Can't re-enable Windows Defender service even as administrator

2

1

I found that my Windows Defender settings were disabled, saying 'managed by organization', so I followed this guide to fix it (essentially getting rid of the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender key and subkeys). After a reboot, Windows Defender is still unable to start the service. A look at the service dialog and this is what I see:

This is while running as administrator, goes without saying

The same problem for the related Windows Defender Antivirus Network Inspection Service. How do I fix this?

Edit - I found this in the event log -

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

I opened the Component services tool, but there's no mention of this component, and I don't know how to use this.

Rex

Posted 2018-11-03T05:05:51.387

Reputation: 390

Can you set the Start DWORD to 3 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend, then restart the computer? I assume it's then started even if you can't change it from services.msc. – HelpingHand – 2018-11-03T09:24:27.057

It got changed to 'manual', and when I open security center I'm back to square one - 'all settings managed by organization', and under gpedit.msc everything has been verifiably set to 'not configured'. – Rex – 2018-11-03T11:16:55.393

Answers

2

Things to try:

  • If you have installed any third-party anti-virus, uninstall, reboot and try again. See this list for more thorough removal tools.

  • Start an elevated Command Prompt (cmd) and run the command:

    sc start WinDefend Enable
    
  • Run sfc /scannow

  • Start Local Group Policy Editor (gpedit.msc), navigate to Computer Configuration\Administrative Templates\Windows Components\Windows Defender, double-click Turn off Windows Defender, and set to Not Configured

  • Start an elevated Command Prompt (cmd) and run the following commands:

    regsvr32 wuaueng.dll
    regsvr32 wucltui.dll
    regsvr32 softpub.dll
    regsvr32 wintrust.dll
    regsvr32 initpki.dll
    regsvr32 wups.dll
    regsvr32 wuweb.dll
    regsvr32 atl.dll
    regsvr32 mssip32.dll
    

    You may use the free FixWin to do that, using its option "Repair Windows Defender. Reset all Windows Defender settings to default".

  • In case of an inconsistent WMI repository, run the command:

    winmgmt /verifyrepository
    

    If you get a message “WMI repository is not consistent”, run the following command:

    winmgmt /salvagerepository
    
  • Start a Command prompt (cmd) as SYSTEM using "psexec -sid cmd.exe", launch services.msc from it, and the Startup type drop-down should now become enabled.

  • Run deep anti-virus scans by several well-known anti-virus products. Many of these products offer online one-time scans.

  • As a last resort, do a Repair Install of Windows 10 with an In-place Upgrade.

Before starting, ensure you have very good backups.


Edit:

Regarding the specific error message you found in the log, it seems like it's not a serious problem, but can be avoided.

The thread says this:

The problem in this case is that the service for Windows SecurityCenter (wscsvc) has a delayed autostart while "things" like the WscBrokerManager and WscCloudBackupProvider try to initiate very early in the startup process. It will fail with error event 10016. wscsvc will initiate after ~2 minutes and then everything will be instantiated as normal so you will have no side effects of these errors in the event log but it's annoying.

You solve this by changing the service wscsvc from delayed autostart to normal autostart. You don't (normally) have permission to do it from the services app so you must do it in the registry.

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

Change the DWORD DelayedAutoStart from 1 to 0.

Try this fix, maybe it has some more effects than it seems.

harrymc

Posted 2018-11-03T05:05:51.387

Reputation: 306 093
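
A read-only way to collect the state that the steps above touch, as an added example that is not part of the original answer. It reports the policy key from the question, the Start and DelayedAutoStart DWORDs discussed in the thread, and recent 10016 events; the service name WdNisSvc and the Start-value labels are not on the page and are supplied here.

```powershell
# Added example: read-only report of the settings this thread changes.
# Run from an elevated PowerShell prompt; nothing here modifies the system.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Standard meanings of a service's Start DWORD (labels supplied here, not from the page).
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# 1. Values still present under the policy key (and its subkeys) from the question.
$policyValues = @()
if (Test-Path $policyKey) {
    $keys = @(Get-Item $policyKey) + @(Get-ChildItem $policyKey -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $policyValues += [pscustomobject]@{ Key = $k.Name; Value = $name; Data = $k.GetValue($name) }
        }
    }
}
if ($policyValues.Count) { $policyValues | Format-Table -AutoSize -Wrap } else { "No policy values under $policyKey" }

# 2. Service state plus the Start and DelayedAutoStart DWORDs edited in the thread.
#    WdNisSvc is the Network Inspection Service (name supplied here, not on the page).
$services = foreach ($svc in 'WinDefend', 'WdNisSvc', 'wscsvc') {
    $reg = Get-ItemProperty -Path "$svcRoot\$svc" -ErrorAction SilentlyContinue
    $s   = Get-Service -Name $svc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service          = $svc
        Status           = if ($s) { $s.Status } else { 'not found' }
        Start            = if ($reg) { $startNames[[int]$reg.Start] } else { 'no registry key' }
        DelayedAutoStart = if ($reg) { $reg.DelayedAutoStart } else { $null }
    }
}
$services | Format-Table -AutoSize

# 3. Most recent DCOM 10016 events, the event ID confirmed in the comments.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } } |
    Format-List
```

In this thread the policy key was already cleared and the start type could be set, yet the service still failed with error 1053, and a third-party scan then found malware; a clean report here combined with that failure points to the scan steps in the list rather than further permission changes.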

Thanks for the detailed steps.

  • Not using any 3rd party AV, sfc reported no problems and I had already reset group policy to nil.
  • WMI repository is reported consistent.
  • psexec trick worked, now was able to make the service startup automatically, but I can't start it from there (1053: service did not respond in a timely fashion).

But after all this, when I click the button in Defender Security Center to restart the threat service, it again reports an 'unexpected' error. – Rex – 2018-11-04T04:44:49.420

I have added two more steps, which I hoped wouldn't be necessary. – harrymc – 2018-11-04T08:25:42.247

I found something else in the event log..have updated the question. – Rex – 2018-11-06T08:41:35.020

What is the event id? – harrymc – 2018-11-06T08:54:17.530

I added to my answer. – harrymc – 2018-11-06T09:01:54.927

Yup, the event ID was 10016. Let me try this. – Rex – 2018-11-06T09:22:11.707

Didn't work. Also have set ownership on the CLSID for Defender in the registry so I could fix permissions with dcomcnfg, and now even after changing service type to automatic, 'the service didn't respond in a timely fashion'. – Rex – 2018-11-07T11:47:59.727

I think you are getting closer to my above last resort measure. – harrymc – 2018-11-07T11:50:20.540

Decided to just get Kaspersky instead. Lo and behold, it found a bunch of malware. – Rex – 2018-11-07T13:54:05.370

That was my before-last item. – harrymc – 2018-11-07T14:16:35.083

Yep, marking this as the answer. I think I'll stick with Kaspersky, not sure if removing it will re-enable Defender or I'll be stuck with the permissions thing again. I'd gotten along fine with just Defender so far, now have to rethink it. – Rex – 2018-11-07T18:57:16.467

If your computer has been successfully cleaned, you could try without Kaspersky. – harrymc – 2018-11-07T19:43:25.277

Yeah, maybe I will do that. I've not used any antivirus since MSE was launched for Windows 7 about 5 years ago. – Rex – 2018-11-09T13:28:58.610

You should also spend some time on your other defenses, especially in the browser, to avoid being re-infected. – harrymc – 2018-11-09T13:32:12.883

Uninstalled Kaspersky, and it's back to the same problem. I usually stick to Pale Moon, a Firefox fork, but had to use Chromium for a few sites. Behold, everything Kaspersky found was from Chromium's cache. Chrom(e/ium) is the new IE. – Rex – 2018-11-09T13:37:55.537