Windows Defender fails to start warning

GSD

I run Windows XP SP3.
I have recently installed Windows Defender. It appears to be running OK but
I notice in "Event Viewer - Application" there is a regular error that shows
"Windows Defender Real-Time Protection checkpoint has encountered an error
and failed to start.
User: HOME-AB9C136C40\**see below
Checkpoint ID: 27
Error Code: 0x80070005
Error description: Access is denied. "

** the suffix relates to my limited user account and may or may not affect
things

On the surface I can see no problem with the running of Windows Defender in
any way. Can anyone tell me what the above error may relate to?
Graeme
 
Bill Sanderson

I'm not sure about the answer here--the question being whether this is a
"normal" error message, or one indicating a real problem.

I'd suggest that you test whether real-time protection is active by using
the EICAR test string, available here:

http://www.eicar.org/anti_virus_test_file.htm

You may need to turn off all antimalware protection to create a file
containing this string.

This is a perfectly safe test mechanism that all antivirus applications, and
Windows Defender, and perhaps other antispyware applications will respond to
as though it were a real virus.

You can create files containing the string in various ways, but a simple
text file created with notepad works fine.

If, with Windows Defender on, and logged in as your limited user, you save a
file containing this text from an attachment to an email message, say, I
think that would indicate that real-time protection is indeed active.
 
GSD

Thanks Bill

I did as you suggested and Defender picked up Eicar OK so it confirms that
it is running in the limited user account. I was pretty sure it was.

Graeme
 
GSD

Yes, on the surface everything seems to work OK but there must be some
explanation. When I look at the times of the event I do notice that it
occurs about the same time as Defender pops up its usual advice just after
start up of a change in known Application - that being itself as I understand
"Application registration- C:\Program Files \Windows\Defender\MpCmdRun.exe "

I guess this is just confirming that it has started.

Out of curiosity I will keep on watching to see if I might pick up the cause
of the Event error sometime.

Thanks
Graeme
 
Bill Sanderson

Windows Defender re-schedules its daily scan each time it starts. I believe
that is what the "change in known Application" refers to.

You could experiment by switching the user capabilities to administrator and
doing a couple of startups, then switching back to limited.

I used to have a client running Windows Defender on machines with limited
users, but they moved to Symantec Endpoint Protection which suggested
disabling Windows Defender, and we followed that advice.



GSD

I probably did not make it clear in my initial post that this error in Event
Log does not always refer to the Limited User Account; that was just the
example I copied. It shows up even if I am using my Administrator account.
If that is what you mean.
Anyway I will keep an eye on it and see if I can isolate a cause without
spending too much time on it. If I do find anything I will post here.

Thanks again

Graeme
 
Bill Sanderson

That's clearer for me. I don't see why you should be getting this error
event when running as Administrator, unless it is related to the limited
user, and the limited user is also logged in....



GSD

That's a thought, I do generally turn the computer off each night then in
the morning head for the limited user account first. I can try a few times
heading straight in to the Admin Account for a while without logging in to
the limited one and watch the time on the event log that it appears.

If I find out anything I will post

Graeme
 
GSD

I was wrong - the errors do all relate to when I logon to the Limited User
account.
Rebooted the computer a couple of times and went in to the Admin User
account and no error. Went in to the limited user account, came back out
and checked Event Log and there it was. So thank you, I have identified it
occurring when first logging in the limited user account but the cause is
still a mystery. It does not seem to affect the running in any way as far
as I can see.

Graeme
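
Added example, not part of the thread: one way to do the correlation described above without reading events one by one is to tally the error descriptions by their User field and decode the error code. The sample text is constructed in the shape quoted in the first post; the account name HOME-PC\limited_user is a placeholder, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: two event descriptions in the shape quoted in the
# first post. The account name is a placeholder, not a value from the thread.
SAMPLE_EVENTS = """\
Windows Defender Real-Time Protection checkpoint has encountered an error and failed to start.
User: HOME-PC\\limited_user
Checkpoint ID: 27
Error Code: 0x80070005
Error description: Access is denied.

Windows Defender Real-Time Protection checkpoint has encountered an error and failed to start.
User: HOME-PC\\limited_user
Checkpoint ID: 27
Error Code: 0x80070005
Error description: Access is denied.
"""

FIELD = re.compile(r"^(User|Checkpoint ID|Error Code):\s*(.+?)\s*$", re.M)

def decode_hresult(value):
    """Split a 32-bit HRESULT into (failure bit, facility, code)."""
    n = int(value, 16)
    return bool(n >> 31), (n >> 16) & 0x7FF, n & 0xFFFF

def parse_events(text):
    """Yield one dict of fields per blank-line-separated event description."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD.findall(block))
        if "Error Code" in fields:
            yield fields

def tally_by_user(text):
    """Count failures per (user, checkpoint ID, error code)."""
    return Counter(
        (e.get("User", "?"), e.get("Checkpoint ID", "?"), e["Error Code"])
        for e in parse_events(text)
    )

if __name__ == "__main__":
    for (user, checkpoint, code), count in tally_by_user(SAMPLE_EVENTS).items():
        failed, facility, win32 = decode_hresult(code)
        # Facility 7 is FACILITY_WIN32; Win32 error 5 is ERROR_ACCESS_DENIED,
        # which matches the "Access is denied" description in the event.
        print(user, checkpoint, code, count, failed, facility, win32)
```

If every row carries the limited account in the User field, the failures belong to that account's logon rather than to the administrator session.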
 
Bill Sanderson

I can think of one more bit of troubleshooting to try--but I'm not sure
whether it is worth the effort.

In tools, options, scroll down to the real-time protection section. Here
you can either disable real-time protection as a whole, or disable
individual parts of that protection (there's a name for them, but I can't
remember it right now!)

You could see what effect unchecking those boxes has on your error.

Perhaps first uncheck all real-time--or do I recall that you already did
that?

Then, maybe a binary search--uncheck the first half of the items and see
what effect that has, then the second half, and if one half is different
from the other, divide that one in half, etc, to see if you can get down to
a particular area of real-time protection.

I'm hoping you won't need to reboot to generate the error--but simply log
off and then on again with the limited user...

You might also see whether the very final checkbox in tools, options--which
allows limited users to take some actions within Windows Defender--makes any
difference, if that is not already checked.


GSD

I have had a bit of a try at disabling various options in the Real Time protection area but it does not cure the problem.
In fact for each option I uncheck I can see a new error in the event log virtually telling me in non computer terms that Defender has looked for the option but cannot perform it. They are easy to fix, I just enable the options again.

I honestly do not think it is worthwhile spending more time. I guess if I was a person who never looked in the Event logs I would never have known about it. I might even uninstall and use another application like Super Anti Spyware paid version. I do have the free version for occasional scanning.

Thanks for all your troubleshooting ideas.


Graeme
 
Bill Sanderson

You're welcome. Sorry we couldn't come to a more satisfactory outcome.

As a rule, my thinking is that when Windows Defender just writes a log
message, rather than bringing an issue to the direct attention of the user,
it is likely that the issue is more informational than of substance.

Unless you are very happy with your current antivirus application, I'd urge
you to try Microsoft's Morro application when it is available, which is
still some months, at least, off. It should incorporate Windows Defender's
protection, add antivirus, and if your issue is one which is a genuine bug
with Windows Defender, there's some chance that it will be fixed.


GSD

Thanks Bill,

I will have a look at the Microsoft application. I understand it will be free
??

I currently use Eset Nod32 which is quite good, it has a few quirks,
also a bit expensive.

Graeme
 
