Tuesday, January 31, 2012

Windows Defender Service Missing

[Fix is at the bottom]

Back story

Recently I was repairing a computer that had 'Win 7 Antivirus' on it, which is a fake antivirus that is actually malware. After removing it and cleaning the system, I noticed that Windows Defender was off. When I started the program, I received an error notifying me that the service could not start. I looked in the windows services and the service was not present. Since the program is baked in to Windows 7, it cannot be uninstall and reinstalled, which is something that would typically fix this kind of problem.
After looking on Google for the answer, I noticed most forum post basically said the same thing:
  • You still have a virus.
  • Just reinstall windows or do a repair installation.
  • Run some Microsoft program that would fix it for me.
  • Windows Defender sucks, who cares?

None of the above worked for me. So I started comparing a working Windows 7 system with the system I was trying to repair. I looked at the service running for Defender, it's C:\Windows\System32\svchost.exe -k secsvcs
I ran ProcessMonitor then launched Windows Defender and used the search function for ProcessMonitor to find 'secsvcs'. The search return a value from the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend\ImagePath
When I looked on the system I was repairing, the value was missing. I exported the root key (WindDefend) and then added it to the registry on the infected system and rebooted it. After the boot I launched Windows Defender and started the service, everything was back to normal.

I'm just surprise that this fix wasn't mentioned on any of the posts I found and was not identified as a problem by any of the scans I ran.

Fix

Download:
https://sites.google.com/site/windowsguidesforall/troubleshooting/windows-defender-service-missing/windows_defender_reg_for_win7x64.reg?attredirects=0&d=1

Do:

  • Open the file and allow the information to be added to your registry.
  • Restart your computer.
  • Run Windows Defender and start the service.
  • Comment on this blog to let everyone know if it worked or not.