Distorted Vision

Windows could not start the Windows Defender Advanced Threat Protection service on Local Computer

Error 1067. The process terminated unexpectedly.
 

Solution

Quick take

“Windows Defender Advanced Threat Protection Service” (service name: Sense) is the enterprise EDR sensor for Microsoft Defender for Endpoint. On a PC that is not onboarded to a Defender for Endpoint tenant, starting Sense manually typically returns Error 1067 (process terminated) and then stops. That’s expected and not a problem for consumer/stand‑alone use—the normal antivirus is the “Microsoft Defender Antivirus” service (WinDefend), not Sense.

What do you actually want to do?

  • If you are NOT onboarding this PC to Microsoft Defender for Endpoint (business/E5), leave Sense alone. Set it to Manual (Trigger Start) and don’t try to start it—your AV protection is still active via WinDefend.
  • If you DO intend...
@ChatGPT Summarize the original issue of this thread and what you have done to resolve.

Summary of the issue and fixes

Original problems raised in this thread
  • TP‑Link TX201 (Realtek 2.5GbE) on Windows: intermittent drops and very low download (≈115 Mbps) while Linux and another PC were ~900 Mbps.
  • Windows 11 Home → Pro upgrade failing (0x803fa067, 0x80070490).
  • Windows Security: “Your IT administrator has limited access,” Defender AV off, CFA unusable; ATP/Sense service errors; Kaspersky remnants present.
  • Folder “read‑only” confusion when saving to Desktop\Scans.
  • Canon i‑SENSYS MF752Cdw “Scan to folder” failing with Error #806 (SMB).
What we did to resolve
  • NIC/throughput: re‑enabled TCP autotuning; disabled Advanced EEE/Energy‑Efficient/Green/Gigabit‑Lite; disabled LSO (IPv4/IPv6); kept Flow Control On; set Speed & Duplex Auto; raised buffers to driver‑allowed max (Rx 512, Tx 4096); adapter restart. Result: stable 2.5 Gbps link, Windows download ~780–900 Mbps and no drops.
  • Home → Pro (in‑place, no rebuild): switched edition offline with generic Pro key (changepk.exe), then activated with your purchased key. Resolved activation errors.
  • Defender/CFA: fully removed Kaspersky and stale SecurityCenter2 entries; cleared passive/disable policies; handled Tamper Protection by offline registry change; ensured WinDefend/WdFilter/WdNisSvc start types and services OK; refreshed signatures. Result: AMServiceEnabled/AntivirusEnabled/RealTimeProtectionEnabled = True; CFA available.
  • “Read‑only” folder: clarified the UI tri‑state; fixed NTFS/share permissions with takeown/icacls and attrib to remove System/Hidden where needed.
  • Canon scan Error #806: created simple share C:\Scans, made local account scanuser with Modify and share Change rights, enabled File/Printer Sharing (Private). In Canon Remote UI added a File (SMB) destination using Host = PC IP, Folder Path = Scans (not C:\Scans), Username = COMPUTERNAME\scanuser. Result: scans deliver successfully.
Current status
  • Network stable and fast, Windows 11 Pro activated, Defender fully active, CFA controllable, and SMB “scan to folder” working.
@ChatGPT Actually just in this thread, not other threads created by the same person or others. This thread is 380533.
 

Here’s a thread‑only recap for 380533 (Unable to start Windows Defender Advanced Threat Protection Service).
Original issue(s)
  • “Windows could not start the Windows Defender Advanced Threat Protection service (Sense). Error 1067.”
  • Windows Security banner: “Your IT administrator has limited access,” and Controlled Folder Access (CFA) could not be opened/changed.
What I diagnosed
  • Sense (Windows Defender Advanced Threat Protection) is the Microsoft Defender for Endpoint EDR sensor. On non‑onboarded/home systems, starting Sense typically fails with 1067 by design; it does not affect antivirus protection.
  • The “limited access” banner and CFA failure were because a third‑party AV (Kaspersky) was still registered with Windows, forcing Microsoft Defender Antivirus into passive/disabled mode. In that state, CFA can’t be managed.
What I did (and provided step‑by‑step)
  • Clarified Sense’s role and gave two paths:
    • If not using Microsoft Defender for Endpoint: leave Sense set to Manual; don’t start it.
    • If you are using it: provided onboarding steps (check OnboardingState, run the official onboarding script, verify SENSE/Operational log).
  • Restoring Defender AV and CFA:
    • Checked SecurityCenter2 to see which AVs were registered; your output showed both Windows Defender and Kaspersky.
    • Supplied commands to remove “disable/passive” Defender policies, start required services (WinDefend, WdNisSvc, SecurityHealthService), and repair/update Defender (SFC/DISM + MpCmdRun).
    • Gave Group Policy/Registry methods to unlock the CFA UI and a PowerShell path (Set‑MpPreference) once Defender is active.
    • In response to error 0x800106ba on Set‑MpPreference, explained it means Defender isn’t active and reiterated the need to remove the third‑party AV first.
    • Advised fully uninstalling Kaspersky (and running its cleanup tool), rebooting, verifying only Defender is registered, then enabling CFA and adding allowed apps/folders as needed.
Current/next step for this thread
  • Remove Kaspersky completely, reboot, confirm only Microsoft Defender is registered, then enable CFA (Set‑MpPreference -EnableControlledFolderAccess Enabled). Sense can remain stopped unless you’re onboarding to Defender for Endpoint.
 

I have created a destination in the address book for another PC on the network: PATRE-Desktop.

But it is giving me Error 801.
 

Error 801 on the MF752Cdw = “cannot connect to the file server”

That means the printer can’t reach or open the share. It’s almost always one of: wrong host/path format, PC asleep, firewall/SMB blocked, or DNS/name lookup. Fix it in this order.
1) On PATRE-Desktop (the target PC)
  • Create a simple share (don’t use Desktop paths):
    • Folder: C:\ScansD
    • Local user for the scanner (example): scanuser_d with a password.
    • NTFS and Share permissions:
      icacls C:\ScansD /inheritance:e
      icacls C:\ScansD /grant "%COMPUTERNAME%\scanuser_d:(OI)(CI)M"
      net share ScansD=C:\ScansD /GRANT:scanuser_d,CHANGE
  • Network profile and firewall (Private profile):
    • Settings > Network & internet > your adapter > Network profile = Private.
    • Enable file sharing rules:
      netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  • Services/port check:
    • sc.exe query LanmanServer (STATE should be RUNNING)
    • netstat -ano | find ":445" (should show LISTENING)
  • Keep the PC awake while testing (no sleep).
2) Test the share from another device
  • Win+R → \\PATRE-DESKTOP\ScansD and also \\<PATRE-Desktop-IP>\ScansD
  • When prompted, use: PATRE-DESKTOP\scanuser_d + the password.
  • Create a test file. If this works, credentials and share are good.
3) Program the Canon (Remote UI)
  • Remote UI (http://PRINTER_IP) > Address Book > Register New Destination > Type: File.
  • Protocol: Windows (SMB).
  • Use the PC’s IP, not the name:
    • Host Name: <PATRE-Desktop-IP>
    • Folder Path: ScansD (not C:\ScansD)
    • User Name: PATRE-DESKTOP\scanuser_d
    • Password: (as set above)
  • Network settings on printer: Settings/Registration > Network Settings > SMB Client Settings:
    • SMB version: Auto (ensure SMB2/SMB3 are enabled)
    • Authentication: NTLMv2
4) If 801 persists
  • If the scan fails immediately, it’s still a connectivity/name issue. Verify you can ping the PC’s IP from another device, and that the PC isn’t sleeping. Stick with the IP (not the hostname) in the Canon entry.
  • Check Windows Security log at the scan time:
    • If there is NO Event ID 4625, the printer never reached the PC (firewall/route/name). Re‑check step 1 and use the IP.
    • If you do see 4625, the error becomes an auth failure (that’s Error 806); in that case fix username/password or share rights.
If you want, post:
  • The exact Host Name, Folder Path, and User Name you entered for PATRE‑Desktop,
  • The PC’s IP, and
  • The output of: Get-SmbShare -Name ScansD; Get-SmbShareAccess -Name ScansD; icacls C:\ScansD
    and I’ll spot the one field to change.
 

If I pause protection in Kaspersky Internet Security it works successfully.

What settings do I need to change in Kaspersky Internet Security?
 

Why it works when Kaspersky is paused

Your Canon scans via SMB (TCP 445) to the PC. Kaspersky Internet Security (KIS) is blocking the inbound SMB connection on the PC that hosts the share. You need to allow SMB from the printer, or mark your LAN/printer as trusted.
Do this on the PC that has the shared folder
Option A — Easiest: mark LAN/printer as Trusted
  • Kaspersky > Settings (gear) > Protection > Firewall.
  • Networks (or Manage networks):
    • Set your home network to Trusted.
  • Settings > Network settings > Trusted addresses:
    • Add the printer’s IP (e.g., 192.168.1.50). Save.
  • Test the scan.
Option B — Explicit firewall rule for SMB from the printer
  • Kaspersky > Settings > Protection > Firewall > Configure rules (Packet rules).
  • Add rule:
    • Action: Allow
    • Direction: Incoming
    • Protocol: TCP
    • Local ports: 445 (add 139 as well if you like)
    • Remote address: printer’s IP only (e.g., 192.168.1.50)
    • Network: Local/Trusted
  • Move this rule above any generic “Block incoming” rules. Apply and test.
Option C — Keep KIS AV, use Windows Firewall for LAN
  • In Kaspersky > Protection, turn off only Firewall (leave AV on).
  • In Windows Firewall, ensure “File and Printer Sharing” rules are enabled for Private.
  • Test. If this works, you can stay with Windows Firewall for LAN traffic.
If it still fails
  • In Kaspersky > Reports, filter by Firewall; you’ll see the exact block event (port, IP, app). Click “Create rule” or re‑create the allow rule using the shown details.
  • Also check Intrusion Prevention/Application Control:
    • Application rules > System group > “Windows Operating System” → make sure network activity isn’t blocked for Trusted networks.
Quick checklist
  • Use the printer’s IP in the Canon address book.
  • Share path is Scans (not C:\Scans) and user is PCNAME\scanuser.
  • PC is awake; network profile is Private.
If you tell me your Kaspersky build (e.g., 21.3.x) and share a screenshot of the Firewall screen, I’ll give the exact clicks for that UI.
 

Issue is resolved.

Thank you ChatGPT!
 

Following the in-line repair of Windows 11.

Scanning fails with error #801
 

Happy to hear that — glad it’s working!
A few quick follow‑ups you might find helpful (optional):
  • If you created local scan accounts (scanuser), consider changing the password to something strong and store it securely.
  • When not scanning, you can disable the share (net share Scans /delete) or tighten share permissions.
  • Keep Kaspersky rules scoped to the printer IP (allow only that address → port 445) rather than opening SMB to the whole LAN.
  • Save the working Canon Remote UI settings (Host = PC IP, Folder = Scans, Username = PCNAME\scanuser) so you can restore them if needed.
If you want, I can:
  • Draft a moderator request to redact your real name from the thread, or
  • Provide the exact Kaspersky firewall rule steps for your version, or
  • Walk through securing/removing the temporary scan account.
Anything else I can do before you close this out?
 

Thanks — that’s clear enough to move forward. Error 801 commonly means the scanner/MFP cannot reach or open the network share on the PC (i.e. “cannot connect to the file server”). That matches what I’ve seen after an in‑place repair of Windows 11 because such repairs often reset the network profile, firewall rules, SMB settings or share permissions.
I’ll give a short checklist you can follow now (fast checks first), then a recommended, safe script (copy/paste) to create a dedicated scan share + account and open the firewall rules. If you prefer I can walk you through each step interactively.
Quick checklist — try these first
  1. Confirm the target: are you scanning to a network folder on your PC (Scan to Folder / SMB)? Which model MFP/printer is it? (If not SMB, tell me how you scan — to email, to PC client, etc.)
  2. From the PC, confirm the server service and listening port:
    • Run in an elevated PowerShell / CMD:
      sc.exe query LanmanServer
      netstat -ano | findstr ":445"
      If LanmanServer is not RUNNING or you don’t see port 445 LISTENING, the MFP can’t reach the SMB share.
  3. Check the network profile and firewall:
    • Settings → Network & internet → your adapter → Network profile = Private
    • Ensure File and Printer Sharing rules are enabled:
      netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  4. Confirm the UNC you configured on the MFP is correct:
    • Use \\PC-NAME\ScansD or \\192.168.x.y\ScansD (use the PC’s LAN IP for testing to avoid name resolution problems).
  5. Test access from another machine (or the PC itself) using the same SMB creds your MFP uses:
    • From CMD (run elevated): net use \\PCNAME\ScansD /user:PCNAME\scanuser_d <password>
    • If that fails note the error (permission, path not found, network path not found).
  6. Make sure the PC isn’t sleeping and that the share folder exists and has correct NTFS + Share permissions for the account the MFP uses.
One-click safe fix (PowerShell, run as Administrator)
This creates a dedicated folder C:\ScansD, creates a local scan user, grants NTFS + share permissions and enables the File & Printer Sharing firewall rules. It’s reversible and a standard, secure approach for MFPs.
Important: run this in an elevated PowerShell window. You’ll be prompted for a password for the scan user.
Copy/paste-run (Admin PowerShell)
(If you prefer the one-line net commands instead I can list those — this PowerShell is more robust.)
Code:
# Run as Administrator

# 1) Create scan folder
$ScanFolder = 'C:\ScansD'
New-Item -Path $ScanFolder -ItemType Directory -Force | Out-Null

# 2) Create local scan account (you will be prompted for password)
$scanUser = 'scanuser_d'
Write-Host "Enter password for local user $scanUser"
$pass = Read-Host -AsSecureString "Password"
if (-not (Get-LocalUser -Name $scanUser -ErrorAction SilentlyContinue)) {
  New-LocalUser -Name $scanUser -Password $pass -FullName "Scanner User" -Description "Account for MFP scan to folder" -PasswordNeverExpires:$false
  Add-LocalGroupMember -Group 'Users' -Member $scanUser
  Write-Host "Created local user $scanUser"
} else {
  Write-Host "Local user $scanUser already exists — skipping creation."
}

# 3) Set NTFS permissions (Modify for the scan user)
$acct = "$env:COMPUTERNAME\$scanUser"
$acl = Get-Acl -Path $ScanFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($acct,'Modify','ContainerInherit, ObjectInherit','None','Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $ScanFolder -AclObject $acl
Write-Host "Set NTFS Modify permission for $acct on $ScanFolder"

# 4) Create share and grant Change/Full as needed
if (-not (Get-SmbShare -Name 'ScansD' -ErrorAction SilentlyContinue)) {
  New-SmbShare -Name 'ScansD' -Path $ScanFolder -FullAccess $acct
  # Optionally limit share perms to change only:
  Grant-SmbShareAccess -Name 'ScansD' -AccountName $acct -AccessRight Change -Force
  Write-Host "Created SMB share \\$env:COMPUTERNAME\ScansD and granted access to $acct"
} else {
  Write-Host "SMB share 'ScansD' already exists."
}

# 5) Ensure Server service is running
Start-Service -Name LanmanServer -ErrorAction SilentlyContinue
sc.exe query LanmanServer | Out-Host

# 6) Allow File and Printer Sharing through the firewall (Private profile)
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

# 7) Helpful tests for you to run from the MFP or another PC:
Write-Host "`nTest suggestions:"
Write-Host " - UNC to configure on MFP: \\$env:COMPUTERNAME\ScansD"
Write-Host " - Or use the PC IP: \\<PC-IP>\ScansD (run ipconfig to get IP)"
Write-Host " - Try from another PC: net use \\$env:COMPUTERNAME\ScansD /user:$env:COMPUTERNAME\$scanUser <password>"
Write-Host "`nScript complete. If you want the user removed later run: Remove-LocalUser -Name $scanUser"
How to configure the MFP (typical)
  • In the MFP control panel or web UI choose “Scan to Folder (SMB)”.
  • Folder path (UNC): \\PC-NAME\ScansD or \\192.168.x.y\ScansD
  • Username: PC-NAME\scanuser_d (some MFPs want just scanuser_d; try PC\username if the first fails)
  • Password: the password you entered above
  • Domain/Workgroup: leave blank or use the PC name/workgroup value if required
Diagnostic commands to gather and paste (if it still fails)
If the scan still fails after applying the fix, paste the outputs of these three commands (run in elevated PowerShell / CMD) and I’ll interpret them:
  • sc.exe query LanmanServer
  • netstat -ano | findstr ":445"
  • net use \\PCNAME\ScansD /user:PCNAME\scanuser_d <password> (replace PCNAME and password with actual values; you can obfuscate password if you want)
Also useful:
  • ipconfig /all (to show PC IP)
  • Test-NetConnection -ComputerName <PC-IP> -Port 445
Common gotchas and notes
  • Name resolution: printers sometimes don’t resolve PC names. Using the PC’s IP address in the UNC avoids this problem.
  • Firewall: Windows Reset or in-place repair often reverts firewall rules — enabling the File & Printer Sharing rule is required.
  • Sleep/Power: If the PC sleeps, the MFP cannot reach it. Set power plan to prevent sleeping when sharing.
  • Credentials on the MFP must match a local account on the PC (not a Microsoft account). Use a local account or create a local password for your Microsoft account by creating a local user as above.
  • SMB versions: modern Windows uses SMB2/3; you shouldn’t need SMB1. Avoid enabling SMB1 for security reasons.
If you want me to do this for you
  • I can provide the exact one‑line net commands instead of the PowerShell script if you prefer CMD.
  • Or, paste the model of your MFP and the current UNC you configured (and whether you used a username), and I’ll give the exact values to enter on the MFP.
If you prefer to stop now, that’s fine — when you come back paste the outputs of the diagnostic commands above and I’ll pick up where we left off.
 

I checked Event Viewer:

"The specified account's password has expired"

screenshot_27.webp
 

Thanks — that Event 4625 entry is the key. The security log is telling you the account named "Scanner" is trying to authenticate and failing because its password has expired (Failure Reason: The specified account's password has expired). That explains why whatever component using that account (service / scheduled task / scanner-to‑share, etc.) can't start or authenticate.
What to do (step‑by‑step)
1) Confirm the event
  • In Event Viewer open Windows Logs → Security and find the 4625 entry you captured. Note the Account Name (Scanner), Failure Reason (password expired) and the Status/SubStatus codes (your screenshot shows the expired password code). This confirms the account itself needs a password change or to be removed as the logon identity.
2) Find where the “Scanner” account is being used
Run these PowerShell commands as Administrator to quickly locate services / scheduled tasks that run as that account:
  • Services:
    Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like '*Scanner*' } |
    Select Name,DisplayName,StartName
  • Scheduled Tasks:
    Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like '*Scanner*' } |
    Select TaskName,TaskPath,@{Name='User';Expression={$_.Principal.UserId}}
  • Registry (services stored in registry):
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { Get-ItemProperty $_.PsPath } |
    Where-Object { $_.ObjectName -like '*Scanner*' } |
    Select PSChildName,ObjectName
If any of those return entries, you’ve found the place that’s trying to use the expired account.
3) Is “Scanner” a local account or a domain account?
  • If the PC is domain‑joined, “Scanner” may be a domain account — its password must be reset in Active Directory (contact your AD admin or use ADUC).
  • If it’s a local account, reset the password locally (see step 4).
If you’re not sure whether the machine is domain‑joined, run:
(Get-WmiObject Win32_ComputerSystem).PartOfDomain
4) Fix the expired password
  • Local account (Windows Pro/Home):
    • GUI: Computer Management → Local Users and Groups → Users → right‑click Scanner → Set Password… (or check “Password never expires” if appropriate).
    • PowerShell (Admin) to set a new password and disable expiry:
      $pw = ConvertTo-SecureString 'NewP@ssw0rd!' -AsPlainText -Force
      Set-LocalUser -Name 'Scanner' -Password $pw
      Set-LocalUser -Name 'Scanner' -PasswordNeverExpires $true
  • Domain account:
    • Reset the password in Active Directory (ADUC) or ask your domain admin. If this account is used for a service, consider marking it as “Password never expires” only after evaluating security implications, or better use a Managed Service Account / gMSA.
5) Update the service / task / device with the new password and restart it
  • Services: open services.msc → find the service (for Defender ATP the service name is “Microsoft Defender Advanced Threat Protection Service” / service name Sense) → right‑click Properties → Log On tab → enter the updated account/password (or change it back to Local System if it was incorrectly set to Scanner) → OK → Restart the service.
    • Quick check of a service’s account: sc.exe qc Sense
    • If the Defender service was changed to run under Scanner by mistake, set it to Local System via Services GUI (recommended) and restart.
  • Scheduled Tasks: open Task Scheduler, find tasks that use Scanner, right‑click → Properties → Change User or Group → re-enter credentials / update password → Save.
  • Network devices (e.g., a multifunction printer scanning to a share): update the stored credentials on the device (Remote UI / Address Book entry) to the new password. If this is the scanner scenario, Event 4625 is commonly used to diagnose failed scans to a Windows share — the same troubleshooting steps apply.
6) Test and verify
  • After updating the password, restart the affected service or task and check:
    • Services: service status shows Running
    • Event Viewer: no new 4625 entries for Scanner
    • If it’s a scanner-to-share, attempt a scan and confirm no 4625 failure at that time.
7) If you don’t want passwords to expire for a service account
  • Prefer managed service accounts (gMSA) for services because they handle password rotation automatically.
  • As a quick measure you can set “Password never expires” for the account, but that has security tradeoffs — only do that if allowed by your security policy.
Extra notes / common pitfalls
  • Don’t change a service logon account to a normal user account unless you understand the rights required — services often need specific privileges. If unsure, services like Defender should run as Local System/Service accounts by default.
  • If the account is domain‑managed, resetting it locally won’t help — must reset in AD.
  • After changing credentials, some apps cache old credentials (Credential Manager) — remove stale entries if you still see failures.
Tell me:
  • Is this PC domain‑joined or standalone?
  • Paste the exact output of one 4625 entry (Account Name, Failure Reason, Status/SubStatus) or confirm the screenshot details.
  • If you want, paste the outputs of the PowerShell commands above and I’ll point exactly which service/task needs the credential fix and give the exact command to restart it safely.
I can walk you through any of the steps or review the PowerShell outputs you get.
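
The Event ID 4625 triage used in this thread (no 4625 means the printer never reached the PC, a 4625 means an authentication failure whose Status/SubStatus gives the cause), as an added example that is not part of the original posts. The account name Scanner and the address 192.168.1.50 are the thread's own example values, the event XML is constructed, and the function names are hypothetical.

```powershell
# Added example, not from the thread: decode Event ID 4625 logon failures.
# NTSTATUS values as they appear in the Status / SubStatus fields of 4625.
$NtStatus = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'wrong password'
    '0xC000006D' = 'bad user name or password'
    '0xC0000071' = 'password has expired'
    '0xC0000072' = 'account is disabled'
    '0xC0000193' = 'account has expired'
    '0xC0000224' = 'password must be changed at next logon'
    '0xC0000234' = 'account is locked out'
}

function ConvertFrom-Failed4625 {
    param([Parameter(Mandatory)][xml]$EventXml)

    # Flatten the <Data Name="...">value</Data> pairs into a hashtable.
    $data = @{}
    foreach ($node in $EventXml.Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }

    # SubStatus is the specific cause; fall back to Status when it is 0x0 or unmapped.
    $code = $data['SubStatus']
    if (-not $NtStatus.ContainsKey([string]$code)) { $code = $data['Status'] }
    $reason = if ($NtStatus.ContainsKey([string]$code)) { $NtStatus[$code] }
              else { "unmapped code $code" }

    [pscustomobject]@{
        Account   = $data['TargetUserName']
        SourceIp  = $data['IpAddress']
        LogonType = $data['LogonType']   # 3 = network logon (SMB)
        Code      = $code
        Reason    = $reason
    }
}

function Get-ScanLogonFailure {
    # Reads the live Security log; needs an elevated prompt.
    param([string]$Account = 'Scanner', [int]$Minutes = 15)
    $filter = @{ LogName = 'Security'; Id = 4625
                 StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Failed4625 -EventXml $_.ToXml() } |
        Where-Object { $_.Account -eq $Account }
}

# Constructed sample event (trimmed to the fields used above).
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">Scanner</Data>
    <Data Name="Status">0xc0000071</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.168.1.50</Data>
  </EventData>
</Event>
'@
ConvertFrom-Failed4625 -EventXml $SampleXml | Format-List

# Live triage: run from an elevated prompt right after a failed scan.
$hits = @(Get-ScanLogonFailure -Account 'Scanner' -Minutes 15)
if ($hits.Count -eq 0) {
    'No 4625 for this account: the printer never reached the PC (firewall, IP, sleep).'
} else {
    $hits | Format-Table -AutoSize
}
```

Run without elevation, the live query returns nothing because the Security log is unreadable, so an empty result only indicates a connectivity problem when the prompt is elevated.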
 

I just fixed it myself by changing the password with net user and changing the password in the Canon remote UI.

Completed test scan.

Everything working fine now.

I'm starting to learn how to do things myself thanks to you ChatGPT.
 

Nice work — glad you got it fixed and that the test scan succeeded, well done!
A few quick follow-ups and tips now that it’s resolved
  • Good call changing the local password with net user and updating the Canon Remote UI — Event ID 4625 failures like that are almost always an expired/incorrect credential and updating the account on both ends fixes it.
  • If “Scanner” is a local account you created for the printer, consider documenting the password or storing it in a password manager so it doesn’t catch you out later.
  • If this account is used by other devices/services, update those credentials too (or check for more 4625 entries in Event Viewer).
  • Avoid setting “Password never expires” unless your security policy allows it; a better long‑term option for services in a domain is a managed service account (gMSA) so passwords rotate safely.
  • If you want, I can show you how to:
    • Search Event Viewer for any remaining 4625 entries,
    • Replace the local account with a less-privileged dedicated account, or
    • Create a gMSA (if you’re on a domain).
Happy to walk through any of that — or just celebrate the success. Keep it up!
 

Time to unplug and relax!
 

Nice work, Distorted Vision — you fixed it cleanly. Enjoy your unplugged time!
If you want next time, I can:
  • show a quick Event Viewer filter for remaining 4625s,
  • help store the scanner password securely (password manager / Credential Manager), or
  • walk through replacing the account with a less‑privileged one or a gMSA (if on a domain).
Relax — I’m here when you need more help.
 
