Switching on RTP again - but how to deal with alerts?

Guest

I decided to try the idea that someone proposed recently, that the multiple
checkpoints in system restore don't happen if, under 'options', we tick the
two boxes requesting notifications about 'software that has not yet been
classified' and 'changes made to your computer'. (I should add that I'd never
tried ticking those boxes before; also that most of my multiple 'Defender
checkpoints' were caused by Defender recording suspicious activity by an AOL
driver, ATWPK2.)

So I ticked the two boxes, and switched on RTP again.
Then I started AOL. Immediately I got a little Defender bubble saying that
'a service and drivers change was made for a known application file' (ATWPK2
- I expected something like that). So I looked in the Defender history log,
where this activity had always been logged - to find no record of this event.
I looked in System Restore, where previously a checkpoint would have been
created - no checkpoint! Hoorah!

So I restarted my machine, and checked System restore. No checkpoint - so
clearly, Defender wasn't creating a checkpoint every startup. Then I started
AOL - up came the ATWPK2 bubble again, as expected. A few moments later this
was followed by another bubble saying something like 'an application register
change was made for ... MPCmdRun.exe' (which I don't understand at all).

Neither of these events was recorded in the Defender History log. Again, no
Defender Checkpoint was created.

So this looks like a solution, for me, to the multiple checkpoint issue. But
I'm left with some questions:

When these bubbles pop up, I'm not given any option to do anything. If I
click on the bubble it just disappears, and I can't look them up in Defender
History because they aren't recorded. So... what do I do? Just ignore them?
It seems that if we ask to be notified, Defender doesn't record the events in
History. It records them only if we ask not to be notified (and that's when
all the unwanted checkpoints are generated).

Can anyone please say something helpful?
 
Guest

Two additional thoughts:
1. I checked the Windows event viewer for all these occasions, but it
recorded nothing except the changes I was making to the Defender settings.
2. I think the second of the two alerts I mentioned may simply have been
Defender alerting me to the changes I'd made in its configuration. So perhaps
that second alert requires no further explanation.

But the main question remains: how do I tell Defender to cool it with regard
to ATWPK2, so I don't have to choose between spurious notification bubbles
and multiple checkpoints?
 
Guest

At some point I must get a life, but at present observing the behaviour of
Windows Defender is nearly as interesting as (and less predictable than)
watching the feeding habits of marsh harriers. Well, not really.

But I'm now finding that Defender has a long memory when you do things to
it. OK it's now running in RTP mode; the two magic boxes are ticked that are
preventing the Defender checkpoints and obliterating the history log (see
above). And it boringly keeps on nagging me about the AOL driver every time I
start AOL. BUT ALSO, it keeps telling me at every system startup that 'An
application Registration change was made for a known application file
C:\Program Files\Windows Defender\MpCmdRun.exe'. At first I thought this was
just Defender letting me know that I'd switched the RTP on. I think it
actually was, initially. But it keeps flagging this up at every system
restart, and I feel like saying OK, OK, I got the message. Yes, I changed you
early this morning! Get used to it!

Someone out there might be able to make some sense out of all this? Or
perhaps everyone will be too busy studying the feeding habits of marsh
harriers.
 
Guest

Alan,

Excellent job of verification testing and trying to help solve your own
problem, which is exactly what a Beta is about. Also, very good and clear
explanation of your test and results. Though the previous poster (J Mitch)
posted the original 'fix', your post does much more to explain its effects.

What it appears you've exposed is that the choice to direct the
notifications to not be displayed instead results in their generating a
system restore point. We may not understand why ourselves, but this is
something the Defender Development Team can now look for as a cause. We know
the System Restore Points were intended under certain circumstances, so the
suppression of one or more of these types of notification messages (balloons)
must somehow mis-trigger the same process.

Come to think of it, the act of disabling these warnings is also affected by
the choice of SpyNet membership level, Basic or Advanced. Since the choice of
Basic also results in the automatic selection of 'Allow' by default, it's
possible this generates the choice to create a Restore Point as a side
effect. Whether this was intended or not would only be known by those in
development.

As for the 'an application register change was made for ... MPCmdRun.exe'
notification, I'm sure this has been asked and answered before, but I'll give
my version as I understand it. Since the executable file mentioned is what
runs the scheduled scans, it might likely be attacked by malware. To ensure
that it is properly registered to run and possibly even to reschedule the
item in tasks, this registration is performed every time you restart Windows.
Since you now have the option 'Changes made to your computer by software that
is allowed to run' enabled, this message is displayed.

I told you that you were the type who would learn and understand for
yourself, which makes you the perfect type for testing a beta, if you're
willing. That's the difference between someone who just wants free software
and someone who wants to help in its development.

I'm sure this thread will be useful to the Development Team, whether they've
already found the issue or not.

Bitman
 
Guest

That's the difference between someone who just wants free software
and someone who wants to help in its development.

Thank you for the compliments - though of course I want the free software
just like anyone else. It's just that the doctor can't fix you if he doesn't
know all your symptoms....

Thanks for the explanation of the Defender registration change. At some
stage I'll see what happens when I turn that option off, but I want to run
like this for a few days to see if any other oddities occur. At the moment it
would introduce yet another variable, which isn't a good idea I think.
 
Guest

This ball of wool just goes on unravelling.

OK, so ticking the two boxes and restarting RTP has achieved the following:

1. I get spurious notifications in pop-up bubbles that I ignore (because
it's not possible to do anything else).
2. These notifications used to be logged in history but now are not. In
fact, history seems to be recording nothing at all.
3. Not only have the Defender checkpoints stopped - but no restore points of
any kind have been made for three days. Looks as if the whole automatic
creation of restore points has been shut down, just by ticking those two
boxes..... I've read a thread about this somewhere but I can't remember
where. Can anyone remember what the dodge was, to get the restore point
function running again?
 
Dave M

System Restore Service is a System Service; you might ensure its status
is started and set for automatic startup.

Control Panel > Admin Tools > Services

I didn't have any problem like that when I clicked the notifies, but then
again my RTP was never disabled. Still running at one WD checkpoint per
day over the last week, although I once had two, and the occasional
Software Distribution and System checkpoint as well, another day had no
checkpoints at all.
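Dave M's check (service running and set to Automatic) and Robin's hand-kept daily tally of restore points can both be done from a script. The following is an added example written for this page, not something any poster ran; it assumes an elevated Windows PowerShell 5.1 session on a machine where the `root/default` `SystemRestore` WMI class is available (it is not exposed to PowerShell 7), the service names `srservice` (Windows XP) and `VSS` (later releases), and that Defender-created restore points carry "Defender" in their description. The `Microsoft-Windows-Windows Defender/Operational` event log it reads at the end exists only on Vista and later, so on the beta discussed here that part simply reports nothing.

```powershell
# Added example, not from the thread. Run elevated in Windows PowerShell 5.1.
# 1. Confirm the service behind System Restore is running and automatic
#    (service names are assumptions: 'srservice' on XP, 'VSS' afterwards).
$svc = Get-Service -Name 'srservice', 'VSS' -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc) {
    Write-Warning 'Neither srservice nor VSS was found on this machine.'
} else {
    '{0}: Status={1} StartType={2}' -f $svc.Name, $svc.Status, $svc.StartType
    if ($svc.StartType -ne 'Automatic') { Set-Service -Name $svc.Name -StartupType Automatic }
    if ($svc.Status -ne 'Running')      { Start-Service -Name $svc.Name }
}

# 2. Enumerate restore points. CreationTime is a DMTF date string
#    (e.g. 20060723093000.000000-420), so convert it before grouping.
$points = Get-CimInstance -Namespace 'root/default' -ClassName 'SystemRestore' |
    ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Type        = $_.RestorePointType
            Description = $_.Description
        }
    }

# 3. Daily tally: total points and how many Defender made (description match is an assumption).
$points |
    Group-Object { $_.Created.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    ForEach-Object {
        $wd = @($_.Group | Where-Object Description -like '*Defender*').Count
        '{0}: {1} restore point(s), {2} from Windows Defender' -f $_.Name, $_.Count, $wd
    }

# 4. Raw list, so a second checkpoint on the same day is visible at a glance.
$points | Sort-Object Created | Format-Table Sequence, Created, Type, Description -AutoSize

# 5. Cross-check against Defender's own event log for the same period
#    (log name exists on Vista and later only; absent logs are skipped quietly).
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        StartTime = (Get-Date).AddDays(-3)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

If the tally shows a restore point every time a notification was suppressed, that is the correlation Bitman asks the development team to look for; if it shows nothing at all for several days, as Alan reports later in the thread, the service check at the top is the first thing to look at.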
 
Guest

Dave M said:
System Restore Service is a System Service , you might ensure it's status
is started and set for automatic startup.
Thanks for this, Dave. Yes, it's set correctly.
 
robin

I only have the second one checked. I had the first one originally checked
and it was creating multiple check points. Took off the 1st one and so far
no multiple check points.
I do not use AOL and I do not see anything popping up at all telling me
there are changes, and I have WD running on two computers and both are not
experiencing warning message popups.
Are you seeing this popup because you have the WD icon running in the task bar?
Because I have it set only to notify me if there is a significant change.
robin
 
Guest

robin said:
I only have the second one checked- I had the first one originally checked
and it was creating multiple check points. Took off the 1st one and so far
no multiple check points.

That's very curious. I've never had these 2 boxes ticked till now - and yet
ticking them has stopped the multiple checkpoints - which seems to be the
opposite of what you're getting.

Are you seeing this popup because you have WD icon running in the task bar?
because I have it as only to notify me if there is a significant change.

Aha! Nice suggestion - thanks Robin. I'll try killing the icon (shame - I'm
one of those who finds its presence reassuring) and see if that changes the
popups.
 
robin

I am keeping a log per day on both computers of how many checkpoints WD is
making per computer since I put Real Time protection back on (I started this
on 7/23/2006).
I also have it set to notify me only if there is a problem. I do not have
the icon set in the right side of the task bar.
I will let you all know by the end of the week my findings, but so far there
were no WD checkpoints yesterday on both computers; as of this hour there
are none, but also no System Restore points have been set yet today;
yesterday there was one on each computer.
robin
 
Guest

robin said:
I do not have the icon set in the right side of the task bar.

Robin, I have some results!

1. It makes no difference if I disable the Defender icon. It still pops up
with the spurious notifications, and then the icon disappears again.

2. I had almost abandoned hope, but - I found a plain old ordinary regular
automatic system checkpoint today. So System Restore is back to work as usual.
 
Robin

Alan I just got almost the same thing you got on one machine here.
I am also getting a message in the right corner from WD saying something
like 'an application register change was made for ... MPCmdRun.exe'. I
cannot find this in the History Log nor Event Viewer. This started today
and it did it 2x. I did a search on MPCmdRun.exe and it is part of Windows
Defender.
Someone want to tell us why it is saying this about itself?

btw this started happening once I returned on Realtime Protection and
checked the second notify box, but not the first day but the second day
which is today.

robin
 
Guest

Robin said:
Alan I just got almost the same thing you got on one machine here.
I am also getting a message in the right corner from WD saying something
like 'an application register change was made for ... MPCmdRun.exe'. I
cannot find this in the History Log nor Event Viewer. This started today
and it did it 2x. I did a search on MPCmdRun.exe and it is part of Windows
Defender.
Someone want to tell us why it is saying this about itself?

btw this started happening once I returned on Realtime Protection and
checked the second notify box, but not the first day but the second day
which is today.

robin

Yes, that's exactly what happens on my machine, at some stage soon after
every startup. Bitman's explanation (elsewhere in this thread) is that as a
security measure, Defender makes an application register change at every
startup, and then - because we've ticked the box asking for notifications
about such changes that any software makes - it reports the change. It's odd
that for you it's only showing up on day 2 though.

It's starting to look as if selecting the option to be notified (using
either of the two tick boxes) disables the history log - and that must surely
need correcting.
 
Guest

Alan D said:
Yes, that's exactly what happens on my machine, at some stage soon after
every startup. Bitman's explanation (elsewhere in this thread) is that as a
security measure, Defender makes an application register change at every
startup, and then - because we've ticked the box asking for notifications
about such changes that any software makes - it reports the change. It's odd
that for you it's only showing up on day 2 though.

It's starting to look as if selecting the option to be notified (using
either of the two tick boxes) disables the history log - and that must surely
need correcting.
Robin,
Since the action only occurs after a system startup, I'd venture a guess
that you never restarted the PC after enabling the RTP and notifications.
Most will only see one of these a day, so they aren't really a big deal.

I find it interesting that some find the balloons extremely irritating, while
others like myself find them generally informative, but can simply ignore
them when they realize they're not a real issue. Must have something to do
with visual stimulation and concentration. The mind is such a fuzzy thing;
ever notice a 'Z' is an 'N' on its side?

Alan, again it's hard to say if the toggling of History with notification
settings was intended, possibly for trouble-shooting, or if it's a
programming fluke. I do tend to agree that I'd rather see them logged in all
cases for trouble-shooting, though I can also see how this might create a
clogged log (say that three times fast). Might be good to log them, but allow
you to toggle their display in History, so you don't have to look through the
'information' messages to find those that are more critical.

Bitman
 
robin

I would rather it just do its thing and only warn me when there are
problems.
I just wanted to state it was doing the same thing that Alan saw.
It doesn't bother me when it pops up; I just wanted to report it just in
case it is a bug.
robin
 
Guest

Agreed, you should be able to leave this setting turned off if you prefer, my
comment was meant as a general observation of what some others have said, not
you in particular.

Hopefully, now that this thread has discussed the symptoms of the
relationships between these settings, System Restore Point creation and
History logging, the Defender development group will be able to find and
solve the real issues that exist.

Bitman
 
Guest

Bitman said:
I find it interesting that some find the balloons extremely irritating, while
others like myself find them generally informative, but can simply ignore
them when they realize they're not a real issue.

Like Robin, I don't find the balloons a big deal - but there is a deeper and
more important issue, which is the inability to tell Defender to ignore
certain actions. My several-time-daily notifications of the dubious behaviour
of ATWPK2.exe are getting irritating, because they're completely pointless
repetitions and I have no way of informing Defender of that fact.
 
robin

Well, hopefully you are right and the WD Defender MS people will read all of this
and fix this problem.
robin
 
Guest

Alan D said:
Like Robin, I don't find the balloons a big deal - but there is a deeper and
more important issue, which is the inability to tell Defender to ignore
certain actions. My several-time-daily notifications of the dubious behaviour
of ATWPK2.exe are getting irritating, because they're completely pointless
repetitions and I have no way of informing Defender of that fact.
Alan,

Yes, the issue with being unable to easily set a permanent allow, if at all,
has been discussed for several months now. I've lost track of any specific MS
development response to the issue, and can't recall what you've gotten as
responses to this yourself.

I do know that I personally had an issue with a Browser Helper Object DLL
file causing such alerts, which I managed to resolve using the 'Tools',
'Options', 'Advanced options' section, 'Do not scan these files or locations'
dialog box. By clicking 'Add', browsing to the file and selecting it, it was
apparently also ignored by Real-time protection, since the alerts stopped at
that point.

I'm not certain that this works either with Services or true Startups
however, since I've heard others report that this didn't work for them, at
least with some services. Give it a try if you haven't already, but remember
you've done it and remove it when you update Defender to see if the problem
is really resolved.

Bitman
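Bitman's workaround (add the file to 'Do not scan these files or locations', then remember to remove it after the next Defender update to see whether the underlying problem is fixed) maps onto the exclusion cmdlets that ship with Defender on current Windows releases; the 2006 beta discussed here only exposed the setting through Tools > Options > Advanced options. The script below is an added example for this page, not code from any poster or from Microsoft. It assumes an elevated session with the `Defender` PowerShell module available, an assumed file path for the AOL binary (adjust it to the real location), and an assumed ledger file under `%ProgramData%`. It records the SHA-256 of the excluded file so that a later check can tell whether the file was swapped while Defender was ignoring it, which is the blind spot an exclusion opens.

```powershell
# Added example, not from the thread. Requires the Defender module and an
# elevated prompt. Paths and ledger location are assumptions.

function Add-TrackedExclusion {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Ledger = "$env:ProgramData\defender-exclusions.csv"
    )
    # Exclude one file, never a folder: a folder exclusion hides anything dropped there later.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Exclude a single file, not a folder: $Path"
    }
    # Hash first, so the ledger describes the file that was actually trusted.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Add-MpPreference -ExclusionPath $Path
    [pscustomobject]@{ Path = $Path; Sha256 = $hash; Added = (Get-Date).ToString('s') } |
        Export-Csv -LiteralPath $Ledger -Append -NoTypeInformation
    # Return $true when Defender reports the exclusion as active.
    (Get-MpPreference).ExclusionPath -contains $Path
}

function Test-TrackedExclusion {
    # Re-read every ledger entry: is it still excluded, and is it still the same file?
    param([string] $Ledger = "$env:ProgramData\defender-exclusions.csv")
    $current = (Get-MpPreference).ExclusionPath
    foreach ($row in Import-Csv -LiteralPath $Ledger) {
        $now = if (Test-Path -LiteralPath $row.Path -PathType Leaf) {
            (Get-FileHash -LiteralPath $row.Path -Algorithm SHA256).Hash
        } else { 'MISSING' }
        [pscustomobject]@{
            Path          = $row.Path
            StillExcluded = ($current -contains $row.Path)
            Unchanged     = ($now -eq $row.Sha256)
            Added         = $row.Added
        }
    }
}

function Remove-TrackedExclusion {
    # The step Bitman asks you to remember: take the exclusion out after updating Defender.
    param([Parameter(Mandatory)] [string] $Path)
    Remove-MpPreference -ExclusionPath $Path
    -not ((Get-MpPreference).ExclusionPath -contains $Path)
}

# Usage (assumed path for the AOL file the thread is about):
# Add-TrackedExclusion -Path 'C:\Program Files\AOL\ATWPK2.exe'
# Test-TrackedExclusion | Format-Table -AutoSize
# Remove-TrackedExclusion -Path 'C:\Program Files\AOL\ATWPK2.exe'
```

A row with `Unchanged = False` means the excluded binary is no longer the one you vetted and the exclusion should be removed until you have looked at the new file; a row with `StillExcluded = False` after an update tells you the setting was reset and the original problem can be re-tested without any further action.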
 
