Any connection between KART 5 (3660) and BSOD Critical Service Failed



@pdwk which version of KART deletes the files, and if you let it run, does it delete all files or only those in the specified folders?

What if some installations got a malicious update which does all these deletions? I do not believe non-malicious software would ever delete system files.

Has KART been compromised in some way ?

That would also explain the confusing version numbers...


Hi guys,

I’m a victim too of the KART 5 BSOD Critical Service Failed, on several PCs at my job including my home PC.

At the third “strike” I found out that KART was the guilty program…. Luckily for my PC I had a full backup image to restore, but on the PCs at work I had to reformat to be sure!

I’ve uninstalled it from all my PCs, and in some cases after uninstallation it corrupts the registry and VSS/System Restore don’t work anymore. After a little search here I found the fix for VSS.

 

Very disappointed with Kaspersky


Anyone found out how to know in advance if an online machine is having the issue and will therefore not boot on the next restart?

In my experience some network services and connected devices stop working, like Remote Desktop and web cameras.


The recent kaspersky Anti-Ransomware Tool UPDATE left twelve Windows 8.1 and Windows 10 workstations unbootable with bluescreens requiring backup image restoration.  In those that would boot, the update broke Shadow Copies leaving System restore unusable and Image backup programs like Macrium Reflect broken.

Symptoms: Blue Screen, Windows Unbootable, System Restore Broken within Windows (See: https://www.thewindowsclub.com/system-restore-error-code-0x81000203 ), corrupt critical system files and services (digital signature errors:   XXX service which failed to start because of the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.)

Resolution:  System Restore using a bootable USB such as Windows Recovery Drive.
Resolution:  Restoring Backup Images

WE WILL NEVER TOUCH ANOTHER KASPERSKY PRODUCT!

And as you can see, Kaspersky hasn’t commented and doesn’t care that business machines are left in an unbootable state. Disgraceful.


BTW, you should be creating a backup image on a nightly basis. I recommend Macrium Reflect.  Even the free version works great.


@pdwk Hello. I have different servers where I uninstalled KART. Some have about 3.000 catroot files, some 16.000, some 6.000, one has the catroot folder empty.

Till now I did not restart any of them.

On the one with the empty catroot I noticed some services (Symantec Backup, EaseUS Todo Backup) cannot be opened anymore (this could be like forum user vik told about some services not working anymore).

What do you think, I have a backup of the catroot folder from 31.01.2021. This actually does not help I assume, right?

On other servers (also VMs) I have backups of the catroot from the day before.

I found this:

https://www.majorgeeks.com/content/page/catroot_and_catroot2_folder_explained.html

As far as I understand from this article, could the solution be to empty the catroot2 folder on the PCs which do not start anymore, from the command prompt in the startup repair console, and then restart again?


The catroot folder contains the “catalog” of digital signatures and certificates used by Windows. In my understanding you are correct. Without these files there is no way for Windows to “verify” that certain programs are allowed to run. We also noticed that a machine suffering with this problem cannot run “mmc”. Again, you’ll need to refer back to a few of my initial posts where I talk about copying the *.cat files from the Packages folder right back into the catroot sub folder “{F750E6C3-38EE-11D1-85E5-00C04FC295EE}”.

copy /y c:\Windows\servicing\Packages\*.cat c:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}

The catroot folder shouldn’t change much so copying from the January backup should also be good. Since you have a backup from January, you should also copy all the contents of the DriverStore folder from the backup onto the live machine. In one of my first few posts I discovered that the 

C:\Windows\System32\DriverStore\en-US

and

C:\Windows\System32\DriverStore\FileRepository

were missing MANY files as well. (Those two folders are protected so you’ll have to take ownership of them and give your user account Full Access to them).

Emptying the catroot2 folder has not helped us. catroot2 is automatically rebuilt by Windows, not catroot.


We face the same problem. Can't copy files back to catroot as Windows says that we don't have permissions on this folder.

Please can you elaborate on how exactly did you copy the files?

Pardon my late reply. 

For us the catRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder was not protected so there was no issue copying. Are you logged in as an Admin? Are you running a cmd prompt as Admin? Maybe try taking ownership of the folder and giving your user account full access to the folder.


Same. We also noticed that we cannot run mmc. It seems like the catroot folder contains the digital signatures for many Windows drivers. Without the digital signature, Windows will not allow programs and services to run. The DriverStore also gets deleted, so we noticed that on machines where we recovered the catroot folder we could not add new devices and most printers were corrupt. This is where either a copy-from-backup DriverStore helped OR reinstalling the Windows 10 20H2 update using the Media Creation Tool rebuilt the DriverStore folder.


I also wondered this. At first I thought it might be just the auto-update version “3660”. Our process has always been: 1) Install KART4 and let it auto-update. 

You mention that you install KART5 directly from the downloadable installer. I tested this and the version currently available is 3039. But it NEVER auto-updates for me and stays at 3039.

I thought maybe the auto-update 3660 was compromised but if you are experiencing the same problem from the direct download then I don’t know. I can say for certain that on the machines I was able to investigate it was always KART5 3660 that had the problem.



@pdwk 

Thank You for your solution, following your steps solved my BSoD problem (Kaspersky antiransomware was the culprit) on my Windows Server 2016, thank You a lot.👏

I have only a question: did You find the shadow copy service not working? ie, if I right click on my C disk… Shadow Copies tab… blank with “NO VOLUME IS ELIGIBLE FOR SHADOW COPIES” notice?

Thank You,

Alessandro


I think this is the same as the System Restore bug mentioned earlier by myself and a few others. Try the Registry fix AND a restart:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}
UpperFilters        REG_MULTI_SZ     volsnap
 

https://www.reddit.com/r/GoroHome/comments/c9i6rl/kaspersky_removal_tool_kavremover_chkdsk_volume/

or 

https://www.sysnative.com/forums/threads/system-restore-not-working-error-0x81000203-kaspersky-removal-tool.28983/


Hello Alessandro,

what was your exact problem and how did you solve it?

 


Thank You for that, the .reg fix (as recommended in the links) did not solve it. But adding it manually worked.

No more “K“ in my life.

Thank You again. Have a nice day.

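The same UpperFilters repair done from PowerShell, as an added example that is not code from any post in this thread. It reads the value first and only writes when run with -Apply, and it appends volsnap to whatever is already listed instead of replacing the whole REG_MULTI_SZ (a .reg import always replaces the full list). The parameter name, the volsnap.sys and kernel-driver checks are my additions; only the key path and value name come from the thread.

```powershell
# Added example (not from the thread): report, and optionally restore, the volsnap
# upper filter on the Volume device class. Run from an elevated PowerShell prompt:
#   .\Check-Volsnap.ps1          # report only
#   .\Check-Volsnap.ps1 -Apply   # add volsnap if missing, then reboot
param([switch]$Apply)

$volumeClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}'

$item = Get-ItemProperty -Path $volumeClass -Name UpperFilters -ErrorAction SilentlyContinue
$current = @()
if ($item) { $current = @($item.UpperFilters) }
Write-Host ("UpperFilters on Volume class: [{0}]" -f ($current -join ', '))

# The registry entry alone is useless if the driver itself is gone, so check both:
# the file on disk and the kernel-driver entry as seen by the service database.
$driverFile = Join-Path $env:SystemRoot 'System32\drivers\volsnap.sys'
Write-Host ("volsnap.sys present: {0}" -f (Test-Path $driverFile))
Get-CimInstance Win32_SystemDriver -Filter "Name='volsnap'" |
    Format-Table Name, State, StartMode, Started -AutoSize

if ($current -contains 'volsnap') {
    Write-Host 'volsnap is already listed; nothing to change.'
    return
}

if (-not $Apply) {
    Write-Warning 'volsnap is missing from UpperFilters. Re-run with -Apply to add it.'
    return
}

# Append rather than overwrite so any other legitimate upper filter survives.
$new = @($current | Where-Object { $_ }) + 'volsnap'
Set-ItemProperty -Path $volumeClass -Name UpperFilters -Value $new -Type MultiString
$check = (Get-ItemProperty -Path $volumeClass -Name UpperFilters).UpperFilters
Write-Host ("UpperFilters is now: [{0}]. Reboot, then check the Shadow Copies tab or run 'vssadmin list shadows'." -f ($check -join ', '))
```

If Set-ItemProperty fails with access denied even from an elevated prompt, the key's ACL has been altered as well; take ownership of it in regedit first, then re-run with -Apply.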

Hi Inet,

Last weekend, after a big Windows update session, two of my servers (one Server 2012 R2 and a 2016 one) where Kaspersky Anti-Ransomware was installed had, during the Sunday reboot, a blue screen error with a restart loop (error “Critical Service Failed”). The only way to access Windows was to choose, pressing F8 during boot, “disable driver signing enforcement”. After reading this post, I found that my CATROOT and DRIVERSTORE directories were blank (and a registry key deleted!!). So, following pdwk's steps solved all the problems, and now the servers are working well.


Hi Alios,

thanks for your reply!

Can you tell what exactly you did of these steps posted by @pdwk on the servers:

1) Copying all the *.cat files from c:\Windows\servicing\Packages\ into c:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ via a command prompt.

2) That allows the computer to boot. THEN once the computer boots back up normally I need to find all the various files to refill the C:\Windows\System32\DriverStore folder. Either from a backup of that workstation or a donor computer with a similar configuration. The computer works ok without these files but you won’t be able to add new devices.

3) Final step is quickly reinstalling the VC++ runtimes from Microsoft.

All that gets the computer back to a working state. I have also successfully done a different process of:
1) Copy *.cat files as above
2) Install or force re-install 20H2 via the MediaCreationTool20H2 and the option “Keep files AND apps”. This takes longer but makes me feel better about the system as a whole.

Did you also need to do the registry fix?

I am still not sure how to find out if my servers will reboot after a restart. I have only one server with an empty catroot folder whilst the others do have very different numbers of files in that folder (1.200, 3.000, 16.000), so I am unsure if I can try to restart them.

Would it be safe to copy the catroot from an (older) backup or is it better to copy them from c:\Windows\servicing\Packages\ ?

In our case

1) Copying all the *.cat files from c:\Windows\servicing\Packages\ into c:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ via a command prompt.

did not bring the Windows 10 PCs back online.

Regarding the DriverStore folder, can I fill it up from an (older) backup before I reboot the server, or should I do this after the cat folder copy?

Or should I refill the catroot folder and the driverstore folder from a backup before restarting the server? If I do this, is there any risk in doing so?

I am a little confused now what is best to do on the servers which have been up for weeks and which I am very worried about restarting...

 

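To put pdwk's repair steps (the *.cat copy command earlier in the thread and the three-step list above) into one script, here is an added PowerShell example that is not pdwk's own code and not a Kaspersky tool. Step 1 refills CatRoot from servicing\Packages and is the part that gets a machine past "Critical Service Failed"; step 2 restores the two DriverStore subfolders from a backup after taking ownership, as described earlier; step 3 (VC++ runtimes or the in-place 20H2 reinstall) stays manual. The parameter names, the assumed backup path and the hand-back of ownership to TrustedInstaller are my additions.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
#   Booted machine:   .\Repair-KartDamage.ps1 -RestoreDriverStore -DriverStoreBackup 'E:\Backup\Windows\System32\DriverStore'
#   Unbootable box:   from the recovery console (if PowerShell is available there; otherwise
#                     the "copy /y" line earlier in the thread does the same from cmd.exe):
#                     .\Repair-KartDamage.ps1 -WinDir 'D:\Windows'     # offline Windows folder
param(
    [string]$WinDir = $env:SystemRoot,
    [string]$DriverStoreBackup = 'E:\Backup\Windows\System32\DriverStore',   # assumed path
    [switch]$RestoreDriverStore
)

$catRoot  = Join-Path $WinDir 'System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
$packages = Join-Path $WinDir 'servicing\Packages'

function Get-CatCount([string]$Path) {
    return (Get-ChildItem -Path $Path -Filter *.cat -File -ErrorAction SilentlyContinue | Measure-Object).Count
}

# Step 1: refill the catalog store. servicing\Packages keeps a copy of the .cat file for
# every installed package, which is why the thread copies from there instead of an old backup.
if (-not (Test-Path $catRoot)) { New-Item -ItemType Directory -Path $catRoot | Out-Null }
$before = Get-CatCount $catRoot
robocopy $packages $catRoot *.cat /R:1 /W:1 /NP /NFL /NDL /NJH /NJS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy of catalogs failed with exit code $LASTEXITCODE" }   # 0-7 = success
$after = Get-CatCount $catRoot
Write-Host "Step 1: CatRoot .cat files $before -> $after (servicing\Packages holds $(Get-CatCount $packages))"

# Step 2 (only on a booted system): DriverStore. The thread found en-US and FileRepository
# emptied; both are owned by TrustedInstaller, so ownership must be taken before copying.
if ($RestoreDriverStore) {
    foreach ($sub in 'en-US', 'FileRepository') {
        $target = Join-Path $WinDir "System32\DriverStore\$sub"
        $source = Join-Path $DriverStoreBackup $sub
        if (-not (Test-Path $source)) { Write-Warning "No backup for $sub at $source, skipping"; continue }

        takeown /F $target /R /A /D Y | Out-Null                            # owner -> Administrators
        icacls $target /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null   # full control, inherited

        # /E copies the per-driver-package subfolders; /XO keeps any local file that is newer.
        robocopy $source $target /E /XO /R:1 /W:1 /NP /NFL /NDL /NJH /NJS | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy of $sub failed with exit code $LASTEXITCODE" }

        # Give ownership back so the servicing stack does not find an Administrators-owned store.
        icacls $target /setowner 'NT SERVICE\TrustedInstaller' /T /C | Out-Null
        $count = (Get-ChildItem -Path $target -Recurse -File | Measure-Object).Count
        Write-Host "Step 2: restored $sub ($count files)"
    }
}

# Step 3 is manual: reinstall the Visual C++ runtimes, or run the Media Creation Tool
# in-place upgrade with "Keep files and apps", which the thread reports also rebuilds DriverStore.
Write-Host 'Step 3: reinstall the VC++ runtimes, or do the in-place 20H2 reinstall.'
```

After a successful reboot, "sfc /scannow" is a cheap way to confirm the protected files themselves are intact; it does not repopulate CatRoot or DriverStore, which is why the copy steps come first.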

Hey @pdwk!

I am unsure how I should proceed with my servers which I did not yet reboot since the problem arose on the Windows 10 PCs.

I have some servers with about 1000 cat files, some with 3000, 6000 and 16.000, and one with an empty cat files folder.

I did not yet check the driverstore folder.

The server with the empty cat files folder is definitely worrying me the most since it is also the one having some services not working anymore, and the OS has become very slow and sluggish.

I tried to connect a USB 3.0 hard drive to it but it is not recognized by Windows. Simply nothing happens when connecting it. So I assume this server for sure is one of the ones not starting anymore.

I have some backups but I am not sure if I should copy the cat files and the driverstore folder over from the backups, since I am not sure if I would make things worse.

Is it absolutely sure that an empty catroot folder makes sure the server/Windows 10 PC will not start anymore? Or does the DriverStore folder also have to be empty at the same time?

On the servers with a catroot folder of about 1.200 files, how do I know if the folder is complete or half deleted, and how can I be sure that, if the folder was partly deleted, the server will not just start but also work correctly?

What do you suggest I should do on these servers?

Thanks again in advance!

 


Hi again @Inet

I’m no expert but I’ll try to offer my opinion on your situation and what I would do.

The empty catroot subfolder is definitely a problem.
The external hard drive that isn’t recognized is because of the empty DriverStore folder. All the built-in Windows drivers are in that folder. You’ll find that different USB mice, keyboards and USB sticks all will not work.

If you plug the external hard drive into one of the other servers (with 1000 files, 3000 or more) does it get recognized?

As Windows does updates and gets new system files it adds more and more *.cat files, therefore the number can change over time, and that is also why I’m worried about copying *.cat files from older backups. My experience is that all important *.cat files are duplicated in the Packages folder and that’s why I recommend copying all of them from there into the {F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder. If you copy *.cat from Packages on the server with the empty catroot folder, do the services start?

HOWEVER files from the DriverStore folder should be perfectly good to copy from an older backup since the DriverStore files do NOT change that often.

My testing indicates that KART5 deletes all the catroot files at boot and stops. It does not keep deleting. That and the fact that most of my servers have between 1000 - 3000 *.cat files seem to indicate that those servers will be fine for reboot. Have you compared the number of files in the catroot folder from current servers to older backups? Are they approximately the same count?

I am absolutely sure that it is only a catroot folder with less than 100 *.cat files that will prevent a server or workstation from booting. DriverStore didn’t stop my computers from booting. They booted but I could *not* add devices and the printers were corrupted. Copying DriverStore from a backup helped solve that on a server.


Should I check in advance, before I restart my still-running servers, if this registry entry is correct/present?

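For the recurring question in this thread of how to tell whether a still-running machine is affected before rebooting it, here is an added read-only check script that is not from any poster. It puts the indicators people reported into one report: the CatRoot count against pdwk's under-100 observation and against the catalogs held in servicing\Packages, whether Windows can still verify a catalog-signed binary such as mmc.exe (which several people said stopped running), the DriverStore contents, the volsnap upper filter, Service Control Manager events carrying the "cannot verify the digital signature" text quoted earlier, and whether KART is still installed. The thresholds, the optional $BackupCatRoot comparison and its 10% shrink heuristic are my assumptions, not documented Windows limits.

```powershell
# Added example, not from the thread. Read-only; run elevated on a machine you have not yet rebooted:
#   .\Test-KartDamage.ps1
#   .\Test-KartDamage.ps1 -BackupCatRoot 'E:\Backup\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
param(
    [string]$BackupCatRoot = '',   # assumed: same folder inside an older backup, for comparison only
    [int]$MinCatFiles = 100,       # pdwk's observation: below this the box will not boot
    [int]$EventDays = 14
)

$winDir   = $env:SystemRoot
$catRoot  = "$winDir\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}"
$packages = "$winDir\servicing\Packages"
$fileRepo = "$winDir\System32\DriverStore\FileRepository"
$volClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}'
$findings = New-Object System.Collections.Generic.List[string]

function Get-CatNames([string]$Path) {
    @(Get-ChildItem -Path $Path -Filter *.cat -File -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
}

# 1. Catalog store: how many catalogs are left, and how many package catalogs are absent.
$catNames = Get-CatNames $catRoot
$pkgNames = Get-CatNames $packages
$have = [System.Collections.Generic.HashSet[string]]::new([string[]]$catNames, [System.StringComparer]::OrdinalIgnoreCase)
$missingPkgCats = @($pkgNames | Where-Object { -not $have.Contains($_) })
Write-Host ("CatRoot .cat files: {0}   Packages .cat files: {1}   package catalogs missing from CatRoot: {2}" -f $catNames.Count, $pkgNames.Count, $missingPkgCats.Count)
if ($catNames.Count -lt $MinCatFiles) { $findings.Add("CatRoot has only $($catNames.Count) catalogs (threshold $MinCatFiles): expect 'Critical Service Failed' on reboot") }
if ($BackupCatRoot -and (Test-Path $BackupCatRoot)) {
    $backupCount = (Get-CatNames $BackupCatRoot).Count
    Write-Host "Backup CatRoot .cat files: $backupCount"
    # Counts grow with updates, so a live count noticeably below the backup is the suspicious direction.
    if ($catNames.Count -lt [int]($backupCount * 0.9)) { $findings.Add("CatRoot shrank from $backupCount (backup) to $($catNames.Count)") }
}

# 2. Can Windows still verify a catalog-signed system binary? mmc.exe carries no embedded
#    signature; a status other than Valid means its catalog can no longer be found.
$sig = Get-AuthenticodeSignature -FilePath "$winDir\System32\mmc.exe"
Write-Host "mmc.exe signature status: $($sig.Status)"
if ($sig.Status -ne 'Valid') { $findings.Add("mmc.exe signature status is $($sig.Status): catalog lookup is broken") }

# 3. DriverStore: each installed driver package is a folder under FileRepository.
$drvPkgs = @(Get-ChildItem -Path $fileRepo -Directory -ErrorAction SilentlyContinue).Count
Write-Host "DriverStore\FileRepository package folders: $drvPkgs"
if ($drvPkgs -eq 0) { $findings.Add('DriverStore\FileRepository is empty: new devices will not install') }

# 4. volsnap upper filter on the Volume class (System Restore / Shadow Copies).
$upper = @((Get-ItemProperty -Path $volClass -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters)
Write-Host ("Volume class UpperFilters: [{0}]" -f ($upper -join ', '))
if ($upper -notcontains 'volsnap') { $findings.Add('volsnap missing from UpperFilters: System Restore and Shadow Copies will be broken') }

# 5. Services that already failed to start because their signature could not be verified.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; StartTime = (Get-Date).AddDays(-$EventDays) } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like '*cannot verify the digital signature*' })
Write-Host "SCM signature-failure events in the last $EventDays days: $($events.Count)"
$events | Select-Object -First 5 -Property TimeCreated, Id, Message | Format-List
if ($events.Count -gt 0) { $findings.Add("$($events.Count) service start failures with a digital signature error") }

# 6. Is KART still installed? Uninstall entries for 64-bit and 32-bit installers.
$kart = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Kaspersky Anti-Ransomware*' } | Select-Object DisplayName, DisplayVersion
if ($kart) { $kart | Format-Table -AutoSize }

if ($findings.Count -eq 0) { Write-Host 'No indicators found; reboot looks safe.' -ForegroundColor Green }
else { Write-Host 'Do NOT reboot until these are fixed:' -ForegroundColor Red; $findings | ForEach-Object { Write-Host " - $_" } }
```

On a fleet, run it through your remote-execution tooling and collect only the final list: a machine with no findings matches what pdwk describes as safe to reboot, while any hit on items 1 or 2 means fixing CatRoot first, since those are the two that decide whether the next boot succeeds.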

This topic is now closed to further replies.


