When trying to update Windows 10 (x64) from 1809 to 1903 (using Windows Update Assistant as was not being offered 1903 automatically and got fed up with waiting) I got a BSOD on the first phase of the update (i.e. before any reboots).
Tried several times to get to root cause (each time restored an image in order to reset to known state). BSOD either showed “SYSTEM THREAD EXCEPTION NOT HANDLED” or “KERNEL MODE HEAP CORRUPTION”.
Eventually established (by trial and error) that Comodo HIPS was objecting to something. HIPS had been running in Safe Mode & set to not create rules for safe applications.
So turned off HIPS whilst 1903 was being installed. Then turned back on.
So seems to me HIPS objected to something that was part of the update.
Anyone like to comment / shed some further light?
Machine concerned is a DELL Inspiron 15 3580 (Intel mobo I guess)
When carrying out a major update for Windows, the standard advice is to uninstall CIS after saving your Configuration; do the Windows update and then re-install CIS.
As far as I’m aware, that’s the advice from most of the major security providers.
Is this stated anywhere on the Comodo site / documentation - if so, please could you provide a link?
This is the first time that I’ve done one of these major W10 updates, and had expected that it would (in due course) just be downloaded and applied in the background like more run-of-the-mill updates (in fact I’m still of the impression that that is what is supposed to happen). If that is the case, how does one get the opportunity to do as you have suggested (without interrupting the whole process, which seems unwieldy, to say the least).
Would also be interested to hear of the experience of others. For example is it common practice to do as Ploget has suggested?
I agree with Ploget’s advice. Removing the AV (or COMPLETELY disabling it - I’ve been able to upgrade Windows 10 feature builds eg 1809 → 1903 this way) during the OS update is sensible for two reasons:
The AV and/or HIPS and/or Behaviour blocker should not be interfering with whatever low level tweaks the upgrade process is carrying out, otherwise you could potentially end up with a system that is not configured as the OS installer is expecting/intended, if some of the changes have been intercepted or blocked.
It saves a lot of time. A Windows 10 OS upgrade touches a LOT of files (not just the system files, it touches installed programs, user profiles etc) - potentially causing an AV to scan a huge proportion of your disk contents.
The safest option is to save your settings, uninstall, update the OS and then reinstall the AV and restore settings.
Note: I’m talking about the big feature upgrades here - you shouldn’t need to do the uninstall of the AV during a normal monthly “patch Tuesday patch” (though personally I disable Comodo while they occur, and re-enable afterwards).
“This is the first time that I’ve done one of these major W10 updates, and had expected that it would (in due course) just be downloaded and applied in the background like more run-of-the-mill updates (in fact I’m still of the impression that that is what is supposed to happen). If that is the case, how does one get the opportunity to do as you have suggested (without interrupting the whole process, which seems unwieldy, to say the least).”
That’s true for the monthly cumulative patches, but the big updates (e.g. 1809->1909) are basically a full OS upgrade - it backs up your existing system and then installs the new OS over the existing OS and then restores settings etc (which is why on my 2 slow PCs, they can take up to 8 hours!)
I couldn’t do the update, it didn’t even start until I allowed the update through my specially created configuration. My question: Wouldn’t Windows report that the update wasn’t successful or couldn’t be completed completely?
I have done numerous Windows upgrades and service pack installs over the years (up to Windows Insider builds in the fast track up to twice a week sometimes) with CIS installed with HIPS enabled, and they never failed because of CIS, so I seriously doubt that CIS with HIPS enabled is the cause here.
The BSODs are pointing to driver or hardware but a software conflict is also possible.
Since you restored an image each time we are without HIPS logs which makes it impossible to do a “post mortem”. That leaves us with speculation and conjecture. :-\
I forgot to mention that I had loaded my own configuration that made problems with Windows updates.
At the moment Windows is loading updates (KBxxxx) without problems with the configuration Comodo - Internet Security activated. So no update as posted by eBatch at the beginning.
My apologies for delay in responding (ill-health I’m afraid).
Thanks for all the comments - all very interesting.
And I should have made it clear that I am using Comodo Free Firewall (FW, HIPS, Containment, Virusscope and Website Filtering enabled) alongside Windows Defender for anti-virus purposes (and the vestiges of Windows Firewall that are still left active in Win10 when one has a 3rd party FW installed).
@Prodex: You say “I use a minimal configuration (not an open one)”, please could you explain what you mean by this?
@MikeDiack: Sounds like good advice, but a bit of a pain. I strongly believe it should not really be necessary to do this. And yes, I now realise that these 6 monthly feature updates are more like a new OS version install. So MS say that there won’t be another version of Windows after Win10 (but in reality we’re gonna dump one on you every 6 months regardless). Thanks a bunch MS.
@EricJH: Not entirely sure I agree. Disabling HIPS avoids the issue, so HIPS must be doing or causing something that gets in the way, even if indirectly. If I ever get the time I might do a restore, try again, and get the HIPS logs (but don’t hold your breath).
Thank you very much for your replies. I am sorry to hear you’re struggling with your health and would like to thank you very much for taking the effort needed to post.
I see Dharshu is also on it. Since your resources are scarce I’d say use them to connect with Dharshu. That way your findings are seen by Comodo. I expect he will ask you to produce a log with the in-house reporting tool and might also ask to produce a BSOD for further investigation.
If resources allow it’d be nice to hear from you but your health comes first of course.
I’m afraid I have not had the time to go back in time and restore the old image as I’d suggested.
However I have a pretty good idea as to what may be the root cause of the issue.
The laptop concerned uses Intel UHD Graphics 620 and I strongly suspect that the 1903 Win10 update included an update to the drivers for this.
Even doing a standalone install of updated drivers for the graphics needs Comodo Containment and HIPS to be disabled. For example there are a couple of batch files, C:\Intel\GfxCPLBatchFiles{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat and C:\Intel\GfxCPLBatchFiles{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat, that the install runs and Containment always contains them, but I get the impression that there are other items in the install that HIPS / Containment take exception to as well.
I went down the standalone route as the Jan 2020 Windows Update included a couple of updates to the graphics drivers which fell foul of this issue, so I restored to just before the Windows Update and downloaded the latest graphics driver from DELL and did it standalone (with Containment and HIPS disabled) before running Windows Update - all OK then.
I believe those two batch files are Intel’s crude attempt to do a tidy-up of registry keys as part of the install.
“The laptop concerned uses Intel UHD Graphics 620 and I strongly suspect that the 1903 Win10 update included an update to the drivers for this.”
Just for me personally, I always worry about generic drivers like those from Microsoft Update or from 3rd party driver update software. What I like to do is this. Example: since I have Intel drivers I go to
https://www.intel.com/content/www/us/en/support/detect.html
Intel® Driver & Support Assistant
Of course when I'm done with it I uninstall the driver support assistant software.
I let Intel decide on what drivers should and/or could be updated. I think that's better than any 3rd party driver updater software, including Windows updates for drivers.
Since the computer I'm on right now is an HP laptop, I check for updated drivers from the HP website.
If it's an AMD chip, I go to the AMD website and let them find it for me.
This HP laptop still doesn't like Windows version 1903, I have another HP laptop that's on Windows version 1909 :o :o. Don't ask me why it works that way. It just does.
Thanks for your comment, but as far as I’m aware the drivers being supplied via Windows Update were drivers sourced from Intel (i.e. not generic MS).
In any event the ones I downloaded and installed from Dell (so that I could control the install more tightly and circumvent the issue) were Intel drivers. Even with this, if I didn’t disable HIPS and Containment I would run into the same issue (I know, 'cos I’ve tried it).