Drop Windows Defender Operational EVTX CSV or registry export · detect real-time protection disablement · identify antimalware coverage gaps · surface periods where no active scanning was occurring · runs locally
5000/5001 RTP toggle · 5007 config · 4104 Set-MpPreference · DisableRealtimeMonitoring registry
Drop Defender Operational EVTX CSV · Security EVTX · registry export
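How the coverage-gap calculation described above can work, as an added example that is not this tool's own code: it pairs each 5001 (real-time protection disabled) with the next 5000 (enabled) and lists the 5007/4104 rows that mention DisableRealtimeMonitoring. The column names `TimeCreated`, `Id` and `Message`, the single merged CSV and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

RTP_ENABLED, RTP_DISABLED, CONFIG_CHANGED, SCRIPT_BLOCK = 5000, 5001, 5007, 4104

# Constructed sample rows (not real telemetry); column names are assumed.
SAMPLE_CSV = """TimeCreated,Id,Message
2024-03-01T09:00:00,5000,Real-time protection enabled
2024-03-01T10:14:58,4104,Set-MpPreference -DisableRealtimeMonitoring $true
2024-03-01T10:15:00,5007,Configuration changed: DisableRealtimeMonitoring = 0x1
2024-03-01T10:15:01,5001,Real-time protection disabled
2024-03-01T10:15:05,5001,Real-time protection disabled
2024-03-01T11:45:01,5000,Real-time protection enabled
2024-03-02T02:30:00,5001,Real-time protection disabled
2024-03-02T06:00:00,5007,Configuration changed: unrelated setting
"""


def analyze(csv_text):
    """Return (gaps, corroborating) from an exported event CSV.

    gaps: (disabled_at, enabled_at or None, seconds); None means the log ends
    with protection still off, so the gap is measured to the last event.
    """
    rows = sorted(
        ((datetime.fromisoformat(r["TimeCreated"]), int(r["Id"]), r["Message"])
         for r in csv.DictReader(io.StringIO(csv_text))),
        key=lambda row: row[0],
    )
    gaps, corroborating, off_since = [], [], None
    for ts, event_id, message in rows:
        mentions_rtp = "disablerealtimemonitoring" in message.lower()
        if event_id == RTP_DISABLED and off_since is None:
            off_since = ts  # repeated 5001 events do not restart the gap
        elif event_id == RTP_ENABLED and off_since is not None:
            gaps.append((off_since, ts, (ts - off_since).total_seconds()))
            off_since = None
        elif event_id in (CONFIG_CHANGED, SCRIPT_BLOCK) and mentions_rtp:
            corroborating.append((ts, event_id))
    if off_since is not None:  # still disabled when the log ends
        gaps.append((off_since, None, (rows[-1][0] - off_since).total_seconds()))
    return gaps, corroborating


if __name__ == "__main__":
    for start, end, seconds in analyze(SAMPLE_CSV)[0]:
        print(f"RTP off {start} -> {end or 'end of log'} ({seconds:.0f}s)")
```

An open-ended gap is a lower bound only: the log shows no re-enable event, so protection may have stayed off past the last recorded row.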