Event ID 5017 — Product Name service feature has encountered an error and failed.

Provider
Microsoft-Windows-Windows Defender
Channel
Operational
Level
Informational

Description

Product Name service feature has encountered an error and failed.

Message

%1 service feature has encountered an error and failed.
 	Feature: %3
  	Failure Reason: %5
 	Recommended Mitigation: %6
 	Error Code: %7
 	Error description: %8

Fields

Name	Description
Product Name
Product Version
Feature Name
Failure Id
Failure Reason
Recommendation UnicodeString
Error Code
Error Description
ProductName UnicodeString
ProductVersion UnicodeString
FeatureName UnicodeString
FailureId UnicodeString
FailureReason UnicodeString
 	Known values:
 	%%2304	An Error occured during Logon.
 	%%2305	The specified user account has expired.
 	%%2306	The NetLogon component is not active.
 	%%2307	Account locked out.
 	%%2308	The user has not been granted the requested logon type at this machine.
 	%%2309	The specified account's password has expired.
 	%%2310	Account currently disabled.
 	%%2311	Account logon time restriction violation.
 	%%2312	User not allowed to logon at this computer.
 	%%2313	Unknown user name or bad password.
 	%%2314	Domain sid inconsistent.
 	%%2315	Smartcard logon is required and was not used.
ErrorCode UnicodeString
ErrorDescription UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 5017,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-06T19:18:49.882801+00:00",
    "event_record_id": 1270,
    "correlation": {},
    "execution": {
      "process_id": 3940,
      "thread_id": 4856
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.26010.5",
    "Feature Name": "MDE AV Configurations",
    "Failure Id": "0x00000003",
    "Failure Reason": "Group Policy hive was not ready when MDE AV service started and AV configurations might be not as expected.",
    "Recommendation": "Investigate recent changes in Group Policy server settings and reboot the device.",
    "Error Code": "0x80070002",
    "Error Description": "The system cannot find the file specified. "
  },
  "message": ""
}
