Windows Server 2016 x64 - unable to enable Defender Missing KB's

Please also post the latest Event Logs.
Code:
wevtutil epl SYSTEM "%userprofile%\Desktop\System.evt"
wevtutil epl APPLICATION "%userprofile%\Desktop\Application.evt"
 
(...) He's just sent a policy update that will enable me to stop the Trend service.
It looks like MsSense is still crashing because Trend Micro is running? Please disable the TM services and try to start the WinDefend and Sense services again.

Code:
6/13/2024 10:26:54 AM    coreServiceShell.exe    QueryStandardInformationFile    C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\MsSense.exe.4268.protected.dmp    SUCCESS    AllocationSize: 1,724,416, EndOfFile: 1,720,782, NumberOfLinks: 1, DeletePending: False, Directory: False
6/13/2024 10:26:54 AM    coreServiceShell.exe    CreateFile    C:\ProgramData\Trend Micro\AMSP\temp\virus\VSLJE000.800    SUCCESS    Desired Access: Generic Read/Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created
6/13/2024 10:26:54 AM    coreServiceShell.exe    ReadFile    C:\Program Files\Trend Micro\AMSP\module\10008\pattern\crcz.ptn    SUCCESS    Offset: 85,190, Length: 3
6/13/2024 10:26:54 AM    coreServiceShell.exe    CloseFile    C:\ProgramData\Trend Micro\AMSP\temp\virus\VSLJE000.800    SUCCESS   
6/13/2024 10:26:54 AM    coreServiceShell.exe    CloseFile    C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\MsSense.exe.4268.protected.dmp    SUCCESS   
6/13/2024 10:26:54 AM    coreServiceShell.exe    CreateFile    C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\MsSense.exe.4268.protected.dmp    SUCCESS    Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Requiring Oplock, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
6/13/2024 10:26:54 AM    coreServiceShell.exe    QueryInformationVolume    C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\MsSense.exe.4268.protected.dmp    SUCCESS    VolumeCreationTime: 3/9/2020 7:18:06 PM, VolumeSerialNumber: 58B3-1309, SupportsObjects: True, VolumeLabel:
6/13/2024 10:26:54 AM    coreServiceShell.exe    QueryAllInformationFile    C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\MsSense.exe.4268.protected.dmp    BUFFER OVERFLOW    CreationTime: 6/13/2024 10:26:54 AM, LastAccessTime: 6/13/2024 10:26:54 AM, LastWriteTime: 6/13/2024 10:26:54 AM, ChangeTime: 6/13/2024 10:26:54 AM, FileAttributes: ANCI, AllocationSize: 1,724,416, EndOfFile: 1,720,782
6/13/2024 10:26:54 AM    coreServiceShell.exe    CloseFile    C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\MsSense.exe.4268.protected.dmp    SUCCESS   
6/13/2024 10:26:54 AM    WerFaultSecure.exe    QueryNameInformationFile    C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8735.26020.1009\MsSense.exe    BUFFER OVERFLOW    Name: \ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8735.26020.100
 
Bravo!! WinDefend is now running!! That's why I was able to start WinDefend a few days ago: Trend must have been disabled. When I rebooted, Trend must have reactivated.

WinDefend is now running.
Sense still will not start.

Services view: Sense is not running.

CMD view (seems to think it's running when I try to start it).
 
I wonder if Trend Micro has quarantined or pre-emptively blocked certain files in the ATP folder? Please copy the folder below from the working server to the problem server again. The ProcMon trace also shows several missing files.

Code:
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection
 
I've copied the folder across and here's how we are looking.

Working server

Problem server

The files below would not copy, but they look like log outputs.

Service still not starting.
I'll attach fresh event logs and Process Monitor logs in the next post.
 
Please run the following command(s) on the working and problem server:
Code:
reg save "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" "%userprofile%\Desktop\Working.hiv"
reg save "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" "%userprofile%\Desktop\Problem.hiv"
 
Please do the following on both servers.

Start the Farbar Recovery Scan Tool again.
  • Right-click on the file FRST64.exe and choose Run as administrator.
  • Copy and paste the following (code) into the Search box and click the Search Registry button.
Code:
Windows Defender Advanced Threat Protection
  • When the scan is complete, a message will display that SearchReg.txt is saved in the same folder FRST was started from.
  • Post the logfile SearchReg.txt as attachment in your next reply.
 
Please run the following command on both servers.
Code:
dir /s /a "C:\Program Files\Windows Defender Advanced Threat Protection\" > "%userprofile%\Desktop\Dirlist.txt"

[Edit] Also do the following:

Start the Farbar Recovery Scan Tool again.
  • Right-click on the file FRST64.exe and choose Run as administrator.
  • Copy and paste the following (code) into the Search box and click the Search Registry button.
Code:
MsSense.exe
  • When the scan is complete, a message will display that SearchReg.txt is saved in the same folder FRST was started from.
  • Post the logfile SearchReg.txt as attachment in your next reply.
 
Please export the following keys from the working server:
Code:
reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsSense.exe" "%userprofile%\Desktop\IFEO1.reg"
reg export "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsSense.exe" "%userprofile%\Desktop\IFEO2.reg"
 
Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFixScript.txt and save it to your desktop.
  • Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.

  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.

Afterwards reboot the problem server, disable the TM-service and try to start the Sense service.
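The checks this thread walks through by hand (WinDefend/Sense/Trend Micro service state, the IFEO keys for MsSense.exe, the ATP ProgramData folder, the MsSense crash dumps seen in the ProcMon trace) gathered into one read-only PowerShell report, as an added example that is not part of the thread. The Trend Micro display-name filter (`*Trend*`) is an assumption; adjust it to the product installed.

```powershell
# Added diagnostic script (not from the thread). Read-only: collects the items the
# thread requests one by one so the working and problem servers can be compared.
$report = [ordered]@{}

# 1. Defender / Sense service state, plus any Trend Micro services (name filter is an assumption)
$report.Services = Get-Service -Name 'WinDefend','Sense' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
$report.TrendServices = Get-Service | Where-Object { $_.DisplayName -like '*Trend*' } |
    Select-Object Name, DisplayName, Status, StartType

# 2. Image File Execution Options for MsSense.exe: a Debugger value here is applied to
#    every launch of MsSense.exe, so a difference between servers matters (same two keys
#    the thread exports with reg export)
$ifeo = @(
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsSense.exe',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsSense.exe'
)
$report.IFEO = foreach ($k in $ifeo) {
    if (Test-Path $k) { Get-ItemProperty -Path $k | Select-Object PSPath, Debugger, GlobalFlag }
    else { [pscustomobject]@{ PSPath = $k; Debugger = '<key absent>'; GlobalFlag = $null } }
}

# 3. ATP platform folder: file count and total size for a quick cross-server compare
$atp = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
if (Test-Path $atp) {
    $files = Get-ChildItem -Path $atp -Recurse -File -Force -ErrorAction SilentlyContinue
    $report.AtpFolder = [pscustomobject]@{
        Files = $files.Count
        Bytes = ($files | Measure-Object -Property Length -Sum).Sum
    }
} else {
    $report.AtpFolder = '<folder absent>'
}

# 4. MsSense crash dumps written under the SYSTEM profile (the path from the ProcMon trace)
$dumps = 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps'
$report.Dumps = Get-ChildItem -Path $dumps -Filter 'MsSense.exe.*.dmp' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

# Print each section; redirect the whole script to a file to attach it to a reply
$report.GetEnumerator() | ForEach-Object {
    "== $($_.Key) =="
    $_.Value | Format-Table -AutoSize | Out-String
}
```

Run it from an elevated PowerShell on both servers and diff the two outputs; an IFEO Debugger value or a much smaller ATP folder on the problem server is what to look for.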