Tamper Protection disabled - Semi-Fresh Windows 11 Install


Hi there! I fear I may have a virus of some sort.

I recently replaced my storage drive with an NVMe SSD and did a fresh install of Windows 11 Pro - version 22H2/Build 22621.1413. This is a stand-alone home system.

I was reviewing my Windows Defender settings and saw that 'Tamper Protection' was greyed out with the error message "This setting is managed by your administrator" displayed. I did a scan using MalwareBytes, including rootkit scanning, but no threats were found. I did some Google searching and found the registry keys associated with this setting (attached), but I don't see anything out of place.

Is this a virus? How can I enable this setting?

 

 


@Tamper1

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.


Hello @Tamper1 I will guide you. My name is Maurice. Thanks for the support-zip report. Please run this MS tool. Please stay out of Regedit.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe. Be sure you save the file first.
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Launch MSERT.exe
Accept the agreement terms of Microsoft
Select QUICK scan

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).

The log is named MSERT.log

The log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Thank you. The Quick scan ran and a "The scan completed successfully and no viruses, spyware, and other potentially unwanted software were detected" screen appeared. Attached is the log file

msert.log

That report is excellent! I would be curious as to whether this machine had another branded antivirus other than Microsoft Defender antivirus?

Do a custom scan with Microsoft Defender Antivirus.

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on, and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security.

Next, in the Windows Security section: click on the grey button Open Windows Security.

Now, click on the shield Virus and threat protection.

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options. Look down the list and see "Check for Updates".

You should click on that to have the system check for updates for Windows Defender. Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options. Click that & select CUSTOM scan & then pick the C drive & have it go forward.

Once it has started the scan phase, you can go take a long break. Let me know the results.

This Windows installation is only about 2 weeks old. I got rid of all old storage drives after I discovered a virus and purchased a new nvme SSD to use as the only drive in the system. Since installing Windows, I have used MalwareBytes AntiMalware and Windows Defender only.

Interestingly enough, the 'Local Security Authority Protection' section was turned to 'ON' but a message "This change requires you to restart your device" is presented (I did not make any changes).

During the Windows Defender scan, my CPU was pegged at 100% utilization and other apps became laggy on the computer. The result of the scan (0 threat(s) found) is attached as a picture. No items found in the Protection history page either.


Please do what follows below. Keep going down the list.
( 1 )
Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Select View > Show > File name extensions.
( 2 )
Next step is to turn OFF (to DISABLE) the "fast startup" of Windows 11.
See https://www.windowscentral.com/software-apps/windows-11/how-to-enable-or-disable-fast-startup-on-windows-11

When that is done, be sure to do (from the Start menu) one Power >> Shutdown >> Restart.
Having "fast startup" can complicate our efforts to make adjustments.

NOTE: I have seen no indicators that there is an "infection or malware" on this machine.

( 3 )

Please run the following custom script. Read all of this before you start. Please Close all open work.

Farbar program: this is FRSTENGLISH.exe, which is already in Downloads.

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt < - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-click on FRSTENGLISH, select RUN as Administrator, and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights!!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This script will remove a couple of settings that are "windows policy restrictions" that may likely be what triggers the unsettling display message about "managed by your administrator". It will also attempt to have normal preferences set for Microsoft Defender.
The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.
After this has completed, I would suggest to go to Windows Settings >> Windows Security and then look at the entire status screen display.

Tamper Protection is now showing on, but a similar error in yellow text is still present on "Local Security Authority protection". This message persisted even after the reboot and FRST script.

Fixlog.txt

  • Root Admin

Excuse the interruption

Please go ahead and restart the computer again at this point.

Then please gather some new logs

You should already have the tool downloaded, but if not the directions are posted again below. @Tamper1

 

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

 


Please do go ahead and run the support-tool report as per AdvancedSetup so he can review.
It seems to me that you have strayed onto other Windows settings, other than the first original "issue".
Here is why I know that this Microsoft Defender antivirus is in good state. I am going to list a few reported aspects about MS Defender.
AMEngineVersion                  : 1.1.20200.4
AMProductVersion                 : 4.18.2303.8
AMRunningMode                    : Normal
AMServiceEnabled                 : True
AMServiceVersion                 : 4.18.2303.8
AntispywareEnabled               : True
AntispywareSignatureLastUpdated  : 4/12/2023 6:59:44 AM
AntispywareSignatureVersion      : 1.387.808.0
AntivirusEnabled                 : True
AntivirusSignatureLastUpdated    : 4/12/2023 6:59:44 AM
AntivirusSignatureVersion        : 1.387.808.0
BehaviorMonitorEnabled           : True
DefenderSignaturesOutOfDate      : False
IoavProtectionEnabled            : True
IsTamperProtected                : True
NISEnabled                       : True
NISEngineVersion                 : 1.1.20200.4
NISSignatureLastUpdated          : 4/12/2023 6:59:44 AM
NISSignatureVersion              : 1.387.808.0
OnAccessProtectionEnabled        : True
RealTimeProtectionEnabled        : True

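A read-only way to produce the kind of readout listed in the post above and to look for policy settings that can sit behind a "managed by your administrator" message, as an added example that is not part of the original posts. It uses the built-in Get-MpComputerStatus cmdlet; the registry paths are standard Windows locations assumed here, not taken from the thread.

```powershell
# Added example: read-only Defender health check (run in an elevated PowerShell).
# Nothing here changes a setting; it only reports.

# Status fields from the readout above, with the value expected on a healthy system.
$expected = [ordered]@{
    AMRunningMode               = 'Normal'
    AMServiceEnabled            = $true
    AntispywareEnabled          = $true
    AntivirusEnabled            = $true
    BehaviorMonitorEnabled      = $true
    IoavProtectionEnabled       = $true
    IsTamperProtected           = $true
    NISEnabled                  = $true
    OnAccessProtectionEnabled   = $true
    RealTimeProtectionEnabled   = $true
    DefenderSignaturesOutOfDate = $false
}

$status = Get-MpComputerStatus
$report = foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Setting  = $name
        Actual   = $status.$name
        Expected = $expected[$name]
        Ok       = ($status.$name -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

# Policy keys (assumed locations, not from the thread). Values set here are a
# common reason Windows Security shows a setting as managed by an administrator.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
$findings = foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        [pscustomobject]@{
            Key   = $key
            Name  = $valueName
            Value = $item.GetValue($valueName)
        }
    }
}
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Defender policy values set under the checked keys.'
}

# LSA protection as configured in the registry (RunAsPPL); absent means it is
# not configured through this value.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name RunAsPPL -ErrorAction SilentlyContinue
if ($null -ne $lsa) { "LSA RunAsPPL = $($lsa.RunAsPPL)" } else { 'LSA RunAsPPL is not set' }
```

Any row with Ok = False, or any value listed under the policy keys on a stand-alone home system, is the item to raise with the helper before changing anything.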

I followed the steps and generated a new set of logs.

The "Local Security Authority protection" has the same type of error text above it, albeit with a different wording that requests a reboot vs "controlled by your administrator". This error text has persisted through multiple reboots.

mbst-grab-results.zip mbst-grab-results.zip mbst-grab-results2.zip


  • Root Admin
6 hours ago, Tamper1 said:

I recently replaced my storage drive with an NVMe SSD and did a fresh install of Windows 11 Pro - version 22H2/Build 22621.1413. This is a stand-alone home system.

 

The Windows Search service is faulting

Error: (04/12/2023 02:55:54 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Please review the following and try to repair Windows Search

Fix problems in Windows Search
https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/fix-problems-in-windows-search

 

 

The logs also indicate that the system is having issues activating which I'm sure is due to the SSD change and new install.

Do you have a valid Certificate of Authenticity (COA) for Windows and the activation key it comes with?
https://www.microsoft.com/en-us/howtotell/software-packaged

 

Application errors:
==================
Error: (04/12/2023 03:23:21 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x803F7001

Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable


 

 


  • Root Admin

You can review the following for methods to Activate Windows

Please see the following, but do not download anything from the site. Simply read the provided information.

https://www.minitool.com/news/0x803f7001.html

 

Get help with Windows activation errors
https://support.microsoft.com/en-us/windows/get-help-with-windows-activation-errors-09d8fb64-6768-4815-0c30-159fa7d89d85

 

 

 

Edited by AdvancedSetup
Updated information

  • Root Admin

Once the computer is Activated, please see the following ( reminder from @Porthos )


Enable or Disable Local Security Authority (LSA) Protection in Windows 11
https://www.elevenforum.com/t/enable-or-disable-local-security-authority-lsa-protection-in-windows-11.11104/

 

 

 

Thank you! Entering the license/windows activation # from the sticker on the computer tower and following this link appears to have resolved the LSA issue, but the Tamper Protection issue has reappeared. Could it be malware causing this setting to repeatedly disable itself?


Hello, Tamper1. What follows is a report tool to check key applications & their update / version status. Temporarily disable Microsoft SmartScreen to download the next software below.

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot, override that, and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on Securitycheck.exe, select "Run as administrator", and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE SmartScreen protection.


  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
