In the aftermath of malware infection, when you open the Services MMC on a Windows 10 computer, you may find that the Windows Defender (“Microsoft Defender Antivirus Service”) service is missing.
Running the command
sc query windefend to query the status of the Microsoft Defender Antivirus Service would show this error:
[SC] EnumQueryServicesStatus:OpenService FAILED 1060: The specified service does not exist as an installed service.
The Windows Security settings “Security at a glance” page may show up empty as in the following screenshot.
Or else, the Security at a glance may show all the settings but may indicate to the user that Virus & threat protection is stopped. When attempting to restart the service, you may get the following error:
Unexpected error. Sorry, we ran into a problem. Please try again.
The Security providers page would indicate there are no Antivirus and Firewall providers installed on the computer.
In some cases, the providers would be listed normally, but it would indicate that the Microsoft Defender Antivirus is turned off.
The above symptoms are caused if the Microsoft Defender Antivirus Service (short name:
WinDefend) has been deleted from your computer — most probably by malware or rootkit. Another possibility is that the Windows Security Service (short name:
SecurityHealthService) is disabled or not running currently.
In the latter case, the Security providers and the Security at a glance page would show up empty even if the Microsoft Defender Antivirus Service registration is intact.
To fix the problem, set the Windows Security Service to Manual start. And then, restore the Windows Defender service if it’s missing from the computer.
Step 1: Start the Windows Security Service
- Start the Registry Editor (
- Go to the following location:
- Double-click Start and set its data to
- Exit the Registry Editor.
- Restart Windows.
Step 2: Restore the Windows Defender Service
Open the Services MMC (
services.msc) and see if Microsoft Defender Antivirus Service is present or not. Alternatively, you can run the command
sc query windefend from Command Prompt to query the Microsoft Defender Antivirus Service.
If the Windows Defender (“Microsoft Defender Antivirus Service”) is missing, to restore it back, you have two options:
- Run a thorough scan (especially Rootkits scanning) using Malwarebytes and then reinstate the Windows Defender service registry entries. (or)
- Repair your Windows 10 installation by running an in-place upgrade with the slipstreamed Windows 10 setup media. Repairing Windows would restore the missing services.
In this article, we’ll see how to reinstate the Windows Defender service registration manually. After scanning and removing every bit of malware from your computer and getting the clean bill of health, the next step is to import the Windows Defender service registry keys.
Windows Defender service registry keys restoration
- Download windefend-service.zip and save it to the desktop.
Important: The registry file and the screenshots below are from a Windows 10 v2004 system. If you have a different build of Windows 10, then it’s ideal to get the Windows Defender service’s registry export from a computer running the same Windows 10 build or version.
regedit.exeunder Trusted Installer rights. For more information on how to do that, see the article How to Run Programs as TrustedInstaller to Write to Certain Registry Keys or Files
- In the Registry Editor window, import the
windefend-service.regfile via the File menu.
- Press F5 to refresh the Registry Editor window.
- Go to the following registry key:
- In the right-pane, double-click
ImagePathand adjust the path to
MsMpEng.exe. The path varies depending upon the version of the Windows Defender platform update version installed. For example, here’s the correct path in my system:
You can find the correct path by opening the parent folder (“Platform”) using File Explorer. Then, note down the most recent (and the highest version numbered) subfolder in that folder.
- After fixing the
ImagePathvalue, exit the Registry Editor.
- Restart Windows.
Windows Defender service should be functional now. Open the Windows Security settings pages (“security at a glance”, “security providers”, “virus & threat protection”) pages to verify if the threat protection is enabled.
Step 3: Verify Windows Defender Service permissions
After you reinstate the Microsoft Defender Antivirus Service registry keys, you may verify the Defender service permissions by running the following command from an elevated Command Prompt.
sc sdshow windefend
The service permission DACL entries (SDDL) should look like this:
(In the above case, the SDDL settings are from a Windows 10 v2004 computer.)
The above SDDL means the following service permission levels:
 ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS SERVICE_START SERVICE_USER_DEFINED_CONTROL READ_CONTROL  ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS SERVICE_START SERVICE_USER_DEFINED_CONTROL READ_CONTROL WRITE_DAC  ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS SERVICE_START SERVICE_USER_DEFINED_CONTROL READ_CONTROL  ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\INTERACTIVE SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS SERVICE_START SERVICE_USER_DEFINED_CONTROL READ_CONTROL  ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SERVICE SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS SERVICE_START SERVICE_USER_DEFINED_CONTROL READ_CONTROL  ACCESS_ALLOWED_ACE_TYPE: NT SERVICE\TrustedInstaller SERVICE_ALL_ACCESS  ACCESS_ALLOWED_ACE_TYPE: NT SERVICE\WinDefend SERVICE_ALL_ACCESS
Hope this article helped you restore the missing Windows Defender service on your Windows 10 computer.
One small request: If you liked this post, please share this?One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
- Pin it!
- Share it to your favorite blog + Facebook, Reddit
- Tweet it!
About the author
Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.