Hello,
Here are some ideas and thoughts that I would like to share and discuss with you.
The test case you mentioned may not have a detailed description. You can read the user guide of the HLK test.
URL: Windows Hardware Lab Kit User's Guide | Microsoft Learn
HLK Test Reference | Microsoft Learn
How to Debug "Detect Malicious Software" Test Failures
You can refer to the official troubleshooting guide and some of the following methods.
URL: Troubleshooting Windows HLK | Microsoft Learn
1. Check HLK Test Logs
• After the test fails, go to:
C:\ProgramData\Microsoft\Windows HLK\Results\<ProjectName>\<TestName>\
• Review:
▫ WTTLogs (detailed execution logs).
▫ TestName.etl (Event Trace Logs, open with WPA/WPR).
2. Verify Test Prerequisites
• Ensure:
▫ The system is free of actual malware (could cause false positives).
▫ Real-time antivirus is temporarily disabled (may interfere).
▫ Test dependencies (e.g., Windows Defender) are running.
3. Reproduce Manually
• The test likely uses Windows Defender’s AMSI (Antimalware Scan Interface) or ELAM (Early Launch Antimalware).
• Simulate the test by:
▫ Running PowerShell scans:
  Start-MpScan -ScanType QuickScan
▫ Checking Event Viewer (Windows Logs > Microsoft-Windows-Windows Defender/Operational).
4. Common Failure Causes
Error                        | Debugging Steps
"Malware not detected"       | Verify test malware sample is correctly injected.
"AMSI initialization failed" | Check if amsi.dll is loaded (Get-Process -Module amsi).
"Driver blocked by ELAM"     | Review %windir%\System32\drivers\elam.log.
"Access denied"              | Run HLK controller/test as Admin.
5. Use Sysinternals Tools
• Process Monitor (ProcMon): Filter for ACCESS DENIED or amsi.dll.
• Autoruns: Check for ELAM drivers blocking the test.
Regards,
Allison
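The checks in steps 1 to 4 above, collected into one diagnostic script. This is an added example, not code from the post or from the HLK; it assumes an elevated PowerShell session on the HLK client, the Defender PowerShell module (Get-MpComputerStatus), and placeholder values for $Project and $Test.

```powershell
# Added example: gather the evidence the post's steps ask for before re-running the test.
# Assumptions: elevated PowerShell on the HLK client; Defender module present;
# $Project and $Test are placeholders for the names used in the HLK results tree.
param(
    [string]$Project = '<ProjectName>',   # placeholder
    [string]$Test    = '<TestName>'       # placeholder
)

# Step 1: locate the HLK result logs (WTTLogs folder and .etl traces)
$resultDir = Join-Path "$env:ProgramData\Microsoft\Windows HLK\Results" (Join-Path $Project $Test)
if (Test-Path $resultDir) {
    Get-ChildItem -Path $resultDir -Recurse -Include '*.etl' |
        Select-Object FullName, Length, LastWriteTime
    Get-ChildItem -Path $resultDir -Directory -Filter 'WTTLogs' -Recurse | Select-Object FullName
} else {
    Write-Warning "Result directory not found: $resultDir"
}

# Step 2: Defender prerequisites (service up, real-time protection state)
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AMServiceEnabled          = $mp.AMServiceEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    AMRunningMode             = $mp.AMRunningMode
}

# Step 3: is amsi.dll actually loaded in this PowerShell process?
$amsi = (Get-Process -Id $PID).Modules | Where-Object ModuleName -eq 'amsi.dll'
if ($amsi) {
    "amsi.dll loaded from $($amsi.FileName)"
} else {
    Write-Warning 'amsi.dll is not loaded in this process'
}

# Step 3 (ELAM): Defender's ELAM boot driver; the service name WdBoot is an assumption
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'" |
    Select-Object Name, State, StartMode, PathName

# Step 4: recent Defender detection events (1116 = malware detected, 1117 = action taken)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the events query returns nothing, the detection never fired, which points at the test sample or the scan step rather than at AMSI or ELAM.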