7

Windows Defender has quarantined two threats on my PC recently: one is an infected executable on a network share (which was put there deliberately and which someone needs), the other is a simple "potentially unwanted app" from a bundle installer I downloaded for FileZilla.

In Defender's Protection History, when I click on "Restore" or "Remove" for one threat, I get a UAC prompt, then nothing happens when I confirm. After accepting once, I don't get other UAC prompts, but further commands don't do anything either.

The Windows Security task bar icon keeps warning me of the bundle installer, even though I can't remove it.

Why can't I act on quarantined threats, and how can I fix this?


2 Answers

9

Let's fix the issue from Command Prompt.

First, open Command Prompt as Administrator. Then run cd "%ProgramFiles%\Windows Defender". Now run MpCmdRun.exe -restore -listall and you will get a list of quarantined files. Now choose the file you want to restore and run MpCmdRun.exe -restore -name "Filename", where "Filename" is the name of the file you want to restore.

If it does not work, temporarily disable file checking by setting Windows Security > App & browser control > Check apps and files to Off, then restore the file. Afterwards, you can turn it on again.

Hope that helps

wasif
2

In Defender's Protection History, when I click on "Restore" or "Remove" for one threat, I get a UAC prompt, then nothing happens when I confirm. After accepting once, I don't get other UAC prompts, but further commands don't do anything either.

I had the same issue: it was due to the fact that the file that Windows Defender quarantined was originally in a folder that I had later renamed. This caused the restore to fail silently, since Defender didn't know where to restore the file (what a great program). There is no way to specify another folder to restore the file to in the UI: one has to use the CLI.

To fix the issue, open cmd.exe as admin and run:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -name "filename" -Path C:\temp\restoredfiles

where:

  • filename: filename of the file to be restored.
  • C:\temp\restoredfiles: folder where the file should be restored.

And if all the quarantined files were false positives, one can restore all files at once as follows:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -All -Path C:\temp\restoredfiles

The commands come from DrMoishe Pippik's great answer.

As a side note, if one tries to restore the deleted file via CLI without specifying the path (e.g., with "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -name "filename") and if the original folder was later renamed, one gets the error message:

Error code: 0x80508014 Cannot restore a file 

To open cmd.exe as admin:

[screenshot]

Franck Dernoncourt
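The restore-to-another-folder procedure from the answer above, written as a PowerShell script that also confirms the file actually came back, since the failure described is a silent one. This is an added example, not code from either answer: the parameter names are hypothetical, the default folder is the one used in the answer, and it assumes the restore folder does not already hold a file with the same name.

```powershell
# Added example. Save as a .ps1 file and run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory)] [string] $Name,                 # name as shown by -Restore -ListAll
    [string] $RestorePath = 'C:\temp\restoredfiles'        # folder used in the answer
)

$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path -LiteralPath $mpCmdRun)) {
    throw "MpCmdRun.exe not found at $mpCmdRun"
}

# Restoring from quarantine needs administrator rights; stop early instead of failing quietly.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

# Create the target folder up front so the restore does not depend on the
# original (possibly renamed) location still existing.
New-Item -ItemType Directory -Path $RestorePath -Force | Out-Null
$before = @(Get-ChildItem -LiteralPath $RestorePath -File -Recurse |
            Select-Object -ExpandProperty FullName)

# Show what is in quarantine, then restore the requested item to the explicit path.
& $mpCmdRun -Restore -ListAll
& $mpCmdRun -Restore -Name $Name -Path $RestorePath

# Do not trust the absence of an error: check that a new file really appeared.
$restored = @(Get-ChildItem -LiteralPath $RestorePath -File -Recurse |
              Where-Object { $before -notcontains $_.FullName })
if ($restored.Count -eq 0) {
    Write-Warning "Nothing new appeared in $RestorePath. Check the name against the -ListAll output."
    exit 1
}

# Print SHA-256 hashes so the restored file can be identified before it is
# handed back to whoever needs it.
$restored | Get-FileHash -Algorithm SHA256 | Format-List Path, Hash
```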