MRH and Windows Defender Offline Scan


GWild
Pretty sure it is a Reflect Home issue that the boot partition is modified in a way that Windows Defender can't run normally.  Seems Windows believes the sector is broken and goes directly to the recovery options with no attempt to let Defender run its scan.

Has anyone else encountered this and found a way to make it work?
dbminter
I have not seen this issue myself and I can't recall anyone else posting it on the forums here.  But, I haven't updated to the latest version released today, either.

GWild
To clarify - this is not the basic Defender / MSE operation; this is the OFFLINE scan option that forces a reboot into a safe-like mode to perform a scan of the raw filesystem.
dbminter
Ah, I did fail to see that in the Topic initially.  I've never done that before, so I couldn't say how Reflect/Defender behaves with that.

Dan Danz
@GWild First, to correct a misconception: Reflect does not modify the boot partition. The most it does is to add some additional lines via BCDEDIT to create an entry for the Windows Boot Manager so that it can offer an option to boot into normal Windows or Reflect via a boot menu option. The code that this entry will execute is located in the Rescue Media (RM) staging area WIM (usually c:\boot\Macrium\.... ) which is where RM Builder creates it.
But none of those are involved in running Windows Defender's Offline Scan. To do that, when you invoke Windows Defender Settings -> Offline Scan, it tells Windows to reboot from the Windows Recovery partition, and passes the pathname of the Windows Defender Offline Scan program for the Recovery software to execute after it is up and running.

I'm running Windows 11 23H2 22631.2715 and MR 8.1.7762 --- and I just invoked the offline scan; it took ~8 minutes, and didn't find anything before it rebooted itself. The biggest pain was that I had to look up the BitLocker recovery key and enter it so the scan could work with an unencrypted disk.

I seem to remember from recent earlier posts that you have your recovery partition on a different disk than the OS, so I wonder if you made the same mistake that I did a while back. I had removed an obsolete Recovery Partition between the system partition and a new Recovery Partition. I forgot that this would renumber the partitions, thus causing attempts to invoke the offline scan to fail. The problem was ultimately remedied by updating the recovery information using the REAGENTC command -- in my case changing from partition 5 (now nonexistent) to partition 4 (its new location).

Right now, my system disk has 4 partitions: EFI, MSR, System, and Recovery. The REAGENTC /INFO shows:
C:\Users\lwdan>REAGENTC /INFO
Windows Recovery Environment (Windows RE) and system reset configuration
Information:
  Windows RE status:   Enabled
  Windows RE location:   \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
  Boot Configuration Data (BCD) identifier: e172b973-f0da-11ed-b413-8dda56e918fb
  Recovery image location:
  Recovery image index:  0
  Custom image location:
  Custom image index:   0
REAGENTC.EXE: Operation Successful.

I'm wondering if your information is correct for the layout of your disks.


L.W. (Dan) Danz, Overland Park KS
Reflect v8.1.7847+ on Windows 11 Home 23H2 22631.3085+ | Reflect v8.1.7853+ on Windows 10 Pro 22H2 19045.3996+
Reflect v8.1.7784+ on 2 systems Windows 10 Home 22H2 19045.3803+

GWild
Dan Danz - 23 November 2023 6:24 PM
Defender reboots the machine as expected, but the recovery screen that pops up is odd. Not even a Reflect Recover option on it. Just command prompt, troubleshooting, reset/reinstall the system OS, and another option that escapes me. So in my case the edits to the boot sector or boot control data that Defender does aren't surviving the reboot. But somehow - thankfully - another reboot proceeds normally.

As for physical locations, everything is on the same logical disk (RAID).

I'm thinking I might have set up UEFI to protect the boot info --- I'll need to verify those settings in BIOS.


Dan Danz
GWild - 24 November 2023 9:45 AM
No guessing needed. You didn't answer: what does REAGENTC /INFO show?  What you are seeing is the system trying to boot from the recovery partition (not the EFI partition) and failing.  Where is the recovery PARTITION for the system you are booting? WHAT PHYSICAL DISK AND WHAT PARTITION NUMBER?  Does that agree with REAGENTC /INFO on that same system?



GWild
Reagentc shows recovery pointed to partition 3, the OS partition. There was no partition 4 dedicated to recovery. So I reinstalled a part 4 and marked it for recovery. Moved the wim there and that didn't change anything about how defender offline works. Still simply reboots the machine into recovery mode, sans the Macrium option.
Anyhow, something is broken with how defender is now working. Not too surprised, but really would prefer it worked as expected.  When I get bored I'll remove the Macrium boot option, and see if that makes any difference.

ps: now I'll need to go back and also move the wim back to the OS part and delete the unnecessary recovery part.
Edited 25 November 2023 12:09 AM by GWild
Dan Danz
GWild - 25 November 2023 12:06 AM
Did you use REAGENTC /setreimage (path) to update the path to use partition 4? Hint: do /Info to see the existing full path to partition 3 ... Then set that same path but change the partition number.
If it doesn't work, post your before and after /INFO and I'll try to help.  You're close to solving the problem.


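Added example, not code from this thread, from Macrium or from Microsoft: a PowerShell script that performs the cross-check Dan asks for in his two posts above. It parses REAGENTC /INFO, compares the harddiskN\partitionM it names against Get-Partition, checks that the recoverysequence of the running OS entry in the BCD is the identifier REAGENTC reports, and prints (does not run) the /setreimage repair with the partition number left for you to fill in. Assumptions: an elevated prompt; a disk on which Get-Partition reports the WinRE partition's Type as "Recovery"; and that REAGENTC /setreimage accepts the same GLOBALROOT form of path that /INFO prints (Dan's "same path, different partition number"). If your build rejects that form, assign the recovery partition a drive letter and pass <letter>:\Recovery\WindowsRE instead.

```powershell
# Added example, not code from this thread, from Macrium or from Microsoft.
# Cross-checks what REAGENTC /INFO reports against the partition table and the
# BCD, which is the mismatch Dan describes above: deleting a partition renumbers
# the ones after it, so REAGENTC can keep naming "partitionN" after Winre.wim has
# moved, and the Defender Offline reboot then lands in the generic WinRE menu.
# Run from an elevated PowerShell prompt. Read-only: repair commands are printed,
# not executed.

$ErrorActionPreference = 'Stop'

# --- 1. Parse REAGENTC /INFO ---------------------------------------------
function Get-ReagentcField {
    param([string]$Text, [string]$Name)
    # Lines look like "  Windows RE location:   \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE"
    if ($Text -match "(?m)^\s*$([regex]::Escape($Name)):[ \t]*(.*)$") { return $Matches[1].Trim() }
    return ''
}

$info       = (reagentc /info) -join "`n"
$reStatus   = Get-ReagentcField $info 'Windows RE status'
$reLocation = Get-ReagentcField $info 'Windows RE location'
$reBcdId    = Get-ReagentcField $info 'Boot Configuration Data (BCD) identifier'
Write-Host "REAGENTC: status=$reStatus  location=$reLocation  bcd=$reBcdId"

if ($reStatus -ne 'Enabled') {
    Write-Warning 'WinRE is disabled, so Defender Offline has nothing to boot into. Fix that first (reagentc /enable).'
    return
}
if ($reLocation -match '\\harddisk(\d+)\\partition(\d+)\\(.*)$') {
    $reDisk = [int]$Matches[1]; $rePart = [int]$Matches[2]; $reSubPath = $Matches[3]
} else {
    Write-Warning "Unexpected WinRE location format: $reLocation"
    return
}

# --- 2. Compare with the partition table ----------------------------------
$parts = Get-Partition -DiskNumber $reDisk | Sort-Object PartitionNumber
$parts | Format-Table PartitionNumber, Type, DriveLetter,
    @{ n = 'SizeMB'; e = { [int]($_.Size / 1MB) } } -AutoSize | Out-String | Write-Host

$target = $parts | Where-Object PartitionNumber -eq $rePart
if (-not $target) {
    Write-Warning "Disk $reDisk has no partition $rePart: REAGENTC points at a partition that no longer exists."
} elseif ($target.Type -eq 'Recovery') {
    Write-Host "OK: partition $rePart is a Recovery-type partition, as REAGENTC expects."
} elseif ("$($target.DriveLetter)" -match '^[A-Za-z]$') {
    # WinRE may legitimately sit on the OS volume (C:\Recovery\WindowsRE); check the image is really there.
    $wim = "$($target.DriveLetter):\$reSubPath\Winre.wim"
    if (Test-Path -LiteralPath $wim) { Write-Host "OK: $wim exists on partition $rePart." }
    else { Write-Warning "Partition $rePart is $($target.DriveLetter): but $wim is missing." }
} else {
    Write-Warning "Partition $rePart is type '$($target.Type)' with no drive letter; cannot confirm Winre.wim is there."
}
foreach ($p in ($parts | Where-Object { $_.Type -eq 'Recovery' -and $_.PartitionNumber -ne $rePart })) {
    Write-Host "Note: partition $($p.PartitionNumber) is also Recovery-type ($([int]($p.Size / 1MB)) MB); stale or unused?"
}

# --- 3. Cross-check the BCD: the running OS entry's recoverysequence should
#        be the identifier REAGENTC reported, and that entry should load the
#        WinRE ramdisk. ----------------------------------------------------
$current = (bcdedit /enum '{current}') -join "`n"
$seq = if ($current -match '(?m)^recoverysequence\s+\{([0-9a-fA-F-]+)\}') { $Matches[1] } else { '' }
if ($seq -and $seq -eq $reBcdId) {
    Write-Host "OK: {current} recoverysequence matches REAGENTC's BCD identifier ($seq)."
} else {
    Write-Warning "BCD recoverysequence is '$seq' but REAGENTC reports '$reBcdId'."
}
if ($seq) {
    $entry = (bcdedit /enum "{$seq}") -join "`n"
    if ($entry -match '(?m)^device\s+(.*)$') { Write-Host "WinRE loader device: $($Matches[1].Trim())" }
}

# --- 4. The repair Dan describes, printed rather than run. Assumed from the
#        documented REAGENTC sequence (disable, setreimage, enable); replace N
#        with the partition that actually holds \Recovery\WindowsRE\Winre.wim.
@"
If the checks above disagree, re-point WinRE at the right partition number N:
  reagentc /disable
  reagentc /setreimage /path \\?\GLOBALROOT\device\harddisk$reDisk\partitionN\Recovery\WindowsRE
  reagentc /enable
  reagentc /info
"@ | Write-Host
```

The script deliberately treats "WinRE on the OS partition" as valid rather than as an error: REAGENTC pointing at partition 3 is fine as long as C:\Recovery\WindowsRE\Winre.wim is actually there, which is why it tests for the file when the target has a drive letter instead of insisting on a Recovery-type partition. What it cannot do from user mode is read a letterless recovery partition, so for that case it only reports the partition type and leaves the content check to you.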

GWild
It all appears to be in order  ... can't easily see if the files are indeed on the recovery partition path shown, but Reflect shows the recovery partition is not empty with 600M used, so I have to assume the disable/enable did what it was supposed to do. Again, Reflect works as expected for boot and file recovery. It is only defender offline scan that seems to be broken.

C:\Windows\system32>reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:
  Windows RE status:   Enabled
  Windows RE location:   \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
  Boot Configuration Data (BCD) identifier: e4e7d963-b142-11ed-a1af-80615f0ea138
  Recovery image location:
  Recovery image index:  0
  Custom image location:
  Custom image index:   0
REAGENTC.EXE: Operation Successful.
C:\Windows\system32>


Edited 25 November 2023 12:43 PM by GWild