lnet

Members
  • Posts: 35
  • Reputation: 9 Neutral

  1. Hello Vasily, can you please tell us how we can find out if one of our systems is affected and how we can make sure it will start correctly after a shutdown? We still have many servers up since the problems arose, as some did not start anymore. We need urgent advice on how we can identify affected systems and how to fix them if they are. Regards, Mike

     Still no help for us from Kaspersky :-) This is so painfully unsatisfying.
  3. Hello, can you please tell us how we can make sure whether a computer is affected and will start as soon as we restart it? We have many servers (SBS 2011, Windows 2008 R2, Windows Server 2016, Windows Server 2019) which have never been restarted since the problem arose. Please do respond soon to this urgent issue! If somebody else has a definitive answer to this question, I am happy to hear about it. Regards, Mike
  4. That’s normal for just the plain MMC. (You’d usually add snap-ins.) On Windows 10 and Server 2012 I never got it to run. It just gave an error that it wasn’t allowed to run. I asked myself this. I even have the full KART5 log where it shows that it is looking at each file, but it does not say why it was deleted. Letting KART5 stay running is fine. The delete happens only at boot. If I copy all the files back to catroot they will stay there forever until the next reboot. Only deleted at reboot. For the files that remain in catroot, it is because they are also being used by another process and KART5 cannot delete them. Searching for only the specific “Critical Service Failed” led me to this article https://rquintino.wordpress.com/2017/05/11/recovering-from-windows-10-boot-blue-screen-critical-service-failed-disable-drivers-signature-enforcement-unsigned-drivers/ where it talks about an empty catroot folder.

     Very interesting. This does indeed look like malicious or tampered software trying to harm a system. The fact that it does not happen immediately but only at the next reboot ensures it is found only after the system gets restarted, which on a server could be after weeks/months. Cool that you found the “Critical Service Failed” article. How did you manage to find out after that that this folder is getting deleted by KART? Did you do this on a VM?
  5. You can check after. It is NOT a requirement for boot. I was never able to reproduce this on a fresh install, nor was I able to find the reason why KART5 started doing this. I played with a laptop for a long time; every reboot would delete the files. I would re-copy them and try various KART5 settings. After a reboot it would always delete them. I checked an old SBS2011 server I had here. It works fine. It only has 524 *.cat files and NO DriverStore folder (only an empty DRVSTORE folder, which is normal).

     Hi @pdwk, thanks for your reply. I have a few SBS 2011 servers. All of them have more than 1000 cat files and all of them do in fact have the DriverStore folder. Also the one where the cat folder is empty had a DriverStore folder at least back in the registry backup of January (unfortunately I cannot check the tape backup since it does not work anymore, and I would need to restart with the filled catroot folder to get it back online). Now I am not sure if I should restart with the filled catroot folder and without a DriverStore folder, or if I should use the DriverStore folder from the backup of January.
  6. I think this is the same as the System Restore bug mentioned earlier by myself and a few others. Try the registry fix AND a restart: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f} UpperFilters REG_MULTI_SZ volsnap https://www.reddit.com/r/GoroHome/comments/c9i6rl/kaspersky_removal_tool_kavremover_chkdsk_volume/ or https://www.sysnative.com/forums/threads/system-restore-not-working-error-0x81000203-kaspersky-removal-tool.28983/

     Should I check in advance, before I restart my still-running servers, whether this registry entry is correct/present? I checked my servers regarding this key (UpperFilters). It is not present on the one with the empty catroot folder and it is not present on the other servers (I uninstalled KART everywhere but did not yet restart the servers). Do I have to create this key? Is there a .reg file which does the work?
  7. Hi @pdwk. May I ask how you managed to find out initially that the BSOD was caused by missing *.cat files? And thanks again for all your precious help!
  8. Has anybody of you asked yourself how it is possible that software which should prevent ransomware from encrypting files and folders is actually deleting important system files and, in our case, also folders (C:\Windows\System32\DriverStore completely missing)? @pdwk, did you test whether, if you let KART run and delete files for longer, it completely deletes the DriverStore folder, and whether it deletes even more folders after emptying catroot and DriverStore?
  9. @pdwk, by the way: mmc is opening on the SBS 2011 with the empty catroot but says “There are no items to show in this view”.
  10. I just checked the folder C:\Windows\System32\DriverStore on the SBS 2011 machine which has an empty catroot folder. The folder C:\Windows\System32\DriverStore is completely missing. I will now restore the catroot folder and the DriverStore folder from a backup and wait for your suggestions on whether I can then safely restart the server. Should I also check the registry for missing keys?
  11. Did somebody of you find out why certain machines are affected and others not? I did not. There are SBS 2011 servers with exactly the same configuration as other ones that are affected (empty catroot folder), and yet they are not. They had the same KART installed.
  13. I also wondered this. At first I thought it might be just the auto-update version “3660”. Our process has always been: 1) Install KART4 and let it auto-update. You mention that you install KART5 directly from the downloadable installer. I tested this and the version currently available is 3039. But it NEVER auto-updates for me and stays at 3039. I thought maybe the auto-update 3660 was compromised, but if you are experiencing the same problem from the direct download then I don’t know. I can say for certain that on the machines I was able to investigate it was always KART5 3660 that had the problem.

      Hey @pdwk! I am unsure how I should proceed with my servers which I did not yet reboot since the problem arose on the Windows 10 PCs. I have some servers with about 1000 cat files, some with 3000, 6000 and 16,000, and one with an empty cat files folder. I did not yet check the DriverStore folder. The server with the empty cat files folder is definitely worrying me the most since it is also the one having some services not working anymore, and the OS has become very slow and sluggish. I tried to connect a USB 3.0 hard drive to it but it is not recognized by Windows. Simply nothing happens when connecting it. So I assume this server for sure is one of the ones not starting anymore. I have some backups but I am not sure if I should copy the cat files and the DriverStore folder over from the backups, since I am not sure whether I would make things worse. Is it absolutely certain that an empty catroot folder means the server/Windows 10 PC will not start anymore? Or does the DriverStore folder also have to be empty at the same time? On the servers with about 1,200 files in the catroot folder, how do I know if the folder is complete or half deleted, and how can I be sure that if the folder was partly deleted the server will not just start but also work correctly? What do you suggest I should do on these servers? Thanks again in advance!
  14. I think this is the same as the System Restore bug mentioned earlier by myself and a few others. Try the registry fix AND a restart: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f} UpperFilters REG_MULTI_SZ volsnap https://www.reddit.com/r/GoroHome/comments/c9i6rl/kaspersky_removal_tool_kavremover_chkdsk_volume/ or https://www.sysnative.com/forums/threads/system-restore-not-working-error-0x81000203-kaspersky-removal-tool.28983/

      Hello Alsssandro, what was your exact problem and how did you solve it?

      Hi lnet, last weekend, after a big Windows Update session, two of my servers (one Server 2012 R2 and a 2016 one) where Kaspersky Anti-Ransomware was installed had a blue screen error with a restart loop (error “Critical Service Failed”) during the Sunday reboot. The only way to access Windows was to choose, pressing F8 during boot, “disable driver signing enforcement”. After reading this post, I found that my CATROOT and DRIVERSTORE directories were blank (and a registry key deleted!!). So, following pdwk’s steps solved all the problems, and now the servers are working well.

      Hi Alios, thanks for your reply! Can you tell what exactly you did of these steps posted by @pdwk on the servers:
      1) Copying all the *.cat files from c:\Windows\servicing\Packages\ into c:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ either via a command prompt.
      2) That allows the computer to boot. THEN once the computer boots back up normally I need to find all the various files to refill the C:\Windows\System32\DriverStore folder. Either from a backup of that workstation or a donor computer with a similar configuration. The computer works ok without these files but you won’t be able to add new devices.
      3) Final step is quickly reinstalling the VC++ runtimes from Microsoft. All that gets the computer back to a working state.
      I have also successfully done a different process of: 1) Copy *.cat files as above 2) Install or force re-install 20H2 via the MediaCreationTool20H2 and the option “Keep files AND apps”. This takes longer but makes me feel better about the system as a whole.

      Did you also need to do the registry fix? I am still not sure how to find out if my servers will reboot after a restart. I have only one server with an empty catroot folder, whilst the others have very different numbers of files in that folder (1,200, 3,000, 16,000), so I am unsure if I can try to restart them. Would it be safe to copy the catroot from an (older) backup, or is it better to copy the files from c:\Windows\servicing\Packages\? In our case, step 1) Copying all the *.cat files from c:\Windows\servicing\Packages\ into c:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ via a command prompt did not bring the Windows 10 PCs back online. Regarding the DriverStore folder, can I fill it up from an (older) backup before I reboot the server, or should I do this after the cat folder copy? Or should I refill the catroot folder and the DriverStore folder from a backup before restarting the server? If I do this, is there any risk in doing so? I am a little confused now about what is best to do on the servers which have been up for weeks and which I am very worried about restarting...
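The question that runs through the whole thread is how to tell, before rebooting, whether a still-running server has been hit. The following PowerShell script is an added example, written here for this page; it is not code from the thread, from pdwk or from Kaspersky. It checks, read-only, the three symptoms the posts report (an emptied CatRoot, a missing DriverStore, and a Volume class key whose UpperFilters value lacks volsnap) and, only with -Repair, performs pdwk's step 1 (refilling CatRoot from c:\Windows\servicing\Packages) and the UpperFilters fix quoted in the thread. The paths and GUIDs are taken from the posts; the "healthy" baseline (CatRoot should hold at least as many .cat files as servicing\Packages, and DriverStore should contain a FileRepository folder) is an assumption of this example, so treat a flagged server as "needs a look", not as a confirmed casualty.

```powershell
<#
  Added example (not from the thread). Pre-reboot health check for the
  KART symptoms discussed above. Run from an elevated PowerShell prompt.
  Without -Repair the script changes nothing.
  ASSUMPTIONS: CatRoot >= servicing\Packages .cat count is "healthy";
  DriverStore\FileRepository must exist; UpperFilters must contain volsnap.
#>
[CmdletBinding()]
param(
    [switch]$Repair   # apply pdwk's step 1 and the volsnap UpperFilters fix
)

# Locations named in the thread.
$CatRoot     = 'C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
$Packages    = 'C:\Windows\servicing\Packages'
$DriverStore = 'C:\Windows\System32\DriverStore'
$VolumeClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}'

function Get-CatCount([string]$Path) {
    # -1 means the folder itself is gone, 0 means it exists but is empty.
    if (-not (Test-Path -LiteralPath $Path)) { return -1 }
    return @(Get-ChildItem -LiteralPath $Path -Filter '*.cat' -File -ErrorAction SilentlyContinue).Count
}

$catInRoot     = Get-CatCount $CatRoot
$catInPkgs     = Get-CatCount $Packages
$driverStoreOk = Test-Path -LiteralPath (Join-Path $DriverStore 'FileRepository')

# UpperFilters is REG_MULTI_SZ, so PowerShell returns a string array (or $null if absent).
$upper     = (Get-ItemProperty -Path $VolumeClass -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
$volsnapOk = @($upper) -contains 'volsnap'

$findings = @()
if ($catInRoot -le 0) {
    $findings += "CatRoot is missing or empty ($catInRoot .cat files)"
} elseif ($catInRoot -lt $catInPkgs) {
    # Assumption: a partly deleted CatRoot shows up as fewer catalogs than the servicing store holds.
    $findings += "CatRoot has $catInRoot .cat files but servicing\Packages has $catInPkgs; folder may be partly deleted"
}
if (-not $driverStoreOk) { $findings += "DriverStore\FileRepository is missing" }
if (-not $volsnapOk)     { $findings += "UpperFilters on the Volume class key does not contain 'volsnap'" }

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    CatFilesInCatRoot  = $catInRoot
    CatFilesInPackages = $catInPkgs
    DriverStorePresent = $driverStoreOk
    VolsnapFilter      = $volsnapOk
    Findings           = if ($findings) { $findings -join '; ' } else { 'no symptoms found' }
} | Format-List

if ($Repair) {
    if ($catInRoot -lt $catInPkgs) {
        # pdwk's step 1: refill CatRoot from the servicing catalogs. Only files that are
        # absent from CatRoot are copied, so catalogs that survived are left untouched.
        New-Item -ItemType Directory -Path $CatRoot -Force | Out-Null
        Get-ChildItem -LiteralPath $Packages -Filter '*.cat' -File |
            Where-Object { -not (Test-Path -LiteralPath (Join-Path $CatRoot $_.Name)) } |
            Copy-Item -Destination $CatRoot
        Write-Host "Copied catalogs; CatRoot now has $(Get-CatCount $CatRoot) .cat files."
    }
    if (-not $volsnapOk) {
        # The registry fix quoted in the thread: volsnap must be in UpperFilters of the Volume class.
        # Existing filters are preserved; volsnap is appended rather than replacing the value.
        $newValue = @(@($upper) | Where-Object { $_ }) + 'volsnap'
        Set-ItemProperty -Path $VolumeClass -Name UpperFilters -Value $newValue -Type MultiString
        Write-Host "UpperFilters set to: $($newValue -join ', ') (reboot required)"
    }
    # pdwk's steps 2 and 3 (refilling DriverStore from a backup or donor machine and
    # reinstalling the VC++ runtimes) are deliberately not automated here.
}
```

Run it on every server that has not been rebooted since KART was installed and compare the Findings line across hosts; the posts above describe machines with identical configurations diverging, so a clean result on one box says nothing about its neighbour. The DriverStore refill is left manual on purpose, because the thread's own experience is that only a backup of that machine or a donor with a matching configuration is a safe source.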