pdwk

Hi pdwk, Unfortunately your solution to copy the *.cat files did not work for us (tried it on 3 different Pcs). I also tried to copy the *.cat files from a working pc and this didn’t work as well. In your case - was the folder you specified above in the CatRoot empty? Could you tell in advance which Pc will have the issue after a reboot? Do you think removing the KART tool on an already affected pc works? The issue is somehow connected to printing files and/or opening pdf files - a client told me that after opening a pdf file an error occurred (unfortunately we have no picture of the error) and after printing that pdf the computer crashed. I forgot to add: Removing KART on an already effected PC will not help. Removing it will not replace the deleted files. I’m wondering if running some form of file-undelete might help.

Hi pdwk, Unfortunately your solution to copy the *.cat files did not work for us (tried it on 3 different Pcs). I also tried to copy the *.cat files from a working pc and this didn’t work as well. In your case - was the folder you specified above in the CatRoot empty? Could you tell in advance which Pc will have the issue after a reboot? Do you think removing the KART tool on an already affected pc works? The issue is somehow connected to printing files and/or opening pdf files - a client told me that after opening a pdf file an error occurred (unfortunately we have no picture of the error) and after printing that pdf the computer crashed. That’s unfortunate. So far all of my workstations with this problem have been recovered with the cat copy. To specify further, the c:\windows\system32\catroot folder contains 2 folders with specific GUIDs. The important one is named “{F750E6C3-38EE-11D1-85E5-00C04FC295EE}” . It is within THAT folder that I copy the *cat files. I will include the exact command line we have been using below: copy /y C:\Windows\servicing\Packages\*.cat C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ Translation: Copying all the *.cat files from c:\Windows\servicing\Packages\ into c:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ I will add this printing PDF test to my VMs in the hopes if re-creating the problem. Thank You,

I now have another laptop from a client with the same issue and again KART5 installed. I am doing some extra testing with it to try and get more exact information.

Hi Inet I have found only one other mention of this problem on a Polish news site. I have tried to msg the authoer and tried to post a comment asking for info or asking about Kaspersky. No response so far. Link: https://www.dobreprogramy.pl/Microsoft-sa-problemy-z-marcowa-aktualizacja-Windows-10.-Nasz-czytelnik-tez-ucierpial,News,113843.html It is mentioned in the last paragraphs of the news article. As for the *.cat solution, I found this article that lead me to that discovery: https://rquintino.wordpress.com/2017/05/11/recovering-from-windows-10-boot-blue-screen-critical-service-failed-disable-drivers-signature-enforcement-unsigned-drivers/ and https://rquintino.wordpress.com/2017/05/19/disk-cleanup-and-windows-10-boot-blue-screen-critical-service-failed-disable-drivers-signature-enforcement-unsigned-drivers/ Extra note. That first news article mentions that System Restore gives an error. This was true for us too. It can be fixed with a quick regedit and a restart. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f} UpperFilters REG_MULTI_SZ volsnap I found this cause and solution was related to another Kaspersky product. https://www.reddit.com/r/GoroHome/comments/c9i6rl/kaspersky_removal_tool_kavremover_chkdsk_volume/ To answer some of your questions. We have removed KART on all our PCs for now. Our process involves installing KART4 and letting it auto update itself to 5. You cannot stop the auto-update so there is no way to stop at any specific version. So we completely removed it to be safe. I agree about the Windows Update needing a reboot and then users noticed the problem and thus blame the update.

Hi Inet, Correct. I have NOT been able to recreate the bug. The only common item between all the computers that experienced this bug was KART. We have identical computers with identical software except for another AntiVirus solutions and they have been working perfectly fine throughout this. Heck, maybe it was a bug that was fixed in KART before anyone noticed. As for what happens its hard to say. Seems to happen shortly after a reboot. Many users reported seeing the KART update message (Agree to the terms / Activate) and either ignored or Agreed. There was also multiple reports of the screen going black for 10 seconds or longer. However at that point the computer still works fine and can keep working fine. So it’s possible the files were erased days before and no one noticed as they didn’t reboot their computer. I know the computer keeps working fine as I was able to save a computer before a reboot. A user reported they could NOT print. I went to the computer and found that the files (as mentioned above) were all deleted. At that point I immediately copied the *.cat files while still in Windows and then tested the reboot. The computer rebooted fine. I also noticed that while the *.cat files are missing I cannot open Services or run MMC. I receive a security error. In one case while I was still diagnosing, I copied the *.cat files as stated, restarted. KART remained installed. Computer rebooted fine, files then disappeared. Copied them again, rebooted, files disappeared. Removed KART, copied them again, rebooted… files stayed there. This is what pointed me towards KART. I wish I had payed more attention to the KART version and kept that workstation for more testing. Finally I am exploring other possibilities. There are previous reports of the built-in Windows Disk Cleanup erasing those files by mistake so I have also tried adding that to my testing. Have you ever used Windows Disk Cleanup on your workstations ?

Hi Inet, On a few computers where I reinstalled KART the version remains at 5.0.0.3660. That is after I installed KART4 and let it auto-update. I have not tried the KART5 direct install package. I stopped installing it though. As for recovery, yes. The first few were complete reinstalls but after some testing I discovered that the BSOD was caused by all the missing *.cat files. My fix involves 1) Copying all the *.cat files from c:\Windows\servicing\Packages\ into c:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ either via a command prompt. 2) That allows the computer to boot. THEN once the computer boots back up normally I need to find all the various files to refill the C:\Windows\System32\DriverStore folder. Either from a backup of that workstation or a donor computer with a similar configuration. The computer works ok without these files but you won’t be able to add new devices. 3) Final step is quickly reinstalling the VC++ runtimes from Microsoft. All that gets the computer back to a working state. I have also successfully done a different process of: 1) Copy *.cat files as above 2) Install or force re-install 20H2 via the MediaCreationTool20H2 and the option “Keep files AND apps”. This takes longer but makes me feel better about the system as a whole. I have been trying to recreate the exact scenario that causes this by setting up various virtual machines but so far they are working great.

Has anyone else noticed a connection recently between the upgrade to KART5 and some BSOD errors stating “Critical Service Failed” ? I’m asking for input. I’ve witnessed this exact same error on 8 computers ,so far, that I help maintain. The only connection between all of them was KART4 > KART5 upgrade. At first I thought it was related to the new Win10 update but I’ve ruled it out as its not the same BSOD. Other Win10 computers that had other or no protection did not have any issues. The BSOD results from the complete deletion of the contents of Catroot, DriverStore and some runtimes from System32. There are only a few processes that have access to these folders. I’m grateful for any other input.

I’m also experiencing this problem.