MS update gives some XP boxes the Blue Screen

Applying the latest patches from Microsoft can cause Windows XP machines to crash with the infamous blue screen of death. Updating systems with the MS10-015 bulletin, which addresses "important" vulnerabilities in Windows Kernel, can cause machines to lock up when restarted before falling into a never-ending reboot loop. The …

COMMENTS

This topic is closed for new posts.
  1. David Gosnell

    "booting from a Windows CD or DVD"

    If you're lucky enough to have one...

    Thankfully we do, though at least as equally thankfully we also managed to avoid this problem!

  2. Anonymous Coward
    Thumb Down

    This is why...

    ... the first thing I do after I've completed an XP setup is disable System Updates (after I've installed an AV/Firewall).

    I've been bitten too often by "updates" that crash my PC.

    1. Tim Cook

      Yes, but

      That's kind of stupid. The chances of an unpatched machine getting nobbled (firewall or not) are probably far higher than one of these updates causing damage.

      1. Stephen 27
        Gates Horns

        But, yes

        I always disable automatic updates, but I always manually apply updates when the notification comes up.... except today when I had a chance to read this (and other) article and now I can wait for M$ to fix the problem.

        Being up to date is very important, but it is even more important to make informed decisions on patch management. I don't have blind faith that every patch is safe.

      2. Number6

        That depends...

        Disabling them completely is not a good idea, but setting it to the option where it will notify you of the existence of updates without blindly installing them is sensible. Then you can install them when it's convenient for you.

        I've had a machine doing something overnight before now that I hadn't realised was set to install updates. Along comes an update, machine reboots on its own in the middle of the night, goodbye to what it was doing and I lose time because it failed to complete the test run.

        1. Anonymous Coward
          Gates Horns

          Auto-updates

          Probably just before that update came an update that turns automatic updating back on, even when you've expressly turned it off.

          Thank you, MS.

    2. Anonymous Coward
      WTF?

      Seriously?

      There are some things AV/Firewalls can't secure, and not all updates are security updates.

      Not updating because nothing has ever happened doesn't mean nothing ever will.

    3. N2

      Yes but

      Over the last 8 years, I've personally had far fewer problems switching crap dates off than from any problems through not updating.

      It is, after all, the fear of not updating that underpins Microsoft's business model, which I don't subscribe to.

  3. Anonymous Coward
    Anonymous Coward

    RE: This is why...

    This is why as well as a "Good Microsoft" and an "Evil Microsoft" icon, we need El Reg to provide us with one that clearly indicates that MS have committed yet another technical blunder...!

    1. Bilgepipe
      Thumb Up

      FacePalm

      A Facepalm icon, perhaps with Gates' or Ballmer's face.

      1. Sparckus
        Happy

        Frank Ballmer?

        A merged image of Steve Ballmer and Frank Spencer would be much better :)

  4. Chris Mitchell

    Vista as well as XP

    Vista's also affected, at least on my wife's Vaio laptop...

    1. Al Jones

      What makes you think the problem is Vista, and not Vaio

      Given Sony's bizarre attitude to unstandardizing the Vaios, my first thought would be which bit of Sony cruft is breaking Windows.

      1. Chris Mitchell

        Nope, it's the updates and not the Vaio crap

        Because it was working, then the updates went live and it stopped. I removed the updates and it worked again. To check, I allowed Update to redo what it wanted and went through the whole cycle one more time.

  5. DarkElfa
    Thumb Up

    It's a conspiracy

    MS did it on purpose to try and convince people to upgrade to 7 by making XP look unstable. ;)

  6. Andrew Bush
    Thumb Up

    Many thanks

    Thanks Guys, that update has been sitting there for a couple of days. Just excluded that particular patch (977165) from the process and perhaps saved a whole load of bother.

  7. Elmer Phud

    Fortunately

    It's not done it to me so fa

    1. hplasm
      Happy

      Me too-

      My sofa is also unaffected.

    2. Anonymous Coward
      Joke

      Ditto

      It's not done it to my sofa either... :0)

  8. Annihilator
    Coat

    Advice

    No doubt the official support from Microsoft is "we recommend upgrading to Windows 7 for the best Windows experience"?

  9. Anonymous Coward
    Grenade

    Let's just check the release notes here:

    "MS10-015: addresses an issue where Windows XP fails to boot to the Blue Screen Of Death, potentially enabling authorised users to get some work done"

  10. Linbox
    FAIL

    Fantastic

    My mate's work computer died this morning with BSoD, safe mode wouldn't work and a quick fixboot/fixmbr didn't fix it. Whole day wasted trying to rebuild another computer, copy backups and generally dick about.

    So who gets to pay the $$$ in maintenance charges?

    1. Crazy Operations Guy

      Fixboot and fixMBR

      They only fix Boot sector and boot file related issues, wouldn't help here. Last known good might work

  11. T.Omoto
    Gates Horns

    Not the first time...

    Around November, a patch was released that wouldn't bluescreen, but also put certain combinations of PCs in the never-ending boot condition, making me a very busy person. Many people thought a "virus" broke their computers, and I'm somewhat tempted to agree. Haven't found a way out other than to revert the patch and stop Windows updates altogether.

  12. Kristian B
    FAIL

    Microsoft killed our systems again!

    Just a couple of months ago, several of our Windows XP machines got screwed up by a false-positive antivirus alert which caused the antivirus service to delete critical system files. We couldn't believe it at first, all users login to limited accounts but the weak link was the antivirus service.

    The machines wouldn't boot normally but did boot into safemode. Unfortunately, the System Restore facility failed so we couldn't just roll back to a restore point. While manually restoring the system, Microsoft's anti-piracy subsystem kicked in, rendering the system useless as it disallowed safemode logins.. and the system wouldn't boot normally. So we were locked out because Windows didn't think its licence had been activated, but we couldn't login to register/activate it!

    Now just a couple of months later, this has happened.. an official Microsoft update has rendered the systems unusable again!

    We're now looking at deploying a Debian-based Linux distribution on all our desktops. Microsoft Windows is far too unstable for serious business use!

    1. FlatSpot
      WTF?

      hmm

      or deploy a centrally managed decent AV product which would no doubt be a lot simpler and give a better ROI

    2. Anonymous Coward
      Anonymous Coward

      So...

      You work for a company who don't bother to test their AV releases before rolling them out, this then caused the AV software to kill the OS and you blame the OS' stability? Furthermore, you then decide that the easiest way to resolve this problem is to switch OS. Good luck with that.

  13. Pink Duck
    IT Angle

    Hm, which to do first... patch or back up?

    Makes me think that perhaps I should perform that monthly backup before patching :) Either that or wait until the Friday for the ill effects of those critical patches to be discovered.

  14. DEAD4EVER
    FAIL

    microsoft updates cause blue screen

    microsoft are doing this on purpose to get people away from xp altogether cause they know people won't move to vista or 7 because either they can't afford to move or their systems don't support the new os. chances are their system won't support it, the drivers in particular. my mother's laptop is over 4-5 years old, it came preinstalled with xp home and i've tried 7 on it and straight away loads of features got disabled when i did, so i solved it by moving back to xp using the recovery cd.

    1. Bilgepipe
      Thumb Up

      Deliberate

      You're right, I think this is deliberate. And because it's a Microsoft patch, it didn't work properly and a great deal fewer machines were affected than were intended. Even their malware sucks...

  15. KarlTh

    News I'm picking up

    is that the issue is affecting PCs which have been rootkitted and the rootkit is being hosed by the update.

    1. TeeCee Gold badge
      Happy

      Seems right

      The linked MS thread has info here. Seems that the problem may be due to the TDSS rootkit. Replacing the infected atapi.sys that this POS puts in place with a kosher one on affected machines seems to fix the problem (as does uninstalling the "dodgy" patch - for which instructions are provided).

      This would explain why those machines affected don't seem to have anything else in common by way of configuration.

      If this does turn out to be the root (hah) cause, I don't think we can blame MS......well, not for this particular cockup anyway. I'll keep the flamethrower on standby 'til a definitive answer turns up.

  16. Anonymous Coward
    Grenade

    BSOD's linked to r00t'd boxen ...

    Check the comments section after the SANS/ISC article:

    http://isc.sans.org/diary.html?storyid=8209

    Hmmm, Sony ... Vaio ... probably came with a root kit!

  17. SurvivalTime
    WTF?

    Ohh so I wasn't wrong in my thoughts...

    I just got settled into my new place, internet just tuned up after 3 days of withdrawal...Good Ol Microsoft Update! I went into reboot cycling, tried fixing it, spent 4 hours on the phone (mostly on HOLD) intermittently interrupted by some thick Indian accented individual NEVER mentioning.."Ohh that...we know about that" Even after describing my problem.

    Now they make the push to upgrade...the only thing I'm likely to upgrade to is LINUX (wonder how Mandrake is...haven't used that in a while). I just KNEW I was going to find this cheezy steamin pile of BAD NEWS!! I had a feelin this was the cause, now it's confirmed!

  18. Anonymous Coward
    Linux

    what, me worry?

    if this backfires, all i need to do is delete the virtualbox image and copy a backup image and i'm good to go.

    i have a basic + fully patched winXP/Office 2007 virtual machine used only when i need to do office work.

    tux because it was a better match to Alfred.

  19. tempemeaty
    Alert

    ...and Vista....

    Wandering around the internet looking at this wonderful new achievement from Microsoft I think it may not be just Win XP.

    Quote from "Ars Technica" dot com

    "The majority of users who are complaining about the issue are on Windows XP, but some users in the thread mention this occurs for them on Windows Server 2003 and Windows Vista."

  20. Crazy Operations Guy
    Alert

    AV or Drivers

    The update is supposed to fix certain kernel issues, many times such patches disable features and system calls that shouldn't be used in the first place, but some drivers use them anyway.

    I have dealt with similar problems involving Kernel updates not playing well with drivers

  21. N2

    Ho hum

    Good job I haven't 'upgraded' from Win 2K then

    :-D

  22. Steve Basford
    Terminator

    rootkit ahoy

    Systems with a rootkit seem to blue screen after the update:

    https://patrickwbarnes.com/blog/2010/02/microsoft-update-kb977165-triggering-widespread-bsod/

  23. Shane McCarrick

    Other issues introduced too

    I've noticed other issues on some machines I've updated, including previously stable machines dropping wireless connections, and any previously installed clients for managing connections (such as the MSI manager) being disabled in favour of allowing Windows to manage connections. I've had to reinstall drivers and apps on 3 different systems thus far. I'm far from happy.......

  24. Anonymous Coward
    Thumb Up

    Nothing new

    Once upon a time Windows XP SP2, when it first came out, after installation broke my firewire card driver from initialising properly. If you left the network enabled in Windows it would not boot, just a black screen. Had to pull the card out and disable it.

    Then with Vista I did one of those "high priority updates" which caused the machine to be stuck in a reboot loop, and the only way of fixing it was to plug the drive into a Linux machine and delete the pending.xml file. On installing the update a second time it was fine.

    This is the crappiness you expect from Microsoft, learn to live with it.

  25. Mark Allen

    Thanks

    Ahh... perfect. This solved a puzzle I had with a Toshiba laptop. After following the instructions in the Microsoft post, the BSOD has gone.

    I had a different error number for the STOP, but fixed the same way by uninstalling that update.

    (Good to see MS put the answer at the TOP of that thread instead of having to wade through a discussion)

  26. Robert Carnegie Silver badge

    Back up first.

    My recipe: keep the Windows/applications system partition separate and small (15 GB plus hibernation file, page file 4000 MB on a separate volume), and back it up regularly, particularly before a Windows Update session. But do apply those updates promptly, because bad people examine them specifically to find out how to hack computers that haven't got 'em.

    Maybe a failed update will work when applied a second time - for instance if the order of different updates matters. If you leave an update off, note the description of the risk that it addresses, and avoid doing the risky thing e.g. clicking on hyperlinks in e-mail.

    I've been using Knoppix 6.2 Linux on bootable CD or USB stick, and specifically partimage, to make a single copy of volume C split into 333 MB files (which pack nicely onto CDs or DVD), but I'm planning to switch to ntfsclone because partimage apparently has a problem with volumes containing bad sectors(?) I had an unpleasant virus-type experience while using SystemRescueCD which may not have been its fault.

    If you don't use hibernation or if you disable it before backing up, a hidden file C:\hiberfil.sys equal to your RAM size is NOT included in the backed-up volume. If something goes wrong with Windows (and it has), you can just boot Linux and restore C to the way it was. (We don't need no steenking restore points!)

    Of course the saying applies "You only THINK you've got a backup" - it's better to have a fallback position in case your latest backup fails when you try to restore. Also, verify your CDs or DVDs, including by comparing files to the files on disk.

    Keeping your backups away from nosy people is an exercise you can work out for yourself!

  27. Anonymous Coward
    WTF?

    No Problems Here

    Here it's been pushed out by WSUS to over 200 PCs and I've had no problems...

  28. Anonymous Coward
    Go

    500 XP clients...

    patched so far and counting with NO problems, sounds like another mountain out of a mole hill to me. I suspect in the grand scheme of things the number of affected units will be very low, nothing to see here.

  29. Anonymous Coward
    Anonymous Coward

    I've heard...

    ... (but it may not be true) that it seems to be tied to certain device drivers or even perhaps device firmware. If so then MS testing probably wasn't as thorough as it should be. However, if this does turn out to be the case I'm willing to bet MS will manage to spin it that the drivers concerned did not comply with Windows standards.

    Of course it might not be the case at all, I don't think we've had a single BSoD reported out of over 4000 XP machines patched this week and that covers a huge variety of hardware.

  30. Doug Glass
    Go

    Why Not Just ....

    ...uninstall it via the Control Panel's "Add or Remove Programs"? Add a check to show updates and it's listed under Windows XP with a "Remove" button.

  31. Doug Glass
    Go

    Of Course ...

    ... if you can get to the Control Panel you're likely having no problems. Oh silly me!

  32. DougCuk
    Alert

    Malware can be the trigger

    I am dealing with this issue on a customer's PC as I type. Having read many of the posts on this problem I would just give the following summary.

    The most common trigger for this issue appears to be a pre-existing malware infection - especially a Rootkit infection of the ATAPI.SYS file. The key giveaway for this infection is that the infected ATAPI.SYS file has no Version Tab when you look at its properties panel. Replacing this file with a clean copy can be the start of the cleanup and often allows you to boot the system. The following link may be helpful:

    https://patrickwbarnes.com/blog/2010/02/microsoft-update-kb977165-triggering-widespread-bsod/
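
The "no Version tab" tell described in the post above corresponds to a driver file that carries no RT_VERSION resource. The following is an added example, not part of the original thread or of any tool it mentions: it checks a copy of atapi.sys for that resource and compares its SHA-1 with a reference value you supply. The sample images and the helper names (`build_sample_pe`, `triage_driver`) are constructed for illustration, and the file is assumed to have been copied from an offline boot such as the Live CD / BartPE mentioned elsewhere in the thread.

```python
import hashlib
import struct

RT_VERSION = 16  # resource type ID holding VS_VERSIONINFO (what the Version tab displays)


def build_sample_pe(resource_type_ids):
    """Constructed minimal PE32 image with one .rsrc section (sample input only)."""
    rsrc_rva, rsrc_off = 0x1000, 0x200
    entries = b"".join(struct.pack("<II", t, 0x80000000) for t in resource_type_ids)
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(resource_type_ids)) + entries
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_rva, len(rsrc))  # data directory #2
    sect = struct.pack("<8sIIII12xI", b".rsrc", len(rsrc), rsrc_rva,
                       0x200, rsrc_off, 0x40000040)
    header = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(rsrc_off, b"\0") + rsrc.ljust(0x200, b"\0")


def resource_dir_offset(image):
    """Return the file offset of the PE resource directory, or None if absent."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", image, pe + 6)
    opt_size, = struct.unpack_from("<H", image, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", image, opt)
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)                # PE32 / PE32+
    if dir_base is None:
        raise ValueError("unknown optional header magic")
    dirs = opt + dir_base
    n_dirs, = struct.unpack_from("<I", image, dirs - 4)
    if n_dirs < 3:
        return None
    rva, size = struct.unpack_from("<II", image, dirs + 2 * 8)
    if rva == 0 or size == 0:
        return None
    for i in range(n_sections):                                  # map RVA to file offset
        s = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, s + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    return None


def has_version_resource(image):
    """True if the top-level resource directory lists an RT_VERSION entry."""
    try:
        off = resource_dir_offset(image)
        if off is None:
            return False
        named, by_id = struct.unpack_from("<HH", image, off + 12)
        first_id_entry = off + 16 + 8 * named                    # named entries come first
        for i in range(by_id):
            type_id, _ = struct.unpack_from("<II", image, first_id_entry + 8 * i)
            if type_id == RT_VERSION:
                return True
        return False
    except struct.error as exc:
        raise ValueError("truncated or malformed PE image") from exc


def sha1_hex(image):
    return hashlib.sha1(image).hexdigest()


def triage_driver(image, reference_sha1=None):
    """Return a list of findings for one driver image read from an offline volume."""
    findings = []
    if not has_version_resource(image):
        findings.append("no version resource (Explorer would show no Version tab)")
    if reference_sha1 and sha1_hex(image) != reference_sha1.lower():
        findings.append("SHA-1 %s does not match reference" % sha1_hex(image))
    return findings


if __name__ == "__main__":
    with_version = build_sample_pe([3, RT_VERSION])   # constructed sample
    without_version = build_sample_pe([3])            # constructed sample
    reference = sha1_hex(with_version)                # stands in for a known-good hash
    print(triage_driver(with_version, reference))
    print(triage_driver(without_version, reference))
```

An empty result is not proof of a clean machine: another poster in this thread reports a file with a Version tab and a matching SHA-1 that one scanner still flagged.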

  33. sgb
    Megaphone

    Ha.

    "It's still unclear why affected systems throw a wobbler while other near-identical Win XP PCs chug along quite happily after the updates are applied."

    If you can figure this one out, perhaps you can tell me why of 6 identical brand new XP latitudes we got in recently, two wouldn't run windows update and one was missing the 'RunOnce' reg key, meaning it wouldn't install VPN software.

    This happened to me before with Thinkpads. Booted two brand new identical ones up, one bluescreened straight away.

    It's not ones and zeros, it's blood and tears.

    Simon

    1. KarlTh

      Fucked Build

      As title

  34. kissingthecarpet
    Gates Horns

    How about Win2k?

    Because a non-techie mate phoned me last night gibbering about a BSOD on his ancient 450meg Packard-Bell (famed as possibly the worst consumer PC ever sold according to some).

    I told him to reboot it & heard nothing more......

  35. Anonymous Coward
    Anonymous Coward

    977165

    Methinks this was the one Windows kept asking me to download and install

  36. theblackhand

    Assuming this is caused by a rootkit...

    I wonder if anyone who has already posted wants to update their post?

    1. Anonymous Coward
      Anonymous Coward

      Rootkit

      Hello folks - as the man says....update your garbage !

    2. Usko Kyykka
      Grenade

      A worthy observation, no doubt

      As this begs the question: "How was the rootkit code injected into a device driver - running in the inner sanctum of the OS - in the first place ?" (atapi.sys: filename extension would imply that this is a device driver. If the rest of the name is as descriptive this would seem to be the driver responsible for a rather common physical disk interface, so being able to patch this is equivalent to full access to the raw disk devices under its control.)

      1. KarlTh

        How?

        User running as Admin (BAD BAD BAD BAD BAD but too many shops do it so they can put all the stuff that should be in startup scripts or managed properly in login scripts and so they can talk users through doing *anything*), directed to dodgy site which downloads .exe. .exe sets registry keys to copy new atapi.sys on next boot, just as if a Windows update or service pack had done it. There's a writeup here http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html on how TDSS does it. I've found this on two or three machines where some support company from Hell thinks that the output from "net localgroup administrators" should include the line "NT Authority\Authenticated Users" (I kid you not, bunch of fuckwits).

    3. Matt 53
      Stop

      4 customers with this so far...

      All 4 PCs riddled with viruses, including the virtually undetectable atapi.sys TDSS rootkit and koobface too.

      Repair all that with a Live CD / BartPE and the PC boots.

      Enough said.

  37. Cantankerous Old Buzzard
    Linux

    re: AC @ 12th February 2010 14:20 GMT

    No !!!

    I will definitely NOT learn to live with it. The shoddy "products" that Micro$lop has been putting out for the past 15 - 20 years made me move to Linux to get some stability and reliability back in the Nineties.

    I refuse to tolerate and/or pay for inferior quality workmanship ANYWHERE, including computers that I use and/or maintain. Therefore, since my most charitable interpretation of "MS" comes out as "Mediocre Software" I keep as far away from the Rubbish from Redmond as I possibly can.

    1. Mikey
      FAIL

      Mmmhmmm, that's lovely...

      So that's fine, you don't need to whine about it here. If you're having an issue caused by this on a machine running the aforementioned OS, then sure, whine all you like. But you have no case or point here, because you don't use XP, or Vista, or any MS product.

      And in general, the 'hilarious' misspellings and alternate names for Microsoft haven't been funny for what... 15-20 years now? If you would like to be critical about a piece of software, then please, adopt less of a whiny, adolescent tone about it.

      And for the record? An install of XP has lasted me over 6 years now, through 2 system rebuilds, and has only ever bluescreened through wonky graphics card drivers on 3 occasions. So there, you see? It's only a crap OS if you treat it like one. Just like any system, in fact.

    2. Doug Glass
      Go

      Then Why The Attitude?

      If you're so happy with what you have, why write as if you're pi$$ed off? Methinks you feel a mite put upon. Which makes no sense since you are obviously divorced from the MS world.

  38. Estariel

    Virus?

    The SANS thread is now suggesting that the problem is caused by a virus infected atapi.sys which cannot tolerate a change introduced by this patch

  39. Robert Carnegie Silver badge

    I don't know so it must be a virus

    A virus interpretation of this is the sort of thing that could become a runaway rumour without foundation, or without in the majority of cases.

    I believe I can recall two separate cases where a story has been started that a normal file belonging to Microsoft Windows or to a common application is a virus and you must delete it, where this isn't the case at all. I think in at least one of these cases, deleting the file interferes with use of your computer.

    Then again, maybe you're right, and atapi.sys is infected. Or is a driver for out-of-date hardware in some cases. Or...

    If it is that - does that mean that your computer will boot if you remove the CD/DVD disc drive?

    Go on! It can't hurt!

  40. serendipity
    FAIL

    @Cantankerous Old Buzzard

    Oh please, if you can't generally get a modern Windows installation to run with stability and reliability, I think it says more about your lack of technical competence!!

  41. Charles Smith
    Jobs Horns

    DNSAPI not found

    After the "fix" my XP PC would not load isasse.exe (i.e. wouldn't boot properly) because it could not find dnsapi.dll

    It looked like the directory structure was knackered. Eventually fixed it using dskchk from the install DVD. It may not have been directly linked to the MS patch, but the timing is distinctly suspicious. Previously the PC had been well behaved.

  42. Usko Kyykka
    Boffin

    The SANS Institute

    I suppose Windows is implied in the name ('sans Windows') as this is a computer security outfit ?

  43. Camilla Smythe

    Fuck

    Ubuntu updates at least twice a week with loads of apparently critical shit and I have zero cluebot about what the fuck it is doing. I just click the button and stick my password up its box. Sorted.

  44. John Fielder
    Headmaster

    strange windows update

    Windows update has just installed Office 2007 SP1 and SP2 on my PC, and tried to install the Office Genuine Advantage bits as well (this failed)

    I find this odd as I do not have any version of Office installed, and have not had it installed since my last format and re-install.

    I have had to tell update to ignore this update in future, but the update web page still reminds me I have said to ignore it.

    Anyone else had a similar problem with recent updates?

  45. Doug Glass
    Go

    One More Reason ...

    ...to be responsible and run some AV with regularity and consistency. Not to mention actually understanding your computer even just a bit. Computers are like babies, you have to feed them the right stuff and wipe their smelly behinds periodically.

    The way I see it those that got the problem asked for it. Enjoy!!

  46. Anonymous Coward
    Paris Hilton

    Wax on, wax off.

    "It's still unclear why affected systems throw a wobbler while other near-identical Win XP PCs chug along quite happily after the updates are applied."

    At a plate of spaghetti for hours stare, you can. Learn you will not.

  47. El Cid Campeador
    Linux

    Works here

    I had already pushed it out (but not installed) when this news came up. Tested it on a number of systems one at a time, and none had any problems. Of course my systems are WAY locked down and my proxy has extensive block lists (thank God my boss is savvy and blows off all the complaints), so the systems are as likely to be clean as any Windows box is....

    I'm still installing it in waves just in case.

    Penguin cuz as a Windows sysadmin I know enough to refuse to allow it in my house.

  48. This post has been deleted by its author

  49. heyrick Silver badge
    Unhappy

    I dunno, has my kit been rooted?

    Avast has not flagged any issues recently. Scanning atapi.sys reports nothing. Using Sha1Sum on it reports the supposedly "good" result, plus there is a Version tab full of rubbish.

    Virustotal says the file is infected with eSafe Win32.Rootkit, gory info below:

    http://www.virustotal.com/analisis/b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9-1266022402

    (matching SHA1)

    HitmanPro scanned and reported nothing (it queried BeebEm but said no more so I guess that means it was okay). I ran it again and it said nothing at all.

    ComboFix did "a bunch of stuff" (that's the technical description <g>) which resulted in a few things being messed around, some minor config changes, but on the flip side the machine boots marginally faster.

    HitmanPro again, because I'm both slightly paranoid AND desperate.

    How accurate is virustotal? Is my atapi.sys infected or not? I won't be installing the update because recovery with an eeePC (no optical media) is less than pleasant. I'd still really like to know if I've been rootkitted or not. Do I trust a website I've only just found as a result of this problem, or do I trust a majority vote?

    BTW, for those of you not sure which update is the potential problem, as we would not normally see "MS10-015", it is the patch labelled "kb977165".

    1. Mr Grumblefish

      Same here

      However, since of the 40-odd scanners Virustotal uses only eSafe detects anything, and then only a generic rootkit, I'm calling a false positive. What is eSafe anyway?

  50. heyrick Silver badge
    Happy

    No bluescreen!

    I rebooted before intending to apply all of the updates except the troublesome one, when I noticed I had a boot menu - with a new Recovery Console option (thanks to Combofix). So I selected ALL of the updates (generally better safe than sorry, no) and upon the reboot prompt, I held a little piece of paper with the uninstall commands in my right hand, my left hand on my heart, eyes tightly closed, breath held...

    ...until, thirty six seconds later I heard the startup jingle. No blue screen, just Nyuu looking at me as the backdrop image.

    I hope Ms Bee posts both of these messages of mine as there is a kind of moral to this story. Fair enough, I *may* still be rootkitted (although the SHA1 matches that of a "good" atapi.sys and I'm not a crazy download-and-install-everything browser), but on the other hand the evidence is starting to suggest that the infection report is not entirely correct. Thus, the moral, is to take things like that with a pinch of salt. And a dash of wasabi. And a sprig of parsley just to be "posh".

    Smiley face, because...

  51. Pan Narrans
    WTF?

    *cough* Linux *cough*

    that is all

  52. kondor vlastos
    Linux

    Not only XP -

    The latest Defender update has destroyed two Vista machines, and one now claims that the OS installed by Dell OEM is not genuine. So, I sent an email to Microstuff asking for their assistance in a law suit against Dell. I had to call the Gujarati lady in Delhi to reactivate, which is a delight.

    Of course Windows is crap. Their enterprise model is thievery negating any possibility that their software would be a quality offering. Is Ballmer looking more and more like Don Rickles, or is that just me?

    Makes one grateful for the Turkish government and Pardus 2009.1.
