M
MarshallD'Arcy
Guest
I am running 1903 on 3 laptops and have not been able to get Window Defenders boot time scan to work on any of them. I assume this being that their is no clear visual indication that one is running as it supposedly scans and no where in the log does it indicate that a successful scan has occurred as well as the time of completion is very quick like 10 seconds. I have not even been able to get Windows Defender to scan in "safe mode" in two of the laptops and I have not tried on the third laptop. I go to the Settings>Update&Security>Windows Security>Open Windows Security> and get a blank screen when I am in "safe mode" and this occurred on both laptops.
If I go to Event Viewer>Application and Services Log>Microsoft>Windows>Windows Defender>Operational I get a message as follows
"Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware."
Please try to understand the reason for knowing that boot time scan is working is because you might have to use it or have to use it. The reason I try to use it is not important what is important is that it works if and when I get infected so information about the reason it may not work is not useful however how to get it to work every time with out fail is useful. Being that I would never check this log, an had problems finding this information in the log, the assertion of "if this is an unexpected event" seems a bit cruel and an indication that their seems to be a bit of a confusion as to why one would run a boot time scan.
I have run DISM using all 3 of it's main command line options and then after that I run sfc /scannow which I have done on all the computers that I have updated to 1903.
Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Date: 6/25/2019 5:34:18 AM
Event ID: 5007
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: LAPTOP-N13L026S
Description:
Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: N/A\Scan\OfflineScanRun =
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun = 0x0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
<EventID>5007</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-06-25T10:34:18.913730000Z" />
<EventRecordID>124</EventRecordID>
<Correlation />
<Execution ProcessID="4128" ThreadID="3740" />
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>LAPTOP-N13L026S</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Product Name">%%827</Data>
<Data Name="Product Version">4.18.1905.4</Data>
<Data Name="Old Value">N/A\Scan\OfflineScanRun = </Data>
<Data Name="New Value">HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun = 0x0</Data>
</EventData>
</Event>
NO error message that does not present itself right now in a boot time scan is acceptable.
How can I get the boot time scan in Windows Defender to work?
More...
If I go to Event Viewer>Application and Services Log>Microsoft>Windows>Windows Defender>Operational I get a message as follows
"Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware."
Please try to understand the reason for knowing that boot time scan is working is because you might have to use it or have to use it. The reason I try to use it is not important what is important is that it works if and when I get infected so information about the reason it may not work is not useful however how to get it to work every time with out fail is useful. Being that I would never check this log, an had problems finding this information in the log, the assertion of "if this is an unexpected event" seems a bit cruel and an indication that their seems to be a bit of a confusion as to why one would run a boot time scan.
I have run DISM using all 3 of it's main command line options and then after that I run sfc /scannow which I have done on all the computers that I have updated to 1903.
Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Date: 6/25/2019 5:34:18 AM
Event ID: 5007
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: LAPTOP-N13L026S
Description:
Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: N/A\Scan\OfflineScanRun =
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun = 0x0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
<EventID>5007</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-06-25T10:34:18.913730000Z" />
<EventRecordID>124</EventRecordID>
<Correlation />
<Execution ProcessID="4128" ThreadID="3740" />
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>LAPTOP-N13L026S</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Product Name">%%827</Data>
<Data Name="Product Version">4.18.1905.4</Data>
<Data Name="Old Value">N/A\Scan\OfflineScanRun = </Data>
<Data Name="New Value">HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun = 0x0</Data>
</EventData>
</Event>
NO error message that does not present itself right now in a boot time scan is acceptable.
How can I get the boot time scan in Windows Defender to work?
More...