Hitmanpro.alert service crashed login after May Windows Update

For a few days we have been receiving computers from our employees where the login no longer works:

When entering the user name, the keyboard hung or you couldn't get rid of the start image.
If I managed to log in, the screen remained black.

The "Hitmanpro.alert service" caused the problem: after disabling it in safe mode, everything worked fine again. There seems to be a connection with the Windows Update problems from May. We could no longer trace exactly which patches they were.

Maybe it helps someone else.

  • Thanks for reaching out to the Sophos Community Forum. 

    Could you try running the command "fltmc" in an Admin Command Prompt? This will display the drivers that are loaded into your system. I would like to see if there is anything additional loaded that may conflict. 

    If you haven't already, I recommend opening a support case with our team so that we can take a closer look into the issue with you. 

    After having removed Sophos from the affected devices, does re-deploying Sophos onto the system cause the issue to return? 

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Kushal, 

    Thanks.
    Here are the results from fltmc. The Hitman service is deactivated here.
    We have not re-deployed Sophos yet, because we first had to repair the 12 PCs.
    I will test redeploying Sophos soon and post the results here.

    C:\WINDOWS\system32>fltmc

    Filtername                     Anzahl von Instanzen    Höhe    Frame
    -----------------------------  --------------------    ----    -----
    bindflt                                 1       409800         0
    Sophos Endpoint Defense                 1       389220         0
    hmpalert                                0       345800         0
    SAVOnAccess                             4       324000         0
    storqosflt                              0       244000         0
    wcifs                                   1       189900         0
    CldFlt                                  1       180451         0
    FileCrypt                               0       141100         0
    luafv                                   1       135000         0
    npsvctrig                               1        46000         0
    Wof                                     2        40700         0
    FileInfo                                4        40500         0

    C:\WINDOWS\system32>
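
The following is an added example, not written by any poster in this thread and not Sophos tooling: it parses `fltmc` output like the listing above (localized column headers included), maps each altitude to its minifilter load order group, and lists filters that are registered but have no instance attached. The group table is a subset of Microsoft's published altitude ranges, and the function names are this example's own.

```python
import re

# Subset of the altitude ranges Microsoft allocates to minifilter load order groups.
LOAD_ORDER_GROUPS = [
    (400000, 409999, "FSFilter Top"),
    (360000, 389999, "FSFilter Activity Monitor"),
    (340000, 349999, "FSFilter Undelete"),
    (320000, 329999, "FSFilter Anti-Virus"),
    (240000, 249999, "FSFilter Quota Management"),
    (180000, 189999, "FSFilter HSM"),
    (140000, 149999, "FSFilter Encryption"),
    (130000, 139999, "FSFilter Virtualization"),
    (40000, 49999, "FSFilter Bottom"),
]

# Data rows are "name  instances  altitude  frame". Matching on the numeric
# columns skips the header row, so localized column titles do not matter.
ROW = re.compile(r"^\s*(.+?)\s{2,}(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")

def group_for(altitude):
    """Return the load order group whose range contains this altitude."""
    for low, high, name in LOAD_ORDER_GROUPS:
        if low <= int(altitude) <= high:
            return name
    return "unlisted"

def parse_fltmc(text):
    """Return the filters sorted top of stack first (highest altitude)."""
    filters = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            altitude = float(m.group(3))  # altitudes may be fractional
            filters.append({"name": m.group(1), "instances": int(m.group(2)),
                            "altitude": altitude, "group": group_for(altitude)})
    return sorted(filters, key=lambda f: f["altitude"], reverse=True)

def unattached(filters):
    """Names of filters that are registered but attached to no volume."""
    return [f["name"] for f in filters if f["instances"] == 0]

# First rows of the output posted above, embedded so the example runs offline.
SAMPLE = """\
Filtername                     Anzahl von Instanzen    Höhe    Frame
-----------------------------  --------------------    ----    -----
bindflt                                 1       409800         0
Sophos Endpoint Defense                 1       389220         0
hmpalert                                0       345800         0
SAVOnAccess                             4       324000         0
"""
```
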

  • I suggest checking if signing in to a local account on one of the affected devices returns any different results. If roaming profiles are being used, there is a chance that the user profile is not being received successfully on the local device or is not loading up in time. 

    Kushal Lakhan
    Global Community Support Engineer
  • Looks like Windows updates are now also causing a similar problem with TrendMicro in connection with ransom protection.

    It really amazes me that the same thing happened to us with Sophos and I can't find anyone else. Am I always too early with Microsoft patches?