Windows Start Menu Locked Up, unable to restart machine.

Have a situation where installing SOPHOS causes the Start Menu of Windows 10 1709 to stop working, also seems to stop all "User Experience" things, such as Settings Page etc. When you try to restart, you get the error:

task host is stopping background tasks windows 10 Device install reboot required

You have to hard kill it to reboot/shutdown the machine. 

This is a fresh installation of USB
Installed Acrobat Reader, Media Player Classic, IrfanView, Greenshot, Chrome and Java.

Used the new Deployment from SOPHOS MSP Admin Console and the "Download Complete Windows Installer"

Used the following command to install:
SophosSetup.exe --customertoken="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --mgmtserver="dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com" --products="antivirus;intercept" --quiet

I seem to be able to "jostle" the start menu by right clicking on the start button.  

At this stage, I am unable to install SOPHOS AV

  • In reply to JordanM:

    Hi JordanM and All,

    I did some more testing today here are my findings:

    1. On two test systems I removed the Windows password, same as Jordan; the "sign-in info" switch was disabled and Windows Defender was all enabled. I did 12 reboot tests on both systems: 0 failures.
    2. This time I enabled the "sign-in info" switch, no login password, Windows Defender enabled, and did 12 reboot tests with 0 failures on both test systems.
    3. I then added a login password on both systems and also enabled the "sign-in info" switch, with Windows Defender enabled, and both systems failed: one had 3 out of 6, the other 4 out of 6 reboot failures.
    4. Last test: I disabled the "sign-in info" switch, still with a login password and Windows Defender enabled, and both systems were successful with 8 out of 8 reboots and no failures.

    It seems to me each of us is experiencing different results of what works and what does not. Removing the Windows password does have an effect regardless of the "sign-in info" switch setting. I can't explain why disabling the "sign-in info" switch works for me... I have now tested this on 6 different failing systems and it solves the problem for me on all of them. Burt has found disabling Windows Defender works for him on his systems. The only other explanation is we are looking at two separate issues? In my case, when the problem shows, Start, Edge and Settings do not work and the overall system performance is noticeably slower. After I have clicked on Edge and then right-clicked Start to either reboot or shut down, Edge seems to start in a fashion although not responsive, which can be said for other applications which are slow to start.

    I can only suggest that those who have not logged a case with Sophos do so, as it is in your best interest; I think the more cases they see, the more weight it adds to the problem. I still have my case open (#7862295) and it is escalated. If I see the issue re-occurring when I have the "sign-in info" switch disabled, I'll for sure be in contact with them, but right now they have given me a solution which seems to work for me.

    Regards
    Kevin

  • In reply to kevin clarke1:

    Hi All,

    One other point I forgot to mention was that prior to Sophos's communication about disabling the "sign-in info" switch, they had me run with only Endpoint Advanced and not with Intercept X installed as well. This did work without any problems.

    Kevin

  • In reply to kevin clarke1:

    On my same problem computer, I installed Norton Internet Security and didn't see the issue happen yesterday.  Today, I rebooted it a few times and was able to trigger the same issue.  Now it's making me wonder if it relates to security vendors that utilize exploit protection, or if it is in fact unrelated to security software altogether. 

    In my scenario today, the Windows sign-in option was enabled and I was using a login account with a password.

    Logging out of the computer and logging back in restores functionality (no need for reboot).

    I'll try disabling that Windows sign in option again and will continue using a login password and see if it reduces my symptoms.

  • In reply to kevin clarke1:

    I have the same Problem...

    My case #7887075

    Hope to hear something from Sophos

  • In reply to Martin Frey:

    Hi Martin and All,

    Just to let you know, Sophos got back to me and as far as they are concerned this is now a known issue, that is, the "Use my sign-in info..." switch, and their development team is working on this with MS. They did not make me aware of any other issues causing this problem. Clearly this solution is not working for many in this forum, so I guess let's see what they have to say about this.

    Regards
    kevin

  • In reply to kevin clarke1:

    We were able to confirm on two machines...

    Install Windows, update to latest, use username with password, disable sign-in option, install IX and it seems to work. With that said, we may not have an exact control environment because we noticed on the download this is a different version of IX.

    We can also confirm even with the new version the updating of Visual Studio was a shot in the dark; it did not work.

    Still have not heard anything back on our ticket and it's been well over a month.

  • In reply to DBASQL:

    I also have the Start Menu locked up issue.  It is on Windows 1703 and 1709 computers.  I started with a fresh 1703 version and went through the following on clients domain.

     

  • In reply to Gregg Michalski:

    You have to open the Windows Defender Security Center

    and disable Virus & threat protection.

  • In reply to Martin Frey:

    Martin,

    Disable everything before installing Sophos?  I tried the reg change to disable Windows Defender Security Center and looked to have worked.  I have WDSC enabled again and see Virus & threat protection, SmartScreen and Exploit Protection.

    Do you know if these have to be disabled before installing or can you turn them off after Sophos is installed?

     

    Thank you.

  • In reply to Gregg Michalski:

    First disable WDSC and then install Sophos. That's it.

  • In reply to Martin Frey:

    Thanks.  I have many computers to fix.

  • Thank you for contacting Sophos Technical Support. Please see below summary of our investigation:
    On a test remote session we have replicated the issue and verified that by uninstalling Intercept X and rebooting the endpoint, the issue was resolved. This verifies that it's related to the known issue in the article below, provided to you previously:
                "https://community.sophos.com/kb/en-us/124988#Windows 10 RS3 - Start UI fails to run during first login session"
    As per article:

    This issue occurs on computers not joined to a domain. Investigation has shown to be a possible Microsoft issue. A reboot may resolve the issue. The following two options will also prevent the issue from occurring:

    • Locally, under User Accounts logon settings, by disabling the setting Use my sign-in info to automatically finish setting up my device after an update or restart.

    The setting for  'Use my sign-in info to automatically finish setting up my device after an update or restart' was still turned ON on the endpoint in question. The workaround is to turn it off.

    This is a known issue and is being investigated by our Dev team and Microsoft. Any further details will be updated in the known issues article.

  • In reply to BrianClark:

    This could be related:

    https://twitter.com/markloman/status/967066016135172096

    https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-40#post-2740104

    "Fixed an issue with the Windows 10 Start Menu".

    For those that have seen it, I assume it's all Intercept X installs, i.e. those with HMPA installed.

  • In reply to jak:

    Woohoo!!  I see it's beta though...  I hope this will be considered high priority for Sophos, so we won't have to wait another 3+ months for this fix to be released to Sophos Intercept and Home Premium users.

  • In reply to JordanM:

    I guess it would be interesting to see if this fixes it?  Can you reproduce the issue reliably to know it helps?

    As a test (ideally on a test computer but this should all be pretty safe) I would do as follows:

    1. Check you don't have a PendingFileRenameOperations value under:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
    If you do, reboot until it is gone.

    2. Download http://test.hitmanpro.com/hmpalert3b734.exe to say C:\hmpatest\ but it doesn't really matter, I will just reference this location for guidance.

    3. Open an Admin prompt in C:\hmpatest\ and run:
    hmpalert3b734.exe /upgrade

    4. The following location should be now populated with the new files:
    C:\Program Files (x86)\HitmanPro.Alert\Update Files\

    5. The registry key in step 1 will also be created with the entries to put the new files in place at restart.

    I would then suggest moving the C:\Program Files (x86)\HitmanPro.Alert\Update Files\ directory to C:\hmpatest\ and delete the PendingFileRenameOperations key.

    Essentially up until now, this is just extracting the files from the installer and moving the files and deleting the registry key responsible for making the switch from the old to new files on restart.

    If this is just a test computer/snapshot you're happy to blow away if it all goes wrong you could just reboot and "all" the new files will be put in place.  I.e. the service, the driver, the dlls.

    If you're being more cautious and interested which file specifically may have fixed it, you could replace each file as a test.

    For example - if it's the DLL file that is significant, i.e. the file injected into each process, you could rename: C:\Windows\System32\hmpalert.dll to C:\Windows\System32\hmpalert.dll.orig and copy in the new C:\hmpatest\Update Files\hmpalert_x64.dll and rename it to C:\Windows\System32\hmpalert.dll.  Is this enough, etc...

    Maybe replace the driver, service exe, next etc...

    Hopefully this makes sense.

    Regards,

    Jak
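
Added example, not part of the original thread or any Sophos tooling: a PowerShell sketch that decodes the PendingFileRenameOperations value checked in steps 1 and 5 above, so you can see which files will be swapped at the next restart before deciding whether to reboot. The sample entries are constructed from the paths named in the post; the entries the installer actually writes may differ.

```powershell
# Added example, not from the thread. PendingFileRenameOperations is a
# REG_MULTI_SZ of (source, destination) pairs processed at next boot;
# an empty destination means the source file is deleted.
function ConvertFrom-PendingRename {
    param([string[]]$Entries)
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        # Strip the NT path prefix (\??\) and the optional "!" replace flag.
        $src = $Entries[$i] -replace '^!?\\\?\?\\', ''
        $dst = ''
        if ($i + 1 -lt $Entries.Count) {
            $dst = $Entries[$i + 1] -replace '^!?\\\?\?\\', ''
        }
        $action = 'Delete'
        if ($dst) { $action = 'Move/Replace' }
        [pscustomobject]@{ Action = $action; Source = $src; Destination = $dst }
    }
}

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$live = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations

# Constructed sample, used only when the live value is absent.
$sample = @(
    '\??\C:\Program Files (x86)\HitmanPro.Alert\Update Files\hmpalert_x64.dll',
    '!\??\C:\Windows\System32\hmpalert.dll',
    '\??\C:\Windows\Temp\constructed-example.tmp',
    ''
)

$entries = if ($live) { $live } else { $sample }
$ops     = @(ConvertFrom-PendingRename -Entries $entries)
$ops | Format-Table -AutoSize -Wrap

# Flag the operations that touch HitmanPro.Alert (Intercept X) files.
$hmpa = @($ops | Where-Object {
    "$($_.Source) $($_.Destination)" -match 'HitmanPro\.Alert|hmpalert'
})
'{0} pending operation(s), {1} touching HitmanPro.Alert files' -f $ops.Count, $hmpa.Count
```

Run it from an elevated prompt before and after step 3 to see what the upgrade queued; the script only reads the registry and changes nothing.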