops you from booting the pc in the first place, i.e. before you go to try and download this program?

    Reply
  8. Leo,
    You need to mention that when creating to a USB Flash drive, the program formats the USB Flash drive! Anything on the drive will be lost.
    I weekly download and run Windows Defender Offline, and also do a full scan with Norton AntiVirus. A couple of weeks ago Windows Defender Offline found a Java malware software. Norton AntiVirus did not find anything. I restored to an image backup I had made the week before, and reran the scans. Nothing was found. I do not know what it was or how I got it, but I am glad I did the scan and the malware software is now gone.

    Reply
  9. I downloaded and executed WDO (mssstool32.exe), but when I attempt to boot a Dell Pentium M 2.0 GHz with 2.0 GB running XP Professional 32 bit from the USB I receive the following message:

    “Recovery

    Your PC needs to be repaired

    This operating system uses the Physical Address Extension feature to support systems with more than 4GB of RAM. You’ll need to use a PC with a compatible processor to run the operating system.

    Error code: 0xc0000260

    You’ll need to use the recovery tools on your installation media. If you don’t have any installation media like a disc or a USB device, contact your system administrator or PC manufacturer.

    Press Enter to try again
    Press F8 for Startup Settings”

    I then tried the same thing on a Dell Inspiron with a Celeron M 1.5GHz, and WDO ran without a problem. I haven’t been able to find recovery tools or instructions on Dell.com. Should I keep looking or move on?

    Reply
  10. Leo, I am still a bit confused about Windows Defender Offline. I am using Windows 8.1 which uses Windows Defender. You mentioned:
    “Remember, though, you’ll want to download and create the CD when you need it, not before, so that it’s as up to date as possible.” I have three questions:
    1) From what I’ve read people prefer a thumb drive over a CD because the thumb-drive can be updated while the CD cannot. Does that hold true for a rewritable CD as well? And… what SIZE thumb-drive/CD (how many MB or GB does the program require?) I don’t want to get half way through only to find there’s no enough space on the thumb-drive or CD for Windows Defender Offline to complete its download.
    2) If I should not use this program UNTIL I need it… and there is no other computer in the house from which to download a clean copy of Defender Offline, is it safe (or even possible) to download it from an infected PC? In the case where it will not allow you to log on… what do you do?
    3) Going with question #2… Is it better to download a copy “now” to a thumb-drive and periodically update it, rather than waiting for that inevitable moment when disaster strikes? Will an “older” download still work if the virus scan is out-dated?

    Thanks for your help!

    Reply
    • 1) Thumbdrive is fine. I can’t think of a thumbdrive too small – the smallest these days is way more space than Windows Defender Offline needs.

      2) That is a conundrum for which there’s really no answer. You DO want the latest, which means downloading only when you need it, but an infected machine may not let you download. Might be time for a trip to a friend’s house.

      3) You can do that if you like, but honestly – the chances of ever needing it in the first place are low as long as you play safe online and keep your normal anti-malware tools running and up to date. I wouldn’t bother. You really DO want the latest.

      Reply
  11. Question for Leo and/or Austin Adams (primarily the same question that Cyndy & Roger Wilber asks): If I were to burn Windows Defender Offline (WDO) to a USB flash drive today, would that USB flash drive update to the latest version, if I were to use it, say, a month from today? And a secondary related question: how much space does WDO take? I have a bunch of empty 512 MB flash disks that I could use (but Norton’s Ghost, Windows Boot version 15 doesn’t fit).
    BTW, Leo, thank you for a wonderful resource. I find your articles informative, up-to-date, and often entertaining. And the price can’t be beat ;).

    Reply
    • I don’t believe it will automatically update. It works offline – meaning that it does not use an internet connection to update anything. I would expect 512MB would work, but I honestly don’t know. Why don’t you just give it a try now, before you need it?

      Reply
  12. Leo, I cloned my 250g hard drive to a new 1tb drive. Everything seems good … But I cannot start windows defender or do a windows update. In service it show windows update is automatic and started? I so cannot use windows live. I tried to use fix it etcetera but am unable to select the save or run button ?can you help?

    Reply
  13. Hi Leo: Per your advice I first created a WDO CD which works as advertised on my Dell Inspiron 620 desktop. But when WDO was also loaded to USB flash drive the drive is apparently ignored during boot. The BIOS sequence is – (1) USB “FLOPPY” (which i assume is Dell-speak for flash drive) (2) CD/DVD (3) HD. What am i doing wrong or is this a hardware problem ? Thanx.

    Bob

    Reply
    • You’d have to ask Dell – if it’s ignoring a bootable USB drive on boot up then there;s something about how the BIOS is configured that must be getting in the way.

      Reply
    • LOL!

      “USB Floppy” is most decidedly NOT “Dell speak for a flashdrive.”

      “USB Floppy” is computer-speak for — wait for it! — an external floppy drive, connected to the computer via USB. (Like, whoa! Whodduh thunkit?) :o

      Search your boot sequence for other “USB”-related things; one of them most certainly should be for a flashdrive. But NOT “USB Floppy.”

      Good luck!

      Reply
      • Adding to that reply:

        (1) If need be, keep putting “USB-related” items, one-by-one (keeping very careful track of the changes you make, since you’ll eventually want to revert them to normal) up at the top the boot order.

        EVENTUALLY, one if those changes should aklow the computer to boot your d*mn flashdrive!

        (2) Shame on you, Leo, for missing so obvious a flub on the OP’s part!

        Reply
      • Actually one of them will probably just say “USB” and will attempt to boot from whatever USB device is connected — USB stick, floppy drive, CD drive, or something else. Not all will work, depending on the BIOS.

        Reply
  14. Bewildered Bob,
    Dell is referring to an “External Floppy Drive connected via USB” for option 1, NOT “Floppy or USB Drive”. There may be an additional option for USB Drive but option 1 is not it. Some of the motherboard BIOS programs required a connected USB Drive for that boot option to be available and many of the older Win XP based systems simply don’t support a bootable USB thumb drive.

    Reply
  15. I need clarification please. I know how to change boot order, so all if OK there. One part of the articles says in effect to “use the media to boot that you just created.” If I were to prepare a CD with Windows Defender today and could not boot up in six months or so, apparently I would not have the latest list of threats. If the computer will not boot at all, I could not go to download the most recent version. If this is the case, what to do then?

    Reply
    • If your infected computer has an internet connection, Windows Defender Offline (WDO) should download the latest definitions before scanning the hard drive. Another option is create the CD on uninfected machine just before running WDO.

      Reply
  16. I have got a call saying that my system has been hacked and attacked by virus. That call was from INDIA and I have believed them and given access to my computer and I have also paid$100 them through PAY-PAL, they told me that they will be providing me Internet Security Life-Time. They used to call regularly and talked with me like a friend.
    I have changed my Apartment and after few days they have called me again and told me to give the access and I gave them my access after their call I’m facing problems while using internet . Ex:- If I open any site except “youtube” it diverts me to somewhere and giving me warning to call some numbers.
    Should I call them and ask them to fix the problem or-else Is there any solution for this problem??????
    I’m in a confusion what should I do????
    Please reply me asap.

    Reply
  17. Hi there Leo, i just discover your site a while ago and i wanna say thank you very much and God bless you for helping me some much, even if it wasn’t directly;

    Thank you kindly; Marlon,,,

    Reply
  18. I have acquired the RSA4096 virus somehow. Read up on this virus, tried a bunch of things including Malware Bytes but of course am unable to get it off. Decided I would not be supporting some jerk who would blackmail people no matter what. I erased my hard drive and lost all my files naturally. I was able to reset my PC with Windows 8.1 and low and behold I still have the RSA4096 virus on my desktop! Do I just use an axe and chop it up now, or what? I am no guru but willing to try something else. Lesson #101 save stuff on flashdrives immediately. Thanks

    Reply
  19. I Followed all your instructions and downloaded windows defender offline but it did not work,
    I received an error message error code:0x80070070 it states that virus and spyware definitions couldn’t
    be updated, this app couldn’t check for virus,check internet or network connection and try again, copy
    of this app has expired. please help,Thank you.

    Reply
  20. I have the same problem with Windows Defender Offline – it will not work until it is ‘Updated’ and it is not possible to update…. You should try it Leo !!

    Reply
    • That’s why the last line of the article says “Remember, though, you’ll want to download and create the CD when you need it, not before, so that it’s as up to date as possible.”

      Reply
  21. I use the paid version of Avast Anti-virus and it appears that it also checks for malware and adware. I use Windows 10’s version of Outlook mail and when I click on an e-mail that Avast doesn’t like, it sends a popup to my screen warning me about the email and basically doesn’t allow me to open the e-mail. Is this a safe way to avoid malware/adware? I run the free version of Malware Byes Anti-malware weekly and it’s never found a virus, so it seems Avast is doing its job. The warning always seems to address the e-mail address I use when I had a website and the e-mail address was on the website, so I assume it was harvested by the “bad” guys. The outlook e-mail address I set-up when I installed Windows 10 has never been on a website and Avast has never warned of a possible virus/malware/adware with that address.

    Reply
  22. The Windows Defender Offline will start with an exe file that in turn will create the CD. But this is a Windows executable… I only have 1 windows PC (the suspect) and want to create the WDO CD from either my wife’s Macbook or an Linux PC. Can this be done or do I need to find a windows PC to be able to use WDO? AVG or Kasperksy let me download the ISO, but MS not?

    Reply
  23. Thanks for this article Leo. I’m usually pretty clued up about being suspicious of potential risk but I got
    tricked into giving access to my computer because “he’d show me every move and talk me through it”
    When he asked for money and shouted at me when I said “No” I hung up, unplugged my computer and
    took the battery out for 30 mins.
    I feel much happier having read your helpful article and I won’t be falling for that or similar again.

    Reply
  24. I did every step for the Windows Defender Offline, which is an awesome idea BTW, but when I attempt this, it loads and says “this app requires up-to-date virus and spyware definitions. You’ll need to install the latest definition updates before scanning your PC” and in the middle it says “virus and spyware definitions “out of date” and gives me the option to update which of course will not work. So I cannot scan my computer. Just wanted everyone to know (and you) in case someone runs into this. Maybe there is a way around this, but I dont know what it would be. I must have a very nasty virus. It blocks everything I attempt

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.