Forum Discussion

David Weston's avatar
David Weston
Copper Contributor
Aug 23, 2023

Faulting application name: SenseNdr.exe

We have several systems (Server 2019, Windows 10, Windows 11) that are getting Event ID 1000 in Application log twice per day:

 

Faulting application name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee Faulting module name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee Exception code: 0xc0000409 Fault offset: 0x000000000071f9c1 Faulting process id: 0xd9c Faulting application start time: 0x01d9d532b71623c9 Faulting application path: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe

 

These started with the July monthly updates. Apparently we are not the only ones. See Windows Defender SenseNdr.exe Application Crashing Events - Microsoft Q&A.

 

Anyone have a clue?

    • David Weston's avatar
      David Weston
      Copper Contributor
      Yes, I did. I waited for those to come out before raising the issue.
      • eliekarkafy's avatar
        eliekarkafy
        MVP
        try to offboard and re-onboard one of your machines and check the logs. if your issue persists, I suggest opening a case with MS so they can check as it might be a bug with the latest release.
  • C00kieMonster's avatar
    C00kieMonster
    Brass Contributor
    We're also seeing an exponential increase in SenseNdr.exe faults (specifically version 2.3.1.0) that started in early September, but has exponential increased just this month.
    I'm talking from a few hundred per day throughout September to now over 5,000 per day in October.
    • David Weston's avatar
      David Weston
      Copper Contributor
      From the comments in my originally cited Q&A post, the following from Microsoft:

      Summary
      After further engineering investigation, we came into a conclusion that with the current information that we have from a few customers, APPCRASH event (event 1000 for SenseNDR.exe with exception code 0xc0000409) is generating, this behavior is known to us and will be fixed in upcoming OS Patch that including improvements for MDE agent.

      This behavior was started since OS patch update of June 27th as optional and 14th of July as mandatory.

      Note:_
      The behavior that you are currently see (Event 1000 and exception code 0xc0000409) is not affecting any SenseNDR functionality SenseNDR has a mechanism to start automatically after stopping._

      The fix for this behavior will be introduced in OS patch of October (as optional) and November as mandatory.

Resources