| 1 | +--- |
| 2 | +title: Troubleshoot Microsoft Defender Antivirus service startup problems |
| 3 | +description: Learn how to troubleshoot Microsoft Defender Antivirus service startup problems. |
| 4 | +author: denisebmsft |
| 5 | +ms.author: ewalsh |
| 6 | +manager: ewalsh |
| 7 | +ms.reviewer: yongrhee |
| 8 | +ms.service: defender-endpoint |
| 9 | +ms.topic: troubleshooting-general |
| 10 | +ms.date: 01/18/2025 |
| 11 | +ms.subservice: ngp |
| 12 | +ms.localizationpriority: medium |
| 13 | +ms.collection: # Useful for querying on a set of strategic or high-priority content. |
| 14 | +ms.custom: partner-contribution |
| 15 | +search.appverid: MET150 |
| 16 | +f1.keywords: NOCSH |
| 17 | +audience: ITPro |
| 18 | +--- |
| 19 | + |
| 20 | +# Troubleshoot Microsoft Defender Antivirus service startup problems |
| 21 | + |
| 22 | +**Applies to:** |
| 23 | + |
| 24 | +- [Microsoft Defender XDR](/defender-xdr) |
| 25 | + |
| 26 | +- [Microsoft Defender for Endpoint Plan 1 and 2](microsoft-defender-endpoint.md) |
| 27 | + |
| 28 | +- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) |
| 29 | + |
| 30 | +- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) |
| 31 | + |
| 32 | +- Microsoft Defender Antivirus |
| 33 | + |
| 34 | +In the following screenshot, **Virus & threat protection** displays a red cross, where it says **Threat service has stopped. Restart it now**. |
| 35 | + |
| 36 | +:::image type="content" source="media/virus-threat-protection.jpg" alt-text="Screenshot of virus and threat protection notification."::: |
| 37 | + |
| 38 | +Within **Security Providers**, you can see the following. <br> **Microsoft Defender Antivirus is turned off**. |
| 39 | + |
| 40 | +:::image type="content" source="media/security-providers.png" alt-text="Screenshot of security providers."::: |
| 41 | + |
| 42 | +The following screenshot displays the message: **Threat service has stopped. Restart it now.** |
| 43 | + |
| 44 | +:::image type="content" source="media/virus-threat-protection-2.png" alt-text="Screenshot of threat service has stopped."::: |
| 45 | + |
| 46 | +The following screenshot displays the message: **Unexpected error. Sorry, we ran into a problem. Please try again.** <br> Select **Close**. |
| 47 | + |
| 48 | +:::image type="content" source="media/unexpected-error.png" alt-text="Screenshot of unexpected error." lightbox="media/unexpected-error.png"::: |
| 49 | + |
| 50 | +## Events |
| 51 | + |
| 52 | +The *Windows Defender – Operational* event log might display the following events: |
| 53 | + |
| 54 | +### Event 5007 |
| 55 | + |
| 56 | +The configuration of Microsoft Defender Antivirus has changed. If you expected this event, review the settings, as it may be the result of malware. |
| 57 | + |
| 58 | +|Old value |New value | |
| 59 | +|---------|---------| |
| 60 | +|`HKLM\SOFTWARE\Microsoft\Windows Defender\Diagnostics\RolledbackPlatformHealthData = <OVERALL>:<BAD>, <AGE>:<36>, <DIRTY_SHUTDOWNS>:<22>` | `Default\Diagnostics\RolledbackPlatformHealthData = 0` | |
| 61 | +|`Default\ServiceStartStates = 0x0` | `HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1` | |
| 62 | +|`HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1` | `Default\ServiceStartStates = 0x0` | |
| 63 | +|`Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender` | `HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsft\Windows Defender` | |
| 64 | +|`Default\IsServiceRunning = 0x0` | `HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1` | |
| 65 | +|`Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender` | `HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender` | |
| 66 | +|`Default\IsServiceRunning = 0x0` |`HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1` | |
| 67 | + |
| 68 | +### Event 5001 |
| 69 | + |
| 70 | +Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled. |
| 71 | + |
| 72 | +## Resolution |
| 73 | + |
| 74 | +Follow these steps to resolve the issue: |
| 75 | + |
| 76 | +1. Check the services and filter drivers for Microsoft Defender Antivirus. |
| 77 | + |
| 78 | + Run the following PowerShell command as an administrator. |
| 79 | +```powershell |
| 80 | +gsv WinDefend, WdBoot, WdFilter, WdNisSvc, WdNisDrv, SecurityHealthService, wscsvc | ft -auto DisplayName, Name, StartType, Status |
| 81 | +``` |
| 82 | + |
| 83 | +| Display Name | Name | StartType | Status | Comments | |
| 84 | +| --- | --- | --- | --- | --- | |
| 85 | +| Windows Security Service | SecurityHealthService | Manual | Running | | |
| 86 | +| Microsoft Defender Antivirus Boot Driver | WdBoot | Boot | Stopped | It’s normal to be stopped after boot. | |
| 87 | +| Microsoft Defender Antivirus Mini-Filter Driver | WdFilter | Boot | Running | If stopped, check steps 3, 6, 7. | |
| 88 | +| Microsoft Defender Antivirus Network Inspection System Driver | WdNisDrv | Manual | Running | If stopped, check steps 3, 6, 7. | |
| 89 | +| Microsoft Defender Antivirus Network Inspection Service | WdNisSvc | Manual | Running | If stopped, check steps 3, 6, 7. | |
| 90 | +| Microsoft Defender Antivirus Service | WinDefend | Automatic | Running | If stopped, check steps 3, 6, 7. | |
| 91 | +| wscsvc | Security Center | Automatic | Running | | |
| 92 | + |
| 93 | +1. Download and run the [Microsoft Safety Scanner](safety-scanner-download.md) to rule out any malware. |
| 94 | + |
| 95 | +1. If you're using Microsoft Defender Antivirus as your primary antivirus, make sure to uninstall third-party antivirus software. |
| 96 | + |
| 97 | +1. Remove the **Security Intelligence** and **engine**. |
| 98 | + |
| 99 | + Run the following PowerShell command as an administrator. |
| 100 | + |
| 101 | + ```powershell |
| 102 | + & "${env:ProgramFiles}\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
| 103 | + ``` |
| 104 | +
|
| 105 | +1. Reset the **Platform**. |
| 106 | +
|
| 107 | + Run the following PowerShell command as an administrator. |
| 108 | +
|
| 109 | + ```powershell |
| 110 | + & "${env:ProgramFiles}\Windows Defender\MpCmdRun.exe" -ResetPlatform |
| 111 | + ``` |
| 112 | +
|
| 113 | +1. Backup Microsoft Defender Antivirus policies. |
| 114 | +
|
| 115 | + Run the following PowerShell command as an administrator. |
| 116 | +
|
| 117 | + ```powershell |
| 118 | + New-Item -Path "C:\temp" -ItemType Directory |
| 119 | + Invoke-Command {reg export 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' C:\Temp\MDAV\_backup.reg |
| 120 | + ``` |
| 121 | +
|
| 122 | +1. Delete any policies that are set for Microsoft Defender Antivirus. |
| 123 | +
|
| 124 | + Run the following PowerShell command as an administrator. |
| 125 | +
|
| 126 | + ```powershell |
| 127 | + Remove-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Force |
| 128 | + ``` |
| 129 | + For more information, see: [Troubleshoot Microsoft Defender Antivirus settings](troubleshoot-settings.md). |
| 130 | +
|
| 131 | +1. Re-enable Microsoft Defender Antivirus. |
| 132 | +
|
| 133 | + Run the following PowerShell command as an administrator. |
| 134 | +
|
| 135 | + ```powershell |
| 136 | + & "${env:ProgramFiles}\Windows Defender\MpCmdRun.exe" -WdEnable |
| 137 | + ``` |
| 138 | +
|
| 139 | +1. Update Security Intelligence. |
| 140 | +
|
| 141 | + Run the following PowerShell command as an administrator. |
| 142 | +
|
| 143 | + ```powershell |
| 144 | + & "${env:ProgramFiles}\Windows Defender\MpCmdRun.exe" -SignatureUpdate -MMPC |
| 145 | + ``` |
| 146 | +
|
| 147 | +1. Make sure that **Tamper Protection** is enabled. |
| 148 | +
|
| 149 | + :::image type="content" source="media/tamper-protection.png" alt-text="Screenshot of Tamper Protection is enabled."::: |
| 150 | +
|
| 151 | +1. Run **Microsoft Update**. |
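Review bot: The backup command at line 119 cannot run as written, and the next step (line 127) deletes the policy key it is meant to preserve. The script block opened by `Invoke-Command {` is never closed, and the export target `C:\Temp\MDAV\_backup.reg` points into a `C:\Temp\MDAV` folder that line 118 does not create (it only creates `C:\temp`); the `\_` looks like a Markdown escape carried into the code fence. Suggest dropping the `Invoke-Command` wrapper and using `reg export 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' C:\temp\MDAV_backup.reg`, then telling the reader to confirm the .reg file exists before continuing. On line 127, `Remove-Item` without `-Recurse` prompts for confirmation when the key has subkeys, so state the intended behavior or add the switch. Smaller points: line 56 reads "If you expected this event, review the settings", which looks inverted for a message about possible malware; line 63 spells the path `C:\ProgramData\Microsft\Windows Defender` while line 65 has `Microsoft`; the last table row (line 91) has `wscsvc` under Display Name and `Security Center` under Name, the reverse of the rows above it; and the fence at lines 79-81 is not indented under its list item the way the later fences are, which can break the numbered list that the table's "steps 3, 6, 7" references depend on.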