Friday, December 19, 2008

Windows Defender: application failed to initialize: 0x80070006

I have been experiencing the following error on Windows Vista64 startup for 7 months:

Application failed to initialize: 0x80070006. The handle is invalid.
Application failed to initialize: 0x80070006. The handle is invalid.

I could live without Windows Defender and SpyNet. But today, I took the time to debug it.

The most obvious thing to do is to query the Microsoft knowledge base. And it worked! Quoting KB935511:
Method 1: Use System Restore to restore Windows Vista
Method 2: Reinstall Windows Vista
Ok ... maybe I'll try something else.

Then I thought that interesting logs might show up in PerfMon, because Windows Defender implements WPP software tracing. I managed to find the right Event Trace Provider (Microsoft-Windows-Windows Defender) and create a Data Collector ... but nothing was logged in the end. So I gave up on this option.

Then I had a look at the C:\Program Files\Windows Defender\MpCmdRun.exe command-line utility.

----------------------------------------------------------------------
Windows Defender Command Line Utility (c) 2006 Microsoft Corporation
Use this tool to automate and troubleshoot Windows Defender

Usage:
mpcmdrun.exe [command] [-options]

Command                        Description
-? [h]                         Displays all available options for this tool
-Scan [-ScanType]              Scans for malicious software
-SignatureUpdate               Checks for new definition updates
-Trace [-Grouping] [-Level]    Starts diagnostic tracing
-GetFiles                      Collects support information
-RemoveDefinitions [-All]      Restores the installed signature definitions
                               to a previous backup copy or to the original
                               default set of signatures
-GetSWE                        Exports information about software installed
                               on your computer
----------------------------------------------------------------------

I tried -GetFiles and went through all the log files it collected, but ... found nothing interesting there either.

Looks like it is time to bring out the IDA Pro debugger ... Fortunately, remote Vista64 debugging is available through the win64_remotex64.exe stub! Of course this is not for the faint of heart :)

Fortunately, the error is pretty easy to figure out once you are in the debugger: 0x80070006 is HRESULT_FROM_WIN32(ERROR_INVALID_HANDLE), and the invalid handle is the one Windows Defender tries to acquire on the WinDefend service ... which fails because this service does not exist!

Why on earth was the WinDefend service removed from my computer? I guess I'll never know. But for the time being, it is enough to export the following registry key from another Vista computer and import it back on the broken one:

HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
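Here is an added PowerShell script to go with that fix (my own, not code from the original post and not a Microsoft tool). It confirms that the service really is missing before importing the key, checks reg.exe's result, and then inspects what the imported definition will launch at boot. The export file name and path are assumptions, as is the requirement that the .reg file came from a trusted Vista machine of the same build and architecture.

```powershell
# Added example, not part of the original post: verify the "WinDefend service is
# missing" diagnosis before importing the registry key, and inspect the result.
# Assumptions (not from the post): the .reg file path below is hypothetical, and
# it was produced on a trusted Vista machine of the same build and architecture with
#   reg.exe export HKLM\SYSTEM\CurrentControlSet\Services\WinDefend WinDefend.reg
# Run from an elevated PowerShell prompt on the broken machine.

$svc    = 'WinDefend'
$psKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"   # PowerShell drive syntax
$export = "$env:TEMP\WinDefend.reg"                        # hypothetical path

# 1. Confirm the symptom. 0x80070006 is HRESULT_FROM_WIN32(ERROR_INVALID_HANDLE):
#    without a Services\WinDefend key the Service Control Manager has no definition
#    of the service, so opening it fails and Defender is left with an invalid handle.
$scm = Get-Service -Name $svc -ErrorAction SilentlyContinue
if ($scm -or (Test-Path $psKey)) {
    Write-Host "WinDefend is still defined (SCM: $([bool]$scm), key: $(Test-Path $psKey))."
    Write-Host "This fix does not apply; the invalid handle comes from somewhere else."
    return
}
Write-Host "Service and registry key are both missing, importing $export"

# 2. Import and check reg.exe's exit code instead of trusting its console output.
if (-not (Test-Path $export)) { throw "export file not found: $export" }
reg.exe import $export
if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE" }
if (-not (Test-Path $psKey)) { throw "import reported success but $psKey is still missing" }

# 3. A Services key decides what runs (and as whom) at boot, so look at what was
#    just imported. The Defender engine lives under the Windows Defender program
#    folder mentioned in the post; an ImagePath pointing anywhere else means the
#    source machine was not as trustworthy as assumed, and the key should go again.
$props = Get-ItemProperty -Path $psKey
Write-Host "ImagePath  : $($props.ImagePath)"
Write-Host "ObjectName : $($props.ObjectName)"   # account the service runs as
if ($props.ImagePath -notmatch 'Windows Defender\\') {
    Remove-Item -Path $psKey -Recurse -Force
    throw "unexpected ImagePath in imported key, removed it: $($props.ImagePath)"
}

# 4. The SCM only builds its service database from the Services tree at boot, so
#    Get-Service / sc.exe will not show WinDefend until the machine is restarted.
Write-Host "Imported. Reboot, then verify with:  sc.exe query $svc"
```

Two practical notes. The reboot is not optional: a service key written straight into the registry is invisible to sc.exe and Get-Service until the Service Control Manager re-reads the Services tree at startup, so a "service does not exist" result right after the import is expected. And because the key's ImagePath and ObjectName define a process that starts as a privileged service on every boot, the machine you export it from needs to be one you trust at least as much as the one you are repairing.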

Case solved !