locked
KB2393802 - may be causing severe problems RRS feed

  • Question

  • Windows update applied KB2393802 around 03:00 and my system no longer boots. I recovered using System Restore in Safe Mode. We've had one other report of this inside IBM, but it's early in the day yet.

    It may not be KB2393802; here is my list of fixes applied:

    KB2393802
    KB2478960
    KB2476687
    KB2482017
    KB890830
    KB2483185
    KB2479628
    KB2485376
    KB2492441
    KB2478971

    Forgive me if there is a better place that this; I rarely come here.


    Steve Swift
    Wednesday, February 9, 2011 6:12 AM

Answers

  • I found this article which references PGP (which isn't important).  However, it does give a GREAT explanation at the end for why this patch is causing this problem...why it doesn't happen on all machines...and why it isn't easily reproducible:

    http://www.symantec.com/connect/forums/pgp-wde-blue-screen-after-kb2393802

     

    (P.S.) - It also explains why removing Turbo Tax fixed the problem for that one guy :)

    • Proposed as answer by JasonD-KC Wednesday, February 16, 2011 9:54 PM
    • Marked as answer by Lawrence Garvin Thursday, February 17, 2011 6:40 PM
    Wednesday, February 16, 2011 7:49 PM

All replies

  • Oh, I'm still in shock. My system is XP SP3 with all critical fixes applied automatically by Microsoft Update. You can contact me via Steve.J.Swift@gmail.com or Swifty@uk.ibm.com for more details.

    Steve Swift
    Wednesday, February 9, 2011 6:14 AM
  • I concur - we're having the same problem. Our PCs installed these patches last night through WSUS:

    2393802
    2478960
    2476687
    2483185
    2479628
    2485376
    2492441 outlook
    2478971

    Uninstalling KB2393802 and KB2478960 appears to resolve the issue. Sadly, we appear to have rolled these patches out to 1700+ clients! It's going to be a fun day. :-|

    Edit: I Binged this article here http://searchenterprisedesktop.techtarget.com/tip/Rolling-back-patches on rolling back security patches. Our only apparent options are to roll back each patch manually by browsing to the %SYSTEMROOT%\$NTUninstallKB2393802$\ and %SYSTEMROOT%\$NTUninstallKB2478960$\ folders, then executing spuninst.exe in each.

    Any other automated methods out there for rolling back patches?

    Wednesday, February 9, 2011 2:35 PM
  • Our only apparent options are to roll back each patch manually by browsing to the %SYSTEMROOT%\$NTUninstallKB2393802$\ and %SYSTEMROOT%\$NTUninstallKB2478960$\ folders, then executing spuninst.exe in each.

    Any other automated methods out there for rolling back patches?


    The EminentWare Extension Pack has a utility that can be used for rollling back spuninst.exe based updates.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Wednesday, February 9, 2011 3:04 PM
  • Thanks Lawrence. As it turns out, the scope of our problem so far appears to be limited to only a few clients and not the entire 1700 computers which received the patches, so manual uninstallation shouldn't be too much of a chore.

    Dustin W

    Wednesday, February 9, 2011 3:16 PM
  • Check and make sure your antivirus is up to date on those PCs.
    Wednesday, February 9, 2011 4:35 PM
  • I just went to a clients because after installing the updates below on their server (Server 2k3 R2 SP2), none of the workstations (XP Pro, Windows 7) could not connect to the internet via NAT RRAS. I started uninstalling them one-by-one until I uninstalled kb2485376  and restarted. After that the workstations could connect again. I reinstalled the other updates I had removed and still had connection. so I think this one is a problem for many of us.

    kb2482017
    kb2476687
    kb2393802
    kb2478960
    kb2483185
    kb2479628
    kb2485376
    kb2478971
    kb2478953

    Wednesday, February 9, 2011 7:01 PM
  • Which one?  2393802 or 2485376? 

    Try installing it again, a font patch doesn't make sense to block Internet connecitivity. 

    This isn't a SBS 2003 by any chance is it?

    Wednesday, February 9, 2011 7:07 PM
  • ALL important updates refuse to install, automatic and manually, including 2485376, 2482017, and 2467023 on a Windows-7 32-bit machine (passed WGA again). However, optional updates, like the ones for Security Essentials install fine. Un-installing 2393802 did not solve the issue thus far, and the other suggested ones are not installed. Any other options?

    Update: manual updates refuse to install, but automatic even refuses to download them. Started rolling back all past updates one-by-one now. Will report back in a few hours.

    Update-2: 976902 does not allow un-installing, and update 2479628 repeatly fails to un-install; problem persists.

     

    Wednesday, February 9, 2011 7:32 PM
  • I'm Having a similar problem related to KB23939802. windows update freezes and short after that, my entire system hangs.

    Wednesday, February 9, 2011 7:40 PM
  • This is Server 2003 R2 SP2 Standard, not SBS 2003. I'm not there anymore but I called them and had them reinstall 2485376 and there is connectivity now. Maybe there was some conflict when installing multiple updates along with this one? They have never had any issues with updates so far, all are installed and none are hidden

    Wednesday, February 9, 2011 8:52 PM
  • You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037):
    http://support.microsoft.com/kb/956188

    It could be that if it's a DC.  Random reboots will nail it.  Boot again and it's fine.

    Wednesday, February 9, 2011 8:58 PM
  • ALL important updates refuse to install, automatic and manually, including 2485376, 2482017, and 2467023 on a Windows-7 32-bit machine (passed WGA again). However, optional updates, like the ones for Security Essentials install fine. Un-installing 2393802 did not solve the issue thus far, and the other suggested ones are not installed. Manual updates refuse to install, but automatic even refuses to download them. Update 976902 does not allow un-installing, and update 2479628 repeatly fails to un-install.

    Rolled-back all updates one-by-one till 2010 (except the two listed above), but problem still exists. Any clues?

    Wednesday, February 9, 2011 10:34 PM
  • I will look into that next time I go there, than you and I will let you know what I find out.
    Thursday, February 10, 2011 6:11 AM
  • i installed these updates today and my pc no longer works,i am unable to format, unable to set it to a time it worked as all it does is constantly flash a muticolour screen, can only turn it off at the button on the front of the cpu.totally messed up for me,managed to return the pc to a time it worked on my wifes pc.but mine has no hope looks like i am gonna have to take it in to be fixed!!! edit the pc worked perfectly before i installed these updates
    Thursday, February 10, 2011 7:26 PM
  • This is a fix which I've used for 5 machines. Load up the computer in safe mode. Go to "Add Remove Programs". Click "Show Updates" in the top right. Locate KB2393802" and click remove. Restart your computer.. Go to microsoft update. Select "Custom". Expand "KB2393802". Uncheck it from the update list and also check "dont show this update again". This will prevent the problem reoccuring. Sam
    Friday, February 11, 2011 2:17 PM
  • Hey guys. Glad you have identified KB2393802 as the culprit for the BSOD. We have also rolled this update out (automatically) through WSUS and it produced the same results. If a user had IE loaded, left their workstation for a few minutes and attempted to use the PC it would blue screen and crash.

    Just found out we cannot uninstall KB239380 from clients via WSUS as it does not support automatic uninstall. Any ideas for scripting this task? Do not fancy going around over 100 PCs over 2 sites manually!

    Thanks again for the posts. It helped!

    Friday, February 11, 2011 4:34 PM
  • DJ?  Can I have copies of that  bsod?  Send a copy to susan-at-msmvps.com

    Microsoft can't always repro these crashes.

    Please?  I need your help.

    Friday, February 11, 2011 4:51 PM
  • Susan, I have sent a copy of the dump files to your email. Thanks.
    Friday, February 11, 2011 5:08 PM
  •  I think that this uninstall task can be done remotely by using "%SystemRoot%\$NtUninstallKB2393802$\spuninst\spuninst.exe" together with PSEXEC and the appropriate switches...

    I have not tested yet in my environment, because we are trying to verify what specific hardware is getting this errors, but just to give you an Idea...

     

    Regards

    Thiago Tietze

    Friday, February 11, 2011 5:17 PM
  • Do not download Microsoft Security Update KB2393802! 

    My computer automatically installed the following updates which resulted in a continual reboot sequence.  I resolved this by entering safe mode and rolling the computer back to the previous day's restore point.  I then began reinstalling the security updates one by one to find out which one was the "culprit".  Needless to say the continual reboot issue began again after installing KB2393802.  So after re-rolling back my computer once more and installing all updates BUT KB2393802 things are fine.  It was very frustrating.

    These are the updates that my computer originally installed and the order in which they were listed on the update screen:

    KB2482017

    KB2393802--THIS IS THE BAD UPDATE--DON'T DOWNLOAD IT!

    KB2476687

    KB2478960

    KB2478971

    KB2479628

    KB2483185

    KB2485376

    KB2492475

    KB890830

    I then went back to the update list and unchecked KB2393802 from the update list and checked the don't show this update again box.  I hope this message helps someone else and that Microsoft fixes future updates so this will not happen again.

    Sincerely,

    Okibrat

    Sunday, February 13, 2011 1:46 PM
  • HI Steve, all,

    Just adding another example to the list.

    For me, KB2393802 is also a problem. Perhaps it's unsurprising this update (of all those released this month) is causing the issue, as it is patching ntoskrnl and other critical, core elements of the OS.

    BSOD with generic kernel trap 0x0000007F (bizarrely recorded in the System Event Log as 0x1000007f; bitwise operation gone wrong?) following install.

    The common denominator I'm noting between myself and other reports is PGP Whole Disk Encryption (from PGP Desktop 9.10.0).

    [Hopefully you clever folks at Microsoft can figure this out sooner rather than later, Sue :)]

    (Apologies in advance if this "double-posts, our ISA 2006 box does that, never been solved...)

    Stevie Lamb


    Stevie Lamb
    Monday, February 14, 2011 9:35 AM
  • Our fleet of 159 laptops just recently installed KB2393802along with 7 other updates and started immediately received BSOD at shut down, boot up, normal operation, etc. Users are also being innundated with the popup "Windows has recovered from a serious error".

    I'm also desperately looking for a new KB fix or a command line method of silently uninstalling this KB so that I can roll that out to my fleet using my software distribution package.

    Monday, February 14, 2011 3:46 PM
  • Can you email me at susan-at-msmvps.com and send me a .dmp file?
    Monday, February 14, 2011 5:18 PM
  • As was posted earlier... you'll need to script this.  " I think that this uninstall task can be done remotely by using "%SystemRoot%\$NtUninstallKB2393802$\spuninst\spuninst.exe" together with PSEXEC and the appropriate switches..."

    Can you email me at susan-at-msmvps.com and send me a .dmp file?
    Monday, February 14, 2011 5:19 PM
  • @Swiftie: Why did you abandon your related (IMHO) 18 Dec-10 thread in IE (Consumer) forum?...

    Upgraded IE6 to IE8 now neither IE8 nor Internet Options start/run
    http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/cfb83c57-5606-49df-a19d-0fe1ff90e387/


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
    Monday, February 14, 2011 5:48 PM
  • What's old is new?...

    Alureon/TDSS Rootkit and Restart Issues After Installing MS10-015 [1]
    http://securitygarden.blogspot.com/2010/02/alureontdss-rootkit-and-restart-issues.html

    Update - Restart Issues After Installing MS10-015 and the Alureon Rootkit [1]
    http://blogs.technet.com/b/msrc/archive/2010/02/17/update-restart-issues-after-installing-ms10-015-and-the-alureon-rootkit.aspx

    ===============================
    [1] MS11-011 (AKA KB2393802) replaced MS10-047 which replaced MS10-021 which replaced MS10-015


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
    Monday, February 14, 2011 5:49 PM
  • Not caused by a rootkit or other malware as it happens on a fresh load.
    Monday, February 14, 2011 11:16 PM
  • What's the specs of the PC?  Can you try installing the latest driver from the pc manufacturer for the video card?
    Monday, February 14, 2011 11:19 PM
  • In my particular situation in my fleet of 159 laptops (HP 8440P) those who had received and installed KB2393802 are receiving the random BSOD issues reporting pysical memory dumps, etc. Susan helped me yesterday work through the minidump files of a few computers I had immediately at my disposal and on each and every one of the minidump files they reported the same root cause of the BSOD issues.

    A fault with core video card drivers.

    ==================================================================

    BugCheck 1000007F, {8, ba350d70, 0, 0}


    Unable to load image igxpmp32.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for igxpmp32.sys
    *** ERROR: Module load completed but symbols could not be loaded for igxpmp32.sys
    Unable to load image igxpdx32.DLL, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for igxpdx32.DLL
    *** ERROR: Module load completed but symbols could not be loaded for igxpdx32.DLL
    Probably caused by : igxpmp32.sys ( igxpmp32+44124 )

    ==================================================================

    Now of course my scenario is specific to my model laptop and does not necessarily apply to you but it is something you can look at. Right now we're at a cross-roads waiting to see if another KB update will address this issue, if we need to remove the KB through automated scripting, or if we need to look at the daunting task of video driver updates on all effected laptops. Something of a nightmare given that our fleet is spread out across the entire northern half of my state.

    Please continue to share your experiences however. Any new information can potentially help.

    Tuesday, February 15, 2011 3:37 PM
  • Certainly not conclusive by any means but...

    QUOTE: IGXPMP32.SYS has been seen to perform the following behavior:

    • Uses rootkit techniques to conceal its presence, interrogation or removal
    • Uses low level functions to hide itself from the user and from system/security processes

    Source:  http://www.prevx.com/filenames/X1888060650351155745-X1/IGXPMP32.SYS.html


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
    Tuesday, February 15, 2011 3:45 PM
  • TC_BokBok:

     

    I am having the exact same problem as you. So far I've only seen it on two of our Lenovo ThinkPad T400 laptops running WinXP SP3, but the error and analysis is the same.

    What is the version of your Intel display driver? Here's the version information from my affected T400s:

    Driver Date: 1/15/2010

    Driver Version: 6.14.10.5220

    and

    Driver Date: 8/18/2010

    Driver version: 6.14.10.5294

     

    I'm going to try get the latest drivers from Intel or Lenovo (whichever is newer) and see if that makes any difference and I'll report back when I find out something.

     

    Jim

    Tuesday, February 15, 2011 4:15 PM
  • This morning I was alerted to a handful of machines exhibiting the same random reboot behavior described by TC_BokBok and temporalshadows.  Our machines are Lenovo M58p desktops running WinXP sp3 and our memory dumps also point at igxpmp32.sys as the faulting module. 

    We tried loading the latest version of the video driver from Lenovo (v6.14.10.5212 from 1/8/2010) this morning but the user reported another BSOD within 90 mins.  We've now removed the KB 2393802 update and are waiting for a better solution. 

     

     

    • Proposed as answer by Jerrae Tuesday, February 15, 2011 8:03 PM
    Tuesday, February 15, 2011 6:03 PM
  • Here is what is currently installed on all 159 of my fleet of HP 8440P's. We use a standardized image I built that receives very little modification. The fact that Windows Automatic Updates was somehow re-enabled is what has our organization in the bind we're in right now. I'll be deploying an update soon to all of my fleet to re-disable the automatic updates.

     

    Current Driver:

    HP 8440P Intel Graphics Media Accelerator (HD) v6.14.10.5179

    Potential New Driver:

    HP 8440P Intel Graphics Media Accelerator (HD) v6.14.10.5303

     

    With the information here I'm thinking we may need to deploy a scrip to automate the removal of this KB after disabling automatic updates. I'd much rather have a new KB from Microsoft to address this but I'm uncertain of the outlook there considering the history around these kernel updates that I'm becoming more familiar with day-by-day.

    Feel free to contact me if you like as well.

    rseely-at-mhc.net

    • Edited by TC_BokBok Tuesday, February 15, 2011 6:39 PM Format
    Tuesday, February 15, 2011 6:37 PM
  • [post withdrawn]

    Tuesday, February 15, 2011 7:14 PM
  • Our company has been having the same type of issues with Win XP SP3 laptops.  The BSOD are random but seem to be connected to certain websites that are visited.  We also have the driver version that is listed above on the affected laptops.  We have been trying the driver updates but it is too early to tell if it is working.  If need be I can send over the DMP file of our machines that are experiencing the problem. 

    Tuesday, February 15, 2011 7:16 PM
  • WyseCitrix,

    I'd love to look at them personally to compare them with ours.

    rseely-at-mhc.net

    Tuesday, February 15, 2011 8:02 PM
  • Do you have any idea what websites or what sort of content those sites contain? 

    Our memory dumps showing iexplore.exe as the faulting process.  Additionally, I was present during one BSOD and it occurred while closing an oracle forms web app.  The folks that have reported seeing this problem so far are heavy oracle forms users.  We would expect this to be wider spread (or that it will be wider spread) than has so far been reported because we have a lot of machines using the Intel Graphics driver and have already installed the update in question.

    For the others that have dug into their mem dumps, what processes were involved in the crashes?

    Tuesday, February 15, 2011 10:56 PM
  • http://www.techrepublic.com/forum/discussions/102-341122-3418020  "Thanks, I experienced the exact same issues with systems using Oracle forms clients running jinitiator, and as you described the issue here was when the screensaver password was envoked." Like that?
    Tuesday, February 15, 2011 11:35 PM
  • I can report that we have the same problems at our school after this update This happened to 300+ HP 4320s with Intel HD graphics card All minidump files shows that igxpmp32.sys is to blame for the bluescreens but, since the bluescreens happened on all the laptops after recieving the updates from wsus, I don't think it's the driver? updating the driver doesn't help, I have allready tried that. I just found this thread, so I'm going to start uninstalling the patch from the laptops now, hopefully that will help -fendel
    Wednesday, February 16, 2011 9:59 AM
  • +1
    Wednesday, February 16, 2011 10:54 AM
  • No you are exactly correct. I was pushed the very same series of updates last night, and after rebooting for the updates to install I was unable to boot. My computer (an HP Envy 15 1050 ca, Core i7 720, 6GB Ddr3, Windows 7 Ultimate X64 ) just kept BSOD'ing. I performed a system restore via f8, and confirmed by downloading every update EXCEPT KB2393802, and my system booted just fine. I then created a restore point, and installed KB2393802 and yup, you guessed it a BSOD. 

     

    I don't have any integrated Intel Graphics BTW, I have an ATI Mobility Radeon HD 4830. Funny thing though, is that when Windows tried to fix the problems via repair your computer function, it detected a memory error, and rebooted to run memtest (Windows Memory Diagnostic/Whatever it's called now?) which detected nothing wrong... 

    [edit]

    While I have Bitlocker available, I do not have it enabled in any way, so whom ever suggested that is incorrect, at least in the case of my system. 

    [edit 2]

    Through searching, I've found some blaming it on certain anti-virus apps, I just thought I would add that I have Avira Classic, and Comodo Internet Security -the anti-virus module of it.

    Wednesday, February 16, 2011 12:07 PM
  • On our systems we do not use anything Oracle based. We do use some SQL products and Citrix products as well. My users are reporting to me that they see their BSOD errors happening mostly while trying to turn the computer off or while performing a reboot. But that is not the case for all. Some get them randomly while documenting on the laptop or worse, immediate and instantaneous reboot. Neither of which is good because they are documenting medical patient data.

     

    I have a user testing new Intel Graphics Media Accelerator (HD) drivers and also a handful of users testing the stability of the OS with this KB removed. I'm waiting to hear back from everyone today on the progress of these changes.

     

    Microsoft, please release a new KB to address these issues...

    Wednesday, February 16, 2011 1:57 PM
  • We do have jinitiator installed but the oracle forms app in question is running with the standard JRE.  Additionally, I haven't heard anything from users about screensavers or screensaver passwords being related to the crashes.  Instead, they've said it happens as they switch between Outlook and IE.
    Wednesday, February 16, 2011 2:57 PM
  • Unless they get dumps and repros they can't release a new KB.

    They aren't seeing it internally.  It's something you have in your systems.  Guys, rule of fixing is they have to repro.  If they can't repro they can't fix.

    Call Microsoft.  It's a security patch issue, it's a free call.

    Wednesday, February 16, 2011 3:13 PM
  • Exactly same issue here.

    We have the Intel gfx driver on the machines with the bluescreen but we also have the jinitiator installed for Oracle Forms which we open with Internet Explorer 7. All in Windows XP.

    One user has reported that the bluescreen happened when the screensaver came up.

    Maybe the issue is "having Oracle Forms open and the screensaver comes up" ??

    No idea, just a guess. Also don't know yet in which way (and if at all) the gfx driver has anything to do with it.

    Wednesday, February 16, 2011 3:30 PM
  • The faulting process on one of the laptops was TurboTax. That user had no problems all day (actively using the computer) until she tried to use TurboTax again, and then she got a BSOD again (that was at 2:08pm). I also see crash dumps from 10:01pm, 10:15pm, 11:23pm, 11:44pm, and 12:13am. The faulting module in each instance was TurboTax, and the user said that it happens at the same point in the process every time. She's trying to submit an Alabama return, and every time she checks an employer checkbox and clicks on Next, it blue screens. Every single time at that point in the process. So, I uninstalled the patch and I'm going to see what happens.

    The other laptop that was having the problem hasn't blue screened since Monday. The faulting process there was Jing.exe every time. That program is from jingproject.com and it's some sort of screen capture/sharing program. I installed it on a test laptop with the same configuration and have had no problems, so I'm not able to reproduce the issue.

    Wednesday, February 16, 2011 4:01 PM
  • After removing KB2393802 TurboTax no longer causes a crash in the graphics driver. 
    Wednesday, February 16, 2011 4:59 PM
  • It looks to me right now that the solid solution (for the time being) is to remove this KB. I'll use some of the info posted earlier in the thread to script the uninstallation.
    Wednesday, February 16, 2011 5:27 PM
  • ...and call into Microsoft.  If they cannot repro it, they cannot fix it.  This is a security patch that you'll ultimately want on the box.
    Wednesday, February 16, 2011 5:29 PM
  • I found this article which references PGP (which isn't important).  However, it does give a GREAT explanation at the end for why this patch is causing this problem...why it doesn't happen on all machines...and why it isn't easily reproducible:

    http://www.symantec.com/connect/forums/pgp-wde-blue-screen-after-kb2393802

     

    (P.S.) - It also explains why removing Turbo Tax fixed the problem for that one guy :)

    • Proposed as answer by JasonD-KC Wednesday, February 16, 2011 9:54 PM
    • Marked as answer by Lawrence Garvin Thursday, February 17, 2011 6:40 PM
    Wednesday, February 16, 2011 7:49 PM
  • http://blog.sharpesecurity.com/2011/02/17/analyzing-kernel-stack-crashes-related-to-microsoft-february-2011-kb2393802-patch/
    Thursday, February 17, 2011 10:28 AM
  • @Nicholas Crain

    Interesting.. similar setup.. same problem

    - ATI Radeon HD5450

    - Avira AntiVir Premium

    - Comodo Firewall

     

    Thursday, February 17, 2011 10:50 AM
  • Same problem with the KB2393802 on a HP Probook 4520s!

    I had a bluescreen when i started "Autocad 2009 LT". After uninstalling the KB2393802, the problem was solved!

    I checked the minidump on the probook:

    UNEXPECTED_KERNEL_MODE_TRAP (7f)

    .....

    Probably caused by : igxpmp32.sys

     

     

    Thursday, February 17, 2011 1:03 PM
  • It looks like this is mainly an XP issue, but I thought I'd point out, at least for the people who have W7, that KB2393802 is included in W7 SP1, despite the fact that it was finished in November. It's listed in the spreadsheet of fixes for SP1 that MS released today (though until Tuesday, SP1 itself is still only on MSDN/Technet/Volume). It would be interesting to see if a BSOD attributable to KB2393802 happens to you under SP1.
    Thursday, February 17, 2011 8:19 PM
  • What we found is the KB2393802 patch is conflicting with certain versions of an older video driver on Dell computers, specifically with the Optiplex 980 and the Latitude E6410.   Both these computers have the Intel Q57 DT Gfx  - Intel GMA HD video card.  We use approximately 15 to 20 different models of Dell computers and was installed to most of these models and the only ones affected were these two I've listed.

    We down loaded the latest drivers dated 7/10/2010 for this card we were able to install the KB2393802 without any additional problems.

    Hope this help!

    Thursday, February 17, 2011 9:41 PM
  • It's been a few days since my last post but I followed the advice by Thiago to use PSEXEC to script a mass uninstall of KB2393802. It took a while to get the switches right so the following shows how I did it across the whole domain using a domain admin account...

    psexec \\* -d "%SystemRoot%\$NtUninstallKB2393802$\spuninst\spuninst.exe" /quiet

    Be careful as this will reboot the clients unless you add the /norestart switch. With psexec you can reference a text file with a list of clients instead of using the wildcard for the whole domain.

    Since uninstalling the update we have no more BSOD issues. If anyone is interested we are running HP desktops with built-in Intel graphics display. The drivers are a couple of years old but I didn't fancy updating the display drivers on 100+ PCs!

    Friday, February 18, 2011 2:25 PM
  • Since uninstalling the update we have no more BSOD issues. If anyone is interested we are running HP desktops with built-in Intel graphics display. The drivers are a couple of years old but I didn't fancy updating the display drivers on 100+ PCs!

    And yet, updating those old, inefficient drivers is probably the better solution, eh? :-)
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, February 18, 2011 5:17 PM
  • KB2393802 caused my OWA VM to black screen.  Restored from AM backup then tested the 8 patches issued creating snapshots between reboots. I was able to identify this patch as the cause of the blackscreen on my VM. The only server it has affected so far is my OWA running W2K3 Server SP2 Version 5.2 Build 3790.srv03_sp2_gdr.100216-1301. Thankfully I had a complete backup of my server from the morning I patched the server.

    Hope this information helps others and maybe someone will post the fix.

    Carmen

    Sunday, February 20, 2011 4:42 AM
  • I'm honestly not seeing 'a' fix. I'm seeing it's related to resources on the machine and video cards. Unless you provide dmp files and call into Microsoft, other than checking out IBM video card updates, I'm honestly not seeing a fix coming from Microsoft on this one.
    Sunday, February 20, 2011 6:59 AM
  • Replying to Susan just becouse it is the last post...

    Patching with KB2393802 then Exchange server 2010, causes mail delay to outlook clients from 30 minutes to several hours in our environment.

    OWA seems NOT to be affected. New mail appears in OWA almost instantly.

    Regards
    Herbert Knavs

    UPDATE: I can confirm that KB2393802 is the cause.

    • Edited by Herbert Knavs Monday, February 21, 2011 6:44 AM UPDATED
    Sunday, February 20, 2011 8:24 PM
  • I have seen this kb2393802 issue on my HP 6320 running windows 7, but not the BSOD, just when i c-a-d type in my password the screen did nothing - just never logged me in. The same model of laptop with win7 on as well didnt have the issue and they only difference i could see was i use the HP credential manager and fingerprint reader to login, av, patches etc all the same. after and number of tries - including manual download and install rather than WSUS all failed, windows 7 autoinstalled the patch when i shutdown and it booted up and be ok ever since. I havent released this patch to our computer estate until a solution appears, which doesnt seem likely at this current point. 

     

    Monday, February 21, 2011 12:47 PM
  • KB2393802 - Works fine if you do the install whilst shutting down Windows.
    Monday, February 21, 2011 6:56 PM
  • I've not seen this reported anywhere else.  Please call Microsoft.
    Tuesday, February 22, 2011 6:29 PM
  • KB2393802 - Works fine if you do the install whilst shutting down Windows.


    Probably because sufficient kernel stack space has been freed up by processes that are shutdown before the update installation is initiated.

    Now, why it doesn't manifest after the system is restarted and all of those processes start back up might be a useful question. It may also be that simply starting up doesn't exhaust the kernel stack, but at some point after the restart that stack will be consumed, and the blue screen will occur.

    Fundamentally, at least to me, it seems in every case I've read about the ultimate culprit is a poorly written kernel-mode driver, which in most cases appears to have been updated, but the update has not been installed. So, ultimately, the correct fix is not to uninstall this update, but rather to update the appropriate driver(s) -- most notably in these cases, it appears to be video drivers.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, February 22, 2011 8:35 PM
  • In my case 2 computers (Windows XP Pro SP3) are hit after KB2393802 install. BSOD occurs only if USB printer is connected at boot time and only for computers with Gigabyte G41M-ES2L motherboards. Printers are complete different. UNEXPECTED_KERNEL_MODE_TRAP 0x1000007f 0x00000008 0x80042000 0x00000000 0x00000000 ntoskrnl.exe ntoskrnl.exe+4ae50 In this case nothing points to video driver.
    Wednesday, February 23, 2011 8:47 AM
  • With updating to the newest Intel graphics driver we could solve the issues in our systems.
    Thursday, February 24, 2011 10:37 AM
  • This patch keeps showing up as needing to be installed every time I check for updates; it installs successfully over and over every time.

     

    What's up with that?

    Wednesday, April 6, 2011 10:46 AM
  • This patch keeps showing up as needing to be installed every time I check for updates; it installs successfully over and over every time.


    Is KB2393802 listed in View installed updates (Vista & Win7) or Add/Remove Programs (WinXP)?

    How about KB981852?


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
    Wednesday, April 6, 2011 2:26 PM
  • Nope, no siree...   last one listed is KB2524375 and the last one starting with a 9 is KB971029.

    Thanks.

    JHK

    Wednesday, April 6, 2011 11:44 PM
  • @Aries only: The OP of this thread was running WinXP SP3.

    Always state your full Windows version (e.g., WinXP SP3; WinXP 64-bit SP2; Vista SP1; Vista 64-bit SP2; Win7; Win7 SP1; Win7 64-bit; Win7 64-bit SP1) when posting in a forum (espcially when you're making a "Me, too" post in someone else's thread). Please do so in your next reply.

    Depending on your Windows version, chances are you're seeing the effects of a W32/Alureon-variant rootkit infection, one that's been present on the system since Aug-10 or even Apr-10, if neither KB981852 nor KB979683 is installed.

    Thursday, April 7, 2011 12:28 AM
  • Yes I have Windows XP3   I am also using Microsoft Security Essentials.     So what do I do about the rootkit infection?  Is there any way to remove it?    THANKS

    JHK

    Thursday, April 7, 2011 10:13 AM
  • @Aries only: I'll need to know more about this WinXP SP3 computer. Please answer all of the following diagnostic questions by number in your next reply (no need to quote this post):

    1. When (approx. date) did you install Microsoft Security Essentials (MSE) and was the computer fully-patched at Windows Update at the time?

    2. What anti-virus application was installed before you installed MSE, was your subscription still current, and did you uninstall it before you installed MSE?

    3. Has a(nother) Norton application or a McAfee application ever been installed on the computer?

    4. Did a Norton free-trial or a McAfee free-trial [pick one] come preinstalled on the computer when you bought it? (Doesn't matter if you never used or Activated it.)

    5. Has MSE been auto-updating itself roughly once every 24 hours AND can you successfully update it manually via the Update tab?

    6. Is Security Update for Windows XP (KB979683) listed in Add/Remove Programs?


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
    Thursday, April 7, 2011 1:49 PM
  • 1-3.  As far as I know my PC was completely patched and up to date.  I did have McAfee long ago but I switched to Windows Live OneCare.  When WLOne Care was no longer available that's when I switched to MSE.  Each older one was uninstalled correctly - new ones wouldn't work if they weren't.

    4. Yes

    5. I always manually update the MSE, successfully.

    6.  No.

    THANKS AGAIN

     

    JHK

    Thursday, April 7, 2011 6:17 PM
  • @Aries only: Assuming (a) your McAfee subscription had not expired by the time you replaced it with OneCare and assuming (b) your OneCare subscription had not expired by the time you placed it with MSE:

    1. Did you (a) uninstall theMcAfee application AND THEN (b) download/run the McAfee Consumer Products Removal Tool & reboot (c) BEFORE you installed OneCare?

    2. And did you (a) uninstall OneCare AND THEN (b) download/run the OneCare cleanup utility & reboot (c) BEFORE you installed MSE?

    Thursday, April 7, 2011 6:51 PM
  • yes to both questions
    Saturday, April 9, 2011 3:17 AM
  • Let's double-check: Open Add/Remove Programs & this time make sure the 'Show Updates' box at the top is enabled/checked. Then scroll down & tell me which, if any, of the following updates ARE listed?

        • (a) KB2483185 and/or KB2286198; 

        • (b) KB2393802 and/or KB981852 and/or KB979683;

        • (c) KB2479628 and/or KB2436673 and/or KB981957 and/or KB2160329


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
    Saturday, April 9, 2011 7:06 AM
  • a. yes AND yes

    b. yes  AND yes  AND yes

    c.  yes  AND yes AND yes AND yes

    Saturday, April 9, 2011 7:55 PM
  • PS   Now the KB2393802 is listed as being installed on 2-9-11.  Previously it was not listed.  Since I replied to the original post I have done a CCleaner registry scan and I need to do something more because my WLM is really not working well at all.  In fact my whole system is slow now.   Maybe you can tell me more about getting rid of the rootkit - I have not done a Microsoft updates since I replied to this post.

    THANKS

     

    JHK

    Saturday, April 9, 2011 8:14 PM
  • but I have done the MSE updates daily
    Saturday, April 9, 2011 8:14 PM
  • Sometimes mse isn't enough.  I'd download www.malwarebytes.org and run it.

    That said, I've seen where just slight mangled os's don't get this update installed and it's not due to a rootkit.  Some have reported booting into safe mode and manually downloading the update and installing it there.

    But it wouldn't hurt to run malwarebytes.org on your system.  It's a good tool.

    Saturday, April 9, 2011 8:22 PM
  • [1] Now the KB2393802 is listed as being installed on 2-9-11.  Previously it was not listed...Maybe you can tell me more about getting rid of the rootkit - I have not done a Microsoft updates since I replied to this post

    [2] Since I replied to the original post I have done a CCleaner registry scan and I need to do something more because my WLM is really not working well at all.  In fact my whole system is slow now.

    @Aries only:

    A1. Since I didn't know your Windows version when I replied to your first "Me, too!" post in this thread, I didn't mention anything about making sure the 'Show Updates' box was enabled. If it wasn't enabled when you looked in Add/Remove Programs the first time, Security Update for Windows XP (KB2393802) would not have been listed (displayed).

    Since it's listed now, I'd doubt you have any sort of infection, let alone a rootkit infection. That being said, let's run some additional checks:

    => Open Internet Explorer (only) to http://windowsupdate.microsoft.com | Select CUSTOM and run a scan.

    • Is KB2393802 still offered? [yes/no]

      Note: If it is offered, uncheck it then hide it ("Don't show me this update again") for now.

    • If any other updates are offered, write down each of the KB numbers & post them in your next reply.
    • If a Root Certificates update is listed (possibly in the Optional Software updates category on the left-hand side of the scan results window), go ahead & install that one to take full advantage of IE's enhanced security.

    => Now click on/open Show update history in the left-hand menu on the Microsoft Update page: Can you confirm that it lists Security Update for Windows XP (KB2393802) as being installed on 09 February 2011? [yes/no]

    A2. Please answer the following questions:

    1a. When you run CCleaner's Registry Integrity component & choose to "fix" anything a scan finds, you're prompted to save a back-up of the changes you're about to make. Do you have back-ups of ALL the changes you've ever made using CCleaner's Registry Integrity component? [yes/no]

    1b. Do you use or have you used any other kind of "Registry cleaner" (e.g., Registry Mechanic; RegCure; Advanced SystemTools; Registry Optimizer)? If so, do you have back-ups of ALL the changes you've made using these utilities?

    2a. Open "WLM" & click on HELP | ABOUT: What version is displayed here (e.g., v14.0.8117.0416)?

    2b. How long has "WLM" been "not working well at all?" Can you explain what you mean by "not working well at all," please?

    2c. Does "WLM" = Windows Live Mail or Windows Live Messenger?

    3. What else is "slow" on your WinXP SP3 computer (e.g., IE8, Firefox or any other browser; searching in Windows Explorer [WinKey+F]; opening a program)?

    4. Do you primarily see this "slow" behavior just after you Start the computer and/or when Microsoft Security Essentials is auto-updating itself?

    5. Right-click on My Computer & select Properties. Once the resulting General tab fully loads, look at the very bottom of the tab: How many MB of RAM is displayed here?

    PS: If you haven't done so already, please hold off on running MalwareBytes Anti-Malware (MBAM) for the time being. It's generally best not to run such powerful tools without guidance from an expert in such matters. Thanks.

    Saturday, April 9, 2011 11:59 PM
  • Thanks.

    I will have to run the Microsoft Updates later tonight due to my work schedule, but in the meantime I will repeat that the last time I checked my update history, it was telling me that KB2393802 was installed many times, successfully.  That's what prompted my reply to this post in the first place.

    So, when I come back, I will run the updates manually again, and let you know the results.  I always back up my registry after running CCLeaner but I must admit I have deleted some from way back. 

    And the problem with my WLM is that when I open it, it seems to hang and never completely open.  I can also hear the computer when this is happening, and I have to exit out either by pressing the x at the top right many times, or by ending the wlmail.exe process.  This never happened to me before, until coincidentally I noticed this KB2393802 issue. 

    Will reply more later.

    Have a great one!

    JHK

    Sunday, April 10, 2011 12:16 PM
  • No problem, take your time. But please be sure to answer all of the questions in section A2 by number in your next reply (even though you've kinda answered a few of them in your post above).
    Sunday, April 10, 2011 6:04 PM
  • KB2393802 has appeared in the updates to be installed again.So I installed it.  Successfully.

    Yesterday I did chkdsk at startup, disk cleanup, and my WLM opened more easily, also the whole system is running much faster now, like normal.

    Will come back later today to answer other questions.

     

    Monday, April 11, 2011 9:32 AM
  • KB2393802 has appeared in the updates to be installed again.  Do you think I should uninstall it and then run microsoft updates again?  It seems pointless to install it over and over.

    JHK

    Wednesday, April 13, 2011 12:17 AM
  • If you want to pursue this further, I'll need you to answer all of the questions in my previous, long post.

    Otherwise...

    OPTION A: Uninstall KB2393802 via Add/Remove Programs & reboot, then run another CUSTOM scan at Windows Update & see if it and all other updates offered [1] successfully install. Assuming they do, run another CUSTOM scan & see if KB2393802 is still being offered.

    OPTION B: For home users, [2] no-charge support is available by visit the Microsoft Virus Solution and Security Center for resources and tools to keep your PC safe and healthy. If you are having issues with installing the update itself, visit Support for Microsoft Update for resources and tools to keep your PC updated with the latest updates. 

    Or you can...

    Start a free Windows Update support incident email request
    https://support.microsoft.com/oas/default.aspx?gprid=6527

    Customers who experience issues installing Microsoft security updates also can visit the following page for assistance:  https://consumersecuritysupport.microsoft.com/

    ============================================
    [1] e.g., KB2497640, KB2508272, KB2489979, KB2509553, KB2507618, KB2506223 & our friend KB2393802

    [2] This really isn't a home user/Consumer support forum. In the future, post about your Windows Update issues in this forum instead: http://answers.microsoft.com/en-us/windows/forum/windows_update


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
    • Edited by Elytis Cheng Friday, April 6, 2012 5:45 AM PCSafety Center update
    Wednesday, April 13, 2011 1:26 AM
  • Wednesday, April 20, 2011 3:19 PM
  • Stop Error 0x0000007F or 0x1000007F after installing MS11-011 (KB2393802)

    http://blogs.technet.com/b/asiasupp/archive/2011/03/23/stop-error-0x0000007f-or-0x1000007f-after-installing-ms11-011-kb2393802.aspx

    Did you happen to notice that the cited blog post references THIS THREAD as it's reference source? ;-)

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Wednesday, April 20, 2011 5:22 PM
  • <VBEG>
    Wednesday, April 20, 2011 9:13 PM
  • Do not download Microsoft Security Update KB2393802! 

    KB2393802--THIS IS THE BAD UPDATE--DON'T DOWNLOAD IT!

     

    it's definitely the cause of my bsod on windows 7 x64

    what amazes me is how microsoft still manage to leave it on update scan after reading so many complaints about this update?

    does Service Pack 1 include KB2393802? if so, I would avoid install SP1 until this problem is fixed at their end

    Thursday, May 5, 2011 11:15 AM
  • Because not everyone is having this issue and the underlying trigger has been identified.  The issue is not the patch.  The issue is video drivers that are not well coded and are taking more room in the kernel stack than they should.

    Update your video drivers.

    Thursday, May 5, 2011 1:49 PM
  • tried last night, updated nVidia driver to the latest, then after install this evil KB2393802, went to bed with computer on

    the next day: computer hang at start up menu

    the issue is definitely more than just video driver

    Friday, May 6, 2011 6:56 AM
  • I uninstalled the video driver before a fresh installation (rather install and overwriting pre existing one) and did a registry cleaning and defragmentation

    It's my 2nd day running without any problem

    hope this info help those still struggle

    Saturday, May 7, 2011 11:31 PM
  • Hi everyone,

    I have this problem with my laptop HP EliteBook 8730w with XP on it. But the problem discribed above occures when I download and install KB2393802 but also when I install the update KB956572.

    Is there anyone who has the same problem?

    @Not again how did you clean your registry? (Which tool did you use? I have tried everything this is my last option. Although I doubt if it is gonna work because I use a clean ghost to install my pc. So also a clean registry.)

    Kind regards,


    I noticed yesterday evening that KB 981852 also gives this problem.
    Sunday, May 15, 2011 12:57 PM
  • Is anything has changed regardles this subject ? We have laptops with intel graphics and our users suffer BSODs while work with AutoCADs.
    It seems that the "evil" KB2393802 is behind this issues but our IT policy makes security patches mandator and we can't uninstall them.

    Any advice ? (the drivers were updated)

    Thanks

    Thursday, August 4, 2011 12:52 PM
  • Is anything has changed regardles this subject ?
    According to the notes in KB2393802 the resolution is to install the updated video drivers.

    We have laptops with intel graphics and our users suffer BSODs while work with AutoCADs.

    Is your AutoCAD software at the latest revision level?
    It seems that the "evil" KB2393802 is behind this issues but our IT policy makes security patches mandatory

    Any advice ? (the drivers were updated)

    Open a FREE support incident with Microsoft. If you have the latest video drivers installed, AND your BSODs are being caused by this update (and not because of inherently defective video drivers), or not by some other (unidentified) cause -- then Microsoft needs to know about this, and that's likely the only way you will get a solution.

    Otherwise it might be time to reevaluate an IT policy that makes **ALL** security patches mandatory. (Sometimes there are necessary exceptions, and the risk of not applying the patch must be properly weighed against the impacts (including recurring BSODs) of applying the patch.

    Thanks



    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, August 4, 2011 2:49 PM
  • If you have a SW deployment system like SMS, Altiris or LANDesk, then you could point to the spunist and run that with silent switches possible.
    Monday, October 29, 2012 3:43 PM