Windows defender: «Threat service has stopped»

It does not restart.. but I do not use any antivirus. How can I solve this

Moved from Windows

Some users might be experiencing a glitch with starting the Threat Service (Windows Defender Antimalware Service) that was apparently delivered on Patch Tuesday. The first thing to try would be manually restarting the PC lots of times, with a break between the restarts (Start button > Power > Restart), as described by Le Boule in this thread:

This issue might also be related to the known glitch where the Security Center Service needs to be restarted in order to get Windows Defender up and running – so try this:

• Manually restart the Security Center, and then attempt to start the Windows Defender Antivirus Service:

1. Press Win Key + R

2. Type “services.msc” and click OK.

3. Right-click on Security Center and click Restart

3. Right-click on the Windows Defender Antivirus Service and click Start.

If that doesn’t work, t hen you should follow these general troubleshooting steps:

• Remove any undetected malware by scanning with several third-party malware-removal apps, starting with Malwarebytes Free:

• Run the cleanup tools for any previously installed or preinstalled AV apps:

• Run the standard Windows 10 system integrity checks:

If the above steps fail to start the Windows Defender Antivirus Service, then you can try the steps provided here:

I hadn’t noticed that PrashantKumar96 actually advised setting DisableAntiSpyware = 0 in this forum article. Before you do that, you should always try just deleting any possible entry for DisableAntiSpyware = 1, since that setting might have been added by another program or by malware – and that setting will always prevent Windows Defender from starting. For the sake of both ease and safety, this should be done with a REG command.

Type “cmd” in the search box; and then right-click on Command Prompt and select Run as administrator .

And then copy, paste, and enter this command:

REG DELETE «HKLM\SOFTWARE\Policies\Microsoft\Windows Defender» /v DisableAntiSpyware

This is the proper way to enable Windows Defender when it’s been turned off via Group Policy.

We can see that there’s a general confusion with respect to this Group Policy setting by the way that Brink equivocates deleting the DisableAntiSpyware entry with setting its value to 0.

DisableAntiSpyware DWORD

(delete) or 0 = On
1 = Off

But this setting actually uses a three-state logic, where the absence of the setting specifies the normal Automatic Disabled compatibility mode for Windows Defender. Setting DisableAntiSpyware = 0 sets Windows Defender’s operational state to “always on” [DisableAntiSpyware = 0 (logical “no/never”)], whereas [DisableAntiSpyware = 1 (logical “yes/always”)] sets Defender’s operational state to “always off”; and where removing the DisableAntispyware registry entry simply returns Defender to its default operational state – where Defender will be automatically disabled by the installation of any third-party AV app, and automatically enabled when a third-party AV app is uninstalled.

As the «method of last resort», you can set the Group Policy for Windows Defender to its “always on” mode:

Type “cmd” in the search box; and then right-click on Command Prompt and select Run as administrator.

And then copy, paste, and enter this command:

REG ADD «HKLM\SOFTWARE\Policies\Microsoft\Windows Defender» /v DisableAntiSpyware /t REG_DWORD /d 0 /f

Then click the Restart button (it might be necessary to restart the PC first).

If this doesn’t work, then you should remove this setting with the REG DELETE command provided above. Note that this REG ADD command is just the safe and easy way to perform the registry edit that was described in the answer to this thread:

No internet-connected PC is safe when it’s running without real-time protection. So if you’re not able to restart the Windows Defender Antivirus Service, then the best course of action would be to just temporarily install a free third-party AV solution until we can get a handle on things. Replacing Defender with a third-party AV app should at least provide you with a viable alternative for Defender’s real-time protection, and thus let you safely connect to the internet:

Problems starting Windows Defender in Windows 8/8.1/10

Technical Level : Intermediate

Summary
Windows Defender in Windows 8/8.1/10 sometimes do not start automatically and may report an error when started manually. This wiki describes some methods that can be used to fix the problem.

Sometimes, due to various factors, Windows Defender do not start automatically when Windows starts and when Windows Defender is started manually via Action Center it may display an error code. Factors contributing to these issues may include malware infection, software conflicts (possibly with another antivirus program), corrupted registry, etc.

When you encounter these problems, here are some things you can try:

1. Restart your PC

Many times the issue is resolved by simple restart.

2. Remove existing antivirus and antispyware software

If your PC still has another antivirus installed or if one was installed previously then you should use appropriate removal tool to remove all third party antivirus and antispyware programs. You can download removal tools from here:

3. Scan your PC for malwares

This wiki lists out some malware scanners recommended here:

4. SFC scan

System File Checker (SFC) tool repairs corruption in system files. Use this tool to verify whether Windows Defender is corrupted or not. Follow this KB article:

5. Clean Boot

Start your PC in clean boot status to ensure any 3rd party application is not conflicting with Windows Defender. Here is a support article that will help you:

6. Restart Security Center Service

As reported in this and this thread, restarting Security Center service can help in solving the problem. To restart Security Center service, follow these steps:

1. Press Windows key + R. This will open Run. Alternatively, you can go to Start and search for ‘Run’.
2. In Run dialog box, type ‘services.msc‘ and hit enter.
3. In Services, search for ‘Security Center‘.
4. Right click on ‘Security Center’ and click on ‘Restart‘.

7. Delete conflicting Registry Entry

Some malwares adds malicious entries in registry that blocks real antiviruses from running. To remove these entries, follow these steps:

1. Press Windows key + R. This will open Run. Alternatively, you can go to Start and search for ‘Run’.
2. In Run dialog box, type ‘regedit‘ and hit enter. This will open Registry Editor.
3. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
4. In this key, if you find any entry for MSASCui.exe, MpCmdRun.exe or MsMpEng.exe then right click on it and click on Delete. If you do not find any of these entry then it is normal and you don’t need to do anything.

8. Enabling Windows Defender from Group Policy

Important: You must proceed with this step only after trying all the steps mentioned above.

If you are facing an error like «This app is turned off by Group Policy» then Windows Defender can be manually enabled via registry. Windows Defender is disabled by Windows if it detects presence of another antivirus. Therefore, before enabling it manually, it must be ensured that there are no conflicting softwares and system is not infected. To enable Windows Defender manually, follow these steps:

1. Press Windows key + R. This will open Run. Alternatively, you can go to Start and search for ‘Run’.
2. In Run dialog box, type ‘regedit‘ and hit enter. This will open Registry Editor.
3. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender.
4. If you see a registry entry named DisableAntiSpyware, then change its value to 0. If you don’t find this registry key then add this it. To do that, right click on Windows Defender key and go to New > DWORD. Give this DWORD name ‘DisableAntiSpyware‘ and value 0. Registry will then look like this:

If these steps doesn’t solve your problem, please post a question in Virus and Malware forum with as much details as you can give and results of all the methods you have tried.

Temporarily Stop All Microsoft Windows Defender Processes In Windows 10

I’m running a huge sync job and Microsoft Windows Defender is hogging a ton of memory and creating a lot of disk I/O requests on my drive as well.

I know how to disable Windows Defender but I do not want to reboot my PC while this sync in going on to disable it. I also turned off real-time protection but that did not accomplish freeing the memory up like I expected. I really just need to stop the MsMpEng.exe application.

Is it possible to temporarily stop Windows Defender application and then start it again without needing to reboot the PC?

1 Answer 1

A Step-by-Step Guide to Temporarily Disabling Windows Defender and then Re-Enabling it on Windows 10

Initial One-Time Setup #1 — #4 per PC

1. Make a Windows Defender Folder Exclusion

First to start, create a new folder on your «C» drive or somewhere you can access and name it DefenderExclusions.

Press the Windows Key one time, start typing «Windows Defender» and click it once you see it.

From Windows Defender click on Settings

Go to Windows Defender and in the Exclusions area click the «Add an exclusion option»

• Click the «Exclude a folder» option

• Select the DefenderExclusions folder location you created above when the Select Folder window opens and then select the «Exclude this folder» option

Download the NoDefender App and it should save as a zip file named NoDefender.zip.

Open the NoDefender.zip file and then right-click and select Copy on the file within it named NoDefender.exe

Go to the DefenderExclusions folder location you created and setup the Windows Defender Exclusion, right-click and then paste to save the NoDefender.exe into this folder.

3. Create Disable Defender Script

• Save the below logic to a text document in the DefenderExclusions and name it to DisableDefender.cmd

DisableDefender.cmd Script

4. Create Enable Defender Script

• Save the below logic to a text document in the DefenderExclusions and name it to EnableDefender.cmd

EnableDefender.cmd Script

Disabling Windows Defender

Double-click the DisableDefender.cmd batch file saved in the DefenderExclusions location setup previously.

When Windows Defender opens, click on the Settings option and be sure the Windows Defender option is selected on the left.

Turn offReal-Time Protection, Cloud-based Protection, and the Automatic sample submission options.

It is expected to see the warning message pop up in the lower right-hand corner of the task bar indicating that Spyware and unwanted software protection may be disabled with the red X.

You will notice the Windows Defender app screen is more red than green now, the PC Status: At risk is showing, and the Real-time protection is off; just minimize that window for now.

Double-click the NoDefender.exe file previously saved in the DefenderExclusions location. If the User Account Control message pops up select the Yes option to run it

Select Next in the NoDefender app window

Select Next again in the NoDefender app window

Click on the Disable Window Defender option in the NoDefender app window and then select the Next option.

You should then see the NoDefender app window saying it’s Done and that Window Defender should be disabled, select the Exit option.

Now if you go back to the Windows Defender app window, you should notice that the Virus and spyware definitions with an Out of date status

Now it is time to run the process(es) or whatever that needs to run with Windows Defender being disabled. Let everything finish and then once you are ready to re-enable Windows Defender, follow the Enabling Windows Defender section below.

Enabling Windows Defender

Double-click the EnableDefender.cmd batch file saved in the DefenderExclusions location setup previously and give it a few seconds to finish and pop up the Windows Defender app window.

When the Windows Defender app window opens you should notice the Real-time protection is On and the Virus and spyware definitions have a value of Up to date now.

You want to select the Settings option from the Windows Defender app window again.

Turn On Real-Time Protection, Cloud-based Protection, and the Automatic sample submission options.

Now Windows Defender is re-enabled again.

As per the comment:

The point of this question was to actually start the application over again causing it to release it’s hold on all the memory it has consumed. I have used registry entries that will stop the WD application from running but that requires a reboot. I disable WD (real-time protection) by just going into settings and turning off real-time protection. If real-time protection is off WD is disabled, if MsMpEng.exe is not running, WD is stopped. – Arvo Bowen

Testing Results of MsMpEng.exe Before and After Running the Process

Below is a screen shot of the results of the command line of tasklist | FIND /I «ms» which shows whether or not the MsMpEng.exe process is running in memory. This process appears to kill the process from memory when it’s disabled, and it appears to have it start back up and running in memory when it’s enabled.

As per the comment:

OK so following these steps SOME of the results are true. 1) When I click the «Disable Windows Defender» button, WD has two messages (real-time and Antivirus protection) is turned off. After two seconds the Antivirus message disappears and only the real-time is left. Also, Virus and spyware definitions still show up to date (green check). – Arvo Bowen