Distorted Vision
Senior Member
- Joined
- Jun 18, 2022
- Messages
- 480
- Thread Author
-
- #1
Windows could not start the Windows Defender Advanced Threat Protection service on Local Computer
Error 1067. The process terminated unexpectedly.
Solution
Quick take
“Windows Defender Advanced Threat Protection Service” (service name: Sense) is the enterprise EDR sensor for Microsoft Defender for Endpoint. On a PC that is not onboarded to a Defender for Endpoint tenant, starting Sense manually typically returns Error 1067 (process terminated) and then stops. That’s expected and not a problem for consumer/stand‑alone use—the normal antivirus is the “Microsoft Defender Antivirus” service (WinDefend), not Sense.
What do you actually want to do?
- If you are NOT onboarding this PC to Microsoft Defender for Endpoint (business/E5), leave Sense alone. Set it to Manual (Trigger Start) and don’t try to start it—your AV protection is still active via WinDefend.
- If you DO intend...
- Joined
- Mar 14, 2023
- Messages
- 102,012
You’re hitting two things:
- The script line had a typo (missing value name on the Real‑Time Protection key).
- “Access is denied” is almost always Defender Tamper Protection and/or not running the shell elevated. Tamper Protection blocks changing Defender’s services and registry values.
1) Turn off Tamper Protection temporarily
- Windows Security > Virus & threat protection > Manage settings > Tamper Protection = Off.
- If the app won’t open or shows stale info: run this, then try again and turn it Off:
Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
- Right‑click Start > Windows Terminal (Admin) or PowerShell (Admin).
Copy/paste the whole block:
sc.exe config WinDefend start= auto
sc.exe start WinDefend
sc.exe config WdNisSvc start= demand
sc.exe start WdNisSvc
sc.exe config SecurityHealthService start= auto
sc.exe start SecurityHealthService
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode /f
gpupdate /force
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
4) Reboot, then enable Controlled Folder Access
- Admin PowerShell:
Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode
Set-MpPreference -EnableControlledFolderAccess Enabled
- Turn Tamper Protection back On in Windows Security.
- sc.exe qc WinDefend
- sc.exe query WinDefend
- Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode
and I’ll give the next exact fix.
Distorted Vision
Senior Member
- Joined
- Jun 18, 2022
- Messages
- 480
- Thread Author
-
- #22
At line:15 char:48
+ ... %ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
+ ~~~~~~~~~~~~~~~~~~
Unexpected token '-RemoveDefinitions' in expression or statement.
At line:15 char:67
+ ... %ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
+ ~~~~
Unexpected token '-All' in expression or statement.
At line:16 char:48
+ "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
+ ~~~~~~~~~~~~~~~~
Unexpected token '-SignatureUpdate' in expression or statement.
+ CategoryInfo : ParserError: ) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
- Joined
- Mar 14, 2023
- Messages
- 102,012
You’re seeing that error because in PowerShell a quoted path is just a string; you must invoke it with the call operator (&) or Start-Process.
Do this exactly (elevated PowerShell; temporarily turn Tamper Protection off first)
- Repair/refresh Defender signatures:
Code:
$mp = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
& $mp -RemoveDefinitions -All
& $mp -SignatureUpdate
(Alternative)
Code:
Start-Process -FilePath "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -ArgumentList "-RemoveDefinitions -All" -Wait
Start-Process -FilePath "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -ArgumentList "-SignatureUpdate" -Wait
Code:
Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode
# If any are False or PassiveMode is True, run:
Start-Service WinDefend, WdNisSvc, SecurityHealthService
Set-MpPreference -EnableControlledFolderAccess Enabled
If Set-MpPreference still returns 0x800106ba, it means a service is blocked or Tamper Protection is still on. Double‑check:
- Tamper Protection is Off while you run the commands, then turn it back On after.
- Services are running:
sc.exe query WinDefend should show STATE = RUNNING. If not, post:
Code:
sc.exe query WinDefend
Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode
and I’ll give the next exact fix.
Distorted Vision
Senior Member
- Joined
- Jun 18, 2022
- Messages
- 480
- Thread Author
-
- #24
Start-Service : Service 'Microsoft Defender Antivirus Network Inspection Service (WdNisSvc)' cannot be started due to
the following error: Cannot start service WdNisSvc on computer '.'.
At line:3 char:1
+ Start-Service WinDefend, WdNisSvc, SecurityHealthService
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
ServiceCommandException
+ FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand
Start-Service : Service 'Microsoft Defender Antivirus Service (WinDefend)' cannot be started due to the following
error: Cannot start service WinDefend on computer '.'.
At line:3 char:1
+ Start-Service WinDefend, WdNisSvc, SecurityHealthService
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
ServiceCommandException
+ FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand
Set-MpPreference : Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. Target:
EnableControlledFolderAccess.
At line:5 char:1
+ Set-MpPreference -EnableControlledFolderAccess Enabled
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference],
CimException
+ FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference
Distorted Vision
Senior Member
- Joined
- Jun 18, 2022
- Messages
- 480
- Thread Author
-
- #25
sc.exe query WinDefend
>> Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode
SERVICE_NAME: WinDefend
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
AMServiceEnabled AntivirusEnabled RealTimeProtectionEnabled PassiveMode
---------------- ---------------- ------------------------- -----------
False False False
- Joined
- Mar 14, 2023
- Messages
- 102,012
Thanks for the detailed outputs. Right now WinDefend and WdNisSvc won’t start because Windows still sees Defender as disabled/passive or its platform/feature isn’t fully present. Let’s bring Defender AV online first, then enable Controlled Folder Access (CFA).
Do this exactly (Admin PowerShell; step-by-step)
Prep
- Turn Tamper Protection OFF temporarily:
Windows Security > Virus & threat protection > Manage settings > Tamper Protection = Off.
Copy/paste the whole block. “Cannot find” is OK.
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode /f
gpupdate /force
2) Make sure the Defender feature is enabled and files exist
- Check the feature:
dism /online /Get-Features /Format:Table | findstr /i Defender
- If you see Windows-Defender-Features = Disabled, enable it:
dism /online /Enable-Feature /FeatureName:Windows-Defender-Features /All /NoRestart
- Repair system files (safe):
sfc /scannow
DISM /online /Cleanup-Image /RestoreHealth
Use the call operator so PowerShell actually runs the EXE:
$mp = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
& $mp -RemoveDefinitions -All
& $mp -SignatureUpdate
& $mp -PlatformUpdate
4) Start the required services
sc.exe config WinDefend start= auto
sc.exe start WinDefend
sc.exe config WdNisSvc start= demand
sc.exe start WdNisSvc
sc.exe config SecurityHealthService start= auto
sc.exe start SecurityHealthService
5) Verify status, then enable CFA
Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode,AMProductVersion
Set-MpPreference -EnableControlledFolderAccess Enabled
Turn Tamper Protection back ON in Windows Security.
If any start command fails
Please run these and paste the outputs (they give the exact reason):
- sc.exe qc WinDefend
- sc.exe queryex WinDefend
- sc.exe qc WdNisSvc
- sc.exe queryex WdNisSvc
- wevtutil qe System /q:"*[System[Provider[@Name='Service Control Manager'] and (EventID=7000 or EventID=7001 or EventID=7034)]]" /c:5 /f:text /rd:true
- If “The system cannot find the file specified”: the Defender platform folder is missing; the PlatformUpdate above should fix it. If not, run Windows Update or do an in‑place repair (keep apps/files) from the 24H2 ISO.
- If “Access is denied”: Tamper Protection is still on, or a policy remains—recheck step 1 and confirm Tamper is Off while changing services.
- If WDFilter driver isn’t running (sc.exe query wdfilter shows Stopped/Not found): run sfc/DISM again; this driver is part of Defender features.
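Added example, not part of the thread and not Microsoft's code: a read-only PowerShell report that gathers in one pass the diagnostics requested above (service and driver state, the policy values the thread deletes, and Get-MpComputerStatus). The function names are hypothetical; the registry paths and value names are the ones quoted in this thread, and AMRunningMode is used as the Get-MpComputerStatus field that reports Normal or Passive.

```powershell
# Added example, not from the thread: a read-only Defender state report.
# Nothing is changed. Run from an elevated PowerShell session.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent (the unconfigured default).
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-DefenderStateReport {
    # Start modes the thread's commands aim for (registry Start = 0, 2, 3).
    $expected = [ordered]@{ WdFilter = 'Boot'; WinDefend = 'Auto'; WdNisSvc = 'Manual' }
    # The two service exit codes that appear on this page.
    $exitText = @{
        1067 = 'process terminated unexpectedly'
        1077 = 'no start attempt since the last boot'
    }
    $findings = New-Object 'System.Collections.Generic.List[string]'

    $services = foreach ($name in $expected.Keys) {
        # WdFilter is a kernel driver, so fall back to Win32_SystemDriver.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
        }
        if (-not $svc) { $findings.Add("$name is not installed"); continue }
        if ($svc.StartMode -eq 'Disabled') { $findings.Add("$name start mode is Disabled") }
        if ($svc.State -ne 'Running') { $findings.Add("$name state is $($svc.State)") }
        [pscustomobject]@{
            Name        = $name
            State       = $svc.State
            StartMode   = $svc.StartMode
            Expected    = $expected[$name]
            ExitCode    = $svc.ExitCode
            ExitMeaning = $exitText[[int]$svc.ExitCode]
        }
    }

    # Values the thread removes because they keep Defender disabled or passive.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft'
    $flagDefs = @(
        @("$pol\Windows Defender", 'DisableAntiSpyware'),
        @("$pol\Windows Defender", 'DisableAntiVirus'),
        @("$pol\Windows Defender\Real-Time Protection", 'DisableRealtimeMonitoring'),
        @("$pol\Windows Advanced Threat Protection", 'ForceDefenderPassiveMode'),
        @('HKLM:\SOFTWARE\Microsoft\Windows Defender', 'PassiveMode')
    )
    $flags = foreach ($def in $flagDefs) {
        $value = Get-RegValue -Path $def[0] -Name $def[1]
        if ($null -ne $value -and $value -ne 0) {
            $findings.Add("$($def[1]) = $value under $($def[0])")
        }
        [pscustomobject]@{ Key = $def[0]; Name = $def[1]; Value = $value }
    }

    # Get-MpComputerStatus throws (for example 0x800106ba) while WinDefend is down.
    $status = $null
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop |
            Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                          IsTamperProtected, AMRunningMode
    } catch {
        $findings.Add("Get-MpComputerStatus failed: $($_.Exception.Message)")
    }
    if ($status -and -not $status.AntivirusEnabled) {
        $findings.Add('AntivirusEnabled is False')
    }
    if ($status -and $status.AMRunningMode -and $status.AMRunningMode -ne 'Normal') {
        $findings.Add("AMRunningMode is $($status.AMRunningMode)")
    }

    [pscustomobject]@{
        Services    = $services
        PolicyFlags = $flags
        Status      = $status
        Findings    = $findings.ToArray()
    }
}

$report = Get-DefenderStateReport
$report.Services    | Format-Table -AutoSize
$report.PolicyFlags | Format-Table -AutoSize
$report.Status      | Format-List
$report.Findings
```

An empty Findings list with all three services Running corresponds to the healthy state reported later in the thread.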
- Joined
- Mar 14, 2023
- Messages
- 102,012
Thanks—right now Defender AV is completely off. We’ll flip it back on cleanly. Do this exactly, in order.
Before you start
- Turn OFF Tamper Protection temporarily: Windows Security > Virus & threat protection > Manage settings > Tamper Protection = Off.
- Open Windows Terminal or PowerShell as Administrator.
Copy/paste the whole block:
sc.exe stop WinDefend
sc.exe stop WdNisSvc
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode /f
REM Ensure Defender services/drivers aren’t disabled
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v Start /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v Start /t REG_DWORD /d 3 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v Start /t REG_DWORD /d 0 /f
gpupdate /force
shutdown /r /t 0
Step 2 — After reboot, start services and refresh Defender
Run (Admin PowerShell):
sc.exe query WinDefend
sc.exe start WinDefend
sc.exe start WdNisSvc
sc.exe start SecurityHealthService
Refresh Defender engine/signatures
$mp = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
& $mp -RemoveDefinitions -All
& $mp -SignatureUpdate
Step 3 — Verify Defender is active, then enable Controlled Folder Access
Run:
Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode
Set-MpPreference -EnableControlledFolderAccess Enabled
Finally, turn Tamper Protection back ON in Windows Security.
If anything fails, please paste just these outputs:
- sc.exe qc WinDefend
- sc.exe query WinDefend
- sc.exe query WdFilter
- Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode
- If WdFilter was Disabled (Start=4) earlier, changing it to 0 (Boot start) requires that reboot in Step 1 before WinDefend can run.
- If you ever see “Access is denied” again while changing Defender settings, Tamper Protection is still on. Turn it off temporarily, make the changes, then re‑enable it.
Distorted Vision
Senior Member
- Joined
- Jun 18, 2022
- Messages
- 480
- Thread Author
-
- #28
I am unable to perform this step:
Windows Security > Virus & threat protection > Manage settings > Tamper Protection = Off.
"Page not available
Your IT administrator has limited access to some areas of this app, and the item you tried to access is not available. Contact IT helpdesk for more information"
- Joined
- Mar 14, 2023
- Messages
- 102,012
Understood. The Windows Security UI is policy‑blocked, so just toggle Tamper Protection and re‑enable Defender from Safe Mode (Tamper Protection doesn’t load there).
Do this exactly
1) Boot to Safe Mode
- Settings > System > Recovery > Advanced startup > Restart now.
- Troubleshoot > Advanced options > Startup Settings > Restart > press 4 (Safe Mode).
- Turn off Tamper Protection and clear “passive/disable” flags
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode /f
- Ensure Defender drivers/services start
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v Start /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v Start /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v Start /t REG_DWORD /d 3 /f
- Reboot normally.
- Start services
sc.exe start WinDefend
sc.exe start WdNisSvc
sc.exe start SecurityHealthService
- Refresh Defender engine/signatures
$mp="$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
& $mp -RemoveDefinitions -All
& $mp -SignatureUpdate
- Verify Defender is active
Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode
sc.exe query WinDefend
- Turn CFA on:
Set-MpPreference -EnableControlledFolderAccess Enabled
- Open Windows Security > Virus & threat protection > Manage settings and turn Tamper Protection back On.
If the app still shows “limited access”, reset it:
Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
Reboot once.
- sc.exe query WinDefend
- Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode
- reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection
and I’ll give the next exact command.
Distorted Vision
Senior Member
- Joined
- Jun 18, 2022
- Messages
- 480
- Thread Author
-
- #31
PS C:\WINDOWS\system32> reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
>> reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /f
>> reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /f
>> reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
>> reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode /f
>> reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v Start /t REG_DWORD /d 0 /f
>> reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v Start /t REG_DWORD /d 2 /f
>> reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v Start /t REG_DWORD /d 3 /f
ERROR: Access is denied.
ERROR: Access is denied.
ERROR: The system was unable to find the specified registry key or value.
ERROR: The system was unable to find the specified registry key or value.
ERROR: The system was unable to find the specified registry key or value.
The operation completed successfully.
The operation completed successfully.
The operation completed successfully.
- Joined
- Mar 14, 2023
- Messages
- 102,012
Thanks for the details. “Access is denied” on those registry paths means Tamper Protection is still active and blocking changes. The easiest way around it is to flip the switches offline (from WinRE), then Windows will let Defender start normally. Do this exactly:
Step 1 — Boot to Windows Recovery (WinRE)
- Settings > System > Recovery > Advanced startup > Restart now.
- Troubleshoot > Advanced options > Command Prompt.
- Choose your account and sign in.
In the WinRE Command Prompt:
- Find your Windows drive (in WinRE it might not be C:). One of these will show files:
dir C:\Windows
dir D:\Windows
Assume it’s on C: in the example below. If yours is D:, replace C: with D:.
- Load the SOFTWARE and SYSTEM hives:
reg load HKLM\OFFSOFT C:\Windows\System32\Config\SOFTWARE
reg load HKLM\OFFSYSTEM C:\Windows\System32\Config\SYSTEM
- Turn off Tamper Protection and clear passive/disable policies (offline):
reg add "HKLM\OFFSOFT\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
reg delete "HKLM\OFFSOFT\Microsoft\Windows Defender" /v PassiveMode /f
reg delete "HKLM\OFFSOFT\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /f
reg delete "HKLM\OFFSOFT\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
reg delete "HKLM\OFFSOFT\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode /f
- Ensure Defender drivers/services start at boot/auto:
reg add "HKLM\OFFSYSTEM\CurrentControlSet\Services\WdFilter" /v Start /t REG_DWORD /d 0 /f
reg add "HKLM\OFFSYSTEM\CurrentControlSet\Services\WinDefend" /v Start /t REG_DWORD /d 2 /f
reg add "HKLM\OFFSYSTEM\CurrentControlSet\Services\WdNisSvc" /v Start /t REG_DWORD /d 3 /f
- Unload the hives:
reg unload HKLM\OFFSOFT
reg unload HKLM\OFFSYSTEM
- Type exit and Continue to Windows.
- Start services and refresh Defender:
sc.exe start WinDefend
sc.exe start WdNisSvc
sc.exe start SecurityHealthService
$mp = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
& $mp -RemoveDefinitions -All
& $mp -SignatureUpdate
- Verify Defender is active:
Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode
- Enable Controlled Folder Access:
Set-MpPreference -EnableControlledFolderAccess Enabled
- If the Windows Security app still shows “limited access,” reset it:
Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
Reboot once, then re‑check.
- The drive you used in WinRE (C: or D:),
- Output of sc.exe query WinDefend,
- Output of Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode,
and I’ll provide the next exact fix.
Distorted Vision
Senior Member
- Joined
- Jun 18, 2022
- Messages
- 480
- Thread Author
-
- #33
This completed successfully:
PS C:\WINDOWS\system32> Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,PassiveMode
AMServiceEnabled AntivirusEnabled RealTimeProtectionEnabled PassiveMode
---------------- ---------------- ------------------------- -----------
True True True
- Joined
- Mar 14, 2023
- Messages
- 102,012
Great—Defender AV is fully active now. Next steps to finish up and enable Controlled Folder Access (CFA):
1) Enable CFA and verify
- Run (Admin PowerShell):
Set-MpPreference -EnableControlledFolderAccess Enabled
Get-MpPreference | Select EnableControlledFolderAccess
1 = Enabled, 0 = Disabled
- Optional allow-lists:
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Path\YourApp.exe"
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Data"
- Windows Security > Virus & threat protection > Manage settings > Tamper Protection = On.
- If the UI still shows “limited access,” reset it, then reopen:
Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
- Signatures up to date:
$mp="$env:ProgramFiles\Windows Defender\MpCmdRun.exe"; & $mp -SignatureUpdate
- Services running and status OK:
sc.exe query WinDefend
Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,IsTamperProtected
- Note: PassiveMode should be False/blank now. If it ever shows True:
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /t REG_DWORD /d 0 /f
Restart-Computer
Distorted Vision
Senior Member
- Joined
- Jun 18, 2022
- Messages
- 480
- Thread Author
-
- #35
PS C:\users\[edited out]\desktop\Scans> Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,IsTamperProtected
AMServiceEnabled AntivirusEnabled RealTimeProtectionEnabled IsTamperProtected
---------------- ---------------- ------------------------- -----------------
True True True True
Last edited by a moderator:
- Joined
- Mar 14, 2023
- Messages
- 102,012
Great—Defender is fully active and Tamper Protection is on. You’re in a good state.
If you still want Controlled Folder Access (CFA):
- Enable and verify (Admin PowerShell):
Set-MpPreference -EnableControlledFolderAccess Enabled
Get-MpPreference | Select EnableControlledFolderAccess # 1 means enabled
- Optional allow‑lists:
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Path\YourApp.exe"
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Data"
- You can also turn it on in the UI: Windows Security > Virus & threat protection > Ransomware protection.
$mp="$env:ProgramFiles\Windows Defender\MpCmdRun.exe"; & $mp -SignatureUpdate
If the CFA command throws any error, tell me the exact message and I’ll pinpoint the fix.
Distorted Vision
Senior Member
- Joined
- Jun 18, 2022
- Messages
- 480
- Thread Author
-
- #37
The issue I am now trying to resolve is disabling read only for folder:
C:\users\[edited out]\desktop\scans
Right Click->Properties when I uncheck Read only it does not work when I try and check it again.
Also tried:
attrib -r /s /d "C:\users\[edited out]\desktop\scans"
Result:
Not resetting system file - C:\users\[edited out]\desktop\Scans
Last edited by a moderator:
- Joined
- Mar 14, 2023
- Messages
- 102,012
You’re running into two separate things:
1) The “Read‑only” checkbox on a folder is a tri‑state UI and doesn’t actually make the folder read‑only. It flips back by design. Write access is controlled by NTFS permissions and, on your PC, Controlled Folder Access (CFA).
2) Your attrib message “Not resetting system file – …\Scans” means the folder (or items in it) has the System attribute. You can’t clear R without clearing S first.
Do this (elevated PowerShell or CMD)
A) Make sure you own it and have write permission
- Replace the path with your exact folder name (note the capital S in Scans):
takeown /F "C:\Users\[edited out]\Desktop\Scans" /R /D Y
icacls "C:\Users\[edited out]\Desktop\Scans" /inheritance:e
icacls "C:\Users\[edited out]\Desktop\Scans" /grant "%USERNAME%:(OI)(CI)M" /T
attrib -s -h -r "C:\Users\[edited out]\Desktop\Scans" /S /D
C) Check if Controlled Folder Access is blocking writes
- CFA protects Desktop by default and will block untrusted apps from writing there.
PowerShell (admin):
(Get-MpPreference).EnableControlledFolderAccess
• 1 = On. Either allow your app:
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Path\To\YourApp.exe"
(Re‑run your app and save to Scans.)
• Or temporarily test with CFA off:
Set-MpPreference -EnableControlledFolderAccess Disabled
Test saving, then re‑enable when done:
Set-MpPreference -EnableControlledFolderAccess Enabled
- The folder Read‑only box will still show a filled square after all this; that’s normal and not a problem.
- If OneDrive is backing up Desktop (Known Folder Move), it can set System on some items; removing S/H from your Scans folder is safe, but don’t do it on the Desktop root.
- The exact app and error you see when writing to …\Scans,
- Output of: icacls "C:\Users\[edited out]\Desktop\Scans"
and I’ll tailor the next command(s).
Last edited by a moderator:
Distorted Vision
Senior Member
- Joined
- Jun 18, 2022
- Messages
- 480
- Thread Author
-
- #39
PS C:\users\[edited out]\desktop\scans> takeown /F "C:\Users\[edited out]\Desktop\Scans" /R /D Y
>> icacls "C:\Users\[edited out]\Desktop\Scans" /inheritance:e
>> icacls "C:\Users\[edited out]\Desktop\Scans" /grant "%USERNAME% OI)(CI)M" /
SUCCESS: The file (or folder): "C:\Users\[edited out]\Desktop\Scans" now owned by user "PATRE-LAPTOP\[edited out]".
processed file: C:\Users\[edited out]\Desktop\Scans
Successfully processed 1 files; Failed processing 0 files
Invalid parameter "/"
PS C:\users\[edited out]\desktop\scans> attrib -s -h -r "C:\Users\[edited out]\Desktop\Scans" /S /D
PS C:\users\[edited out]\desktop\scans>
PS C:\users\[edited out]\desktop\scans> (Get-MpPreference).EnableControlledFolderAccess
0
Last edited by a moderator:
- Joined
- Mar 14, 2023
- Messages
- 102,012
You’re very close—two notes:
- The Read-only box on a folder is a tri‑state and doesn’t control write access. It often reappears filled even when you can write. Writes are controlled by NTFS permissions (and CFA, which you’ve confirmed is Off: 0).
- Your icacls line failed because of the stray “/” at the end. Use /T to apply to children.
1) Grant yourself Modify on the folder and all children
- Replace nothing—path already correct; just run:
icacls "C:\Users\[edited out]\Desktop\Scans" /inheritance:e
icacls "C:\Users\[edited out]\Desktop\Scans" /grant "%USERNAME%:(OI)(CI)M" /T
icacls "C:\Users\[edited out]\Desktop\Scans" /grant "%USERNAME%:(OI)(CI)F" /T
2) If you still hit “Access is denied,” reset ACLs to parent defaults
icacls "C:\Users\[edited out]\Desktop\Scans" /reset /T
3) You already cleared System/Hidden/Read‑only (good). To confirm:
attrib "C:\Users\[edited out]\Desktop\Scans"
4) Quick write test
- CMD:
echo test > "C:\Users\[edited out]\Desktop\Scans\test.txt"
- PowerShell:
New-Item -Path "C:\Users\[edited out]\Desktop\Scans\test.txt" -ItemType File -Force | Out-Null
- icacls "C:\Users\[edited out]\Desktop\Scans"
- The exact error you see when creating test.txt
- Whether this Desktop is under OneDrive (does %UserProfile%\OneDrive\Desktop exist and contain Scans?)
Last edited by a moderator:
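A PowerShell check that gathers in one pass what the answers above ask for: attribute bits, owner and explicit ACL rights, CFA state, a OneDrive copy of the folder, and a real write test. This is an added example, not part of any post in the thread; the function name and the sample path are assumptions, and it uses $env:USERNAME because PowerShell does not expand %USERNAME%.

```powershell
# Added example (not from the thread). The path on the last line is a placeholder.
function Test-FolderWriteState {
    param([Parameter(Mandatory)][string]$Path)

    $item  = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $attrs = $item.Attributes
    $acl   = Get-Acl -LiteralPath $Path

    # ACEs that name the current user directly; rights granted via groups are not expanded here.
    $me     = "$env:USERDOMAIN\$env:USERNAME"
    $rights = $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $me -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.FileSystemRights.ToString() }

    # Controlled Folder Access: 0 = off, 1 = on (the values discussed in the thread).
    $cfa = $null
    try { $cfa = (Get-MpPreference -ErrorAction Stop).EnableControlledFolderAccess } catch { }

    # Known Folder Move check: same folder name under %UserProfile%\OneDrive\Desktop.
    $oneDriveCopy = Join-Path $env:USERPROFILE (Join-Path 'OneDrive\Desktop' $item.Name)

    # The decisive test: create and delete a uniquely named probe file.
    $probe = Join-Path $item.FullName ("writetest_{0}.tmp" -f [guid]::NewGuid().ToString('N'))
    $writeError = $null
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
    } catch { $writeError = $_.Exception.Message }

    [pscustomobject]@{
        Path             = $item.FullName
        Owner            = $acl.Owner
        ReadOnlyBit      = [bool]($attrs -band [IO.FileAttributes]::ReadOnly)
        SystemBit        = [bool]($attrs -band [IO.FileAttributes]::System)
        HiddenBit        = [bool]($attrs -band [IO.FileAttributes]::Hidden)
        MyExplicitRights = ($rights -join '; ')
        CfaState         = $cfa
        OneDriveCopy     = (Test-Path -LiteralPath $oneDriveCopy)
        CanWrite         = ($null -eq $writeError)
        WriteError       = $writeError
    }
}

# Assumed location; replace with the real folder.
Test-FolderWriteState -Path "$env:USERPROFILE\Desktop\Scans" | Format-List
```

If CanWrite is True while ReadOnlyBit is also True, that matches the point made above: the folder's Read-only flag does not govern write access.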