Forum Discussion
MNichols
Aug 15, 2024, Copper Contributor
KB5041578 causing Windows Server 2019 to be unresponsive
In testing the August 2024 security update for Windows Server 2019 (KB5041578) we are finding the update causes some Windows Server 2019 servers to become unresponsive. There is also a thread on...
Shakedown1979
Aug 21, 2024, Copper Contributor
MNichols
I've found a "fix" that appears to do the job; it's not particularly graceful and is manual, but it's at least pretty quick and doesn't require a reboot or apparent roll-back of the update. You might need patience depending on how badly affected your system(s) are... Additionally, if you have any kind of IOP-limited disks on affected servers this will make them even slower; if possible, remove any IOP limit and it should be less painful.
You'll need to launch (as admin) PowerShell or CMD, services.msc, Task Manager, and Windows Explorer. I put each in a corner of the UI for ease of navigation.
- In services.msc find Cryptographic Services and Disable it. You won't be able to stop it conventionally.
- In Task Manager/Services tab look for CryptSvc and note the PID.
- In Explorer, attempt to rename C:\Windows\System32\catroot2 to something else, doesn't matter what. It will fail, because it is in use. Leave the pop-up open.
- In PowerShell/CMD, type "taskkill /F /PID <PID noted above>".
- Quickly flick back to the "Folder in Use" pop-up and hit Try Again, it should rename.
- In services.msc put Cryptographic Services back to Automatic; the process will restart automatically very quickly so you don't need to do that. The catroot2 folder will regenerate also, and apparently not look much/at all different from the old one.
Server should be responsive again...
Karen8488150
Aug 21, 2024, Copper Contributor
This process worked great for me on one server. However, another server is so unresponsive that I cannot use this process. Can you please adapt this process so that the steps can be done via remote CLI to a server? Thank you.
- Shakedown1979 (Aug 21, 2024, Copper Contributor): Heya Karen - This may be something of a catch-22 situation; I found scripting it myself was problematic for just such reasons. If you have a device which is borderline unresponsive locally then any commands passed over WinRM/remote PS will equally never complete. I don't even get an eventual time-out, just a locked-up script which would never move on to the next device in a text file fed to it.
  For those ones that are really unresponsive I've found the only fix is patience unfortunately. You may also need to taskkill the PID (which will be different every time the process spawns) numerous times before you can rename or delete the catroot2 folder.
- Karen8488150 (Aug 21, 2024, Copper Contributor): Thank you, guess I just try and be patient. If I do get this unresponsive server to process the commands you placed here, I will respond with a reply of success.
- Karen8488150 (Aug 23, 2024, Copper Contributor): Success, thank you.
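
The manual steps from Shakedown1979's post, combined with the repeated-taskkill retry described in the follow-up reply, as an added PowerShell example that is not part of the thread and not code from any participant. It is meant to be run locally in an elevated session; `$MaxAttempts`, the retry delay and the backup folder name are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the manual catroot2 rename described in the thread.
# $MaxAttempts, the 500 ms delay and the backup name are assumptions, not from the thread.
param(
    [int]$MaxAttempts = 20
)

$catroot = Join-Path $env:SystemRoot 'System32\catroot2'
$backup  = 'catroot2.old-{0:yyyyMMddHHmmss}' -f (Get-Date)

# Disable Cryptographic Services first, as in the services.msc step.
Set-Service -Name CryptSvc -StartupType Disabled

try {
    $renamed = $false
    for ($i = 1; $i -le $MaxAttempts -and -not $renamed; $i++) {
        # Look up the PID on every pass: it changes each time the process respawns.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='CryptSvc'"
        if ($svc.ProcessId -gt 0) {
            # Equivalent of "taskkill /F /PID <PID>"; this ends the svchost.exe
            # instance that hosts CryptSvc.
            Stop-Process -Id $svc.ProcessId -Force -ErrorAction SilentlyContinue
        }
        try {
            # Rename immediately after the kill, before the folder is locked again.
            Rename-Item -LiteralPath $catroot -NewName $backup -ErrorAction Stop
            $renamed = $true
        } catch {
            Write-Warning "Attempt ${i}: catroot2 still in use, retrying"
            Start-Sleep -Milliseconds 500
        }
    }
    if (-not $renamed) {
        throw "catroot2 could not be renamed after $MaxAttempts attempts"
    }
}
finally {
    # Always restore the startup type, even if the rename never succeeded.
    Set-Service -Name CryptSvc -StartupType Automatic
    Start-Service -Name CryptSvc
}
```

The `finally` block restores the Automatic startup type whether or not the rename succeeded, so an interrupted run does not leave Cryptographic Services disabled.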