Question Have you ever seen anything like this "RolledbackPlatformHealthData" turn up in the registry or events for Windows Defender?

Eric642

Any ideas what these entries could be referring to?

There are intriguing key entries on a Windows 10 PC in the registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft Defender\Diagnostics.

For example:
Code:
RollbackToPlatformVersion        REG_BINARY    00 00 00 00 00 00 00 00
RolledbackPlatformHealthData     REG_SZ        <OVERALL>:<BAD>,<AGE>:<14>,<DIRTY_SHUTDOWNS>:<5>

What do you think could be occurring? Any theories?

Sounds like the Windows Defender platform rolled back, but it is reporting the latest platform is active, in the Defender event ID 1150 & 1151.

A couple of the keys regularly turn up in 5007 events for Windows Defender, including the one that says "Dirty Shutdowns".

I have another Windows 10 PC that doesn't have these.
Have you ever seen anything like it?
 

Eric642

Thank you, I shall look at that and try to reproduce the counter going up.


What's interesting is, I've found that on start-up the registry values are gone. One hour later they are back, just after events 1150 & 1151 show up. The numbers continue where they left off. (The fact it says "Overall Bad" is a bit unnerving!)

Three things happened that it might be: I updated the defs, did a Full Scan, and an Offline scan. So, I've just updated the definitions again, restarted, and am waiting an hour.


Edit following day:
No change to the count for Dirty Shutdowns, after I've updated Defender definitions, done Full scan & Offline scan.
Checked: Updates & Security - Update History, there are no failed updates.

I presume "Dirty Shutdown" means something stopping it mid-track?
Wish I knew what it might be referring to! (Or even better how to fix it!)


Any ideas what else to look for or check out?
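
One way to check the timing described in the posts above (values missing at start-up, back after events 1150 and 1151) is to read the two values and line them up against the Defender operational log. This is an added example, not part of the thread; the key path is copied from the post as written, and the 7-day window and the `ConvertFrom-HealthData` helper name are assumptions.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Key path is copied from the post as written; adjust it if your key lives elsewhere.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft Defender\Diagnostics'
$Names   = 'RollbackToPlatformVersion|RolledbackPlatformHealthData'
$Days    = 7   # assumed look-back window

# Split "<NAME>:<VALUE>,<NAME>:<VALUE>" (the layout of the value quoted in the post).
function ConvertFrom-HealthData([string]$Text) {
    $fields = [ordered]@{}
    foreach ($m in [regex]::Matches($Text, '<([^<>]+)>:<([^<>]*)>')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    [pscustomobject]$fields
}

# 1. What the registry holds right now (the post reports the values vanish at start-up).
$diag = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
if ($diag -and $diag.RolledbackPlatformHealthData) {
    ConvertFrom-HealthData $diag.RolledbackPlatformHealthData | Format-List
    if ($diag.RollbackToPlatformVersion) {
        'RollbackToPlatformVersion: ' + [BitConverter]::ToString($diag.RollbackToPlatformVersion)
    }
} else {
    "Values not present under $KeyPath at $(Get-Date -Format s)"
}

# 2. Timeline: events 1150/1151 plus only those 5007 entries that name the two values.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1150, 1151, 5007
    StartTime = (Get-Date).AddDays(-$Days)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne 5007 -or $_.Message -match $Names } |
    Sort-Object TimeCreated |
    ForEach-Object {
        $lines  = @($_.Message -split '\r?\n')
        # For 5007 keep just the old/new value lines that mention the two names.
        $detail = if ($_.Id -eq 5007) { ($lines -match $Names) -join ' | ' } else { $lines[0] }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Detail = $detail.Trim() }
    } | Format-Table -AutoSize -Wrap
```

Running it once right after boot and again an hour later shows whether the 5007 entries that write these values follow the 1150/1151 events, and whether the AGE and DIRTY_SHUTDOWNS fields change between runs.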
 