How to use Windows Defender Offline to clean nasty malware

There are times when your devices may be infected by malware that's very hard to remove with traditional antivirus software. On other occasions, the malware blocks the installation of any antivirus software and you cannot remove it manually. In such delicate situations, you need to boot an antivirus in a safe recovery environment, so that it can run before the operating system is loaded. This is the only way to disinfect that kind of malware. For such situations, Microsoft has created Windows Defender Offline - a free tool that does a very good job. Here's how to use it to clean nasty malware from all your PCs and devices, regardless of whether they use Windows 7, Windows 8.1 or Windows 10:

NOTE: If you are using Windows 10, skip the next section of this guide and scroll down to the second one.

How to use Windows Defender Offline to clean malware in Windows 8.1 or Windows 7

If you’re using Windows 8.1 or Windows 7, the first thing you’ll have to do is download the correct Windows Defender Offline version for your PC or device. Unfortunately, the download is a bit more complex than you might think.

Start by using a computer other than the one infected. Then, find out if you are using a 32-bit or 64-bit version of Windows on the infected PC or device. If you don't know which version you have, read this tutorial: How to determine what version of Windows you have installed.

Once you know what version of Windows Defender Offline you need, use the links below to download the one that's appropriate for your Windows PC or device.

Both the 32-bit and the 64-bit versions are less than 1 MB in size.
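Before running the downloaded tool, you can check it on the clean computer. The PowerShell function below is an added example, not part of the original tutorial: it confirms that the file is under 1 MB, as stated above, and that it carries a valid Authenticode signature from Microsoft. The function name Test-WdoDownload and the path in the usage comment are hypothetical.

```powershell
# Added example: sanity-check a downloaded Windows Defender Offline installer
# (mssstool32.exe or mssstool64.exe) before running it.
# Test-WdoDownload and the path in the usage comment are hypothetical names.
function Test-WdoDownload {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $problems = @()

    # The tutorial states that both installers are less than 1 MB in size.
    if ($file.Length -ge 1MB) {
        $problems += "Unexpected size: $($file.Length) bytes (expected under 1 MB)"
    }

    # Status is 'Valid' only when the signature matches the file contents
    # and the signing certificate chains to a root this computer trusts.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $problems += "Signed by an unexpected publisher: $($sig.SignerCertificate.Subject)"
    }

    # Return one object so the result can be inspected or logged.
    New-Object PSObject -Property @{
        File     = $file.FullName
        Bytes    = $file.Length
        Status   = $sig.Status
        Safe     = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (hypothetical download location):
# Test-WdoDownload -Path "$env:USERPROFILE\Downloads\mssstool64.exe"
```

If Safe is False, do not run the file; download it again from Microsoft's site.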

The next step is to burn Windows Defender Offline to a CD or DVD, copy it to a USB flash drive or save it as an ".iso" disc image that can be used on the PC or device that’s infected. Keep in mind that you should have about 300 MB of storage space available. The Windows Defender Offline wizard says that you only need 250 MB, but we have found this not to be true. We tested this tool several times and it always required at least 300 MB of space.

Run mssstool32.exe or mssstool64.exe and use the wizard to install Windows Defender Offline on the media you want to use. The wizard will start by informing you about the things you need. Read the information displayed and then click or tap Next.

Read the license terms of Windows Defender Offline and press "I accept".

Now you are asked to select where you want to install Windows Defender Offline: on a blank CD or DVD, a USB flash drive or an ".iso" file on the disk. The steps that follow are similar for all these options.

We will go ahead and select "On a USB flash drive that is not password protected". After making your selection, press Next.

Select the flash drive you want to use and press Next. If you chose one of the other options, you won't encounter this step.

You are informed that Windows Defender Offline needs to reformat this drive before the installation can continue. Make sure that you don't have any important data on it and then press Next.

Windows Defender Offline downloads all the files it needs for the installation, formats the USB flash drive and copies its files to it. This process will take a while, as it will need to download a total of 275 - 300 MB of files.

When the process has finished, you are informed about it. Press Finish and you can start using Windows Defender Offline to disinfect other computers and devices.

If you look at the contents of the disc, drive or image you created, you should see files and folders that are similar to the ones shown in the screenshot below:

It is time to use Windows Defender Offline. Plug your drive or disc into the infected computer or device and configure it to boot from it.

During the boot, a mini-Windows kernel is loaded which, in turn, loads Windows Defender Offline.

The process takes a while so be patient. When loaded, Windows Defender Offline automatically starts to scan your device. If malware is found, you can remove it at the end of the scan. Windows Defender Offline works just like the desktop version of Windows Defender. If you need a bit of guidance on how to use it, read this tutorial: How to use Windows Defender in Windows 8 & Windows 8.1.

One thing that you should keep in mind is that Windows Defender Offline uses the malware definitions that were available at the time you installed it on your disc, drive or image. If you use it a couple of days later, its definitions are dated and it might not be of too much help. That's why you should cancel its automated scan and update it before scanning the system again.

Another solution is to install it again, on another disc or drive, so that you have the latest malware definitions to work with.

How to use Windows Defender Offline to clean malware in Windows 10

If you use Windows 10, things are a lot simpler, as Windows Defender Offline is now built into the operating system. All you have to do is ask your PC or device to perform an offline scan. There’s no need to create a bootable CD or USB memory stick in order to do that.

Start by launching the Settings app. A quick way to do it is to click or tap on its shortcut from the Start Menu.

Open the Update & security settings category.

On the left side of the window, select Windows Defender.

On the right, scroll until you get to the section called Windows Defender Offline. Here, Windows 10 is pretty straightforward in telling you that “Some malicious software can be particularly difficult to remove from your PC. Windows Defender Offline can help find and remove them using up-to-date threat definitions. This will restart your PC and will take about 15 minutes.” Click or tap on the Scan Offline button.

You will get a notification that “You’re about to be signed out” and that your PC “will shut down in less than a minute”. Close the notification and wait for your PC or device to restart.

After your PC or device reboots, Windows 10 will boot in a recovery environment and it will automatically launch Windows Defender Offline.

Then, Windows Defender Offline will automatically start scanning your computer and, if malware is found, you will be asked about the action you want to take. If nothing bad is found, your PC or device will simply boot Windows 10 again.
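The same offline scan can be requested from PowerShell with the Defender cmdlets built into Windows 10. The function below is an added example, not part of the original tutorial: it refreshes the definitions first when they are dated, then asks for confirmation before restarting into the offline scan. The name Start-FreshOfflineScan and the one-day threshold are assumptions.

```powershell
# Added example: refresh Windows Defender definitions when they are stale,
# then request the same offline scan as the "Scan Offline" button.
# Run from an elevated PowerShell prompt on Windows 10.
# Start-FreshOfflineScan and $MaxAgeDays are hypothetical, not from the article.
function Start-FreshOfflineScan {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int]$MaxAgeDays = 1   # assumed threshold for "dated" definitions
    )

    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled) {
        Write-Warning 'Windows Defender antivirus is not enabled; no offline scan requested.'
        return
    }

    # Compare the age of the installed definitions with the threshold.
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($age.TotalDays -gt $MaxAgeDays) {
        Write-Host "Definitions are $([int]$age.TotalDays) day(s) old, updating..."
        try {
            Update-MpSignature -ErrorAction Stop
            $status = Get-MpComputerStatus
        }
        catch {
            # Malware may block updates; report it and let the user decide below.
            Write-Warning "Update failed: $($_.Exception.Message)"
        }
    }

    Write-Host "Definition version: $($status.AntivirusSignatureVersion)"
    Write-Host "Last updated:       $($status.AntivirusSignatureLastUpdated)"

    # Start-MpWDOScan restarts the PC into the recovery environment,
    # so confirm first and give the user a chance to save open work.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart and run a Windows Defender Offline scan')) {
        Start-MpWDOScan
    }
}

# Usage:
# Start-FreshOfflineScan -WhatIf   # show what would happen without restarting
# Start-FreshOfflineScan           # prompts, then restarts into the offline scan
```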


We used Windows Defender Offline on a couple of occasions to disinfect systems that had nasty problems with malware and it worked great each time. The tool is easy to use and familiar to most users, so you shouldn't have any issues with it. If you have used it as well, tell us more about your experience. Did it do its job well? Were you satisfied?