This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Boot failure - Sophosed.sys corrupted

The Sophosed.sys file is corrupted causing a Windows 10 system boot failure.  This driver file is located in \Windows\System32\Drivers\.  Only the command prompt (not Safeboot) can be accessed.  I can access an external USB drive and can transfer files.  Where can I find a copy of this file?  Or is there anyway to uninstall/disable Sophos from a command line?



This thread was automatically locked due to age.
  • You might find a copy here:

    C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64

    This is the file downloaded by AutoUpate before being installed.

    I assume if you rename \Windows\System32\Drivers\sophosed.sys, the computer boots fine?

    Regards,

    Jak

  • Hi Jak,

    Thank you for the assistance.  On my system, the file was in a different location; however, I was able to retrieve it.  Unfortunately, it is still complaining about the driver but I now have an error code 0xc0000007 to work with.  Another step further.

    Additionally, the system will not enter SafeBoot or complete any of the other boot options.  Fortunately, I can access the command prompt which has allowed me to copy all my files but also limits what I can do.

  • Are you able to open the registry, navigate to: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense" and set the "Start" value to 4 and reboot.  This should disable the driver in question from starting at startup.

    From the command line, the following should do the same:
    REG.EXE ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /d "4" /t REG_DWORD /f

     

    That said, I would think that being able to rename the file would result in the same outcome.

    Regards,

    Jak

  • RegEdit does run (I was surprised); however, it appears to be looking at a temporary OS registry created for the Debug state boot prompt that is on a logical X: drive.  The directory is small and is missing entries for Sophos and other products (I tried looking for them).  I don't see how to redirect it to the registry on my C drive.  The "Hive" commands are greyed.  I haven't tried to see if the text editor will work.

    Brad

  • I had the same problem but in Windows Server 2008 R2. Renaming the file as Jak mentions solves it.

    Thanks.

  • Ran into boot failure for the same reason on a Server 2008 R2 x64 (not sp1) ESXi vm running Sophos Central Endpoint Agent 2.6.0 BETA.  Boot attempts resulted in Status: 0xc0000225 Info: The boot selection failed because a required device is inaccessible.  Same failure attempting boot into safe mode or repair from the OS boot menu.  Startup repair attempt from the 2008 R2 iso environment failed but the log from that indicated Boot critical file \windows\system32\drivers\sophosed.sys is corrupt.  Renaming that file as Jak pointed out has fixed the Windows boot failure.  After getting back into Windows the Sophos endpoint showed service failures due to Sophos Endpoint Defense Mini-Filter (SophosED) stopped that didn't resolve after manually updating or rebooting.  Renaming the file back and rebooting resulted in the same boot failure requiring renaming it again from the iso repair environment.  The sophosed.sys timestamp and size within \system32\drivers was identical to the one in C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\ - Sophos uninstall attempts from gui or cli or safe mode failed due to being unable to stop some services even with tamper protect disabled and service startup types changed to disabled.  Eventually got it uninstalled cleanly through some combination of manually disabling services, cli uninstallers, and reboots and was then fresh install succeeded.  This isn't SEC but the underlying component causing the problem seems to be related between the products and hopefully the keywords benefit others searching.

     

     

     

     

     

     

    EDIT: installing SP1 for 2008 R2 and latest windows updates resolves the problem and probably ties into this: https://community.sophos.com/kb/en-us/135504

  • Hi  

    Thank you for updating the steps you have performed to resolve the issue, just to add you can also take a look at Sophos ZAP tool if at all you are facing the issues while uninstallation. 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids