DebugDiag isn't capturing Windows Defender crashes

pearj

New Member
I'm trying to diagnose Windows Defender (MsMpEng.exe) crashes, which are happening every 5 to 10 minutes.

I've been following the post of Windows 10 - Troubleshooting program crashes to try and get crash logs, however DebugDiag isn't capturing the Windows Defender crashes.

I see in the DebugDiag logs that it attaches to the process:

Code:
[6/2/2021 11:37:04 AM] New process found:        Process Name - MsMpEng.exe          Process ID - 18620  Process Identity - SYSTEM                                 
[6/2/2021 11:37:04 AM] Attach Debugger:          Process Name - MsMpEng.exe          Process ID - 18620  Control Script - C:\Program Files\DebugDiag\Scripts\CrashRule_Process_MsMpEng.exe.vbs
...
[6/2/2021 11:39:43 AM] Process Exited:           Process Name - MsMpEng.exe          Process ID - 18620 
[6/2/2021 11:39:43 AM] Service state changed:    Service Name - WinDefend            Process ID - 0      Current State - SERVICE_STOPPED

But it never captures a Userdump.

Is it because Windows Defender is some sort of protected process?
 

Neemobeer

Application and Cloud Security Engineer
Staff member
Defender shouldn't be protected, but it could be due to it running as system or it's not a capturable crash. Are there any errors in event log for it? You can also try running SFC /SCANNOW
 

pearj

New Member
Yes there are events in the event log:

Faulting application name: MsMpEng.exe, version: 4.18.1909.6, time stamp: 0x2b5ae0b5
Faulting module name: mprtp.dll, version: 4.18.1909.6, time stamp: 0x64f86809
Exception code: 0xc0000409
Fault offset: 0x000000000007c16d
Faulting process ID: 0x3c5c
Faulting application start time: 0x01d757fc3938d1bd
Faulting application path: C:\Program Files\Windows Defender\MsMpEng.exe
Faulting module path: C:\Program Files\Windows Defender\mprtp.dll
Report ID: 0a8163b8-7171-4287-9080-fcb8f536c3e0
Faulting package full name:
Faulting package-relative application ID:

I don't expect SFC /SCANNOW to help as this is present in a Corporate SOE that appears to affect all users.

We do also have Trend Micro installed too, but it's real-time scanning component is disabled. So I really need to find the smoking gun, which I was hoping that DebugDiag would give me.
 

Neemobeer

Application and Cloud Security Engineer
Staff member
Well if it's affecting all systems then you can probably skip SFC. c0000409 is a stack overrun error, so it sounds like memory is getting corrupted or overridden. I would start by completely disabling all Trend Micro components. If they have a memory protection mechanism that could certainly cause the issue. If this is a work environment I would also investigate recent configuration, GPO or software changes as well as last patch cycle and does it match up to the first occurrence.
 

pearj

New Member
Great thanks for the advice, I'll try disabling the Trend Micro completely. It sounds like picking and choosing bits of Windows Defender and Trend Micro might not be viable.
 

Neemobeer

Application and Cloud Security Engineer
Staff member
Well security experts will preach "Defense in Depth" which means complimenting security controls and not multiple controls of the same type (Such as endpoint protection), so not a great idea to run Defender and another end point protection suite.
 

jakeqz

New Member
I'm getting the exact same fault in Windows Defender (same offset and version). This is a fresh reinstall (because something seemed to have gone awry). No other AV is installed. I think Microsoft have broken quite a few things with recent updates.
 

pearj

New Member
Just for the record, we ended up disabling the real-time scanning of Windows Defender and using Trend Micro instead. So we're not getting the crashes of Defender anymore (because it isn't running ;))
 
Top