asked on MS Defender creating MsWppTracing files and hanging OS every 5 minutes.
We have machines running a separate antivirus solution; therefore, it disables Microsoft Defender Antivirus. I have this same standard configuration across thousands of PCs at many clients.
ONE client is showing an issue where end users that are seeing a cessation of work every 5 minutes for about 5-10 seconds. They cannot do anything and must wait for the OS to give up control again. It began happening to mostly systems that have magnetic HDD drives, and that have recently been upgraded to 21H2. We have found this to be due to MsMpEng.exe (Microsoft Defender Antivirus) trying to start, then giving up, assuming because it finds it is not the AV in control. We have verified that the AV we install is running, and that Microsoft Defender Antivirus is not running, and we have even disabled the option offered to do "periodic scans" by Defender. The other symptom is that MsMpEng.exe writes logs every 5 minutes after this pause in the OS has happened, this is how we know it is Defender. The files are in C:\ProgramData\Microsoft\Windows Defender\Support and called "MpWppTracing-blahblahblah.bin". A google search on this symptom anytime in the last year has very few hits.
Anyone see this, and how do we stop it?
* microsoft defenderWindows 10* 21H2
Last Comment
Michael Jackson
ASKER
Thank you for your response. I've seen a document that has those suggestions and looked into them already.
Here's issue 1, Defender is not "running", so the ability/option to add Exclusions to it do not exist. It is not the product chosen to run as primary..
Here's issue 2, the ability to change the services to "Disabled" cannot be done as I assume a "Self Protect" mechanism is in place to prevent them from being tampered with.
I did NOT exclude the folders/files in my AV product, but will give it a try.
Here's issue 1, Defender is not "running", so the ability/option to add Exclusions to it do not exist. It is not the product chosen to run as primary..
Here's issue 2, the ability to change the services to "Disabled" cannot be done as I assume a "Self Protect" mechanism is in place to prevent them from being tampered with.
I did NOT exclude the folders/files in my AV product, but will give it a try.
if you can't disable the service set it to manual
ASKER
They are already manual.
it looks like your AV of choice hasn't used the proper hooks to disable defender. Obviously there is a conflict somewhere
does it do a scan every 5 minutes?
Some sysinternal tools that might be helpful
resmon
procmon
does it do a scan every 5 minutes?
Some sysinternal tools that might be helpful
resmon
procmon
ASKER
Let me restate that. The services are indeed set to Manual. When this issue happens, it is at the exact time that the OS seems to try to start the AV service. You see it go into "Starting". Then at the end of the 5-10 second ordeal, it never starts, and is back to not running. This is when the files I mentioned get written.
So why is the service trying to start when the product is supposed to be disabled? How do I stop the OS from trying to start it?
So why is the service trying to start when the product is supposed to be disabled? How do I stop the OS from trying to start it?
ASKER
Everything looks correct in Security Control Panel. My AV is set as the one in control, Defender is disabled, and Defender periodic scans are disabled.
I CAN turn on Defender to do periodic scans, and it will!
We've also removed my AV, saw that Defender came back to life, and yes the problem goes away. But not because my AV is off the system but because MsMpEng.exe can now start and run.
Reinstalling my AV and we go right back to the same issue. I know you would assume MY AV doing this, but why only ONE site out of 40 sites, where I have thousands of PCs I manage; this is happening to about 15 at this one site. Only 21H2 systems. Only those with Magnetic HDD.
We've scrutinized onsite GPO, any third-party software they run that other clients don't. The closest we get to this is AutoDesk which is deployed on nearly all PCs at this site. As much as I'd love to blame on AutoDesk, I cannot. I have other clients running various AutoDesk products.
I CAN turn on Defender to do periodic scans, and it will!
We've also removed my AV, saw that Defender came back to life, and yes the problem goes away. But not because my AV is off the system but because MsMpEng.exe can now start and run.
Reinstalling my AV and we go right back to the same issue. I know you would assume MY AV doing this, but why only ONE site out of 40 sites, where I have thousands of PCs I manage; this is happening to about 15 at this one site. Only 21H2 systems. Only those with Magnetic HDD.
We've scrutinized onsite GPO, any third-party software they run that other clients don't. The closest we get to this is AutoDesk which is deployed on nearly all PCs at this site. As much as I'd love to blame on AutoDesk, I cannot. I have other clients running various AutoDesk products.
ASKER
I've now done some snooping with those tools, Procmon just shows MsMpMng.exe running for 5-10 seconds and consuming CPU and drive access. Then MsMpEng.exe suspends and goes away.
have you disabled tamper protection?
another route is group policy
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
enable Turn off Microsoft Defender AntiVirus
another route is group policy
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
enable Turn off Microsoft Defender AntiVirus
Take one of the problematic machines. Erase the drive. Clone the drive from a system that doesn't have this problem ("system U") onto the problem machine ("system A").
If the problem goes away, well and good. Solution found. Clone the problem machines (systems B, C, D, E, ...) from the System U drive. You can then chase the reason for the problem at your leisure if your manager finds it important enough to do so.
If the problem does not go away, then there may indeed be a hardware issue. I'd start by looking in the BIOS configuration for differences between the working system and the afflicted systems.
If the problem goes away, well and good. Solution found. Clone the problem machines (systems B, C, D, E, ...) from the System U drive. You can then chase the reason for the problem at your leisure if your manager finds it important enough to do so.
If the problem does not go away, then there may indeed be a hardware issue. I'd start by looking in the BIOS configuration for differences between the working system and the afflicted systems.
ASKER
David Johnson, I have already covered things like the Group Policys and Security Policies. The GPO is set to "enable" the "turning off" of the Defender. Defender does and has always reported from the get-go that it is off.
I should just state that I have already seen these suggestions in various forums which I have already considered. I would not clog up a site like this with questions where I can find the standard/basic answers to on any other google search. In general, if I am posting in Experts-Exchange, I am looking for the undocumented, elusive, "not found anywhere else" answers, the answer that one person somewhere on the planet has found is the true answer to this problem.
I should just state that I have already seen these suggestions in various forums which I have already considered. I would not clog up a site like this with questions where I can find the standard/basic answers to on any other google search. In general, if I am posting in Experts-Exchange, I am looking for the undocumented, elusive, "not found anywhere else" answers, the answer that one person somewhere on the planet has found is the true answer to this problem.
ASKER
Dr Klahn, the client will not be re-imaging these machines. There are too many with the issue. And they will scoff and look cross-eyed at me if I were to suggest it.
I believe this to be a configuration/software compatibility issue and not a hardware issue. It is happening to many different models of mostly Dell laptops or desktops (a few others exist too, there is at least one HP and Lenovo system exhibiting the issue). And again ... ONLY one of my 50 sites has 15 systems doing this. ONLY systems on 21H2. ONLY systems that have HDD drives.
I believe this to be a configuration/software compatibility issue and not a hardware issue. It is happening to many different models of mostly Dell laptops or desktops (a few others exist too, there is at least one HP and Lenovo system exhibiting the issue). And again ... ONLY one of my 50 sites has 15 systems doing this. ONLY systems on 21H2. ONLY systems that have HDD drives.
ASKER
Maybe I need to be asking the smaller question:
Since this pause happens when "something" that I have assumed to be MsMpEng.EXE is creating the files below, here's the simple question. What are these? What is their purpose?. A google search on the filename syntax arrives at very few hits on google (telling me this is a rare bird).
I do not see any trace of this behavior on other machines that are not having the issue. It is related, but I do not know how. Perhaps if we concentrate on why these files are being created, I'll find out how, and what is doing it.
C:\ProgramData\Microsoft\Windows Defender\Support\
MpWppTracing-20211204-182113-00000003-ffffffff.bin
164 kB
06:29:51 pm 04-Dec-21
MpWppTracing-20211204-183028-00000003-ffffffff.bin
221 kB
06:38:51 pm 04-Dec-21
MpWppTracing-20211204-194330-00000003-ffffffff.bin
25 kB
07:43:30 pm 04-Dec-21
MpWppTracing-20211204-194830-00000003-ffffffff.bin
16 kB
07:48:30 pm 04-Dec-21
MpWppTracing-20211204-195329-00000003-ffffffff.bin
16 kB
07:53:29 pm 04-Dec-21
Since this pause happens when "something" that I have assumed to be MsMpEng.EXE is creating the files below, here's the simple question. What are these? What is their purpose?. A google search on the filename syntax arrives at very few hits on google (telling me this is a rare bird).
I do not see any trace of this behavior on other machines that are not having the issue. It is related, but I do not know how. Perhaps if we concentrate on why these files are being created, I'll find out how, and what is doing it.
C:\ProgramData\Microsoft\Windows Defender\Support\
MpWppTracing-20211204-182113-00000003-ffffffff.bin
164 kB
06:29:51 pm 04-Dec-21
MpWppTracing-20211204-183028-00000003-ffffffff.bin
221 kB
06:38:51 pm 04-Dec-21
MpWppTracing-20211204-194330-00000003-ffffffff.bin
25 kB
07:43:30 pm 04-Dec-21
MpWppTracing-20211204-194830-00000003-ffffffff.bin
16 kB
07:48:30 pm 04-Dec-21
MpWppTracing-20211204-195329-00000003-ffffffff.bin
16 kB
07:53:29 pm 04-Dec-21
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Exclude files and folders:
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\ProgramData\Microsoft\M
Exclude processes:
MsMpEng.exe
exclude these in your AV as well.
as for the every 5 minutes check task scheduler
in services disable Windows Defender Advanced Threat Protection service helps protect against advanced threats by monitoring and reporting security events that happen on the computer. and