Windows 10: Defender Offline Scan boot loop – Part 2

In part 1 I discussed what causes error code 0x80070578 in Windows Defender. In part 2 I will discuss how to fix a Windows Defender Offline boot loop that prevents Windows 10 from starting.


What's Windows Defender Offline (WDO)?

Microsoft provides Windows Defender Offline (WDO) to scan systems for malware in an offline mode. WDO has been integrated into Windows 10 since the Anniversary Update (version 1607). Here are the steps to use this mode.

1. Click Start and then select the Settings icon to open the Settings app.

2. Within the Settings app, go to Update & security and then to the subcategory Windows Defender.


3. Scroll down in the right pane and click the Scan Offline button (only available for administrator accounts).

Windows 10 will reboot and you may see the Please wait message.

[Screenshot: Booting into Windows Defender Offline]

Windows Defender Offline will then be loaded – you will see a progress bar.

[Screenshot: Loading Windows Defender Offline]

Once WDO is ready, you will see the Windows Defender GUI, and a Defender scan runs in offline mode.

[Screenshot: Windows Defender Offline scan]

Windows Defender Offline always uses a quick scan. There is also an Update tab (see screenshot below), where you can load new definition file updates via the Internet.

[Screenshot: Windows Defender Offline update information]

For previous Windows versions, Windows Defender Offline (WDO) may be launched from USB sticks or optical media. Microsoft has described the procedure here. This Microsoft site provides download links for 32- and 64-bit ISO files for WDO.

A problem with Windows Defender Offline scan in Windows 10

Windows 10 comes with a built-in WDO mode (see above) that bears the risk of a boot loop (see Windows 10: Windows Defender drops error 0x80070578 – Part 1). There is a possible scenario where WDO tries to scan the disks during boot but can't finish. The user is advised to restart the machine. But after a restart the WDO scan starts again and ends in a reboot – the system is trapped in a boot loop. After I stumbled upon this error, I started searching the web. Here are a few hits from the English Microsoft Answers forum.

My computer won't boot to windows from windows defender offline
My Windows 10 is not able to Login Due to Defender
Windows Defender Offline for Windows 10
How do I get my computer to boot up regularly after running the WDO scan?

Then I tried to provoke this behavior within a virtual machine – but I failed. I terminated the scan, did multiple hard resets of my VM and also installed third-party AV software. Nevertheless, Windows 10 was able to boot.

What could be the reason for the boot loop?

In part 1 (see Windows 10: Windows Defender drops error 0x80070578) I mentioned Windows Defender error 0x80070578, which is caused by outdated Windows Defender signature files. As mentioned above, Windows Defender Offline (WDO) is able to load new signature files via the Internet. I suppose that third-party antivirus software (McAfee, Norton, Kaspersky and so on) deactivates Windows Defender, so WDO isn't able to update its signature files. Maybe incompatible versions of antivirus software are responsible.

If the user tries a WDO scan in Windows 10, the system is at risk of the boot loop. But my experience within a virtual machine contradicts my first theory. At first I thought it was a kind of "broken by design" WDO issue – but there is an option in WDO to terminate the offline scan. Fortunately, I stumbled upon another scenario that could explain the behavior. The German user facing the WDO scan boot loop tried to reinstall Windows 10 and ended up with a "hard disc locked" error. So the explanation is simple: a damaged system/boot structure causes the boot loop – because WDO can't reset the boot option to a Windows 10 boot.

First step: Save important data

My first recommendation is to save important data before trying to repair the system. It's possible to use offline backup software (like Paragon Disk Director Suite 15) and boot the machine from emergency media (DVD, USB stick). Then create a system image backup and save important user files.

An alternative is to boot the machine into Windows PE (using a system repair disk, a CD, a recovery drive, a USB stick, or Windows 10 install media and choosing the computer repair option). In Windows PE it's possible to copy user files via a command prompt window from the Windows disk to external media (USB stick or USB drive).

Tip: You can launch notepad.exe from the command prompt window in Windows PE. Go to File – Open and use the Open dialog box as a mini file manager. Set the file type filter in the Open dialog box to All files (*.*). Then you can use the dialog box to navigate to your Windows drive and use context menu commands to copy files to an external drive. But note that this "file manager" doesn't refresh automatically – so it may seem that file operations weren't successful. Just press F5 to refresh the content of the dialog box. Also, hidden files won't be shown.

Fix #1: Try an automatic startup repair

Interrupt the system boot process 3 times (remove the battery from a notebook, switch the power off). The machine should then switch to the Windows PE environment and try a startup repair.

[Screenshot: Startup Repair]

If the automatic repair message appears, just follow the instructions given on the screen. In some forums I found the suggestion to keep the Shift key pressed while forcing the system into a restart. This should force the system into Windows PE with its extended start options.

If automatic startup repair isn't invoked, you can try to boot the machine using install or recovery media. If install media is used, try the Computer repair option offered in the 2nd setup screen to enter Windows PE. You need to select the language settings (below is the dialog box from German install media).

[Screenshot: Windows Setup, select language]

Then use the hyperlink Repair your computer shown in the setup dialog box (see also).

[Screenshot: Selecting the Repair your computer option]

Then you will see the Windows PE environment with the page Choose an option.

Click Troubleshoot and go to Advanced options on the next page. On the Advanced options page select the Startup Repair tile and let Windows PE try to repair your start configuration (see also Windows 10 hangs with error code 0xc0000034).

If all goes well, the repair succeeds and your machine will boot into Windows 10.

Fix #2: Try a system restore

If fix #1 didn't work, boot your system into Windows PE and go to Advanced options (see above). Select the System Restore tile. Maybe Windows System Restore is able to fix the issue and the machine will boot Windows 10 again. But I'm not too optimistic that fix #1 and fix #2 will cure the system.

Fix #3: Try to repair the boot environment

In some cases the boot environment (BCD store) is damaged or not accessible. Try to boot the system with Windows PE (see Fix #1). Then use diskpart to set the partition with the \boot folder as active. As a last step, populate the BCD store with the necessary entries. According to this forum thread it could help. Have a look at the MS Answers thread Issue with updating BCD(Boot Configuration Data) in Windows 8.1 for details on how to rebuild the BCD store.
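
The diskpart and BCD steps described above, written out as commands typed at the Windows PE Command Prompt. This is an added example, not part of the original post or the linked threads; disk 0, partition 1 and the drive letters C: (Windows) and S: (system partition) are assumptions, so check the list output before selecting anything.

```bat
rem Typed one line at a time at the Windows PE / recovery Command Prompt.
rem ASSUMPTIONS: disk 0, partition 1, Windows on C:, letter S: is free.
rem Verify every number and letter against the "list" output first.

rem 1. Identify the Windows volume and the partition holding \boot.
diskpart
list disk
select disk 0
list partition
list volume

rem 2. Legacy BIOS / MBR disk: mark the \boot partition active and
rem    give it a temporary drive letter (skip "assign" if it has one).
select partition 1
active
assign letter=S
exit

rem    UEFI / GPT disk: "active" does not apply to GPT. Instead select
rem    the FAT32 EFI System Partition, run "assign letter=S", then "exit".

rem 3. Keep a copy of the current BCD store if it can still be read.
bcdedit /export C:\bcd_backup

rem 4. Repopulate boot files and the BCD store from the installed Windows.
bcdboot C:\Windows /s S: /f BIOS
rem    UEFI / GPT variant:
rem    bcdboot C:\Windows /s S: /f UEFI

rem 5. Alternative on BIOS / MBR systems: rewrite the boot code and let
rem    bootrec rebuild the store by scanning for Windows installations.
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd

rem 6. Confirm the boot manager and Windows loader entries now exist.
bcdedit /store S:\Boot\BCD /enum all
rem    UEFI / GPT variant:
rem    bcdedit /store S:\EFI\Microsoft\Boot\BCD /enum all
```

In Windows PE the Windows volume is not always mounted as C:, so use the letter shown by list volume for the volume that contains the \Windows folder.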

Fix #4: Try a System Image Recovery

If you have a system backup, boot into Windows PE and go to Advanced options (see above). Select the System Image Recovery tile and restore the system image backup. All data on your machine will be lost.

Fix #5: Reinstall Windows 10

If the fixes mentioned above don't help, grab Windows 10 install media and try to reinstall the operating system. All your data and installed programs will be lost, but your machine should be back to life.

Fix #6: Repair a Hard Disk Lock error

If you try to reinstall Windows 10, a "Hard Disk Lock" error may be reported, and setup refuses to install. This was the case in the German MS Answers thread. It also explains why Windows Defender Offline can't terminate and a boot loop occurs. If you are facing this scenario, use my blog post How to fix Windows-Setup Hard Disk locked error to cure your system.

OK, I hope one of the fixes proposed above will help to end the Windows Defender Offline boot loop. If you come across another solution or root cause, please feel free to leave a comment.


6 Responses to Windows 10: Defender Offline Scan boot loop – Part 2

  1. bodmer manuel says:

    Actually I just solved the WDO loop by disabling CSM and changing the HD from RAID to AHCI. A lot simpler, no? I ended up in the WD loop after switching graphic cards and changing my BIOS from normal to ASUS. Well, the BIOS popped up on its own after switching graphic cards and ASUS optimized said it's more silent…so I tried. On first startup it said my graphic card doesn't support UEFI and thus CSM is activated. Btw same graphic card I used before oO but the trigger might be the anti spyware like u said because since today my adaware tries to update and it can't. So maybe it locked the HD? Not sure what led to the WD loop but the fix I found is pretty simple so I thought I'd let u know :)

    • guenni says:

      Thx – computers are nasty things – a lot of voodoo. Hope the information collected here help other users.

  2. Wayne Ruppersburg says:

    My Windows Defender Offline Scan button is non-functional… when double clicked it simply states, "Something happened. Try again later." The scan is not initiated! I'm running 1607 OS Build 14393.953. Anybody got a clue?

  3. A says:

    Born,

    Unfortunately I had the windows defender offline (WDO) boot loop too. The computer was unusable. The files were saved, the bios was set to UEFI native without CSM, also using the bios the internal hard drive was sanitized, the windows 10 was reinstalled along with drivers, files and applications.

    Also unfortunately multiple computers have been exposed to WDO and are now at risk for WDO blue screen boot loops.

    To see if the WDO blue screen boot loop was reproducible I went through the steps that I had performed on the first computer. On the second computer it went again into the WDO blue screen boot loop.

    These are the steps that I used to reproduce the WDO boot loop:

    1) test the drivers on your computer using windows driver verifier
    2) this is a microsoftanswers WIKI on steps to use windows driver verifier
    https://answers.microsoft.com/en-us/windows/wiki/windows_10-update/driver-verifier-tracking-down-a-mis-behaving/f5cb4faf-556b-4b6d-95b3-c48669e4c983
    3) all of my computers immediately produced windows driver verifier blue screens with stop code: windows driver verifier detected violation
    There may or may not be additional information that may display the problematic driver. It typically ends with .sys
    4) if you want to fix the drivers you can record the driver and then uninstall and reinstall the driver. Some additional ways to get blue screen information are to change the settings to get minidump and memory.dmp files. This information is available in this microsoftanswers wiki: https://answers.microsoft.com/en-us/windows/wiki/windows_10-update/bsod-finding-and-fixing-them/1939df35-283f-4830-a4dd-e95ee5d8669d
    5) once you have experienced one driver verifier produced blue screen then exit windows driver verifier using the troubleshooting menu choice start up options. Of the 9 listed choices choose choice 6 safe mode with command prompt. There you enter verifier /reset and then reboot to the desktop.
    6) When you are back on the desktop open windows defender. In the right upper corner click on settings. And in the pop up windows click windows defender offline (WDO).
    7) Upon reboot WDO will load and then run a quick scan offline. Then reboot to the desktop
    8) So far everything should be back to normal and you should be on the desktop. You have run windows driver verifier once and it has produced a blue screen. You have exited windows driver verifier and returned to the desktop. You have run windows defender offline once and have also returned to the desktop. Both windows driver verifier and windows defender offline have each required reboots.
    9) this is the step that has reproduced the WDO blue screen boot loop. You now run windows driver verifier a second time.
    10) no longer can you get to the advanced troubleshooting options. No longer can you turn off windows driver verifier. You are now stuck in a windows defender offline blue screen boot loop. All power ons lead to a windows icon with rotating dots and blue screen with stop code driver verifier detected violation. Then all power off followed by power ons again lead to windows icon with preparing automatic repair followed by WDO load then WDO quick scan. The scan can be canceled or the scan can run to completion however it results in another blue screen.

    This is a one drive zipped video of the WDO blue screen boot loop: https://1drv.ms/u/s!AhdfDD74t_q2ixVTJLjNCz06mvjB

    To break the blue screen boot loop and return to the desktop I have tried using a windows 10 bootable iso: https://www.microsoft.com/en-us/software-download/windows10

    All of the troubleshooting steps failed. Unfortunately the windows 10 bootable iso does not have the same troubleshooting menu as your computer. The start up options are missing. There is no safe mode with command prompt.

    At first I wondered whether WDO was like Norton or Mcafee and other antivirus programs where any residual software after control panel uninstallation could interfere with other software programs. As far as I know there is no software to uninstall WDO like the other antivirus programs. And at first I thought that windows driver verifier had found a residual file of WDO to make the boot loop.

    When attempting repairs with reset there is an option for keep my files and a second option for remove everything. The displays for each are notable and may lead to a fix of the WDO blue screen boot loop.

    The attempted reset with keep my files displayed:

    The drive where windows is installed is locked. Unlock the drive and try again.

    The attempted reset with remove everything displayed:

    Unable to reset your PC. A required drive partition is missing.

    It appears to me that the windows defender offline could be damaging the partition.

    A google search for locked drive led to youtube videos where they used diskpart to unlock the drives. They essentially created a partition.

    These are some of the videos that I had viewed but have not yet tried any of the steps:

    computers with bios in UEFI:   
    https://www.youtube.com/watch?v=zXsXNZHRC8U&list=PLNnHaPo-NFYzB-1woVaxLIcQ3ugC4EXoE
    https://www.youtube.com/watch?v=kyBrjDpsXGc

    computers with bios in Legacy: 
    https://www.youtube.com/watch?v=zXsXNZHRC8U
    https://www.youtube.com/watch?v=kyBrjDpsXGc

    I've not yet used diskpart.

    Let me know if you are able to use windows driver verifier to reproduce the WDO boot loops. For me all of the computers had an initial blue screen. I don't know if the WDO boot loop will occur if the first windows driver verifier does not produce a blue screen.
    And let me know if you can fix the boot loop by using diskpart.

    • guenni says:

      My experience was "never to use driver verifier, because it produces blue screens and an unusable OS".

      Concerning your last question "And let me know if you can fix the boot loop by using diskpart" – unfortunately I'm currently not in a position to assist (an emergency case within the family has grounded my activities for a week and will continue).

      • Riot says:

        Driver verifier can be disabled easily by booting into safe mode. I use it quite often during diagnostics of bluescreen issues and have never had an issue disabling it; it helps in finding drivers having issues.
