Windows Security Center Service unable to load instances of AntiVirusProduct from datastore.


Zardoc

3 hours ago, Pete12 said:

After these modifications, still got errors; id=16 (SECURITY_PRODUCT_STATE_ON.) and id=18 (not possible to load Firewall-product from datastore)

Worked for me. After deleting the reg keys @Marcos specified and performing a system restart, new Win Event log Security Center errors are not generated.

I also checked WSC and everything is as it should be; Eset registered as active AV and firewall.

Edited by itman

Followed your solution, still no luck!

Strange: in the AV-key, three keys noticed, two from ESET (did not notice a difference between them) and the other from Windows Defender.

In the Fw-key, two keys noticed, both from ESET (again, no difference between them).

So, looks like a few keys too many, what to do...?

Removed a Fw-key (after copy) ...


Why (??) so many keys in AV and Fw, only ESET is anti-virus/firewall...

Which one should I keep...??


20 minutes ago, Pete12 said:

Why (??) so many keys in AV and Fw, only ESET is anti-virus/firewall...

After running the recommended reg key deletions, the only keys remaining on my Win 10 (x64) Pro 22H2 build are those shown in the screenshot below. The only key related to Microsoft Defender is the one highlighted. The other two keys are for Eset:

[Screenshot: Eset_WSC.png]

Edited by itman

Just now, Pete12 said:

[Screenshot: keysinAVandFw.png]

These keys are in the AV and Fw, while only ESET and Windows Firewall are present on my Win11 (latest version).

Which one to remove/keep??

Copied them all, so restoring is no problem.

After updating from 16 to latest 17, and following your tips, got id=16 and 18 and 19 in the event logs still...


  • Administrators
10 hours ago, Pete12 said:

After updating from 16 to latest 17, and following your tips, got id=16 and 18 and 19 in the event logs still...

Obviously HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Fw\{E7B06BEE-DEA6-20D2-58F2-0EB69C7B826D} and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{DF8BEACB-94C9-218A-73AD-A78362A8C516} keys are still there. They must be removed and the machine rebooted.

Those will be removed automatically during a product upgrade in the future. The name of the value is based on the hash of the certificate used to sign the binary so after a certificate change after the original one expired the redundant key caused the above mentioned errors to be logged.

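One way to see which Provider keys are present, and to back them up before removing the two named above, as an added example that is not part of the original thread or any ESET tooling. It only reads and exports; the backup folder name and the `SecurityCenter` event provider name are assumptions.

```powershell
# Added example (not from the thread): read-only audit plus backup. Run elevated.
$base = 'HKLM:\SOFTWARE\Microsoft\Security Center\Provider'

# The two redundant keys named in the thread (left over from the older ekrn signature).
$stale = @{
    Av = '{DF8BEACB-94C9-218A-73AD-A78362A8C516}'
    Fw = '{E7B06BEE-DEA6-20D2-58F2-0EB69C7B826D}'
}

# Assumed backup location; change as needed.
$backupDir = Join-Path $env:USERPROFILE 'wsc-provider-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$report = foreach ($kind in 'Av', 'Fw') {
    $branch = Join-Path $base $kind
    if (-not (Test-Path -LiteralPath $branch)) { continue }

    # Export the whole branch to a .reg file before anything is deleted by hand.
    $regPath = "HKLM\SOFTWARE\Microsoft\Security Center\Provider\$kind"
    & reg.exe export $regPath (Join-Path $backupDir "$kind.reg") /y | Out-Null

    foreach ($sub in Get-ChildItem -LiteralPath $branch -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Branch = $kind
            Key    = $sub.PSChildName
            # The owner shows why a plain delete is refused until ownership is taken.
            Owner  = $acl.Owner
            Status = if ($sub.PSChildName -eq $stale[$kind]) {
                         'listed for removal in thread'
                     } else {
                         'not listed'
                     }
        }
    }
}
$report | Format-Table -AutoSize

# Event IDs 16, 18 and 19 are the ones reported in the thread. The provider
# name 'SecurityCenter' in the Application log is an assumption.
$filter = @{ LogName = 'Application'; ProviderName = 'SecurityCenter'; Id = 16, 18, 19 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Running it again after the deletion and a reboot shows whether the listed keys are gone and whether new events are still being logged.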

Well, tried several times by following your instructions, though the eventview-errors still come back after each reboot.

Had to roll back, several times, to the ESET16-version (with no errors at all!)

My machine is not getting better, thinking of waiting for a real working solution, until the support of the 16-version ends...

Anyway, thanks for your help, and if you have other (better) solution(s), then, please, let us know...


  • Administrators

The error is not reported with v16 because it's an older version signed with the previous Entrust certificate and having only one entry in the above Provider registry keys for the AV and FW. Unlike the older versions, v17 is signed using an ACS certificate (the Entrust cert. expired last year in December) and therefore WSC created a new key under the Provider key. Since the original key related to ekrn signed by the expired Entrust certificate was not removed (it's undocumented by MS as far as I understood), WSC started reporting the errors. If v17 was installed on a vanilla system where v16 or older was never installed, the errors are not logged. Therefore the solution is to remove the redundant Provider keys related to the previous versions of ekrn.


So, HOW(?) many keys should we have after update to 17 (2 in AV, 1 in Fw?)

Which one to remove, after installing 17?

Is there another way of not showing id=16 in eventviewer ("Sec.center could not load database, etc")?


Ok, 26E0861C (AV) and 1EDB0739 (Fw) will be present after the update to 17, and the other keys will be removed (or can I remove them myself?), after the update...??

And this will be the fix for id=16, 18, 19?


3 minutes ago, Pete12 said:

Ok, 26E0861C (AV) and 1EDB0739 (Fw) will be present after the update to 17, and the other keys will be removed (or can I remove them myself?), after the update...??

And this will be the fix for id=16, 18, 19?

Should I take ownership before or after the update, and should I remove the keys before/after the update (and reboot)??


4 hours ago, Marcos said:

The strikethrough keys should be removed:

[Screenshot: image.png]

Marcos, thank you very much, removing the wrong keys is the solution in my Win11!! 😃

Did not see any eventlog-errors anymore (after some reboots also OK!)

My ESET 17.0.16 works fine, no errors anymore!!!

Very good, while you should update your protection always!!

Again, thanks a lot, buy you a beer in Holland...🙋‍♂️


On 2/16/2024 at 10:35 AM, Marcos said:

You can install v17 and then:

  1. Take ownership of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Fw\{E7B06BEE-DEA6-20D2-58F2-0EB69C7B826D}
  2. Grant full control to you
  3. Delete the key
  4. Take ownership of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{DF8BEACB-94C9-218A-73AD-A78362A8C516}
  5. Grant full control to you
  6. Delete the key

Please modify the registry with care since deleting incorrect keys or values may render the machine unbootable or cause other issues. Create a restore point first.

Hello Marcos,

How do you take ownership of the key and grant full control?

 

 


On 2/17/2024 at 5:00 PM, Pete12 said:

Marcos, thank you very much, removing the wrong keys is the solution in my Win11!! 😃

Did not see any eventlog-errors anymore (after some reboots also OK!) This problem is solved, for me!!

My ESET 17.0.16 works fine, no errors anymore!!!

Very good, while you should update your protection always!!

Again, thanks a lot, buy you a beer in Holland...🙋‍♂️

 


  • 3 weeks later...
  • 3 weeks later...
  • Administrators

Please remove:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{DF8BEACB-94C9-218A-73AD-A78362A8C516}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Fw\{E7B06BEE-DEA6-20D2-58F2-0EB69C7B826D}

  • Administrators
7 hours ago, Zardoc said:

There is a new version 17.1.9.0. Is there a download link plz?

It has not been released yet but it's available on the pre-release update channel already.


4 hours ago, Marcos said:

It has not been released yet but it's available on the pre-release update channel already.

Thanks Marcos. Don't have a link by any chance?


Hi!

I updated today to 17.1.9.0, but the error code still appears in the event log.


This topic is now closed to further replies.