replace screenshots with the equivalent code snippet

Author: DeCohen

defender-endpoint/mde-demonstration-amsi.md

@@ -11,7 +11,7 @@ audience: ITPro
 ms.collection: 
 - m365-security
 ms.topic: how-to
-ms.date: 08/19/2025
+ms.date: 09/01/2025
 search.appverid: met150
 ms.custom: 
 - partner-contribution
@@ -60,8 +60,6 @@ In this demonstration article, you have two engine choices to test AMSI:
 
    The result should be as follows:
 
-### Attempt to execute the AMSI Test Sample
-
 ```powershell
    Invoke-Expression : At line:1 char:1
    + AMSI Test Sample: 7e72c3ce-861b-4339-8740-8ac1484c1386
@@ -107,14 +105,36 @@ In this demonstration article, you have two engine choices to test AMSI:
     Source: Microsoft VBScript runtime error
    ```
 
-      :::image type="content" source="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png" alt-text="Screenshot showing the AMSI test results. It should show that antivirus software blocked the script." lightbox="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png":::
-
-
 ### Verifying the test results
 
 In your protection history, you should be able to see the following information:
 
-:::image type="content" source="media/mde-demonstrations-amsi/verifying-results.png" alt-text="Screenshot showing the AMSI test results. The information should show that a threat was blocked and cleaned." lightbox="media/mde-demonstrations-amsi/verifying-results.png":::
+```vbscript
+Threat blocked
+
+Detected: Virus: Win32/MpTest!amsi
+
+Status: Cleaned
+
+This threat or app was cleaned or quarantined before it became active on your device.
+Details: This program is dangerous and replicates by infecting other files.
+
+Affected items:
+amsi: \Device\HarddiskVolume3\Windows\System32\WindowsPowershell\v1.0\powershell.exe
+or
+amsi: C:\Users\Admin\Desktop\AMSI_vbscript.vbs
+
+and/or you might see:
+
+Threat blocked
+
+Detected: Virus: Win32/MpTest!amsi
+
+Status: Cleaned
+
+This threat or app was cleaned or quarantined before it became active on your device.
+Details: This program is dangerous and replicates by infecting other files
+```
 
 ### Get the list of Microsoft Defender Antivirus threats
 
@@ -128,18 +148,58 @@ You can view detected threats by using the Event log or PowerShell.
 
 3. Look for `event ID 1116`. You should see the following information:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/eventid1116.png" alt-text="Screenshot showing Event ID 1116, which says malware or unwanted software was detected." lightbox="media/mde-demonstrations-amsi/eventid1116.png":::
+```powershell
+
+Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
+
+For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/MpTest!amsi&t
 
-##### Use PowerShell
+Name: Virus:Win32/MpTest!amsi
+
+ID: 2147694217
+
+Severity: Severe
+
+Category: Virus
+
+Path: \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Users\Admin\Desktop\AMSI_jscri
+
+Detection Origin: Local machine or Unknown
+
+Detection Type: Concrete
+
+Detection Source: System
+
+User: NT AUTHORITY\SYSTEM
+
+Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Windows\System32\cscript.exe or C:\Windows\Sy
+
+Security intelligence Version: AV: 1.419.221.0, AS: 1.419.221.0, NIS: 1.419.221.0
+
+Engine Version: AM: 1.1.24080.9, NIS: 1.1.24080.9
+```
+
+#### Use PowerShell 
 
 1. On your device, open PowerShell.
 
-2. Type the following command: `Get-MpThreat`.
+1. Type the following command: `Get-MpThreat`.
 
    You might see the following results:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/get-mpthreat-results.png" alt-text="Screenshot showing the results of the Get-MpThreat command. It should show that an AMSI threat was detected." lightbox="media/mde-demonstrations-amsi/get-mpthreat-results.png":::
-
+```powershell
+CategoryID     : 42
+DidThreatExecute : True
+IsActive       : True
+Resources      :
+RollupStatus   : 97
+SchemaVersion  : 1.0.0.0
+SeverityID     : 5
+ThreatID       : 2147694217
+ThreatName     : Virus:Win32/MpTest!amsi
+TypeID         : 0
+PSComputerName :
+```
 
 ## See also