Microsoft Defender quarantines files it detects as threats, but sometimes legitimate files get flagged as false positives. This guide shows you how to safely restore quarantined files on Windows 10 and Windows 11, and prevent Defender from re-quarantining them.
Method 1: Restore via Windows Security App
The easiest method for most users:
- Open Windows Security:
  - Windows 11: Settings > Privacy & security > Windows Security > Open Windows Security
  - Windows 10: Settings > Update & Security > Windows Security > Open Windows Security
- Go to Protection History:
  - Click Virus & threat protection
  - Under "Current threats," click Protection history
- Find the quarantined file:
  - Click Filters and select Quarantined Items
  - Click on the file you want to restore
- Restore the file:
  - Click Actions
  - Select Restore
Note: If the file isn't listed, it may have been permanently deleted (files are held for approximately 30 days), or it was a severe threat that was removed immediately.
Method 2: Restore via Command Prompt
Use this method if the Windows Security interface isn't working or the file doesn't appear in Protection History.
- Open Command Prompt as Administrator:
  - Right-click the Start button
  - Select Terminal (Admin) or Command Prompt (Admin)
- Navigate to the Defender folder:
  cd "%ProgramFiles%\Windows Defender"
- List all quarantined files:
  MpCmdRun.exe -restore -listall
- Restore a specific file:
  MpCmdRun.exe -restore -filepath "C:\Path\To\Filename.exe"
  Replace "C:\Path\To\Filename.exe" with the file's original path as shown in the list. The -name option matches on the threat name, not the file name, so use it only with the threat name from the list.
Add an Exclusion (Prevent Re-Quarantine)
After restoring a file, Defender may quarantine it again on the next scan. Add an exclusion to prevent this:
- Open Windows Security
- Go to Virus & threat protection
- Under "Virus & threat protection settings," click Manage settings
- Scroll to Exclusions and click Add or remove exclusions
- Click + Add an exclusion
- Choose File or Folder
- Select the restored file
Defender will now ignore this file in future scans.
When Is It Safe to Restore?
| ✅ Safe to Restore | ❌ Do NOT Restore |
|---|---|
| Software from official websites | Unexpected email attachments |
| Known game mods or tools | Cracked software or keygens |
| Scripts you wrote yourself | Files you don't recognize |
| Development/automation tools | Downloads from sketchy websites |
| Files you verified on VirusTotal | Torrented content |
How to Verify a Suspicious File
If you're unsure whether a file is safe:
- Go to VirusTotal.com
- Upload the file or paste the download URL
- VirusTotal scans it with 70+ antivirus engines
- Review the results - if only 1-2 engines flag it as suspicious, it's likely a false positive
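The verification and exclusion steps above can be combined so that an exclusion is only added once the restored file passes a check. The script below is an added example, not part of the original guide: it assumes an elevated PowerShell session on a machine with the built-in Defender cmdlets, and the parameter names `-Path` and `-ExpectedSha256` are hypothetical.

```powershell
# Added example (not from the original guide). Run from an elevated PowerShell session.
# -Path and -ExpectedSha256 are hypothetical parameter names for this sketch.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory)] [string] $Path,   # the restored file
    [string] $ExpectedSha256                 # hash published by the vendor, if one exists
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop
if ($file.PSIsContainer) { throw "Exclude one file, not a folder: $Path" }

# SHA-256 of the restored file; searching VirusTotal for this hash avoids an upload.
$sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
# A 'Valid' status means the file is unmodified since signing; still read who signed it.
$sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

Write-Host "SHA-256   : $sha256"
Write-Host "Signature : $($sig.Status)"
Write-Host "Signer    : $($sig.SignerCertificate.Subject)"

# Show what Defender recorded for this file so the detection name can be reviewed.
$pattern = '*' + [WildcardPattern]::Escape($file.Name) + '*'
Get-MpThreatDetection |
    Where-Object { $_.Resources -like $pattern } |
    ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue
        Write-Host ("Detected  : {0} at {1}" -f $threat.ThreatName, $_.InitialDetectionTime)
    }

# Refuse the exclusion unless the hash matches or the signature validates.
$hashOk = $ExpectedSha256 -and ($sha256 -eq $ExpectedSha256.Trim())
$sigOk  = $sig.Status -eq 'Valid'
if ($ExpectedSha256 -and -not $hashOk) { throw 'Hash does not match the vendor value; not excluding.' }
if (-not ($hashOk -or $sigOk)) { throw 'No valid signature and no matching vendor hash; not excluding.' }

# Exclude the single file by full path, never its folder or extension.
if ($PSCmdlet.ShouldProcess($file.FullName, 'Add Microsoft Defender exclusion')) {
    Add-MpPreference -ExclusionPath $file.FullName
    (Get-MpPreference).ExclusionPath   # print current exclusions for review
}
```

Because the exclusion is scoped to one full path, a different file dropped in the same folder is still scanned.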
Common False Positive Scenarios
- Game mods and trainers: Often flagged due to memory manipulation code
- Automation tools: AutoHotkey scripts and similar tools
- Development tools: Python scripts, batch files, custom utilities
- Older software: Legacy programs not in Microsoft's database
- Open-source software: New releases before they're cataloged
Quarantine vs. Removal
| Action | What Happens |
|---|---|
| Quarantine | File moved to secure location, can be restored |
| Remove | File permanently deleted, cannot be recovered |
| Allow on device | File excluded from future scans |