Cannot be restored error code 0x80508014

MS Security Essentials detected a false positive during its scheduled scan and it automatically quarantined the item, and every time I try to restore the item from quarantine I get the following error: 0x80508014 Unable to restore from Quarantined!!! How do I fix this error???

Answers

  • Hi
    Considering this issue is about Microsoft Security Essentials, it is recommended that you contact the corresponding support:

    Support for Microsoft Security Essentials

    http://support.microsoft.com/ph/15931

    Hope the issue will be resolved soon.


    Terence Yu

    TechNet Community Support

    • Marked as answer by

      Monday, July 23, 2012 6:40 AM

Blue


  • #1

Hello Everyone, Installed Windows Defender for xp, [v.1.1593.0
def.1.65.477.0] ran update, then scan, and it found 6 old files on my
computer (took a long time to finish scan — 1.5+ hr.). Quarantined all 6
files. After looking at history, found that one file contained a lot of music
and other programs. Tried to restore it but it failed. Error code 0x80508014.
This file was on my desktop. Tried numerous times — failed. Tried to system
restore to earlier date — ok, but file would not open? Set system restore
back to original. Still, Windows Defender quarantine restore will not work.
Really would like to have file back.
Searched the net, could not find any help; Hope someone here can.

1PW


  • #2

Hello Blue:

Try bringing up your system in «Safe Mode» and see if you can deal
with it then.

Please post a reply to this thread with your progress.

Blue


  • #3


Blue 2009

Thanks for trying to help. No this did not help, I still get an error
message 0x80508014 when I try to restore the quarantined files even in safe
mode.

Bill Sanderson


  • #4

This is reminiscent of some issues with Defender early on where it ate vast
libraries of MP3 files which were stored in subdirectories of some app which
was removed as spyware, along with music at lower levels in the tree.

The quarantine is not too hard to find, as I recall, and files in it were
basically renamed as numbers.

So, if you can guess what kind of extension belongs on that file—from your
description, perhaps ZIP? you may be able to rescue it by finding the
quarantine and renaming the file and copying/moving it back to the desktop.

I should say that a not infrequent occurrence was that someone would see
that their music was being sucked down a black hole, yell «***** *****» and
hit the reset button, or something similar. This had the result of the
quarantine process being stopped dead in midstream, and the various indexes
and files not updated which would have allowed for proper restore function.

(and for more parenthetical info, MP3 files contain their titles in the file
itself, so with persistence, it was possible to not just recover the files,
but even rename them back to their original names if you were really
clever.)

So—where is the quarantine? Let me see if I can check that for you.

OK — (used XP Mode on Windows 7, uninstalled Microsoft Security Essentials,
installed WD, and here:

C:\documents and settings\all users\application data\microsoft\windows defender\quarantine

is where I believe the quarantined files will be found. I retyped that by
hand, and I didn’t know which of those folders is hidden, so just go to a
command prompt and type in CD documents and settings (enter) and work your
way down the chain til you get there.

I also don’t recall if there are permissions issues—but I think not.

So—find files in that folder, and experiment with renaming them to see if
you can get back something usable.

Let us know whether this helps—thanks!
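
The approach suggested in post #4 (guess the file type, rename, and use the title stored inside an MP3), as an added example that is not part of the thread: a read-only Python survey that identifies extensionless files by their leading bytes and reads the ID3v1 title to propose a name. It assumes the stored files are unmodified copies, which the thread does not confirm; the folder layout and file names in the sample are constructed.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# Well-known leading-byte signatures; extend the table as needed.
MAGIC = [
    (b"PK\x03\x04", ".zip"),
    (b"ID3", ".mp3"),                               # MP3 that starts with an ID3v2 tag
    (b"\x30\x26\xb2\x75\x8e\x66\xcf\x11", ".wma"),  # ASF container (WMA/WMV)
    (b"MZ", ".exe"),                                # PE executable or DLL
]


def sniff_extension(head: bytes) -> Optional[str]:
    """Guess an extension from the first bytes of a file, or None if unrecognised."""
    for magic, ext in MAGIC:
        if head.startswith(magic):
            return ext
    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":
        return ".wav"
    # Bare MPEG audio frame: 11 sync bits set (weak check, treat as "probable").
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return ".mp3"
    return None


def id3v1_tag(path: str) -> Optional[Tuple[str, str]]:
    """Return (title, artist) from an ID3v1 trailer (last 128 bytes), if present."""
    if os.path.getsize(path) < 128:
        return None
    with open(path, "rb") as fh:
        fh.seek(-128, os.SEEK_END)
        tag = fh.read(128)
    if tag[:3] != b"TAG":
        return None

    def clean(raw: bytes) -> str:
        return raw.split(b"\x00")[0].decode("latin-1").strip()

    return clean(tag[3:33]), clean(tag[33:63])


def safe_name(text: str) -> str:
    """Replace characters that are not allowed in Windows file names."""
    return "".join("_" if c in '\\/:*?"<>|' else c for c in text).strip()


def survey(root: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Read-only walk: (relative path, guessed extension, suggested file name)."""
    rows = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                head = fh.read(16)
            ext = sniff_extension(head)
            suggested = None
            if ext == ".mp3":
                tag = id3v1_tag(path)
                if tag and tag[0]:
                    title, artist = tag
                    label = f"{artist} - {title}" if artist else title
                    suggested = safe_name(label) + ext
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            rows.append((rel, ext, suggested))
    return sorted(rows, key=lambda row: row[0])


def build_sample_tree(root: str) -> None:
    """Constructed stand-in for the numbered, extensionless files described in the thread."""
    tag = (b"TAG" + b"Example Song".ljust(30, b"\x00")
           + b"Example Artist".ljust(30, b"\x00") + b"".ljust(30, b"\x00")
           + b"2004" + b"".ljust(30, b"\x00") + b"\xff")   # 128-byte ID3v1 trailer
    samples = {
        "ResourceData/0A/0A11": b"\xff\xfb\x90\x00" + b"\x00" * 64 + tag,  # MP3-like
        "ResourceData/3F/3F22": b"PK\x03\x04" + b"\x00" * 26,              # ZIP-like
        "ResourceData/7C/7C33": bytes(range(7, 71)),                       # opaque blob
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, ext, suggested in survey(tmp):
            print(rel, ext or "unrecognised", suggested or "")
```

A file reported as unrecognised either is a type missing from the table or was not stored as a plain copy, and in the second case renaming it will not make it playable.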

Blue


  • #5

Actually WD has one folder called quarantine < then three folders (named
entries, resources, resource data) < resources and resource data have approx. 300
folders in each and those are numbered and lettered < and have 3 to 6 files in
each one. The file ext. seems to be just FILE or nothing? As you can see this
could be an arduous task. I tried a few, first copying and then changing the
ext. and then trying out with Windows Media Player but nothing worked. Why
won’t the quarantine restore work?

Blue 2009

Ǝиçεl


  • #6

Hi Blue,

Just out of curiosity
are you running freeware programs, and P2P programs like Alnet, Grokster,
Imesh, LimeWire, Bearshare, Grokster, KaZaA, and WinMX, Emule, eDonkey, etc.
-=-

Blue


  • #7

Hi Ǝиçεl,
No freeware or p2p are running. Back in 2000 when I had dial-up, I had a
p2p called Kazaa but it's been removed since then. Why do you ask, it must be
more than curiosity, is there a link to this mess? Well whatever, I would
just like it fixed.
Thanks for any help you can give.
Bill was there a fix for defender back when it ate those files?

Blue 2009

Ǝиçεl


  • #8

Sorry Blue, I don’t have good news for you.

All the links from 2005 and 06 are broken.

I copy & paste (my specialty) ;-) this one from 2007

Subject: Can not acces any of my music in Kazza 3/11/2007 12:06 PM PST
By: alostsoul In: microsoft.private.security.spyware.general

<http://www.microsoft.com/communitie…&p=1&tid=957e1a8d-98d4-4f0c-b5c3-76caf023f0c8>

Question

Well here goes, I will try to explain. I was allowing the Windows Defender to
remove threats when I realized it was removing my Kazaa Lite app, which my
kids have a lot of music on. When I view the History I see
SoftwareBundle:Win32/KaZaA and the action taken was removed but the status
says error encountered. When I look in the lower window of the history I see
all the files with the songs, but can not restore.
Help before my kids go ballistic, is there a way to restore what Windows
Defender has removed?
I did a couple of restores of my PC but nothing has worked, my Kazaa Lite is
totally gone along with the files with it.

Engel 3/11/2007 1:00 PM PST

Hello alostsoul

Stop what you are doing now. And D/L these 2 free applications, and try to
undelete any files, before it is too late.

http://www.officerecovery.com/freeundelete/

www.recuva.com

I don’t use Kazaa, but I remember it being hard to undelete any files deleted
by WD.
http://www.microsoft.com/athome/security/spyware/software/about/releasenotes.mspx

Known issues

Windows Defender might prompt you to remove some peer-to-peer (P2P)
file-sharing programs. If you choose to remove such a program, Windows
Defender deletes all the contents of the Program Files folder associated with
the P2P program. Because some P2P programs store downloaded files in a
default folder under Program Files, this might remove all files you have
downloaded through the file-sharing program. For example, KaZaA stores .exe
and .dll files at C:\Program Files\Kazaa. Downloaded files are stored at
C:\Program Files\Kazaa\My Shared Folder. If you use Windows Defender to
remove KaZaA, all files and folders under C:\Program Files\Kazaa are removed.
If you have installed any P2P file-sharing programs, it is a good idea to
back up your downloaded files before you run Windows Defender.

Please let me know if you were lucky with the 2 programs, so I can recommend
the same solution to the next unlucky person.

I hope this post is helpful, but we would highly appreciate it if you could
rate the post, so we can keep the community informed.

Good luck

Еиçеl

Good luck

Bill Sanderson MVP 3/11/2007 2:08 PM PST

In addition to Engel’s excellent recommendation, please check Windows
Defender’s quarantine area to see whether the songs have been quarantined.
If they have, you can restore them from the quarantine. Tools, quarantined
items.

end
-=-

Maybe Bill knows how to open the restore points, and from there you have the
chance to get the files. Read this link

http://www.microsoft.com/communitie…9ff6&mid=ed2b2bf7-5719-4b6c-9f1a-5c2bf18a9ff6

Sorry, I’m out of ideas.

Good luck
-=-

Blue


  • #9

Hello Bill and Ǝиçεl,
First of all thank you so much for your help. I was able to restore my
files. (yea!) I’m sorry it took me so long to post this final reply. I take a
lot of time researching things before I try them because I want to do it
right the first time. (What that really means is that I don’t want to screw
up; which happens.) I wish I had done that with WD. I was going to do what
you suggested previously (downloading some utilities), but I kept thinking
why can’t I just restore them in WD? Why??? To make a long story short the
reason WD wouldn’t restore the files was because the path was gone. (It
removed the folder the files were in also.) So I figured all I had to do was
make the computer believe that the file was still there. I created a file
with the exact same path and voilà, WD restored my files to it. You both
were right about the p2p link. I guess some remnants of the old Kazaa file
were still around and I guess WD doesn’t like Kazaa. I’m really appreciative
of your help though.
I just noticed I spelled Windows wrong in the subject line. Can that be
fixed? (to help someone find this post?)
Best of luck,
Blue

Blue 2009

Ǝиçεl


  • #10

Hi Blue,

Terrific—glad to hear it. It helps if you mark your initial question as
answered—that will enable others searching for an answer to find a correct
one more quickly.

Have a great weekend (enjoy the music :)

(¯`·._.·Eиgel·._.·´¯)
-=-

Blue said:

Hello Bill and Ǝиçεl,
First of all thank you so much for your help. I was able to restore my
files. (yea!) I’m sorry it took me so long to post this final reply. I take a
lot of time reasearching things before I try them because I want to do it
right the first time. (What that really means is that I don’t want to screw
up; Which happens.) I wish I had done that with WD. I was going to do what
you sugested previously (downloading some utilities ), but I kept thinking
why can’t I just restore them in WD? Why??? To make a long story short the
reason WD wouldn’t restore the files was because the path was gone. (It
removed the folder the files were in also.) So I figured all I had to do was
make the computer believe that the file was still there. I created a file
with the exact same path and violia, WD restored my files to it. You both
were right about the p2p link. I guess some remenants of the old kazaa file
was still around and I guess WD doesn’t like Kazaa. I’m really appreciative
of your help though.
I just noticed I spelled Windows wrong in the subject line. Can that be
fixed? (to help someone find this post?)
Best of luck,
Blue

Blue 2009

Ǝиçεl said:

Sorry Blue, I don’t have good news for you.

All the links from 2005 and 06 are broke.

I copy & paste (my specialty) ;-) this one from 2007

Subject: Can not acces any of my music in Kazza 3/11/2007 12:06 PM PST
By: alostsoul In: microsoft.private.security.spyware.general

<http://www.microsoft.com/communitie…&p=1&tid=957e1a8d-98d4-4f0c-b5c3-76caf023f0c8>

Question

Well here goes, I will try to explain. I was allowing the Windows Defender to
remove threats when I realized it was removing my Kazza Lite app, which my
kids have a lot of music on. When I view the History I see
SoftwareBundle:Win32/KaZaA and the action taken was removed but the status
says error encountered. When I look in the lower window of the history I see
all the files with the songs, but can not restore.
Help before my kids go ballistic, is there a way to restore what Windows
defender has removed.
I did a couple of restores of my PC but nothing has worked, my Kazzaa Lite is
totally gone along with the files with it.

Engel 3/11/2007 1:00 PM PST

Hello alostsoul

Stop what you are doing now. And D/L these 2 free applications, and try to
undelete any files, before it is too late.

http://www.officerecovery.com/freeundelete/

www.recuva.com

I don’t use Kazaa, but I remember it being hard to undelete any files deleted
by WD.
http://www.microsoft.com/athome/security/spyware/software/about/releasenotes.mspx

Known issues

Windows Defender might prompt you to remove some peer-to-peer (P2P)
file-sharing programs. If you choose to remove such a program, Windows
Defender deletes all the contents of the Program Files folder associated with
the P2P program. Because some P2P programs store downloaded files in a
default folder under Program Files, this might remove all files you have
downloaded through the file-sharing program. For example, KaZaA stores .exe
and .dll files at C:\Program Files\Kazaa. Downloaded files are stored at
C:\Program Files\Kazaa\My Shared Folder. If you use Windows Defender to
remove KaZaA, all files and folders under C:\Program Files\Kazaa are removed.
If you have installed any P2P file-sharing programs, it is a good idea to
back up your downloaded files before you run Windows Defender.

Please let me know if you were lucky with the 2 programs, so I can recommend
the same solution to the next unlucky person.

I hope this post is helpful, but we would highly appreciate it if you could
rate the post, so we can keep the community informed.

Good luck

Еиçеl

Good luck

Bill Sanderson MVP 3/11/2007 2:08 PM PST

In addition to Engel’s excellent recommendation, please check Windows
Defender’s quarantine area to see whether the songs have been quarantined.
If they have, you can restore them from the quarantine. Tools, quarantined
items.

end
-=-

Maybe Bill knows how to open the restore points, and from there you have the
chance to get the files. Read this link

http://www.microsoft.com/communitie…9ff6&mid=ed2b2bf7-5719-4b6c-9f1a-5c2bf18a9ff6

Sorry, I’m out of ideas.

Good luck
-=-

Blue said:

Hi Ǝиçεl,
No freeware or p2p are running. Back in 2000 when I had dial-up, I had a
p2p called Kazaa but its been removed since then. Why do you ask, it must be
more than curiosity, is there a link to this mess? Well whatever, I would
just like it fixed.
Thanks for any help you can give.
Bill was there a fix for defender back when it ate those files?

Blue 2009

:

Hi Blue,

Just out of curiosity
are you running freeware programs, and P2P programs like Alnet, Grokster,
Imesh, LimeWire, Bearshare, Grokster, KaZaA, and WinMX, Emule, eDonkey, etc.
-=-

:

Actually wd has one folder called quarantine<then three folders(named
entries,resources,resource data)<resource and resource data have approx. 300
folders in each and those are numbered and lettered <and have 3 to 6 files in
each one. The file ext. seems to be just FILE or nothing? As you can see this
could be an arduous task. I tried a few first copying and then changing the
ext. and then trying out with windows media player but nothing worked. Why
won’t the quarantine restore work?

Blue 2009

:

This is reminiscent of some issues with Defender early on where it ate vast
libraries of MP3 files which were stored in subdirectories of some app which
was removed as spyware, along with music at lower levels in the tree.

The quarantine is not too hard to find, as I recall, and files in it were
basically renamed as numbers.

So, if you can guess what kind of extension belongs on that file—from your
description, perhaps ZIP? you may be able to rescue it by finding the
quarantine and renaming the file and copying/moving it back to the desktop.

I should say that a not infrequent occurrence was that someone would see
that their music was being sucked down a black hole, yell «***** *****» and
hit the reset button, or something similar. This had the result of the
quarantine process being stopped dead in midstream, and the various indexes
and files not updated which would have allowed for proper restore function.

(and for more parenthetical info, MP3 files contain their titles in the file
itself, so with persistence, it was possible to not just recover the files,
but even rename them back to their original names if you were really
clever.)

So—where is the quarantine? Let me see if I can check that for you.

OK — (used XP Mode on Windows 7, uninstalled Microsoft Security Essentials,
installed WD, and here:

C:\documents and settings\all users\application data\microsoft\windows defender\quarantine

is where I believe the quarantined files will be found. I retyped that by
hand, and I didn’t know which of those folders is hidden, so just go to a
command prompt and type in CD documents and settings (enter) and work your
way down the chain til you get there.

I also don’t recall if there are permissions issues—but I think not.

So—find files in that folder, and experiment with renaming them to see if
you can get back something usable..

Let us know whether this helps—thanks!

I have a file that Security Essentials quarantined «on sight» that I want to restore to perform some further analysis on.

However, the file was stored on my NAS server. This means I had accessed the server by entering \\192.168.1.5 into my Run box, entering the credentials and browsing to the folder. Security Essentials removed the item and stored it in quarantine. I am unable to restore the item from quarantine, with the error code 0x80508014.

My research shows that this error indicates that SE can’t access the path the original file was in, and suggests recreating the path. The problem is that I haven’t removed any folders so the path already exists. Further digging seems to indicate that the issue is that SE cannot access the network share because the share is connected to my user account session and not to SYSTEM or Administrator. SE lists the path of the original file in the details as file:\\192.168.1.5\storage\research\file.exe, so it appears SE is trying to directly restore the file to this location and is unable to do so because the SE process does not have access to the share connection.

I tried opening an Administrator command prompt and manually connecting the network share to Admin’s session using net use but this did not help.

Is there a way to direct SE to restore a quarantined file to a different location than it was originally found in? I do not see a way for me to be able to give the SE process access to the network share so it can restore the file.

asked Oct 1, 2016 at 17:39

fdmillion

I hit a similar problem when Windows 10 Defender quarantined some files from my NAS box.

In a Command Prompt (opened as administrator) I was able to use the command line tool to list the quarantined files:

c:\Program Files\Windows Defender>MpCmdRun.exe -restore -listall

The following items are quarantined:

XXX
XXX

Then I used the -restore option along with -Path to restore to a local path:

c:\Program Files\Windows Defender>MpCmdRun.exe -restore -All -Path C:\PathToRestore

After that I was able to copy the files back to my network drive (which is now on the exclusion list!).

answered Nov 15, 2016 at 9:40

Snoophogg

When you ran the net use command from the administrative command prompt, did you then also run/launch the SE interface from that command prompt?

net use \\192.168.1.5\ipc$ /user:username pwd
net use \\192.168.1.5\storage /user:username pwd
"C:\Program Files\Microsoft Security Client\msseces.exe"

In my experience this is required because the SE process must not only run under the same user ID, but the same session. If you run net use from an administrative command prompt it may not have any effect on the administrative SE app if SE was launched separately from the command prompt.

answered Oct 2, 2016 at 1:59

David Woodward


Value: -2142207980 | 0x80508014 | 2152759316

What does it mean ?

ERR_MP_RESTORE_FAILED

 

Value: 32788 | 0x8014 | 0b1000000000010100

Where does it come from ?


FACILITY_WINDOWS_DEFENDER

 

Windows Defender
Value: 80 | 0x050 | 0b01010000
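
The three values in the lookup above are one 32-bit HRESULT written as signed decimal, hex and unsigned decimal. The Python below is an added example (not from any post on this page or from Microsoft's documentation) that splits such a value into severity, facility and code and applies it to the "Error Code:" field of a restore-failed event; the sample event text, the EXAMPLE\alice account and all function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Facility number -> name. Only the entry shown on this page is listed.
FACILITIES = {0x050: "FACILITY_WINDOWS_DEFENDER"}

# Full HRESULT -> symbolic name. Only the value shown on this page is listed.
KNOWN_HRESULTS = {0x80508014: "ERR_MP_RESTORE_FAILED"}


@dataclass(frozen=True)
class HResult:
    value: int      # unsigned 32-bit form, e.g. 2152759316
    failure: bool   # bit 31: severity (1 = failure)
    facility: int   # bits 16-26: which component raised the error
    code: int       # bits 0-15: the component's own error number

    @property
    def signed(self) -> int:
        """Signed 32-bit form, as some tools and logs print it."""
        return self.value - (1 << 32) if self.value & 0x80000000 else self.value

    @property
    def facility_name(self) -> str:
        return FACILITIES.get(self.facility, f"facility {self.facility:#05x}")

    @property
    def name(self) -> str:
        return KNOWN_HRESULTS.get(self.value, "unknown")


def parse_hresult(text) -> HResult:
    """Accept '0x80508014', '2152759316' or '-2142207980' (str or int)."""
    raw = int(str(text).strip(), 0)
    if not -(1 << 31) <= raw < (1 << 32):
        raise ValueError(f"not a 32-bit HRESULT: {text!r}")
    value = raw & 0xFFFFFFFF  # two's complement -> unsigned
    return HResult(value, bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF)


ERROR_CODE_RE = re.compile(r"^\s*Error Code:\s*(-?(?:0x[0-9A-Fa-f]+|\d+))\s*$", re.M)
PATH_RE = re.compile(r"^\s*Path:\s*(.+?)\s*$", re.M)

# Constructed sample: field layout of a restore-failed event description,
# with the network path from the NAS question on this page.
SAMPLE_EVENT_1010 = r"""Windows Defender has encountered an error trying to restore an item from quarantine.
    Name: <Threat name>
    Path: file:\\192.168.1.5\storage\research\file.exe
    User: EXAMPLE\alice
    Error Code: 0x80508014
    Error Description: (constructed sample)
"""


def triage_restore_failure(event_text: str):
    """Pull Path and Error Code out of a restore-failed event description.

    Returns None when the text carries no parsable Error Code field.
    """
    code = ERROR_CODE_RE.search(event_text)
    if code is None:
        return None
    hr = parse_hresult(code.group(1))
    path_match = PATH_RE.search(event_text)
    target = path_match.group(1) if path_match else ""
    # Drop the "file:" scheme prefix so the path can be classified.
    location = target[5:] if target.lower().startswith("file:") else target
    return {
        "hresult": f"{hr.value:#010x}",
        "name": hr.name,
        "facility": hr.facility_name,
        "path": location,
        # A UNC target may be unreachable from the antimalware process, which
        # is the situation the NAS question describes.
        "network_path": location.startswith("\\\\"),
    }


if __name__ == "__main__":
    for form in ("0x80508014", "2152759316", "-2142207980"):
        hr = parse_hresult(form)
        print(form, "->", hr.name, hr.facility_name, f"code={hr.code:#06x}")
    print(triage_restore_failure(SAMPLE_EVENT_1010))
```

When `network_path` is true, the fix reported on this page is to restore to a local folder with `MpCmdRun.exe -Restore -All -Path` and copy the file back afterwards.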

jimmy

Nov 5, 2021, 12:42:47 PM

Slightly OT but can anyone help me convert these instructions for use with security essentials in win7?

Same error message as for win 10

I had a very similar problem. In addition, I found the error 0x80508014 appearing in Windows’ Event Viewer (see Review event logs and error codes to troubleshoot issues with Windows Defender Antivirus). Joanne’s answer in the thread Where to restore quarantined items in Windows 10 creator update? solved the problem for me:

- Open an elevated command prompt (open start menu, type cmd, right click, choose "Run as administrator").
- Navigate to C:\Program Files\Windows Defender ("cd C:\Program Files\Windows Defender" [Enter]).
- Run "MpCmdRun.exe -?" to see a list of available commands.
- Use MpCmdRun.exe to recover the quarantined files to a different location. I created an empty folder named "DefenderRecovery" in C: and then ran the command "MpCmdRun.exe -Restore -All -Path C:\DefenderRecovery".

Before the recovery, I also (temporarily) disabled Windows Defender’s real-time monitoring.

Thanks

Adrian Caspersz

Nov 5, 2021, 4:17:12 PM

On 05/11/2021 09:42, jimmy wrote:
> Slightly OT but can anyone help me convert these instructions for use
> with security essentials in win7?
>

first google how to open the windows 7 command prompt as administrator
and then find a beginners guide to using the command line, typing
commands like ‘cd’ for change directory, etc….

The following looks doable in Windows 7.

So is, er, reformat disk…

> - Open an elevated command prompt (open start menu, type cmd, right
> click, choose "Run as administrator").
>
> - Navigate to C:\Program Files\Windows Defender ("cd C:\Program
> Files\Windows Defender" [Enter]).
>
> - Run "MpCmdRun.exe -?" to see a list of available commands.
>
> - Use MpCmdRun.exe to recover the quarantined files to a different
> location. I created an empty folder named "DefenderRecovery" in C: and
> then ran the command "MpCmdRun.exe -Restore -All -Path
> C:\DefenderRecovery".
>
> Before the recovery, I also (temporarily) disabled Windows Defender’s
> real-time monitoring.
>
> Thanks

Adrian C

title: Troubleshoot Windows Defender in Windows 10 (Windows 10)
description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: jasesso

Troubleshoot Windows Defender in Windows 10

Applies to

  • Windows 10

IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.

Windows Defender client event IDs

This section provides the following information about Windows Defender client events:

  • The text of the message as it appears in the event
  • The name of the source of the message
  • The symbolic name that identifies each message in the programming source code
  • Additional information about the message

Use the information in this table to help troubleshoot Windows Defender client events; these are located in the Windows Event Viewer, under Windows Logs.

To view a Windows Defender client event

  1. Open Event Viewer.
  2. In the console tree, expand Applications and Services Logs, then Microsoft, then Windows, then Windows Defender.
  3. Double-click on Operational.
  4. In the details pane, view the list of individual events to find your event.
  5. Click the event to see specific details about an event in the lower pane, under the General and Details tabs.

You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in Windows Server Antimalware Events TechNet.

Event ID: 1000

Symbolic name:

MALWAREPROTECTION_SCAN_STARTED

Message:

An antimalware scan started.

Description:

Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:

  • Antivirus
  • Antispyware
  • Antimalware
Scan Parameters: <Scan parameters>, for example:

  • Full scan
  • Quick scan
  • Customer scan
Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
User: <Domain>\<User>

Event ID: 1001

Symbolic name:

MALWAREPROTECTION_SCAN_COMPLETED

Message:

An antimalware scan finished.

Description:

Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:

  • Antivirus
  • Antispyware
  • Antimalware
Scan Parameters: <Scan parameters>, for example:

  • Full scan
  • Quick scan
  • Customer scan
User: <Domain>\<User>
Scan Time: <The duration of a scan.>

Event ID: 1002

Symbolic name:

MALWAREPROTECTION_SCAN_CANCELLED

Message:

An antimalware scan was stopped before it finished.

Description:

Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:

  • Antivirus
  • Antispyware
  • Antimalware
Scan Parameters: <Scan parameters>, for example:

  • Full scan
  • Quick scan
  • Customer scan
User: <Domain>\<User>
Scan Time: <The duration of a scan.>

Event ID: 1003

Symbolic name:

MALWAREPROTECTION_SCAN_PAUSED

Message:

An antimalware scan was paused.

Description:

Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:

  • Antivirus
  • Antispyware
  • Antimalware
Scan Parameters: <Scan parameters>, for example:

  • Full scan
  • Quick scan
  • Customer scan
User: <Domain>\<User>

Event ID: 1004

Symbolic name:

MALWAREPROTECTION_SCAN_RESUMED

Message:

An antimalware scan was resumed.

Description:

Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:

  • Antivirus
  • Antispyware
  • Antimalware
Scan Parameters: <Scan parameters>, for example:

  • Full scan
  • Quick scan
  • Customer scan
User: <Domain>\<User>

Event ID: 1005

Symbolic name:

MALWAREPROTECTION_SCAN_FAILED

Message:

An antimalware scan failed.

Description:

Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:

  • Antivirus
  • Antispyware
  • Antimalware
Scan Parameters: <Scan parameters>, for example:

  • Full scan
  • Quick scan
  • Customer scan
User: <Domain>\<User>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.

User action:

The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.

To troubleshoot this event:

  1. Run the scan again.
  2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
  3. Contact Microsoft Technical Support.

Event ID: 1006

Symbolic name:

MALWAREPROTECTION_MALWARE_DETECTED

Message:

The antimalware engine found malware or other potentially unwanted software.

Description:

For more information please see the following:

Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example:

  • Unknown
  • Local computer
  • Network share
  • Internet
  • Incoming traffic
  • Outgoing traffic
Detection Type: <Detection type>, for example:

  • Heuristics
  • Generic
  • Concrete
  • Dynamic signature
Detection Source: <Detection source> for example:

  • User: user initiated
  • System: system initiated
  • Real-time: real-time component initiated
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • NIS: Network inspection system
  • IEPROTECT: IE — IExtensionValidation; this protects against malicious webpage controls
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • Remote attestation
  • Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  • UAC

Status: <Status>
User: <Domain>\<User>
Process Name: <Process in the PID>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Event ID: 1007

Symbolic name:

MALWAREPROTECTION_MALWARE_ACTION_TAKEN

Message:

The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.

Description:

Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:

User: <Domain>\<User>
Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Action: <Action>, for example:

  • Clean: The resource was cleaned
  • Quarantine: The resource was quarantined
  • Remove: The resource was deleted
  • Allow: The resource was allowed to execute/exist
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • No action: No action
  • Block: The resource was blocked from executing
Status: <Status>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Event ID: 1008

Symbolic name:

MALWAREPROTECTION_MALWARE_ACTION_FAILED

Message:

The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

Description:

Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:

User: <Domain>\<User>
Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Action: <Action>, for example:

  • Clean: The resource was cleaned
  • Quarantine: The resource was quarantined
  • Remove: The resource was deleted
  • Allow: The resource was allowed to execute/exist
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • No action: No action
  • Block: The resource was blocked from executing
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
Status: <Status>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Event ID: 1009

Symbolic name:

MALWAREPROTECTION_QUARANTINE_RESTORE

Message:

The antimalware platform restored an item from quarantine.

Description:

Windows Defender has restored an item from quarantine. For more information please see the following:

Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Event ID: 1010

Symbolic name:

MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED

Message:

The antimalware platform could not restore an item from quarantine.

Description:

Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:

Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Event ID: 1011

Symbolic name:

MALWAREPROTECTION_QUARANTINE_DELETE

Message:

The antimalware platform deleted an item from quarantine.

Description:

Windows Defender has deleted an item from quarantine.
For more information please see the following:

Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Event ID: 1012

Symbolic name:

MALWAREPROTECTION_QUARANTINE_DELETE_FAILED

Message:

The antimalware platform could not delete an item from quarantine.

Description:

Windows Defender has encountered an error trying to delete an item from quarantine.
For more information please see the following:

Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Event ID: 1013

Symbolic name:

MALWAREPROTECTION_MALWARE_HISTORY_DELETE

Message:

The antimalware platform deleted history of malware and other potentially unwanted software.

Description:

Windows Defender has removed history of malware and other potentially unwanted software.

Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
User: <Domain>\<User>

Event ID: 1014

Symbolic name:

MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED

Message:

The antimalware platform could not delete history of malware and other potentially unwanted software.

Description:

Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.

Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
User: <Domain>\<User>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.

Event ID: 1015

Symbolic name:

MALWAREPROTECTION_BEHAVIOR_DETECTED

Message:

The antimalware platform detected suspicious behavior.

Description:

Windows Defender has detected a suspicious behavior.
For more information please see the following:

Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example:

  • Unknown
  • Local computer
  • Network share
  • Internet
  • Incoming traffic
  • Outgoing traffic
Detection Type: <Detection type>, for example:

  • Heuristics
  • Generic
  • Concrete
  • Dynamic signature
Detection Source: <Detection source> for example:

  • User: user initiated
  • System: system initiated
  • Real-time: real-time component initiated
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • NIS: Network inspection system
  • IEPROTECT: IE — IExtensionValidation; this protects against malicious webpage controls
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • Remote attestation
  • Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  • UAC

Status: <Status>
User: <Domain>\<User>
Process Name: <Process in the PID>
Signature ID: Enumeration matching severity.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Fidelity Label:
Target File Name: <File name>
Name of the file.

Event ID: 1116

Symbolic name:

MALWAREPROTECTION_STATE_MALWARE_DETECTED

Message:

The antimalware platform detected malware or other potentially unwanted software.

Description:

Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:

Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example:

  • Unknown
  • Local computer
  • Network share
  • Internet
  • Incoming traffic
  • Outgoing traffic
Detection Type: <Detection type>, for example:

  • Heuristics
  • Generic
  • Concrete
  • Dynamic signature
Detection Source: <Detection source> for example:

  • User: user initiated
  • System: system initiated
  • Real-time: real-time component initiated
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • NIS: Network inspection system
  • IEPROTECT: IE — IExtensionValidation; this protects against malicious webpage controls
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • Remote attestation
  • Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  • UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

User action:

No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.

Event ID: 1117

Symbolic name:

MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN

Message:

The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.

Description:

Windows Defender has taken action to protect this machine from malware or other potentially unwanted software.
For more information please see the following:

Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example:

  • Unknown
  • Local computer
  • Network share
  • Internet
  • Incoming traffic
  • Outgoing traffic
Detection Type: <Detection type>, for example:

  • Heuristics
  • Generic
  • Concrete
  • Dynamic signature
Detection Source: <Detection source> for example:

  • User: user initiated
  • System: system initiated
  • Real-time: real-time component initiated
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • NIS: Network inspection system
  • IEPROTECT: IE — IExtensionValidation; this protects against malicious webpage controls
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • Remote attestation
  • Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  • UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:

  • Clean: The resource was cleaned
  • Quarantine: The resource was quarantined
  • Remove: The resource was deleted
  • Allow: The resource was allowed to execute/exist
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • No action: No action
  • Block: The resource was blocked from executing
Action Status: <Description of additional actions>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

User action:

No action is necessary. Windows Defender removed or quarantined a threat.

Event ID: 1118

Symbolic name:

MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

Message:

The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

Description:

Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:

Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example:

  • Unknown
  • Local computer
  • Network share
  • Internet
  • Incoming traffic
  • Outgoing traffic
Detection Type: <Detection type>, for example:

  • Heuristics
  • Generic
  • Concrete
  • Dynamic signature
Detection Source: <Detection source> for example:

  • User: user initiated
  • System: system initiated
  • Real-time: real-time component initiated
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • NIS: Network inspection system
  • IEPROTECT: IE — IExtensionValidation; this protects against malicious webpage controls
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • Remote attestation
  • Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  • UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:

  • Clean: The resource was cleaned
  • Quarantine: The resource was quarantined
  • Remove: The resource was deleted
  • Allow: The resource was allowed to execute/exist
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • No action: No action
  • Block: The resource was blocked from executing
Action Status: <Description of additional actions>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

User action:

No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.

Event ID: 1119

Symbolic name:

MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED

Message:

The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.

Description:

Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:

Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:

  • Low
  • Moderate
  • High
  • Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example:

  • Unknown
  • Local computer
  • Network share
  • Internet
  • Incoming traffic
  • Outgoing traffic
Detection Type: <Detection type>, for example:

  • Heuristics
  • Generic
  • Concrete
  • Dynamic signature
Detection Source: <Detection source> for example:

  • User: user initiated
  • System: system initiated
  • Real-time: real-time component initiated
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • NIS: Network inspection system
  • IEPROTECT: IE — IExtensionValidation; this protects against malicious webpage controls
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • Remote attestation
  • Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  • UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:

  • Clean: The resource was cleaned
  • Quarantine: The resource was quarantined
  • Remove: The resource was deleted
  • Allow: The resource was allowed to execute/exist
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • No action: No action
  • Block: The resource was blocked from executing
Action Status: <Description of additional actions>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

User action:

The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.

  • Remove: Update the definitions then verify that the removal was successful.
  • Clean: Update the definitions then verify that the remediation was successful.
  • Quarantine: Update the definitions and verify that the user has permission to access the necessary resources.
  • Allow: Verify that the user has permission to access the necessary resources.

If this event persists:

  1. Run the scan again.
  2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
  3. Contact Microsoft Technical Support.

Event ID: 1120

Symbolic name:

MALWAREPROTECTION_THREAT_HASH

Message:

Windows Defender has deduced the hashes for a threat resource.

Description:

Windows Defender client is up and running in a healthy state.

Current Platform Version: <Current platform version>
Threat Resource Path: <Path>
Hashes: <Hashes>

Note: This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.

Event ID: 1150

Symbolic name:

MALWAREPROTECTION_SERVICE_HEALTHY

Message:

If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state.

Description:

Windows Defender client is up and running in a healthy state.

Platform Version: <Current platform version>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

User action:

No action is necessary. The Windows Defender client is in a healthy state. This event is reported on an hourly basis.

Event ID: 2000

Symbolic name:

MALWAREPROTECTION_SIGNATURE_UPDATED

Message:

The antimalware definitions updated successfully.

Description:

Windows Defender signature version has been updated.

Current Signature Version: <Current signature version>
Previous Signature Version: <Previous signature version>
Signature Type: <Signature type>, for example:

  • Antivirus
  • Antispyware
  • Antimalware
  • Network Inspection System
Update Type: <Update type>, either Full or Delta.
User: <Domain>\<User>
Current Engine Version: <Current engine version>
Previous Engine Version: <Previous engine version>

User action:

No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.

Event ID: 2001

Symbolic name:

MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED

Message:

The antimalware definition update failed.

Description:

Windows Defender has encountered an error trying to update signatures.

New Signature Version: <New version number>
Previous Signature Version: <Previous signature version>
Update Source: <Update source>, for example:

  • Signature update folder
  • Internal definition update server
  • Microsoft Update Server
  • File share
  • Microsoft Malware Protection Center (MMPC)
Update Stage: <Update stage>, for example:

  • Search
  • Download
  • Install
Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.
Signature Type: <Signature type>, for example:

  • Antivirus
  • Antispyware
  • Antimalware
  • Network Inspection System
Update Type: <Update type>, either Full or Delta.
User: <Domain>\<User>
Current Engine Version: <Current engine version>
Previous Engine Version: <Previous engine version>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.

User action:

This error occurs when there is a problem updating definitions.

To troubleshoot this event:

  1. Update the definitions. Either:
    1. Click the Update definitions button on the Update tab in Windows Defender.

      Or,

    2. Download the latest definitions from the Microsoft Malware Protection Center.

      Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

  2. Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
  3. Contact Microsoft Technical Support.

Event ID: 2002

Symbolic name:

MALWAREPROTECTION_ENGINE_UPDATED

Message:

The antimalware engine updated successfully.

Description:

Windows Defender engine version has been updated.

Current Engine Version: <Current engine version>
Previous Engine Version: <Previous engine version>
Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
User: <Domain>\<User>

User action:

No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.

Event ID: 2003

Symbolic name:

MALWAREPROTECTION_ENGINE_UPDATE_FAILED

Message:

The antimalware engine update failed.

Description:

Windows Defender has encountered an error trying to update the engine.

New Engine Version:
Previous Engine Version: <Previous engine version>
Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
User: <Domain>\<User>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.

User action:

The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.

To troubleshoot this event:

  1. Update the definitions. Either:
    1. Click the Update definitions button on the Update tab in Windows Defender.

      Or,

    2. Download the latest definitions from the Microsoft Malware Protection Center.

      Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

  2. Contact Microsoft Technical Support.

Event ID: 2004

Symbolic name:

MALWAREPROTECTION_SIGNATURE_REVERSION

Message:

There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.

Description:

Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

Signatures Attempted:
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware engine version>

User action:

The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.

To troubleshoot this event:

  1. Restart the computer and try again.
  2. Download the latest definitions from the Microsoft Malware Protection Center.

    Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

  3. Contact Microsoft Technical Support.

Event ID: 2005

Symbolic name:

MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE

Message:

The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.

Description:

Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.

Current Platform Version: <Current platform version>

Event ID: 2006

Symbolic name:

MALWAREPROTECTION_PLATFORM_UPDATE_FAILED

Message:

The platform update failed.

Description:

Windows Defender has encountered an error trying to update the platform.

Current Platform Version: <Current platform version>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.

Event ID: 2007

Symbolic name:

MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE

Message:

The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.

Description:

Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.

Current Platform Version: <Current platform version>

Event ID: 2010

Symbolic name:

MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED

Message:

The antimalware engine used the Dynamic Signature Service to get additional definitions.

Description:

Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.

Current Signature Version: <Current signature version>
Signature Type: <Signature type>, for example:

  • Antivirus
  • Antispyware
  • Antimalware
  • Network Inspection System
Current Engine Version: <Current engine version>
Dynamic Signature Type: <Dynamic signature type>, for example:

  • Version
  • Timestamp
  • No limit
  • Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Persistence Limit Type: <Persistence limit type>, for example:

  • VDM version
  • Timestamp
  • No limit
Persistence Limit: Persistence limit of the fastpath signature.

Event ID: 2011

Symbolic name:

MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED

Message:

The Dynamic Signature Service deleted the out-of-date dynamic definitions.

Description:

Windows Defender used Dynamic Signature Service to discard obsolete signatures.

Current Signature Version: <Current signature version>
Signature Type: <Signature type>, for example:

  • Antivirus
  • Antispyware
  • Antimalware
  • Network Inspection System
Current Engine Version: <Current engine version>
Dynamic Signature Type: <Dynamic signature type>, for example:

  • Version
  • Timestamp
  • No limit
  • Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Removal Reason:
Persistence Limit Type: <Persistence limit type>, for example:

  • VDM version
  • Timestamp
  • No limit
Persistence Limit: Persistence limit of the fastpath signature.

User action:

No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.

Event ID: 2012

Symbolic name:

MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED

Message:

The antimalware engine encountered an error when trying to use the Dynamic Signature Service.

Description:

Windows Defender has encountered an error trying to use Dynamic Signature Service.

Current Signature Version: <Current signature version>
Signature Type: <Signature type>, for example:

  • Antivirus
  • Antispyware
  • Antimalware
  • Network Inspection System
Current Engine Version: <Current engine version>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
Dynamic Signature Type: <Dynamic signature type>, for example:

  • Version
  • Timestamp
  • No limit
  • Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Persistence Limit Type: <Persistence limit type>, for example:

  • VDM version
  • Timestamp
  • No limit
Persistence Limit: Persistence limit of the fastpath signature.

User action:

Check your Internet connectivity settings.

Event ID: 2013

Symbolic name:

MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL

Message:

The Dynamic Signature Service deleted all dynamic definitions.

Description:

Windows Defender discarded all Dynamic Signature Service signatures.

Current Signature Version: <Current signature version>

Event ID: 2020

Symbolic name:

MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED

Message:

The antimalware engine downloaded a clean file.

Description:

Windows Defender downloaded a clean file.

Filename: <File name>
Name of the file.
Current Signature Version: <Current signature version>
Current Engine Version: <Current engine version>

Event ID: 2021

Symbolic name:

MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED

Message:

The antimalware engine failed to download a clean file.

Description:

Windows Defender has encountered an error trying to download a clean file.

Filename: <File name>
Name of the file.
Current Signature Version: <Current signature version>
Current Engine Version: <Current engine version>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.

User action:

Check your Internet connectivity settings.

The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.

Event ID: 2030

Symbolic name:

MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED

Message:

The antimalware engine was downloaded and is configured to run offline on the next system restart.

Description:

Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.

Event ID: 2031

Symbolic name:

MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED

Message:

The antimalware engine was unable to download and configure an offline scan.

Description:

Windows Defender has encountered an error trying to download and configure Windows Defender Offline.

Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.

Event ID: 2040

Symbolic name:

MALWAREPROTECTION_OS_EXPIRING

Message:

Antimalware support for this operating system version will soon end.

Description:

The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

Event ID: 2041

Symbolic name:

MALWAREPROTECTION_OS_EOL

Message:

Antimalware support for this operating system has ended. You must upgrade the operating system for continued support.

Description:

The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

Event ID: 2042

Symbolic name:

MALWAREPROTECTION_PROTECTION_EOL

Message:

The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware.

Description:

The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

Event ID: 3002

Symbolic name:

MALWAREPROTECTION_RTP_FEATURE_FAILURE

Message:

Real-time protection encountered an error and failed.

Description:

Windows Defender Real-Time Protection feature has encountered an error and failed.

Feature: <Feature>, for example:

  • On Access
  • Internet Explorer downloads and Microsoft Outlook Express attachments
  • Behavior monitoring
  • Network Inspection System
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
Reason: The reason Windows Defender real-time protection has restarted a feature.

User action:

You should restart the system then run a full scan because it’s possible the system was not protected for some time.

The Windows Defender client’s real-time protection feature encountered an error because one of the services failed to start.

If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.

Event ID: 3007

Symbolic name:

MALWAREPROTECTION_RTP_FEATURE_RECOVERED

Message:

Real-time protection recovered from a failure. We recommend running a full system scan when you see this error.

Description:

Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.

Feature: <Feature>, for example:

  • On Access
  • IE downloads and Outlook Express attachments
  • Behavior monitoring
  • Network Inspection System
Reason: The reason Windows Defender real-time protection has restarted a feature.

User action:

The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.

Event ID: 5000

Symbolic name:

MALWAREPROTECTION_RTP_ENABLED

Message:

Real-time protection is enabled.

Description:

Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.

Event ID: 5001

Symbolic name:

MALWAREPROTECTION_RTP_DISABLED

Message:

Real-time protection is disabled.

Description:

Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.

Event ID: 5004

Symbolic name:

MALWAREPROTECTION_RTP_FEATURE_CONFIGURED

Message:

The real-time protection configuration changed.

Description:

Windows Defender Real-time Protection feature configuration has changed.

Feature: <Feature>, for example:

  • On Access
  • IE downloads and Outlook Express attachments
  • Behavior monitoring
  • Network Inspection System
Configuration:

Event ID: 5007

Symbolic name:

MALWAREPROTECTION_CONFIG_CHANGED

Message:

The antimalware platform configuration changed.

Description:

Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: <Old value number>
Old Windows Defender configuration value.
New value: <New value number>
New Windows Defender configuration value.
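
Several entries above carry rules that can be applied mechanically when reviewing the log: a 3002 followed by a 3007 for the same feature is a recovered failure, the advice for 1119 depends on the Action field, and 5001 and 5007 call for a review. The following Python is an added example, not Microsoft's code; the record layout, the severity labels and the sample events are constructed for illustration.

```python
from datetime import datetime

# Advice per Action for event 1119, copied from the reference above.
CRITICAL_FAILURE_ADVICE = {
    "Remove": "Update the definitions then verify that the removal was successful.",
    "Clean": "Update the definitions then verify that the remediation was successful.",
    "Quarantine": "Update the definitions and verify that the user has permission "
                  "to access the necessary resources.",
    "Allow": "Verify that the user has permission to access the necessary resources.",
}

# Constructed sample records. The time/id/fields layout is an assumed export
# format for this example, not a Windows Defender schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 3002, "fields": {"Feature": "Behavior monitoring"}},
    {"time": "2024-05-01T09:00:20", "id": 3007, "fields": {"Feature": "Behavior monitoring"}},
    {"time": "2024-05-01T10:15:00", "id": 5007,
     "fields": {"Old value": "<Old value number>", "New value": "<New value number>"}},
    {"time": "2024-05-01T10:15:05", "id": 5001, "fields": {}},
    {"time": "2024-05-01T10:16:00", "id": 1116, "fields": {"Name": "<Threat name>"}},
    {"time": "2024-05-01T10:16:02", "id": 1119,
     "fields": {"Name": "<Threat name>", "Action": "Quarantine", "Error Code": "<Error code>"}},
    {"time": "2024-05-01T11:00:00", "id": 3002, "fields": {"Feature": "On Access"}},
]


def triage(events):
    """Return findings as (time, event_id, severity, message), oldest first.

    Severity labels are this example's own assumption, not part of the log.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    findings = []
    unrecovered = {}    # feature -> time of a 3002 with no later 3007
    disabled_at = None  # time of a 5001 with no later 5000

    for ev in ordered:
        eid, when, fields = ev["id"], ev["time"], ev.get("fields", {})
        if eid == 1119:
            action = fields.get("Action", "unknown")
            advice = CRITICAL_FAILURE_ADVICE.get(action, "Review the error description.")
            findings.append((when, eid, "high",
                             f"critical failure during {action}: {advice}"))
        elif eid == 1118:
            findings.append((when, eid, "low",
                             "non-critical failure while acting on a threat"))
        elif eid == 3002:
            unrecovered[fields.get("Feature", "unknown")] = when
        elif eid == 3007:
            feature = fields.get("Feature", "unknown")
            unrecovered.pop(feature, None)  # the earlier failure was temporary
            findings.append((when, eid, "medium",
                             f"{feature} restarted; run a full system scan"))
        elif eid == 5001:
            disabled_at = when
        elif eid == 5000:
            disabled_at = None
        elif eid == 5007:
            old, new = fields.get("Old value"), fields.get("New value")
            findings.append((when, eid, "medium",
                             f"configuration changed from {old!r} to {new!r}; "
                             "review if unexpected"))

    # Anything still open at the end of the log was never resolved.
    for feature, when in unrecovered.items():
        findings.append((when, 3002, "high",
                         f"{feature} failed with no later 3007; restart, then run a full scan"))
    if disabled_at is not None:
        findings.append((disabled_at, 5001, "high",
                         "real-time protection disabled and not re-enabled"))

    findings.sort(key=lambda f: datetime.fromisoformat(f[0]))
    return findings


if __name__ == "__main__":
    for when, eid, severity, message in triage(SAMPLE_EVENTS):
        print(f"{when}  {eid}  {severity:<6}  {message}")
```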

Event ID: 5008

Symbolic name:

MALWAREPROTECTION_ENGINE_FAILURE

Message:

The antimalware engine encountered an error and failed.

Description:

Windows Defender engine has been terminated due to an unexpected error.

Failure Type: <Failure type>, for example: Crash or Hang
Exception Code: <Error code>
Resource: <Resource>

User action:

To troubleshoot this event:

  1. Try to restart the service.
    • For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then type net start msmpsvc to restart the antimalware engine.
    • For the Network Inspection System, at an elevated command prompt, type net stop nissrv, and then type net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file.
  2. If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering the error number in the Search box, and contact Microsoft Technical Support.

User action:

The Windows Defender client engine stopped due to an unexpected error.

To troubleshoot this event:

  1. Run the scan again.
  2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
  3. Contact Microsoft Technical Support.

Event ID: 5009

Symbolic name:

MALWAREPROTECTION_ANTISPYWARE_ENABLED

Message:

Scanning for malware and other potentially unwanted software is enabled.

Description:

Windows Defender scanning for malware and other potentially unwanted software has been enabled.

Event ID: 5010

Symbolic name:

MALWAREPROTECTION_ANTISPYWARE_DISABLED

Message:

Scanning for malware and other potentially unwanted software is disabled.

Description:

Windows Defender scanning for malware and other potentially unwanted software is disabled.

Event ID: 5011

Symbolic name:

MALWAREPROTECTION_ANTIVIRUS_ENABLED

Message:

Scanning for viruses is enabled.

Description:

Windows Defender scanning for viruses has been enabled.

Event ID: 5012

Symbolic name:

MALWAREPROTECTION_ANTIVIRUS_DISABLED

Message:

Scanning for viruses is disabled.

Description:

Windows Defender scanning for viruses is disabled.

Event ID: 5100

Symbolic name:

MALWAREPROTECTION_EXPIRATION_WARNING_STATE

Message:

The antimalware platform will expire soon.

Description:

Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.

Expiration Reason: The reason Windows Defender will expire.
Expiration Date: The date Windows Defender will expire.

Event ID: 5101

Symbolic name:

MALWAREPROTECTION_DISABLED_EXPIRED_STATE

Message:

The antimalware platform is expired.

Description:

Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.

Expiration Reason:
Expiration Date:
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.

## Windows Defender client error codes
If Windows Defender experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
This section provides the following information about Windows Defender client errors:

  • The error code
  • The possible reason for the error
  • Advice on what to do now

Use the information in these tables to help troubleshoot Windows Defender error codes.

External error codes
Error code Message displayed Possible reason for error What to do now

0x80508007

ERR_MP_NO_MEMORY

This error indicates that you might have run out of memory.

  1. Check the available memory on your device.
  2. Close any unused applications that are running to free up memory on your device.
  3. Restart the device and run the scan again.

0x8050800C

ERR_MP_BAD_INPUT_DATA

This error indicates that there might be a problem with your security product.

  1. Update the definitions. Either:
    1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

      Or,

    2. Download the latest definitions from the Microsoft Malware Protection Center.

      Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

  2. Run a full scan.
  3. Restart the device and try again.

0x80508020

ERR_MP_BAD_CONFIGURATION

This error indicates that there might be an engine configuration error; commonly, this is related to input
data that does not allow the engine to function properly.

0x805080211

ERR_MP_QUARANTINE_FAILED

This error indicates that Windows Defender failed to quarantine a threat.

0x80508022

ERR_MP_REBOOT_REQUIRED

This error indicates that a reboot is required to complete threat removal.

0x80508023

ERR_MP_THREAT_NOT_FOUND

This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device.

Run the Microsoft Safety Scanner then update your security software and try again.

ERR_MP_FULL_SCAN_REQUIRED

This error indicates that a full system scan might be required.

Run a full system scan.

0x80508024

0x80508025

ERR_MP_MANUAL_STEPS_REQUIRED

This error indicates that manual steps are required to complete threat removal.

Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history.

0x80508026

ERR_MP_REMOVE_NOT_SUPPORTED

This error indicates that removal inside the container type might not be supported.

Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.

0x80508027

ERR_MP_REMOVE_LOW_MEDIUM_DISABLED

This error indicates that removal of low and medium threats might be disabled.

Check the detected threats and resolve them as required.

0x80508029

ERROR_MP_RESCAN_REQUIRED

This error indicates a rescan of the threat is required.

Run a full system scan.

0x80508030

ERROR_MP_CALLISTO_REQUIRED

This error indicates that an offline scan is required.

Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline article.

0x80508031

ERROR_MP_PLATFORM_OUTDATED

This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform.

You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.

Internal error codes
Error code | Message displayed | Possible reason for error | What to do now

0x80501004

ERROR_MP_NO_INTERNET_CONN

Check your Internet connection, then run the scan again.

Check your Internet connection, then run the scan again.

0x80501000

ERROR_MP_UI_CONSOLIDATION_BASE

This is an internal error. The cause is not clearly defined.

  1. Update the definitions. Either:
    1. Click the Update definitions button on the Update tab in Windows Defender.

      Or,

    2. Download the latest definitions from the Microsoft Malware Protection Center.

      Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

  2. Run a full scan.
  3. Restart the device and try again.

0x80501001

ERROR_MP_ACTIONS_FAILED

0x80501002

ERROR_MP_NOENGINE

0x80501003

ERROR_MP_ACTIVE_THREATS

0x805011011

MP_ERROR_CODE_LUA_CANCELLED

0x80501101

ERROR_LUA_CANCELLATION

0x80501102

MP_ERROR_CODE_ALREADY_SHUTDOWN

0x80501103

MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING

0x80501104

MP_ERROR_CODE_CANCELLED

0x80501105

MP_ERROR_CODE_NO_TARGETOS

0x80501106

MP_ERROR_CODE_BAD_REGEXP

0x80501107

MP_ERROR_TEST_INDUCED_ERROR

0x80501108

MP_ERROR_SIG_BACKUP_DISABLED

0x80508001

ERR_MP_BAD_INIT_MODULES

0x80508002

ERR_MP_BAD_DATABASE

0x80508004

ERR_MP_BAD_UFS

0x8050800C

ERR_MP_BAD_INPUT_DATA

0x8050800D

ERR_MP_BAD_GLOBAL_STORAGE

0x8050800E

ERR_MP_OBSOLETE

0x8050800F

ERR_MP_NOT_SUPPORTED

0x8050800F
0x80508010

ERR_MP_NO_MORE_ITEMS

0x80508011

ERR_MP_DUPLICATE_SCANID

0x80508012

ERR_MP_BAD_SCANID

0x80508013

ERR_MP_BAD_USERDB_VERSION

0x80508014

ERR_MP_RESTORE_FAILED

0x80508016

ERR_MP_BAD_ACTION

0x80508019

ERR_MP_NOT_FOUND

0x80509001

ERR_RELO_BAD_EHANDLE

0x80509003

ERR_RELO_KERNEL_NOT_LOADED

0x8050A001

ERR_MP_BADDB_OPEN

0x8050A002

ERR_MP_BADDB_HEADER

0x8050A003

ERR_MP_BADDB_OLDENGINE

0x8050A004

ERR_MP_BADDB_CONTENT

0x8050A005

ERR_MP_BADDB_NOTSIGNED

0x8050801

ERR_MP_REMOVE_FAILED

This is an internal error. It might be triggered when malware removal is not successful.

0x80508018

ERR_MP_SCAN_ABORTED

This is an internal error. It might be triggered when a scan fails to complete.
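The "update the definitions, run a full scan, try again" steps listed above for 0x8050800C and 0x80501000 can be scripted, and the codes in these tables can then be read back from the Defender event history. The following is an added example, not part of the original article or of Microsoft's documentation; it assumes the Defender PowerShell module, an elevated prompt, and that event messages carry the code in 0x... form. `Get-DefenderErrorCode` and `$KnownCodes` are hypothetical names.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.
# Subset of the codes listed on this page, copied exactly as the page gives them.
$KnownCodes = @{
    '0x80508007' = 'ERR_MP_NO_MEMORY'
    '0x8050800C' = 'ERR_MP_BAD_INPUT_DATA'
    '0x80508014' = 'ERR_MP_RESTORE_FAILED'
    '0x80508020' = 'ERR_MP_BAD_CONFIGURATION'
    '0x80508022' = 'ERR_MP_REBOOT_REQUIRED'
    '0x80508023' = 'ERR_MP_THREAT_NOT_FOUND'
    '0x80508026' = 'ERR_MP_REMOVE_NOT_SUPPORTED'
    '0x80501000' = 'ERROR_MP_UI_CONSOLIDATION_BASE'
}

function Get-DefenderErrorCode {
    # Hypothetical helper: list error codes found in Defender events since $Since.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Level     = 2, 3      # 2 = Error, 3 = Warning
        StartTime = $Since
    }
    # Get-WinEvent raises an error when nothing matches, so silence that case.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the rendered message contains the code as 0x805xxxxx.
            foreach ($m in [regex]::Matches($_.Message, '0x805[0-9A-Fa-f]{5}\b')) {
                $code = '0x' + $m.Value.Substring(2).ToUpper()
                $name = '(not in the subset above)'
                if ($KnownCodes.ContainsKey($code)) { $name = $KnownCodes[$code] }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Code    = $code
                    Name    = $name
                }
            }
        }
}

# Step 1: update the definitions and confirm that the version changed.
$before = (Get-MpComputerStatus).AntivirusSignatureVersion
Update-MpSignature
$after = (Get-MpComputerStatus).AntivirusSignatureVersion
"Definitions: $before -> $after"

# Step 2: run a full scan (blocks until the scan finishes), then list the
# codes logged since it started. Step 3, the restart, is left to the operator.
$started = Get-Date
Start-MpScan -ScanType FullScan
Get-DefenderErrorCode -Since $started | Sort-Object Time | Format-Table -AutoSize
```

An empty table after the scan means no error or warning events with a matching code were logged in that window.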

Related topics

  • Configure Windows Defender in Windows 10
  • Update and manage Windows Defender in Windows 10