SUMMARY
Windows 8 (and later) Live, Full System Restores, Restore Windows Defender
ISSUE
When performing a full system restore to a live (running) Windows 8 or later system, the restore may fail with an error that reports the state of the operation as follows:
Exit Status....: Disk write error
----- Error Messages -----
BP: Cannot create C:/Program Files/Windows Defender/MpClient.dll
BP: Cannot create C:/Program Files/Windows Defender/MpRtp.dll
BP: Cannot create C:/Program Files/Windows Defender/MpSvc.dll
BP: Cannot create C:/Program Files/Windows Defender/MsMpEng.exe
BP: Cannot create C:/Program Files/Windows Defender/NisIpsPlugin.dll
BP: Cannot create C:/Program Files/Windows Defender/NisLog.dll
BP: Cannot create C:/Program Files/Windows Defender/NisSrv.exe
BP: Cannot complete file restore. . Access is denied. (5).
----- End Error Messages -----
RESOLUTION
For File level recovery:
It is advisable, when performing full restores to a running system, that several directories be explicitly excluded from restoration.
· Exclude the following directories from the boot volume (the volume where Windows is installed):
  \Program Files\Windows Defender
  \Program Files\WindowsApps
· Exclude the system volume (shown as the UnMountedVol:\ volume in the Unitrends UI). This volume contains the boot and BCD directories.
OS Level Restore:
If the system's boot volume has been corrupted beyond repair and needs a full restore, consider using the 'Windows Integrated Bare Metal Restore' feature or Windows Instant Recovery.
This will re-image the boot/system volumes using a chosen restore point without affecting other volumes on the disk.
After recovering the OS, some applications that depend on Windows Protected Files may not function. Microsoft includes a tool (the System File Checker, sfc) to detect and replace these missing files. Most commonly this is seen as Windows Defender not functioning after recovery; running the following corrects that state:
sfc /scannow
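The post-recovery check described above, written out as an added PowerShell example (not part of the original Unitrends KB): it verifies that the Windows Defender files named in the error log exist, reports the Defender service state, and runs sfc /scannow only when files are missing. It assumes an elevated 64-bit PowerShell session, and the service names WinDefend and WdNisSvc and the CBS.log location are assumptions of this example rather than values from the KB.

```powershell
# Added post-recovery check (not part of the original KB). Requires an elevated
# 64-bit PowerShell session so that sfc.exe from System32 can run.
$DefenderDir = Join-Path $env:ProgramFiles 'Windows Defender'

# File names taken from the "Cannot create" lines in the restore error log above.
$ExpectedFiles = @(
    'MpClient.dll', 'MpRtp.dll', 'MpSvc.dll', 'MsMpEng.exe',
    'NisIpsPlugin.dll', 'NisLog.dll', 'NisSrv.exe'
)

# Determine which of the expected files are absent from the Defender directory.
$Missing = @($ExpectedFiles | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $DefenderDir $_) -PathType Leaf)
})

# Report the Defender service (WinDefend) and its network inspection service
# (WdNisSvc); service names are an assumption of this example.
foreach ($Name in 'WinDefend', 'WdNisSvc') {
    $Svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $Svc) {
        Write-Warning "Service $Name is not installed on this system"
    } else {
        Write-Output ("Service {0}: {1}" -f $Name, $Svc.Status)
    }
}

if ($Missing.Count -eq 0) {
    Write-Output "All expected Windows Defender files are present in $DefenderDir"
} else {
    Write-Warning ("Missing Windows Defender files: {0}" -f ($Missing -join ', '))
    Write-Output 'Running System File Checker to repair Windows Protected Files...'
    # sfc prints its own progress; exit code 0 is reported when it finds no
    # integrity violations. For any other result, CBS.log holds the details.
    & "$env:SystemRoot\System32\sfc.exe" /scannow
    Write-Output ("sfc /scannow exit code: {0}" -f $LASTEXITCODE)

    # sfc logs repair actions to CBS.log with an [SR] tag; show the latest ones.
    $CbsLog = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'
    if (Test-Path -LiteralPath $CbsLog) {
        Select-String -Path $CbsLog -Pattern '\[SR\]' | Select-Object -Last 20
    }
}
```

Re-run the script after sfc completes: the file check should report no missing files and WinDefend should show as Running once the service has been restarted.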
CAUSE
These errors occur because not even a process running with elevated administrative rights can overwrite certain files and directories on a running system. Windows Protected Files, which may include Windows Defender or other programs, cannot be directly recovered using file-level recovery. This affects every backup vendor that performs system recovery from file-based backups (block image backups, such as legacy BareMetal or VM backups, do not have this limitation, but Legacy Block BareMetal is unlikely to be compatible with Windows 8 or higher due to dependencies on either GPT or UEFI support).
NOTES
Microsoft discusses this issue in more depth in this KB: https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system