Cannot turn Windows 11 real time protection back on

Brian_E · 2022-06-21T08:23:34-0400

I don't know how long this problem has been on my Windows 11 computer as I only noticed it this morning after I had uninstalled Kaspersky Security Cloud. I noticed that the Windows Security icon at the bottom of the screen had a little red cross on it, instead of the usual green tick. I've tried several suggestions I've found on various web site, but none has worked so far.

This is waht I have done (the list below is in no particular order):-

Run repairs with tweaking.com utility
Run scannow (from within tweaking.com)
Run DISM.....RestoreHealth
Run Kaspersky Removal Tool

If I try to restart the security, nothing happens. Also, and I can't remember how I got to the relevant page, I noticed that all the security settinsg toggles were turned off, but if I tried to tuen them on, they immediately turned themselves off again. Can anyone help me with this problem please?

Corday · 2022-06-21T08:38:24-0400

In Windows updates, have you been receiving daily Definition Updates?

Brian_E · 2022-06-21T10:14:43-0400

Corday said:
In Windows updates, have you been receiving daily Definition Updates?

I've just checked and yes I have.

Gary R · 2022-06-21T10:15:26-0400

Sounds like Kaspersky may not have been fully uninstalled. If Windows "thinks" you have a 3rd party AV installed then it automatically disables Windows Security to prevent conflicts.

Also some malwares will disable Windows Security.

So let's see if we can find out which it is.
Download FRST64 to your Desktop.

Double click Frst.exe to launch it.
FRST will start to run.
- When the tool opens click Yes to disclaimer.
- Press the Scan button.
- When finished scanning 2 logs will open on your Desktop, FRST.txt and Addition.txt
- Please post them in your next reply.

Next ...

Double click Frst64.exe to launch it.
FRST will start to run.
- When the tool opens click Yes to the disclaimer.
- Copy/Paste or Type the following line into the Search: box.
Searchall: Kaspersky

Click to expand...
- Press the Search Files button.
- When finished searching a log will open on your Desktop ... Search.txt
- Please post it in your next reply.

Brian_E · 2022-06-21T10:29:01-0400

Here's the first two files.

Brian_E · 2022-06-21T10:29:44-0400

Only one uploaded for some reason (the other had a line through the name when I tried to upload it).

Brian_E · 2022-06-21T10:31:28-0400

It still won't let me. Should I copy and past the contents into this message?

Brian_E · 2022-06-21T10:38:17-0400

Here's the results of the Kaspersky search.

Gary R · 2022-06-21T10:45:07-0400

If you can't attach FRST.txt then do the following ...

Right click on it, and select Compress to zip file.

A folder FRST.zip will be created ..... please attach that.

Brian_E · 2022-06-21T10:46:37-0400

OK, here goes...

Gary R · 2022-06-21T10:47:28-0400

Thanks, got them all now.

Seems there's quite a few Kaspersky orphans in the Search.txt, so I'll have to create a script to remove them, which will take a while.

Back as soon as I've finished.

Brian_E · 2022-06-21T10:48:21-0400

Thank you Gary. Much appreciated.

Gary R · 2022-06-21T12:21:44-0400

OK, you've got some restrictions on Windows Security that need removing, so we'll do those first, and see whether that resolves the problem or not.

If it does, then I don't see any point in removing the Kaspersky orphans, if it doesn't, then I've prepared a script for removing the orphans that we can run.

So ....

Start FRST.
Hit your Windows Key + R to open a Run window
Type Notepad then click OK
This will open an empty Notepad document
Copy/Paste the following into it (don't include Code: ) .....

Code:

HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

Save it as fixlist.txt to the same location as FRST (must be in this location)
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
Now press the Fix button once and wait.
FRST will process fixlist.txt
When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
Please post me the log

Now, reboot your computer and see whether Windows Security is now enabled.

Brian_E · 2022-06-21T12:27:01-0400

Here it is. I haven't rebooted my computer yet.

Brian_E · 2022-06-21T12:33:04-0400

Gary, you're a genius. Thank you so much for sorting out this problem for me. I'll make a new Macrium Reflect disc image now, so I've got a fresh backup of a fully-working laptop.

Gary R · 2022-06-21T12:37:17-0400

Glad it worked.

I guess we can leave the orphans in place then, since they're not causing the problem.

Since we don't really know what created those restrictions, I suggest you now run a scan with Windows Security, to make sure that there's nothing malicious on your machine.

If there is, or if you have any more problems, then please get back to me.

Brian_E · 2022-06-21T12:38:50-0400

Gary R said:
Glad it worked.

I guess we can leave the orphans in place then, since they're not causing the problem.

Since we don't really know what created those restrictions, I suggest you now run a scan with Windows Security, to make sure that there's nothing malicious on your machine.

If there is, or if you have any more problems, then please get back to me.

Hi Gary, there's just one thing. I'm now getting a few messages pop up about programs being blocked (see examples).

Gary R · 2022-06-21T13:29:24-0400

OK, that's due to a setting in Windows Security, that is meant to prevent Ransomware from installing. It does it by blocking any requests to make changes to particular System resources.

If you're sure that the programs trying to make these changes are legit, then you can disable the setting in Windows Security that is doing the blocking by doing the following ....

Click on Search
Type Controlled Folder Access
Click on the related Icon when it appears
Set Controlled folder access to OFF

Brian_E · 2022-06-21T13:59:55-0400

Gary R said:
OK, that's due to a setting in Windows Security, that is meant to prevent Ransomware from installing. It does it by blocking any requests to make changes to particular System resources.

If you're sure that the programs trying to make these changes are legit, then you can disable the setting in Windows Security that is doing the blocking by doing the following ....

Click on Search

Type Controlled Folder Access

Click on the related Icon when it appears

Set Controlled folder access to OFF

Thanks Gary. I did manage to find out something about this afterwards by clicking on one of the alerts. I found out that it's also possible just to allow some programs through. Phew - what a day! My Macrium Reflect backup is running now, so all is well. Once again, thank you so much for your help with this.

Gary R · 2022-06-21T14:57:04-0400

You're welcome.

Cannot turn Windows 11 real time protection back on

Registered

Team Manager, Microsoft Support

Registered

Moderator , Security Team

Registered

Attachments

Registered

Registered

Registered

Attachments

Moderator , Security Team

Registered

Attachments

Moderator , Security Team

Registered

Moderator , Security Team

Registered

Attachments

Registered

Attachments

Moderator , Security Team

Registered

Attachments

Moderator , Security Team

Registered

Moderator , Security Team