[SOLVED] Microsoft Safety Scanner and Windows Defender Logs

Status
Not open for further replies.
Maybe it’s because the Admin account doesn’t have a password?

Yes.

You did it perfectly until now. :)

Let's disable the Admin account now:

  • Press Windows icon key on your keyboard, together with the letter R.
  • Type cmd, and press Ctrl + Shift + Enter to run Command Prompt as administrator.
  • Copy and paste the following command and press Enter to execute it:
Code:
net user administrator /active:no
  • Restart the computer with your User account.
 
Okay, I think I did that successfully.
After restarting it brought me to my account, and the Admin account was no longer appearing in the bottom left of the log on screen
 
OK!

Now you can be assured that the computer is clean.

Is there any other question/issue/concern regarding this computer?
 
Would it be okay if I updated my software and stuff and sent another set of logs just to put my mind at ease?

Also, with the Admin account, is it okay for it to have some of those settings set up after using it for the first time? I got scared when booting it up for the first time, as it had the typical Windows messages saying “we’re getting things ready for you” when you sign in for the first time on an account.
 
You can update whatever you want now. No need for another set of logs.

As to the Admin account, it is a very powerful account and it must not be enabled all the time, unless there is something specific to be done. That is why we disabled it.

If nothing else, just remove the logs by deleting them. To uninstall FRST tool, just rename it to Uninstall.exe and then double click to execute it.
 
Ok.

I assume it’s normal when you load the admin account for the first time, it’ll ask you for location preferences, telemetry, etc?
It also asked me for edge preferences in safe mode which was annoying

I’ve also got an administrator folder in my users folder, so is that okay to be there as well?

I guess another question I have is that why did we have to get rid of the restricted windows defender thing (I don’t know why it was like that and thought it was normal)
this thing:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
I thought it was supposed to be like this, is there a reason to remove this?

I’m submitting a set of logs to my anti-virus vendor’s support since I have an ongoing ticket about an issue or conflict with something, and I noticed that the:
“HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION”
is gone now. Is this something to be concerned about?


I’ve also turned off the computer now, since I updated what I needed, but if you need logs again, I can provide them.
In the latest FRST log I took it replaced the “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION”
with something about Microsoft edge or something.

Sorry for the bombardment of questions
 
I assume it’s normal when you load the admin account for the first time, it’ll ask you for location preferences, telemetry, etc?
It also asked me for edge preferences in safe mode which was annoying

I’ve also got an administrator folder in my users folder, so is that okay to be there as well?

Yes, and yes.

I guess another question I have is that why did we have to get rid of the restricted windows defender thing (I don’t know why it was like that and thought it was normal)
this thing:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
I thought it was supposed to be like this, is there a reason to remove this?

Yes. We don't want a restriction on our security solution.

I’m submitting a set of logs to my anti-virus vendor’s support since I have an ongoing ticket about an issue or conflict with something,

What do you mean? What is your antivirus vendor? In your logs I see you have Microsoft Defender along with Malwarebytes. You mean Malwarebytes? You have opened 2 topics in 2 different forums asking for help? You know that this isn't the best practice, since conflicts may occur, plus you may make things more complicated for the 2 helpers. I'm a bit disappointed hearing that, and I would be pleased if you gave a clear explanation.

I’ve also turned off the computer now, since I updated what I needed, but if you need logs again, I can provide them.
In the latest FRST log I took it replaced the “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION”
with something about Microsoft edge or something.

As I told you, I don't need other logs. As to the restriction on the Defender, I removed it, because it had to be removed.
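
A read-only way to confirm the two changes discussed in this thread (the built-in Administrator account is disabled, and no values remain under the Defender policy key), as an added PowerShell example that is not part of the original posts. The function names are made up for illustration, and it assumes an elevated Windows PowerShell 5.1 or later session on Windows 10/11.

```powershell
# Added example, not from the thread. Read-only: it changes nothing.

function Get-BuiltinAdministratorState {
    # The built-in Administrator is identified by RID 500 (SID ends in -500),
    # so this still finds it if the account has been renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        Name             = $admin.Name
        SID              = $admin.SID.Value
        Enabled          = $admin.Enabled
        PasswordRequired = $admin.PasswordRequired
        LastLogon        = $admin.LastLogon
    }
}

function Get-DefenderPolicyValues {
    # Lists every value under the policy key that FRST flagged in the logs.
    # Values here are also how Group Policy configures Defender, so on a
    # managed (domain/MDM) machine some entries are expected.
    param([string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender')

    if (-not (Test-Path -LiteralPath $Path)) { return @() }

    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    $found = foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
    return @($found)
}

$admin  = Get-BuiltinAdministratorState
$policy = Get-DefenderPolicyValues

'Built-in Administrator "{0}" enabled: {1}' -f $admin.Name, $admin.Enabled
if ($policy.Count -eq 0) {
    'No values set under the Windows Defender policy key.'
} else {
    $policy | Format-Table -AutoSize
}
```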
 
I'm a bit disappointed hearing that, and I would be pleased if you gave a clear explanation.
It’s not asking for another helper on another forum, so don’t worry. I’ve only been taking advice from here, and applying these fixes.
Basically, I’ve had a ticket open for a potential bug which consists of a conflict I’ve been having between it and another piece of software (something was not properly prompting notifications for some reason). I think it’s potentially been fixed now though.

I really appreciate all your help. I was worried something was extremely wrong, since prior, I had no way to reset my password, and I really didn’t understand why.
 
I explained to you why it's not a good practice asking at two (or more) places at a time. So, thank you for the explanation. (y):-)

So, we are done. Since you have a topic pending elsewhere, don't uninstall FRST yet, since they may ask you to use it again. They will assist you how to do it when you finish.
 
I had one last thing I wanted to ask.
I noticed in the logs this appeared where the defender restriction used to be
"HKU\S-1-5-21-676346632-3412613119-591161220-500\...\Run: [MicrosoftEdgeAutoLaunch_98769996E24836F99EC8617644423B4C] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 [4088256 2023-07-27] (Microsoft Corporation -> Microsoft Corporation)"
Is this something to be concerned about? why is it appearing now?

It also says that the Administrator is a loaded profile now, despite being disabled so I don’t understand that.
There’s a lot I don’t know.
 
Also put my support ticket on pause for the time being, since it seems that issue is resolved (unless it starts again in the future)
 
I noticed in the logs this appeared where the defender restriction used to be
"HKU\S-1-5-21-676346632-3412613119-591161220-500\...\Run: [MicrosoftEdgeAutoLaunch_98769996E24836F99EC8617644423B4C] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 [4088256 2023-07-27] (Microsoft Corporation -> Microsoft Corporation)"
Is this something to be concerned about? why is it appearing now?

This has nothing to do with the Defender restriction removal. It's just a preference in Edge for the Administrator account, and no, it's not something to be concerned about.

The Administrator account is disabled.

P.S. You ran the FRST from the temp folder. You should always run it from the Desktop.
 
So since the administrator account is disabled, will it never auto-start up?
I remember a while ago I disabled it on my account.
So when an account is disabled, are all of the services associated with it also disabled, and will never start up? Not really familiar with how multiple users works.

P.S. You ran the FRST from the temp folder. You should always run it from the Desktop
I understand. I’ll make sure to always run it from the Desktop.
What happens when you run it elsewhere?
 
So since the administrator account is disabled, will it never auto-start up?

No. There is never auto-start up for User accounts.

That said, I think we covered everything, Badram.

Take care, stay safe. :-)
 
Thank you.
Since I have no use for FRST at the moment, I decided to use that KPRM tool in order to clean up logs and delete the folder.
I think I ran into a bug with it though, because after I ran the tool, I restarted, and noticed that the windows security tray icon wouldn’t load at all for some reason. After a second restart it loaded normally, so I don’t really understand if this is something to be concerned about. Windows defender seemed like it was working normally, and loaded fine regardless as to if the icon is there or not.

Maybe this has always happened, and I’m just noticing it now or something. Maybe it’s a bug.

Not really sure if it’s worth using it again in the future.
I can supply logs if needed since I wasn’t planning on using my computer for anything till next week maybe.
 
If the Virus & Threat Protection has a green tick, then all is well.
 
Do you mean on the icon that appears in the Windows tray?
It does have a green tick after it loads, but for some reason after running KpRm and restarting, it wouldn't load no matter how long I waited. After restarting again, it loaded just fine.
It makes me recall what happened last month, where my Windows settings wouldn't load for some reason after running KpRm and restarting. So I was forced to restart a second time, and that fixed it.
Maybe it's an issue with KpRm or something, but I can't say.
 
Windows Security is running.

To uninstall FRST, just rename it to Uninstall.exe and then double click it to run.
 
It is, but for some reason the icon wasn’t appearing in the taskbar tray until I restarted a second time.
To uninstall FRST, just rename it to Uninstall.exe and then double click it to run.
Does that get rid of the logs that are created by it too?
I was always under the assumption that you had to use KpRm in order to clean up everything
 
You can delete the logs by yourself, in case you use the rename method to uninstall the tool.
 