Windows Server 2016 Unable to reinstall Defender or repair file corruption

[Ming]

Greetings.
Active Directory Domain. Kaspersky Security for Servers installed on entire network. Kaspersky had to be uninstalled (USA). Onboarding Windows Defender for Business. Did uninstall of Kaspersky from the Admin Center.
Of 3 servers, the ADDC had issues with the uninstall (needed Kaspersky removal tool to complete). I cannot reinstall Defender on the ADDC. It fails 0x80073701 cannot find source files.
SFC, DISM (numerous different source files) and reinstalled questionable Windows updates. SFC and Dism both show corruption but neither can fix it. The server was promoted to primary domain controller shortly
before we were informed Kaspersky had to go.
Kaspersky was installed when it was promoted, although disabled for the promotion. For whatever reason this is the only server that Defender was completely uninstalled, I don't know why.
I've attached the requested files. Thank you in advance for your input.
Regards,

 

[Windows Update Bot]

Hi @Ming,

Welcome to Sysnative Forums!

If you haven't already, please review the posting instructions here, and attach the requested log files. Without log files, our helpers will not be able to assist, and this will slow down fixing your machine.

If logs have been already been provided, our team of volunteers will analyse the provided log files to build a fix for your system. Please be aware that this may take several days from your initial post, due to the high volume of threads that we receive.


- Sysnative Windows Update Team

 

[PeterJ]

Hello and welcome,

Follow the instructions below please.

Step 1:
WARNING! The following fix is specific to the user's system in this thread only. No one else should follow these instructions, as it could damage your system.

• Download the attachment SFCFix.zip and save it on your desktop.
• Save any work you have open, and close all programs.
• Drag the SFCFix.zip file over the SFCFix.exe executable and release it.
  
  
• SFCFix will launch, let it complete.
• Once done, a file will appear on your desktop, called SFCFix.txt.
• Open the file, then copy and paste its content in your next reply.

Step 2:
Run the command sfc /scannow in an elevated commandprompt and report the result.
If it fails, copy the file C:\Windows\Logs\CBS\cbs.log to your desktop.
Zip the copied file and attach the zipped cbs.log to your next reply.

 

[Ming]

Peter,
Fantastic, SFC and DISM are free of corruption. I appreciate your fix.
I need to address what started this journey, reinstalling Defender. It still fails to install. CBS attached.
One item to note, the Defender settings tab still displays "Some settings are managed by your organization".
No group policies and no registry entries that I could uncover.
Thank you again.
Ming

 

[PeterJ]

Great.
First of all best wishes for 2025.

SFCFix Scan:

• Download the attachment SFCFixScript.txt and save it on your desktop.
• Save any work you have open, and close all programs.
• Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.
  
  
• SFCFix will launch, let it complete.
• Once done, a file will appear on your desktop, called SFCFix.txt.
• Attach that file to your next reply.

 

[Ming]

Happy New Year! Best wishes for a safe and healthy 2025.

 

[PeterJ]

SFCFix Scan:

• Download the attachment SFCFixScript.txt and save it on your desktop.
• Save any work you have open, and close all programs.
• Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.
  
  
• SFCFix will launch, let it complete.
• Once done, a file will appear on your desktop, called SFCFix.txt.
• Attach that file to your next reply.

 

[Ming]

01/01/25 2nd Script run results

 

[PeterJ]

The log looks normal.
Do you have any other security program installed ?

 

[Ming]

I couldn't find any issues with the registry and all security programs have been uninstalled.
My main issue is reinstalling Defender. Any thoughts on that problem?

 

[PeterJ]

all security programs have been uninstalled.

Which were they ?

Step 1: Remove Update Manually

1. Click on the Start button and in the search box, type Command Prompt.
2. When you see Command Prompt on the list, right-click on it and select Run as administrator.
3. When command prompt opens, copy and paste the following command into it, then press enter.
   wusa /uninstall /KB:4598243
4. Let me know if it says it was successful or if there are any errors.

Step 2: FRST Registry Search

1. Click the Start button and in the search box, type CMD
2. When you see cmd.exe on the list, right-click on it and select Run as administrator.
3. When command prompt opens, copy and paste the following command into it, press enter afterwards.
   
   

   REG LOAD HKLM\COMPONENTS C:\Windows\System32\config\COMPONENTS

   
   Note: This loads your components hive which is what we want. Please keep the command prompt window open while you perform the remaining steps. You can minimize it if you wish but keep it open.
4. Download the Farbar Recovery Scan Tool and save it to your Desktop:
   64-bit: Downloading Farbar Recovery Scan Tool
   Note: Your antivirus program may report FRST incorrectly as an infection. If so, disable the real-time protection when downloading and running FRST.
5. Right-click on the file FRST64.exe and choose Run as administrator.
6. Copy and paste KB4598243 into the Search box and click the Search Registry button.
7. When the scan is complete, a message will display that 'SearchReg.txt' is saved in the same folder FRST was started from. Notepad will open this file also. Close Notepad and attach the file 'SearchReg.txt' to your next reply.
8. You may close any remaining open windows now.

 

[Ming]

Defender and Kaspersky 11.0 security for servers
KB4598243 is not installed.

 

[PeterJ]

Step 1:
Warning: This script was written specifically for this user, for use on that particular machine. Do not run this script on another machine.

1. Download the attachment fixlist.txt and save it to your desktop.
2. Right-click on FRST64.exe and select "Run as administrator".
3. Press the Fix button.
4. The tool will now process fixlist.txt.
5. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
6. When finished, a log called Fixlog.txt will appear in the same directory the tool is run from.
7. Attach the logfile Fixlog.txt to your next reply.

Step 2:
Restart the machine.
Check Windows Defender and report the result.

 

[Ming]

Hi,
It worked but I cannot open the GUI interface for Defender.
The CBS is the Defender install.
Thanks So far so good.
Looks like it might be a permissions issue.
I cannot find anything in the event log.
***Error when trying to start Defender***
C:\ProgramFiles\Windows Defender\msascui.exe
Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.

I did notice that it was still updating when I checked the event log. It was at status 10

 

[PeterJ]

Maybe there are some Kaspersky left-overs.

Step 1:
Download the Kaspersky Removal Tool kavremvr.exe.
Doubleclick kavremr.exe to start the tool.
Click Agree on the "End User License Agreement" window.
Follow the instructions that appear.
Info: Removal tool for Kaspersky applications on Windows (kavremover)

Step 2:
Restart the machine.
Check Windows Defender and report the result.

 

[Ming]

First off, Peter, thank you for all your help. Fantastic work.

I've been thru it several times already. Went back thru my notes and the only thing I found was this server at one time was a testbox for Bitdefender Gravity Zone.
A force uninstall was done before moving it to an ADDC. Ran the uninstalls again with the same results for both Bitdefender and Kaspersky. Cleared of all components.

The only thing I can see is a problem with the integration between the Windows settings interface and the Windows Defender Service.
I can open Defender directly thru msascui.exe but not thru the Windows settings interface.

If that is all it is I'm good, but I am unfamiliar with Defender for Business and if it is required at some point.
I would feel more comfortable knowing that everything was correct before I proceed with the onboarding.

I uninstalled the GUI feature and reinstalled it with no change in function.
Ran SFC /scannow and it shows no corruption. The Defender Policy CSP for doesn't seem to be an issue.

Regards,
Ming

 

[PeterJ]

Your welcome. It is up to you if you want to stop here or not.

You mentioned earlier:

***Error when trying to start Defender***
C:\ProgramFiles\Windows Defender\msascui.exe
Windows cannot access the specified device, path or file.

The path is incorrect. There should be a space between Program and Files. Is that a typo on your part or is it the actual error message?

 

[Ming]

Ah, That's a typo on me.
All the services look like they are loaded and functioning.
I can type that path in file explorer, and it executes the program.
But windows update does have an issue 0x80070006 when checking for updates.

 

[Ming]

Checking the event log.
Service control manager event id 7000
Checking services
BITS not running and would not start. Error 1290

 

[PeterJ]

Step 1:
Warning: This script was written specifically for this user, for use on that particular machine. Do not run this script on another machine.

1. Download the attachment fixlist.txt and save it to your desktop.
2. Right-click on FRST64.exe and select "Run as administrator".
3. Press the Fix button.
4. The tool will now process fixlist.txt.
5. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
6. When finished, a log called Fixlog.txt will appear in the same directory the tool is run from.
7. Attach the logfile Fixlog.txt to your next reply.

Step 2:
Restart the machine.
Any improvement in Control Panel about Windows Defender ?