• Win 10 problems with Defender Offline


    #2466922

    Hey Y’all,

    I alluded to a problem with my Laptop in this post.

    Well, here’s the whole gruesome situation.

    I had something weird show up on the screen of the laptop the other day. It was a command type window that was slowly typing letters. Of course, I shut it down in a hurry.

    Next step: run a Defender Offline scan, and obviously this didn’t work; it plain wouldn’t run.

    Checked it out on my 2 desktops and it runs just fine.

    Googled the problem and guess what, this has been a problem for quite some time. So I attacked it with all the suggestions ( all run in an elevated command prompt ):

    1. "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions. Reboot and same behavior.
    2. DISM /Online /Cleanup-Image /RestoreHealth. Reboot and same behavior.
    3. Disk Cleanup selecting system files. Reboot and same behavior.
    4. SFC.exe /scannow. Fixed some problems, Reboot and same behavior.

    Are we seeing a pattern here?

    Time for the nuclear option ( with recent Image in hand of course ).

    1. Download clean copy of W10 using MCT to a USB key.
    2. Boot from USB key and do clean install.
    3. Try Defender Offline… Wait for it… No problem!

    However, rebuilding the machine from scratch posed some immediate problems that I decided I didn’t want to deal with:

    • Upgrade to W10 Pro, said key no good but it upgraded anyway!
    • Documents, Downloads, Music, Videos folders did NOT have a Location Tab.
    • Unfortunately, I didn’t disconnect the net so it set me up with my MS Account and pointed a bunch of stuff to OneDrive.
    • I switched to Local account but the damage was done.

    At this point I restored my Image and decided to search for another solution.

    I’m thinking an IN PLACE upgrade.

    Note:
    Dell XPS 8920: W10 Pro 64-bit 21H2 19044.1766 – Daily driver (Last Upd: 6/28)
    Dell XPS 8700: W10 Pro 64-bit 21H2 19044.1826 – Test machine (Last Upd: 7/13)
    Dell XPS 137000: W10 Pro 64-bit 21H2 19044.1826 – Laptop problem machine (Last Upd: 7/18)

    EDIT: I forgot to mention that when I loaded the laptop from scratch the windows version ended in .2… can’t remember the exact 4 digits but I know it started with a 2 as it caught my eye!

    After compiling the above information I’m going to be brave and update my Daily driver and see if it makes problems (again I’ve got a recent Image in hand!).

    I’m open to any ideas y’all may have. From the online comments it doesn’t look like MS is making any progress, if they even care.

    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!
    Computer Specs

    • #2467053

      Hi RetiredGeek:

      When you say “plain wouldn’t run” do you mean that you’ve followed the instructions in the MS support article Help Protect My PC with Microsoft Defender Offline (Start | Settings | Update & Security | Windows Security | Virus & Threat Protection | Current Threats | Scan Options | Microsoft Defender Offline Scan | Scan Now) but when you click the Scan Now button your system does not re-start and perform a Quick Scan from the recovery environment?

      As noted in that MS support article, did you log in to Windows with an account with Administrator rights before starting the offline scan? Do you have a backup account with Administrator rights you can log in with just to test if the offline scan will run from another Administrator account (i.e., just in case the permissions for your “regular” Administrator account are corrupted)? If not, create a new Administrator account (i.e., log in as an Administrator, create a new Microsoft or Local account at Settings | Account Family & Other Users | Other Users | Add Someone Else to This PC and then change the account type to Administrator) and see if your offline scan runs correctly from this new account. Brink’s TenForums tutorial How to Add a Local Account or Microsoft Account in Windows 10 has instructions for creating both Microsoft and Local accounts (see Options 1 and 2).

      I’d also suggest running a second-opinion scan with Malwarebytes Free for Windows (https://www.malwarebytes.com/mwb-download for the latest v4.x if you have Win 7 SP1 or higher; https://downloads.malwarebytes.com/file/mb3_legacy for the legacy v3.5.1 for Win XP and Vista) to see if this scanner can find malware or a PUP (potentially unwanted program like adware, unwanted browser toolbars, etc. – see their full PUP criteria <here>) or PUM (potentially unwanted registry modification) that might have been missed by your antivirus.

      If you haven’t used Malwarebytes before I generally recommend that users deactivate the 14-day trial of the Premium features after installation at Settings (gear icon) | Account | Deactivate (see Deactivate Premium Trial in Malwarebytes for Windows) and just use Malwarebytes Free as a second-opinion on-demand scanner. I also have Malwarebytes configured to warn me before it removes any PUPs or PUMs at Settings (gear icon) | Security | Potentially Unwanted Items so I have a chance to review any lower-risk threats like browser toolbars, etc. that might be detected by Malwarebytes that I actually want to keep.

      [Screenshot: Malwarebytes v4.5.12 Security settings, warn user before removing PUPs/PUMs, 01-Aug-2022]

      Run Malwarebytes’ recommended default Threat Scan for your initial scan. There is an option to run a deeper Threat Scan with rootkit scanning enabled (Scanner | Advanced Scans | Custom Scan | Configure Scan | Scan for Rootkits – see Scan Types in Malwarebytes for Windows) but I know of rare instances where some malware scanners can damage the Windows system files if they detect and try to remove a rootkit or bootkit that is deeply embedded in the OS kernel. When I suspect I have hidden malware that was missed by both my antivirus and a Malwarebytes Threat Scan then I usually post in BleepingComputer’s Virus, Trojan, Spyware, and Malware Removal Help board [see the guidelines <here> for adding Farbar Recovery Scan Tool (FRST) diagnostic logs to your first post] and work one-on-one with a trained malware removal specialist until I’m sure my system is clean.
      —————–
      Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1826 * Firefox v103.0.0 * Microsoft Defender v4.18.2205.7-1.1.19400.3 * Malwarebytes Premium v4.5.12.204-1.0.1725 * Macrium Reflect Free v8.0.6867

      • #2467102

        Yes, running as Admin. Tried another admin account I had same result. Created a new Admin account same results.

        Just to clarify, I run through the process and agree to all the prompts and then it just stops doing anything. On my other machines it tells me that it is going to log-off in 30 seconds and I never see that message.

        I ran an MB FULL SCAN which took 20 hrs! Nothing found!

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

    • #2467103

      RG,

      Before running an in-place reinstall, I always return libraries (Music, Pictures, etc.) to their default locations, then change them back after the reinstall.

      Zig


    • #2467228

      I always return libraries (Music, Pictures, etc.) to their default locations, then change them back after the reinstall.

      I have my data of Music, Pictures, etc… on the non OS drive.
      I haven’t moved the folders, just created new ones leaving the original empty folders on drive C.

    • #2467545

      This worked for an older version of Windows 10, so if you have not already reinstalled Windows…

      I really needed to check out some other systems because of a malware scare as a service. I too had also been looking for a solution to restoring Windows Defender Offline short of nuking & paving over a Windows installation for a year, everything else did not work. Just today with a little faith this afternoon after looking at @bbearren and many others postings with solutions involving the REAgentC.exe program, here is what restored all lost functions.

      For people that find this post, have an image backup ready for restoration just in case.

      Start Disk Management to see if a Recovery Environment partition exists.

      Open an Administrator Command Prompt or PowerShell session to see the status of the Recovery Environment:

      Type reagentc /info

      You will see if there is a recovery partition (non zero id codes) and if the Recovery Environment is Enabled, and a recovery environment seems to need 900MB to 1GB of space to work.

      If you are informed that the one you already have is a disabled Recovery Environment partition, type in this:

      reagentc /enable

      This will either work to enable the RE or maybe fail with the error message “Operation failed: b7”, for me it failed*. So after the failure I typed this in:

      reagentc /disable

      REagent said the Recovery Environment was disabled, then for a second time:

      reagentc /enable

      After some time it reported success. I restarted the computer and started by going to the recovery environment in Windows Settings. All functions were restored, even the system’s factory recovery function, and a few more were added. So the big test was activating Windows Defender Offline, and it too worked exactly as Microsoft described in the documentation! (Hallelujah!)

      Hope this Helps you and many other terribly disaffected Windows 10 users!

      *(What happened was reagentc deleted the newer winre.wim that the windows upgrade program created for this version of Windows. [shrug])

      TL;DR

      reagentc /info
      reagentc /enable (if it fails then…)
      reagentc /disable
      reagentc /enable

      Go to Windows Settings -> Recovery or try to use Windows Defender Offline.
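The enable / disable / enable cycle from the post above, as an added PowerShell example that is not part of the thread. It parses `reagentc /info` so the script can tell whether WinRE is already enabled before touching anything, and retries the way the poster did when the first `/enable` fails; it assumes an elevated session.

```powershell
# Added example: check Windows RE status and, if disabled, run enable / disable / enable.
# reagentc.exe is the built-in tool the thread uses; nothing here is from the original post.

function Get-WinREStatus {
    # reagentc /info prints lines such as "    Windows RE status:         Enabled"
    $info = @{}
    foreach ($line in (& reagentc.exe /info 2>&1)) {
        if ($line -match '^\s*(Windows RE status|Windows RE location|Recovery image location)\s*:\s*(.*)$') {
            $info[$matches[1]] = $matches[2].Trim()
        }
    }
    return $info
}

function Repair-WinRE {
    $status = Get-WinREStatus
    if ($status['Windows RE status'] -eq 'Enabled') {
        Write-Host "WinRE already enabled at $($status['Windows RE location'])"
        return $true
    }

    Write-Host 'WinRE is disabled; trying reagentc /enable'
    & reagentc.exe /enable | Out-Null
    if ($LASTEXITCODE -eq 0) { return $true }

    # The post reports "Operation failed: b7" on the first attempt; a disable/enable
    # cycle cleared it there, so retry once the same way.
    Write-Warning "reagentc /enable failed (exit $LASTEXITCODE); running disable, then enable"
    & reagentc.exe /disable | Out-Null
    & reagentc.exe /enable  | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # A second failure usually means Winre.wim itself is missing; reagentc /info
        # shows the expected location, and the image must be restored before retrying.
        Write-Warning "reagentc /enable failed again (exit $LASTEXITCODE); check for a missing Winre.wim"
        return $false
    }

    $status = Get-WinREStatus
    return ($status['Windows RE status'] -eq 'Enabled')
}

Repair-WinRE
```

Run it from an elevated PowerShell; a fresh disk image first is the safety net the thread keeps recommending.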

    • #2467818

      INAR,

      Well, this seemed to work! I got to the point that the system rebooted when I attempted to run the Offline Scan but then got this:

      [Screenshot: Dell error message shown after the reboot, asking to contact Dell Support]
      Now I have to figure out how to update the RE!

      Thanks to both you and bbearren we’re making progress.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      • #2467826

        Hi RetiredGeek:

        Does Control Panel | Programs | Programs and Features show that you have Dell SupportAssist Remediation (a.k.a. SupportAssist OS Recovery) installed on your problem laptop? Your error message asks you to contact Dell Support, which suggests that you might have Dell emergency recovery software installed on your computer (or perhaps even a third-party antivirus – Dell computers often ship with a one-year trial of McAfee LiveSafe) that is preventing your system from booting into the “normal” Windows recovery environment when you try to run a Microsoft Defender Offline Scan.

        Note that I’m not a fan of either SupportAssist or Dell SupportAssist Remediation/SupportAssist OS Recovery. I have disabled the services for Dell SupportAssist, Dell TechHub and Dell SupportAssist Remediation at Start | Windows Administrative Tools | Services to ensure none of these programs can start automatically at boot-up on my Inspiron laptop.
        ————–
        Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1826 * Firefox v103.0.1 * Microsoft Defender v4.18.2205.7-1.1.19400.3 * Malwarebytes Premium v4.5.12.204-1.0.1725 * Macrium Reflect Free v8.0.6867 * Dell SupportAssist v3.11.4.29 * Dell SupportAssist Remediation v5.5.3.16171 * Dell Update Windows Universal v4.5.0 * Fusion Service v2.0.58 * Inspiron 5583/5584 BIOS v1.18.0

      • #2467828

        Now I have to figure out how to update the RE!

        RG, here’s a link. Windows Recovery Environment

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We were all once "Average Users". We all have our own reasons for doing the things that we do to our systems, we don't need anyone's approval, and we don't all have to do the same things.

    • #2467908

      Hey Y’all,

      Problem resolved. Unfortunately I didn’t see bbearren’s link before getting it done.

      I did some googling and found one article that seemed to have a reasonable solution. So I started to work through it, only to find that the two MCT created USB drives I had (20H1 & 21H2) did not contain WinRE.wim or Install.wim!

      So I did some more searching and I found out that you need to extract the Install.wim from the Install.esd and then extract the WinRE.Wim from the Install.wim. You’re following all this right?

      Knowing this would be a bear (not bbearren LOL), I copied the two sources I used and combined them into a single document that will run you through the process, with appropriate changes where the instructions were unclear or missing information. I hope this helps anyone else who runs into this process. (See attached .pdf document)

      FYI: When I did this I forgot to take out the 20H1 USB and thus created the Recovery Environment with that version of Win 10. It still worked even though the Laptop was running 21H2 19044.1826 with the July Updates.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs
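The extraction chain described in the post above (Install.esd to Install.wim to WinRE.wim, then re-registering it), as an added PowerShell example; it is not the poster’s attached PDF and not Microsoft’s documentation. It assumes an elevated session, the MCT USB mounted as D:, a scratch folder C:\WinRE-Work, and that the Windows 10 Pro edition is wanted; DISM and reagentc are the built-in tools the thread already relies on.

```powershell
# Added example: rebuild a missing Winre.wim from install.esd on MCT install media.
# Assumed paths: D: is the MCT USB, C:\WinRE-Work is scratch space. Elevated session required.
$Esd     = 'D:\sources\install.esd'
$Work    = 'C:\WinRE-Work'
$Wim     = Join-Path $Work 'install.wim'
$Mount   = Join-Path $Work 'mount'
$ReDir   = 'C:\Recovery\WindowsRE'   # default staging folder reagentc copies WinRE from
$Edition = 'Windows 10 Pro'          # edition whose Winre.wim to take (any edition ships the same WinRE)

New-Item -ItemType Directory -Force -Path $Mount, $ReDir | Out-Null

# 1. Find the image index of the wanted edition inside install.esd.
#    dism /Get-WimInfo prints "Index : N" followed by "Name : <edition>" for each image.
$index = $null
$found = $null
foreach ($line in (& dism.exe /Get-WimInfo /WimFile:$Esd)) {
    if ($line -match '^Index\s*:\s*(\d+)') { $index = [int]$matches[1] }
    elseif ($line -match '^Name\s*:\s*(.+)$' -and $matches[1].Trim() -eq $Edition) { $found = $index; break }
}
if (-not $found) { throw "Edition '$Edition' not found in $Esd" }

# 2. An ESD cannot be mounted directly, so export the edition to a WIM first.
& dism.exe /Export-Image /SourceImageFile:$Esd /SourceIndex:$found /DestinationImageFile:$Wim /Compress:max /CheckIntegrity
if ($LASTEXITCODE -ne 0) { throw "DISM export failed (exit $LASTEXITCODE)" }

# 3. Mount the WIM read-only and copy out Winre.wim, which lives inside the OS image.
& dism.exe /Mount-Image /ImageFile:$Wim /Index:1 /MountDir:$Mount /ReadOnly
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed (exit $LASTEXITCODE)" }
try {
    Copy-Item (Join-Path $Mount 'Windows\System32\Recovery\Winre.wim') $ReDir -Force
} finally {
    & dism.exe /Unmount-Image /MountDir:$Mount /Discard | Out-Null
}

# 4. Register the restored image with reagentc, enable WinRE, and show the result.
& reagentc.exe /setreimage /path $ReDir
& reagentc.exe /enable
& reagentc.exe /info
```

The edition name must match the `Name :` line DISM prints for the media in use, and a disk image taken beforehand is the way back if the registration goes wrong.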

      • #2468778

        So I did some more searching and I found out that you need to extract the Install.wim from the Install.esd and then extract the WinRE.Wim from the Install.wim. You’re following all this right?

        The embedding of archives is what Microsoft does; it is like unboxing a gadget and digging through packing materials to find all of the parts and accessories. Glad you were able to fix your computer!

    • #2467923

      WinRE for Windows 10 2004 — 21H1 is the same (version 2.0) so you’re good.

    • #2469826

      Thanks to everyone who posted tips about how to restore the Windows Recovery Environment. Lots of good information here I’ve squirreled away in case I ever need it.

      One thing I’m still not clear about. Why would the partition for the Windows Recovery Environment be missing on some systems in the first place? For example, is it normal for users to lose their Windows Recovery Environment partition after a clean reinstall of Win 10 or Win 11 using the Media Creation Tool (MCT)? Could a malware attack deliberately target and delete the Windows Recovery Environment partition?

      The MS support article Windows Recovery Environment (Windows RE) states that “By default, WinRE is preloaded into the Windows 10 and Windows 11 for desktop editions (Home, Pro, Enterprise, and Education)…” After reading the comments in this thread I confirmed that I was able to enter my Windows Recovery Environment (Ctrl+Alt+Del to bring up the login screen, click on Shutdown, and select Restart while holding the Shift key) and could run a Microsoft Defender offline scan, so I assume I’m good to go for now.
      ———-
      Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Firefox v103.0.2 * Microsoft Defender v4.18.2205.7-1.1.19500.2 * Malwarebytes Premium v4.5.12.204-1.0.1725 * Macrium Reflect Free v8.0.6867

      • #2470702

        As for my experience, when upgrading to 1809v2 (October release redux) there were two required recovery partitions before the upgrade and Windows setup just outright deleted the first Recovery Environment partition. (I couldn’t find a reason why so technically there was still some data loss.)

        Happily the factory recovery function still worked, but it does pay off to capture a disk image, as Macrium Reflect Free* was able to restore the deleted Windows Recovery Environment partition.


        *Not meant as an advertisement but that it is good to backup using a preferred program before making large system changes.
