Defender MetaStore
Windows Defender keeps a MetaStore under ProgramData as part of its scan engine state, storing scan metadata, item records, signature-related lookup data, and Extensible Storage Engine (ESE) files used to track previously inspected content. These files help Microsoft Defender Antivirus avoid reprocessing unchanged items and speed up scheduled and real-time scans, but the store can grow stale or inconsistent after engine, platform, or definition updates. Kudu removes the cached MetaStore contents so Defender can rebuild a fresh scan metadata database without touching quarantined items, user files, accounts, or security settings.
Why clean Defender MetaStore?
- Corrupted MetaStore records can make Microsoft Defender rescans take unusually long, with users noticing scheduled scans stuck for extended periods or high MsMpEng.exe disk usage
- Stale scan metadata after Defender platform or intelligence updates can cause repeated inspection of the same files, showing up as persistent CPU activity and slower file opens right after boot
- Inconsistent ESE database pages in the MetaStore can trigger scan errors or entries in Protection History, while clearing it forces Defender to recreate clean tracking data
- Bloated cached item records from months of scan history increase ProgramData disk usage and can make quick scans feel less quick even though no user documents are being removed
- If the MetaStore no longer matches current file state, Defender may repeatedly re-enumerate large folders, which users notice as constant drive thrashing during idle time
- Database page fragmentation inside Defender's metadata store wastes space and slows lookups; a rebuild acts like a VACUUM rewrite of the store structure without deleting user files or quarantine data
Cache paths Kudu targets
Windows
%ProgramData%/Microsoft/Windows Defender/Scans/MetaStore
Download Kudu and reclaim your disk space.
Available on Windows, macOS, and Linux. No account required, no feature gates, no telemetry without consent. All cleaning targets are open source and community-auditable.