Windows 10 DebugDiag isn't capturing Windows Defender crashes

pearj

I'm trying to diagnose Windows Defender (MsMpEng.exe) crashes, which are happening every 5 to 10 minutes.

I've been following the post Windows 10 - Troubleshooting program crashes to try to get crash logs; however, DebugDiag isn't capturing the Windows Defender crashes.

I see in the DebugDiag logs that it attaches to the process:

Code:
[6/2/2021 11:37:04 AM] New process found:        Process Name - MsMpEng.exe          Process ID - 18620  Process Identity - SYSTEM                                 
[6/2/2021 11:37:04 AM] Attach Debugger:          Process Name - MsMpEng.exe          Process ID - 18620  Control Script - C:\Program Files\DebugDiag\Scripts\CrashRule_Process_MsMpEng.exe.vbs
...
[6/2/2021 11:39:43 AM] Process Exited:           Process Name - MsMpEng.exe          Process ID - 18620 
[6/2/2021 11:39:43 AM] Service state changed:    Service Name - WinDefend            Process ID - 0      Current State - SERVICE_STOPPED

But it never captures a Userdump.

Is it because Windows Defender is some sort of protected process?
 


Defender shouldn't be protected, but it could be due to it running as system or it's not a capturable crash. Are there any errors in event log for it? You can also try running SFC /SCANNOW
 


Yes there are events in the event log:

Faulting application name: MsMpEng.exe, version: 4.18.1909.6, time stamp: 0x2b5ae0b5
Faulting module name: mprtp.dll, version: 4.18.1909.6, time stamp: 0x64f86809
Exception code: 0xc0000409
Fault offset: 0x000000000007c16d
Faulting process ID: 0x3c5c
Faulting application start time: 0x01d757fc3938d1bd
Faulting application path: C:\Program Files\Windows Defender\MsMpEng.exe
Faulting module path: C:\Program Files\Windows Defender\mprtp.dll
Report ID: 0a8163b8-7171-4287-9080-fcb8f536c3e0
Faulting package full name:
Faulting package-relative application ID:

I don't expect SFC /SCANNOW to help as this is present in a Corporate SOE that appears to affect all users.

We also have Trend Micro installed, but its real-time scanning component is disabled. So I really need to find the smoking gun, which I was hoping DebugDiag would give me.
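The Event ID 1000 record quoted above is the same thing across the whole fleet, so tallying those records is a quicker way to confirm "same module, same offset everywhere" than waiting for a dump. The following is an added example, not code from the thread: it parses the Faulting... fields of Application Error events and groups MsMpEng.exe faults by module, exception code and offset. The function names are hypothetical and it assumes an elevated PowerShell session on an affected machine.

```powershell
# Added example (not from the thread): parse Event ID 1000 'Application Error' records
# like the one quoted above and tally MsMpEng.exe faults by module, exception code and offset.
# Function names are hypothetical; run in an elevated PowerShell on the affected machine.

function ConvertFrom-FaultReport {
    param([Parameter(Mandatory)][string]$Message, [datetime]$Time)
    # Each field is "Label: value"; several fields share a line, separated by commas.
    $field = {
        param($label)
        if ($Message -match ([regex]::Escape($label) + '\s*:\s*([^,\r\n]+)')) { $Matches[1].Trim() }
    }
    [pscustomobject]@{
        Time          = $Time
        App           = & $field 'Faulting application name'
        Module        = & $field 'Faulting module name'
        ModulePath    = & $field 'Faulting module path'
        ExceptionCode = & $field 'Exception code'
        Offset        = & $field 'Fault offset'
        ProcessId     = & $field 'Faulting process ID'
    }
}

function Get-FaultSummary {
    param([string]$ProcessName = 'MsMpEng.exe', [int]$Days = 7)
    # Provider 'Application Error', ID 1000 is the record type the thread quotes.
    $filter = @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-FaultReport -Message $_.Message -Time $_.TimeCreated } |
        Where-Object { $_.App -eq $ProcessName } |
        Group-Object Module, ExceptionCode, Offset |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Last'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
}

# Constructed sample: the event text quoted in the thread, so the parser can be checked offline.
$sample = @'
Faulting application name: MsMpEng.exe, version: 4.18.1909.6, time stamp: 0x2b5ae0b5
Faulting module name: mprtp.dll, version: 4.18.1909.6, time stamp: 0x64f86809
Exception code: 0xc0000409
Fault offset: 0x000000000007c16d
Faulting process ID: 0x3c5c
Faulting module path: C:\Program Files\Windows Defender\mprtp.dll
'@
ConvertFrom-FaultReport -Message $sample | Format-List

# Live tally: one Module/Offset pair recurring on every machine points at a single bug
# in that module, not at local file or memory corruption.
Get-FaultSummary | Format-Table -AutoSize
```

0xc0000409 is STATUS_STACK_BUFFER_OVERRUN, which matches the "stack overrun" reading given in the replies.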
 


Solution
Well if it's affecting all systems then you can probably skip SFC. c0000409 is a stack overrun error, so it sounds like memory is getting corrupted or overridden. I would start by completely disabling all Trend Micro components. If they have a memory protection mechanism that could certainly cause the issue. If this is a work environment I would also investigate recent configuration, GPO or software changes as well as last patch cycle and does it match up to the first occurrence.
 


Great thanks for the advice, I'll try disabling the Trend Micro completely. It sounds like picking and choosing bits of Windows Defender and Trend Micro might not be viable.
 


Well security experts will preach "Defense in Depth", which means complementing security controls and not multiple controls of the same type (such as endpoint protection), so it's not a great idea to run Defender and another endpoint protection suite.
 


I'm getting the exact same fault in Windows Defender (same offset and version). This is a fresh reinstall (because something seemed to have gone awry). No other AV is installed. I think Microsoft have broken quite a few things with recent updates.
 


Just for the record, we ended up disabling the real-time scanning of Windows Defender and using Trend Micro instead. So we're not getting the crashes of Defender anymore (because it isn't running ;))
 

