[German]The monthly KB4512506 Security Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 is experiencing issues. Some systems run into boot problems during installation. The machines refuse to start with error code 0xc0000225.
Advertising
The error description
Austrian blog reader Friedrich S., who runs an IT support company, contacted me by e-mail. He describes the error as follows::
after installation of 2019-08 – Monthly Security Quality Rollup for Windows 7 for x64-based Systems (KB4512506), Windows 7 no longer starts on some PCs. The error message:
Status: 0xc0000225
Info: The boot selection failed because a required device is inaccessible.
The blog reader writes that the safe mode of Windows 7 no longer works either. With a Linux USB stick he can start the systems and also access the partitions/data.
The blog reader is not alone; after I wrote the article Windows 7: SHA-2-Klippen am August-Patchday for German magazine heise, some readers left comments like the one, I've translated here:
KB4512506 causes a blackscreen with error 0xc0000225 (Win7 x64)
KB4474419 and KB4490628 are installed, but as soon as the 2019-08 monthly security quality rollup is installed, the Windows Boot Manager stalls with status 0xc0000225.
What I found so far was the suggestion to restore the winload.efi and winload.exe in system32 from an intact system, but I haven't tried it yet.
Has anyone else been able to observe this?
In the thread other users confirm this problem. Krebs on Security also has this user comment. Askwoody also has this forum entry, and Spiceworks also confirms the bug.
Advertising
Repair attempts of the user
The affected person then tried to boot the systems via Windows 7 DVD and get into Windows PE via the computer repair options. But he had no success there. After the start with the Windows 7 DVD he received this message during system restore
This version of the System Restore Options is not compatible with the version of Windows you are repairing. Use a disk that is compatible with this version of Windows.
FYI: Windows 7 x64 SP1 is installed on the computer, Windows 7 x64 SP1 is also installed on the DVD. If you use the Windows repair disk for starting, an error is found in the Windows boot manager.
Reparaturdetails: Die folgende Startoption wird repariert:
Name: Windows Boot Manager
ID: 9DEA862C-5CDD-4E70-ACC1-F328344D4795
After the repair has been carried out, the starting problem persists. The affected user writes to this:
We already have 5 systems where the problem occurs, 3 systems use a Samsung 860 Pro SSD, 2 systems have an HDD (Seagate/WD) built in.
and asks if others are affected and if there are any solutions. I had answered the question about the afflictions of other users in the text above with links to other sources.
Troubleshooting, some approaches
Ad-hoc I guess that the boot manager will be patched by the SHA-2 update in Windows 7. I had already published the blog post Windows hängt mit Boot-Fehler 0xC0000225 in December 2015, which deals with the error image. There was a tip to repair the UEFI files. But I am skeptical that it will help.
Patch KB3133977 is missing?
While writing the blog post something rang with me. A few days ago I published the article Windows 7: Reinstallation causes boot error 0xc0000428. Microsoft states that in certain situations a missing Bitlocker patch KB3133977 causes the stop error 0xc0000428.
Here it is recommended to read the support article 2019 SHA-2 Code Signing Support requirement for Windows and WSUS. Microsoft has added three entries to the August 17, 2019 article. The entries at the end of the article address issues related to the SHA-2 upgrade in Windows 7 SP1 and Windows Server 2008 R2.
At heise I had published the article Windows 7: SHA-2-Klippen am August-Patchday. There I mentioned the missing Bitlocker update KB3133977 may causes boot issues. Then I got an interesting user hint in the comment thread to my article.
It also bricked some of my computers. Fortunately they could be retrieved via restore points. After installing KB3133977 KB4512506 could be installed without any problems.
Be careful with the patch KB3133977 in connection with ASUS boards and Secure Boot. Be sure to read the KB article!
So the Bitlocker patch KB3133977 can solve the problem with the boot problems here as well. I therefore guess that the Windows 7 boot manager can no longer read the signatures without update KB3133977 due to the SHA-2 error and refuses to boot.
Microsoft wrote something about the ASUS board problem in KB article 3133977 that the patch on ASUS board prevents booting. ASUS has published this support article.
Perhaps the above information will help. If so, just leave a comment – thank you.
