|
| 1 | +--- |
| 2 | +title: Troubleshoot Microsoft Defender Antivirus service startup problems |
| 3 | +description: Find out where settings for Microsoft Defender Antivirus are coming from. |
| 4 | +author: denisebmsft |
| 5 | +ms.author: deniseb |
| 6 | +manager: deniseb |
| 7 | +ms.reviewer: yongrhee |
| 8 | +ms.service: defender-endpoint |
| 9 | +ms.topic: troubleshooting-general |
| 10 | +ms.date: 01/18/2025 |
| 11 | +ms.subservice: ngp |
| 12 | +ms.localizationpriority: medium |
| 13 | +ms.collection: # Useful for querying on a set of strategic or high-priority content. |
| 14 | +ms.custom: partner-contribution |
| 15 | +search.appverid: MET150 |
| 16 | +f1.keywords: NOCSH |
| 17 | +audience: ITPro |
| 18 | +--- |
| 19 | + |
| 20 | +## Troubleshoot Microsoft Defender Antivirus service startup problems |
| 21 | + |
| 22 | +**Applies to:** |
| 23 | + |
| 24 | +- [Microsoft Defender XDR](/defender-xdr) |
| 25 | + |
| 26 | +- [Microsoft Defender for Endpoint Plan 1 and 2](microsoft-defender-endpoint) |
| 27 | + |
| 28 | +- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) |
| 29 | + |
| 30 | +- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) |
| 31 | + |
| 32 | +- Microsoft Defender Antivirus |
| 33 | + |
| 34 | +You may notice that **Virus & threat protection** has a red cross, where it says **Threat service has stopped. Restart it now**. |
| 35 | + |
| 36 | +:::image type="content" source="media/virus-threat-protection.jpg" alt-text="Screenshot of virus and threat protection notification." lightbox="media/virus-threat-protection.jpg"::: |
| 37 | + |
| 38 | +Within **Security Providers**, you may see the following: |
| 39 | + |
| 40 | +:::image type="content" source="media/security-providers.png" alt-text="Screenshot of security providers." lightbox="media/security-providers.png"::: |
| 41 | + |
| 42 | +You can see that **Microsoft Defender Antivirus is turned off.** |
| 43 | + |
| 44 | +:::image type="content" source="media/virus-threat-protection-2.png" alt-text="Screenshot of threat service has stopped." lightbox="media/virus-threat-protection-2.png"::: |
| 45 | + |
| 46 | +See the message: **Threat service has stopped. Restart it now.** |
| 47 | + |
| 48 | +:::image type="content" source="media/unexpected-error.png" alt-text="Screenshot of unexpected error." lightbox="media/unexpected-error.png"::: |
| 49 | + |
| 50 | +You can see the message: **Unexpected error. Sorry, we ran into a problem. Please try again.** <br> Click **Close**. |
| 51 | + |
| 52 | +### Events |
| 53 | + |
| 54 | +You may see the following events in the *Windows Defender – Operational* event log: |
| 55 | + |
| 56 | +#### Event 5007 |
| 57 | + |
| 58 | +Microsoft Defender Antivirus Configuration has changed. If this is an expected event you should review the settings as this may be the result of malware. |
| 59 | + |
| 60 | +|Old value |New value | |
| 61 | +|---------|---------| |
| 62 | +|`HKLM\SOFTWARE\Microsoft\Windows Defender\Diagnostics\RolledbackPlatformHealthData = <OVERALL>:<BAD>,<AGE>:<36>,<DIRTY_SHUTDOWNS>:<22>` | `Default\Diagnostics\RolledbackPlatformHealthData = 0` | |
| 63 | +|`Default\ServiceStartStates = 0x0` | `HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1` | |
| 64 | +|`HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1` | `Default\ServiceStartStates = 0x0` | |
| 65 | +|`Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender` | `HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsft\Windows Defender` | |
| 66 | +|`Default\IsServiceRunning = 0x0` | `HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1` | |
| 67 | +|`Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender` | `HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender` | |
| 68 | +|`Default\IsServiceRunning = 0x0` |`HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1` | |
| 69 | + |
| 70 | +#### Event 5001 |
| 71 | + |
| 72 | +Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled. |
| 73 | + |
| 74 | +### Resolution |
| 75 | + |
| 76 | +The following steps will help to resolve the issue: |
| 77 | + |
| 78 | +1. Check the services and filter drivers for Microsoft Defender Antivirus. |
| 79 | + |
| 80 | + Run the following PowerShell command as an administrator. |
| 81 | +```powershell |
| 82 | +gsv WinDefend, WdBoot, WdFilter, WdNisSvc, WdNisDrv, SecurityHealthService, wscsvc | ft -auto DisplayName, Name, StartType, Status |
| 83 | +``` |
| 84 | + |
| 85 | +| Display Name | Name | StartType | Status | Comments | |
| 86 | +| --- | --- | --- | --- | --- | |
| 87 | +| Windows Security Service | SecurityHealthService | Manual | Running | | |
| 88 | +| Microsoft Defender Antivirus Boot Driver | WdBoot | Boot | Stopped | It’s normal to be stopped after boot. | |
| 89 | +| Microsoft Defender Antivirus Mini-Filter Driver | WdFilter | Boot | Running | If stopped, please check steps 3, 6, 7. | |
| 90 | +| Microsoft Defender Antivirus Network Inspection System Driver | WdNisDrv | Manual | Running | If stopped, please check steps 3, 6, 7. | |
| 91 | +| Microsoft Defender Antivirus Network Inspection Service | WdNisSvc | Manual | Running | If stopped, please check steps 3, 6, 7. | |
| 92 | +| Microsoft Defender Antivirus Service | WinDefend | Automatic | Running | If stopped, please check steps 3, 6, 7. | |
| 93 | +| wscsvc | Security Center | Automatic | Running | | |
| 94 | + |
| 95 | +2. Download and run the [Microsoft Safety Scanner](safety-scanner-download.md) to try ruling out any malware. |
| 96 | + |
| 97 | +3. If you are trying to use Microsoft Defender Antivirus as your primary antivirus, make sure to uninstall the third-party antivirus software. |
| 98 | + |
| 99 | +4. Remove the **Security Intelligence** and **engine**. |
| 100 | + |
| 101 | + Run the following PowerShell command as an administrator. |
| 102 | + |
| 103 | + ```powershell |
| 104 | + & "${env:ProgramFiles}\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
| 105 | + ``` |
| 106 | +
|
| 107 | +5. Reset the **Platform**. |
| 108 | +
|
| 109 | + Run the following PowerShell command as an administrator. |
| 110 | +
|
| 111 | + ```powershell |
| 112 | + & "${env:ProgramFiles}\Windows Defender\MpCmdRun.exe" -ResetPlatform |
| 113 | + ``` |
| 114 | +
|
| 115 | +6. Backup Microsoft Defender Antivirus policies |
| 116 | +
|
| 117 | + Run the following PowerShell command as an administrator. |
| 118 | +
|
| 119 | + ```powershell |
| 120 | + New-Item -Path "C:\temp" -ItemType Directory |
| 121 | + Invoke-Command {reg export 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' C:\Temp\MDAV\_backup.reg |
| 122 | + ``` |
| 123 | +
|
| 124 | +7. Delete any policies that might have been set for Microsoft Defender Antivirus. |
| 125 | +
|
| 126 | + Run the following PowerShell command as an administrator. |
| 127 | +
|
| 128 | + ```powershell |
| 129 | + Remove-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Force |
| 130 | + ``` |
| 131 | + For more information, see: [Troubleshoot Microsoft Defender Antivirus settings](troubleshoot-settings.md). |
| 132 | +
|
| 133 | +8. Re-enable Microsoft Defender Antivirus |
| 134 | +
|
| 135 | + Run the following PowerShell command as an administrator. |
| 136 | +
|
| 137 | + ```powershell |
| 138 | + & "${env:ProgramFiles}\Windows Defender\MpCmdRun.exe" -WdEnable |
| 139 | + ``` |
| 140 | +
|
| 141 | +9. Update Security Intelligence |
| 142 | +
|
| 143 | + Run the following PowerShell command as an administrator. |
| 144 | +
|
| 145 | + ```powershell |
| 146 | + & "${env:ProgramFiles}\Windows Defender\MpCmdRun.exe" -SignatureUpdate -MMPC |
| 147 | + ``` |
| 148 | +
|
| 149 | +10. Make sure that **Tamper Protection** is enabled. |
| 150 | +
|
| 151 | +11. Run **Microsoft Update**. |
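Review bot: The backup command in step 6 will not run as written: the `Invoke-Command {` script block is never closed, and the export target `C:\Temp\MDAV\_backup.reg` points into an `MDAV` folder that the preceding `New-Item -Path "C:\temp"` does not create (the `\_` looks like a stray Markdown escape for `C:\Temp\MDAV_backup.reg`). Step 7 deletes the policy key immediately afterwards, so a failed export leaves nothing to restore from. Suggest closing the brace or calling `reg export` directly, fixing the path, and adding `-Force` to `New-Item` so an existing folder does not raise an error. In step 7, `Remove-Item` without `-Recurse` will prompt for confirmation if the key has subkeys. Smaller points: the front-matter `description` talks about where settings come from rather than service startup; the Event 5007 text reads "If this is an expected event you should review the settings", which only makes sense as "unexpected"; the last row of the services table has Display Name and Name swapped (`wscsvc | Security Center`); and the code fence under step 1 is not indented, so it and the table fall outside the list item.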