In the aftermath of malware infection, when you open the Services MMC on a Windows 10 computer, you may find that the Windows Defender (“Microsoft Defender Antivirus Service”) service is missing.
Running the command sc query windefend to query the status of the Microsoft Defender Antivirus Service would show this error:
[SC] EnumQueryServicesStatus:OpenService FAILED 1060: The specified service does not exist as an installed service.
The Windows Security settings “Security at a glance” page may show up empty as in the following screenshot.
Or else, the Security at a glance may show all the settings but may indicate to the user that Virus & threat protection is stopped. When attempting to restart the service, you may get the following error:
Unexpected error. Sorry, we ran into a problem. Please try again.
The Security providers page would indicate there are no Antivirus and Firewall providers installed on the computer.
In some cases, the providers would be listed normally, but it would indicate that the Microsoft Defender Antivirus is turned off.
Cause
The above symptoms are caused if the Microsoft Defender Antivirus Service (short name: WinDefend) has been deleted from your computer — most probably by malware or rootkit. Another possibility is that the Windows Security Service (short name: SecurityHealthService) is disabled or not running currently.
In the latter case, the Security providers and the Security at a glance page would show up empty even if the Microsoft Defender Antivirus Service registration is intact.
Resolution
To fix the problem, set the Windows Security Service to Manual start. And then, restore the Windows Defender service if it’s missing from the computer.
Step 1: Start the Windows Security Service
- Start the Registry Editor (
regedit.exe) - Go to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService
- Double-click Start and set its data to
3 - Exit the Registry Editor.
- Restart Windows.
Step 2: Restore the Windows Defender Service
Open the Services MMC (services.msc) and see if Microsoft Defender Antivirus Service is present or not. Alternatively, you can run the command sc query windefend from Command Prompt to query the Microsoft Defender Antivirus Service.
If the Windows Defender (“Microsoft Defender Antivirus Service”) is missing, to restore it back, you have two options:
- Run a thorough scan (especially Rootkits scanning) using Malwarebytes and then reinstate the Windows Defender service registry entries. (or)
- Repair your Windows 10 installation by running an in-place upgrade with the slipstreamed Windows 10 setup media. Repairing Windows would restore the missing services.
In this article, we’ll see how to reinstate the Windows Defender service registration manually. After scanning and removing every bit of malware from your computer and getting the clean bill of health, the next step is to import the Windows Defender service registry keys.
Windows Defender service registry keys restoration
- Download windefend-service.zip and save it to the desktop.
Important: The registry file and the screenshots below are from a Windows 10 v2004 system. If you have a different build of Windows 10, then it’s ideal to get the Windows Defender service’s registry export from a computer running the same Windows 10 build or version.
- Start
regedit.exeunder Trusted Installer rights. For more information on how to do that, see the article How to Run Programs as TrustedInstaller to Write to Certain Registry Keys or Files - In the Registry Editor window, import the
windefend-service.regfile via the File menu. - Press F5 to refresh the Registry Editor window.
- Go to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
- In the right-pane, double-click
ImagePathand adjust the path toMsMpEng.exe. The path varies depending upon the version of the Windows Defender platform update version installed. For example, here’s the correct path in my system:"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MsMpEng.exe"
You can find the correct path by opening the parent folder (“Platform”) using File Explorer. Then, note down the most recent (and the highest version numbered) subfolder in that folder.
- After fixing the
ImagePathvalue, exit the Registry Editor. - Restart Windows.
Windows Defender service should be functional now. Open the Windows Security settings pages (“security at a glance”, “security providers”, “virus & threat protection”) pages to verify if the threat protection is enabled.
Step 3: Verify Windows Defender Service permissions
After you reinstate the Microsoft Defender Antivirus Service registry keys, you may verify the Defender service permissions by running the following command from an elevated Command Prompt.
sc sdshow windefend
The service permission DACL entries (SDDL) should look like this:
D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)
(In the above case, the SDDL settings are from a Windows 10 v2004 computer.)
The above SDDL means the following service permission levels:
[0] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS SERVICE_START SERVICE_USER_DEFINED_CONTROL READ_CONTROL [1] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS SERVICE_START SERVICE_USER_DEFINED_CONTROL READ_CONTROL WRITE_DAC [2] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS SERVICE_START SERVICE_USER_DEFINED_CONTROL READ_CONTROL [3] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\INTERACTIVE SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS SERVICE_START SERVICE_USER_DEFINED_CONTROL READ_CONTROL [4] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SERVICE SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS SERVICE_START SERVICE_USER_DEFINED_CONTROL READ_CONTROL [5] ACCESS_ALLOWED_ACE_TYPE: NT SERVICE\TrustedInstaller SERVICE_ALL_ACCESS [6] ACCESS_ALLOWED_ACE_TYPE: NT SERVICE\WinDefend SERVICE_ALL_ACCESS
Hope this article helped you restore the missing Windows Defender service on your Windows 10 computer.
One small request: If you liked this post, please share this?
One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:- Pin it!
- Share it to your favorite blog + Facebook, Reddit
- Tweet it!
I just would like to say this article helped me to avoid formating my pc, real life saver
my “securityHealthService” does not show in the registry service list.
When I ran (sc sdshow windefend) it shows extra values like this “S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)”
@Marino: those SACL values ( starting with S: ) can remain.
I’m missing WinDefend key in the registry and can’t recreate or import it.
@Kirill: Did you make sure to run regedit.exe under TrustedInstaller rights?
the Imagepath platform folder is empty. what should is do now ?
@Alok:
See if setting this path (in the Regedit) helps:
Thank You so much , it helped me a lot… I read too many articles but finally this article worked.
Our hero! This article saved my PC’s life. I’ve searched lots of solutions for my Windows Defender at a Glace on internet, but none of those solved my problem. Thank you. At a last try I did this solution and totally WORKS!
Wish all best for you!
my windows defender has been blocked so many times as 2013, 2016, 2018, 2020. So, I need help to repair those issues because I unable to accesses internet properly.
The problem I have is that my LC does not have the SecurityHealthService in the Registry.
Also, I somehow got the WindDefend.reg from the internet but there are also not keys in it. Its just empty.