How to Find and Remove Malware With Windows Defender Offline

By Chris Hoffman on August 9th, 2016

Microsoft has long offered a “Windows Defender Offline” tool you can use to perform malware scans from outside of Windows. With Windows 10’s Anniversary Update, this tool is included with Windows, and even easier to launch. Here’s how to use it, no matter which version of Windows you’re on.

Windows Defender may prompt you to download and run Windows Defender Offline if it finds malware it can’t remove. But, if you’re concerned your computer might be infected, it’s worth running an offline scan with something like Windows Defender Offline just to be safe.

Why an “Offline” Scan Is So Useful

This tool is called “Windows Defender Offline” because it scans when Windows isn’t running. Rather than running from within Windows, where malware could be active in the background during the scan, it restarts your computer into a clean environment and scans from outside of Windows.

Since the tool scans while Windows isn’t running, any malware that might be running inside Windows can’t interfere. Some rootkits may hide from Windows during the bootup process, but be detectable when running a scan from outside Windows. Some malware may hook so deep into Windows that it can’t be removed while Windows is running, but can be removed if you run a standalone scan outside the OS.

This tool is essentially an antivirus boot disc, but integrated into Windows 10 and easier to run. (And if you’re on Windows 7 or 8.1, you can make a disc and run it yourself.)

How to Run Windows Defender Offline on Windows 10

Assuming you’ve upgraded to the Anniversary Update, you can do this in one click from within Windows 10. You won’t find this option in the Windows Defender desktop application, however. It’s only located in the Settings app.

Head to Settings > Update & Security > Windows Defender. Scroll down and click the “Scan Offline” button under Windows Defender Offline.


After you click this button, your computer will automatically reboot and begin scanning your PC for malware. The scan may take up to fifteen minutes. If any malware is found, you’ll be prompted to clean it up from within the Windows Defender Offline interface. If no malware is found, your computer will automatically boot back into Windows once the scan is complete.
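The same scan can also be started from an elevated PowerShell prompt with the Defender module's Start-MpWSCOfflineScan cmdlet. The script below is an added example, not part of the original article: it refreshes the definitions if they are stale and asks for confirmation, because the PC restarts as soon as the scan is requested. The function name Start-OfflineScanChecked and the one-day freshness threshold are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: start a Windows Defender Offline scan from PowerShell,
# making sure the definitions are current before the reboot.

function Start-OfflineScanChecked {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Assumption: definitions older than this many days are refreshed first.
        [int]$MaxSignatureAgeDays = 1
    )

    # The cmdlet is part of the Defender module; stop cleanly if it is missing.
    if (-not (Get-Command Start-MpWSCOfflineScan -ErrorAction SilentlyContinue)) {
        throw 'Start-MpWSCOfflineScan is not available on this system.'
    }

    $status = Get-MpComputerStatus
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        Write-Host "Definitions are $($status.AntivirusSignatureAge) day(s) old; updating."
        Update-MpSignature
        $status = Get-MpComputerStatus
    }
    Write-Host "Definition version:  $($status.AntivirusSignatureVersion)"
    Write-Host "Definitions updated: $($status.AntivirusSignatureLastUpdated)"

    # Save open work first: the computer reboots into the offline scanner.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Reboot into Windows Defender Offline')) {
        Start-MpWSCOfflineScan
    }
}

Start-OfflineScanChecked
```

After the PC boots back into Windows, Get-MpThreatDetection lists what Windows Defender has detected on the machine.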

How to Run Windows Defender Offline on Windows 7 and 8.1

For previous versions of Windows, you can download Windows Defender Offline, create a bootable USB drive, CD, or DVD, and boot the Windows Defender Offline tool on the PC. This works identically to the Windows Defender Offline feature on Windows 10, but requires you to create the bootable media and boot it up yourself.

Microsoft recommends creating bootable media on a known-clean computer. Malware can interfere with the media creation process if it’s running in the background, so if you’re concerned your current PC might be infected, use another PC to download Windows Defender Offline and create the media.

Head to the Windows Defender Offline download page, scroll down, and download either the 32-bit or 64-bit version depending on whether your PC is running a 32-bit or 64-bit version of Windows.
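Before running the downloaded file, it is worth confirming that it carries a valid Microsoft signature, since the bootable media is only as trustworthy as the tool that builds it. The following PowerShell check is an added example, not part of the original article. The function name Test-MicrosoftSignedFile and the Downloads path are assumptions, as is the expectation that the tool is Authenticode-signed by Microsoft Corporation.

```powershell
# Added example: check the Authenticode signature of the downloaded tool
# before using it to build rescue media.

function Test-MicrosoftSignedFile {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256

    # An unsigned file has no signer certificate at all.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Match the organisation (O=) field of the signer, so that a certificate
    # that merely mentions Microsoft elsewhere in its subject does not pass.
    $signedByMicrosoft = $subject -match '(^|,\s*)O=Microsoft Corporation(,|$)'

    [pscustomobject]@{
        File            = $file.FullName
        SignatureStatus = $sig.Status      # 'Valid' = hash matches and chain is trusted
        Signer          = $subject
        SHA256          = $hash.Hash       # keep for your records
        Trusted         = ($sig.Status -eq 'Valid') -and $signedByMicrosoft
    }
}

# Assumed download location; use msstool32.exe for the 32-bit version.
$tool   = Join-Path $env:USERPROFILE 'Downloads\msstool64.exe'
$result = Test-MicrosoftSignedFile -Path $tool
$result | Format-List

if (-not $result.Trusted) {
    Write-Warning 'Signature check failed. Do not run this file; download it again on a known-clean PC.'
}
```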

Run the downloaded msstool64.exe or msstool32.exe file and you’ll be prompted to create installation media on a USB drive, or burn it to a CD or DVD. You can also have the tool create an ISO file, which you can burn to a disc yourself using your preferred disc-burning program. The tool will create Windows Defender Offline media containing the latest virus definitions.

If you use a USB drive, the drive will be reformatted and any data on it will be erased. Be sure to back up any important data from the drive first.

Once you’ve created the USB drive, CD, or DVD, you’ll need to remove it from your current computer and take it to the computer you want to scan. Insert the USB drive or disc into the other computer and restart the computer.

Boot from the USB drive, CD, or DVD to run the scan. Depending on the computer’s settings, it may automatically boot from the media after you restart it, or you may have to press a key to enter a “boot devices” menu or modify the boot order in the computer’s UEFI firmware or BIOS.

Once you’ve booted from the device, you’ll see a Windows Defender tool that will automatically scan your computer and remove malware. It works identically to Windows Defender Offline on Windows 10, and it’s the same interface you’d see in Microsoft Security Essentials on Windows 7 and Windows Defender on Windows 8.1.

After the scan is complete and you’re done with the tool, you can reboot your computer and remove the Windows Defender Offline media to boot back into Windows.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry.
