Author Topic: Win7 Boot Error - aswrvrt.sys  (Read 11133 times)


Callender

  • Guest
Re: Win7 Boot Error - aswrvrt.sys
« Reply #15 on: November 10, 2013, 09:26:14 PM »
Well I've posted a similar reply to another user before but I'll outline the solution that worked for me again.

The aswrvrt.sys driver isn't digitally signed by Microsoft and Windows 7 doesn't like it.

What works for me is:

Boot to safe mode advanced options, then scroll down to "disable driver signature enforcement" and select that option.

If boot continues and is successful then you'll need to either:

Permanently disable driver signature enforcement (although this lowers system security it's still possible to run other software that warns if an unsigned file attempts to run).

or

Manually sign the Avast driver using a certificate that you created locally.

If the safe boot with "driver signature enforcement" disabled works - post back here and I'll add more detail. In the meantime, if you get up and running I'd suggest a safe mode boot followed by a disk check using the command

chkdsk /f /r

from the run dialog box (in safe mode).

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win7 Boot Error - aswrvrt.sys
« Reply #16 on: November 10, 2013, 10:23:00 PM »
Hi Callender, thanks for the input.

Quote
The aswrvrt.sys driver isn't digitally signed by Microsoft and Windows 7 doesn't like it.

Hm... I didn't think of it. This should have been reported to the avast team. Also, they should have some information about this.
Yes, it is possible and gives a nice explanation of why many users here are complaining about the same or a similar error, but something bothers me in this theory.
Have you tried this in the field? Does it truly solve the problem?

If aswrvrt.sys isn't signed by Microsoft then Driver Signing Policy wouldn't even allow this driver to be loaded.
How is avast installed then? As upon the installation and the machine's reboot, avast drivers are loaded into the Windows kernel.
Otherwise the avast GUI should report to the user that something is wrong.

And yet, in the event that all other signed drivers succeeded in loading into the kernel and only aswrvrt.sys didn't, then the user should have got an error immediately after the installation of avast. And this is not the case.

Also, FRST has some mighty routines of its own and shows the complete list of services and drivers (FRST has a whitelist) that are loaded into the kernel.
My tools don't show aswrvrt.sys in the driver list.

Second, avast needs to pay Microsoft for the signature. In this case, it's Microsoft's fault then. When avast was paying Microsoft for the signature, I doubt they skipped that one driver.

But it's worth a try.
-----------------------------------------



@Etos
We'll try Callender's advice; this may solve the problem. Are you still with me?

Start FRST in a similar manner to when you ran a scan earlier, in the Recovery Environment, but this time when it opens ...

1. Search ...
  • Type aswrvrt.sys into the Search: field in FRST, then click the Search File(s) button.
  • FRST will search your computer for files and, when finished, it will produce a log, Search.txt, in the same directory the tool is run from.
  • Please attach it to your reply.
2. Also, create and post me a fresh FRST.txt log report.
The only difference in creating the FRST log is that this time, before you hit the Scan button, you'll remove the check mark from the Drivers checkbox in the Whitelist section.
Now hit the Scan button and post me the fresh FRST.txt log report.

If aswrvrt.sys is out there somewhere, FRST's search shall tell us so. Then we can kill it. This shall confirm Callender's theory.
Also, this time FRST shall show the full list of all driver files (avast included), no exceptions.
Also, if you are here I would like to get a copy of the Minidump folder, which may tell us what the cause of the problem is.
« Last Edit: November 10, 2013, 10:47:05 PM by magna86 »

Callender

  • Guest
Re: Win7 Boot Error - aswrvrt.sys
« Reply #17 on: November 10, 2013, 11:23:33 PM »
In response all I can say is that I had boot issues with aswrvrt.sys and after test signing the driver manually using third party software the issue was resolved and has never resurfaced. It used to happen on a regular basis and I would restore my Windows partition from backup but that meant losing recent work as I only make system image backups every week or so. It might be worth noting that there are other unsigned drivers on my machine including one from SoftPerfect RAM Disk. I had boot problems so often that in addition to manually signing drivers I resorted to permanently disabling driver signature enforcement and all has been well since I took that step. I use the application whitelisting component of SecureAPlus (no AV) to provide some protection against unsigned files and potentially harmful scripts as obviously security would be lessened otherwise.

In addition aswVmm.sys also appears to be unsigned.


Callender

  • Guest
Re: Win7 Boot Error - aswrvrt.sys
« Reply #18 on: November 10, 2013, 11:57:22 PM »
I can't explain how the driver gets installed or why it sometimes appears to load successfully. Perhaps it's to do with users who have admin accounts rather than limited user accounts. I'd admit that I don't know enough to work out why!

Offline magna86

Re: Win7 Boot Error - aswrvrt.sys
« Reply #19 on: November 11, 2013, 01:27:59 AM »
Quote
...there are other unsigned drivers on my machine...
There are ways for a non-signed driver to be loaded into kernel space on a 32-bit machine. But on a 64-bit machine it is impossible (for now), as Driver Signing Policy and Kernel Patch Guard will not allow it. Use Google to look up those terms for understanding.
Quote
Perhaps it's to do with users who have admin accounts rather than limited user accounts.
This can't apply due to the nature of kernel space. For understanding, search Google for kernelspace, userspace and Ring (CPU).


There is no theoretical possibility for an avast driver to be unsigned. These drivers are the force and power of avast. But it may be that some other kernel driver interferes with avast's driver. Guessing ...

However, we will examine your theory in this case or in the one that follows.

Offline magna86

Re: Win7 Boot Error - aswrvrt.sys
« Reply #20 on: November 11, 2013, 01:44:43 AM »
Update:

I've reviewed the first posted FRST log in more detail. Your theory seems accurate.

Quote
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-08-30] ()
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [204880 2013-08-30] ()

These entries tell me, by their driver status, that these drivers shall attempt to load at boot and that they are non-signed. ???
But as I didn't pay attention to it and considered it impossible, I somehow skipped that.

However, there is one problem. I've removed all avast files (aswRvrt.sys and aswVmm.sys + related drivers in the registry) in one of the FRST fixes.


Quote
aswRvrt => Service deleted successfully.
aswVmm => Service deleted successfully.
C:\Windows\System32\Drivers\aswRvrt.sys => Moved successfully.
C:\Windows\System32\Drivers\aswVmm.sys => Moved successfully.

These avast driver files are no more; we removed them and the problem still remains.


Edit: Both of these drivers are related to avast! self-defence.


« Last Edit: November 11, 2013, 01:51:30 AM by magna86 »
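
The reading of the FRST entries in Reply #20, as an added example that is not part of the thread and not FRST's own code: it parses the quoted driver lines, keeps boot-start entries whose trailing parentheses are empty, and checks them against the quoted fix log. The field meanings (leading digit as the Windows service start type, parentheses as a vendor field) are assumptions about the log layout, and the third sample line is constructed.

```python
import re

# Lines 1-2 and the fix log are the entries quoted in Reply #20; line 3 is constructed
# for contrast. Field meanings are assumptions about the layout, not FRST documentation.
SCAN_LOG = r"""S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-08-30] ()
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [204880 2013-08-30] ()
R3 exampledrv; C:\Windows\System32\Drivers\exampledrv.sys [12345 2013-01-01] (Example Vendor)"""

FIX_LOG = r"""aswRvrt => Service deleted successfully.
aswVmm => Service deleted successfully.
C:\Windows\System32\Drivers\aswRvrt.sys => Moved successfully.
C:\Windows\System32\Drivers\aswVmm.sys => Moved successfully."""

# Windows service "Start" registry values.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
DRIVER_RE = re.compile(
    r"^(?P<state>[A-Z])(?P<start>\d) (?P<name>[^;\n]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>.*)\)$",
    re.MULTILINE,
)
FIX_RE = re.compile(
    r"^(?P<target>.+?) => (?P<action>Service deleted|Moved) successfully\.$", re.MULTILINE
)


def parse_drivers(text):
    """Return one dict per driver line; lines that do not match are skipped."""
    drivers = []
    for m in DRIVER_RE.finditer(text):
        d = m.groupdict()
        d["start"] = START_TYPES.get(int(d["start"]), "unknown")
        drivers.append(d)
    return drivers


def parse_fix(text):
    """Return (deleted service names, moved file paths), lower-cased for comparison."""
    deleted, moved = set(), set()
    for m in FIX_RE.finditer(text):
        (deleted if m["action"] == "Service deleted" else moved).add(m["target"].lower())
    return deleted, moved


def review(scan_text, fix_text):
    """Boot-start drivers with an empty vendor field: (name, service deleted, file moved)."""
    deleted, moved = parse_fix(fix_text)
    return [
        (d["name"], d["name"].lower() in deleted, d["path"].lower() in moved)
        for d in parse_drivers(scan_text)
        if d["start"] == "boot" and not d["vendor"].strip()
    ]
```

Calling `review(SCAN_LOG, FIX_LOG)` lists both avast entries as boot-start with an empty vendor field and already removed by the fix, which matches the observation in the post that the boot failure persisted after they were gone.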

Callender

  • Guest
Re: Win7 Boot Error - aswrvrt.sys
« Reply #21 on: November 12, 2013, 08:00:45 PM »
Well I'd suggest that a user should try using advanced boot options then disabling driver signature enforcement for the next boot only. If the machine boots - it's definitely a driver issue. If it doesn't boot my solution is to restore a system image back up. As for start up repair or repair install - I've never bothered with either, preferring to reinstall windows from scratch even though it's a lot of hassle.

Offline magna86

Re: Win7 Boot Error - aswrvrt.sys
« Reply #22 on: November 12, 2013, 09:16:46 PM »
Quote
Well I'd suggest that a user should try using advanced boot options then disabling driver signature enforcement for the next boot only. If the machine boots - it's definitely a driver issue. If it doesn't boot my solution is to restore a system image back up. As for start up repair or repair install - I've never bothered with either, preferring to reinstall windows from scratch even though it's a lot of hassle.

Hi,
Your suggestion sounds good, but for trying in the next case. As in this case I have removed all avast driver files (+ OP does not respond), there is nothing from Avast to load into the kernel, as I removed it by force. I am familiar with disabling driver signature, but there are no more of these 'avast' .sys drivers. They are in FRST Quarantine now.

Regarding re-installation of Windows, you can't know whether the user has an OEM license (which is bound to the MBR) or not. By re-installation, the MBR shall be overwritten and the OEM shall be lost.

Callender

  • Guest
Re: Win7 Boot Error - aswrvrt.sys
« Reply #23 on: November 12, 2013, 09:42:36 PM »
My machine had an OEM installed copy of Windows 7 but I downloaded the ISO from Digital River and clean installed. The license key was accepted. The installation also detected the OEM recovery partition that I had deleted. I've since deleted it again!


Callender

  • Guest
Re: Win7 Boot Error - aswrvrt.sys
« Reply #24 on: November 12, 2013, 10:13:22 PM »
Had another idea. I've used this one before just once. I had a non-booting Windows 7 machine so I booted into a Macrium Reflect recovery USB that I created using another machine and chose the "fix boot problems" option. It worked.

Here's the info:

http://kb.macrium.com/KnowledgebaseArticle50168.aspx

The only drawbacks are that it needs to be created on a machine running the same version of Windows 7, i.e. 64bit for a 64bit machine, and also requires a huge (around 1Gb) download to create the recovery USB.

Callender

  • Guest
Re: Win7 Boot Error - aswrvrt.sys
« Reply #25 on: November 13, 2013, 02:30:05 AM »
Okay so I admit that my technical knowledge isn't great but I did a little research. People are posting that boot hangs on aswRvrt.sys but according to the thread here:

http://superuser.com/questions/559923/windows-7-is-stuck-at-starting-windows-when-i-attempt-to-boot-computer

It would seem that the last driver displayed in the list is the last driver to load correctly and isn't the cause of the problem. I ran Load Order from SysInternals on my Windows 7 machine and the load order shows that aswvmm.sys is the one that is loaded after aswRvrt.sys.

However I can't explain how or why boot hangs on the same driver if it's been removed.