Windows Defender Service Missing; Security at a glance page is Empty

In the aftermath of malware infection, when you open the Services MMC on a Windows 10 computer, you may find that the Windows Defender (“Microsoft Defender Antivirus Service”) service is missing.

Running the command sc query windefend to query the status of the Microsoft Defender Antivirus Service would show this error:

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

The Windows Security settings “Security at a glance” page may show up empty as in the following screenshot.

Or else, the Security at a glance may show all the settings but may indicate to the user that Virus & threat protection is stopped. When attempting to restart the service, you may get the following error:

Unexpected error. Sorry, we ran into a problem. Please try again.

The Security providers page would indicate there are no Antivirus and Firewall providers installed on the computer.

In some cases, the providers would be listed normally, but it would indicate that the Microsoft Defender Antivirus is turned off.

Cause

The above symptoms are caused if the Microsoft Defender Antivirus Service (short name: WinDefend) has been deleted from your computer — most probably by malware or rootkit. Another possibility is that the Windows Security Service (short name: SecurityHealthService) is disabled or not running currently.

In the latter case, the Security providers and the Security at a glance page would show up empty even if the Microsoft Defender Antivirus Service registration is intact.

Resolution

To fix the problem, set the Windows Security Service to Manual start. And then, restore the Windows Defender service if it’s missing from the computer.

Step 1: Start the Windows Security Service

1. Start the Registry Editor (regedit.exe)
2. Go to the following location:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService

3. Double-click Start and set its data to 3
4. Exit the Registry Editor.
5. Restart Windows.

Step 2: Restore the Windows Defender Service

Open the Services MMC (services.msc) and see if Microsoft Defender Antivirus Service is present or not. Alternatively, you can run the command sc query windefend from Command Prompt to query the Microsoft Defender Antivirus Service.

If the Windows Defender (“Microsoft Defender Antivirus Service”) is missing, to restore it back, you have two options:

1. Run a thorough scan (especially Rootkits scanning) using Malwarebytes and then reinstate the Windows Defender service registry entries.  (or)
2. Repair your Windows 10 installation by running an in-place upgrade with the slipstreamed Windows 10 setup media. Repairing Windows would restore the missing services.

In this article, we’ll see how to reinstate the Windows Defender service registration manually. After scanning and removing every bit of malware from your computer and getting the clean bill of health, the next step is to import the Windows Defender service registry keys.

Windows Defender service registry keys restoration

1. Download windefend-service.zip and save it to the desktop.
   Important: The registry file and the screenshots below are from a Windows 10 v2004 system. If you have a different build of Windows 10, then it’s ideal to get the Windows Defender service’s registry export from a computer running the same Windows 10 build or version.
2. Start regedit.exe under Trusted Installer rights. For more information on how to do that, see the article How to Run Programs as TrustedInstaller to Write to Certain Registry Keys or Files
3. In the Registry Editor window, import the windefend-service.reg file via the File menu.
4. Press F5 to refresh the Registry Editor window.
5. Go to the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend

6. In the right-pane, double-click ImagePath and adjust the path to MsMpEng.exe. The path varies depending upon the version of the Windows Defender platform update version installed. For example, here’s the correct path in my system:

   "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MsMpEng.exe"

   You can find the correct path by opening the parent folder (“Platform”) using File Explorer. Then, note down the most recent (and the highest version numbered) subfolder in that folder.

   

7. After fixing the ImagePath value, exit the Registry Editor.
8. Restart Windows.

Windows Defender service should be functional now. Open the Windows Security settings pages (“security at a glance”, “security providers”, “virus & threat protection”) pages to verify if the threat protection is enabled.

Step 3: Verify Windows Defender Service permissions

After you reinstate the Microsoft Defender Antivirus Service registry keys, you may verify the Defender service permissions by running the following command from an elevated Command Prompt.

sc sdshow windefend

The service permission DACL entries (SDDL) should look like this:

D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)

(In the above case, the SDDL settings are from a Windows 10 v2004 computer.)

The above SDDL means the following service permission levels:

  [0] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
	SERVICE_QUERY_STATUS
	SERVICE_QUERY_CONFIG
	SERVICE_INTERROGATE
	SERVICE_ENUMERATE_DEPENDENTS
	SERVICE_START
	SERVICE_USER_DEFINED_CONTROL
	READ_CONTROL
  [1] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
	SERVICE_QUERY_STATUS
	SERVICE_QUERY_CONFIG
	SERVICE_INTERROGATE
	SERVICE_ENUMERATE_DEPENDENTS
	SERVICE_START
	SERVICE_USER_DEFINED_CONTROL
	READ_CONTROL
	WRITE_DAC
  [2] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
	SERVICE_QUERY_STATUS
	SERVICE_QUERY_CONFIG
	SERVICE_INTERROGATE
	SERVICE_ENUMERATE_DEPENDENTS
	SERVICE_START
	SERVICE_USER_DEFINED_CONTROL
	READ_CONTROL
  [3] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\INTERACTIVE
	SERVICE_QUERY_STATUS
	SERVICE_QUERY_CONFIG
	SERVICE_INTERROGATE
	SERVICE_ENUMERATE_DEPENDENTS
	SERVICE_START
	SERVICE_USER_DEFINED_CONTROL
	READ_CONTROL
  [4] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SERVICE
	SERVICE_QUERY_STATUS
	SERVICE_QUERY_CONFIG
	SERVICE_INTERROGATE
	SERVICE_ENUMERATE_DEPENDENTS
	SERVICE_START
	SERVICE_USER_DEFINED_CONTROL
	READ_CONTROL
  [5] ACCESS_ALLOWED_ACE_TYPE: NT SERVICE\TrustedInstaller
	SERVICE_ALL_ACCESS
  [6] ACCESS_ALLOWED_ACE_TYPE: NT SERVICE\WinDefend
	SERVICE_ALL_ACCESS

Hope this article helped you restore the missing Windows Defender service on your Windows 10 computer.