The case of Windows Defender not starting.

A client had a machine that would not load Windows Defender; each time it was opened it eventually died during initialization:

Log Name:      Application
Source:        Application Error
Date:          8/13/2007 4:03:10 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server1

Description:
Faulting application MSASCui.exe, version 1.1.1505.0, time stamp 0x45ad8d6e, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549d372, exception code 0xc0000005, fault offset 0x000000000002aa74, process id 0x1268, application start time 0x01c7dde39a6e9100.

Since the problem was with initialization, the first thing I did was enable loader snaps and put the executable under an IFEO debugger entry so that it started under the debugger.  Nothing jumped out from the loader snaps, but when I let the process run (g) I did see these errors:
0:000> g
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
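The setup described above (an Image File Execution Options entry that launches the debugger in place of the image, with loader snaps turned on), as an added PowerShell example that is not part of the original post. It assumes an elevated session, since the key lives under HKLM, and a Debugging Tools for Windows install at the path in $DebuggerPath; adjust that path to your own install.

```powershell
# Added example (not from the original post): stage MSASCui.exe under an IFEO
# debugger entry with loader snaps enabled, then clean up and audit the key.
# Assumptions: elevated PowerShell, and windbg.exe at $DebuggerPath (assumed location).
$ImageName    = 'MSASCui.exe'
$DebuggerPath = 'C:\Program Files\Debugging Tools for Windows\windbg.exe'
$IfeoRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FLG_SHOW_LDR_SNAPS = 0x2   # the same NtGlobalFlag bit that "gflags.exe /i MSASCui.exe +sls" sets

function Enable-IfeoDebug {
    param([string]$Image, [string]$Debugger)
    $key = Join-Path $IfeoRoot $Image
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Debugger: the loader starts this program instead, appending the image's command line,
    # so the debugger owns the process from its very first instruction.
    New-ItemProperty -Path $key -Name 'Debugger' -Value $Debugger -PropertyType String -Force | Out-Null
    # GlobalFlag: per-image NtGlobalFlag bits; 0x2 makes ntdll print DLL load/resolve snaps.
    New-ItemProperty -Path $key -Name 'GlobalFlag' -Value $FLG_SHOW_LDR_SNAPS -PropertyType DWord -Force | Out-Null
}

function Disable-IfeoDebug {
    param([string]$Image)
    $key = Join-Path $IfeoRoot $Image
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
}

# The Debugger value applies system-wide to every process with that image name and
# survives reboots, so list every image that has one before and after the session.
function Get-IfeoDebuggers {
    Get-ChildItem -Path $IfeoRoot | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

Enable-IfeoDebug -Image $ImageName -Debugger $DebuggerPath
Get-IfeoDebuggers          # expect MSASCui.exe -> windbg.exe plus anything you already knew about
# ...start Windows Defender normally; WinDbg attaches at process creation, then type g...
Disable-IfeoDebug -Image $ImageName
```

The audit function is there for a reason beyond tidiness: the same Debugger value is a well-known persistence and hijack location (MITRE ATT&CK T1546.012), so an entry you do not recognise on a client's machine deserves a look before you add your own.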
The exception code c0000006 is STATUS_IN_PAGE_ERROR: a page of the process's image could not be read in from disk. The I/O status that caused it, c000009c, is STATUS_DEVICE_DATA_ERROR (Win32 error ERROR_CRC), which means the OS couldn't page the memory in because the disk returned a data error. This is most likely a hardware failure.

I ran chkdsk /r on the C: drive and it was unable to recover the sectors. I ended up having to go to the HDD maker's site and download their utility to scan the hard drive and recover the sectors.  Once that was done Defender was happy again.  You're probably asking yourself (all three of you that read this blog) why I didn't see the event below in eventvwr.  I would have looked in the System log and seen it, but unfortunately Event Viewer wasn't opening either before I fixed the disk errors.
Log Name:      System
Source:        disk
Date:          8/13/2007 5:31:43 PM
Event ID:      7
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server1
Description:
The device, \Device\Harddisk0\DR0, has a bad block.
If you don't have disk errors on the system, another thing you can do is use SFC (/VERIFYFILE) to check the integrity of the files in question. SFC needs an elevated prompt, and any problems it finds are written to CBS.log under C:\Windows\Logs\CBS (the SFC entries are the lines tagged [SR]).

SFC [/SCANNOW] [/VERIFYONLY] [/SCANFILE=<file>] [/VERIFYFILE=<file>]
    [/OFFWINDIR=<offline windows directory> /OFFBOOTDIR=<offline boot directory>]

/SCANNOW        Scans integrity of all protected system files and repairs files with
                problems when possible.
/VERIFYONLY     Scans integrity of all protected system files. No repair operation is
                performed.
/SCANFILE       Scans integrity of the referenced file, repairs file if problems are
                identified. Specify full path <file>
/VERIFYFILE     Verifies the integrity of the file with full path <file>.  No repair
                operation is performed.
/OFFBOOTDIR     For offline repair specify the location of the offline boot directory
/OFFWINDIR      For offline repair specify the location of the offline windows directory
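The triage order the post arrives at by hand (read the crash event, check the System log for disk bad blocks first, and only then verify the faulting module with SFC and read CBS.log), as an added PowerShell example that is not part of the original post. It assumes an elevated session (sfc and CBS.log require it), PowerShell 3.0 or later for the [pscustomobject] syntax, and that a faulting module named without a path lives in System32; the regular expressions accept both the Vista wording shown above ("faulting module ntdll.dll, ...") and the later "Faulting module name: ..." form.

```powershell
# Added example (not from the original post): automate the disk-first triage of an
# "Application Error" event 1000. Assumptions: elevated PowerShell 3.0+, and that a
# bare module name from the event (e.g. ntdll.dll) is found under %SystemRoot%\System32.

function Get-LastCrash {
    param([string]$Image)
    # Event 1000 from the 'Application Error' source carries the "Faulting application ..." text.
    $escaped = [regex]::Escape($Image)
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match "Faulting application(?: name)?:? $escaped" } |
          Select-Object -First 1
    if (-not $ev) { return $null }
    $m = [regex]::Match($ev.Message,
        'faulting module(?: name)?:? (?<module>[^,]+),.*exception code:? (?<code>0x[0-9a-fA-F]+)', 'IgnoreCase')
    [pscustomobject]@{
        Time      = $ev.TimeCreated
        Module    = $m.Groups['module'].Value.Trim()
        Exception = $m.Groups['code'].Value
    }
}

function Test-DiskBadBlocks {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Event ID 7 from source 'disk' is the bad-block record the post only found afterwards.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'disk'; Id = 7; StartTime = $Since } -ErrorAction SilentlyContinue
    $events | ForEach-Object { Write-Warning "$($_.TimeCreated): $($_.Message)" }
    return [bool]$events
}

function Test-ModuleIntegrity {
    param([string]$Module)
    $path = if (Test-Path $Module) { $Module } else { Join-Path $env:SystemRoot "System32\$Module" }
    # sfc writes its verdict to CBS.log; its console text is awkward to parse, so read the log instead.
    & sfc.exe "/VERIFYFILE=$path" | Out-Null
    $log = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'
    Select-String -Path $log -Pattern '\[SR\]' | Select-Object -Last 20 | ForEach-Object { $_.Line }
}

$crash = Get-LastCrash -Image 'MSASCui.exe'
if ($crash) { "$($crash.Time): faulting module $($crash.Module), exception $($crash.Exception)" }

if (Test-DiskBadBlocks) {
    'Disk reported bad blocks: run chkdsk /r and the vendor tool before chasing the application.'
} elseif ($crash) {
    Test-ModuleIntegrity -Module $crash.Module
}
```

The order matters: an in-page error against a disk that is logging event 7 is a disk problem, and SFC would either fail to read the same sectors or report a clean file once the vendor tool has remapped them, so the file check is only meaningful after the bad-block question has been answered.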

Comments
  • I'm sure there are more than 3 persons reading this blog, so keep it going Brad!

    Many greetings from Germany,

    Christian
