John W
Hello,
The 'system' process is constantly writing to c:\windows\temp\MpSigStub.etl (15MB/s), using all I/O bandwidth on the C drive. The only way to stop this is to disable Windows Defender real-time protection, let it finish its signature update and restart it. But it will happen again at the next update… My C drive is an SSD and will probably get a shortened life span because of this bug. I have this problem on two brand new HP Z8 G4 workstations...
I have tried sfc /scannow, the Windows Update troubleshooter, disk cleanup, checkdisk of C...
I've also tried adding c:\windows\temp\MpSigStub.etl to Windows Defender's exclusions; it seemed to have worked at first, but this morning the problem was back...
Here is the last signature update run from the log found on one of the workstations, which was completely unresponsive this morning (while its disk access LED was blinking very fast):
MpCmdRun.log
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1810.5-0\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: jeu. nov. 08 2018 22:04:07
MpEnsureProcessMitigationPolicy: hr = 0x1
Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: https://fe2.update.microsoft.com/v6/)...
Search Completed
Download Started...
Download Progress-
Update Index:0 of 1 - 0%
Download Progress-
Update Index:0 of 1 - 0%
Download Progress-
Update Index:0 of 1 - 100%
Download Progress-
Update Index:0 of 1 - 100%
Download Progress-
Update Index:0 of 1 - 100%
Download Completed
Download Completed
Installation Started...
Time Info - jeu. nov. 08 2018 23:34:07 ERROR: Signatures Update Service hanged! - timeout 3600000
Here we can see that the installation starts but never ends (except if I disable Windows Defender real-time protection; then the install would continue successfully).
MpSigStub.log extract:
--------------------------------------------------------------------------------
Start time: 2018-11-08 21:04:11Z
Process: 35c.1d477a698fe62ea
Command: /stub 1.1.15400.2 /payload 1.279.1442.0 /MpWUStub /program C:\windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.279.1380.0.exe WD /q
Administrator: yes
Version: 1.1.15400.2
================================ ProductSearch =================================
Microsoft Windows Defender (RS1+):
Status: Active
ProductGUID: 77BDAF73-B396-481F-9042-AD358843EC24
Engine: 6bc9976a337d31e9d6641d99cda991854a88457289f1106b0b35eddbae719c9d 1.1.15400.4
AS base VDM: 15a62d26bcdbbf084440e2fcfab4bdeefb4755d057b925b23d5be4a36d270bc7 1.279.0.0
AV base VDM: 14ec71b3c60c6da9c519e80739e86a05cf6bbe50f308d778555944bc1368836d 1.279.0.0
AS delta VDM: e09ea90cb3ac61d3c9f4917bf6ef03c4dfdf769b919997fdf1824cf00f9e4558 1.279.1380.0
AV delta VDM: 04cbec3542722b0ff522afb5fd545ede667e3e680e741a998897844ae03eb1e4 1.279.1380.0
NIS engine:
NIS base VDM:
NIS full VDM:
Platform: 24d1a33ee40c1f4038ace180919454901267c3d243607b13546bd0ff0bf8f7fa 4.18.1810.5
============================== AccumulatePackages ==============================
PackageName:*C:\windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.279.1380.0.exe
=============================== PackageDiscovery ===============================
Package files discovered:
Directory: C:\windows\Temp\F7E73B2B-094C-4EE6-89C7-23FAF62B603535c.1d477a698fe62ea
1.279.1380.0_to_1.279.1442.0_mpasdlta.vdm._p: 6982e6af4a6171f9afdaeeb6bf14591bec7dc61255411a626b42b7ed83adfee4
1.279.1380.0_to_1.279.1442.0_mpavdlta.vdm._p: d454927ad22ae5d73f9f68a35f4d6523ba2bce4ec5982e234158181f9ee6711b
AM BDD:
Engine: Not included
AS base VDM: Not included
AV base VDM: Not included
AS delta VDM: 1.279.1442.0
AV delta VDM: 1.279.1442.0
=============================== PatchApplication ===============================
Patched mpasdlta.vdm to 1.279.1442.0
Patched mpavdlta.vdm to 1.279.1442.0
==================================== Update ====================================
Product name: Microsoft Windows Defender (RS1+)
Package files:
Directory: C:\windows\Temp\F7E73B2B-094C-4EE6-89C7-23FAF62B603535c.1d477a698fe62ea
1.279.1380.0_to_1.279.1442.0_mpasdlta.vdm._p: 6982e6af4a6171f9afdaeeb6bf14591bec7dc61255411a626b42b7ed83adfee4
1.279.1380.0_to_1.279.1442.0_mpavdlta.vdm._p: d454927ad22ae5d73f9f68a35f4d6523ba2bce4ec5982e234158181f9ee6711b
mpasdlta.vdm: fc64740b1ae826c22e2099e0a5aba44c7b7d67c5155ec42b4dd3be2b0d17e0b7 1.279.1442.0
mpavdlta.vdm: 44b509c1b1a67b1ff877c6b49dd6926fe528785a36852566316aed5b24564969 1.279.1442.0
There is no other antivirus installed on these machines.
Has anyone observed this behavior? Is it a known issue?
Thank you!
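
Added example, not part of the original post and not Microsoft tooling: a small Python triage script that scans MpCmdRun.log text for runs ending in the "Signatures Update Service hanged!" error and reports which stage each run had reached. The function name, the stage pattern and the second (non-hung) run in the sample are assumptions made for illustration; the first run reuses lines quoted in the post.

```python
import re

# Constructed sample: run 1 reuses lines from the MpCmdRun.log quoted in the post;
# run 2 is a made-up run without a hang, added only for contrast.
SAMPLE_LOG = r'''
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1810.5-0\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: jeu. nov. 08 2018 22:04:07
Update Started
Search Completed
Download Progress-
Download Completed
Installation Started...
Time Info - jeu. nov. 08 2018 23:34:07 ERROR: Signatures Update Service hanged! - timeout 3600000
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1810.5-0\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: ven. nov. 09 2018 22:04:07
Update Started
Search Completed
'''

RUN_START = "MpCmdRun: Command Line:"
HANG = re.compile(r"ERROR: Signatures Update Service hanged! - timeout (\d+)")
# Assumption: stage markers look like the "<Stage> Started/Completed" lines in the post.
STAGE = re.compile(r"^(Search|Download|Installation|Update) (Started|Completed)")

def find_hung_updates(log_text):
    """Return one dict per run in which the hang error was logged."""
    hung, run = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(RUN_START):          # a new MpCmdRun invocation begins
            run = {"start_time": None, "last_stage": None}
        elif run is None:
            continue                            # text before the first run header
        elif line.startswith("Start Time:"):
            run["start_time"] = line[len("Start Time:"):].strip()
        elif STAGE.match(line):
            run["last_stage"] = line.rstrip(".")  # stage reached most recently
        else:
            m = HANG.search(line)
            if m:                               # watchdog fired: record and close run
                run["timeout_min"] = int(m.group(1)) / 60000
                hung.append(run)
                run = None
    return hung

if __name__ == "__main__":
    for r in find_hung_updates(SAMPLE_LOG):
        print(r)
```
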