Boot failure - Sophosed.sys corrupted

The Sophosed.sys file is corrupted, causing a Windows 10 system boot failure.  This driver file is located in \Windows\System32\Drivers\.  Only the command prompt (not Safeboot) can be accessed.  I can access an external USB drive and can transfer files.  Where can I find a copy of this file?  Or is there any way to uninstall/disable Sophos from a command line?



This thread was automatically locked due to age.
  • You might find a copy here:

    C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64

    This is the file downloaded by AutoUpdate before being installed.

    I assume if you rename \Windows\System32\Drivers\sophosed.sys, the computer boots fine?

    Regards,

    Jak

  • Hi Jak,

    Thank you for the assistance.  On my system, the file was in a different location; however, I was able to retrieve it.  Unfortunately, it is still complaining about the driver but I now have an error code 0xc0000007 to work with.  Another step further.

    Additionally, the system will not enter SafeBoot or complete any of the other boot options.  Fortunately, I can access the command prompt which has allowed me to copy all my files but also limits what I can do.

  • Are you able to open the registry, navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense", set the "Start" value to 4 and reboot?  This should disable the driver in question from starting at startup.

    From the command line, the following should do the same:
    REG.EXE ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense" /v Start /d "4" /t REG_DWORD /f

    That said, I would think that being able to rename the file would result in the same outcome.

    Regards,

    Jak

  • RegEdit does run (I was surprised); however, it appears to be looking at a temporary OS registry created for the Debug state boot prompt that is on a logical X: drive.  The directory is small and is missing entries for Sophos and other products (I tried looking for them).  I don't see how to redirect it to the registry on my C drive.  The "Hive" commands are greyed.  I haven't tried to see if the text editor will work.

    Brad
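Added example, not part of any post in this thread: one way to apply the Start=4 change from the recovery command prompt when RegEdit only shows the recovery environment's own registry on X:, by loading the installed system's SYSTEM hive with reg load. It assumes the Windows volume is mounted as C: (the letter can differ in recovery); the mount name OfflineSystem and the .bak backup file name are arbitrary choices made for this example.

```batch
@echo off
rem Added example. Run from the recovery command prompt.
rem Assumption: the installed Windows volume is C: in this environment.
setlocal
set "OSDRIVE=C:"
set "HIVE=%OSDRIVE%\Windows\System32\config\SYSTEM"
set "MOUNT=HKLM\OfflineSystem"
set "SVC=Sophos Endpoint Defense"

if not exist "%HIVE%" (
    echo SYSTEM hive not found at %HIVE% - check the drive letter.
    exit /b 1
)

rem Keep a copy of the hive so the change can be rolled back.
copy /y "%HIVE%" "%HIVE%.bak" >nul || exit /b 1

rem Mount the offline hive under a temporary key name.
reg load %MOUNT% "%HIVE%" || exit /b 1

rem An offline hive has no CurrentControlSet link; Select\Current holds the
rem number of the control set the installed system boots with.
set "CUR="
for /f "tokens=3" %%A in ('reg query %MOUNT%\Select /v Current ^| find "REG_DWORD"') do set /a CUR=%%A
if not defined CUR (
    echo Could not read Select\Current.
    reg unload %MOUNT%
    exit /b 1
)
set "CS=00%CUR%"
set "CS=ControlSet%CS:~-3%"

rem Stop if the service key is absent, so reg add does not create a new key.
reg query "%MOUNT%\%CS%\Services\%SVC%" /v Start
if errorlevel 1 (
    echo Service key not found under %CS%.
    reg unload %MOUNT%
    exit /b 1
)

rem Start=4 marks the driver as disabled, as suggested in the thread.
reg add "%MOUNT%\%CS%\Services\%SVC%" /v Start /t REG_DWORD /d 4 /f
set "RC=%ERRORLEVEL%"

rem Unload so the change is written back to the hive file before rebooting.
reg unload %MOUNT%
exit /b %RC%
```

Once the driver file has been repaired, restoring the previous Start value shown by the reg query step (or copying the .bak hive back) re-enables the driver.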
