This is a class that represents the current detailed state of a threat. For a detailed list of error codes, see Get-MpThreatDetection.
Methods
MSFT_MpThreatDetection has no methods.
Properties
MSFT_MpThreatDetection returns 16 properties:
'ActionSuccess','AdditionalActionsBitMask','AMProductVersion','CleaningActionID',
'CurrentThreatExecutionStatusID','DetectionID','DetectionSourceTypeID','DomainUser','InitialDetectionTime',
'LastThreatStatusChangeTime','ProcessName','RemediationTime','Resources','ThreatID','ThreatStatusErrorCode',
'ThreatStatusID'
Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender -Property *
Most WMI classes return one or more instances.
When Get-CimInstance returns no result, no instances of class MSFT_MpThreatDetection exist. This is normal behavior: either the class is not implemented on your system (it may be deprecated or depend on missing drivers, e.g. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (e.g. Win32_TapeDrive). For MSFT_MpThreatDetection, an empty result means that no threat detections are currently recorded.
ActionSuccess
Specifies if the cleaning action was successful
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID, ActionSuccess
AdditionalActionsBitMask
Additional actions required to complete remediation - Enumeration
AdditionalActionsBitMask returns a numeric value. To translate it into a meaningful text, use any of the following approaches:
Use a PowerShell Hashtable
$AdditionalActionsBitMask_map = @{
0 = 'None'
4 = 'FullScanRequired'
8 = 'RebootRequired'
12 = 'FullScanAndRebootRequired'
16 = 'ManualStepsRequired'
20 = 'FullScanAndManualStepsRequired'
24 = 'RebootAndManualStepsRequired'
28 = 'FullScanAndRebootAndManualStepsRequired'
32768 = 'OfflineScanRequired'
32772 = 'FullScanAndOfflineScanRequired'
32776 = 'RebootAndOfflineScanRequired'
32780 = 'FullScanAndRebootAndOfflineScanRequired'
32784 = 'ManualStepsAndOfflineScanRequired'
32788 = 'FullScanAndManualStepsAndOfflineScanRequired'
32792 = 'RebootAndManualStepsAndOfflineScanRequired'
}
Use a switch statement
switch([int]$value)
{
0 {'None'}
4 {'FullScanRequired'}
8 {'RebootRequired'}
12 {'FullScanAndRebootRequired'}
16 {'ManualStepsRequired'}
20 {'FullScanAndManualStepsRequired'}
24 {'RebootAndManualStepsRequired'}
28 {'FullScanAndRebootAndManualStepsRequired'}
32768 {'OfflineScanRequired'}
32772 {'FullScanAndOfflineScanRequired'}
32776 {'RebootAndOfflineScanRequired'}
32780 {'FullScanAndRebootAndOfflineScanRequired'}
32784 {'ManualStepsAndOfflineScanRequired'}
32788 {'FullScanAndManualStepsAndOfflineScanRequired'}
32792 {'RebootAndManualStepsAndOfflineScanRequired'}
default {"$value"}
}
Use Enum structure
Enum EnumAdditionalActionsBitMask
{
None = 0
FullScanRequired = 4
RebootRequired = 8
FullScanAndRebootRequired = 12
ManualStepsRequired = 16
FullScanAndManualStepsRequired = 20
RebootAndManualStepsRequired = 24
FullScanAndRebootAndManualStepsRequired = 28
OfflineScanRequired = 32768
FullScanAndOfflineScanRequired = 32772
RebootAndOfflineScanRequired = 32776
FullScanAndRebootAndOfflineScanRequired = 32780
ManualStepsAndOfflineScanRequired = 32784
FullScanAndManualStepsAndOfflineScanRequired = 32788
RebootAndManualStepsAndOfflineScanRequired = 32792
}
Examples
Use $AdditionalActionsBitMask_map in a calculated property for Select-Object
<#
this example uses a hashtable to translate raw numeric values for
property "AdditionalActionsBitMask" to friendly text
Note: to use other properties than "AdditionalActionsBitMask", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "AdditionalActionsBitMask"
# to translate other properties, use their translation table instead
$AdditionalActionsBitMask_map = @{
0 = 'None'
4 = 'FullScanRequired'
8 = 'RebootRequired'
12 = 'FullScanAndRebootRequired'
16 = 'ManualStepsRequired'
20 = 'FullScanAndManualStepsRequired'
24 = 'RebootAndManualStepsRequired'
28 = 'FullScanAndRebootAndManualStepsRequired'
32768 = 'OfflineScanRequired'
32772 = 'FullScanAndOfflineScanRequired'
32776 = 'RebootAndOfflineScanRequired'
32780 = 'FullScanAndRebootAndOfflineScanRequired'
32784 = 'ManualStepsAndOfflineScanRequired'
32788 = 'FullScanAndManualStepsAndOfflineScanRequired'
32792 = 'RebootAndManualStepsAndOfflineScanRequired'
}
#endregion define hashtable
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "AdditionalActionsBitMask", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$AdditionalActionsBitMask = @{
Name = 'AdditionalActionsBitMask'
Expression = {
# the property holds a single numeric value; look it up in the translation table
$value = $_.AdditionalActionsBitMask
$AdditionalActionsBitMask_map[[int]$value]
}
}
#endregion define calculated property
# retrieve the instances, and output the properties "DetectionID" and "AdditionalActionsBitMask". The latter
# is defined by the hashtable in $AdditionalActionsBitMask:
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, $AdditionalActionsBitMask
# ...or dump content of property AdditionalActionsBitMask (the class lives in the Defender namespace, not in the default root/cimv2):
$friendlyValues = Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender |
Select-Object -Property $AdditionalActionsBitMask |
Select-Object -ExpandProperty AdditionalActionsBitMask
# output values
$friendlyValues
# output values as comma separated list
$friendlyValues -join ', '
# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $AdditionalActionsBitMask_map to directly translate raw values from an instance
<#
this example uses a hashtable to manually translate raw numeric values
for property "AdditionalActionsBitMask" to friendly text. This approach is ideal when
there is just one instance to work with.
Note: to use other properties than "AdditionalActionsBitMask", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "AdditionalActionsBitMask"
# to translate other properties, use their translation table instead
$AdditionalActionsBitMask_map = @{
0 = 'None'
4 = 'FullScanRequired'
8 = 'RebootRequired'
12 = 'FullScanAndRebootRequired'
16 = 'ManualStepsRequired'
20 = 'FullScanAndManualStepsRequired'
24 = 'RebootAndManualStepsRequired'
28 = 'FullScanAndRebootAndManualStepsRequired'
32768 = 'OfflineScanRequired'
32772 = 'FullScanAndOfflineScanRequired'
32776 = 'RebootAndOfflineScanRequired'
32780 = 'FullScanAndRebootAndOfflineScanRequired'
32784 = 'ManualStepsAndOfflineScanRequired'
32788 = 'FullScanAndManualStepsAndOfflineScanRequired'
32792 = 'RebootAndManualStepsAndOfflineScanRequired'
}
#endregion define hashtable
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to illustrate
the number-to-text translation. To process all instances, replace
"Select-Object -First 1" with a "Foreach-Object" loop, and use
the iterator variable $_ instead of $instance
#>
# query the property
$rawValue = $instance.AdditionalActionsBitMask
# translate raw value to friendly text:
$friendlyName = $AdditionalActionsBitMask_map[[int]$rawValue]
# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<#
this example uses a switch clause to translate raw numeric
values for property "AdditionalActionsBitMask" to friendly text. The switch
clause is embedded into a calculated property so there is
no need to refer to external variables for translation.
Note: to use other properties than "AdditionalActionsBitMask", look up the appropriate
translation switch clause for the property you would like to use instead.
#>
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "AdditionalActionsBitMask", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$AdditionalActionsBitMask = @{
Name = 'AdditionalActionsBitMask'
Expression = {
# the property holds a single numeric value; translate it with the switch below
$value = $_.AdditionalActionsBitMask
switch([int]$value)
{
0 {'None'}
4 {'FullScanRequired'}
8 {'RebootRequired'}
12 {'FullScanAndRebootRequired'}
16 {'ManualStepsRequired'}
20 {'FullScanAndManualStepsRequired'}
24 {'RebootAndManualStepsRequired'}
28 {'FullScanAndRebootAndManualStepsRequired'}
32768 {'OfflineScanRequired'}
32772 {'FullScanAndOfflineScanRequired'}
32776 {'RebootAndOfflineScanRequired'}
32780 {'FullScanAndRebootAndOfflineScanRequired'}
32784 {'ManualStepsAndOfflineScanRequired'}
32788 {'FullScanAndManualStepsAndOfflineScanRequired'}
32792 {'RebootAndManualStepsAndOfflineScanRequired'}
default {"$value"}
}
}
}
#endregion define calculated property
# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender |
# ...and output properties "DetectionID" and "AdditionalActionsBitMask". The latter is defined
# by the hashtable in $AdditionalActionsBitMask:
Select-Object -Property DetectionID, $AdditionalActionsBitMask
Use the Enum from above to auto-translate the code values
<#
this example translates raw values by means of type conversion
the friendly names are defined as enumeration using the
keyword "enum" (PowerShell 5 or better)
The raw value(s) are translated to friendly text by
simply converting them into the enum type.
Note: to use other properties than "AdditionalActionsBitMask", look up the appropriate
enum definition for the property you would like to use instead.
#>
#region define enum with value-to-text translation:
Enum EnumAdditionalActionsBitMask
{
None = 0
FullScanRequired = 4
RebootRequired = 8
FullScanAndRebootRequired = 12
ManualStepsRequired = 16
FullScanAndManualStepsRequired = 20
RebootAndManualStepsRequired = 24
FullScanAndRebootAndManualStepsRequired = 28
OfflineScanRequired = 32768
FullScanAndOfflineScanRequired = 32772
RebootAndOfflineScanRequired = 32776
FullScanAndRebootAndOfflineScanRequired = 32780
ManualStepsAndOfflineScanRequired = 32784
FullScanAndManualStepsAndOfflineScanRequired = 32788
RebootAndManualStepsAndOfflineScanRequired = 32792
}
#endregion define enum
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to focus on
the number-to-text type conversion.
To process all instances, replace "Select-Object -First 1"
with a "Foreach-Object" loop, and use the iterator variable
$_ instead of $instance
#>
# query the property:
$rawValue = $instance.AdditionalActionsBitMask
#region using strict type conversion
<#
Note: strict type conversion fails if the raw value is
not defined by the enum. So if the list of allowable values
was extended and the enum does not match the value,
an exception is thrown
#>
# convert the property to the enum [EnumAdditionalActionsBitMask]:
[EnumAdditionalActionsBitMask]$rawValue
# get a comma-separated string:
[EnumAdditionalActionsBitMask]$rawValue -join ','
#endregion
#region using operator "-as"
<#
Note: the operator "-as" accepts values not defined
by the enum and returns $null instead of throwing
an exception
#>
$rawValue -as [EnumAdditionalActionsBitMask]
#endregion
Enums must cover all possible values. If AdditionalActionsBitMask returns a value that is not defined in the enum, a strict cast throws an exception that reports the missing value. To fix, add the missing value to the enum, or use the -as operator shown above, which returns $null for undefined values instead of throwing.
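As an added example (not code from the original page), the same translation done by treating AdditionalActionsBitMask as the bit mask its name suggests: every value in the page's table is a sum of 4, 8, 16 and 32768, so this generalizes to combinations the table does not list and reports bits it does not know instead of throwing. The enum name MpAdditionalActions and the function name are this example's own.

```powershell
# Added example: decode AdditionalActionsBitMask as bit flags.
# 4 = full scan, 8 = reboot, 16 = manual steps, 32768 = offline scan; the
# page's table lists the sums of these, so a [Flags()] enum covers them all.
[Flags()] enum MpAdditionalActions
{
    None                = 0
    FullScanRequired    = 4
    RebootRequired      = 8
    ManualStepsRequired = 16
    OfflineScanRequired = 32768
}

function ConvertFrom-MpAdditionalActions {
    <#
    .SYNOPSIS
    Splits a raw AdditionalActionsBitMask value into its component actions.
    Bits the enum does not define are reported instead of being dropped, so an
    extended value list never passes through as a misleading "None".
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [long]$RawValue
    )
    begin {
        # mask of all bits the enum defines
        $knownMask = 0
        foreach ($flag in [Enum]::GetValues([MpAdditionalActions])) {
            $knownMask = $knownMask -bor [long]$flag
        }
    }
    process {
        $known   = $RawValue -band $knownMask
        $unknown = $RawValue -band (-bnot $knownMask)

        # collect the names of all set, known bits (ascending by value)
        $actions = @(foreach ($flag in [Enum]::GetValues([MpAdditionalActions])) {
            if ([long]$flag -ne 0 -and ($known -band [long]$flag) -ne 0) { $flag.ToString() }
        })
        if (-not $actions) { $actions = @('None') }
        if ($unknown -ne 0) { $actions += ('UnknownBits(0x{0:X})' -f $unknown) }

        [pscustomobject]@{
            RawValue = $RawValue
            Actions  = $actions
            Text     = ($actions -join '+')
        }
    }
}

# Constructed sample values: 32780 and 20 from the page's table, 32796 (all four
# known bits, a combination the table does not list), 65540 (a made-up unknown
# bit plus FullScanRequired) and 0
32780, 20, 32796, 65540, 0 | ConvertFrom-MpAdditionalActions | Format-Table -AutoSize

# Live data (requires Defender): decode the bit mask of every recorded detection
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender |
    ForEach-Object { $_.AdditionalActionsBitMask | ConvertFrom-MpAdditionalActions }
```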
AMProductVersion
Product version (major, minor, build, revision)
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID, AMProductVersion
CleaningActionID
The cleaning action - Enumeration
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID, CleaningActionID
CurrentThreatExecutionStatusID
Execution Status ID - Enumeration
CurrentThreatExecutionStatusID returns a numeric value. To translate it into a meaningful text, use any of the following approaches:
Use a PowerShell Hashtable
$CurrentThreatExecutionStatusID_map = @{
0 = 'Unknown'
1 = 'Blocked'
2 = 'Allowed'
3 = 'Executing'
4 = 'NotExecuting'
}
Use a switch statement
switch([int]$value)
{
0 {'Unknown'}
1 {'Blocked'}
2 {'Allowed'}
3 {'Executing'}
4 {'NotExecuting'}
default {"$value"}
}
Use Enum structure
Enum EnumCurrentThreatExecutionStatusID
{
Unknown = 0
Blocked = 1
Allowed = 2
Executing = 3
NotExecuting = 4
}
Examples
Use $CurrentThreatExecutionStatusID_map in a calculated property for Select-Object
<#
this example uses a hashtable to translate raw numeric values for
property "CurrentThreatExecutionStatusID" to friendly text
Note: to use other properties than "CurrentThreatExecutionStatusID", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "CurrentThreatExecutionStatusID"
# to translate other properties, use their translation table instead
$CurrentThreatExecutionStatusID_map = @{
0 = 'Unknown'
1 = 'Blocked'
2 = 'Allowed'
3 = 'Executing'
4 = 'NotExecuting'
}
#endregion define hashtable
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "CurrentThreatExecutionStatusID", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$CurrentThreatExecutionStatusID = @{
Name = 'CurrentThreatExecutionStatusID'
Expression = {
# the property holds a single numeric value; look it up in the translation table
$value = $_.CurrentThreatExecutionStatusID
$CurrentThreatExecutionStatusID_map[[int]$value]
}
}
#endregion define calculated property
# retrieve the instances, and output the properties "DetectionID" and "CurrentThreatExecutionStatusID". The latter
# is defined by the hashtable in $CurrentThreatExecutionStatusID:
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, $CurrentThreatExecutionStatusID
# ...or dump content of property CurrentThreatExecutionStatusID (the class lives in the Defender namespace, not in the default root/cimv2):
$friendlyValues = Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender |
Select-Object -Property $CurrentThreatExecutionStatusID |
Select-Object -ExpandProperty CurrentThreatExecutionStatusID
# output values
$friendlyValues
# output values as comma separated list
$friendlyValues -join ', '
# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $CurrentThreatExecutionStatusID_map to directly translate raw values from an instance
<#
this example uses a hashtable to manually translate raw numeric values
for property "CurrentThreatExecutionStatusID" to friendly text. This approach is ideal when
there is just one instance to work with.
Note: to use other properties than "CurrentThreatExecutionStatusID", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "CurrentThreatExecutionStatusID"
# to translate other properties, use their translation table instead
$CurrentThreatExecutionStatusID_map = @{
0 = 'Unknown'
1 = 'Blocked'
2 = 'Allowed'
3 = 'Executing'
4 = 'NotExecuting'
}
#endregion define hashtable
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to illustrate
the number-to-text translation. To process all instances, replace
"Select-Object -First 1" with a "Foreach-Object" loop, and use
the iterator variable $_ instead of $instance
#>
# query the property
$rawValue = $instance.CurrentThreatExecutionStatusID
# translate raw value to friendly text:
$friendlyName = $CurrentThreatExecutionStatusID_map[[int]$rawValue]
# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<#
this example uses a switch clause to translate raw numeric
values for property "CurrentThreatExecutionStatusID" to friendly text. The switch
clause is embedded into a calculated property so there is
no need to refer to external variables for translation.
Note: to use other properties than "CurrentThreatExecutionStatusID", look up the appropriate
translation switch clause for the property you would like to use instead.
#>
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "CurrentThreatExecutionStatusID", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$CurrentThreatExecutionStatusID = @{
Name = 'CurrentThreatExecutionStatusID'
Expression = {
# the property holds a single numeric value; translate it with the switch below
$value = $_.CurrentThreatExecutionStatusID
switch([int]$value)
{
0 {'Unknown'}
1 {'Blocked'}
2 {'Allowed'}
3 {'Executing'}
4 {'NotExecuting'}
default {"$value"}
}
}
}
#endregion define calculated property
# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender |
# ...and output properties "DetectionID" and "CurrentThreatExecutionStatusID". The latter is defined
# by the hashtable in $CurrentThreatExecutionStatusID:
Select-Object -Property DetectionID, $CurrentThreatExecutionStatusID
Use the Enum from above to auto-translate the code values
<#
this example translates raw values by means of type conversion
the friendly names are defined as enumeration using the
keyword "enum" (PowerShell 5 or better)
The raw value(s) are translated to friendly text by
simply converting them into the enum type.
Note: to use other properties than "CurrentThreatExecutionStatusID", look up the appropriate
enum definition for the property you would like to use instead.
#>
#region define enum with value-to-text translation:
Enum EnumCurrentThreatExecutionStatusID
{
Unknown = 0
Blocked = 1
Allowed = 2
Executing = 3
NotExecuting = 4
}
#endregion define enum
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to focus on
the number-to-text type conversion.
To process all instances, replace "Select-Object -First 1"
with a "Foreach-Object" loop, and use the iterator variable
$_ instead of $instance
#>
# query the property:
$rawValue = $instance.CurrentThreatExecutionStatusID
#region using strict type conversion
<#
Note: strict type conversion fails if the raw value is
not defined by the enum. So if the list of allowable values
was extended and the enum does not match the value,
an exception is thrown
#>
# convert the property to the enum [EnumCurrentThreatExecutionStatusID]:
[EnumCurrentThreatExecutionStatusID]$rawValue
# get a comma-separated string:
[EnumCurrentThreatExecutionStatusID]$rawValue -join ','
#endregion
#region using operator "-as"
<#
Note: the operator "-as" accepts values not defined
by the enum and returns $null instead of throwing
an exception
#>
$rawValue -as [EnumCurrentThreatExecutionStatusID]
#endregion
Enums must cover all possible values. If CurrentThreatExecutionStatusID returns a value that is not defined in the enum, a strict cast throws an exception that reports the missing value. To fix, add the missing value to the enum, or use the -as operator shown above, which returns $null for undefined values instead of throwing.
DetectionID
Unique Detection ID
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID
DetectionSourceTypeID
Detection Source Type ID - Enumeration
DetectionSourceTypeID returns a numeric value. To translate it into a meaningful text, use any of the following approaches:
Use a PowerShell Hashtable
$DetectionSourceTypeID_map = @{
0 = 'Unknown'
1 = 'User'
2 = 'System'
3 = 'Real-time'
4 = 'IOAV'
5 = 'NRI'
7 = 'ELAM'
8 = 'LocalAttestation'
9 = 'RemoteAttestation'
}
Use a switch statement
switch([int]$value)
{
0 {'Unknown'}
1 {'User'}
2 {'System'}
3 {'Real-time'}
4 {'IOAV'}
5 {'NRI'}
7 {'ELAM'}
8 {'LocalAttestation'}
9 {'RemoteAttestation'}
default {"$value"}
}
Use Enum structure
Enum EnumDetectionSourceTypeID
{
Unknown = 0
User = 1
System = 2
Real_time = 3
IOAV = 4
NRI = 5
ELAM = 7
LocalAttestation = 8
RemoteAttestation = 9
}
Examples
Use $DetectionSourceTypeID_map in a calculated property for Select-Object
<#
this example uses a hashtable to translate raw numeric values for
property "DetectionSourceTypeID" to friendly text
Note: to use other properties than "DetectionSourceTypeID", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "DetectionSourceTypeID"
# to translate other properties, use their translation table instead
$DetectionSourceTypeID_map = @{
0 = 'Unknown'
1 = 'User'
2 = 'System'
3 = 'Real-time'
4 = 'IOAV'
5 = 'NRI'
7 = 'ELAM'
8 = 'LocalAttestation'
9 = 'RemoteAttestation'
}
#endregion define hashtable
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "DetectionSourceTypeID", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$DetectionSourceTypeID = @{
Name = 'DetectionSourceTypeID'
Expression = {
# the property holds a single numeric value; look it up in the translation table
$value = $_.DetectionSourceTypeID
$DetectionSourceTypeID_map[[int]$value]
}
}
#endregion define calculated property
# retrieve the instances, and output the properties "DetectionID" and "DetectionSourceTypeID". The latter
# is defined by the hashtable in $DetectionSourceTypeID:
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, $DetectionSourceTypeID
# ...or dump content of property DetectionSourceTypeID (the class lives in the Defender namespace, not in the default root/cimv2):
$friendlyValues = Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender |
Select-Object -Property $DetectionSourceTypeID |
Select-Object -ExpandProperty DetectionSourceTypeID
# output values
$friendlyValues
# output values as comma separated list
$friendlyValues -join ', '
# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $DetectionSourceTypeID_map to directly translate raw values from an instance
<#
this example uses a hashtable to manually translate raw numeric values
for property "DetectionSourceTypeID" to friendly text. This approach is ideal when
there is just one instance to work with.
Note: to use other properties than "DetectionSourceTypeID", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "DetectionSourceTypeID"
# to translate other properties, use their translation table instead
$DetectionSourceTypeID_map = @{
0 = 'Unknown'
1 = 'User'
2 = 'System'
3 = 'Real-time'
4 = 'IOAV'
5 = 'NRI'
7 = 'ELAM'
8 = 'LocalAttestation'
9 = 'RemoteAttestation'
}
#endregion define hashtable
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to illustrate
the number-to-text translation. To process all instances, replace
"Select-Object -First 1" with a "Foreach-Object" loop, and use
the iterator variable $_ instead of $instance
#>
# query the property
$rawValue = $instance.DetectionSourceTypeID
# translate raw value to friendly text:
$friendlyName = $DetectionSourceTypeID_map[[int]$rawValue]
# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<#
this example uses a switch clause to translate raw numeric
values for property "DetectionSourceTypeID" to friendly text. The switch
clause is embedded into a calculated property so there is
no need to refer to external variables for translation.
Note: to use other properties than "DetectionSourceTypeID", look up the appropriate
translation switch clause for the property you would like to use instead.
#>
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "DetectionSourceTypeID", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$DetectionSourceTypeID = @{
Name = 'DetectionSourceTypeID'
Expression = {
# the property holds a single numeric value; translate it with the switch below
$value = $_.DetectionSourceTypeID
switch([int]$value)
{
0 {'Unknown'}
1 {'User'}
2 {'System'}
3 {'Real-time'}
4 {'IOAV'}
5 {'NRI'}
7 {'ELAM'}
8 {'LocalAttestation'}
9 {'RemoteAttestation'}
default {"$value"}
}
}
}
#endregion define calculated property
# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender |
# ...and output properties "DetectionID" and "DetectionSourceTypeID". The latter is defined
# by the hashtable in $DetectionSourceTypeID:
Select-Object -Property DetectionID, $DetectionSourceTypeID
Use the Enum from above to auto-translate the code values
<#
this example translates raw values by means of type conversion
the friendly names are defined as enumeration using the
keyword "enum" (PowerShell 5 or better)
The raw value(s) are translated to friendly text by
simply converting them into the enum type.
Note: to use other properties than "DetectionSourceTypeID", look up the appropriate
enum definition for the property you would like to use instead.
#>
#region define enum with value-to-text translation:
Enum EnumDetectionSourceTypeID
{
Unknown = 0
User = 1
System = 2
Real_time = 3
IOAV = 4
NRI = 5
ELAM = 7
LocalAttestation = 8
RemoteAttestation = 9
}
#endregion define enum
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to focus on
the number-to-text type conversion.
To process all instances, replace "Select-Object -First 1"
with a "Foreach-Object" loop, and use the iterator variable
$_ instead of $instance
#>
# query the property:
$rawValue = $instance.DetectionSourceTypeID
#region using strict type conversion
<#
Note: strict type conversion fails if the raw value is
not defined by the enum. So if the list of allowable values
was extended and the enum does not match the value,
an exception is thrown
#>
# convert the property to the enum [EnumDetectionSourceTypeID]:
[EnumDetectionSourceTypeID]$rawValue
# get a comma-separated string:
[EnumDetectionSourceTypeID]$rawValue -join ','
#endregion
#region using operator "-as"
<#
Note: the operator "-as" accepts values not defined
by the enum and returns $null instead of throwing
an exception
#>
$rawValue -as [EnumDetectionSourceTypeID]
#endregion
Enums must cover all possible values. If DetectionSourceTypeID returns a value that is not defined in the enum, a strict cast throws an exception that reports the missing value. To fix, add the missing value to the enum, or use the -as operator shown above, which returns $null for undefined values instead of throwing.
DomainUser
The user who requested remediation
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID, DomainUser
InitialDetectionTime
The initial threat detection time
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID, InitialDetectionTime
LastThreatStatusChangeTime
The most recent time of the threat status change
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID, LastThreatStatusChangeTime
ProcessName
The name of the process involved
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID, ProcessName
RemediationTime
The time of the remediation.
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID, RemediationTime
Resources
List of resources affected by the detection
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID, Resources
ThreatID
Unique Threat ID
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID
ThreatStatusErrorCode
The threat status error code
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, ThreatID, ThreatStatusErrorCode
ThreatStatusID
The Threat Status ID - Enumeration
ThreatStatusID returns a numeric value. To translate it into a meaningful text, use any of the following approaches:
Use a PowerShell Hashtable
$ThreatStatusID_map = @{
0 = 'Unknown'
1 = 'Detected'
2 = 'Cleaned'
3 = 'Quarantined'
4 = 'Removed'
5 = 'Allowed'
6 = 'Blocked'
102 = 'QuarantineFailed'
103 = 'RemoveFailed'
104 = 'AllowFailed'
105 = 'Abondoned'
107 = 'BlockedFailed'
}
Use a switch statement
switch([int]$value)
{
0 {'Unknown'}
1 {'Detected'}
2 {'Cleaned'}
3 {'Quarantined'}
4 {'Removed'}
5 {'Allowed'}
6 {'Blocked'}
102 {'QuarantineFailed'}
103 {'RemoveFailed'}
104 {'AllowFailed'}
105 {'Abondoned'}
107 {'BlockedFailed'}
default {"$value"}
}
Use Enum structure
Enum EnumThreatStatusID
{
Unknown = 0
Detected = 1
Cleaned = 2
Quarantined = 3
Removed = 4
Allowed = 5
Blocked = 6
QuarantineFailed = 102
RemoveFailed = 103
AllowFailed = 104
Abondoned = 105
BlockedFailed = 107
}
Examples
Use $ThreatStatusID_map in a calculated property for Select-Object
<#
this example uses a hashtable to translate raw numeric values for
property "ThreatStatusID" to friendly text
Note: to use other properties than "ThreatStatusID", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "ThreatStatusID"
# to translate other properties, use their translation table instead
$ThreatStatusID_map = @{
0 = 'Unknown'
1 = 'Detected'
2 = 'Cleaned'
3 = 'Quarantined'
4 = 'Removed'
5 = 'Allowed'
6 = 'Blocked'
102 = 'QuarantineFailed'
103 = 'RemoveFailed'
104 = 'AllowFailed'
105 = 'Abandoned'
107 = 'BlockedFailed'
}
#endregion define hashtable
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "ThreatStatusID", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$ThreatStatusID = @{
Name = 'ThreatStatusID'
Expression = {
# look up the numeric value in the translation hashtable
$value = $_.ThreatStatusID
$ThreatStatusID_map[[int]$value]
}
}
#endregion define calculated property
# retrieve the instances, and output the properties "DetectionID" and "ThreatStatusID". The latter
# is defined by the hashtable in $ThreatStatusID (this class has no "Caption" property):
Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property DetectionID, $ThreatStatusID
# ...or dump content of property ThreatStatusID (the class is not in the default namespace,
# so -Namespace is required here as well):
$friendlyValues = Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender |
Select-Object -Property $ThreatStatusID |
Select-Object -ExpandProperty ThreatStatusID
# output values
$friendlyValues
# output values as comma separated list
$friendlyValues -join ', '
# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $ThreatStatusID_map to directly translate raw values from an instance
<#
this example uses a hashtable to manually translate raw numeric values
for property "ThreatStatusID" to friendly text. This approach is ideal when
there is just one instance to work with.
Note: to use other properties than "ThreatStatusID", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "ThreatStatusID"
# to translate other properties, use their translation table instead
$ThreatStatusID_map = @{
0 = 'Unknown'
1 = 'Detected'
2 = 'Cleaned'
3 = 'Quarantined'
4 = 'Removed'
5 = 'Allowed'
6 = 'Blocked'
102 = 'QuarantineFailed'
103 = 'RemoveFailed'
104 = 'AllowFailed'
105 = 'Abandoned'
107 = 'BlockedFailed'
}
#endregion define hashtable
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to illustrate
the number-to-text translation. To process all instances, replace
"Select-Object -First 1" with a "Foreach-Object" loop, and use
the iterator variable $_ instead of $instance
#>
# query the property
$rawValue = $instance.ThreatStatusID
# translate raw value to friendly text:
$friendlyName = $ThreatStatusID_map[[int]$rawValue]
# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<#
this example uses a switch clause to translate raw numeric
values for property "ThreatStatusID" to friendly text. The switch
clause is embedded into a calculated property so there is
no need to refer to external variables for translation.
Note: to use other properties than "ThreatStatusID", look up the appropriate
translation switch clause for the property you would like to use instead.
#>
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "ThreatStatusID", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$ThreatStatusID = @{
Name = 'ThreatStatusID'
Expression = {
# translate the numeric value with the embedded switch
$value = $_.ThreatStatusID
switch([int]$value)
{
0 {'Unknown'}
1 {'Detected'}
2 {'Cleaned'}
3 {'Quarantined'}
4 {'Removed'}
5 {'Allowed'}
6 {'Blocked'}
102 {'QuarantineFailed'}
103 {'RemoveFailed'}
104 {'AllowFailed'}
105 {'Abandoned'}
107 {'BlockedFailed'}
default {"$value"}
}
}
}
#endregion define calculated property
# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender |
# ...and output properties "DetectionID" and "ThreatStatusID". The latter is defined
# by the hashtable in $ThreatStatusID (this class has no "Caption" property):
Select-Object -Property DetectionID, $ThreatStatusID
Use the Enum from above to auto-translate the code values
<#
this example translates raw values by means of type conversion
the friendly names are defined as enumeration using the
keyword "enum" (PowerShell 5 or better)
The raw value(s) are translated to friendly text by
simply converting them into the enum type.
Note: to use other properties than "ThreatStatusID", look up the appropriate
enum definition for the property you would like to use instead.
#>
#region define enum with value-to-text translation:
Enum EnumThreatStatusID
{
Unknown = 0
Detected = 1
Cleaned = 2
Quarantined = 3
Removed = 4
Allowed = 5
Blocked = 6
QuarantineFailed = 102
RemoveFailed = 103
AllowFailed = 104
Abandoned = 105
BlockedFailed = 107
}
#endregion define enum
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to focus on
the number-to-text type conversion.
To process all instances, replace "Select-Object -First 1"
with a "Foreach-Object" loop, and use the iterator variable
$_ instead of $instance
#>
# query the property:
$rawValue = $instance.ThreatStatusID
#region using strict type conversion
<#
Note: strict type conversion fails if the raw value is
not defined by the enum. So if the list of allowable values
was extended and the enum does not match the value,
an exception is thrown
#>
# convert the property to the enum **ThreatStatusID**
[EnumThreatStatusID]$rawValue
# get a comma-separated string:
[EnumThreatStatusID]$rawValue -join ','
#endregion
#region using operator "-as"
<#
Note: the operator "-as" accepts values not defined
by the enum and returns $null instead of throwing
an exception
#>
$rawValue -as [EnumThreatStatusID]
#endregion
Enums must cover all possible values. If ThreatStatusID returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.
Examples
List all instances of MSFT_MpThreatDetection
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender
Learn more about Get-CimInstance and the deprecated Get-WmiObject.
View all properties
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender -Property *
View key properties only
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender -KeyOnly
Selecting Properties
To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.
Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That is why you need to pipe the results into Select-Object if you want to limit the visible properties, e.g. for reporting.
Selecting Properties
The code below lists all available properties. Remove the ones you do not need:
$properties = 'ActionSuccess',
'AdditionalActionsBitMask',
'AMProductVersion',
'CleaningActionID',
'CurrentThreatExecutionStatusID',
'DetectionID',
'DetectionSourceTypeID',
'DomainUser',
'InitialDetectionTime',
'LastThreatStatusChangeTime',
'ProcessName',
'RemediationTime',
'Resources',
'ThreatID',
'ThreatStatusErrorCode',
'ThreatStatusID'
Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender | Select-Object -Property $properties
Limiting Network Bandwidth
If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:
# $properties is the list defined above
Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender -Property $properties |
Select-Object -Property $properties
Selecting Instances
To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).
The parameter -Filter runs a simple query.
Listing all instances where the property ProcessName starts with "A" (MSFT_MpThreatDetection has no Caption property, so a string property of this class is filtered instead)
Get-CimInstance -Class MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender -Filter 'ProcessName LIKE "a%"'
Using a WQL Query
The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property ProcessName starts with "A", and returns the properties specified:
Get-CimInstance -Query "SELECT ThreatID, ThreatStatusErrorCode, CurrentThreatExecutionStatusID, AdditionalActionsBitMask FROM MSFT_MpThreatDetection WHERE ProcessName LIKE 'a%'" -Namespace root/microsoft/windows/defender
Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:
Get-CimInstance -Query "SELECT ThreatID, ThreatStatusErrorCode, CurrentThreatExecutionStatusID, AdditionalActionsBitMask FROM MSFT_MpThreatDetection WHERE ProcessName LIKE 'a%'" -Namespace root/microsoft/windows/defender | Select-Object -Property ThreatID, ThreatStatusErrorCode, CurrentThreatExecutionStatusID, AdditionalActionsBitMask
Accessing Remote Computers
To access remote systems, you need to have proper permissions. Use the parameter -ComputerName to access one or more remote systems.
Authenticating as Current User
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with your current identity:
$result = Get-CimInstance -ClassName MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender -ComputerName $list
$result
Authenticating as Different User
Use a CIMSession object to authenticate with a new identity:
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred
$result = Get-CimInstance MSFT_MpThreatDetection -Namespace root/microsoft/windows/defender -CimSession $session
# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session
$result
Learn more about accessing remote computers.
Requirements
To use MSFT_MpThreatDetection, the following requirements apply:
PowerShell
Get-CimInstance
was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.
If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.
Operating System
MSFT_MpThreatDetection was introduced on clients with Windows 8.1 [desktop apps only] and on servers with Windows Server 2012 R2 [desktop apps only].
Namespace
MSFT_MpThreatDetection lives in the Namespace Root/Microsoft/Windows/Defender. This is not the default namespace. Use parameter -Namespace root/microsoft/windows/defender with all CIM cmdlets.
Implementation
MSFT_MpThreatDetection is implemented in ProtectionManagement.dll and defined in ProtectionManagement.mof. Both files are located in the folder C:\Windows\system32\wbem:
explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\ProtectionManagement.mof