How to Clear Windows Security’s Protection History in Windows 11

by Grant Funtila, Technical Writer

Key Points:

  • Windows Security Protection History logs actions taken by Microsoft Defender Antivirus, Windows Firewall, and Smart App Control.
  • Manually deleting Windows Security protection history: Navigate to the Windows Defender protection history folder (C:\ProgramData\Microsoft\Windows Defender\Scans\History), delete the Service folder to clear stored threat logs, and restart the device.
  • Clearing Windows Security protection history using PowerShell: Open an elevated PowerShell window and run this command: Remove-Item -Path "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*" -Recurse -Force
  • Disable tamper protection temporarily: Navigate to Windows Security > Virus & threat protection > Virus & threat protection settings, then toggle Tamper Protection off.

Windows Security is a built-in suite of security features designed to protect your device from threats. It includes applications like Microsoft Defender Antivirus, Windows Firewall, and Smart App Control, which work simultaneously to protect against viruses, malware, and more.

Windows Security’s protection history is a page where you can view the actions that Microsoft Defender Antivirus has taken on your behalf. Protection history accumulates and could reveal sensitive data about malware testing or user behavior. As such, it’s highly recommended that enterprises and individual users clear this log history now and then.

This guide will walk you through the different methods you can use to delete protection history.


Different ways to clear Windows Security protection history

You can clear Windows Security’s protection history using two primary methods: manually deleting the history folder and clearing it using a PowerShell script.

📌 Prerequisites:

  • Windows 11 (any edition)
  • Administrator rights

💡Tip: You may need to temporarily disable Tamper Protection for the methods to work.

⚠️ Important: Try testing the first two methods before you consider disabling Tamper Protection, as you could be exposing your device to threats and malware if you disable the feature. Turn it off only when the methods fail. [For more details, refer to ⚠️ Things to look out for]

📌 Recommended deployment strategies:

  • Method 1: Manual deletion of protection history
  • Method 2: Clear using PowerShell script
  • Method 3: Disable tamper protection temporarily

Method 1: Manual deletion of protection history

You can manually delete Windows Security’s protection history without using scripts. This method is straightforward, as you only need to click a few buttons.

📌Use Cases: End users looking to clear protection history without using scripts and one-time deletions.

📌Prerequisite: Boot in Safe Mode

  1. Open File Explorer by pressing Win + E.
  2. Copy and paste the following folder path into File Explorer’s address bar and press Enter:

C:\ProgramData\Microsoft\Windows Defender\Scans\History

  3. Right-click the Service folder and click Delete.
  4. Restart the computer to apply the changes.

An empty Service folder will automatically get created after restarting the device, since the system needs a place to store the history in the future.

Method 2: Clearing protection history via PowerShell script

Manually clearing Windows Security protection history is a viable option if you’re working on a single computer. However, PowerShell can help automate the deletion while ensuring consistency across multiple endpoints.

📌Use Cases: This method is ideal for administrators who want to clear Windows Security’s protection history in a repeatable and scalable way.

  1. Press the Win button, type PowerShell, then press Enter.
  2. Right-click Windows PowerShell and press Run as administrator.
  3. Copy and paste any of the commands below into the PowerShell window and press Enter.
    • Remove protection history:

Remove-Item -Path "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*" -Recurse -Force

    • Restart the antivirus service:

Start-Service -Name WinDefend

Set-MpPreference -DisableRealtimeMonitoring $false

    • Stop the antivirus service:

Set-MpPreference -DisableRealtimeMonitoring $true

Stop-Service -Name WinDefend -Force

⚠️ Warning: It’s also advised to first test the script on a local machine before deploying PowerShell scripts. [For more details, refer to ⚠️ Things to look out for] It’s easier to reverse potential problems and mistakes on a single computer than on multiple endpoints.

Method 3: Disable tamper protection temporarily

You may need to disable Tamper Protection if the methods above fail. Tamper Protection is a security feature that prevents unauthorized changes to device security settings.

📌 Prerequisite: You’ll need administrator-level permissions if you use a device managed by a security team.

However, Home users can disable Tamper Protection by following the steps below:

  1. Press the Win button, type Security, and click Windows Security.
  2. Select Virus & threat protection, then Virus & threat protection settings.
  3. Toggle Tamper Protection off.

⚠️ Warning: Remember to enable Tamper Protection again after completing the task. (For more details, refer to ⚠️ Things to look out for.) Do so by following the same steps above, but toggle Tamper Protection on instead.

⚠️ Things to look out for when clearing Windows security protection history

| Risks | Potential Consequences | Reversals |
|---|---|---|
| Unauthorized access | Allowing users to access and delete history could be misused to hide malicious activity. Protection history could include useful logs for malware removal validation or forensic auditing. | Re-enable Tamper Protection to restore security settings or use the Windows Event Viewer to see if it still holds activity records. You can also create a backup by copying the Service folder before deletion. |
| Remote deployment hazards | Applying a PowerShell script across multiple endpoints and systems without testing may disrupt security. It may also break real-time protection, especially if the script is deployed on production systems without proper testing. | Always validate scripts on a non-production machine first to ensure that they produce the intended results. |
| User error | Users may forget to re-enable Tamper Protection, leaving the system vulnerable. | Always enable Tamper Protection after using the methods. In enterprise environments, you can use policies via GPO or MDM to ensure that Tamper Protection is re-enabled. |


Additional information regarding Windows Security’s protection history

  • Event Viewer logs: Clearing protection history doesn’t remove events from the Event Viewer. You’ll need to clear the viewer separately.
  • Forensics: Back up Defender history before clearing it if you use the app for post-incident review. To do so, click the Service folder (method 1), press Ctrl + C, then Ctrl + V.
  • Tamper Protection: Tamper Protection is a security feature that prevents unauthorized changes to device security settings.
  • No GUI option: There are no GUI (graphical user interface) options to clear protection history, so you must delete the log manually or use scripted methods.
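
The backup, clearing, and re-check steps described above can be combined so that nothing is deleted unless the copy succeeded. This is an added example, not a script from the original article; the function name and the C:\DefenderHistoryBackup location are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not NinjaOne's script). Function name and $BackupRoot are assumptions.
function Clear-ProtectionHistoryWithBackup {
    param(
        # Assumed backup location; pick one that only administrators can read.
        [string]$BackupRoot = 'C:\DefenderHistoryBackup'
    )

    # Service folder path as given in this guide.
    $servicePath = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'
    if (-not (Test-Path -LiteralPath $servicePath)) {
        Write-Warning "Nothing to clear: $servicePath does not exist."
        return
    }

    # 1. Copy the Service folder first so the records stay available for review.
    #    -ErrorAction Stop aborts the function here, before anything is deleted.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupRoot "Service-$($env:COMPUTERNAME)-$stamp"
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    Copy-Item -LiteralPath $servicePath -Destination $backup -Recurse -Force -ErrorAction Stop

    # 2. Clear the history (same target as the guide's Remove-Item command).
    try {
        Remove-Item -Path (Join-Path $servicePath '*') -Recurse -Force -ErrorAction Stop
    } catch {
        Write-Warning "Clear incomplete (locked files or access denied): $($_.Exception.Message)"
    }

    # 3. Report what was saved, what is left, and whether protections are on.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Backup                    = $backup
        BackedUpFiles             = @(Get-ChildItem -LiteralPath $backup -Recurse -File -Force).Count
        RemainingFiles            = @(Get-ChildItem -LiteralPath $servicePath -Recurse -File -Force).Count
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        IsTamperProtected         = $status.IsTamperProtected
    }
}

Clear-ProtectionHistoryWithBackup
```

If IsTamperProtected or RealTimeProtectionEnabled comes back False in the output, turn the setting back on before closing the task.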

Protect sensitive malware data by clearing Windows Security’s protection history

Windows Security protects your device from threats using Microsoft Defender Antivirus, Windows Firewall, and Smart App Control to combat viruses, malware, and more. Windows Security keeps track of past threat detections, blocked items, and the like on its protection history page, which you can use for malware removal validation, forensic auditing, etc. Clearing Windows Security Protection History in Windows 11 helps protect user privacy and reduce unnecessary data clutter.

FAQs

To delete Windows Security’s protection history, boot into Safe Mode with administrator rights. Navigate to C:\ProgramData\Microsoft\Windows Defender\Scans\History and delete the Service folder. You can also use this PowerShell command:

Remove-Item -Path "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*" -Recurse -Force

Protection history will be empty if someone has recently cleared it. An empty history could also be due to a disabled Tamper Protection or a lack of recent threat detections.

Windows Security keeps protection history for up to two weeks unless cleared by the user or the system. After two weeks, the log will disappear from the history page.

Windows Security protection history shows a user-friendly record of recent security actions taken by Microsoft Defender Antivirus, such as detected threats, blocked files, and remediation steps. It allows for quick visibility and troubleshooting, but it only retains data for a limited time and can be cleared by the user or administrator. On the other hand, Event Viewer logs provide a more detailed log of security-related events at the system level. Clearing Protection History will not remove Event Viewer entries.
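
To review what Event Viewer still holds after protection history has been cleared, the Defender operational log can be queried directly. This is an added example, not part of the original article; the function name and the 14-day default window are assumptions, and the event IDs are the standard Microsoft Defender Antivirus ones.

```powershell
# Added example: list Defender events that remain in Event Viewer after the
# protection history page has been cleared. Function name is hypothetical.
function Get-DefenderAuditTrail {
    param([int]$Days = 14)

    # Microsoft Defender Antivirus event IDs covered by this report.
    $names = @{
        1116 = 'Threat detected'
        1117 = 'Action taken on threat'
        5000 = 'Real-time protection enabled'
        5001 = 'Real-time protection disabled'
        5007 = 'Defender configuration changed'
    }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]@($names.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as empty.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated)

    # Flag the case where real-time protection was switched off and the log
    # shows no later "enabled" event.
    $lastRtp = $events | Where-Object { $_.Id -in 5000, 5001 } | Select-Object -Last 1
    if ($lastRtp -and $lastRtp.Id -eq 5001) {
        Write-Warning "Real-time protection was disabled at $($lastRtp.TimeCreated) and not re-enabled since."
    }

    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Event   = $names[$e.Id]
            Summary = ($e.Message -split "`r?`n")[0]   # first line of the message
        }
    }
}

Get-DefenderAuditTrail | Format-Table -AutoSize -Wrap
```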

Yes, system updates for your Windows device can reset or clear Windows Security logs, especially during major feature updates or Microsoft Defender updates that may refresh core security components. Older entries may be removed or no longer displayed in the Windows Security protection history page. Any new activity will appear in the protection history page after the update is complete.
