Windows Defender Bug Fills Windows 10 Boot Drive With Thousands of Files (bleepingcomputer.com) 64

A Windows Defender bug creates thousands of small files that waste gigabytes of storage space on Windows 10 hard drives. BleepingComputer reports: The bug started with Windows Defender antivirus engine 1.1.18100.5 and will cause the C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store folder to be filled up with thousands of files with names that appear to be MD5 hashes. From a system seen by BleepingComputer, the created files range in size from 600 bytes to a little over 1KB. While the system we looked at only had approximately 1MB of files, other Windows 10 users report that their systems have been filled up with hundreds of thousands of files, which in one case, used up 30GB of storage space. On smaller SSD system drives (C:), this can be a considerable amount of storage space to waste on unnecessary files. According to Deskmodder, who first reported on this issue, the bug has now been fixed in the latest Windows Defender engine, version 1.1.18100.6.
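A read-only check for the condition the summary describes, as an added example (not code from the article or from Microsoft): it reports the Defender engine version against the two versions named above and totals the files in the Store folder. `Get-StoreFolderUsage` is a hypothetical helper name; the on-disk figure is an estimate that rounds each file up to the volume's allocation unit size.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only check, nothing is deleted or modified.
$store    = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Scans\History\Store'
$affected = [version]'1.1.18100.5'   # engine version the article names as buggy
$fixed    = [version]'1.1.18100.6'   # engine version the article names as fixed

# Hypothetical helper: walk the folder once, total the logical size and the
# size rounded up to whole clusters (an estimate of what the files occupy).
function Get-StoreFolderUsage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][long]$ClusterSize
    )
    [long]$count = 0; [long]$logical = 0; [long]$allocated = 0
    $dir = [System.IO.DirectoryInfo]::new($Path)
    # EnumerateFiles streams entries, so it copes with very large folders.
    foreach ($file in $dir.EnumerateFiles('*', [System.IO.SearchOption]::AllDirectories)) {
        $count++
        $logical += $file.Length
        $clusters = [long][math]::Ceiling($file.Length / [double]$ClusterSize)
        $allocated += $clusters * $ClusterSize
    }
    [pscustomobject]@{
        Files       = $count
        LogicalMB   = [math]::Round($logical / 1MB, 2)
        ClusterSize = $ClusterSize
        EstimatedMB = [math]::Round($allocated / 1MB, 2)
    }
}

$engine = [version](Get-MpComputerStatus).AMEngineVersion
$state = if ($engine -eq $affected) {
    'affected engine'
} elseif ($engine -ge $fixed) {
    'fixed engine or later'
} else {
    'older than the affected engine'
}

# Allocation unit size of the volume that holds the Store folder.
$drive = (Split-Path -Qualifier $store).TrimEnd(':')
$clusterSize = (Get-Volume -DriveLetter $drive).AllocationUnitSize

"Defender engine $engine ($state)"
if (Test-Path -LiteralPath $store) {
    Get-StoreFolderUsage -Path $store -ClusterSize $clusterSize | Format-List
} else {
    "Folder not found: $store"
}
```

The cluster-rounded figure is an upper bound, because NTFS can keep very small files inside the MFT record instead of allocating a cluster for them.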
  • Definitely fixed, I have 1 file in that folder. It's tiny and has yesterday's date.

    • Definitely fixed, I have 1 file in that folder. It's tiny and has yesterday's date.

      I have 790, all from between 7:20 and 7:32. No idea what it should look like, just providing a data point.

      • by nojayuk ( 567177 )

        I have about 100 or so hash files in that directory, all about 1kb with similar timestamps. The Defender engine version number is the buggy one, 1.1.18100.5. I'm trying right now to download and install the recommended update but it keeps failing with error code 0x80070643. It may just be that the update servers are overloaded at the moment, I'll try again later.

        At the moment my C: drive is reporting 400GB free.

    • 3mb of files here.

      It's worth noting that folder is blocked from user access by default, which could make it difficult to track down the source of the disappearing disk space if you're not running search tools as administrator.

  • by Petersko ( 564140 ) on Wednesday May 05, 2021 @09:20PM (#61353430)

    Seriously. I'd like to know.

    • by rastos1 ( 601318 )
      Someone clicked the "Submit" button at the top of the page and copy pasted an excerpt from an article he found interesting. Some other folks checked the firehose and upvoted the submission. That's it. Are you new here?
      • "Some other folks checked the firehose and upvoted the submission."

        That's the part I don't understand.

    • A Windows bug? This is Slashdot. Stories about a bug caused by Microsoft give people here an erection more powerful than swallowing all the blue pills at once. Slashdot lives for these stories, it's like a fetish.

    • by AmiMoJo ( 196126 ) on Thursday May 06, 2021 @07:42AM (#61354228) Homepage Journal

      Microsoft fired most of the QA team. They rely on slowly rolling out updates and waiting to see if lots of crash reports come back now. Same with Windows Update.

  • WTF (Score:4, Insightful)

    by Megane ( 129182 ) on Wednesday May 05, 2021 @10:11PM (#61353520)

    The filesystem is not a database. If all you are making is a bunch of small files with an MD5 hash as the filename, that is exactly what you are doing, with all the waste of minimum cluster sizes. Don't do that!

    On the other hand, if they hadn't done that, it wouldn't have been so easy to notice it going wild storing way more than it should have.

    • ...What do you mean my process is already running? It clearly is not...

    • Re:WTF (Score:4, Insightful)

      by The MAZZTer ( 911996 ) <.moc.liamg. .ta. .tzzagem.> on Wednesday May 05, 2021 @11:31PM (#61353676) Homepage

      Actually the filesystem is a type of database. It's used to store.... files.

      Anyway the files have some amount of data in them. My guess is data on file scans. They were probably not getting cleared out properly when Defender was done with them.

      • by Anonymous Coward

        I first noticed this back on 4/22.

        It creates around ten thousand files in a couple of seconds' time, every 15 or so minutes.
        The first server I saw it on was a WSUS server, where C: had a 16k block allocation size.

        Within a week's time there were over ten million files, and despite having under 1k of data, they each took up 16k on disk, and that folder grew to 120 GB in that time and ran out of space.
        That's what prompted me to check the storage history reports for the other servers, and they had the same defender p

        • by gTsiros ( 205624 )

          that's a rate of deletion in the order of one hundred/s

          sounds quite low. Even on spinning rust it should be higher. Am I missing something?

        • by tlhIngan ( 30335 )

          The first server I saw it on was a WSUS server, where C: had a 16k block allocation size.

          Within a week's time there were over ten million files, and despite having under 1k of data, they each took up 16k on disk, and that folder grew to 120 GB in that time and ran out of space.
          That's what prompted me to check the storage history reports for the other servers, and they had the same defender problem but on default 4k block size drives.

          Funny thing, BSD ufs and NTFS support sub-block allocations. A modern disk ha

      • by Munchr ( 786041 )

        Sure, but if you're generating a lot of hashes there are certainly much better ways to temporarily store those that don't involve creating thousands of tiny files and wasting a ton of slack space.

      • Looks just like a bad behaving disk defragger. Or an old 16bit virus program. I'm willing to bet some old "open source" code got loose in the update...
    • Not true.

      First, the file system is a database; it just depends on your use case if it's good for that.

      Second, there are fairly well established file systems that store small files directly in the inodes of the directory above, e.g. the (for various reasons out-of-vogue) ReiserFS. This is specifically for this kind of usage.

      I don't know NTFS internals well enough to know if it does anything similar, but the use case here is not by default a bad one. If anything, it reduces dependencies and code footprint, re

      • by cusco ( 717999 )

        Wow, that's a blast from the past, I haven't heard ReiserFS mentioned for years, it used to be a constant drum beat on /. from the anti-MS crowd.

        • I don't think anyone is using it these days. My point is: the tech was there decades ago.

          I'd be massively surprised if newer filesystems don't have anything similar.

          But memorizing filesystem features by heart is not my hobby these days, so can't tell you if a particular FS has it or not. And anyway, MS is doing its own thing - always has. So whether NTFS has it... dunno.

    • The filesystem is not a database.

      Thanks for that, I'm going to feel smart all day

  • I haven't seen a variation of that bug since I started working in help desk after the dot com bust. IIRC, the Windows XP task manager was guilty of generating numerous 1K files. If caught early, the solution was to back up the user's data and the hard drive reimage. If there was no free space left on the hard drive, user had to kiss their iTunes library bye-bye and the hard drive reimage. That's not much of a problem today since data is stored in the cloud and not locally. Hard drive reimage is easy as pie.
    • Maybe I'm missing something, but hasn't it always been possible to boot into a system rescue CD or Knoppix or something like that, and at least transfer the important files before reimaging? (Note: Knoppix predates Windows XP, and I remember there being bootable OSs before then although my recollection 20+ years later is a little rusty.)
  • Otherwise they are just morons at MS.

    In either case, do you still trust them?

  • Skype for Linux has been filling my home directory with log files for years and nobody at MS seems to have even noticed. It is safe to assume that it is the MS way, and set up a cron job to delete them regularly
  • That's OK Microsoft isn't liable for anything it does to your computer. You agreed to that by being born
  • by misnohmer ( 1636461 ) on Thursday May 06, 2021 @06:52AM (#61354160)

    My family backup server recently ran up against the capacity of backups, causing me to spend $1000 to upgrade backup storage. Then, out of nowhere, in a span of about a week the backup utilization dropped on average about 142GB per Windows machine, which would have kept backup drives from having to be upsized. This could be the explanation - all the PCs updated (as per Group Policy). I probably could have run for a couple more years before having to upgrade, but what's done is done. I was too lazy to look into what was causing the backups to increase, since they increased over time, so I assumed with all the work/school from home data usage was just growing.

    PS> Yes, I backup (almost) the entire PC's (not 100% of each drive, but enough to create a system restore using windows backup). This allows me to restore any of them in case they are lost, stolen, or the HDD just dies, without having to nag each family member to save their files into a designated folder or else they will not be backed up. Only ever performed this restore in one live scenario, but it sure was convenient not to worry about ANY lost content.

  • by Foundryman ( 306698 ) on Thursday May 06, 2021 @07:32AM (#61354204)

    Since last week I've noticed 3 of my windows server 2019 VMs started showing high cpu. When checking it was splitting the cpu between msmpeng.exe (windows defender) and my sophos AV. This week I also noted low free disk space on all 3 servers as well.
    Checking on c:\programdata\microsoft\windows defender\scans\history\store I found there were 1,043,201 files using just over 1gb. The other two servers I'm still waiting on the folder examination to complete.

  • How many people do NOT have an anti-virus package installed? If you do then Defender is de-activated and this won't happen. I looked and I had a total of 7.42 MB of files.
  • Five files, 16Kb, only 1 or 2 per year. Not an issue. But then this system isn't a server.

  • Mine shows 0k.
    Then again, WD updated yesterday.
