Has a KMODE_EXCEPTION_NOT_HANDLED blue screen recently appeared on your Windows systems? It could have something to do with the June 2018 patchday and the Spectre NG update.
On June 12, 2018, Microsoft also distributed a patch to close the Speculative Store Bypass, Spectre and Meltdown vulnerabilities (CVE-2018-3639, CVE-2017-5715 and CVE-2017-5754) with its security updates. I mentioned this in my patchday blog posts (see links at the end of the article).
For the updates to take effect, however, an administrator must set certain registry entries. In KB articles KB4073119 (clients) and KB4072698 (servers), Microsoft explains which registry entries must be set for the patches to work at all.
Blue Screens before installing updates?
But today I stumbled upon some strange information concerning the Microsoft June 2018 patchday. I came across a case where Windows systems had boot issues hours before the security updates were installed. The whole post can be found at administrator.de in the German thread MS Patchday Juni 2018 – BSOD, obwohl noch kein Patch freigegeben. Since it's not April Fools' Day, I don't think it's a fake or an April Fools' joke. The poster describes a very strange scenario.
- An employee at the company reported on patchday that his Windows computer did not start but stopped with a KMODE_EXCEPTION_NOT_HANDLED error. The blue screen indicates that an unhandled exception occurred in kernel mode.
- What looked like an isolated case grew into a series – out of 140 computers, 35 to 40 machines were affected by the error by the end of the next day (in Germany, patches arrive at 7 AM).
- The error occurred during boot – a system restore made the system bootable again. Unfortunately, no memory dump was created (according to the admin who posted this case at administrator.de).
When analyzing the affected systems, the administrator found that the registry values FeatureSettingsOverride and FeatureSettingsOverrideMask had been set on the machines under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
according to this article, to protect the system against the new Spectre Next Generation vulnerabilities. The strange thing about this case: the updates were not yet installed, and the thread opener swears that they did not set the registry entries. After the values were removed from the registry, the machines booted again.
Addendum: The person who posted at administrator.de has added some additional details:
The error only appears if the FeatureSettingsOverride value is 00000008 (Hex), as intended by Microsoft for SpectreV2 and SpectreV4, and the June 2018 update is NOT installed. If the value is 00000003 (Hex), the computer boots up perfectly, but only the SpectreV2 protection is active.
I was able to simulate this on a test system with Windows 10 1703, but I assume that 1607 and 1709 are also affected, as in our company. If the June 2018 update is installed, you can set the value to 00000008 and everything runs fine.
This error is well known and will occur again and again in 2018. Here is an older hint on how to fix the BSOD. I can't really explain the current case. But perhaps the information helps other administrators who get a KMODE_EXCEPTION_NOT_HANDLED error on their machines.
Addendum: According to a comment on my German blog post, update KB4078130 added the registry entries mentioned above. The tool InSpectre also offers an option to alter the registry settings. But neither applies to the case reported above.
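One way to check a machine for the combination described in the first addendum (FeatureSettingsOverride set to 8 while the June 2018 update is missing), as an added example that is not from the article or the administrator.de thread; it only reads the registry and the installed-update list. The parameter `JuneUpdateKb`, the helper `Format-Dword` and the placeholder `KB0000000` are assumptions; supply the KB ID of the June 2018 update for your Windows build.

```powershell
# Added example: read-only audit, changes nothing on the system.
param(
    # Assumption: KB ID(s) of the June 2018 cumulative update for this build.
    # 'KB0000000' is a placeholder; with it, the update is always reported missing.
    [string[]]$JuneUpdateKb = @('KB0000000')
)

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$props = Get-ItemProperty -Path $key

# A value that was never set comes back as $null (do not run under Set-StrictMode).
$override = $props.FeatureSettingsOverride
$mask     = $props.FeatureSettingsOverrideMask

# Get-HotFix reads Win32_QuickFixEngineering; match on the HotFixID property.
$patched = @(Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $JuneUpdateKb -contains $_.HotFixID }).Count -gt 0

# Format a DWORD as hex, or show that the value is absent.
function Format-Dword($v) {
    if ($null -eq $v) { '(not set)' } else { '0x{0:X8}' -f $v }
}

if ($null -eq $override) {
    $assessment = 'FeatureSettingsOverride not set'
} elseif ($override -eq 8 -and -not $patched) {
    # The combination the thread reports as ending in KMODE_EXCEPTION_NOT_HANDLED.
    $assessment = 'RISK: value 8 without the June 2018 update'
} elseif ($override -eq 8) {
    $assessment = 'Value 8 with the June 2018 update installed'
} else {
    $assessment = 'Other value: review against KB4073119 / KB4072698'
}

[pscustomobject]@{
    ComputerName                = $env:COMPUTERNAME
    FeatureSettingsOverride     = Format-Dword $override
    FeatureSettingsOverrideMask = Format-Dword $mask
    JuneUpdateInstalled         = $patched
    Assessment                  = $assessment
}
```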
Similar articles
Patchday: June 2018 Updates for Windows 7/8.1/Server
Patchday: Windows 10 updates June 12, 2018
Günter, the first bit mask of the memory management parameters has to be changed to dword 0x8 for any system (client and server); it was 0x0 for Intel (server) and 0x64 for AMD (client and server) to enable protection against Spectre v2.
Let's hope Microsoft tested the behavior with the old bitmasks too.
In your article the values of the customer are missing.
Please don't hesitate to contact me if you have any further questions.
Without the dword 0x8, store bypass protection will not be effective.
Small joke: Microsoft introduced a security patch to keep Windows S mode users forced to use the store. A Windows 10 store bypass "vulnerability" has been closed.