Sophos Cloud Optix
Microsoft has advised all users of Windows 7 (and the server version, Windows Server 2008) who installed a security update on Tuesday to uninstall it, after some customers found their computers would not restart or applications would not load.
Users who experienced problems described how they saw fatal system errors like the following:
STOP: c000021a {Fatal System Error}
The Session Manager Initialization system process terminated unexpectedly with a status of 0xC000003a (0x00000000 0x00000000).
The system has shutdown.
The problem appears to be connected with Update 2823324 in Microsoft Security Bulletin MS13-036, a security update for the Windows file system kernel-mode driver (ntfs.sys).
In a blog post on the Microsoft Security Response Center, the company blamed the problem on conflicts with third-party software:
We are aware that some of our customers may be experiencing difficulties after applying security update 2823324, which we provided in security bulletin MS13-036 on Tuesday, April 9. We’ve determined that the update, when paired with certain third-party software, can cause system errors. As a precaution, we stopped pushing 2823324 as an update when we began investigating the error reports, and have since removed it from the download center.
Contrary to some reports, the system errors do not result in any data loss nor affect all Windows customers. However, all customers should follow the guidance that we have provided in KB2839011 to uninstall security update 2823324 if it is already installed.
According to media reports, computers in Brazil have been particularly badly hit – with machines continually rebooting.
Microsoft’s knowledgebase article on this issue, explains that one symptom of the bug can be that Kaspersky Anti-Virus for Windows may display a message claiming its license is invalid, and that as a consquence it may no longer provide anti-malware protection.
Microsoft has already acknowledged the issue and said that it’s working on a fix. Yes, that’s right. Some people had problems with the Patch Tuesday update, so there will be an update. But in the meantime, don’t update the bit that’s broken.
Users are recommended to block the 2823324 security update or uninstall it if its already present. More information on how to do this is detailed in this Microsoft knowledgebase article.
What about people who have installed the update, restarted and everything 'seems' to be working ok?
Microsoft appears to confirm that the issue is only affecting *some* users. My guess is that if you’re not using one of the offending third-party products then you may not be impacted by the problem.
However, the official recommendation from Redmond is to uninstall the patch. I can understand why they’re showing an abundance of caution, as no-one likes a computer that isn’t booting properly or has had its anti-virus disabled.
Seems strange to me to tell people to remove a security patch on systems that are functioning properly. The idea of decreasing my computer's security because some other users might be having issues related to software that I never use seems silly to me.
I for one am glad I installed the patch on my Windows 7 machines and have no intention of uninstalling it, since my systems are functioning perfectly fine!
it has affected my video driver on my thinkpad it caused an error with my extended monitor could not figure out what was going on till reading this article uninstalled the security update and presto no more problem with monitor . but what was the security update for ?
Hi shaine,
This security update contains an updated ntfs.sys driver and a win32k.sys driver. Both of these are kernel mode drivers.
It is the new NTFS driver that is causing the issue. This update was designed to address an issue when the NTFS driver improperly handles a Null pointer that has been not been de-referenced correctly.
Microsoft has removed the download links for update kb2823324 since for an attacker to use this flaw they need to have physical access to your computer and so you are at much less risk because of this fact. The attacker would first need to be in front of your computer. This updates is still available via Windows Update.
This is mentioned in the following Microsoft blog post:
http://blogs.technet.com/b/msrc/archive/2013/04/1…
Full details on this update are provided in the Microsoft Security bulletin mentioned by Graham (above). Here is the direct link:
http://technet.microsoft.com/en-us/security/bulle…
I hope this helps. Thank you.
So how do I go about uninstalling it if I’ve already restarted and I don’t seem to be experiencing any problems? Unless I’m missing something, my computer doesn’t fit into either of the scenarios Microsoft are offering assistance for. I’ve already restarted and my computer isn’t failing to start either.
I'm in the same position. I managed to uninstall the update by following the instructions for scenario A – "computers that have installed security update 2823324 but have not yet restarted" – and then restarting.
Hi Deg,
If you are not experiencing any issues but still wish to uninstall, you can follow these steps to remove the update:
1.In Control Panel, open Programs, and then click View Installed updates.
2.Select Security Update for Microsoft Windows (KB2823324), and then click Uninstall to uninstall the security update.
These steps come from the knowledge base article linked to by Graham at the end of his blog post. That knowledge base article also describes how to uninstall the update if your computer will not start.
I installed this update on Tuesday evening and have routinely restarted my PC several times since then. I have not experienced any issues thus I am going to leave the update installed. If Microsoft release a new version of the update and I am offered it via Windows Update again, I will install it only then.
I hope this helps. Thank you.
We are NOT all administrators, Deg.
Move the world to running as standard user and when people offer advice they'll eventually realise that they have to point out the need for admin rights in their answers.
Directions to uninstall the update are provided in the KB article that is linked above:
http://support.microsoft.com/kb/2839011
What is unclear here is whether you can remove the update in safe mode if it starts affecting you. If you can it's no big deal, just continue working, and if the bug hits later, remove the update.
If on the other hand you can't remove the update once the s*t hits the fan, then we'd better all renove the update now.
The MS KB luckily tells us that the former is the case; the update can be removed from the command prompt *if you have an install disk".
I Updated my Dell Laptop but I never found the update I guess microsoft removed it before I updated.
Don't you just love how well 'tested' the software is these days?
Glad we have a System Restore feature as that seems to be the only saving grace in this saga.
Try to imagine how expensive software would be if every program writer had to staff sufficiently to test EVERY possible combination of software and hardware. If testing seems poorer today than it did 10yrs ago, it might have something to do with the shorter acceptable dev time tables and a much larger number of software writers all dumping their application onto systems with 30 other software writers.
I uninstalled the update, restarted, then went out to Windows Update. Sure enough, there's the same update waiting to be installed! If this is such a concern to MS, then why didn't they pull the Windows Update after they've told users to uninstall it?
I did not have an issue here, but we are not taking the chance of issues cropping up, so we've pulled it from our WSUS server.
If it ain't broke don't fix it. I just removed it and had trouble restarting windows 7 after ….
how to start a computer which can not start any more ?
Hi toto,
I am sorry to hear that you are experiencing an un-bootable computer.
As AJA mentioned in their comment above, the instructions on how to remove this update when your PC is unbootable is provided at the following link:
http://support.microsoft.com/kb/2839011
If you require any further advice, please let us know. Thank you.
You will probably need something like a Windows 7 recovery disk. The Windows 7 install disc might let you boot up into recovery mode, I am not sure. Either way, once there, there is an option to use Windows 7's system restore. Before installing Windows patches, Windows usually makes an automatic system restore, unless system restore was otherwise disabled before hand. In a situation like this, a bootable disk and a Windows 7 restore can be a life saver.
Simplest method to use system restore in a non-bootable machine that recently installed the security patch:
Option 1: Recover the last Restore Point
Restart by using the F8 key.
Select Repair your Computer.
Select the language, and then log on to the computer.
Note If you do not know the local password, you must start by using a Windows 7 DVD or USB bootable media. Then, access System Recovery Options.
Select System Restore from the menu:
Restore the last restore point. This uninstalls security update 2823324.
Restart the computer into normal mode.
@ Deg,
Go into control panel/programs/view installed updates…Find Update 2823324 (easiest to refer to the date you did this month's update), uninstall, restart.
Do they say what the third party software is? Is it just Kaspersky or are there other products?
it also affected bitdefender internet security 2013
I had problems with XP computers running an old version (5) of Avast (the free version). An XP machine running Avast 8 and a Windows 7 64-bit laptop running Avast 6 have been fine. I fixed my problem by updating to Avast v8 on one computer and uninstalling Avast and using Microsoft Security Essentials on the other one.
I had it installed and had no issues with rebooting, but went in and found it anyway, which wasn't as easy as I thought as the first batch of 4/10 updates didn't have it listed and I thought they were in date order, but scrolled down and found it anyway. Uninstalled and rebooted, and here I am. But here is what is funny, and annoying. Windows update is offering me the same dang patch again! If I hide that patch, will the ultimate fix ever be visible to me?
I have the same issue, Gene. I thought it was being removed from the update links?
Hi Beatlefan,
You are correct, the update remains available for download via Windows Update but the links for the kb2823324 update in the Security bulletin no longer work.
http://technet.microsoft.com/en-us/security/bulle…
This is mentioned in the following Microsoft blog post:
http://blogs.technet.com/b/msrc/archive/2013/04/1…
@Gene: I would set the Windows Update settings to:
Check for updates but let me choose whether to download and install them
Or
Download updates but let me choose whether to install them
This way when the revised update is made available you can download it then (this is a pre-caution only as you should in theory be able to un-hide any update you have previously hidden) but the above approach works around that issue.
I hope this helps. Thank you.
one word.. LINUX!
The most singularly perfect word I know and so – yes, get LINUX…!!!
I'm a little torn about uninstalling a security patch when my system is still working. Once the security patch is released, the "bad guys" can start analyzing it to figure out what the problem was in the first place, and devise an attack for unpatched systems. If everyone removes the patch, well, that attack is likely to be pretty successful.
This issue may go further back then what Microsoft is saying. I am dealing with an issue with some Patches that attempted to install back in February and did not install properly. These patches were Security patches for Win 7 64 bit systems that worked with the kernal and changed the system configuration preventing the system from booting correctly and causing the system not to allow new secuirty patches to install. Microsoft while they are aware of the issue, because I have spent a lot time trying to various steps to fix the problem none of the steps actually works. The MS Office Patches install correctly, but not the O/S patches or the IE Patches. The only work around that I have been able to get to work correctly is to tell the system to go back to the last known good configuration and to turn off Microsoft updates because the updates do not install properly. Other updates like Java, Flash, Adobe, Antivirus, continue to update correctly.
My computer will not power up at all. Now what?
Hi Michele,
Sorry to hear that.
Please follow the advice provided in the following knowledge base article by Microsoft (see the Resolution section) and/or see the advice provided by the commenter named Scott (above):
http://support.microsoft.com/kb/2839011
If you require any further advice, please let us know. Thank you.
Check if it is plugged in an outlet
I uninstalled it, but when windows checks for updates it is back on the list. I thought it was removed from the update links?
Hi Beatlefan,
Please see the clarification that I provided in my response to your comment above (in your response to gene's comment). It should answer your question. If not, I will be happy to provide any further assistance that I can.
Thanks.
Just uninstalled 2823324. I then checked for any available updates and 2823324 is NOT offered.
Hi Basil,
That's interesting. Perhaps Microsoft have decided to take it down from Windows Update to avoid any further disruption/inconvenience.
Thanks for this information.
Removed and then it download and installed straight away
Kaspersky played up, so I uninstalled 2823324, restarted the PC and things are ok now.
Sounds more like they are trying to get users to migrate to linux, lol.
Easy to fix for a tech but not for the majority of Windows' users. With all the money that Microsoft cashes in from software vendors who need to have verified and approved their drivers, that should have never happened.
I installed this on April 12. Was this a corrected version?
Hi Rod,
Microsoft have not announced any revised/corrected version of this update yet.
You can monitor the Microsoft MSRC blog and their Twitter feed for any progress updates that they wish to provide:
http://blogs.technet.com/b/msrc/
https://twitter.com/msftsecresponse
I hope this helps. Thank you.
The news comes a bit too late unfortunately :/
Mine failed to restart the first time and jammed up but after forcing it to power off it restarted on the second try.
How do I uninstall it and how do I ever check whether I have that update installed?
I went to control panel, add/remove programs, then choose the updates and found it in there, it's still available as a download though, so i choose whether or not i install now from microsoft.
the update went through fine, however, when i'd leave my computer running for an hour….it took awhile to bring it out of the mode it was in, enough to make me worry something was wrong.
I updated with no problem.
Microsoft announces that the best way to avoid problems with Windows 7 is to purchase and install Windows 8.
I had several issues after installing the 9 patches on 4-9 Patch Tuesday. Did not even think of the patches as possible cause of issues. Here were some of the issues I experienced: fingerprint reader would not function to start up, had to use other credentials; some desktop icons moved on screen upon restart after installing updates; security zone on AV product (not Kaspersky) changed, preventing wireless from working.
The first two were inconveniences, the third was a frustrating couple hours of rebooting modem and router without resolution and digging around to discover the issue. Thank you Microsoft! I've put less maintenance into a truck I've owned for 35 years than I've had to put into the 4 computers with MS OS I've owned over the last 12 years. Isn't technology wonderful?
Uninstalling it caused me further problems. My computer wouldnt boot. Started it in Safe Mode and it is working OK now but update still there – can't get rid of 2823324
I uninstalled on laptop and laptop booted back OK but when I look in update list – it is still there! I don't intend to do any more until Microsoft know what they are about as uninstalling is causing me more problems than the update being there!
Hi Lynn,
Since you laptop is once again working, you are correct, leaving the update installed is definitely the best course of action.
If at any time you wish to uninstall it, there are alternative methods to uninstall it as described in the following Microsoft Knowledge base article (see the Resolution section) or you can also follow the advice provided by the commenter named Scott (above):
http://support.microsoft.com/kb/2839011
———————————————————–
Scenario B: Recovery steps for computers that have installed security update 2823324 and are now failing to start
Option 1: Recover the last Restore Point
Option 2: Recover the last Restore Point
Option 3: Uninstall security update 2823324 at the command prompt
———————————————————–
If you require any further advice, please let us know. Thank you.
Ignore my previous post above – KB2823324 has gone from Laptop and Desktop. I was looking at update history instead of installed updates.
Did have trouble uninstalling on Desktop though but not on laptop.
Get a Macintosh! 🙂
I've read this only affects 32-bit systems.
Is that correct?
On phone with ms now. Because i did everything to recover from black screen, per their instructions, no change. They toldd me i need to upgrade from vista and when i told them no i am not the only person that still cant use compter a week after theirr error …. they hung up on me !!! Am now on hold for a supervisor. Oh, they are emailing directions for me to read from phone. Yippee. Not. I told them i already followed their online diections. I bet they just sent me same. Is it possible to find anyone that gives a crap?
Hi Mary,
I am sorry to hear about the issues you have been facing.
Microsoft have now replaced the defective update kb2823324, with kb2840149 which should work without issues.
This is now available via Windows Update. I installed it on my PCs a few minutes ago and everything remains normal.
In the FAQ of the following security bulletin, Microsoft provides a link to an ISO file that can be used to create a bootable disc to recover your PC and repair it to a working state:
https://technet.microsoft.com/en-us/security/bull…
Full details are provided in the Update FAQ within the above link.
This ISO is available from the following link:
http://www.microsoft.com/en-us/download/details.a…
Please note that is has the following limitations:
1) This will not run on old hardware (pre 2004) that does not support NX (i.e. DEP).
2) This will only run on Windows 7 32 bit installations.
3) It will not work if BitLocker is enabled.
Further steps to repair your PC are available in the following knowledge base article:
http://support.microsoft.com/kb/2839011
The Microsoft Support staff are only trying to assist you. While it is a frustrating situation, please try to work with them as best as you can.
If I can assist any further, please let me know and I will be happy to do so.
I hope this helps. Thank you.
The only reason I found out about this was because Windows Update popped up saying there was an important update to be installed a few minutes ago, so I Googled it wondering why when the next patch Tuesday isn’t for a while yet. Glad I found out before anything happened to my computer.
Hi, i got windows update on the 13th of April. It was successful but i didn't try to re-open my laptop. I went out of town for a month and left my laptop in our office. When i got back, tadaaaaa . . . It turned on eventually, tried to boot up at windows and goes to HP diagnostics window.
I patiently tried a couple of times (10x) but the same occurs.
I tried system restore on the last restore point. That time i saw the last update for windows. I tried to click the last restore point prior to the update. Unfortunately, nothing happened. It's been 4 days now and i am thinking of going to any computer shop that would do something. But i guess they'll just reformat my HDD and re-install the OS.
Is there other option other than reformatting my HDD? Badly needs advice. 🙁
The update was tranfering all my system files to another drive. Previously, all my system files was on C:. Now, i used a 2.5HDD adapter and checked the contents of my affected laptops HD, it is already on drive D:. C: is empty. All my files are intact in D: and i guess that's the reason why all affected PC's are rebooting. Not unless it's not the same case.
Can i just remove C: and rename drive D? Any inputs guys? Badly needed help before doing last option >>> reformat… grrrr
f8 on startup. run safe mode, msconfig in windows, turn of antivirus on startup, restart and/or delete antivirus.
It crashed BOTH of my computers!! I had to completely reformat my laptop. GRR. And my desktop fixed itself, but now it says it has no boot drive! I will never use IE again.
My computer was at my summer home. Emachine, 1 year old. I hooked up a new wireless router to it, ran the startup disc, and then once connected to internet BAM! I got the fatal error then my pc shut down. I cannot get it back on! What do we do once this happens? How do we uninstall something if we can't get into our pc?
Well I uninstalled it and my laptop continues to stop responding, nothing will load up,or at least if it does it just stops responding. Anything anyone could advise that I should do?
Mistakely i have installed Windows XP Servicepack 3 in my windows 7 computer.
now my computer is not starting.i want to uninstall Windows XP Servicepack 3 from my
computer.
when i am starting my computer it is showing following option
option I.
launch startup repair (recommended) after i click on this option windows load some files but doesn't move further.{this is due to some changes in hardware or software this is shown in first line of window)
option II.
start normally after i click on this option windows load some files but doesn't move further.
please suggest me how to solve this problem
thanks in advancs
I am so pI$$ed off with windows malfunctioning, that I am seriously thinking of dumping Windows altogether and getting an An Apple Mac. The latest malfunction fiasco is around two or three time an hour I get flags up saying my Kaspersky, and internet security is turned off, Apparently this is a known fault, but along with several others Microsoft/ Windows couldn't give a $hy- te!!
Precisely why my next machine will be a Mac. This is my last MS machine. Apparently musicians are also not that important as customers to MS as well since much of my recording and sequencing software doesn't work anymore with Win 7 due to removal of key architecture involved. Such BS should not be tolerated!
Done with MSBS