This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 94%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVP%3C/text%3E%3C/svg%3E)
Faulting application name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee
Faulting module name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee
Exception code: 0xc0000409
Fault offset: 0x000000000071f9c1
Faulting process id: 0x0x3354
Faulting application start time: 0x0x1D9C47608FFF825
Faulting application path: C:\Program Files\Windows Defender Advanced Threat Protection*SenseNdr.exe*
Faulting module path: C:\Program Files\Windows Defender Advanced Threat Protection*SenseNdr.exe*
Report Id: 72c0afd6-c3ba-4311-83bb-db1790785f0a
Faulting package full name:
Faulting package-relative application ID:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 25%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Aternity has identified the following health events:
Process: SenseNdr.exe 2.3.1.0
Dll: SenseNdr.exe 2.3.1.0
Dll: Dll Version:SenseNdr.exe, 2.3.1.0
Exception: c0000409
Fault Offset: 000000000071f9c1
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 25%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
I recently installed the Crowdstrike Falcon sensor on all of my Windows servers and started getting errors about the SenseNdr.exe app crashing. The errors are displaying in the Event Viewer around the same time every morning, between 7:00am and 8:00AM CST. We are using XYMON for monitoring Windows Event Viewer messages and after 30 minutes or so the errors go away. The Windows servers don't seem to be affected by the errors. error - 2023/08/07 07:50:11 - Application Error (1000) - Faulting application name: SenseNdr.exe, version: 2.3.1.0
Not sure really sure if the Falcon sensor is causing the issue or not. I haven't been able to find much about this event.
Thank you Cliff McManus for highlighting\mentioning this, it may be true condition. CS Falcon sensor can create this situation. In our scenario continuously it's crashed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 67%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMQ%3C/text%3E%3C/svg%3E)
We face the same error for quite some days now on multiple servers. It's the same SenseNdr.exe version and time stamp (SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee). There seems to be no problem on the server themselves. We don't know what's causing this - we do NOT have any Crowdstrike sensors installed! And we can't find any clues on the internet on what's going on here beside this question.
Does anybody has an idea what's this all about? Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 67%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETC%3C/text%3E%3C/svg%3E)
We are running into this same issue. It started directly after July's cumulative updates were installed for us. We also are using Crowdstrike's EDR sensor similar to others. I feel this is related to the July 2023 cumulative update though. This is consistent across all of our servers. Same date and same pattern following the cumulative update.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 30%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGH%3C/text%3E%3C/svg%3E)
We have also been seeing the same issue for a couple months now on many of our Azure virtual machines. Not seeing this issue on non-Azure VMs. This is a constant daily occurrence. I have been searching for answers for some time now without any resolution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 79%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
We're seeing this issue too and am not sure when it started. Anyone have any leads? I see mention of Crowdstrike and the July 2023 updates.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 24%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBD%3C/text%3E%3C/svg%3E)
Was there ever a solution proposed? I have noticed several servers (Windows 2022 and 2019) that have Windows Defender installed and also crowdstrike falcon service giving the same error.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 10%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
Same issues here, started after July rollups on all 2019 servers we have (no crowdstrike here):
Faulting application name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee
Faulting module name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee
Exception code: 0xc0000409
Fault offset: 0x000000000071f9c1
Faulting process id: 0x1dc8
Faulting application start time: 0x01d9d2f4914a2b8f
Faulting application path: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe
Faulting module path: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe
Report Id: 75eb9bfa-753e-4da3-b197-0c254ac94e7e
Tried to install the august rollups, no change, error still there... seems to happen roughly every 12h after a reboot:
hopefully we see an answer soon...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 51%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Same issue here, does anyone have a solution for it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 38%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
We have aternity as well and are reporting the exact same thing from the exact same time
I opened a case with Microsoft support on this issue and got the following response:
Summary
After further engineering investigation, we came into a conclusion that with the current information that we have from a few customers, APPCRASH event (event 1000 for SenseNDR.exe with exception code 0xc0000409) is generating, this behavior is known to us and will be fixed in upcoming OS Patch that including improvements for MDE agent.
This behavior was started since OS patch update of June 27th as optional and 14th of July as mandatory.
Note:_
The behavior that you are currently see (Event 1000 and exception code 0xc0000409) is not affecting any SenseNDR functionality SenseNDR has a mechanism to start automatically after stopping._
The fix for this behavior will be introduced in OS patch of October (as optional) and November as mandatory.
My recourse at this point is to wait for the security updates to roll out and install. Since this is not impacting anything, we are just filtering this alert out in our SCOM monitoring so we aren't being nagged with incidents we can nothing about. Hope this helped you all!
Thank you so much for sharing!
Thanks Douglas!
Thank you for posting this info. This is most helpful and I'm glad to see there is light at the end of the tunnel.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 8%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Thank you so much for sharing!
Thank you for sharing! Safed a lot of time.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 40%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBF%3C/text%3E%3C/svg%3E)
Any update on this?
For us, I believe the cumulative update cleared up the issue for our servers. I am still seeing this daily on my Windows 10 machine though.
We have been running into this issue for quite some time as well on only one of our RDS, which makes it a little unusual.
I had a reply from Microsoft similar to that above. It doesn't help much as the crash happens constantly, and the server cannot be used for its intended purpose.
My name is <removed> and I am the Support Professional from the MDE team.
I've was looking into the SenseNDR.exe crashing issue and found that this is a known issue.
The engineering team is working on the APPCRASH event (event 1000 for SenseNDR.exe with exception code 0xc0000409) that is generating, it will be fixed in upcoming OS Patch that including improvements for MDE agent.
This behavior was started since OS patch update of June 27th as optional and 14th of July as mandatory.
Note:
The behavior that you are currently see (Event 1000 and exception code 0xc0000409) is not affecting any SenseNDR functionality SenseNDR has a mechanism to start automatically after stopping.
The fix for this behavior will be introduced in OS patch of October (as optional) and November as mandatory
Editing my previous double post today, date 12/10/2023
I spoke with my Microsoft support, who advised that the Defender patch was not included or finished completion yet.
They cannot give me a KB or date at this stage. And advised to lodge another ticket for the MDE team to try to get further details; it may get deployed as an emergency patch or something.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 47%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGB%3C/text%3E%3C/svg%3E)
does anyone know how the patch fixes this problem?
which patch number fixes this bug
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 25%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
November update does not fix the problem, it just starts a new version of crashes. The new version of SenseNdr.exe 2.4.0.7 just started the same trend.
Event: Application Crash
Details: Process: SenseNdr.exe 2.4.0.7
Dll: SenseNdr.exe 2.4.0.7
Dll; Dll Version: SenseNdr.exe,2.4.0.7
Exception: c0000409
Fault Offset: 0000000000983e25
Hi, we see the same crashes as you on several devices with W10 22H2 CU November and W11 22H2 CU November. So not fixed again...
Name der fehlerhaften Anwendung: SenseNdr.exe, Version: 2.4.0.7, Zeitstempel: 0x7821f2a7
Name des fehlerhaften Moduls: SenseNdr.exe, Version: 2.4.0.7, Zeitstempel: 0x7821f2a7
Ausnahmecode: 0xc0000409
Fehleroffset: 0x0000000000983e25
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 45%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGT%3C/text%3E%3C/svg%3E)
In our ticket, here's what the engineer said:
We just got an update from our product team, and they mentioned that the fix for SenseNDR crash is being released as the following:
And you will start to see decreasing with SenseNDR crash in the following week as long as the above are verified.
March 26, 2024—KB5035941 (OS Build 19045.4239) Preview - Microsoft Support
However, this has not stopped the issue. Since we first started seeing this, we're seeing other random stuff, with apps not working (VMware Horizon, R Studio), and also weird network issues where the clients have their DNS set manually even though they get it from DHCP. Anyone else seeing weird side effects?
They closed the original case (2401250030001757), but if you have access to free support, tag along on my new case I opened:
SenseNdr.exe crashing (#2404300030007485)
It's nice that someone said that the amendment will appear in October or November, but which amendment number will fix this error on the other hand, microsoft once again shows how unreliable its products are and how much time it needs to correct its mistakes
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 49%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERL%3C/text%3E%3C/svg%3E)
Any News???
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 8%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Description: You need to set ‘GroupIds’ registry string to ‘ZeekOff’ in key: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" Once done, the configuration will apply within ~5 minutes and then you can test if issue is mitigated
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
2 deleted commentsComments have been turned off. Learn more
We also continue to have crashing with the new version of sensendr.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 75%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
We also are having this same issues with version 2.4.0.7 and the older version 2.3.1.0 (some systems have not update yet). I presume that the Windows Updates update the sensendr.exe.
Has anyone created a ticket with MS for this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 11%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKC%3C/text%3E%3C/svg%3E)
Hi @Randy_Duren
I have created a ticket for this issue but they closed by saying out of scope, since I'm from the defender team they asked me to raise a Paid ticket and mentioned this is a Windows-related issue or else I can raise a concern in the Microsoft forum. So I think the fixes are only released for Windows servers and there are no official updates for Windows 10 and Windows 11 from the Microsoft side.
We have opened a case:
2401250030001757 Trying to figure out what the go is. Doesn't seem to be any commonality? Anyone running VMware Horizon Client or R Studio? Any changes to your host files?
We don't have VMware Horizon or R Studio. We do have a script that modifies our hosts file. C:\Windows\System32\drivers\etc
Also have been running the sfc scannow and DISM /Online /Cleanup-Image /CheckHealth /RestoreHealth; thinking it was the OS. Of course, 80%+ that the sfc will find corruption. This seems to have resolved that particular issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 55.00000000000001%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA3%3C/text%3E%3C/svg%3E)
2024/03/04 still happening as well every 5 minutes, on the dot 😐
Faulting application name: SenseNdr.exe, version: 2.4.0.9, time stamp: 0xd6fa2ba6
Faulting module name: SenseNdr.exe, version: 2.4.0.9, time stamp: 0xd6fa2ba6
Exception code: 0xc0000409
Fault offset: 0x0000000000985075
Faulting process id: 0x2974
Faulting application start time: 0x01da6e7c68b18d6e
Faulting application path: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe
Faulting module path: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe
Report Id: bf8faef6-c5fa-4b96-8bf7-9223a2fb1e8b
Faulting package full name:
Faulting package-relative application ID:
I found that running the sfc /scannow and DISM /Online /Cleanup-Image /ScanHealth and /RestoreHealth if needed, seems to have resolved our issue.
In my case, after being notified of your comment I decided to do the same just for general health and now I see two command prompt/console windows quickly flash in succesion every 5 mins or so so kind of made it worse lol.