How to Run a Windows Defender Offline Scan in Batch Script
Some types of malware, such as rootkits and persistent boot-level viruses, are highly sophisticated and can hide from the operating system while it is running. To eliminate these threats, Windows includes a "Defender Offline Scan" feature. This scan restarts your computer into a special, trusted environment outside of the standard Windows kernel, allowing the antivirus engine to clean deep-seated infections that would otherwise be impossible to delete. While users typically trigger this from the "Settings" menu, you can automate this critical security task using a Batch script.
This guide explains how to schedule and trigger an offline scan.
Why Run an Offline Scan?
- Persistent Threat Removal: Eliminating malware that "resurrects" itself after every standard scan.
- Rootkit Detection: Scanning the system before the OS boot sequence can be hijacked by malicious drivers.
- Deep System Cleaning: Ensuring a machine is 100% clean before performing a highly sensitive operation, like accessing a bank vault or a cryptocurrency wallet.
Running an Offline Scan script will automatically restart your computer without warning. Ensure you save all open work before executing the script.
Method 1: Using the PowerShell Bridge (Recommended)
The most reliable way to trigger the modern Windows 10/11 Offline Scan is using the Start-MpWDOScan cmdlet. You can call this from a Batch script with ease.
@echo off
setlocal
echo ============================================================
echo Microsoft Defender Offline Scan Trigger
echo ============================================================
:: Check for admin rights first
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Administrator privileges are required.
echo [HELP] Right-click and select 'Run as administrator'.
pause
exit /b 1
)
echo [WARNING] This will restart your computer immediately.
echo [WARNING] Save all open work before proceeding.
echo.
set /p "CONFIRM=Proceed with offline scan? (Y/N): "
if /i not "%CONFIRM%"=="Y" (
echo [INFO] Cancelled by user.
pause
exit /b 0
)
echo.
echo [PROCESS] Preparing the offline environment...
:: Trigger the scan
powershell -NoProfile -Command "Start-MpWDOScan" 2>nul
if %errorlevel% neq 0 (
echo [ERROR] Failed to start offline scan. Code: %errorlevel%
echo [HELP] Ensure Windows Defender is active and not replaced
echo by a third-party antivirus.
pause
)
Method 2: Using the Defender Command Line
The MpCmdRun.exe utility can also trigger an offline scan using scan type 4, which schedules the scan and initiates a reboot.
@echo off
setlocal
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Administrator privileges are required.
pause
exit /b 1
)
:: Locate MpCmdRun.exe
set "MP_PATH="
if exist "%ProgramFiles%\Windows Defender\MpCmdRun.exe" (
set "MP_PATH=%ProgramFiles%\Windows Defender\MpCmdRun.exe"
) else (
for /f "delims=" %%f in ('dir /s /b "%ProgramData%\Microsoft\Windows Defender\Platform\MpCmdRun.exe" 2^>nul') do set "MP_PATH=%%f"
)
if not defined MP_PATH (
echo [ERROR] Could not locate MpCmdRun.exe.
pause
exit /b 1
)
echo [WARNING] This will restart your computer for an offline scan.
echo.
set /p "CONFIRM=Proceed? (Y/N): "
if /i not "%CONFIRM%"=="Y" (
echo [INFO] Cancelled by user.
pause
exit /b 0
)
echo [PROCESS] Scheduling offline scan...
"%MP_PATH%" -Scan -ScanType 4
if %errorlevel% equ 0 (
echo [SUCCESS] Offline scan scheduled. Your computer will restart shortly.
) else (
echo [ERROR] Failed to schedule offline scan. Code: %errorlevel%
)
pause
Creating a Security Emergency "Nuke" Script
This script provides the user with a final warning, updates definitions, and then triggers the offline scan.
@echo off
setlocal
echo ============================================================
echo CRITICAL SECURITY CLEANUP TOOL
echo ============================================================
echo.
echo This tool triggers a Windows Defender Offline Scan to remove
echo deep-seated infections like rootkits and boot-level malware.
echo.
echo IMPORTANT:
echo [1] Save all open work. The computer WILL restart.
echo [2] The scan takes approximately 15-30 minutes.
echo [3] Have your BitLocker Recovery Key ready if applicable.
echo.
:: Verify Admin Rights first
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] You MUST run this as an Administrator.
pause
exit /b 1
)
set /p "CONFIRM=Are you ready to proceed? (Y/N): "
if /i not "%CONFIRM%"=="Y" (
echo [EXIT] Operation cancelled by user.
pause
exit /b 0
)
:: Locate MpCmdRun.exe
set "MP_PATH="
if exist "%ProgramFiles%\Windows Defender\MpCmdRun.exe" (
set "MP_PATH=%ProgramFiles%\Windows Defender\MpCmdRun.exe"
) else (
for /f "delims=" %%f in ('dir /s /b "%ProgramData%\Microsoft\Windows Defender\Platform\MpCmdRun.exe" 2^>nul') do set "MP_PATH=%%f"
)
:: Update definitions before the scan
:: Note: %errorlevel% inside this parenthesized block would expand when the whole
:: block is parsed (before MpCmdRun runs), so test the result with "if errorlevel".
if defined MP_PATH (
echo.
echo [STEP 1] Updating virus definitions...
"%MP_PATH%" -SignatureUpdate >nul 2>&1
if not errorlevel 1 (
echo [PASS] Definitions updated.
) else (
echo [WARN] Could not update definitions. Proceeding with current signatures.
)
) else (
echo [WARN] MpCmdRun.exe not found. Skipping definition update.
)
:: Trigger the offline scan
echo.
echo [STEP 2] Initiating Offline Scan...
powershell -NoProfile -Command "Start-MpWDOScan" 2>nul
if %errorlevel% neq 0 (
echo [ERROR] Failed to initiate offline scan. Code: %errorlevel%
echo [HELP] Try using Windows Security GUI instead:
echo Settings ^> Windows Security ^> Virus ^& threat protection
echo ^> Scan options ^> Microsoft Defender Offline scan
pause
exit /b 1
)
echo.
echo [INFO] Your computer should restart momentarily...
echo ============================================================
Common Pitfalls and How to Avoid Them
Administrative Rights
Triggering a system-level restart and a boot-time scan requires Administrator privileges. The command will silently fail or return an error if run from a standard CMD window.
Missing BitLocker Keys
If you use BitLocker disk encryption, the Offline Scan environment might ask for your Recovery Key before it can scan the C: drive.
Advise your users to have their BitLocker Recovery Key ready (printed or on another device) before running this script. If they don't have it, the scan may be unable to unlock the drive to perform the cleanup.
Best Practices for Offline Scans
- Run Quick Scan First: Always try a Quick Scan and a Full Scan (Methods 1 & 2 in our other guides) before resorting to an offline scan.
- Verify Definition Updates: Ensure your virus definitions are updated (MpCmdRun.exe -SignatureUpdate) before triggering the reboot.
- Check Hardware Compatibility: On very old hardware or specialized RAID configurations, the offline environment might lack the necessary drivers to see the hard drive.
A Windows Defender Offline scan typically takes 15 to 30 minutes. During this time, the computer will show a loading screen and a progress bar, and you will be unable to use the machine.
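The pitfalls and best practices above can be checked automatically before the reboot is committed. The following pre-flight script is an added example, not part of the original article; it assumes Windows 10/11 with PowerShell 5.1, the built-in Defender module and, where BitLocker is in use, the BitLocker module. The -DryRun switch and the MaxSignatureAgeDays threshold are this example's own parameters.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): pre-flight checks before
# Start-MpWDOScan. -DryRun reports the result without triggering the reboot.
param([switch]$DryRun, [int]$MaxSignatureAgeDays = 1)

$status = Get-MpComputerStatus
$problems = @()

# 1. Defender must be the active engine. In passive mode a third-party AV owns
#    scanning and the offline scan cannot be started from here.
if (-not $status.AMServiceEnabled) { $problems += 'Defender antimalware service is not running.' }
if ($status.AMRunningMode -ne 'Normal') {
    $problems += "Defender is in '$($status.AMRunningMode)' mode, not 'Normal' (third-party AV present?)."
}

# 2. Stale signatures: refresh them first, then re-read the status.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Write-Host "[STEP] Signatures are $($status.AntivirusSignatureAge) day(s) old; updating..."
    try { Update-MpSignature -ErrorAction Stop } catch { $problems += "Signature update failed: $_" }
    $status = Get-MpComputerStatus
}
Write-Host "[INFO] Signature version $($status.AntivirusSignatureVersion), updated $($status.AntivirusSignatureLastUpdated)"

# 3. BitLocker: the offline environment may prompt for the recovery key of each
#    protected volume, so make sure a recovery-password protector exists.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    foreach ($vol in Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On') {
        $hasRecovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if ($hasRecovery) {
            Write-Warning "$($vol.MountPoint) is BitLocker-protected; keep its recovery key at hand (manage-bde -protectors -get $($vol.MountPoint))."
        } else {
            $problems += "$($vol.MountPoint) is BitLocker-protected but has no recovery-password protector; add one before rebooting."
        }
    }
}

# 4. Decide: abort on any blocking problem, otherwise hand over to the offline scanner.
if ($problems) {
    Write-Host '[ABORT] Not starting offline scan:' -ForegroundColor Red
    $problems | ForEach-Object { Write-Host "  - $_" }
    exit 1
}
if ($DryRun) { Write-Host '[DRY-RUN] All checks passed; Start-MpWDOScan not invoked.'; exit 0 }
Write-Host '[GO] All checks passed. The machine will reboot into the offline scanner now.'
Start-MpWDOScan
```

Run it once with -DryRun from an elevated prompt to see which checks would block, then without the switch to perform the scan; the same script can be called from a Batch file via powershell -NoProfile -ExecutionPolicy Bypass -File.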
Conclusion
Running a Windows Defender Offline scan via Batch script is the ultimate recovery step in a modern security workflow. By automating the transition from the standard desktop environment to a secure, pre-boot scanning state, you can eliminate even the most resilient and hidden threats. This professional approach to deep-system cleaning ensures that your Windows infrastructure remains untainted by rootkits and boot-level malware, providing the highest possible tier of protection for your mission-critical workstation and server deployments.