Windows Defender Quarantine & DetectionHistory
Location
C:\ProgramData\Microsoft\Windows Defender\Quarantine\ and C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\
Description
Windows Defender quarantine directory containing encrypted copies of detected malware (ResourceData) and detection metadata (DetectionHistory) recording threat name, file path, detection time, user context, and remediation action taken.
Forensic Value
Defender quarantine preserves the original malware sample even after it was removed from its original location, enabling full malware analysis. The ResourceData files can be decrypted to recover the exact binary for reverse engineering and hash-based threat intelligence correlation. DetectionHistory files provide structured detection metadata showing what was detected, where, and when. This is invaluable when the attacker deletes the original malware after detection.
Tools Required
- KAPE
- PowerShell
- Defender Quarantine Decryptor
- mplog-parser
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target DefenderQuarantine
PowerShell
Copy-Item "C:\ProgramData\Microsoft\Windows Defender\Quarantine\*" -Recurse -Destination C:\output\Quarantine\
Defender Quarantine Decryptor
python3 defender_quarantine_decryptor.py -i C:\output\Quarantine\ResourceData -o C:\output\recovered_samples\
mplog-parser
python3 mplog-parser.py -i "C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-*.log" -o C:\output\mplog_parsed.csv
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
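The PowerShell command above only copies the Quarantine directory; the following added script (not part of this page's tool set) collects both artifact locations named under Location, writes a SHA256 manifest for chain of custody, and records the live detection list and the quarantine purge delay so that an empty quarantine can be interpreted against the Collection Constraints caveat. The output root C:\output\Defender is an assumption; run it from an elevated session because the Quarantine directory is ACL-restricted.

```powershell
# Added example: collect both Defender artifact sets into a hashed bundle.
# Source paths are the page's artifact locations; $Dest is an assumed output root.
$Dest = 'C:\output\Defender'
$Sources = @{
    'Quarantine'       = 'C:\ProgramData\Microsoft\Windows Defender\Quarantine'
    'DetectionHistory' = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory'
}
$Notes = Join-Path $Dest 'collection_notes.txt'

New-Item -ItemType Directory -Path $Dest -Force | Out-Null

foreach ($name in $Sources.Keys) {
    $src = $Sources[$name]
    if (-not (Test-Path -LiteralPath $src)) {
        # A missing directory is logged, not treated as "no detections ever occurred".
        "$name missing at $src" | Add-Content -Path $Notes
        continue
    }
    # -Recurse keeps the on-disk layout (ResourceData, Entries, Resources, per-detection history files).
    Copy-Item -LiteralPath $src -Destination (Join-Path $Dest $name) -Recurse -Force
}

# SHA256 manifest of every collected file, for custody and later hash-based correlation.
Get-ChildItem -Path $Dest -Recurse -File |
    Where-Object { $_.Name -ne 'manifest.csv' } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $Dest 'manifest.csv') -NoTypeInformation

# Live detection metadata from the Defender module, cross-checkable against DetectionHistory.
try {
    Get-MpThreatDetection |
        Select-Object DetectionID, ThreatID, InitialDetectionTime, RemediationTime,
                      ProcessName, DomainUser, ActionSuccess,
                      @{ n = 'Resources'; e = { $_.Resources -join ';' } } |
        Export-Csv -Path (Join-Path $Dest 'live_detections.csv') -NoTypeInformation

    # The purge delay (days) explains why older quarantine items may already be gone.
    (Get-MpPreference).QuarantinePurgeItemsAfterDelay |
        Set-Content -Path (Join-Path $Dest 'quarantine_purge_days.txt')
} catch {
    "Defender module unavailable: $($_.Exception.Message)" | Add-Content -Path $Notes
}
```

Feed the copied ResourceData directory to the decryptor command listed above; the manifest lets you tie each recovered sample back to the exact quarantined file it came from.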