The other day, I had Windows Defender scan all of my disk drives. This action artificially provoked a performance alert on one of my Lenovo laptops. While it was running it reported 8 malware items on my D: (Data) drive. Please note: all of these are categorized as “HackTool” items. MS correlates them with specific malware items and known exploits.  After overcoming my initial alarm, I looked where those items were found. All resided under parent directory D:\NirLauncher. Immediately, certain things became clear. Every one of the suspect elements is a password sniffing and capture tool in Nir Sofer’s collection of Windows Utilities. In fact, he’s got a category within that collection of 200-plus tools called “Password Recovery Utilities,” which comprises 20 items (see below). All of them popped up here. Aha!

Once it found these items, Defender forced me to have it ignore these threats to retain access to them.
[Click image for Full-Sized View.]

If Certain Legit Tools Generate Windows Defender False Positives, Then What?

Once Defender finds something suspect, you must remove that item from its clutches before you can use it again. That meant I had to open Windows Security → Virus & threat protection, then click on each item it found. Next, I clicked “See details,” and then explicitly told it to ignore each threat one at a time.

As you might expect, there’s a better way to deal with this kind of thing if you prepare in advance. If you click “Manage settings” inside the Virus & Threat protection pane, you’ll find an Exclusions setting right below Controlled folder access. Click “Add or remove exclusions” and you can instruct Defender to bypass specific files or folders. I simply added an exclusion for the D:\NirLauncher folder and it will now be ignored in future complete system scans (the Quick Scan option only accesses the Windows C: drive anyway).

Pre-emption Beats Reaction Whenever Possible

Currently, I use several utilities that Defender flags as threats. In addition to NirSoft’s password utilities (which NirLauncher includes amidst its collection of tools), I’ve had to exclude Gabe Topala’s System Information for Windows (siw.exe). In days of yore, before I started using Superfly’s ShowKeyPlus, I used a tool called Magic Jelly Bean Finder that likewise got flagged. I excluded it, too.

The moral of the story is this: if you’re planning to install (or copy standalone) tools that find passwords or keys, chances are pretty good that Defender will flag them as Hacktools. If you take steps to exclude them in advance, you can avoid having to “Ignore” them later on. But please: make sure you run any such software through VirusTotal to be doubly darn sure it’s safe before allowing it to take up residence on your PC. Such tools can indeed be used for malefic purposes, as well as legitimate ones. Be safe out there!

You know, there are more benefits to keeping software up-to-date than just avoiding security vulnerabilities. They even go beyond the pleasures of good housekeeping. When I couldn’t run Albacore’s excellent Disk Cleanup reaplacement (mdiskclean.exe) on my Lenovo X220 Tablet this morning, I started troubleshooting. Along the way, I found it ran just fine on my X380 Yoga (my other Fast Ring test machine). “Hmmm,” I said to myself, “let me compare the file dates.” And sure enough, I was running an April 2019 version of the project. However, the X380 was running a newer, May 2019 version. A quick online check confirmed that May 2019 is the latest and greatest version. Thus, I concluded that old MDiskClean.exe throws System.InvalidOperationException error. Those details appear in the lead-in graphic above.

If Old MDiskClean.exe Throws System.InvalidOperationException Error Then Update!

Indeed, my next move was to grab a copy of the current version. I replaced the old, outdated April 2019 version with the current May 2019 version. Then I ran the program again. This time, it worked like a charm. There was nary a trace in the Reliability Monitor of its passing, either. Sometimes, the easy fix is also the right fix. I’m glad to report that this is one of those times. The problem is solved.

With the current (05.2019) version running and working, mdiskclean.exe looks exactly like Disk Cleanup, except it lets you show all available selections at the same time.

Disk Cleanup limits the display area to 5 items, so you have to scroll like mad to get through a big list.

If you should run into application level errors in Reliability Monitor, it’s smart to check the application itself first before taking troubleshooting further. In this case, that was as far as I needed to go. Had that not helped, my next move would have been to run the system file checker (sfc /scannow) and to perform a DISM componentstore health check (dism /online /cleanup-image /checkhealth). Normally, that would be as far as one would need to go at the application level. Beyond that, though, comes an in-place upgrade repair install (TenForums Tutorial) and finally a clean (re)install (TenForums tutorial). Glad I didn’t have to break out any of that heavy artillery. Cheers!