[SOLVED] Windows Server 2016 failing updates error 0x80246002

Rich (BB code):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend => could not remove, key could be protected
Registry ====> ERROR: Not all data was successfully written to the registry.
       Some keys are open by the system or other processes, or you have insufficient privileges to perform this operation.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 26-07-2023 13:42:56)


Result of scheduled keys to remove after reboot:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend => could not remove, key could be protected

FRST failed as well. Is Vimana.Companion.exe still running, and is it part of RMM software that monitors registry changes? Does it have a behaviour-blocking function?
 
Vimana.Companion.exe is running again (to avoid alerts for being disabled longer).
To my knowledge it should not be a part of RMM software (as I understand what RMM is).
Should not have a behaviour blocking function. Can usually change in registry.
 
Ok, let's list the permissions for the service key using FRST.

Start the Farbar Recovery Scan Tool again.
  • Download the attachment fixlist.txt and save it to your desktop.
  • Right-click on FRST.exe and select "Run as administrator".
  • Press the Fix button.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally.
  • When finished, a log called Fixlog.txt will appear in the same directory the tool is run from.
  • Post the logfile Fixlog.txt as attachment in your next reply.
 


Do you recognize the following SID (for account x)?
Code:
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681    ALLOW    Read    (CI-I)
 
Can't even find any user or group with a SID starting with "S-1-15".
Checked both AD and local.
 
Hmm, then I wonder if this SID is set for other services as well or only for WinDefend. Could you please check that in the registry?
Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend
 
Please right click "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend" and click permissions, then you will see the SID.

Do the same for some other services, like Winmgmt and wuauserv, to see if they also contain this SID.
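
The check requested above (whether the SID is set on other service keys or only on WinDefend) can also be scripted; this is an added PowerShell example, not part of the original thread. The SID and the three service names come from the thread, and the function name `Get-ServiceKeyAce` is hypothetical.

```powershell
# Added example: report where one SID appears in the ACLs of service registry keys.
# SID and service names are the ones quoted in the thread.
# Note: SIDs under S-1-15-3 are Windows capability SIDs, not user or group
# accounts, so they do not resolve to a name in AD or the local account database.
$TargetSid = 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681'
$Services  = 'WinDefend', 'Winmgmt', 'wuauserv'

function Get-ServiceKeyAce {   # hypothetical helper name
    param([string[]]$Name, [string]$Sid)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($svc in $Name) {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        try {
            $acl = Get-Acl -Path $path -ErrorAction Stop
        } catch {
            # Missing key or access denied: record it and move on to the next key
            [pscustomobject]@{ Service = $svc; Present = $null; Owner = $null
                               Type = $null; Rights = $null; Inherited = $null
                               Note = $_.Exception.Message }
            continue
        }
        # Request raw SIDs so entries that cannot be translated to a name still match
        $aces = @($acl.GetAccessRules($true, $true, $sidType) |
                  Where-Object { $_.IdentityReference.Value -eq $Sid })
        if ($aces.Count -eq 0) {
            [pscustomobject]@{ Service = $svc; Present = $false; Owner = $acl.Owner
                               Type = $null; Rights = $null; Inherited = $null
                               Note = 'SID not in ACL' }
            continue
        }
        foreach ($ace in $aces) {
            [pscustomobject]@{ Service = $svc; Present = $true; Owner = $acl.Owner
                               Type = $ace.AccessControlType
                               Rights = $ace.RegistryRights
                               Inherited = $ace.IsInherited
                               Note = '' }
        }
    }
}

Get-ServiceKeyAce -Name $Services -Sid $TargetSid | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; a row with an empty `Present` column means the ACL of that key could not be read, and the `Note` column carries the error.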
 
Ok, please do the following.

Code:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s > "%userprofile%\desktop\ProfileList.txt"
reg query "HKEY_USERS" /s >> "%userprofile%\desktop\ProfileList.txt"
 
Hi,

Perhaps it is worth trying to re-install Windows Defender.
Code:
Dism /Online /Disable-Feature /FeatureName:Windows-Defender-Features
Dism /Online /Disable-Feature /FeatureName:Windows-Defender
Dism /Online /Disable-Feature /FeatureName:Windows-Defender-Gui

Reboot the server and install Windows Defender.
Code:
Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Features
Dism /Online /Enable-Feature /FeatureName:Windows-Defender
Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Gui
 
Please check if the Windows Defender service is started; if not, please try to start it manually.
 
Service is not running.
When trying to start it,
Code:
---------------------------
Services
---------------------------
Windows could not start the Windows Defender Service service on Local Computer.



Error 0x80070003: The system cannot find the path specified.


---------------------------
OK   
---------------------------
 
Open REGEDIT and navigate to: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend" > right click permissions, select administrators and post a screenshot of it.
 
