Kaspersky
Question

Any connection between KART 5 (3660) and BSOD Critical Service Failed


Userlevel 2

Has anyone else noticed a connection recently between the upgrade to KART5 and some BSOD errors stating “Critical Service Failed” ?
I’m asking for input. I’ve witnessed this exact same error on 8 computers, so far, that I help maintain. The only connection between all of them was KART4 > KART5 upgrade. At first I thought it was related to the new Win10 update but I’ve ruled it out as it’s not the same BSOD. Other Win10 computers that had other or no protection did not have any issues.

The BSOD results from the complete deletion of the contents of Catroot, DriverStore and some runtimes from System32. There are only a few processes that have access to these folders.

I’m grateful for any other input.


This topic has been closed for comments

133 replies

Userlevel 1

Hi pdwk,

We also have a similar problem. Many of our clients’ PCs were stuck in a boot loop after a Windows update restart. We first thought that was the already known issue with the KB500802/KB500808 update. But in our case all of the affected PCs had to be reinstalled from scratch - no recovery option was working.

The BSOD error was: CRITICAL SERVICE FAILED.

All of those computers had Kaspersky 5.0.0.0 installed. We noticed that Kaspersky was showing a pop-up window a few times during the day, then after a restart they crashed.

We had this issue on 9 computers.

 

Were you able to restore those affected PCs?

 

Another strange thing: Since we suspected a buggy Windows update causing those problems, we installed Kaspersky again on the freshly installed PCs. We downloaded the latest Kaspersky Anti-Ransomware Tool for Business from the webpage “KART_5.0.0.92320-Business.exe” - after installing that exe, I checked the version in the Control Panel and there the version number is 3.0.1.3039 whereas in the Kaspersky Tool under Settings - Get Support it’s shown as 5.0.0.3039. Very confusing!!!

 

Best regards lnet

Userlevel 2

Hi Inet,

On a few computers where I reinstalled KART the version remains at 5.0.0.3660. That is after I installed KART4 and let it auto-update. I have not tried the KART5 direct install package. I stopped installing it though.

As for recovery, yes. The first few were complete reinstalls but after some testing I discovered that the BSOD was caused by all the missing *.cat files. My fix involves
1) Copying all the *.cat files from c:\Windows\servicing\Packages\ into c:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\  either via a command prompt.

2) That allows the computer to boot. THEN once the computer boots back up normally I need to find all the various files to refill the C:\Windows\System32\DriverStore folder. Either from a backup of that workstation or a donor computer with a similar configuration. The computer works ok without these files but you won’t be able to add new devices.

3) Final step is quickly reinstalling the VC++ runtimes from Microsoft. 

All that gets the computer back to a working state. I have also successfully done a different process of:
1) Copy *.cat files as above
2) Install or force re-install 20H2 via the MediaCreationTool20H2 and the option “Keep files AND apps”. This takes longer but makes me feel better about the system as a whole.

 

I have been trying to recreate the exact scenario that causes this by setting up various virtual machines but so far they are working great.

Userlevel 1

Hi pdwk,

Thank you for the hints - we will test them tomorrow - so until now you were not able to recreate this bug? Can you tell us when exactly your crashes happen? Were there any signs of a crash?

 

Userlevel 2

Hi Inet,

Correct. I have NOT been able to recreate the bug. The only common item between all the computers that experienced this bug was KART. We have identical computers with identical software except for other antivirus solutions and they have been working perfectly fine throughout this. Heck, maybe it was a bug that was fixed in KART before anyone noticed.

As for what happens, it’s hard to say. Seems to happen shortly after a reboot. Many users reported seeing the KART update message (Agree to the terms / Activate) and either ignored or Agreed. There were also multiple reports of the screen going black for 10 seconds or longer. However at that point the computer still works fine and can keep working fine. So it’s possible the files were erased days before and no one noticed as they didn’t reboot their computer.

I know the computer keeps working fine as I was able to save a computer before a reboot. A user reported they could NOT print. I went to the computer and found that the files (as mentioned above) were all deleted. At that point I immediately copied the *.cat files while still in Windows and then tested the reboot. The computer rebooted fine. I also noticed that while the *.cat files are missing I cannot open Services or run MMC. I receive a security error.

In one case while I was still diagnosing, I copied the *.cat files as stated, restarted. KART remained installed. Computer rebooted fine, files then disappeared. Copied them again, rebooted, files disappeared. Removed KART, copied them again, rebooted… files stayed there. This is what pointed me towards KART. I wish I had paid more attention to the KART version and kept that workstation for more testing.

Finally I am exploring other possibilities. There are previous reports of the built-in Windows Disk Cleanup erasing those files by mistake so I have also tried adding that to my testing. Have you ever used Windows Disk Cleanup on your workstations?

Userlevel 1

Hi peek,

 

thanks again for your precious hints and experiences.

 

We are at the same point.

The only common item between all the computers that experienced this bug was KART.

 

Interesting that many users on your side reported seeing the KART update message. Actually this and the fact KART was the only item between all the computers that experienced this bug was what made me think KART was involved. Also other users reported they only had BSOD when printing but then PCs started normally whilst ours did not start.

Very cool u found that the *.cat files were all deleted. How did u find this out?

Perfect u did test copying the cat files then removing KART and testing again. It would have been the final solution if we knew which KART version is the cause.

We have many PCs we did not yet shut down for some days. We will do a check if all of them have the cat files and will check the KART version if we find one without the cat files.

 

Did you uninstall KART on all your PCs or is there one specific version or minimum version up which are safe ?

We still do not know if uninstalling KART would be the best solution to make sure the problem does not arise again (and first checking on the same ones if cat files are there). Would disabling KART services be the way to go. Or completely uninstalling after checking cat files are there ?

 

To which version does KART automatically update right now ? the different version number under control panel and KART itself are very confusing. 

 

Not sure yet how all of this is influenced by the buggy Windows update, printing operations and printing errors and/or if only the fact Windows reboot was initiated.

I guess windows update in combination with one specific KART version creates the problem. Not sure if all KART are auto updating to that one after some time.

That would mean more PCs affected in the next days after the next reboot.

 

Unfortunately Windows local Restore with the option keeping files deleted the program files folder so we cannot check which exact KART version the affected PCs had.

The file appearing on the desktop after windows restore  “removed apps on Windows refresh” does state:

Kaspersky Anti-Ransomware Tool for Business    Kaspersky Lab    5.0.0.0

 

We did not start the built-in Windows Disk Cleanup on these workstations. Maybe back in time on some we did but surely not on all affected ones up to now.

 

Is there any Kaspersky Support reading our post ?

 

Are we both the only ones having KART installed and having these problems? Don't find other info on the internet regarding this.

 

Userlevel 1

Yesterday we had 2 PCs with Windows with 20H2 and Windowsupdate KB5000802 installed (not sure since when they had this installed) where we installed the Hotfix KB5001567. On the next reboot they did not start anymore.

Could be caused by KART having in the meantime updated or emptied the folders, and therefore the Hotfix influencing it only because of its requested restart of Windows...

Userlevel 2

 Hi Inet

 

I have found only one other mention of this problem on a Polish news site. I have tried to msg the author and tried to post a comment asking for info or asking about Kaspersky. No response so far.
Link: https://www.dobreprogramy.pl/Microsoft-sa-problemy-z-marcowa-aktualizacja-Windows-10.-Nasz-czytelnik-tez-ucierpial,News,113843.html
It is mentioned in the last paragraphs of the news article.

As for the *.cat solution, I found this article that led me to that discovery:
https://rquintino.wordpress.com/2017/05/11/recovering-from-windows-10-boot-blue-screen-critical-service-failed-disable-drivers-signature-enforcement-unsigned-drivers/

and
https://rquintino.wordpress.com/2017/05/19/disk-cleanup-and-windows-10-boot-blue-screen-critical-service-failed-disable-drivers-signature-enforcement-unsigned-drivers/

Extra note. That first news article mentions that System Restore gives an error. This was true for us too. It can be fixed with a quick regedit and a restart.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}
UpperFilters        REG_MULTI_SZ     volsnap
I found this cause and solution was related to another Kaspersky product.

https://www.reddit.com/r/GoroHome/comments/c9i6rl/kaspersky_removal_tool_kavremover_chkdsk_volume/

To answer some of your questions.
We have removed KART on all our PCs for now. Our process involves installing KART4 and letting it auto update itself to 5. You cannot stop the auto-update so there is no way to stop at any specific version. So we completely removed it to be safe.

I agree about the Windows Update needing a reboot and then users noticed the problem and thus blame the update.

 

Userlevel 2

I now have another laptop from a client with the same issue and again KART5 installed. I am doing some extra testing with it to try and get more exact information.

Userlevel 1

Hi pdwk,

Unfortunately your solution to copy the *.cat files did not work for us (tried it on 3 different PCs). I also tried to copy the *.cat files from a working PC and this didn’t work either.

In your case - was the folder you specified above in the CatRoot empty? Could you tell in advance which PC will have the issue after a reboot?

Do you think removing the KART tool on an already affected PC works?

The issue is somehow connected to printing files and/or opening pdf files - a client told me that after opening a pdf file an error occurred (unfortunately we have no picture of the error) and after printing that pdf the computer crashed.

 

Userlevel 2

That’s unfortunate. So far all of my workstations with this problem have been recovered with the cat copy. 
To specify further, the c:\windows\system32\catroot folder contains 2 folders with specific GUIDs.  The important one is named “{F750E6C3-38EE-11D1-85E5-00C04FC295EE}” . It is within THAT folder that I copy the *cat files. I will include the exact command line we have been using below:

copy /y C:\Windows\servicing\Packages\*.cat  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\

Translation: Copying all the *.cat files from c:\Windows\servicing\Packages\ into c:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\

I will add this printing PDF test to my VMs in the hopes of re-creating the problem. Thank you,

Userlevel 2

I forgot to add: Removing KART on an already affected PC will not help. Removing it will not replace the deleted files. I’m wondering if running some form of file-undelete might help.

Userlevel 2

I am now 100% positive that it is KART causing this. But I don't know why. I have used the laptop and copied the *cat files over and over again.
- I used a program named ProcMon to log all processes at boot. It shows that KART tried to delete every file in the 'catroot' folder and then tries to delete the folder (fails as the folder isn't empty).  Screenshots: https://ibb.co/2jmkZbJ   and  https://ibb.co/B6qgJjQ
- Disabling KART service from Safe Mode stops the file deletion. Starting it again causes the files to delete.
- Changing ANY setting in KART (user mode, protection, malware, etc) does NOT help. Files are still deleted. 
- Accepting or reading the new license agreement does NOT help. Files are still deleted.
- My version is KART 5.0.0.3660    (aka 3.0.1.3660) Screenshot https://ibb.co/5sry0Rf
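
The ProcMon evidence described in the post above can be summarised per process from a CSV export of the boot log. This is an added example, not part of the original post: it assumes ProcMon's default CSV column names, and the rows and the process name `example-agent.exe` are constructed sample data.

```powershell
# Added example: summarise delete requests under CatRoot / DriverStore
# from a Process Monitor CSV export, grouped by process and result.

# Constructed sample rows (not taken from the thread's screenshots).
# For a real capture use: $rows = Import-Csv -Path .\bootlog.csv
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"08:01:12.1000000","example-agent.exe","1234","SetDispositionInformationFile","C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\a.cat","SUCCESS","Delete: True"
"08:01:12.2000000","example-agent.exe","1234","SetDispositionInformationFile","C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\b.cat","SUCCESS","Delete: True"
"08:01:12.3000000","example-agent.exe","1234","SetDispositionInformationFile","C:\Windows\System32\catroot","NOT EMPTY","Delete: True"
"08:01:13.0000000","svchost.exe","900","CreateFile","C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\a.cat","NAME NOT FOUND","Desired Access: Read Attributes"
"08:01:14.0000000","explorer.exe","4321","SetDispositionInformationFile","C:\Users\demo\AppData\Local\Temp\x.tmp","SUCCESS","Delete: True"
'@
$rows = $sample | ConvertFrom-Csv

# Folders named in the thread as being emptied.
$ProtectedPattern = '\\Windows\\System32\\(catroot|DriverStore)(\\|$)'

function Get-ProtectedDelete {
    param([object[]]$Rows)
    $Rows | Where-Object {
        # A delete request appears as a SetDispositionInformation* operation
        # whose Detail column carries the delete flag.
        $_.Operation -like 'SetDispositionInformation*' -and
        $_.Detail -match 'Delete: True|FILE_DISPOSITION_DELETE' -and
        $_.Path -match $ProtectedPattern
    }
}

$hits = @(Get-ProtectedDelete -Rows $rows)

# One line per (process, result): who asked for the deletes and whether
# they succeeded. A folder delete that fails shows up with its own result.
$hits |
    Group-Object -Property 'Process Name', 'Result' |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# First and last matching timestamps help correlate with service start.
if ($hits.Count -gt 0) {
    'First: {0}  Last: {1}' -f $hits[0].'Time of Day', $hits[-1].'Time of Day'
}
```

On the sample this reports two successful deletes and one failed folder delete for the same process, and ignores the unrelated read and the temp-file delete.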

Userlevel 1

thanks for your feedback.

strange the copy of the cart is not making our pcs boot again whilst on yours  they did with the same copy syntax.

how can we identify if a windows is already affected ?

 i tried to compare the cat files before restarting some working windows pcs after uninstalling kart and they were the same in both folders but still some of them did not restart.

 

i also did write to Kaspersky in regarding. did u as well ?

 

so u found out that KART 5.0.0.3660  (aka 3.0.1.3660)  is causing the problem ? Is this the version all Windows update to automatically ?

Userlevel 1

i have kart installed on Windows Servers as well. 

 

Did not uninstall/restart them by now. 

 

Do u have it installed on Servers as well ? Did u uninstall them ?

 

What would be another valuable anti-ransomware tool to install in the meantime? Tested some but any convinced me.

I activated folder protection in Windows anti-ransomware by now...

Userlevel 2

Hi again Inet. Thank you for all your input.

-We’ve been lucky that copying the *cat files always works. We identify affected PCs simply by that. IF the c:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ has less than 100 files in it, the PC will not boot.

-I have heard in other (unrelated) BSOD that turning OFF “Disable drivers signature enforcement” allows the PC to boot but that did not work in our case. Do some of your PCs have that permanently turned off for other reasons?

-I did not write to Kaspersky. I guessed because it was a free product there would be no support. I wish you luck. Please let me know if they respond.

-Yes. ALL our Windows KARTs update to 5.0.0.3660 but some PCs with that version work fine and never experience the problem.

-We do not have it on our servers. We do pay for another product for our small amount of servers. We have many workstations so a free option was the best choice.

-I have not found any other product as small, simple and free as KART. It was great for years until this problem. We have also added the folder protection in Windows Defender Antivirus.
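
A read-only pre-reboot check built on the indicator given in the post above (fewer than 100 files in the CatRoot GUID folder). This is an added example, not code from any poster or from Kaspersky; the `DriverStore\FileRepository` subfolder and the uninstall-registry lookup by display name are assumptions.

```powershell
# Added example: flag a workstation that is likely to fail its next boot,
# using the file-count indicator from this thread. Makes no changes.

$CatDir      = Join-Path $env:SystemRoot 'System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
$SourceDir   = Join-Path $env:SystemRoot 'servicing\Packages'            # source used for the copy fix
$DriverRepo  = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'  # assumed subfolder
$MinCatFiles = 100                                                       # threshold quoted in the thread

function Get-ItemCount {
    param(
        [string]$Path,
        [string]$Filter = '*',
        [switch]$Directory
    )
    # A missing folder counts as zero rather than raising an error.
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    @(Get-ChildItem -LiteralPath $Path -Filter $Filter -Directory:$Directory `
        -Force -ErrorAction SilentlyContinue).Count
}

function Get-KartInstall {
    # Reads the same data Control Panel shows. Per the thread, this version
    # can read 3.0.1.x where the tool itself reports 5.0.0.x.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Kaspersky Anti-Ransomware Tool*' } |
        Select-Object -Property DisplayName, DisplayVersion
}

$catCount = Get-ItemCount -Path $CatDir -Filter '*.cat'
$kart     = @(Get-KartInstall)

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    CatFiles       = $catCount
    CatSourceFiles = Get-ItemCount -Path $SourceDir -Filter '*.cat'
    DriverPackages = Get-ItemCount -Path $DriverRepo -Directory
    KartInstalled  = ($kart.Count -gt 0)
    KartVersion    = ($kart.DisplayVersion -join ', ')
    # True means: do not reboot until the catalog files are restored.
    RebootAtRisk   = ($catCount -lt $MinCatFiles)
}
```

`CatSourceFiles` shows whether `servicing\Packages` still holds catalog files to copy back before the machine is restarted.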

Userlevel 1

Hi again pdwk. Thanks again to you !

 

-very strange the cat copy did boot ours up again and that even both folders were the same before restart workstations did not boot after.

-disable drivers signature did not work for us. very strange indeed no recovery option did work. i don't know about some of our pcs having drivers signature off. should i check out if the ones not affected do have this disabled? how?

-let's see if kaspersky responds. i also left feedback on kart uninstall dialog.

-i am very concerned about the servers. also i am very concerned leaving all pcs and servers without anti-ransomware. i tried Sophos but i never had Sophos finding a ransomware whilst kart did stop some of them. KART was good because we were able to use server specific antivirus and microsoft antivirus on windows 10 + kart. do you use other antivirus on client than the microsoft one?

-unfortunately i had the same experience: no one as simple as KART, Acronis, cyberransome and Bitdefender not anymore available, the others still available are or in beta, not simple, only folder protection or not starting the service

-we have more than 1000 files in the cat folder

-i found this:

indeed this is very similar if not exactly the same we are experiencing now...

Userlevel 1

I just found a Windows PC with Windows 1909 which has Kaspersky 4.0.0.1003(b). Does this version of KART not automatically update or does the autoupdate of KART not work because of the older Windows 10 Version 1909 ?

Would it be an option to install this older Kaspersky and to not update it or is this too risky because i noticed KART 5.0.0 does state is the first compatible with Windows 10 20H2

Userlevel 2

I had also seen that forum post.  I feel it is exactly the same. But why Kaspersky would cause this? Sadly that user also had to do a full reinstall.

I also talked about this problem and forum discussion when uninstalling KART. Hopefully they read it and take it seriously.

It is very strange that even with all the *cat files your computer won’t boot. I was very happy when that simple solution worked for us. I’m sad that it didn’t help you.

To check the driver signing on a working PC. Use cmd prompt , Run As Admin, then type:

bcdedit

IF it is disabled on the working PC you will see a row for nointegritychecks ON. Screenshot: https://ibb.co/XJw7rZ9

On important laptops we pay for ESET ( about 12 laptops). We were using KART to help with less-important laptops. We are in the process of KART removal and trying to encourage backup to either Google Drive or OneDrive. Not sure what the next steps will be.

 

Userlevel 2

Interesting. I don’t know for sure. Possibly KART will not update since it is 1909. BUT if the computer updates to 20H2 then KART will probably auto-update to version 5 then.

Having the same issue on multiple machines. Restoring .cat files as suggested did not work. Do we also need to copy over the .MUM files by chance from the Windows\Servicing\Packages folder?

Userlevel 2

I’m sorry to hear that. I was hoping my solution would be able to help others. 
No, for us it was only the *cat files. On a fresh Win10 install the {71a27cdd-812a-11d0-bec7-08002be2092f} folder only contains *cat files

Has there been any response from Kaspersky support regarding this issue  or do they not provide any support for this product since it is free?

Userlevel 1

hello Dtech99,

i got any response in regarding till now.

I suggest all of us writing them again to make sure there is a response ?

 

Userlevel 1

Has anybody any experience with server os in regarding ?

 

I did not yet do any restart of them but one is showing KART as a white task logo which does not mean any good :-(

 

So how do we contact support? I tried and it asked for a company account which then asked for an activation code and I do not have one since it is a free product.