206546-microsoft-security-essentials_originalWe have recently started to see some systems come in where Microsoft Security Essentials is damaged by a virus infection to the point it cannot be reinstalled. Yes, MSE has gotten some bad press lately due to their performance in AV-TEST.org’s evaluations, though Microsoft has published some interesting data trying to map out the real world impact of what they missed.

But the troubling issue we are seeing is MSE being damaged beyond repair, even for what seem to be minor infections. You can’t uninstall it, and when you try to manually remove it, the reinstall will still fail with a variety of errors.

The first system (Windows XP) MSE was turned off and would not turn back on. When you tried to change any settings, you got ‘Class Not Registered’. Attempts to uninstall it failed. Tried to use FixIt 50535 from KB2435760, even though this was for v1.x. Didn’t work. Tried FixIt 50692 from KB2483120 but being for v2.x, I didn’t expect that to work either. I ran the MATS tool for Install/Uninstall problems, but it could not see MSE to uninstall. Revo didn’t help since it did not see MSE as installed. I figured it was a file or registry permissions problem, so I tried running the Windows All In One Repair from tweaking.com, but it didn’t help. At this point I moved on to other more pressing systems, figuring I’d reinstall Windows on this one. Of course it had like 6 user accounts, and since Windows XP easy transfer is limited to the active account – was going to have to do a manual copy or 6 transfers. Blech.

Then I got another system in where MSE was acting strangely. It was still listed as installed, but was not running. Attempts to uninstall it failed, but it seemed partially uninstalled. Remove Programs kept offering to remove it from the list since it was already uninstalled. Installing MSE kept saying it was already installed. Great. I tried the same things as above. No luck. One forum post talked about trying to run “setup.exe /u” from the C:\Program Files\Microsoft Security Client\Backup directory. I tried to access that directory, but kept getting ‘Directory Cannot Be Accessed’. I checked the file attributes – nothing out of the ordinary, but I could NOT get into ANY subdirectory. My guess was the uninstaller (or installer) could not either. So I renamed it to ‘Microsoft Security Client OLD’ and tried to install MSE again.

This time it progressed and allowed me to start the installer – but it failed when it started the ‘Removing Components’ step with an 0×80070780 error.

During my research into this, I came across a very helpful article from Stephen Boots that gave some insights into how to manually remove MSE. The BAT script was clearly not  designed for Windows XP – but that was mainly for the program directories. I ran the script anyway to try and clean the registry. Still no luck

Since the Uninstall FixIt allows you to try to uninstall via Product ID, I gave that a try. Here is how you reach that part:

  • Run the FixIt for Install and Uninstall
  • Select the option to choose what to fix
  • It will display a list of installed programs. Click ‘Not Listed’
  • Now you get prompted for the Product ID of what you want to install. Enter each of these (you’ll have to ‘re-run’ the FixIt for the 2nd one)
    • {774088D4-0777-4D78-904D-E435B318F5D2}
    • {77A776C4-D10F-416D-88F0-53F2D9DCD9B3}

This actually got me closer – but now I was getting an error 0×80070645. More research turned up this post which referred to a fix by user GuillaumeGabard. As I was reading it, I realized he was talking about the same registry key (HKEY_CLASSES_ROOT > Installer > UpgradeCodes > 1F69ACF0D1CF2B7418F292F0E05EC20B) that many of the others had talked about. But he also listed this one for Windows 7: HKEY_CLASSES_ROOT > Installer > UpgradeCodes >26D13F39948E1D546B0106B5539504D9

On a hunch, I searched for 26D13F39948E1D546B0106B5539504D9 and found the following two keys:

HKEY_CLASSES_ROOT > Installer > UpgradeCodes > 26D13F39948E1D546B0106B5539504D9
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Installer > UpgradeCodes > 26D13F39948E1D546B0106B5539504D9

I backed up my registry and removed those. Security Center popped up saying the firewall was not turned on. Knowing MSE ties into the firewall, I worried I may have screwed up the firewall, but I tried to reinstall MSE and it worked!

The one odd thing is real time protection would NOT turn on. But when in doubt – restart. Voila! MSE was green and active and working great. I was able to install the latest version of the virus definitions and make settings changes.

On one system, the only hiccup was Security Center would not detect that MSE was active and installed. It kept saying MSE was turned off. The other system did not have this problem. I’ve found often this problem can be fixed by uninstalling and reinstalling MSE. With a bit of hesitation, I uninstalled MSE and it succeeded. Security Center flipped to ‘No antivirus is installed’. I restarted and installed MSE from Windows Update. It worked! Security Center now properly detected Microsoft Security Essentials.

Much of this was trial and error. The post from Stephen includes the bulk of what needed to be removed, but obviously it won’t all work for Windows XP (takeown doesn’t exist and the paths are different). But it will help you trudge through it. But the key thing is to include the two 26D13F39948E1D546B0106B5539504D9 keys as well. Then MSE should see that it is really ‘uninstalled’ and allow you to reinstall it. If you have trouble removing directories, do so with a tool like System Rescue CD or just rename it and leave the ‘OLD’ version hanging around.

Microsoft really needs to release a universal removal tool for all versions of Security Essentials like most other AV vendors have.

Of course on a whim I searched for that other key and found a Windows XP MSE cleanup script that includes the elusive key and would have worked the first time. No clue why I didn’t come across it before. These scripts are going onto my tool USB drives…

UPDATE: The link above to the scripts has unfortunately gone dark. It had so many useful HOWTO’s and procedures – sad to see it go. Anyway, here are the scripts:

Save them and rename them with .bat extensions before executing in an Admin level console window (I’ve had the best luck running the script in ‘Safe Mode Command Prompt’. I’ve found the Vista/Win7 is plagued by Access Denied errors, even in an Admin console window. The registry keys seem locked. Your milage may vary. Also – Internet Explorer may not allow you to save the file – it is flagged as a virus (since it has code to disable/remove MSE). You may have to Select All and paste it into a text file in Notepad to get it on the computer.

I’ve also noticed that some virus infections manage to get some of the directories related to MSE corrupted to where you simply cannot delete them. takeown & icacls have no effect. So the reinstallation of MSE will still fail. In cases like this I’ve had to boot into System Rescue CD

UPDATE Aug 2013: I’ve tweaked the scripts a bit to add a couple keys and fix a few other odd quirks. They work much better now.