Faulting application name: SenseNdr.exe

Copper Contributor

We have several systems (Server 2019, Windows 10, Windows 11) that are getting Event ID 1000 in Application log twice per day:

 

Faulting application name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee Faulting module name: SenseNdr.exe, version: 2.3.1.0, time stamp: 0x7484efee Exception code: 0xc0000409 Fault offset: 0x000000000071f9c1 Faulting process id: 0xd9c Faulting application start time: 0x01d9d532b71623c9 Faulting application path: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe

 

These started with the July monthly updates. Apparently we are not the only ones. See Windows Defender SenseNdr.exe Application Crashing Events - Microsoft Q&A.

 

Anyone have a clue?

7 Replies
did you apply august monthly updates to check if your issue will persists
Yes, I did. I waited for those to come out before raising the issue.
try to offboard and re-onboard one of your machines and check the logs. if your issue persists, I suggest opening a case with MS so they can check as it might be a bug with the latest release.
Tried this. Offboarding does not remove the C:\Program Files\Windows Defender Advanced Threat Protection folder or make any change to the files within. Events stopped while offboarded but started again when onboarded again.
We're also seeing an exponential increase in SenseNdr.exe faults (specifically version 2.3.1.0) that started in early September, but has exponential increased just this month.
I'm talking from a few hundred per day throughout September to now over 5,000 per day in October.
From the comments in my originally cited Q&A post, the following from Microsoft:

Summary
After further engineering investigation, we came into a conclusion that with the current information that we have from a few customers, APPCRASH event (event 1000 for SenseNDR.exe with exception code 0xc0000409) is generating, this behavior is known to us and will be fixed in upcoming OS Patch that including improvements for MDE agent.

This behavior was started since OS patch update of June 27th as optional and 14th of July as mandatory.

Note:_
The behavior that you are currently see (Event 1000 and exception code 0xc0000409) is not affecting any SenseNDR functionality SenseNDR has a mechanism to start automatically after stopping._

The fix for this behavior will be introduced in OS patch of October (as optional) and November as mandatory.

Fantastic news! Thank you so much for sharing!