Question
Monday, May 6, 2019 12:19 PM
Hello.
I have a WS2016 server where I cannot start the defender service. I found out about the issue when Windows Update couldn't install Defender updates/signatures (but other WU work fine).
When I attempt to start the WinDefend service manually, it returns "Error 0x80070003: The system cannot find the path specified".
In the event log (Microsoft-Windows-Windows Defender/WHC) there are two events signalling the attempted service start:
"Windows Defender state updated to 10." and "Windows Defender state updated to 2." (in the same second).
Microsoft-Windows-Windows Defender/Operational has this error logged (in the same second of the attempted service start):
Windows Defender Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007007e
Error description: The specified module could not be found.
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
I have tried:
- installing latest WU
- sfc /scannow - no problems/corruptions found
- dism /online /cleanup-image /restorehealth - no problems found
- removing the Defender feature, rebooting, (deleting the C:\ProgramData\Microsoft\Windows Defender folder), reinstalling (Install-WindowsFeature -Name Windows-Defender-Features -IncludeAllSubFeature)
None of the above helped.
Any ideas (other than reinstall/refresh/reset Windows) are welcome.
All replies (16)
Wednesday, August 14, 2019 6:27 AM ✅ Answered | 1 vote
Solution for us was copy over "C:\ProgramData\Microsoft\Windows Defender\platform" from a working installation.
But you have to copy it offline; if you have a VM, mount the .vhdx file on the host.
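Before copying the platform folder from another host, it helps to confirm that the missing-path symptom really points there. The following added check (not from the thread or from Microsoft) reads the WinDefend service's ImagePath, tests whether that image and the platform version folders it should live in exist, and pulls the most recent Defender Operational errors; the list of core binaries it looks for is an assumption, and it relies on the known behaviour that Server 2016 platform updates install the engine under platform\<version>\ and point the service there.

```powershell
# Added diagnostic (not from the thread): does WinDefend's ImagePath point at a file that exists,
# and which platform version folders are present and complete? Run from elevated PowerShell.
$PlatformRoot = 'C:\ProgramData\Microsoft\Windows Defender\platform'
$Svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'

# ImagePath is normally stored quoted; strip the quotes and any trailing arguments.
$ImagePath = [regex]::Match($Svc.ImagePath, '^"?([^"]+\.exe)').Groups[1].Value
[pscustomobject]@{
    ImagePath       = $ImagePath
    ImageExists     = Test-Path -LiteralPath $ImagePath      # $false reproduces 0x80070003 on start
    ImageInPlatform = $ImagePath -like "$PlatformRoot\*"     # $true once a platform update has applied
}

# Enumerate the platform version folders and report which core binaries each one is missing.
# Assumption: these three are the engine, service and client binaries every platform version ships.
$Required = 'MsMpEng.exe', 'MpSvc.dll', 'MpClient.dll'
Get-ChildItem -Path $PlatformRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $dir = $_.FullName
    [pscustomobject]@{
        Version = $_.Name
        Missing = ($Required | Where-Object { -not (Test-Path (Join-Path $dir $_)) }) -join ','
    }
}

# Most recent errors from the same Operational log the question quotes (0x8007007e, On Access).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Level = 2 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

If ImageExists is $false and the version folder named in ImagePath is absent or incomplete, that is the state the offline copy above repairs, and the copied folder must carry the same version name the ImagePath references.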
Tuesday, May 7, 2019 5:33 AM
Hello,
Thank you for posting in our TechNet forum.
Is our Windows Server 2016 a domain-joined server or not?
We can try to boot into Safe Mode to check if we can restart Windows Defender service or install Defender updates/signatures.
- Click on Start button.
- Type system configuration.
- Launch the program. Enter Boot section and mark Safe Boot option. Click Apply and then OK. The next time you boot the computer, it will launch in Safe Mode. To deactivate it, remove the checkmark from Safe Boot and restart the PC.
For this server, do we have a system backup? If so, we can try to recover the system from a system backup.
Best Regards,
Daisy Zhou
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, May 7, 2019 6:18 AM
Hello,
the server is domain-joined.
Safe boot (with networking) doesn't help, still getting the same error when trying to start the service.
I have backups, but the issue has been there for a longer period than the backups' retention period, so I'd just be restoring to a state where the problem already exists.
Isn't there some debug logging option I could enable and look into?
Tuesday, May 7, 2019 9:10 AM
Hi,
Have we ever done any action that caused this service to fail to enable?
Have we installed any third-party anti-virus software?
We can try Process Monitor to grab the network package to see if we can find information related to it.
Best Regards,
Daisy Zhou
Tuesday, May 7, 2019 9:16 AM
I'm not sure what you're asking - I surely haven't deliberately sabotaged the service so it wouldn't start :) As I've written, I just found out about the problem when updating Windows.
Sure I can do a procmon trace, but can you be more specific what should I look for, what filter to use etc?
Wednesday, May 8, 2019 2:10 AM
Hi,
Try the following steps:
1. Download and install Process Monitor according to Process Monitor v3.50.
2. Open Process Monitor, press "Ctrl+E" to "Suspend" it, and "Ctrl+X" to clear the present process information.
3. Open the command prompt as administrator.
4. Press "Ctrl+E" to start Process Monitor again.
5. Restart the Windows Defender service and wait for it to stop automatically or report an error.
6. Press "Ctrl+E" to "Suspend" it again, then save the present log (Ctrl+S) and save all events as logfile.pml.
From the above method, we can try to find which process denies the Windows Defender service from running when we restart it.
Best Regards,
Daisy Zhou
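The capture procedure above can be driven without touching the GUI, and the resulting trace can be filtered before anything is shared. The following added script (not from the thread or from Microsoft) uses Process Monitor's documented command-line switches to record the WinDefend start attempt to a backing file, exports it to CSV, and keeps only the not-found file and registry operations from the service controller and the Defender engine; the tool directory and output paths are assumptions.

```powershell
# Added example (not from the thread): capture a Procmon trace around the WinDefend start
# attempt and triage it offline. Assumes procmon.exe was extracted to $ProcmonDir; run elevated.
$ProcmonDir = 'C:\Tools\ProcessMonitor'   # assumption: where Process Monitor was extracted
$Pml        = 'C:\Temp\windefend.pml'
$Csv        = 'C:\Temp\windefend.csv'
New-Item -ItemType Directory -Force -Path (Split-Path $Pml) | Out-Null

# Start Procmon capturing straight to a backing file (no GUI interaction, EULA accepted).
Start-Process -FilePath "$ProcmonDir\procmon.exe" `
    -ArgumentList '/AccEptEula', '/Quiet', '/Minimized', '/BackingFile', $Pml
Start-Sleep -Seconds 5

# Reproduce the failure. The start is expected to throw, so record the error instead of aborting.
try   { Start-Service -Name WinDefend -ErrorAction Stop }
catch { Write-Warning "WinDefend start failed: $($_.Exception.Message)" }
Start-Sleep -Seconds 5

# Tell the running instance to stop, then convert the trace to CSV for filtering.
Start-Process -FilePath "$ProcmonDir\procmon.exe" -ArgumentList '/Terminate' -Wait
Start-Process -FilePath "$ProcmonDir\procmon.exe" `
    -ArgumentList '/OpenLog', $Pml, '/SaveAs', $Csv -Wait

# Keep only operations by the service controller and the Defender engine that failed with a
# not-found result: these name the path or module behind 0x80070003 / 0x8007007e.
$Suspects = Import-Csv $Csv | Where-Object {
    $_.'Process Name' -in @('services.exe', 'MsMpEng.exe') -and
    $_.Result -in @('NAME NOT FOUND', 'PATH NOT FOUND')
} | Select-Object 'Time of Day', 'Process Name', Operation, Path, Result

$Suspects | Format-Table -AutoSize
```

The raw .pml and full CSV still record every other process that ran during the capture, so $Suspects is the part to share when the trace has to leave the machine.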
Friday, May 10, 2019 1:24 AM
Hi,
Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?
Best Regards,
Daisy Zhou
Friday, May 10, 2019 7:50 AM
Hello,
I did the procmon trace and saved the pml file, where can I upload/send the file so you can get it?
Monday, May 13, 2019 2:50 AM
Hi,
The procmon trace contains a lot of private information; I think it may be inconvenient to upload such information in the forum. We can try to see if there is an error message related to our problem.
Or we try to hide private information and upload it as text.
I think the fastest and most effective way might be to reinstall the operating system.
Best Regards,
Daisy Zhou
Wednesday, May 15, 2019 10:10 AM
Hi,
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!
Best Regards,
Daisy Zhou
Friday, May 17, 2019 5:51 AM
Well, you said the trace contains a lot of private information, then you end the sentence with "we can try to see if there is an error message related to our problem" and then "Or we try to hide private information and upload it as text" - how should this be done?
Reinstalling the OS would be complicated, because it hosts HA services which are difficult to set up again.
Monday, May 20, 2019 10:09 AM
Hi,
I think for our issue, it is not an efficient way to work in this forum, because we need the procmon trace or other logs.
To further analyze this issue, I suggest we submit a service request to MS Professional tech support service so that a dedicated support professional can further assist you with this request. We can select Professional Email-based Support or Professional Phone-based Support.
The following web sites, with more detail on Professional Support Options and incident submission methods, are for your reference:
https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial
https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers
Thank you for your understanding and support.
Best Regards,
Daisy Zhou
Thursday, June 6, 2019 12:54 PM
I've taken this to MS professional support, they weren't able to help either, the case was closed with the recommendation to refresh/reinstall the OS as the issue is supposedly caused by a registry corruption (which cannot be fixed).
I cannot consider that a valid solution as it might as well be an answer to virtually any problem. Sad thing that a problem with the built-in antivirus forces me to reinstall the OS...
Friday, June 7, 2019 8:50 AM
Hi,
Thank you for your update and sharing.
Have a nice day!
Best Regards,
Daisy Zhou
Tuesday, June 18, 2019 6:31 PM
I'm seeing the same issue on all of our 2016 servers; there has to be a more concrete solution than simply reinstalling the OS. Can't believe that's the same pat answer that is always given. That just isn't practical in most production environments (and they should know that). I'm sorry you didn't get a better answer or help.
Faye Jasman
Wednesday, August 14, 2019 6:46 AM
Thanks a lot nitramz, that actually helped in my case.