Windows Defender Fails to Start Event 5008

  • Thread starter: spartan223193 (Guest)

Hello all,


I am having issues getting Windows Defender to start on my machine (fully patched Windows 10 as of 2/16/2020) and have had the problem for about 6 months at this point. Windows Defender does start at boot but will fail after several minutes (same thing occurs in Safe Mode).

The "Security at a Glance" pane shows that Windows Defender is not working. At this point I am at my wit's end for what is going on with the process and am looking for any help folks can provide.






What I have tried

1. Booting in safe mode makes no difference, I still cannot launch Defender.

2. Launching Defender using MpCmdRun.exe.

3. Ensuring DisableAntiSpyware and DisableAntiVirus registry values are not set.

4. Ensuring no other AV products are installed on the machine (OEM install, so nothing came preinstalled).

5. Integrity checking using sfc /scannow and

6. Checking the event log for any sort of usable lead as to what is going wrong.

7. Restarting the service using net stop msmpsvc & net start msmpsvc (This one has the most interesting output)


Below is a collection of outputs from the various things I have tried:


Output from net stop msmpsvc

C:\Program Files\Windows Defender>net stop msmpsvc
The service name is invalid.


Output from sfc /scannow

C:\WINDOWS\system32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.


Event Log Output

- <Event xmlns="">
- <System>
<Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
<EventID>5008</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-02-16T05:46:58.432968300Z" />
<EventRecordID>3511</EventRecordID>
<Correlation />
<Execution ProcessID="3036" ThreadID="11404" />
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>DESKTOP-QSIL5H7</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="Product Name">%%827</Data>
<Data Name="Product Version">4.18.1907.4</Data>
<Data Name="Resource" />
<Data Name="Failure Type Index">1</Data>
<Data Name="Failure Type">%%831</Data>
<Data Name="Exception Code" />
</EventData>

</Event>


Output from MpCmdRun.exe

MpCmdRun.exe -wdenable
CmdTool: Failed with hr = 0x800705B4. Check C:\Users\spart\AppData\Local\Temp\MpCmdRun.log for more information

Output from MpCmdRun.log
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: MpCmdRun.exe -wdenable
Start Time: ‎Sun ‎Feb ‎16 ‎2020 13:09:07

MpEnsureProcessMitigationPolicy: hr = 0x1
WDEnable
*********************************** WSC State Info *************************
*********************************** AntiVirusProduct *************************
displayName = [Windows Defender]
pathToSignedProductExe = [windowsdefender://]
productState = [397568]
*********************************** AntiSpywareProduct *************************
displayName = [Windows Defender]
pathToSignedProductExe = [windowsdefender://]
productState = [397568]
*********************************** IWscProduct(WSC_SECURITY_PROVIDER_ANTIVIRUS) *************************
Product #1 of 1
Name: Windows Defender Antivirus
ExePath: windowsdefender://
State: 0
SigStatus: 1
Substatus:
Scan: 0
Settings: 0
Updates: 0
*********************************** IWscProduct(WSC_SECURITY_PROVIDER_FIREWALL) *************************
Product #1 of 1
Name: Windows Firewall
ExePath: %windir%\system32\firewall.cpl
State: 0
Substatus:
Domain: 0
Private: 0
Public: 0
*****************************************************************************


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: MpCmdRun.exe -wdenable
Start Time: ‎Sun ‎Feb ‎16 ‎2020 13:09:40

MpEnsureProcessMitigationPolicy: hr = 0x1
WDEnable
*********************************** WSC State Info *************************
*********************************** AntiVirusProduct *************************
displayName = [Windows Defender]
pathToSignedProductExe = [windowsdefender://]
productState = [397568]
*********************************** AntiSpywareProduct *************************
displayName = [Windows Defender]
pathToSignedProductExe = [windowsdefender://]
productState = [397568]
*********************************** IWscProduct(WSC_SECURITY_PROVIDER_ANTIVIRUS) *************************
Product #1 of 1
Name: Windows Defender Antivirus
ExePath: windowsdefender://
State: 0
SigStatus: 1
Substatus:
Scan: 0
Settings: 0
Updates: 0
*********************************** IWscProduct(WSC_SECURITY_PROVIDER_FIREWALL) *************************
Product #1 of 1
Name: Windows Firewall
ExePath: %windir%\system32\firewall.cpl
State: 0
Substatus:
Domain: 0
Private: 0
Public: 0
*****************************************************************************
Time Info - ‎Sun ‎Feb ‎16 ‎2020 13:11:41 ERROR: MpWDEnable(TRUE) failed (800705B4)
MpCmdRun: End Time: ‎Sun ‎Feb ‎16 ‎2020 13:11:41
-------------------------------------------------------------------------------------

Output from Registry Checks

C:\Program Files\Windows Defender>Reg Query "HKLM\Software\Microsoft\Windows Defender" /v DisableAntiVirus

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender
DisableAntiVirus REG_DWORD 0x0


C:\Program Files\Windows Defender>Reg Query "HKLM\Software\Microsoft\Windows Defender" /v DisableAntiSpyware

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender
DisableAntiSpyware REG_DWORD 0x0
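
A read-only triage pass over the checks listed in the post, as an added example that is not part of the original post. It assumes the Defender Antivirus service is registered under the name WinDefend and also reads the Group Policy copy of the Disable* values under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender; neither name appears in the post.

```powershell
# Added example: read-only Defender start-up triage (run from an elevated prompt).
# Assumptions not taken from the post: service name WinDefend, policy key path.

# 1. Is the service registered, and in what state? A missing service object
#    gives the same "service name is invalid" answer that net stop/start returns.
$svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
if ($svc) { 'WinDefend: Status={0} StartType={1}' -f $svc.Status, $svc.StartType }
else      { 'WinDefend: not registered under this name' }

# 2. Disable* values in both the product key (checked in the post) and the policy key.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($key in $keys) {
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        '{0}\{1} = {2}' -f $key, $name, $(if ($null -eq $v) { '<not set>' } else { $v })
    }
}

# 3. Latest 5008 records from the channel shown in the event XML.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5008
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Decode the HRESULT reported by MpCmdRun.exe -wdenable.
#    Parsed from text because a hex literal with the high bit set is a negative Int32.
function Convert-HResult([string]$Hex) {
    $hr       = [Convert]::ToInt64($Hex, 16)
    $facility = ($hr -shr 16) -band 0x7FF      # bits 16-26
    $code     = $hr -band 0xFFFF               # bits 0-15
    $text     = if ($facility -eq 7) {         # FACILITY_WIN32 wraps a Win32 error code
        [ComponentModel.Win32Exception]::new([int]$code).Message
    } else { '<not a Win32 facility code>' }
    'HRESULT 0x{0}: facility={1} code={2} ({3})' -f $Hex, $facility, $code, $text
}
Convert-HResult '800705B4'   # facility 7, code 1460 (ERROR_TIMEOUT)

# 5. Get-MpComputerStatus only answers while the service is up; an error is itself a finding.
try {
    Get-MpComputerStatus -ErrorAction Stop |
        Select-Object AMServiceEnabled, AntivirusEnabled, AMProductVersion
} catch { "Get-MpComputerStatus failed: $($_.Exception.Message)" }
```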
