    [LaunchApp]
    AppPath = "%ProgramFiles%\Microsoft Security Client\OfflineScannerShell.exe"

In my case that's X:\Program Files\Microsoft Security Client\OfflineScannerShell.exe once WinPE has booted.
Now how about adding Windows Defender Offline to a customised WinPE? Let's say a very small MistyPE build.
So here's what I did - it's a bit rough, and it's not automated, but it seems to be working fine and will point you in the right direction if you are interested.
1. Downloaded Windows Defender Offline - there are various posts containing direct download links - I simply ran mssstool32.exe and selected the "As an ISO file on a disk (Advanced)." option to create an ISO file - in my case D:\WDO_Media32.iso.
2. Mounted D:\WDO_Media32.iso as drive F:\ (using imdisk).
3. Copied F:\FilesList32.dll and F:\mpam-fe.exe (the virus definition file) to the root of my existing MistyPE bootable USB drive (drive E:\).
4. Opened F:\sources\boot.wim in 7-zip and extracted the \Program Files\Microsoft Security Client\ directory to the root of drive E:\ (my USB drive).
5. Booted my MistyPE USB drive - the relevant .wim file was mounted as drive X: and the USB drive (containing \FilesList32.dll and \mpam-fe.exe extracted/copied in step 3 above) was mounted as drive D:.
6. Copied the D:\Microsoft Security Client\ directory (extracted in step 4 above) to X:\Program Files\.
7. Ran X:\Program Files\Microsoft Security Client\OfflineScannerShell.exe.
- OfflineScannerShell.exe wouldn't work from any path other than X:\Program Files\Microsoft Security Client\OfflineScannerShell.exe - when attempting to run it from another location it failed to start.
- No packages were required - it worked in a minimal WinPE build.
- Tested the above in 32-bit versions of WinPE 3.1 and WinPE 5.0 - it appeared to work fine in both.
- A 32-bit version of Windows Defender Offline is required for scanning a 32-bit version of Windows. A 64-bit version of Windows Defender Offline is required for scanning a 64-bit version of Windows. Why? Well done Microsoft for imposing such a seemingly stupid limitation.
- Some blogs suggest adding \FilesList32.dll and \mpam-fe.exe to boot.wim. This in my opinion just makes it more difficult to update the definitions file - it's located fine at the root of the USB drive or CD/DVD. Why rebuild boot.wim just to update the virus definitions? Exception might be when PXE booting.
- The above steps can be adapted/applied to 64-bit versions of WinPE. The only difference is the names of the files extracted in step 3 above - \FilesList64.dll and \mpam-fex64.exe are required in 64-bit builds.
- \Microsoft Security Client\ can be added to an offline boot.wim so it's available when booted - just remember to add it to \Program Files\Microsoft Security Client\
- It's possible to automate most (probably all) of the above steps during the build process - this was just a rough test.
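
The boot-time part of the steps above (find the media, copy the directory to X:\Program Files, launch the scanner) as a batch script. This is an added example, not the author's script; it assumes xcopy.exe is present in the WinPE build and that the media is laid out as in the steps, with \Microsoft Security Client\ and the FilesList/definition files at the root of the drive.

```batch
@echo off
rem Added example (not the author's script): stage Windows Defender Offline
rem from the boot media into %ProgramFiles% and launch it from there.
rem Assumes the media layout described in the steps above.
setlocal
set "DEST=%ProgramFiles%\Microsoft Security Client"

rem File names differ between 32-bit and 64-bit WinPE builds.
if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" (
    set "FILESLIST=FilesList64.dll"
    set "DEFS=mpam-fex64.exe"
) else (
    set "FILESLIST=FilesList32.dll"
    set "DEFS=mpam-fe.exe"
)

rem Find the drive holding the extracted directory (X: is the WinPE RAM disk, so skip it).
set "SRC="
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if not defined SRC if exist "%%D:\Microsoft Security Client\OfflineScannerShell.exe" set "SRC=%%D:"
)
if not defined SRC (
    echo Could not find \Microsoft Security Client\ on any drive.
    exit /b 1
)

rem The definitions stay at the root of the media so they can be updated
rem without rebuilding boot.wim; warn if either file is missing.
if not exist "%SRC%\%FILESLIST%" echo WARNING: %SRC%\%FILESLIST% not found.
if not exist "%SRC%\%DEFS%" echo WARNING: %SRC%\%DEFS% not found.

rem OfflineScannerShell.exe only starts from this exact path, so copy it there.
if not exist "%DEST%\OfflineScannerShell.exe" (
    xcopy "%SRC%\Microsoft Security Client" "%DEST%" /E /I /H /Y >nul
    if errorlevel 1 (
        echo Copy to "%DEST%" failed.
        exit /b 1
    )
)

start "" "%DEST%\OfflineScannerShell.exe"
```

If the directory has already been added to boot.wim offline, the copy is skipped and the script only checks the media files and launches the scanner.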