Kaspersky remover may trigger VSS error 0x81000203

Just a short note: the tool KAVREMOVER, provided by Kaspersky to clean up an antivirus install, may cause side effects. It seems that some users of Windows 10 (V1607) are receiving error 0x81000203 after executing this tool, so system restore can't be used anymore.




System protection can't be turned on

System protection is a feature that regularly creates and saves information about your computer's system files and settings. This tenforums.com article explains how to turn on system protection for a drive. But some users are facing error 0x81000203 after trying to activate system protection for a drive.

In the event log, a VSS error with event ID 12293 (IVssSnapshotProvider::IsVolumeSupported() failed with 0x8000ffff [hr = 0x8000ffff) is shown. If a user opens an administrative command prompt window and enters the command:

vssadmin list volumes

no result is returned. The Volume Shadow Copy service (VSS) can't find the VSS provider (see this MS Answers forum post).

#1: TuneUp turbo mode is a cause

Searching the web brought me to this post, where TuneUp turbo mode is mentioned as blocking the VSS provider. If TuneUp is installed, deactivate turbo mode, and then uninstall TuneUp.

#2: KAVREMOVER may cause this issue

If a Kaspersky antivirus product is uninstalled (to switch to another product), it's recommended to use a cleanup tool to remove install files left on the system. Kaspersky provides KAVREMOVER to clean a system.

Unfortunately, in some cases KAVREMOVER causes damage to a Windows system. I've published the German blog post Tastatur und Maus nach Deinstallation von Kasperky tot, where the tool removed USB 2.0 support for mouse and keyboard.

A reader of my German blog left a comment pointing out that, during cleanup, KAVREMOVER may remove too many values from the UpperFilters registry entry. Virus scanners use the UpperFilters entry to add their own filter drivers, which are used to scan accesses to drives. The class ID:

{71a27cdd-812a-11d0-bec7-08002be2092f}

also contains the entries for Windows storage volumes. KAVREMOVER seems to delete, within:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}

the whole UpperFilters entry with the values fltsrv and volsnap. This removes Kaspersky's filter driver and also the VSS provider, which is required to store VSS copies. This causes error 0x81000203 during an attempt to activate computer protection.

In the Kaspersky forum there is a German thread, Nach Benutzung vom KAVRemover ist die Systemwiederherstellung defekt, from August 2016 for Windows 10, where this issue has been discussed. The blog reader wrote: After restoring the registry entry UpperFilters (REG_MULTI_SZ) with the values volsnap and fltsrv, removed by KAVREMOVER, in

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}

computer protection works again. This blog post (see also) describes the registry entries required to restore the VSS provider.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}]
"UpperFilters"=hex(7):76,00,6f,00,6c,00,73,00,6e,00,61,00,70,00,00,00,00,00
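
Before importing a .reg file taken from the web, it is worth checking which driver names its hex(7) (REG_MULTI_SZ) data actually writes. The following Python sketch is an added example, not part of the original post; it decodes the UpperFilters value line shown above, and the function names and the sample constant are made up for illustration.

```python
import re

# Constructed sample: the UpperFilters value line from the .reg file above,
# written with plain ASCII double quotes.
REG_LINE = ('"UpperFilters"=hex(7):'
            '76,00,6f,00,6c,00,73,00,6e,00,61,00,70,00,00,00,00,00')


def decode_multi_sz(reg_value_line):
    """Return (value_name, [strings]) for a hex(7) value line of a .reg file."""
    # Long values are wrapped with a trailing backslash; join them first.
    joined = re.sub(r"\\\s*\n\s*", "", reg_value_line.strip())
    # The value name must be enclosed in plain ASCII double quotes.
    m = re.fullmatch(r'"([^"]+)"=hex\(7\):([0-9a-fA-F,\s]*)', joined)
    if not m:
        raise ValueError("not a hex(7) REG_MULTI_SZ value line")
    name, hex_part = m.group(1), m.group(2)
    raw = bytes(int(b.strip(), 16) for b in hex_part.split(",") if b.strip())
    if len(raw) % 2:
        raise ValueError("odd byte count: not valid UTF-16LE data")
    # REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, plus a final NUL.
    text = raw.decode("utf-16-le")
    return name, [s for s in text.split("\x00") if s]


def encode_multi_sz(name, strings):
    """Build the hex(7) value line for a list of strings (inverse of decode)."""
    raw = "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"
    return '"%s"=hex(7):%s' % (name, ",".join("%02x" % b for b in raw))


if __name__ == "__main__":
    name, drivers = decode_multi_sz(REG_LINE)
    print(name, drivers)
```

A line whose value name is wrapped in typographic quotes, as often happens when a .reg snippet is copied from a web page, is rejected by this parser with a ValueError.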

Some forum entries reported that the KAVREMOVER issue has been fixed since December 2016, but I've seen further discussion in Kaspersky's forum until April 2017. Perhaps it helps, if you are affected.

