It's nice that someone said that the amendment will appear in October or November, but which amendment number will fix this error on the other hand, microsoft once again shows how unreliable its products are and how much time it needs to correct its mistakes
Windows Defender SenseNdr.exe Application Crashing Events
Faulting application name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee
Faulting module name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee
Exception code: 0xc0000409
Fault offset: 0x000000000071f9c1
Faulting process id: 0x0x3354
Faulting application start time: 0x0x1D9C47608FFF825
Faulting application path: C:\Program Files\Windows Defender Advanced Threat Protection*SenseNdr.exe*
Faulting module path: C:\Program Files\Windows Defender Advanced Threat Protection*SenseNdr.exe*
Report Id: 72c0afd6-c3ba-4311-83bb-db1790785f0a
Faulting package full name:
Faulting package-relative application ID:
Microsoft Defender for Cloud
-
Stojsavljevic Branko 5 Reputation points
2023-08-04T07:21:28.4966667+00:00 Aternity has identified the following health events:
Process: SenseNdr.exe 2.3.1.0Dll: SenseNdr.exe 2.3.1.0
Dll: Dll Version:SenseNdr.exe, 2.3.1.0
Exception: c0000409
Fault Offset: 000000000071f9c1
-
Cliff McManus 5 Reputation points
2023-08-07T13:27:18.97+00:00 I recently installed the Crowdstrike Falcon sensor on all of my Windows servers and started getting errors about the SenseNdr.exe app crashing. The errors are displaying in the Event Viewer around the same time every morning, between 7:00am and 8:00AM CST. We are using XYMON for monitoring Windows Event Viewer messages and after 30 minutes or so the errors go away. The Windows servers don't seem to be affected by the errors. error - 2023/08/07 07:50:11 - Application Error (1000) - Faulting application name: SenseNdr.exe, version: 2.3.1.0
Not sure really sure if the Falcon sensor is causing the issue or not. I haven't been able to find much about this event.
-
Vrindavan Patange 130 Reputation points
2023-08-07T15:16:53.4633333+00:00 Thank you Cliff McManus for highlighting\mentioning this, it may be true condition. CS Falcon sensor can create this situation. In our scenario continuously it's crashed.
-
Markus Quirmbach 41 Reputation points
2023-08-10T13:22:22.4566667+00:00 We face the same error for quite some days now on multiple servers. It's the same SenseNdr.exe version and time stamp (SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee). There seems to be no problem on the server themselves. We don't know what's causing this - we do NOT have any Crowdstrike sensors installed! And we can't find any clues on the internet on what's going on here beside this question.
Does anybody has an idea what's this all about? Thanks!
-
Tyler Courtney 15 Reputation points
2023-08-10T20:54:41.01+00:00 We are running into this same issue. It started directly after July's cumulative updates were installed for us. We also are using Crowdstrike's EDR sensor similar to others. I feel this is related to the July 2023 cumulative update though. This is consistent across all of our servers. Same date and same pattern following the cumulative update.
-
Gary Herbstman 11 Reputation points
2023-08-11T12:47:03.1833333+00:00 We have also been seeing the same issue for a couple months now on many of our Azure virtual machines. Not seeing this issue on non-Azure VMs. This is a constant daily occurrence. I have been searching for answers for some time now without any resolution.
-
Raven Benson 5 Reputation points
2023-08-14T18:09:03.81+00:00 We're seeing this issue too and am not sure when it started. Anyone have any leads? I see mention of Crowdstrike and the July 2023 updates.
-
Bartolowits, Douglas 120 Reputation points
2023-08-18T14:47:05.97+00:00 Was there ever a solution proposed? I have noticed several servers (Windows 2022 and 2019) that have Windows Defender installed and also crowdstrike falcon service giving the same error.
-
Reto Gloor 6 Reputation points
2023-08-21T05:28:05.69+00:00 Same issues here, started after July rollups on all 2019 servers we have (no crowdstrike here):
Faulting application name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee
Faulting module name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee
Exception code: 0xc0000409
Fault offset: 0x000000000071f9c1
Faulting process id: 0x1dc8
Faulting application start time: 0x01d9d2f4914a2b8f
Faulting application path: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe
Faulting module path: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe
Report Id: 75eb9bfa-753e-4da3-b197-0c254ac94e7eTried to install the august rollups, no change, error still there... seems to happen roughly every 12h after a reboot:
hopefully we see an answer soon...
-
Tiba Stefan 0 Reputation points
2023-08-24T14:38:39.3133333+00:00 Same issue here, does anyone have a solution for it?
-
Rosen, Amy 0 Reputation points
2023-08-24T14:47:24.56+00:00 We have aternity as well and are reporting the exact same thing from the exact same time
-
Bartolowits, Douglas 120 Reputation points
2023-08-24T17:21:58.65+00:00 I opened a case with Microsoft support on this issue and got the following response:
Summary
After further engineering investigation, we came into a conclusion that with the current information that we have from a few customers, APPCRASH event (event 1000 for SenseNDR.exe with exception code 0xc0000409) is generating, this behavior is known to us and will be fixed in upcoming OS Patch that including improvements for MDE agent.This behavior was started since OS patch update of June 27th as optional and 14th of July as mandatory.
Note:_
The behavior that you are currently see (Event 1000 and exception code 0xc0000409) is not affecting any SenseNDR functionality SenseNDR has a mechanism to start automatically after stopping._The fix for this behavior will be introduced in OS patch of October (as optional) and November as mandatory.
My recourse at this point is to wait for the security updates to roll out and install. Since this is not impacting anything, we are just filtering this alert out in our SCOM monitoring so we aren't being nagged with incidents we can nothing about. Hope this helped you all!
-
Raven Benson 5 Reputation points
2023-08-24T17:51:05.1733333+00:00 Thank you so much for sharing!
-
Reto Gloor 6 Reputation points
2023-08-25T05:46:00.6666667+00:00 Thanks Douglas!
-
Gary Herbstman 11 Reputation points
2023-08-25T12:20:49.05+00:00 Thank you for posting this info. This is most helpful and I'm glad to see there is light at the end of the tunnel.
-
Satbeer Saini 0 Reputation points
2023-08-28T07:42:17.75+00:00 Thank you so much for sharing!
-
BerndA 5 Reputation points
2023-09-08T05:30:09.4633333+00:00 Thank you for sharing! Safed a lot of time.
-
Bram Frishert 0 Reputation points
2023-09-20T07:24:16.02+00:00 Any update on this?
-
Tyler Courtney 15 Reputation points
2023-09-20T15:06:12.1066667+00:00 For us, I believe the cumulative update cleared up the issue for our servers. I am still seeing this daily on my Windows 10 machine though.
-
Daniel Akinin 15 Reputation points
2023-09-21T21:55:11.8733333+00:00 We have been running into this issue for quite some time as well on only one of our RDS, which makes it a little unusual.
I had a reply from Microsoft similar to that above. It doesn't help much as the crash happens constantly, and the server cannot be used for its intended purpose.
My name is <removed> and I am the Support Professional from the MDE team.
I've was looking into the SenseNDR.exe crashing issue and found that this is a known issue.
The engineering team is working on the APPCRASH event (event 1000 for SenseNDR.exe with exception code 0xc0000409) that is generating, it will be fixed in upcoming OS Patch that including improvements for MDE agent.
This behavior was started since OS patch update of June 27th as optional and 14th of July as mandatory.
Note:
The behavior that you are currently see (Event 1000 and exception code 0xc0000409) is not affecting any SenseNDR functionality SenseNDR has a mechanism to start automatically after stopping.The fix for this behavior will be introduced in OS patch of October (as optional) and November as mandatory
-
Daniel Akinin 15 Reputation points
2023-09-21T21:56:41.8666667+00:00 Editing my previous double post today, date 12/10/2023
I spoke with my Microsoft support, who advised that the Defender patch was not included or finished completion yet.
They cannot give me a KB or date at this stage. And advised to lodge another ticket for the MDE team to try to get further details; it may get deployed as an emergency patch or something.
-
Grzegorz Brzeczyszczykiewicz 15 Reputation points
2023-11-07T13:41:08.8166667+00:00 does anyone know how the patch fixes this problem?
-
Grzegorz Brzeczyszczykiewicz 15 Reputation points
2023-11-07T13:45:52.5366667+00:00 which patch number fixes this bug
-
Maethee 5 Reputation points
2023-11-21T04:16:15.66+00:00 November update does not fix the problem, it just starts a new version of crashes. The new version of SenseNdr.exe 2.4.0.7 just started the same trend.
Event: Application CrashDetails: Process: SenseNdr.exe 2.4.0.7
Dll: SenseNdr.exe 2.4.0.7 Dll; Dll Version: SenseNdr.exe,2.4.0.7 Exception: c0000409 Fault Offset: 0000000000983e25
-
BerndA 5 Reputation points
2023-11-21T10:31:57.41+00:00 Hi, we see the same crashes as you on several devices with W10 22H2 CU November and W11 22H2 CU November. So not fixed again...
Name der fehlerhaften Anwendung: SenseNdr.exe, Version: 2.4.0.7, Zeitstempel: 0x7821f2a7
Name des fehlerhaften Moduls: SenseNdr.exe, Version: 2.4.0.7, Zeitstempel: 0x7821f2a7
Ausnahmecode: 0xc0000409
Fehleroffset: 0x0000000000983e25
-
Glenn Turner 10 Reputation points
2024-05-01T22:25:29.8633333+00:00 In our ticket, here's what the engineer said:
We just got an update from our product team, and they mentioned that the fix for SenseNDR crash is being released as the following:
- Capability was already prepared in Windows OS latest patches
- To enable the capability (and to mitigate the issue, MDE machines need to receive a SenseConfiguration (via CnC channel), this was started to release last week gradually. So the related machines need to be in "active" mode and connected to our service.
And you will start to see decreasing with SenseNDR crash in the following week as long as the above are verified.
March 26, 2024—KB5035941 (OS Build 19045.4239) Preview - Microsoft Support
However, this has not stopped the issue. Since we first started seeing this, we're seeing other random stuff, with apps not working (VMware Horizon, R Studio), and also weird network issues where the clients have their DNS set manually even though they get it from DHCP. Anyone else seeing weird side effects?
They closed the original case (2401250030001757), but if you have access to free support, tag along on my new case I opened:
SenseNdr.exe crashing (#2404300030007485)
Sign in to comment
4 answers
Sort by: Most helpful
-
Grzegorz Brzeczyszczykiewicz 15 Reputation points
2023-11-07T10:57:41.4033333+00:00 -
Ralf Luchsinger 0 Reputation points
2023-11-24T15:15:40.63+00:00 Any News???
-
Roche, Mike 0 Reputation points
2024-02-29T19:43:31.0833333+00:00 Description: You need to set ‘GroupIds’ registry string to ‘ZeekOff’ in key: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" Once done, the configuration will apply within ~5 minutes and then you can test if issue is mitigated
Sign in to comment -
-
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
2 deleted comments
Comments have been turned off. Learn more
-
Rosen, Amy 0 Reputation points
2023-11-29T19:36:53.44+00:00 We also continue to have crashing with the new version of sensendr.
-
Randy_Duren 5 Reputation points
2023-12-01T13:51:54.8333333+00:00 We also are having this same issues with version 2.4.0.7 and the older version 2.3.1.0 (some systems have not update yet). I presume that the Windows Updates update the sensendr.exe.
Has anyone created a ticket with MS for this?
-
Kapildev Chandrasekaran 11 Reputation points
2023-12-11T16:38:04.78+00:00 Hi @Randy_Duren
I have created a ticket for this issue but they closed by saying out of scope, since I'm from the defender team they asked me to raise a Paid ticket and mentioned this is a Windows-related issue or else I can raise a concern in the Microsoft forum. So I think the fixes are only released for Windows servers and there are no official updates for Windows 10 and Windows 11 from the Microsoft side.
-
Glenn Turner 10 Reputation points
2024-02-29T06:12:11.8933333+00:00 We have opened a case:
2401250030001757 Trying to figure out what the go is. Doesn't seem to be any commonality? Anyone running VMware Horizon Client or R Studio? Any changes to your host files?
-
Randy_Duren 5 Reputation points
2024-03-04T14:45:43.9366667+00:00 We don't have VMware Horizon or R Studio. We do have a script that modifies our hosts file. C:\Windows\System32\drivers\etc
-
Randy_Duren 5 Reputation points
2024-03-04T14:58:34.2433333+00:00 Also have been running the sfc scannow and DISM /Online /Cleanup-Image /CheckHealth /RestoreHealth; thinking it was the OS. Of course, 80%+ that the sfc will find corruption. This seems to have resolved that particular issue.
-
Andrs-3137 0 Reputation points
2024-03-04T22:11:23.7533333+00:00 2024/03/04 still happening as well every 5 minutes, on the dot 😐
Faulting application name: SenseNdr.exe, version: 2.4.0.9, time stamp: 0xd6fa2ba6 Faulting module name: SenseNdr.exe, version: 2.4.0.9, time stamp: 0xd6fa2ba6 Exception code: 0xc0000409 Fault offset: 0x0000000000985075 Faulting process id: 0x2974 Faulting application start time: 0x01da6e7c68b18d6e Faulting application path: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe Faulting module path: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe Report Id: bf8faef6-c5fa-4b96-8bf7-9223a2fb1e8b Faulting package full name: Faulting package-relative application ID:
Sign in to comment -
-
Randy_Duren 5 Reputation points
2024-03-04T15:04:15.2533333+00:00 I found that running the sfc /scannow and DISM /Online /Cleanup-Image /ScanHealth and /RestoreHealth if needed, seems to have resolved our issue.
-
Andrs-3137 0 Reputation points
2024-03-04T22:13:03.9733333+00:00 In my case, after being notified of your comment I decided to do the same just for general health and now I see two command prompt/console windows quickly flash in succesion every 5 mins or so so kind of made it worse lol.
Sign in to comment -