
Bluescreen: INACCESSIBLE_BOOT_DEVICE with KIS 21.3.10.391 and ELAM Turned On



Piyi Zu

My computer is running Windows 11 23H2 22631.3155 Professional (x64) and has Kaspersky Internet Security 21.3.10.391 (patch k) installed. 

After a quick scan with Kaspersky, I restarted my computer, but it failed with a bluescreen. It said the OS ran into some problem and the error code was INACCESSIBLE_BOOT_DEVICE. After a forced reboot, the same bluescreen appeared again. I tried Windows boot repair but it didn't work. I couldn't start the computer until I disabled Early-Launch AntiMalware in the boot options menu, which resulted in KIS not being loaded. I thought the bluescreen must have something to do with KIS.

To prevent rootkits and other unknown drivers from being loaded when the system boots, just after I had installed my OS, I turned on the Boot-Start Driver Initialisation Policy in Group Policy and set the policy to only allow "good" drivers to be initialised. I changed the policy to allow "good and unknown" drivers and restarted the computer; there was no bluescreen and KIS started normally like before. I changed the policy back to only allow "good" drivers and restarted the computer, and the bluescreen came again.

Just before this bluescreen accident happened, I updated database of KIS, and I ran a quick scan (NOTHING detected). I installed Qt 6.5.3 several days ago, but nothing went wrong these days. Even earlier, I installed a driver for Lenovo Hotkey on Lenovo System Update, which is an official driver updater and the installation was fully monitored by Kaspersky Internet Security.

I think the problem may be due to KIS incorrectly classifying some important driver to be unknown during the ELAM stage. But I could not find anything about it: no related event logged, no KIS report and even no dump file for the bluescreen. The compromise in ELAM policy is just a workaround. Could anyone give more help?


harlan4096

Also, migrate Your KIS 21.3 to the new Kaspersky Standard 21.16


So please solve the problem with version 21.3 first. We wanted to know what caused this BSOD.


Piyi Zu
2 hours ago, Berny said:

@Piyi Zu Welcome.
 

For BSODs caused by Kaspersky, please contact Kaspersky Technical Support
https://support.kaspersky.com/b2c/ 

Thanks. I'll contact the tech support if updating KIS to Kaspersky Standard cannot solve the problem. 

 

2 hours ago, harlan4096 said:

Also, migrate Your KIS 21.3 to the new Kaspersky Standard 21.16

I just updated KIS to Kaspersky Standard 21.16 by directly running the online installer from My Kaspersky, but unfortunately my key has reached its activation limit... I am waiting for the reply from the tech support.

 

1 hour ago, nexon said:

So please solve the problem with version 21.3 first. We wanted to know what caused this BSOD.

That's OK. 21.3 is too old. Maybe the problem was caused by incompatibility. However, there're still some regions in the world where the newest easy-to-get version is 21.3. This problem happened too suddenly, with no sign and little information on "google"s, so I posted it here to share my workaround and to see if anyone has a solution.


But I wanted to know where the problem is. If you update to the newest version, your problem will be solved, but without a solution....


Piyi Zu

I tried to figure out why. But I found nothing in the "Event Viewer", "Security and Maintenance" and minidump folder. I checked the digital signatures for every driver before installing. The driver installation packages were scanned by Microsoft Defender before KIS was installed. All drivers, including the firmware, are up-to-date.

I thought it was a hardware problem, but that couldn't explain why I could still start Windows after shutting down ELAM. I thought it was caused by a corrupted system file, but after executing

dism /online /cleanup-image /scanhealth

dism /online /cleanup-image /restorehealth

sfc /scannow

no integrity variation was found. I thought it was caused by a virus, but I ran a quick scan just before the failed reboot.

Those are what I did and saw before updating KIS.

The ELAM stage is a very early boot stage. It's like when a baby has just learnt to say mummy. Debugging the OS might find the cause, but it's beyond my time, energy and ability. If the BSOD were caused by KIS, the most likely "solution" would still be to update it. If it were caused by some damn driver, then updating KIS would be no help.


@Piyi Zu

On 3/3/2024 at 7:05 PM, Piyi Zu said:

I found nothing in the "Event Viewer"

Did you check with BlueScreenView (NirSoft)?


Piyi Zu

@Berny Nothing on bluescreenview and no failed boot was recorded in the event viewer as if the computer never started then. 

@harlan4096 Updating to 21.16 didn't work. The bluescreen came as expected. I tried to change the pagefile size and dumpfile options, but no dump file was generated. 

However, I have some findings.

I found that if I replaced all .sys files in C:\Windows\System32\drivers\wd with the older versions in C:\Windows\System32\drivers\, the system would boot with ELAM "only good" drivers initialised and Kaspersky Standard 21.16 started. These .sys files are WdBoot.sys, WdDevFlt.sys, WdFilter.sys and WdNisDrv.sys. What's more, the boot log said that none of the successful boots loaded these drivers:

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\bindflt.sys

\SystemRoot\System32\drivers\wd\WdFilter.sys

One failed boot happened to have a single line of boot log in ntbtlog.txt, which said only \SystemRoot\System32\drivers\MSKSSRV.sys was loaded.

Replacing the drivers was not a solution because the system would update those files automatically, and even with those not updated, the system failed to boot after a second restart.

I thought the BSOD would be related to a Microsoft Defender platform update on 28 Feb. (KB4052623 version 4.18.24010.12). This update seemed to change the four .sys files in the ...drivers\wd folder, and after that update I did not restart my computer until Sunday (3 Mar.) --- the day the BSOD occurred. There was no way to remove this update.

I wonder if Kaspersky's drivers started earlier than Windows Defender drivers. I also wonder if Windows Defender blocked Kaspersky. These are all I can do for this problem. I will reinstall my OS soon for it now runs very slowly and becomes messy.

@nexon The cause of the problem is still a mystery: unpopular configurations of ELAM, sudden bsod with no dump files, bad design of Windows making details of boot hard to get. But I think Microsoft Defender's silent update was to blame.

 

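The boot-log comparison described in the post above, as an added example that is not part of the thread and is not Kaspersky or Microsoft code. It assumes the usual ntbtlog.txt layout (a version header per boot session followed by BOOTLOG_LOADED / BOOTLOG_NOT_LOADED lines); the sample log is constructed, and `summarize` and `min_entries` are hypothetical names.

```python
import re

# Constructed sample; assumed layout: version header, then BOOTLOG_* lines.
SAMPLE = r"""Microsoft (R) Windows (R) Version 10.0 (Build 22631)
 3  3 2024 20:40:01.500
BOOTLOG_LOADED \SystemRoot\system32\ntoskrnl.exe
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\dxgkrnl.sys
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\bindflt.sys
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\wd\WdFilter.sys
Microsoft (R) Windows (R) Version 10.0 (Build 22631)
 3  3 2024 21:02:17.250
BOOTLOG_LOADED \SystemRoot\system32\ntoskrnl.exe
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\MSKSSRV.sys
BOOTLOG_LOADED \SystemRoot\System32\drivers\MSKSSRV.sys
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\dxgkrnl.sys
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\bindflt.sys
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\wd\WdFilter.sys
Microsoft (R) Windows (R) Version 10.0 (Build 22631)
 3  3 2024 21:30:44.000
BOOTLOG_LOADED \SystemRoot\System32\drivers\MSKSSRV.sys
"""

HEADER = re.compile(r"^Microsoft \(R\) Windows \(R\) Version")
ENTRY = re.compile(r"^BOOTLOG_(LOADED|NOT_LOADED)\s+(\S.*)$")
def decode_log(raw):
    # The file is normally UTF-16 with a BOM; fall back to UTF-8.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def parse_sessions(text):
    sessions = []
    for line in map(str.strip, text.splitlines()):
        if HEADER.match(line):
            sessions.append({"loaded": set(), "not_loaded": set()})
        elif sessions and (m := ENTRY.match(line)):
            key = "loaded" if m.group(1) == "LOADED" else "not_loaded"
            sessions[-1][key].add(m.group(2).lower())
    return sessions

def summarize(sessions, min_entries=4):
    # Sessions with fewer entries than min_entries count as truncated logs.
    size = lambda s: len(s["loaded"] | s["not_loaded"])
    full = [s for s in sessions if size(s) >= min_entries]
    truncated = [i for i, s in enumerate(sessions) if size(s) < min_entries]
    # A driver retried and loaded later in the same boot is not "skipped".
    skipped = [s["not_loaded"] - s["loaded"] for s in full]
    common = set.intersection(*skipped) if skipped else set()
    return sorted(common), truncated
```

On a real machine, read the bytes of C:\Windows\ntbtlog.txt, pass them through `decode_log`, and raise `min_entries` well above the sample's value, since a complete boot session lists hundreds of drivers.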

  • Solution
Piyi Zu

@harlan4096 @Berny @nexon

I am now FULLY SURE that the Microsoft Defender platform update (KB4052623 version 4.18.24010.12) released in February is the cause of the BSOD problem. I reproduced the BSOD with the following steps:

1. Reset Windows (deleting all files)

2. Turn Boot-Start Driver Initialisation policy on and set the policy to allow "only good" drivers to be initialised.

3. Restart Windows: nothing happened.

4. Install Kaspersky Free 21.3. Restart Windows: nothing happened.

5. Restart Windows again: nothing happened.

6. Download the update from Windows Update Catalog website (see the picture), install it and restart Windows: BSOD appeared with code Inaccessible_Boot_Device.

PS: There was nothing in C:\Windows\System32\drivers\wd before installing the platform update. But after installation, the four .sys files I showed in the last post appeared (see the picture).

 There are only two ways to solve this bsod:

1. Do not change the Boot-Start Driver Initialisation Policy (leave it unconfigured). Or downgrade this policy from "only good" to "good and unknown".

2. Do not install the Microsoft Defender platform update (KB4052623 version 4.18.24010.12).

 

Thank you all for focusing on this uncommon problem. Contacting Microsoft is beyond my time. I hope the reproduction of the BSOD will be of some help if you want to further investigate the problem.

 
