Windows Defender issue on server - lots of files being created

IT Resourcing 6 Reputation points
2021-04-29T04:11:27.177+00:00

We have an issue on a Windows Server 2019 Datacenter virtual machine with Windows Defender.
We are in: Settings -> Update & Security -> Windows Security -> Virus & threat protection -> Virus & threat protection settings -> Manage settings

When Real-time protection is turned on, after about 20-30 minutes it creates hundreds/thousands of files in this location:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store

Most of these files are either 1 KB or 2 KB. Over a 24-hour period we ended up with roughly 950,000 files and it was taking 30 GB of space. This does not appear to be normal. There are no threats detected and no actively running scan or updates. These files appear to be encrypted, or at least we can't open them in Notepad and see any useful data. This is only happening on one server.

Anybody got any ideas?


13 answers

  1. Haggerty, John 16 Reputation points
    2021-05-03T14:26:13.033+00:00

    Seeing this issue on our 2012R2 file servers.
    C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Store has millions of these 1-2kb files.
    We had to delete the entire Store folder and haven't seen any issues thus far.

    3 people found this answer helpful.

  2. Denis Payne 156 Reputation points
    2021-04-29T14:03:16.593+00:00

    We started having this same problem on our WS 2016 Domain Controller.

    It normally takes 20 minutes to back up this server, but last night it hit the runtime limit of 4 hours and the cause was tracked down to be over 200k new files in C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store.

    It looks to be the system process that is creating these random 1 KB to 2 KB files in said location; this is an assumption, as the owner of the files is System and in Resource Monitor > Disk I can see the System process accessing said folder location.

    Since 22:11 last night it has been creating hundreds of thousands of these files and it continues to do so after a reboot.

    Windows Defender GUI isn't running a scan, doesn't show anything in History.

    Windows Defender Operations log in Event Viewer does indicate why these random files are being created.

    What is the C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\ folder for?
    How do I determine what is constantly creating these files?

    1 person found this answer helpful.

  3. Andreas Schweizer (diverto gmbh) 16 Reputation points
    2021-05-02T11:50:47.283+00:00

    We have the same problem on different servers with 2016! Any news?

    1 person found this answer helpful.

  4. Axelius, Carl 6 Reputation points
    2021-05-03T09:15:40.517+00:00

    One of my Windows 2019 Std servers is having the same symptom.
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\ contains several million 1-2 KB files and the MsMpEng.exe process is running at 60%-90% all the time.
    Not sure if I can delete the "Store" folder or not?

    1 person found this answer helpful.

  5. Paul Molina 6 Reputation points
    2021-05-03T17:28:06.923+00:00

    We're seeing this too, it's a thing.

    1 person found this answer helpful.