The case of Windows Defender not starting.

Had a client whose machine would not load Windows Defender; each time it was opened it would eventually die during initialization:

Log Name: Application
Source: Application Error
Date: 8/13/2007 4:03:10 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: server1

Description:
Faulting application MSASCui.exe, version 1.1.1505.0, time stamp 0x45ad8d6e, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549d372, exception code 0xc0000005, fault offset 0x000000000002aa74, process id 0x1268, application start time 0x01c7dde39a6e9100.

Since the problem was with initialization, the first thing I did was enable loader snaps and then put the executable under an IFEO.  I didn't see anything jump out from the loader snaps, but when the process was continued (g) in the debugger I did see these errors:
0:000> g
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)


This translates to STATUS_DEVICE_DATA_ERROR, which means the OS couldn't page the code back in from disk because of a disk error (it maps to the Win32 error ERROR_CRC). This is most likely a hardware failure.

I ran chkdsk /r on the c: drive and it was unable to recover the sectors. I ended up having to go to the HDD maker's site and download their utility to scan the hard drive and recover the sectors.  Once done, Defender was happy again.  You're probably asking yourself (all three of you that read this blog): why didn't you see the event below in eventvwr?  I would have looked in the System log and seen it, but unfortunately eventvwr wasn't opening either before I fixed the disk errors.


Log Name: System
Source: disk
Date: 8/13/2007 5:31:43 PM
Event ID: 7
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: server1
Description:
The device, \Device\Harddisk0\DR0, has a bad block.


If you don't have disk errors on the system, another thing you can do is use SFC (/VERIFYFILE) to check the integrity of the files in question. If there are problems, they will be dumped to the CBS.log file under c:\windows\logs\cbs.

SFC [/SCANNOW] [/VERIFYONLY] [/SCANFILE=<file>] [/VERIFYFILE=<file>]
[/OFFWINDIR=<offline windows directory> /OFFBOOTDIR=<offline boot directory>]

/SCANNOW Scans integrity of all protected system files and repairs files with
problems when possible.
/VERIFYONLY Scans integrity of all protected system files. No repair operation is
performed.
/SCANFILE Scans integrity of the referenced file, repairs file if problems are
identified. Specify full path <file>
/VERIFYFILE Verifies the integrity of the file with full path <file>. No repair
operation is performed.
/OFFBOOTDIR For offline repair specify the location of the offline boot directory
/OFFWINDIR For offline repair specify the location of the offline windows directory
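As an added example (not from the original post), here is a PowerShell script that does the event-log check described above before you reach for the debugger: it finds Application Error 1000 records for the faulting process, looks for disk Event ID 7 bad-block records within a window around each crash, and points to chkdsk or sfc /verifyfile accordingly. The parameter names and the 120-minute default window are assumptions for this example (the post's own two events were about 90 minutes apart).

```powershell
# Added example: correlate Application Error 1000 crashes with disk Event ID 7 bad-block
# records, so a hardware cause is ruled in or out first. Run elevated on the affected box
# (or pass -ComputerName). $Process and $WindowMinutes are parameters assumed for this example.
param(
    [string]$Process = 'MSASCui.exe',   # faulting application named in the Event ID 1000 record
    [int]$WindowMinutes = 120,          # how far around each crash to look for disk errors
    [string]$ComputerName = $env:COMPUTERNAME
)

# Application Error / Event ID 1000 records whose message names the process.
$crashes = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*Faulting application $Process*" }

# disk / Event ID 7 ("The device, \Device\HarddiskN\DRn, has a bad block.").
$badBlocks = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'System'; ProviderName = 'disk'; Id = 7
} -ErrorAction SilentlyContinue

if (-not $crashes) { Write-Output "No Event ID 1000 records for $Process."; return }

foreach ($crash in $crashes) {
    $from = $crash.TimeCreated.AddMinutes(-$WindowMinutes)
    $to   = $crash.TimeCreated.AddMinutes($WindowMinutes)
    $near = @($badBlocks | Where-Object { $_.TimeCreated -ge $from -and $_.TimeCreated -le $to })

    # Pull the faulting module (e.g. ntdll.dll) out of the 1000 message for context.
    $module = if ($crash.Message -match 'faulting module (\S+),') { $Matches[1] } else { 'unknown' }

    [pscustomobject]@{
        CrashTime      = $crash.TimeCreated
        FaultingModule = $module
        BadBlockEvents = $near.Count
        Verdict        = if ($near.Count -gt 0) { 'disk errors near crash: run chkdsk /r and the vendor disk diagnostic' }
                         else { 'no disk errors logged: check the file with sfc /verifyfile=<full path>' }
    }
}
```

If eventvwr itself will not open, as happened in the post, the same cmdlet calls still work from a PowerShell prompt because Get-WinEvent reads the event logs directly.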



Comments

  • Anonymous
    August 16, 2007
    I'm sure there are more than 3 persons reading this blog, so keep it going Brad! Many greetings from Germany, Christian