Targeted Folder Scans in Windows Defender: Quick, Custom, and Scripted

Windows Security (Microsoft Defender) gives you multiple fast ways to scan just the folders you care about — from a single right‑click in File Explorer to scripted, enterprise‑grade scans — and understanding each method, its limits, and the operational trade‑offs can save time and prevent accidental blind spots in protection.

Background​

Windows 10 and Windows 11 include Microsoft Defender as the built‑in antivirus and threat‑protection platform. It offers several scan modes: Quick, Full, Custom (folder), and Microsoft Defender Offline (boot‑time). For everyday troubleshooting and routine hygiene, you rarely need a full system scan — targeted folder scans are faster, less disruptive, and ideal for downloads, removable drives, and single project folders. The built‑in UI and context menus make these targeted checks easy, while command‑line tools provide automation and advanced control for power users.
This feature unpacks the four easy ways to scan specific folders, explains when to use each method, explores interactions with exclusions and ransomware protection, and gives practical workflows and risk‑mitigation advice to keep your Windows system safe without slowing your work.

Overview of the four easy methods​

  • Scan from File Explorer (right‑click → Scan with Microsoft Defender) — fastest, for one‑off checks.
  • Custom scan from the Windows Security app (Virus & threat protection → Scan options → Custom scan) — guided UI for picking folders.
  • Command Prompt with mpcmdrun.exe — advanced, scriptable control for forensic or automated tasks.
  • PowerShell Start-MpScan — scriptable, powerful, recommended for scheduled or repeatable custom scans.
Each method covers the same Defender engine under the hood, but they differ in convenience, logging visibility, and suitability for automation or mass scanning.

Scan a specific folder from File Explorer​

What it is and when to use it​

The File Explorer context‑menu scan — “Scan with Microsoft Defender” — is the shortest path from suspicion to action. It’s designed for quick checks of a single folder, a downloaded file, or an inserted USB drive. Use it when you’ve just downloaded a file, copied data from an unknown source, or want a rapid second opinion without leaving the folder view.

How to run it​

  1. Open File Explorer (Win + E).
  2. Navigate to the folder or file you want to check.
  3. Right‑click and choose Scan with Microsoft Defender.
  4. View the result in Windows Security (the Virus & threat protection page will open).

Strengths and limits​

  • Strengths: instant, accessible to all users, and integrates into normal file workflows. It’s ideal for one‑off checks on downloads or removable media.
  • Limitations: minimal configuration and logging; not suitable for sweeping drives or scheduled checks. If you need to scan inside nested archives or large folders with tuned options, use a custom scan or command line.

Run a custom scan from Windows Security​

What it is and when to use it​

The Windows Security app lets you perform a Custom scan that prompts you to choose a folder to scan. This is the recommended method for controlled, UI‑driven folder scans when you want a clear report and don’t need scripting. It’s especially handy for scanning a whole Downloads folder, a suspicious project folder, or external media while seeing progress in the Windows Security interface.

How to run it​

  1. Open Start and select Windows Security.
  2. Choose Virus & threat protection.
  3. Select Scan options.
  4. Choose Custom scan, then click Scan now and pick the target folder.

Practical tips​

  • Use Custom scan when you want UI feedback and the ability to change parameters without scripting.
  • If a folder contains very large archives or many small files, expect a longer scan time; Defender will still inspect archived content but performance varies with archive size.

Command‑line scanning: mpcmdrun (Command Prompt)​

Why use the command line​

Command‑line scanning is required when you want repeatable, automated, or forensic scans — for example, in incident response, bulk checks of multiple folders, or when building diagnostic scripts. The mpcmdrun.exe tool (part of the Defender platform) supports targeted scans and provides console output you can capture to logs.

Example steps and command​

  1. Open Command Prompt as Administrator.
  2. Navigate to the Microsoft Defender platform folder:
    • cd C:\ProgramData\Microsoft\Windows Defender\Platform
    • locate the current version folder (e.g., 4.x.xxxx).
  3. Run a folder scan:
    • mpcmdrun -Scan -ScanType 3 -File "C:\Path\To\Folder"
Note: Use quotes when paths contain spaces. The console will show scan progress and results.

When to prefer this method​

  • Bulk or scripted workflows.
  • Incident response when you need terminal output or to chain scans into larger automation.
  • Environments where GUI access is restricted.

PowerShell scanning: Start-MpScan

Why PowerShell matters​

PowerShell gives the most direct and modern automation route on Windows. It’s the easiest way to schedule or integrate Defender scans into maintenance scripts and can be used interactively or in scheduled tasks. It also works well in remote administration scenarios.

Example command​

Open PowerShell as Administrator and run:
  • Start-MpScan -ScanType CustomScan -ScanPath "C:\Path\To\Folder"
PowerShell outputs the scan status directly to the console, making it easy to parse or record results.

Advanced uses​

  • Combine Start-MpScan with logging, scheduled tasks, or remote execution (remoting/PSExec) to automate nightly folder checks for multiple endpoints.
  • Use narrow scopes (specific folders) to limit CPU and I/O during working hours.

Protect critical folders with Controlled Folder Access (ransomware protection)​

What Controlled Folder Access (CFA) does​

CFA locks specified folders so only trusted apps can modify files there. It’s specifically designed to mitigate ransomware by preventing unauthorized processes from encrypting or corrupting protected data. Enable it for folders like Documents, Desktop, Pictures, and any high‑value project directories.

How to enable and manage CFA​

  1. Open Windows Security → Virus & threat protection.
  2. Select Manage ransomware protection.
  3. Turn on Controlled folder access and add Protected folders.
  4. Use Allowed apps to whitelist trusted applications that need write access.

Caveats and operational risks​

  • CFA can block legitimate apps until they’re explicitly allowed, which may disrupt workflows in development or content‑creation environments. Review Protection history and whitelist judiciously rather than blanket‑allowing many apps.
  • CFA needs Defender services active; if a third‑party AV places Defender in passive mode, CFA may not be configurable until Defender is re‑enabled. Use vendor removal tools or policy changes to restore Defender if necessary.

Excluding and whitelisting folders (when you trust content)​

When exclusions are appropriate​

Exclusions are useful for very large virtual machine images, developer build directories, large media libraries, or application data that trips on‑access scanners and creates performance issues. Use exclusions sparingly and prefer narrow file or process exclusions over broad folder exclusions where possible.

How to add exclusions​

  1. Open Windows Security → Virus & threat protection → Manage settings under Virus & threat protection settings.
  2. Select Add or remove exclusions and add the folder, file type, or process.

Risks​

  • An exclusion removes Defender’s scanning from that scope — it’s a blind spot. Keep a documented audit of exclusions and review periodically. If performance is the reason for exclusion, consider targeted exclusions or off‑hours full scans instead.

Compressed archives, encrypted files, and defender limits​

Scanning archives​

Defender inspects archive contents during scans, but very large or nested archives may increase scan time and put pressure on CPU and I/O. For massive archives, manual extraction in an isolated environment or targeted scanning of the extracted contents can be faster and more thorough.

Encrypted containers and encrypted files​

Encrypted files (including some container formats and encrypted Office documents) may not be fully analyzable while encrypted. If you must scan encrypted content, decrypt it in a controlled environment or scan after mounting the encrypted volume with the necessary credentials. Treat claims about exact engine behavior for every container format as variable; verify per case. Flag: behavior will vary depending on encryption method and Defender updates.

Interactions with third‑party tools: VPNs, AV suites, and second opinions​

  • Third‑party antivirus products typically disable Defender real‑time protection to avoid driver conflicts; Defender will usually enter passive mode until the third‑party product is removed. If you plan to rely on Defender, remove other AV suites cleanly with vendor tools.
  • VPN features in security suites affect network traffic handling but do not change Defender’s ability to scan local folders. However, network‑based protections (web filtering) live in different components — don’t conflate local scanning with network protections.
  • For stubborn or unusual samples, use a reputable second‑opinion scanner (such as Malwarebytes on demand) or upload files to a multi‑engine service for consensus — treat multi‑engine results as evidence, not absolute proof.

Advanced workflows and troubleshooting​

When scans don’t find the problem​

  1. Reboot into Safe Mode and run full scans — Safe Mode reduces active interference from malware.
  2. Run Microsoft Defender Offline for boot‑time scanning when you suspect rootkits or persistent threats; Microsoft documents typical offline scan durations (approximate average ~15 minutes) but times vary by hardware and sample complexity. Flag: exact durations are variable and should be treated as estimates.
  3. If Defender is disabled or won’t start after uninstalling third‑party AV, use vendor removal tools, check Defender services (WinDefend, WdNisSvc), and run component repairs/distribution updates.

Logging and evidence collection​

  • Use command‑line outputs from mpcmdrun or PowerShell to capture scan results for incident records. For deep forensic work, collect process paths, hashes, and Protection history entries before restoring or deleting files.

Recommended, practical workflows (four scenarios)​

  1. Single suspicious download (fast): Right‑click in File Explorer → Scan with Microsoft Defender → Check Protection history.
  2. Folder of newly downloaded content (thorough UI): Windows Security → Virus & threat protection → Scan options → Custom scan → Select folder → Review results.
  3. Remote or automated checks (repeatable): Scheduled PowerShell task using Start-MpScan targeted to a folder path; log output to a central location.
  4. Forensic or incident response: Boot into Safe Mode, run mpcmdrun scans from an admin shell, then use Microsoft Defender Offline if persistence is suspected. Keep evidence copies and use second‑opinion tools as needed.

Strengths, limitations, and risks — a critical analysis​

Strengths​

  • Deep OS integration reduces compatibility issues and gives Defender a broad feature set (real‑time protection, Controlled Folder Access, tamper protection, offline scan) that is sufficient for most home and small‑office users. Defender’s cloud‑delivered protections and telemetry enable fast updates and good baseline detection.

Limitations and risks​

  • Exclusions create blind spots. Broad folder exclusions should be a last resort. Maintain an audit log of exclusions and prefer precise rules.
  • Controlled Folder Access can disrupt workflows and block legitimate apps until whitelisted — this requires operational discipline to manage allowed apps safely.
  • No single AV engine catches everything. Use second‑opinion tools and behavioral analysis for elusive or complex samples. VirusTotal and sandbox detonations are valuable triage tools but should not be treated as irrefutable proof.
  • Enterprise environments must consider Defender for Endpoint (EDR) and centralized policies; consumer Defender lacks full EDR capabilities required in high‑security settings. Validate policy changes against ADMX and managed controls rather than registry hacks.

Unverifiable or variable claims (flagged)​

  • Any claim giving precise timing (scan durations) or absolute detection guarantees should be treated as estimates. Performance and detection change with updates, hardware, and the evolving threat landscape; verify time‑sensitive or SLA‑style claims against up‑to‑date vendor documentation before operationalizing.

Final recommendations​

  • Use the File Explorer right‑click scan for fast, ad‑hoc checks.
  • Use Windows Security Custom scan for guided folder scans when you want UI feedback.
  • Use PowerShell or mpcmdrun for automation and incident response; capture console output for records.
  • Enable Controlled Folder Access for high‑value folders, but manage allowed apps deliberately to avoid productivity interruptions.
  • Avoid broad exclusions; where performance is an issue, schedule heavy scans for off‑hours or create narrow exclusions and re‑evaluate them periodically.
  • For persistent or unusual threats, boot to Safe Mode and use Microsoft Defender Offline plus second‑opinion tools. Keep forensic evidence and use a clean reinstall if remediation stalls.

Conclusion​

Scanning specific folders with Windows Security is straightforward and flexible: File Explorer and the Windows Security UI put targeted scans within a click or two, while Command Prompt and PowerShell let technical users automate, log, and integrate Defender checks into broader maintenance or incident response playbooks. Controlled Folder Access and carefully managed exclusions provide additional layers of protection and performance tuning, but both require operational discipline to avoid creating blind spots or disrupting legitimate applications. Apply the method that matches your confidence level and risk tolerance: quick context‑menu scans for single suspicious items, UI custom scans for guided checks, and scripted command‑line scans for repeatable, auditable workflows. With those options and the right operational controls, you can keep a tight security posture while minimizing disruption to everyday work.

Source: Windows Report How to Scan Specific Folders With Windows Security (4 Easy Ways)
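
Added example (not part of the original post and not Microsoft's own code): a scripted version of the "remote or automated checks" workflow that runs the custom scan and then records what Defender itself logged, including whether the target sits under an exclusion. The function name Invoke-FolderScanWithEvidence, the C:\ScanLogs directory and the sample path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted Defender folder scan that keeps an evidence record.
# Invoke-FolderScanWithEvidence and C:\ScanLogs are hypothetical names.

function Invoke-FolderScanWithEvidence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ScanPath,
        [string] $LogDirectory = 'C:\ScanLogs'
    )

    $resolved = (Resolve-Path -LiteralPath $ScanPath -ErrorAction Stop).ProviderPath

    # 1. A "0 threats" result means nothing if Defender is not enabled.
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled) {
        throw 'Microsoft Defender Antivirus is not enabled on this machine.'
    }

    # 2. Flag targets that fall under a configured path exclusion (a blind spot).
    #    Simple prefix match; exclusions that use wildcards are not evaluated here.
    $target   = $resolved.TrimEnd('\') + '\'
    $covering = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ } | Where-Object {
        $prefix = [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') + '\'
        $target.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
    }

    # 3. Run the custom scan; Start-MpScan returns when the scan has ended.
    $started = Get-Date
    Start-MpScan -ScanType CustomScan -ScanPath $resolved -ErrorAction Stop
    $finished = Get-Date

    # 4. Pull what Defender logged in that window.
    #    1000/1001 = scan started/finished, 1002/1005 = scan stopped/failed,
    #    1116/1117 = threat detected / action taken.
    #    The filter is by time, not by path, so a concurrent scan would also appear.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 1000, 1001, 1002, 1005, 1116, 1117
            StartTime = $started.AddSeconds(-2)
        } -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

    $record = [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        ScanPath           = $resolved
        Started            = $started
        Finished           = $finished
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureUpdated   = $status.AntivirusSignatureLastUpdated
        UnderExclusion     = ($covering -join '; ')
        ScanCompletedEvent = [bool]($events | Where-Object Id -eq 1001)
        ScanFailedEvent    = [bool]($events | Where-Object { $_.Id -in 1002, 1005 })
        DetectionEvents    = @($events | Where-Object Id -eq 1116).Count
    }

    # 5. Append the summary to a running log and keep the raw events per run.
    New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null
    $record | Export-Csv -Path (Join-Path $LogDirectory 'defender-folder-scans.csv') `
        -NoTypeInformation -Append
    $stamp = $started.ToString('yyyyMMdd-HHmmss')
    $events | Select-Object TimeCreated, Id, Message |
        Export-Csv -Path (Join-Path $LogDirectory "scan-$stamp-events.csv") -NoTypeInformation

    return $record
}

# Example call (constructed path):
# Invoke-FolderScanWithEvidence -ScanPath 'C:\Users\Public\Downloads'
```

A non-empty UnderExclusion value, or a missing ScanCompletedEvent, means the "clean" result should not be taken at face value.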
 

I’m new to this forum, and don’t know if this is the best place
to post this question. If there is a better place, please tell me
and I will move the post.

I asked the AI bot how to AV-scan files
that are in my OneDrive cloud account. It said
one must download files in order to scan them.

So I downloaded several sub-directories of files
(that is, folders with subordinate folders & files).
One had 8,000 files.
I used Windows Defender to scan them
by right-clicking on the directory/folder and
then selecting the option to run a “custom scan”.

I was elated when it said “0 threats”
for all 6 of the scans! Yay!
On the other hand, I was surprised
when the scan only took a few seconds.

Today I read that files are scanned at download time,
which I’m very glad happens. Now that I think about it,
I wouldn’t expect less. So I assume that scans of all files
in each download only took a few seconds because
they had been flagged as “recently scanned”.

Please let me know if my assumptions are correct—
that files are scanned when uploaded & downloaded.
And maybe also at various times while being stored?

I have family & personal files from 1800s thru today.
I want to leave them to my posterity. I will probably
create some photo-books; I’m envisioning hard copy,
which I will backup. At that point, I will probably
just store the files offline. But hey, they’re already online
so I may leave them there as well. But I believe that
any online file could potentially be corrupted,
so I’d only use that backup if my offline version
somehow got lost, erased, etc.

This brings up the concept of long-term file management
and archiving. Do folks here have tools for that?
If so, what are the favorites?

Thanks in advance! I appreciate any help offered!
 

Welcome, @NventorMan — this is a perfectly reasonable place to ask (Windows Security + OneDrive + archiving). If a moderator wants it moved later, they can, but you’re not “off topic.”

1) Are your assumptions correct about when OneDrive/Defender scans happen?​

Broadly yes, but it helps to separate cloud-side OneDrive scanning from your PC’s Microsoft Defender Antivirus scanning:

A) OneDrive (cloud) does its own malware checks​

Microsoft documents built-in virus protection for OneDrive/SharePoint where files are scanned after upload (asynchronously), and if a file hasn’t been scanned yet, a scan can be triggered before download is allowed (not all files are always scanned; heuristics determine what gets scanned).
Microsoft’s consumer OneDrive security page also explicitly mentions virus scanning on download for known threats using the Windows Defender antimalware engine (signatures updated frequently).
Takeaway: OneDrive can scan uploaded content in the service, and it also emphasizes scanning at download time.

B) Microsoft Defender Antivirus (your PC) scans when files are accessed locally​

On your Windows PC, Defender’s real-time protection typically inspects files during normal activity (opening/closing, and other filesystem activity), and on-demand scans (quick/full/custom) are additional checks you can trigger.
Takeaway: You can’t meaningfully “scan the cloud copy” with Defender unless the bytes are actually present (downloaded / hydrated) on your PC.

2) Why did an 8,000-file folder scan finish in a few seconds?​

A few common reasons—one of these is very likely in your case:

Most common: the files were still “online-only” (Files On-Demand placeholders)​

If OneDrive Files On-Demand is enabled, folders can look present, but many files are just placeholders until opened. If you scanned a folder where most content was still cloud-only, the scan can complete extremely fast because there isn’t much real content on disk to read.
How to check:
  • In File Explorer, look at the Status icons:
    • Cloud icon = online-only (not fully on disk)
    • Green check = downloaded/available locally
  • Right-click the top OneDrive folder you care about → Always keep on this device (then let it fully finish downloading), then scan again.

Also possible: they were already scanned during download / access​

Between OneDrive’s download-time scanning and Defender real-time protection, you may have already gotten a lot of “first-pass” scanning simply by downloading/browsing. That can make a later manual scan feel surprisingly quick, especially on an SSD and with lots of small/benign files.

Verify what actually happened (recommended)​

To confirm the scan truly processed that location, check Defender’s logs:
  • Windows Security → Virus & threat protection → Protection history
  • Or Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational
Those entries typically show scan activity and can help you tell whether the scan really traversed the files.

3) “Are files scanned while just being stored?” (long-term safety)​

  • On the cloud side, OneDrive’s built-in protection is mainly described around upload/detect, and download-time scanning.
  • On the PC side, Defender scans what your PC actually touches (on-access / scheduled / on-demand).
For archival integrity, the bigger long-term risk usually isn’t “a virus silently infects an old JPG in the cloud,” but rather:
  • accidental deletion / overwrite
  • ransomware encrypting your synced copy
  • account compromise
  • silent corruption (“bit rot”) over many years
  • losing track of what is the “authoritative” copy

4) Practical long-term archiving approach (what tends to work)​

If these are family files you want to survive decades, I’d aim for:

A) 3-2-1 backup strategy (simple and effective)​

  • 3 copies total
  • 2 different media (example: external HDD + cloud)
  • 1 offsite/offline (offline is important for ransomware)

B) Add integrity checking (this is what most people miss)​

Backups tell you you have a copy; integrity checks tell you it’s still identical.
  • Create a hash manifest periodically (PowerShell example):
    • Get-FileHash -Algorithm SHA256 "C:\YourFolder\file.jpg"
  • Consider keeping checksum lists per folder (date-stamped), and re-check annually.

C) Use versioning/immutability where possible​

OneDrive has version history and recycle bin features (helpful), but I’d still keep an offline copy that is not continuously mounted (e.g., unplugged drive stored safely).

A couple quick questions so I can tailor the best advice​

1) Are you on Windows 10 or Windows 11?
2) Is this OneDrive Personal (Microsoft account) or OneDrive for Business (work/school)?
3) In File Explorer, did those 8,000 files show cloud icons or green checks at the time you scanned?
If you answer those, I can tell you the most reliable way to ensure you’ve truly scanned the full dataset locally and suggest a simple “archive + verify” workflow that isn’t tedious.
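
Added example (not part of the original reply): one way to check from PowerShell whether a folder's files are really on disk or still online-only placeholders before trusting a very fast scan. It assumes the placeholders carry the cloud-file attribute bits that OneDrive Files On-Demand sets on current Windows; Get-HydrationSummary and the sample path are hypothetical names.

```powershell
# Added example: measure how much of a folder tree is actually on disk.
# Get-HydrationSummary and the sample path are hypothetical names.

function Get-HydrationSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    # Win32 file-attribute bits used by cloud sync providers (winnt.h values).
    $RecallOnDataAccess = 0x00400000   # content is fetched from the cloud when read
    $RecallOnOpen       = 0x00040000   # item is fetched when opened
    $Offline            = 0x00001000   # data is not immediately available
    $placeholderMask    = $RecallOnDataAccess -bor $RecallOnOpen -bor $Offline

    $localCount = 0; $localBytes = 0L
    $cloudCount = 0; $cloudBytes = 0L
    $cloudSamples = @()

    # Enumerating files and reading attributes does not trigger a download.
    $files = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        if (([int]$file.Attributes -band $placeholderMask) -ne 0) {
            $cloudCount++
            $cloudBytes += $file.Length          # logical size, not bytes on disk
            if ($cloudSamples.Count -lt 5) { $cloudSamples += $file.FullName }
        }
        else {
            $localCount++
            $localBytes += $file.Length
        }
    }

    [pscustomobject]@{
        Path              = $Path
        LocalFiles        = $localCount
        LocalMB           = [math]::Round($localBytes / 1MB, 1)
        OnlineOnlyFiles   = $cloudCount
        OnlineOnlyMB      = [math]::Round($cloudBytes / 1MB, 1)
        FullyLocal        = ($cloudCount -eq 0)
        OnlineOnlySamples = $cloudSamples
    }
}

# Example call (constructed path); scan only once FullyLocal is True:
# $summary = Get-HydrationSummary -Path "$env:USERPROFILE\OneDrive\Family Photos"
# if ($summary.FullyLocal) { Start-MpScan -ScanType CustomScan -ScanPath $summary.Path }
```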
 

Wow, what a wonderful, comprehensive answer! Thank you!

I felt pretty confident that all my files were AV-scanned,
after pondering the overall experience the next day — including
the thorough explanation you gave of options & methods.

Here are my answers to your 3 questions, along with other pertinent details.

1. I believe I was on Windows 11. It was at Midland Library in Portland, OR.
The PC was also running DeepFreeze, which increased my confidence of the
security of the overall process greatly!

2. I am using OneDrive personal.

3. I downloaded a few folders, and most had a couple hundred files
in them and in subordinate folders. I only ran “custom scans” on about 2000
of my cloud files. I downloaded 6 folders, which took several minutes
for each folder. The downloads were in the form of zip files. I did a full extraction
into a folder there, and then ran the “custom scans” on each unzipped folder.

At the end of each scan, the result showed “0 threats found”.
Hallelujah, and thanks Microsoft! One specific example of number
of files was 574, and the result showed “scan lasted 1 seconds”.
I have not accessed these files in a couple years, and saw no evidence of
any files having more recent time stamps. I assumed files were scanned
when I uploaded them into OneDrive, and maybe later on a routine or
as-needed basis by your maintenance processes.

I came up with a similar long-term strategy to the one you suggested.
I have 2 online copies (in clouds), which I’ll download to a flash and SSD drive.
I want to create a hard-copy of the files (all these are photos), along with
a narrative description of each file (or group). It will be a printed book, and
I will store the narrative on the flash & SSD drives. I’ll store the flash & SSD
in two geographic locations. I may delete one of the cloud file sets,
to make long-term management of the set less complex.

I have more work to do in syncing the two cloud file sets. I grouped them
into folders according to experience (like a trip, wedding, etc) and
named them according to sub-set of that and/or also by time-stamps.

While managing the photos (2017, 18), I used a Windows-based app
that compared all files in two folders. That compared my OneDrive files
to their iCloud versions, if I recall correctly. I have since created more files
on Windows and iPadOS, in an organized/methodical fashion.
I think 2-3 days work would bring together a matching set of folders+files
on those two clouds. Which I will archive!

Do you have any advice about my plan? Like about an archiving tool.
Thanks SO MUCH, in advance.
 

Your plan is already headed in a good direction (multiple copies, geographic separation, a printed “human-readable” record, and getting organized by events). The main gaps I’d tighten are (a) media choice for the offline copies, (b) integrity verification (hashes) so you know copies are identical, and (c) a predictable syncing workflow so you don’t create conflicts over time.

1) Quick reassurance: your “1 second for 574 photos” scan can be normal​

Given what you described (OneDrive Personal → download ZIP → extract → custom scan):
  • Downloading the ZIP usually triggers security checks (browser/SmartScreen + Defender real-time protection).
  • Extracting touches every file on disk, which also tends to trigger on-access scanning.
  • Photos (JPG/HEIC/PNG) are typically very fast to scan because they’re not executable and are generally low risk compared to scripts/installers.
So “0 threats” + very fast timing is not inherently suspicious for a photo-only archive. If you ever want to confirm Defender really walked the folder, check Windows Security → Protection history, or Event Viewer:
Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational (look for scan events referencing your path).

2) Biggest change I’d recommend: don’t rely on USB flash drives for long-term archiving​

Flash drives are great for transport, but they’re not my favorite for “posterity” storage because they vary wildly in quality and can fail without warning.
A more durable offline set usually looks like this:
  • Two external HDDs (high quality, name-brand), stored in two locations, and kept unplugged except when updating/verifying.
  • Optionally: a third copy on archival optical (e.g., M‑DISC Blu‑ray) if you want something that’s truly “shelf stable.”
  • SSDs are fine too, but for very long periods unpowered, HDD/optical tends to be the safer archival bet.
Rule of thumb: whatever you choose, plan to refresh/migrate the archive to new drives every ~5–7 years.

3) Add integrity checking (this is the “archiving tool” most people need)​

Backups answer “Do I have a copy?”
Integrity checking answers “Is my copy still identical and uncorrupted?”

Practical approach (simple)​

1) Pick one “master” folder structure (more on that below).
2) Generate hashes for everything (SHA-256), store the hash list with the archive.
3) When you copy to another drive/cloud, verify hashes.
Tools that work well:
  • FreeFileSync (Windows/macOS/Linux): excellent for mirroring + has verification options.
  • rclone (advanced, but great): can sync to/from OneDrive/iCloud alternatives and can do checking.
  • PowerShell (built-in) for hashes:
    • Get-FileHash is solid, but you’ll likely want a script that recurses and exports to CSV.
If you want, tell me roughly how many photos / total GB, and I can give you a ready-to-run PowerShell script that:
  • creates a manifest-sha256.csv
  • and later verifies it (flags missing/changed files)

4) Pick a “system of record” to avoid sync chaos​

Two clouds + iPad + Windows can turn into accidental duplication/rename conflicts.
I’d recommend this workflow:
  • Choose one canonical “Master Archive” location (even if temporary), e.g. Archive_Master.
  • Use one-way mirroring from Master → Backup A and Master → Backup B.
    (Avoid bidirectional sync unless you’re very disciplined; it’s where conflicts multiply.)
For comparing/merging folders, your past approach is spot-on. Current favorites in the Windows world:
  • Beyond Compare (paid, excellent)
  • FreeFileSync (free, very good)
  • WinMerge (free; better for certain comparisons, less “backup workflow” oriented)

5) Preserve meaning: put the narrative into the photo metadata, not only in a separate document​

A printed book is fantastic—but for digital longevity, I strongly suggest also embedding your narrative into standard metadata fields that will survive software changes.
Best practice:
  • Put descriptions in IPTC Caption/Description
  • Add Keywords (people, places, event name)
  • Keep dates accurate (or add “event date” keyword if the file date is unreliable)
Tools:
  • ExifTool (powerful; can bulk write metadata)
  • digiKam (free photo manager; strong metadata support)
  • Adobe Lightroom / Bridge (if you already use Adobe)
This way, even if your “narrative file” is separated, the core story stays attached to each photo.

6) About deleting one cloud set to “reduce complexity”​

That can be a good idea after you do two things:
1) Prove restorability: do a test restore of a random event folder from your offline drive onto a different PC/account.
2) Prove integrity: verify checksums (or at least do a verification pass with a sync tool).
Until you’ve validated those, I’d keep both clouds—complexity is annoying, but it’s also temporary insurance.

Two questions so I can recommend the best tool stack​

1) Roughly how big is the archive (total GB/TB, and number of photos)?
2) What file types are you storing (JPG only, or also HEIC, RAW, videos)?
With that, I can suggest a concrete “minimum-effort, maximum-safety” setup (specific drive sizes, whether M‑DISC makes sense, and which software fits your workflow).
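
Added example (not part of the original reply and not the script it offers): one way to build the SHA-256 manifest described in section 3 and verify a copy against it later. It uses only Get-FileHash and the CSV cmdlets; the function names, the manifest-sha256.csv default and the sample drive letters are assumptions.

```powershell
# Added example: SHA-256 manifest for an archive folder, plus later verification.
# New-ArchiveManifest / Test-ArchiveManifest are hypothetical names.

function New-ArchiveManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $ManifestName = 'manifest-sha256.csv'
    )
    $rootPath = (Resolve-Path -LiteralPath $Root -ErrorAction Stop).ProviderPath
    $prefix   = $rootPath.TrimEnd('\') + '\'
    $manifest = Join-Path $rootPath $ManifestName

    Get-ChildItem -LiteralPath $rootPath -Recurse -File |
        Where-Object { $_.FullName -ne $manifest } |      # do not hash the manifest itself
        ForEach-Object {
            [pscustomobject]@{
                # Relative paths keep the manifest valid on another drive letter.
                RelativePath = $_.FullName.Substring($prefix.Length)
                Length       = $_.Length
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -LiteralPath $manifest -NoTypeInformation -Encoding UTF8
    return $manifest
}

function Test-ArchiveManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $ManifestName = 'manifest-sha256.csv'
    )
    $rootPath = (Resolve-Path -LiteralPath $Root -ErrorAction Stop).ProviderPath
    $prefix   = $rootPath.TrimEnd('\') + '\'
    $manifest = Join-Path $rootPath $ManifestName

    # Index the recorded entries by relative path (hashtable keys are case-insensitive).
    $expected = @{}
    Import-Csv -LiteralPath $manifest | ForEach-Object { $expected[$_.RelativePath] = $_ }

    $seen = @{}
    $onDisk = foreach ($file in Get-ChildItem -LiteralPath $rootPath -Recurse -File) {
        if ($file.FullName -eq $manifest) { continue }
        $rel = $file.FullName.Substring($prefix.Length)
        $seen[$rel] = $true
        if (-not $expected.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'New'; RelativePath = $rel }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        if ($hash -ne $expected[$rel].SHA256) {
            [pscustomobject]@{ Status = 'Changed'; RelativePath = $rel }
        }
    }
    $missing = foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'Missing'; RelativePath = $rel }
        }
    }
    # No output means every recorded file is present and byte-identical.
    @($onDisk) + @($missing)
}

# Example (constructed paths): build on the master, copy the folder, verify the copy.
# New-ArchiveManifest  -Root 'D:\Archive_Master'
# Test-ArchiveManifest -Root 'E:\Archive_Master'
```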
 
