Error with Windows Update

coolingwater

Hello, I hope you can help me.

I am experiencing an error with Windows Update, particularly with "Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.401.1431.0) - Current Channel (Broad)" giving an Install error - 0x80070643, where it's been failing to install for the past month. As a result, though I'm not sure if it's related, I cannot start my Windows Security virus and threat protection.

I was asked to post here by Maurice Naggar over at the Malwarebytes forum, who has been very helpful but unable to find a solution to this tricky issue. Below is the link to the thread: Error with Windows Update

Attached are the logs as requested at the "windows update forum posting instruction" thread.

I hope you can help me with this annoying issue that's been plaguing me for a while now. I appreciate any help and your time for reading this.

Thank you.
 


Hi and Welcome to Sysnative,

I've just read your thread at the Malwarebytes forums; the main issue has to do with updating Windows Defender. So please follow the instructions below.

Step#1 - Capture Process Monitor Trace
1. Download and run Process Monitor. Leave this running while you perform the next steps.
2. Try updating the system just like you have in the past.
3. Stop Process Monitor as soon as it fails. You can simply do this by clicking the square (CTRL+E) on the toolbar as shown below.



4. Select the File menu...Save... and save the file to your desktop. This is likely the default location. The name (unless changed) will be LogFile.PML. This is fine.
5. Zip up the LogFile.PML and upload it to WeTransfer and provide the link.

Please also provide the latest CBS logs.

Upload a copy of the CBS folder
  • Open Windows Explorer and browse to the C:\Windows\Logs folder.
  • Right-click on the CBS folder and choose Send to > Compressed (zipped) folder.
  • Now the message will appear, "Windows cannot create the Compressed (zipped) Folder here. Do you want it to be placed on the desktop instead?"
  • Click on the Yes button here.

  • Attach the file CBS.zip to your next reply.
 
Hi Maxstar, thank you for your kind assistance. Here is the log as requested.

Sorry, I added the wrong file, I will reupload

Logfile.zip
 

Please attempt to update again with Process Monitor running, but let ProcMon run a bit longer, for a minute or 2...

Attach this trace *.PML file and the latest CBS logs as well.
 
It seems the trace is stopped too early, so please try to update again and let Process Monitor run for 5/10 minutes! I want to capture something like this.

Code:
11:23:36.7782563 AM    wmiprvse.exe    6104    RegQueryValue    HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation    BUFFER OVERFLOW    Length: 144
11:23:36.7782669 AM    wmiprvse.exe    6104    RegQueryValue    HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation    SUCCESS    Type: REG_SZ, Length: 134, Data: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\
11:23:36.7815546 AM    wmiprvse.exe    6104    CreateFile    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\msmplics.dll    PATH NOT FOUND    Desired Access: Read Attributes, Disposition: Open, Options: Open For Backup, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: S-1-5-21-66341371-841568390-1681478816-11153
11:23:36.7817212 AM    wmiprvse.exe    6104    CreateFile    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\msmplics.dll.DLL    PATH NOT FOUND    Desired Access: Read Attributes, Disposition: Open, Options: Open For Backup, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: S-1-5-21-66341371-841568390-1681478816-11153

So please provide a new trace LOG (*.PML-file) after attempting to update and wait for 5/10 minutes and then stop the trace and post the log file.
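
The pattern requested in the post above, as an added example that is not part of the original thread: a Python script that reads Process Monitor rows in the column layout quoted there, takes the directory from the `InstallLocation` registry value, and lists file opens under that directory that failed. The function names are hypothetical; rows 1-4 come from the quoted trace with the Detail column shortened, and row 5 is constructed.

```python
import re

# Rows 1-4 are from the trace quoted in the post above (Detail column shortened);
# row 5 is constructed to show an access that must not be flagged.
SAMPLE = r"""
11:23:36.7782563 AM    wmiprvse.exe    6104    RegQueryValue    HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation    BUFFER OVERFLOW    Length: 144
11:23:36.7782669 AM    wmiprvse.exe    6104    RegQueryValue    HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation    SUCCESS    Type: REG_SZ, Length: 134, Data: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\
11:23:36.7815546 AM    wmiprvse.exe    6104    CreateFile    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\msmplics.dll    PATH NOT FOUND    Desired Access: Read Attributes
11:23:36.7817212 AM    wmiprvse.exe    6104    CreateFile    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\msmplics.dll.DLL    PATH NOT FOUND    Desired Access: Read Attributes
11:23:36.7820000 AM    wmiprvse.exe    6104    CreateFile    C:\Windows\System32\wbem\wmiutils.dll    SUCCESS    Desired Access: Read Attributes
"""

COLUMNS = ("time", "process", "pid", "operation", "path", "result", "detail")
MISSING = {"PATH NOT FOUND", "NAME NOT FOUND"}
KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation"

def parse_rows(text):
    """Split each row on tabs or runs of 2+ spaces into the seven columns."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\t+|\s{2,}", line.strip(), maxsplit=6)
        if len(parts) == 7:
            rows.append(dict(zip(COLUMNS, parts)))
    return rows

def missing_platform_files(rows):
    """Return (install_location, failed paths) for opens under the registered directory."""
    location = None
    failed = []
    for r in rows:
        # BUFFER OVERFLOW is only the caller probing for the value size; SUCCESS carries the data.
        if r["operation"] == "RegQueryValue" and r["path"] == KEY and r["result"] == "SUCCESS":
            m = re.search(r"Data: (.+)$", r["detail"])
            location = m.group(1).strip() if m else location
        elif (location and r["operation"] == "CreateFile" and r["result"] in MISSING
              and r["path"].lower().startswith(location.lower())):
            failed.append(r["path"])
    return location, failed

if __name__ == "__main__":
    loc, failed = missing_platform_files(parse_rows(SAMPLE))
    print("InstallLocation:", loc)
    for p in failed:
        print("missing:", p)
```

A registered platform directory whose files all return PATH NOT FOUND means the registry points at a Platform version folder that does not exist on disk.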
 
Hi,

In addition to my previous post, please do the following as well to get some more information.

Start the Farbar Recovery Scan Tool again.
  • Download the attachment fixlist.txt and save it to your desktop.
  • Right-click on FRST.exe and select "Run as administrator".
  • Press the Fix button.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally.
  • When finished, a log called Fixlog.txt will appear in the same directory the tool is run from.
  • Post the logfile Fixlog.txt as attachment in your next reply.
 


Rich (BB code):
========= certutil -hashfile "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" SHA256 =========

CertUtil: -hashfile command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.

========= dir /s /a "C:\Program Files\Windows Defender Advanced Threat Protection" =========

 Volume in drive C has no label.
 Volume Serial Number is 3ED4-FCCC

Hi,

Please open Windows Explorer and navigate to: "C:\Program Files\Windows Defender Advanced Threat Protection"

It seems this directory is completely empty or not accessible, please check if you can open this directory or not. Normally you should be able to open it without system privileges.
 
Hi, I can't find a folder called "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe", only a folder called Windows Defender (not sure if it's the same). I was able to enter the Windows Defender folder (as shown in the attached screenshot), but no file called MsSense.exe.
 

Ok, thanks! Currently, I'm setting up a VM with Windows 11 23H2 to see if I can reproduce this issue. In the meantime, could you please run the following commands in an elevated command prompt?
Code:
SFC /Scannow
DISM /online /cleanup-image /RestoreHealth
 
I've already run the command as requested. Also just want to say thanks a bunch for taking the time to help me with this.
 
You're welcome. I suppose en-US is the primary installed language pack, or other languages as well?
 
Ok. Open an elevated command prompt and run the following command. Attach DEF.txt to your next post.
Code:
dir /s /a "%ProgramData%\Microsoft\Windows Defender\Definition Updates" > "%userprofile%\Desktop\DEF.txt"
 
The good news is that I was able to reproduce this issue on my VM, I get the same error 0x80070643 for KB2267602 with a different (signature version: 1.401.1602.0) as posted here.

Now I'll need to find a neat way to fix this issue, so tomorrow I will look into this again and provide a fix.

Example of the same error on my VM:

 
Hi,

Important! Make a full backup (system image) first and then perform the following steps.

Unzip the attachment (Platform.zip) and copy the unzipped folder to your USB-drive or the documents folder on your system drive.

1. Download Ubuntu (22.04.3 LTS) from the following location: Thank you for downloading Ubuntu Desktop | Ubuntu
2. Create the USB-stick with Rufus (portable): https://github.com/pbatard/rufus/releases/download/v4.3/rufus-4.3p.exe
3. Boot from the USB-stick and select in the GNU Grub menu the option: Ubuntu Safe Graphics.
4. When the install screen appears - select your preferred language and click Try Ubuntu.
5. In the left menu click Files and click on + Other locations to open the system drive, this should be /dev/sda2 like the example below.


6. Navigate to the directory: /dev/sda2/ProgramData/Microsoft/Windows Defender/Platform - and copy this directory to your USB-drive (or another location) as backup.
7. Open the Platform directory and delete the folder 4.18.23100.2009-0.
8. Copy the folder 4.18.23100.2009-0 from the unzipped Platform directory and copy it to /dev/sda2/ProgramData/Microsoft/Windows Defender/Platform
9. Reboot the system and attempt to update again and post the result.
 
