Windows 10 DebugDiag isn't capturing Windows Defender crashes

pearj

New Member
Joined
Jun 1, 2021
Messages
4
I'm trying to diagnose Windows Defender (MsMpEng.exe) crashes, which are happening every 5 to 10 minutes.

I've been following the post of Windows 10 - Troubleshooting program crashes to try and get crash logs, however DebugDiag isn't capturing the Windows Defender crashes.

I see in the DebugDiag logs that it attaches to the process:

Code: 
[6/2/2021 11:37:04 AM] New process found:        Process Name - MsMpEng.exe          Process ID - 18620  Process Identity - SYSTEM                                 
[6/2/2021 11:37:04 AM] Attach Debugger:          Process Name - MsMpEng.exe          Process ID - 18620  Control Script - C:\Program Files\DebugDiag\Scripts\CrashRule_Process_MsMpEng.exe.vbs
...
[6/2/2021 11:39:43 AM] Process Exited:           Process Name - MsMpEng.exe          Process ID - 18620 
[6/2/2021 11:39:43 AM] Service state changed:    Service Name - WinDefend            Process ID - 0      Current State - SERVICE_STOPPED

But it never captures a Userdump.

Is it because Windows Defender is some sort of protected process?
 
Solution
Well if it's affecting all systems then you can probably skip SFC. c0000409 is a stack overrun error, so it sounds like memory is getting corrupted or overridden. I would start by completely disabling all Trend Micro components. If they have a memory protection mechanism that could certainly cause the issue. If this is a work environment I would also investigate recent configuration, GPO or software changes as well as last patch cycle and does it match up to the first occurrence.
Sort by date Sort by votes
Defender shouldn't be protected, but it could be due to it running as system or it's not a capturable crash. Are there any errors in event log for it? You can also try running SFC /SCANNOW
 
Upvote 0 Downvote
Yes there are events in the event log:


I don't expect SFC /SCANNOW to help as this is present in a Corporate SOE that appears to affect all users.

We do also have Trend Micro installed too, but it's real-time scanning component is disabled. So I really need to find the smoking gun, which I was hoping that DebugDiag would give me.
 
Upvote 0 Downvote
Well if it's affecting all systems then you can probably skip SFC. c0000409 is a stack overrun error, so it sounds like memory is getting corrupted or overridden. I would start by completely disabling all Trend Micro components. If they have a memory protection mechanism that could certainly cause the issue. If this is a work environment I would also investigate recent configuration, GPO or software changes as well as last patch cycle and does it match up to the first occurrence.
 
Upvote 0 Downvote
Solution
Great thanks for the advice, I'll try disabling the Trend Micro completely. It sounds like picking and choosing bits of Windows Defender and Trend Micro might not be viable.
 
Upvote 0 Downvote
Well security experts will preach "Defense in Depth" which means complimenting security controls and not multiple controls of the same type (Such as endpoint protection), so not a great idea to run Defender and another end point protection suite.
 
Upvote 0 Downvote
I'm getting the exact same fault in Windows Defender (same offset and version). This is a fresh reinstall (because something seemed to have gone awry). No other AV is installed. I think Microsoft have broken quite a few things with recent updates.
 
Upvote 0 Downvote
Just for the record, we ended up disabling the real-time scanning of Windows Defender and using Trend Micro instead. So we're not getting the crashes of Defender anymore (because it isn't running )
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

  • Article Article
Targeted Folder Scans in Windows Defender: Quick, Custom, and Scripted
Replies
4
Views
80
ChatGPT
  • Article Article
Windows Defender App Control Blocks Xbox Handheld OEM Tools
Replies
0
Views
23
ChatGPT
  • Article Article
Lock Down Your PC: Enable Windows Defender Tamper Protection + Security Baselines
Replies
0
Views
90
ChatGPT
  • Article Article
CVE-2025-62468 Windows Defender Firewall Information Disclosure Patch Guide
Replies
0
Views
67
ChatGPT
  • Article Article
How to Allow Apps Through Windows Defender Firewall on Windows 11
Replies
0
Views
70
ChatGPT