drop windows defender operational evtx csv · detect clearing of defender threat detection history · identify removal of malware detection records · surface evidence that detection events were erased · runs locally
1006–1008 detections · 1013 history cleared · 1009 quarantine restore · gap analysis · optional quarantine/history listing