[SOLVED] Win10-22H2 Security Update(KB5027215) installs to 90+% and "rolls back": System is a Win10-22H2-OSbuild 19045.2913

There are a large number of Kaspersky "orphans" showing in your latest FRST.txt and Addition.txt logs, which suggests that Kaspersky did not uninstall cleanly, so we'll have to remove the remnants and search for others, but we won't do that until we've investigated the disappearance of your Thunderbird folders.

Don't recall scripting the removal of anything related to Thunderbird, and can't find anything in your Fixlog that would suggest that FRST has removed anything related to Thunderbird either.

Let's see if we can find if your missing Thunderbird profile is still present ...

  • Start FRST.
  • Hit your Windows Key + R to open a Run window
  • Type Notepad then click OK
  • This will open an empty Notepad document
  • Copy/Paste the following into it (Don't include the word Code: ) .....
Code:
Folder: C:\Users\JK\AppData\Roaming\Thunderbird\Profiles
  • Save it as fixlist.txt to the same location as FRST (must be in this location)
  • NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log
 
@Gary R OK. First, I did a search for Kaspersky & found remnant files related to Kaspersky Security Cloud... I used the Kaspersky Removal Tool in Safe Mode & removed it (I also used BC Uninstaller to search for leftover files/folders). All that was found, and that I removed, was:
  1. Kaspersky_Upgrade_Launcher_{278ADC42-419D-4547-A6CA-5B74BE0AD901} | | "C:\Program Files\Common Files\AV\Kaspersky Lab\upgrade_launcher.exe" /waitUpgrade
I believe Kaspersky Secure Connection was part of the package Kaspersky Security Cloud - my oversight. I should've remembered this fact, as I installed Kaspersky Security Cloud and never installed a standalone Kaspersky Secure Connection.

Re. Thunderbird email data:
The profile folder location is d:\Users\TB-AppData-Roaming\Thunderbird\
Before your response I had already started with the recovery process. (Note: I use IMAP, so hopefully "ALL" mails are back.) It's still busy "rebuilding/populating/syncing" the data.

Issue NOW: This issue I have now seems to be related to Kaspersky Secure Connection - it was somehow "involved" in the network traffic/connection management and since it was removed as a separate part to the whole Kaspersky Security Cloud package it seems to have had an adverse effect on my connectivity. I've reset TCP/IP by using the NetShell utility and my internet connectivity seems "stable" now.

Current:
I've rerun the FRST scan (with List BCD enabled). Please find log files "FRST.txt and Addition.txt" attached/zipped. I see that the log files still "mention" Kaspersky entries... above my "pay grade"... LOL
Let me know what you see/find. Thanks.
 


Glad you were able to recover your Thunderbird data.

Still a few Kaspersky remnants to take care of, plus a few driver remnants from NoMachine ....

  • Start FRST.
  • Hit your Windows Key + R to open a Run window
  • Type Notepad then click OK
  • This will open an empty Notepad document
  • Copy/Paste the following into it (Don't include the word Code: ) .....
Code:
Edge Extension: (Kaspersky Protection) - C:\Users\JK\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ahkjpbeeocnddjkakilopmfdlnjdpcdm [2023-06-28]
VIV Extension: (Kaspersky Protection) - C:\Users\JK\AppData\Local\Vivaldi\User Data\Profile 1\Extensions\ahkjpbeeocnddjkakilopmfdlnjdpcdm [2023-04-19]
U4 nxdm; no ImagePath
U4 nxfs; no ImagePath
U4 nxpcap; no ImagePath
U4 nxsshd; no ImagePath
U4 nxtun; no ImagePath
U4 nxusbd; no ImagePath
U4 nxusbh; no ImagePath
U4 nxusbs; no ImagePath
S3 klids; \??\C:\ProgramData\Kaspersky Lab\AVP21.3\Bases\klids.sys [X]
C:\ProgramData\Kaspersky Lab
AV: Kaspersky Security Cloud (Enabled - Up to date) {4F76F112-43EB-40E8-11D8-F7BD1853EA23}
AV: Kaspersky Security Cloud (Enabled - Up to date) {0AB30972-4BAC-7BEE-CBCA-B8F9E68797D8}
AS: Kaspersky Security Cloud (Enabled - Up to date) {B1D2E896-6D96-7460-F17A-838B9D00DD65}
FW: Kaspersky Security Cloud (Disabled) {774D7037-0984-41B0-3A87-5E88E680AD58}
  • Save it as fixlist.txt to the same location as FRST (must be in this location)
  • NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log
 
@Gary R I took the liberty of performing the following... In case.
After "fixlog.txt" procedure I ran a new scan with FRST (Included the List BCD) — Find attached FRST.txt and Addition.txt logs (zipped)
 


Looks like you'll have to uninstall the Kaspersky extensions in Edge and Vivaldi manually. FRST used to be able to do it if they were scripted, but changes to both browsers now mean that extensions can only be removed using the browsers' inbuilt tools.

Add, turn off, or remove extensions in Microsoft Edge - Microsoft Support
Using Extensions in Vivaldi | Vivaldi Browser Help

Other than that, the other remnants appear to have been removed.


So, back to your updating problem.

It's not entirely clear what is causing the rollbacks. We have a number of theories, but we'd like to gather a bit more information to determine which (if any) are applicable.

So, first I'd like you to create a bootlog, so we can see what (if anything) may be causing problems when Windows re-boots to install an update.

  • Download Process Monitor to your Desktop.
  • Launch the program.
  • Click on Options and then select Enable Boot Logging
    • When prompted, do not check Generate thread profiling events, just click OK
  • Close Process Monitor

Next ...

  • Reboot your computer, and when fully booted ... launch Process Monitor
  • You will be prompted with "A log of boot-time activity was created by a previous instance of Process Monitor" and asked if you want to save the collected data now. Click Yes
  • Save the log created ... Bootlog.pml ... to your Desktop.
  • Close Process Monitor

Next ...

Upload the log to a file sharing service ...



Next ....

I'd now like you to try updating your computer with ProcessMonitor running whilst you do ....


  • Run Process Monitor
    • Leave this running while you perform the next steps.
  • Try updating the system just like you have in the past.
  • Stop Process Monitor as soon as it fails.
    • You can simply do this by clicking the "Square" icon on the toolbar (third one from the left) or by hitting Ctrl+E
  • Select the File menu ... Save ... and save the file to your Desktop.
    • The name will be LogFile.PML.
  • Zip the file, and upload to a file sharing service.
  • Provide the link to LogFile.PML
  • Examples of services to upload to are WeTransfer and TransferKit and SendFileOnline

Also attach a copy of your ... C:\Windows\Logs\CBS\CBS.log ... with your reply.
 
@Gary R OK, the extensions are a bit of a mystery. I searched the extensions in both browsers AND NOTHING FOUND! I even tried installing it again so that I could uninstall them, but they're not even listed in the extension stores?

Here's the link to the "Bootlog.pml" file so long. I'll get to the next process of running "Process Monitor" whilst updating OS as soon as I have more time to spare.
A quick query: Must I enable boot logging in "Process Monitor" again before I start the Windows update, seeing that the "unable to complete update" usually occurs after Windows restarts and just around 90+% completion, at which point Windows rolls back the update and restarts again and only then boots to the Windows login screen.
 
Yes, if the updates only fail when windows reboots, then please enable boot logging on Process Monitor.

What I'm trying to catch is what process fails and triggers the rollback, because so far it's not been clear exactly what that is; we've just been "fixing" things as they show in the various CBS logs, which is analogous to treating the symptoms rather than the cause.

Looking over your first bootlog now, which should give me a "normal" datum line to compare things against.
 
@Gary R Hi. Done the below as requested... See link (weTransfer) AND Attached: CBSlog (zipped) + a screenshot of update window post update failure.
"Next ....I'd now like you to try updating your computer with ProcessMonitor running whilst you do ...."
  • Run Process Monitor
    • Leave this running while you perform the next steps.
  • Try updating the system just like you have in the past.
  • Stop Process Monitor as soon as it fails.
    • You can simply do this by clicking the "Square" icon on the toolbar (third one from the left) or by hitting Ctrl+E
  • Select the File menu ... Save ... and save the file to your Desktop.
    • The name will be LogFile.PML.
  • Zip the file, and upload to a file sharing service.
  • Provide the link to LogFile.PML
  • Examples of services to upload to are WeTransfer and TransferKit and SendFileOnline
Also attach a copy of your ... C:\Windows\Logs\CBS\CBS.log ... with your reply.

Post Update Fail_8-Jul_Screenshot_1.png
 


@Gary R Oh, FYI there were two updates that ran: the .NET 4.81 update and the 2023-06 Cumulative Update for Windows 10 Version 22H2 for x64-based Systems Security Update (KB5027215).
 
Latest CBS.log does not show what I need to see, can you please post your whole CBS folder.


Can you also do the following please ....

  • Open the Start menu of Windows and type CMD.
  • When you see Command Prompt on the list, select the option Run as administrator.
  • An Administrator Command Prompt window will open
  • Copy and paste the command below into the command prompt and press enter, to load your DRIVERS hive.
Code:
reg load HKLM\DRIVERS C:\Windows\System32\Config\DRIVERS

Next ...

  • Double click Frst64.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Copy/Paste or Type the following line into the Search: box.
    • Press the Search Registry button.
    • When finished searching a log will open on your Desktop ... SearchReg.txt
    • Please post it in your next reply.

Next ...

Export registry key as hive file.
  • Open the Start menu of Windows and type CMD.
  • When you see Command Prompt on the list, select the option Run as administrator.
  • Copy and paste the following command into the command prompt and press enter.
Code:
reg save "HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}" "%userprofile%\Desktop\Class.hiv"
  • Once done, a file will appear on your desktop, called Class.hiv.
  • ZIP this file and attach it to your next reply.
 
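Added example, not part of the thread: the posts above keep coming back to CBS.log ("fixing things as they show in the various CBS logs", "Latest CBS.log does not show what I need to see"). This PowerShell function pulls the Error lines out of a CBS.log together with the lines logged just before each one, so the failing operation and its HRESULT can be found without reading the whole file. The line layout it parses (`<date> <time>, <Level> <Source> <message>`) is the standard CBS.log format; the sample log at the bottom is constructed for illustration and is not from this user's machine.

```powershell
# Added example (not from the thread): triage a CBS.log by extracting Error lines plus context.
function Get-CbsErrors {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$Context = 3    # number of preceding lines to keep with each error
    )
    # CBS.log line layout: "<date> <time>, <Level> <Source> <message>", e.g.
    # "2023-07-09 10:15:30, Info                  CBS    Exec: Processing started."
    $linePattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?<level>\w+)\s+(?<src>\w+)\s+(?<msg>.*)$'
    $hrPattern   = 'HRESULT = (?<code>0x[0-9A-Fa-f]{8})(?: - (?<name>\w+))?'

    for ($i = 0; $i -lt $Lines.Count; $i++) {
        # -notmatch short-circuits the -or, so $Matches is only read for lines that matched
        if ($Lines[$i] -notmatch $linePattern -or $Matches.level -ne 'Error') { continue }
        $ts  = $Matches.ts
        $msg = $Matches.msg
        $code = ''; $name = ''
        if ($msg -match $hrPattern) { $code = $Matches.code; $name = $Matches.name }
        # the operations logged immediately before the error are usually the interesting part
        $before = if ($i -gt 0) { $Lines[([Math]::Max(0, $i - $Context))..($i - 1)] } else { @() }
        [pscustomobject]@{
            Time    = $ts
            HResult = $code
            Name    = $name
            Message = $msg
            Before  = @($before)
        }
    }
}

# Constructed sample log (not real data); 0x800f0922 is the documented CBS_E_INSTALLERS_FAILED code.
$sample = @(
    '2023-07-09 10:15:30, Info                  CBS    Exec: Processing started.  Client: WindowsUpdateAgent'
    '2023-07-09 10:15:31, Info                  CBS    Perf: Stage chain started.'
    '2023-07-09 10:16:02, Warning               CBS    (constructed warning line for the sample)'
    '2023-07-09 10:16:05, Info                  CBS    Exec: Execute chain started.'
    '2023-07-09 10:16:40, Error                 CBS    Failed to execute execution chain. [HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]'
    '2023-07-09 10:16:41, Info                  CBS    Exec: Rolling back.'
)

Get-CbsErrors -Lines $sample | Format-List
# Against the real file on the affected machine (elevated prompt):
# Get-CbsErrors -Lines (Get-Content C:\Windows\Logs\CBS\CBS.log) | Format-List
```

On the sample this returns one record, timed 10:16:40, with HResult 0x800f0922, Name CBS_E_INSTALLERS_FAILED and the three preceding lines in Before. On a real machine the rollback is usually preceded by a long run of Info lines naming the component or driver being staged, so raising -Context (10 or 20) is often worthwhile; CBS.log is rotated into the CbsPersist_*.cab files in the same folder, which is why the whole CBS folder was asked for above.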
@Gary R OK, herewith CBS folder (zipped).
I seem unable to "pause" updates and the OS keeps on trying to install "Quality Updates". The last one got to 100% and then the "couldn't install" message appeared... undoing updates... and rebooted to login screen. I managed to start ProcMon with boot logging enabled.
Please see link > weTransfer: Procman Bootlog_9-Jul

I've also included a screenshot of post windows update fail as well as system's update history FYI.

Win Update Post restart Screenshot_1_9-Jul.png

Update History Screenshot_1_9-Jul.png
 


I've added some extra instructions to my previous post .... Win10-22H2 Security Update(KB5027215) installs to 90+% and "rolls back": System is a Win10-22H2-OSbuild 19045.2913 .... please follow them, and post the logs required.

No need for any further ProcMon logs, we already have what we need for the present. It's not entirely clear yet what's causing the rollbacks, but the earlier ProcMon logs have given us some avenues for further investigation (hence the added instructions in my previous post).
 
@Gary R OK, done

  • After CMD (admin) command: reg load HKLM\DRIVERS C:\Windows\System32\Config\DRIVERS I executed FRST and searched for fvevol
  • Attached is the ... SearchReg.txt
THEN...
  • Again CMD (admin) command: reg save "HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}" "%userprofile%\Desktop\Class.hiv"
  • I had to modify the command slightly - see attached image and zipped file attached

Regkey_Hive_Export_Screenshot_1.png
 


Thanks. Going to have to consult on what the latest logs show, may take a while. Will get back to you ASAP.
 
Can you post me a copy of your latest CBS hive please ...

  • Click on the Start button and in the search box, type regedit
    • When you see regedit on the list, right-click on it and select Run as administrator
  • When regedit opens, using the left pane, navigate to the following registry key and select it by clicking on it once.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing

  • Once selected, click File > Export....
    • Change the Save as type: to Registry Hive Files (*.*)
    • Name this file ComponentBasedServicing (with no file extension) and save it to your Desktop.
  • Right-click on the saved file and choose Send To -> Compressed (zipped) Folder.
  • Attach the .ZIP file to your next post.
  • If the file is too large to upload here, please upload to a file sharing service.
  • Examples of services to upload to are WeTransfer and TransferKit and SendFileOnline
 
Thanks.

Just want to check on something reported in your ProcMon logs, because it doesn't match with what I can see in your previous CBS Hive export. Most probably me misinterpreting something, but always best to check.

Update ... new CBS Hive has unfortunately not resolved the matter I was investigating, so at the moment I'm consulting with my more experienced colleagues to see if we can work out what's causing your rollbacks.

Probably going to take quite some time, but I will get back to you as soon as I can.
 
The procedure I'd like you to follow next does contain an element of risk, so I strongly recommend you back up your system before proceeding any further.

The risk element isn't a particularly great one, but it does exist, and it would therefore be foolish not to take precautions.

So once you've created your backup .....

  • Start FRST.
  • Hit your Windows Key + R to open a Run window
  • Type Notepad then click OK
  • This will open an empty Notepad document
  • Copy/Paste the following into it (Don't include the word Code: ) .....
Code:
cmd: sc stop fvevol
cmd: sc config fvevol start= disabled
cmd: sc stop iorate
cmd: sc config iorate start= disabled
cmd: sc stop rdyboost
cmd: sc config rdyboost start= disabled
cmd: sc stop volsnap
cmd: sc config volsnap start= disabled
  • Save it as fixlist.txt to the same location as FRST (must be in this location)
  • NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

Next ....

Please reboot your computer

Next ....


  • Start FRST.
  • Hit your Windows Key + R to open a Run window
  • Type Notepad then click OK
  • This will open an empty Notepad document
  • Copy/Paste the following into it (Don't include the word Code: ) .....
Code:
cmd: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f} /v LowerFilters /t REG_MULTI_SZ /d fvevol\0iorate\0rdyboost /f
cmd: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f} /v UpperFilters /t REG_MULTI_SZ /d volsnap /f
cmd: sc config fvevol start= boot
cmd: sc config iorate start= boot
cmd: sc config rdyboost start= boot
cmd: sc config volsnap start= boot
cmd: sc start fvevol
cmd: sc start iorate
cmd: sc start rdyboost
cmd: sc start volsnap
  • Save it as fixlist.txt to the same location as FRST (must be in this location)
  • NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

Next ....

Please reboot your computer again to finalise the changes made.
 
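Added example, not part of the thread: the two fixlists above first disable the four volume filter drivers (fvevol, iorate, rdyboost, volsnap) and then rewrite the LowerFilters/UpperFilters values of the Volume device class key and set the drivers back to boot-start. Before running them, and again after the final reboot, a practitioner would want to see exactly what the filter stack and the driver start types look like. This elevated PowerShell audit does that. The "expected" values are an assumption, taken from what the second fixlist writes (which is the stock Windows 10 layout), not from this user's logs.

```powershell
# Added example (not from the thread): audit the Volume class filter stack and the four filter
# drivers touched by the fixlists above. Run from an elevated PowerShell before and after the fix.
$volumeClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}'  # Volume device class
$servicesKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$filterDrivers  = 'fvevol', 'iorate', 'rdyboost', 'volsnap'

# Assumption: expected layout is what the second fixlist writes (stock Windows 10)
$expectedFilters = @{
    LowerFilters = @('fvevol', 'iorate', 'rdyboost')
    UpperFilters = @('volsnap')
}
# Meaning of the Start DWORD under HKLM\SYSTEM\CurrentControlSet\Services\<driver>
$startTypeNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-VolumeFilterStack {
    # REG_MULTI_SZ values are returned as string[]; a missing value is returned as $null
    $key = Get-ItemProperty -Path $volumeClassKey -ErrorAction Stop
    foreach ($valueName in 'LowerFilters', 'UpperFilters') {
        $actual = @($key.$valueName | Where-Object { $_ })   # drop $null / empty entries
        [pscustomobject]@{
            Value    = $valueName
            Actual   = ($actual -join ',')
            Expected = ($expectedFilters[$valueName] -join ',')
            Ok       = (($actual -join ',') -eq ($expectedFilters[$valueName] -join ','))
        }
    }
}

function Get-FilterDriverState {
    foreach ($driver in $filterDrivers) {
        $svc = Get-ItemProperty -Path "$servicesKey\$driver" -ErrorAction SilentlyContinue
        # Kernel drivers are not listed by Get-Service; Win32_SystemDriver reports their run state
        $cim = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$driver'"
        $start = if ($null -ne $svc) { [int]$svc.Start } else { -1 }
        [pscustomobject]@{
            Driver    = $driver
            Start     = if ($start -ge 0) { $startTypeNames[$start] } else { 'MISSING' }
            State     = if ($cim) { $cim.State } else { 'n/a' }
            ImagePath = if ($svc) { $svc.ImagePath } else { '' }
            # healthy: boot-start (Start = 0) and currently running
            Ok        = ($start -eq 0 -and $cim -and $cim.State -eq 'Running')
        }
    }
}

Get-VolumeFilterStack | Format-Table -AutoSize
Get-FilterDriverState | Format-Table -AutoSize
```

Run it once before the first fixlist to record a baseline. After the first fixlist the four drivers should report Start = Disabled (stopping a boot-start filter that is already attached to live volumes may fail, which is part of the risk mentioned above). After the second fixlist and the final reboot, every row should show Ok = True: both multi-strings matching the expected list and all four drivers Boot/Running. Note that sc.exe needs a space after the equals sign (`start= boot`); without it the command is rejected and the driver stays at whatever start type it had.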
@Gary R OK. I do need my laptop daily, so any length of downtime is not ideal for me. However, what level of risk are we talking about:
  • Would restore point backup be enough, or not;
  • Would a system's recovery disk be enough, or not;
  • Would I need to do a full disk/partition backup?
 
