Users reinstalling Windows 7 SP1 may get the boot error 0xc0000428. This can be caused by a missing BitLocker patch. Here is some information about the problem and why it might occur.
The error code 0xc0000428
The error 0xc0000428 stands for STATUS_INVALID_IMAGE_HASH – the hash of the image is invalid. The corresponding error text is:
"Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."
An error occurred during signature verification of the boot files. The system refuses to boot because the hardware or software has been modified (something may have been damaged or overwritten by malware).
If you search for the error code, you will find it in the NeoSmart Knowledge-Base, for example. The causes mentioned there, such as an outdated boot manager (BootMgr), the wrong version of the boot disk, etc., have been known for years. In the current scenario, however, none of these is the cause.
Problem: New installation of Windows 7 SP1
Let's get to the issue that is the subject of this blog post. Some users will reinstall systems with Windows 7 SP1 in the coming months. The problem affects installation media that have been customized using DISM and extended with SHA-2 support.
Background: Windows 7 SP1 installation image with SHA-2 support
As of August 2019, Microsoft has changed the signing of update packages to SHA-2 only. The dual signing with SHA-1 and SHA-2 has expired. I have blogged about that (see the links at the end of this article). Without SHA-2 support, Windows 7 SP1 will not be able to install new updates released after August 2019. In my blog post Windows Updates KB4512506/KB4512486 drops error 0x80092004 I pointed out that Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 and Windows Server 2008 Service Pack 2 must have the following SHA-2 updates installed.
- Update KB4474419 (SHA-2 code signing support update for Windows Server 2008 R2 and Windows 7: March 12, 2019) adds support for SHA-2 signature checks for the above operating systems.
- In addition, the Servicing Stack Update KB4490628 was published in March 2019. This fixes a problem in the Servicing Stack, which occurs as soon as packages are signed with SHA-2 only.
If you now want to reinstall Windows 7 SP1 (or one of the other server variants mentioned), it is recommended to use a customized installation image. The two updates mentioned above can be integrated into the installation image using dism.
Windows 7 New Installation: The Cause of Error 0xc0000428
Users who reinstall Windows 7 SP1 (or the server variants) via a customized installation image with SHA-2 support can now run into the boot error 0xc0000428. I saw this a few hours ago from Woody Leonhard, who also points out a trap in the following tweet.
Installing Win7 from a backup? If you're installing a customized image (e.g., from DISM), burning an image directly, or installing an up-to-date image that throws 0xc0000428, you need to install a BitLocker patch. Whether you use BitLocker or not. Gotcha. https://t.co/o8Zt6sah2e
— Woody Leonhard (@AskWoody) August 19, 2019
The issue is also mentioned in this German comment, there however with Windows Server 2008 R2. Microsoft added three entries to the support article 2019 SHA-2 Code Signing Support requirement for Windows and WSUS on August 17, 2019:
- I am using setup to perform a clean installation of Windows 7 SP1 or Windows Server 2008 R2 SP1. I'm using an image that has been customized with updates (for example, using dism.exe). How do I update to SHA-2 support?
- I am installing an image of Windows 7 SP1 or Windows Server 2008 R2 SP1 directly to the disk without running setup. How do I make this scenario work?
- I have installed an image of Windows 7 SP1 or Windows Server 2008 R2 SP1, which includes the SHA-2 support, directly to the disk without running setup and now the system does not boot and I receive error 0xc0000428 (STATUS_INVALID_IMAGE_HASH). How do I make this scenario work?
The first item deals with the question of how to retrofit SHA-2 support for the boot record. The second item deals with the question of which updates have to be installed and adapted for a new installation. And the third item deals with the problem that the boot process ends with the error 0xc0000428 after the new installation.
The reason for this error is the missing BitLocker patch KB3133977 (BitLocker can't encrypt drives because of service crashes in svchost.exe process in Windows 7 or Windows Server 2008 R2). This update was released on April 24, 2017 and addresses a problem in which BitLocker cannot decrypt encrypted files and the svchost.exe service crashes. This BitLocker patch KB3133977 must be included in the boot image before installing any updates. Here are the steps to follow:
- Start the operating system with recovery media.
- Before installing additional updates, install KB3133977 with Deployment Image Servicing and Management (DISM) for Windows 7 SP1 and Windows Server 2008 R2 SP1.
- Restart the recovery media. This restart is required.
- Run bcdboot.exe at the command prompt. This copies the boot files from the Windows directory and sets up the boot environment.
For more information, see BCDBoot Command Line Options. Then restart the operating system.
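The steps above as a script for the recovery-media command prompt. This is an added example, not part of the original post or of Microsoft's article; the script name `fix428.cmd`, the drive letter in `WINDRV` and the package path in `PKG` are assumptions to adjust. Run it with `patch`, restart the recovery media, then run it with `boot`.

```bat
@echo off
setlocal
rem Assumption: drive letter of the offline Windows installation as seen from
rem the recovery environment (often not C: there). Check with: dir C:\Windows
set "WINDRV=C:"
rem Assumption: location where the downloaded KB3133977 package was saved.
set "PKG=E:\temp\KB3133977.msu"

if not exist "%WINDRV%\Windows\System32\config\SYSTEM" (
    echo %WINDRV% does not contain a Windows installation. Adjust WINDRV.
    exit /b 1
)

if /i "%~1"=="patch" goto :patch
if /i "%~1"=="boot"  goto :boot
echo Usage: %~nx0 patch ^| boot
exit /b 1

:patch
if not exist "%PKG%" (
    echo Package %PKG% not found. Adjust PKG.
    exit /b 1
)
rem Service the offline image: add KB3133977 before any other update.
dism.exe /Image:%WINDRV%\ /Add-Package /PackagePath:"%PKG%"
if errorlevel 1 (
    echo DISM failed, see %WINDIR%\Logs\DISM\dism.log
    exit /b 1
)
rem Confirm that the package is now listed in the offline image.
dism.exe /Image:%WINDRV%\ /Get-Packages | find /i "KB3133977"
if errorlevel 1 echo KB3133977 is not listed; check the DISM output above.
echo Now restart the recovery media, then run: %~nx0 boot
exit /b 0

:boot
rem Copy the boot files from the patched Windows directory and set up
rem the boot environment again.
bcdboot.exe %WINDRV%\Windows
if errorlevel 1 exit /b 1
echo Boot files written. Restart into the installed operating system.
exit /b 0
```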
SHA-2 patch for Windows 7 arrives on March 2019
Windows 7: From April 2019 'SHA-2-Support' is required
Windows 7: Updates for SHA-2 support
Windows Updates KB4512506/KB4512486 drops error 0x80092004
Windows Server 2008 R2 and a WSUS SHA-2 issue
Symantec/Norton blocks Windows Updates (SHA-2)
Would you clarify how to "install KB3133977 with Deployment Image Servicing and Management (DISM)" in Windows 7?
Or is the "System Update Readiness tool" method applicable, as it is explained in:
One source is How to use DISM to install a hotfix from within Windows (online)
The other source might be DISM Operating System Package (.cab or .msu) Servicing Command-Line Options (but I've never tested these offline options with Win 7). Hope that helps.
Supplemental notes below that may help some.
The DISM command that worked for me was:
dism.exe /image:C: /Add-Package /PackagePath:E:\temp\KB3133977.msu
Where C: is the drive containing the damaged Windows, and E:\temp is the folder containing the patch downloaded above.
The bcdboot command that worked for me was: