Windows 10: is alot of event id 5007's normal for defender?

hi; just wanted to ask as i have seen alot of event 5007's in event viewer and it's alittle...worrying, it says it could be malware tampering with it.

:)

 

Event ID 5007 for Windows Defender

Hi everyone, I was trying (unsuccesfully) to clear the history for Controlled Folder Access.

After erasing the content of "Operational" in the event log followig this guide posted on this community, I rebooted the PC.

From my interpretation, the confguration basically change to a new state and then change another time to the old one? It is right? ServiceStartStates 0x0 to 0x1, and 0x1 to 0x0 with the only difference in the path. Default to HKLM and then default again? Is this something normal?

The ProductAppDataPath also changes but without reverting back. The path is the same: C:\ProgramData\Microsoft\Windows Defender

But in the old valie we have Default, while the new value start with HKLM, without then rechange to default like the other two entries before.

Is this normal and happen to every reboot? was triggered by me cleaning the event log when I was trying to clean the Controlled Folder Access history?

Thanks

In the new Operational event log now I've found something strange (all with code 5007):

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: Default\ServiceStartStates = 0x0

New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1

New value: Default\ServiceStartStates = 0x0

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender

New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender

I tried an offline scan and something similar happens:

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: N/A\Scan\OfflineScanRun =

New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun = 0x0

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: Default\IsServiceRunning = 0x0

New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: Default\ServiceStartStates = 0x0

New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1

New value: Default\ServiceStartStates = 0x0

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender

New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender

 

Event ID 5007 for Windows Defender

Ok, I've tried a simple reboot without changing anaything and without deleting the log. Even after a normal reboot I found in the log this entries (newer to older):

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender

New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1

New value: Default\ServiceStartStates = 0x0

Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Old value: Default\ServiceStartStates = 0x0

New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1

So immediatly after a reboot, in the log was only ServiceStartStates 0x0 to 0x1. Strange. But I check again and the other two entry load: 0x1 to 0x0 and then the ProductAppDataPath thing.

Basically one second between the older one (0x0 to 0x1) and the other two.

So I think this is actually normal after every reboot, and not because I deleted the Operational log.

By the way, even after deleting the operational log as other commenter in this community suggested, the History for Controlled Folder Access is still there... Online this seems a recurrent problem...

 

Windows 10 Event Error ID 10016 & 5007

Hi Eileen,

Thanks for the inputs. I tried to execute recommended steps & here is what i need more information on:

Error-1: Event ID: 10016, Source: DistributedCOM

I am good till step 3 but in step 4 'Customize' option is grey & i am not able to edit it.

Error-2: Event ID: 5007 , Source: Netwtw04

In step 2 i selected Network adapters > the network adapter name, i see 3 names
: a> Bluetooth Device (Personal Area Network), b> Bluetooth Device (RFCOMM Protocol TDI), c> Intel(R) Dual Band Wireless-AC 8260

Which one or all should i select & uninstall/reinstall?