Forum Discussion
KB5041578 causing Windows Server 2019 to be unresponsive
MNichols
I've found a "fix" that appears to do the job, it's not particularly graceful and is manual, but at least pretty quick and doesn't require a reboot or apparent roll-back of the update. You might need patience depending on how badly affected your system(s) are... Additionally if you have any kind of IOP-limited disks on affected servers this will make them even slower; if possible, remove any IOP limit and it should be less painful.
You'll need to launch (as admin) PowerShell or CMD, services.msc, Task Manager, and Windows Explorer. I put each in a corner of the UI for ease of navigation.
- In services.msc find Cryptographic Services and Disable it. You won't be able to stop it conventionally.
- In Task Manager/Services tab look for CryptSvc and note the PID.
- In Explorer, attempt to rename C:\Windows\System32\catroot2 to something else, doesn't matter what. It will fail, because it is in-use. Leave the pop-up open.
- In PowerShell/CMD, type "taskkill /F /PID <PID noted above>".
- Quickly flick back to the "Folder in Use" pop-up and hit Try Again, it should rename.
- In services.msc put Cryptographic Services back to Automatic, the process will restart automatically very quickly so you don't need to do that. The catroot2 folder will regenerate also, and apparently not look much/at all different from the old one.
Server should be responsive again...
- Karen8488150 (Aug 21, 2024, Copper Contributor): This process worked great for me on one server. However, another server is so unresponsive that I cannot use this process. Can you please adapt this process so that the steps can be done via remote CLI to a server? Thank you.
- Shakedown1979 (Aug 21, 2024, Copper Contributor): Heya Karen - This may be something of a catch-22 situation; I found scripting it myself was problematic for just such reasons. If you have a device which is borderline unresponsive locally then any commands passed over WinRM/remote PS will equally never complete. I don't even get an eventual time-out, just a locked-up script which would never move on to the next device in a text file fed to it.
For those that are really unresponsive I've found the only fix is patience, unfortunately. You may also need to taskkill the PID (which will be different every time the process spawns) numerous times before you can rename or delete the catroot2 folder.
- Karen8488150 (Aug 21, 2024, Copper Contributor): Thank you, I guess I'll just try to be patient. If I do get this unresponsive server to process the commands you placed here, I will respond with a reply of success.
- jbruns2019 (Aug 21, 2024, Brass Contributor): Another way using posh.

    # Disable CryptSvc so it does not respawn while catroot2 is removed
    Set-Service CryptSvc -StartupType Disabled
    # Stop Windows Update, CryptSvc and BITS (-Force also stops their dependent services)
    Stop-Service wuauserv -Force
    Stop-Service CryptSvc -Force
    Stop-Service bits -Force
    # Delete the catalog database; CryptSvc rebuilds it on next start
    Remove-Item -Path C:\Windows\System32\catroot2 -Recurse -Force
    # Re-enable and restart the services
    Set-Service CryptSvc -StartupType Automatic
    Start-Service wuauserv
    Start-Service CryptSvc
    Start-Service bits

- Karen8488150 (Aug 21, 2024, Copper Contributor):

    stop-service cryptsvc -Force

This step fails due to other dependent processes. What can be done about this?
Thank you.
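An added example, not code from any poster in this thread: it strings MNichols's manual steps (disable CryptSvc, kill the hosting PID, rename catroot2, re-enable) and jbruns2019's script into one elevated PowerShell run, and addresses the Stop-Service failure Karen8488150 reports by stopping the services that depend on CryptSvc before CryptSvc itself. The parameter defaults, the retry loop, the backup folder naming and the result object are my assumptions, not values from the thread.

```powershell
# Added example: automates the catroot2 reset discussed in this thread. Not code from any poster.
# Assumptions: run from an elevated PowerShell 5.1 session on the affected server;
# the parameter defaults below are mine, not values taken from the thread.
[CmdletBinding()]
param(
    [string]$CatRoot     = 'C:\Windows\System32\catroot2',
    [int]   $MaxAttempts = 20,
    [int]   $RetryDelay  = 3
)

$svcName = 'CryptSvc'
$svc     = Get-Service -Name $svcName

# Stop-Service on CryptSvc fails while services that depend on it are still running,
# so record and stop those first (they are restarted at the end).
$dependents = @($svc.DependentServices | Where-Object { $_.Status -ne 'Stopped' })
Set-Service -Name $svcName -StartupType Disabled
foreach ($d in $dependents) { Stop-Service -Name $d.ServiceName -Force -ErrorAction SilentlyContinue }
Stop-Service -Name wuauserv, bits -Force -ErrorAction SilentlyContinue

# Rename rather than delete, so the old catalog database is kept until the server is known good.
$newLeaf = 'catroot2.old-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
$renamed = $false
for ($attempt = 1; $attempt -le $MaxAttempts -and -not $renamed; $attempt++) {
    # The hosting PID changes every time the service respawns, so look it up on each attempt.
    $hostPid = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'").ProcessId
    if ($hostPid) {
        # Same action as the manual steps: force-kill the svchost that still holds catroot2 open.
        # Any other services hosted in that same svchost process go down with it.
        & taskkill.exe /F /PID $hostPid | Out-Null
    }
    try {
        Rename-Item -Path $CatRoot -NewName $newLeaf -ErrorAction Stop
        $renamed = $true
    } catch {
        Write-Verbose "Attempt ${attempt}: catroot2 still in use, retrying in $RetryDelay s"
        Start-Sleep -Seconds $RetryDelay
    }
}

# Restore the service configuration whether or not the rename succeeded.
Set-Service -Name $svcName -StartupType Automatic
Start-Service -Name $svcName -ErrorAction SilentlyContinue
Start-Service -Name bits, wuauserv -ErrorAction SilentlyContinue
foreach ($d in $dependents) { Start-Service -Name $d.ServiceName -ErrorAction SilentlyContinue }

# Report what happened so the operator can decide whether to retry or wait it out.
$oldFolder = $null
if ($renamed) { $oldFolder = Join-Path (Split-Path -Path $CatRoot -Parent) $newLeaf }
[pscustomobject]@{
    Renamed        = $renamed
    Attempts       = $attempt - 1
    OldFolder      = $oldFolder
    Regenerated    = (Test-Path -Path $CatRoot)
    CryptSvcStatus = (Get-Service -Name $svcName).Status
}
```

Save it as a .ps1 and run it with -Verbose from an elevated prompt to see each retry. Two points worth knowing before running it: the PID that Win32_Service reports is the svchost.exe hosting CryptSvc, and if that process is shared with other services they are killed too (the manual taskkill in the steps above has the same effect); and the script gives up after MaxAttempts and reports Renamed = False rather than looping forever, which is the case Shakedown1979 describes where only patience works. Once the server is healthy and Windows Update works, the catroot2.old-* folder can be deleted.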
- Shakedown1979 (Aug 21, 2024, Copper Contributor): Heheh this would work nicely, when I'm lucky enough to be able to do PS.
A strange side-effect, which could be cause, effect, or something in between, seen on a lot of affected servers is that no form of PowerShell CLI or ISE will launch. This would appear to be a result of something in Windows Defender locking up, and with Tamper Protection via the XDR agent enabled, it's impossible to work around.