Avast Antivirus Compatibility Issue With Windows Update for Storage Firmware

[Lenovo SSD Guy]

I work for Lenovo, and this is on behalf of one of our customers. We need some help here.  Our customer has Avast Free Antivirus for business with Windows 10 and Windows Cumulative Update KB4598242 installed. (The KB is important as the problem does not occur without it.)  They then install LenovoDiskExtnPackage.inf.  This package updates the firmware in an NVMe solid-state drive.  Per Microsoft, the extension driver creates an alternate node for the SSD, uninstalls and reinstalls the device drivers in the Disk Drive stack, including disk.sys, EhStorClass.sys, partmgr.sys, and Avast's aswArDisk.sys. The Avast aswArDisk.sys driver fails to reinstall with the error "Access Denied".  See except from setupapi.dev below:

dvi:                                    {Install DEVICE}
     inf:                                         {Install from INF Section - disk_install.NT} 11:46:28.768
     inf:                                              Flags         - 0x001005ee
     inf:                                         {Install from INF Section - exit(0x00000000)} 11:46:28.768
     dvi:                                         {Writing Device Properties}
     dvi:                                              Strong Name=disk.inf:6d166ee9677c725c:disk_install:10.0.19041.1:gendisk
     dvi:                                         {Writing Device Properties - Complete}
     inf:                                         AddService=disk,2,disk_ServiceInstallSection,disk_EventLog_InstallSection  (disk.inf line 133)
     dvi:                                         Add Service: Modified existing service 'disk'.
     inf:                                         {Install from INF Section - disk_ServiceInstallSection} 11:46:28.784
     inf:                                              Flags         - 0x00100004
     inf:                                         {Install from INF Section - exit(0x00000000)} 11:46:28.784
     inf:                                         {Install from INF Section - disk_EventLog_InstallSection} 11:46:28.784
     inf:                                              Flags         - 0x00100004
     inf:                                         {Install from INF Section - exit(0x00000000)} 11:46:28.784
     dvi:                                         Controlling Service: Service 'disk' is required at boot, modifying filter drivers.
     dvi:                                         Filter Service: Modified service 'EhStorClass'.
     dvi:                                         Filter Service: Modified service 'partmgr'.
!!!  dvi:                                         Filter Service: Failed to modify service 'aswArDisk'.
!!!  dvi:                                         Error 5: Access is denied.
!!!  dvi:                                         Error while installing services.
!!!  dvi:                                         Error 5: Access is denied.
...
     ump:           {Plug and Play Service: Device Install exit(00000005)}
!!!  dvs:           Device install failed for device.
!!!  dvs:           Error 5: Access is denied.
!!!  dvs:           Failed to install device instance 'SCSI\Disk&Ven_NVMe&Prod_SAMSUNG_MZVLB256\5&1c7a9c2f&0&000000'. Error = 0x00000005
     dvs:      {Driver Setup Update Device - exit(0x00000000)} 11:46:28.815
     dvs: {DrvSetupInstallDriver - exit(00000005)}
<<<  Section end 2021/01/29 11:46:28.815
<<<  [Exit status: FAILURE(0x00000005)]

Windows Plug-and-Play then assigns the "NULL" driver to the SSD, making it an unknown device, and the system Blue-Screens with the message "Inaccessible Boot Device".

     ump:           {Plug and Play Service: Device Install for SCSI\DISK&VEN_NVME&PROD_SAMSUNG_MZVLB256\5&1C7A9C2F&0&000000}
!    dvi:                Installing NULL driver!
     dvi:                {Core Device Install} 11:47:38.949
   ...

     dvi:                {Core Device Install - exit(0x00000000)} 11:47:39.246
     ump:           {Plug and Play Service: Device Install exit(00000000)}
!    dvs:           Reboot needed to complete driver update.
!!!  dvs:           Failed to install device instance 'SCSI\Disk&Ven_NVMe&Prod_SAMSUNG_MZVLB256\5&1c7a9c2f&0&000000'. Error = 0x00000005

The system is now toast; it can only be recovered by re-installing Windows.    We've engaged Microsoft, and after studying the log, they concluded that the Windows Update and PNP architecture is working as-designed.  We need some kind of software solution.  The full setupapi.dev log is too big for the forum tool, but I can make it and Windows Update Storage Firmware Update package available on request.  Can anybody help us out?

[gmer]

To properly uninstall aswArDisk.sys driver you have to remove service name from UpperFilters

Code: [Select]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}@UpperFilters

[Lenovo SSD Guy]

Thank you, gmer.  Since the drive is unbootable, I'll see if we can install it as a second drive in another system and edit the registry that way.

[Lenovo SSD Guy]

Microsoft provided this link for information on how the Storage Firmware Update works:

https://docs.microsoft.com/en-us/windows-hardware/drivers/sfu/storage-firmware-update-driver

[Lenovo SSD Guy]

Gmer, we tried the registry hack, and the drive still isn't bootable.  We may need to find a way to force Plug&Play to re-install the device as a "Disk Drive" again.  But hey, it was worth a shot. 

Any chance the Avast development folks could take a look at this?

[Spec8472]

Hi, is there any chance to use System restore to restore the OS to pre-KB4598242 state? I am afraid the aswArdisk filter should have been removed before KB4598242 installation. Now the problem is probably about installing proper disk device driver to offline system (instead of current NULL driver). The problem with aswArDisk was identified already. The problem is not in disk filter itself but its protection from modification. We will issue a update to prevent this.

[Lenovo SSD Guy]

Thank you, Spec8472.  It's really, really messy, but yes, we can get system restore to get to a pre-KB4598242 state.  According to my guy in Product Engineering:

"To reset your OS and keep your files:
After booting to the BSOD screen 3 times, your system will boot to the Automatic Repair screen.
1.   Select "Advanced options"
2.   On the "Choose an option" screen, select "Troubleshoot"
3.   On the "Troubleshoot" screen, select "Advanced options".
4.   On the "Advanced Options" screen, select "Uninstall Updates".
5.   On the "Uninstall Updates" screen, select "Uninstall latest quality updates".
6.   On the "Uninstall latest quality updates" screen select your account.
7.   On the next screen, enter the password to the account.
8.   On the "Uninstall latest quality updates" screen select "Done"
9.   When the system states "Uninstall complete", click Done.

The system will reboot and display the Inaccessible boot device BSOD again.
Let the system reboot and complete "Automatic Repair"
When the system repairs completes and reboots, I can boot to the desktop.
There is a popup that says 'We removed some recently installed updates to recover your device from a startup failure.'"

So, at least our customer can get his users' systems back.  That's a good thing.  A very good thing.

[Lenovo SSD Guy]

The problem with aswArDisk was identified already. The problem is not in disk filter itself but its protection from modification. We will issue a update to prevent this.

That's fantastic.  Thank you.  What kind of a time-frame are we looking at?

[Spec8472]

Probably tomorrow, worst case is start of next week. In form of micro-update (patch) for last released version of Avast Free 21.1.

[Lenovo SSD Guy]

Ooo, that would be outstanding.  If there is a URL where our customer(s) could get the patch (or whatever way you have for distributing patches), may I reference it in our own Knowledge Base?

[Spec8472]

This is automatic update for all Avast AV 21.1. versions. No user interaction is required to receive the patch.

[Lenovo SSD Guy]

Just checking to see if the patch went out as scheduled.

[Spec8472]

Yes, the patch was released Feb 18. Build version is >= 21.1.5968.635

[Lenovo SSD Guy]

On behalf of our mutual customers, thank you for your help!

[StuBox]

I am experiencing this same issue after the recent update(02/16/2022) with a new DeskTop I just received from Lenovo. Any help would be appreciated. I've got the 48 mos warranty but really don't want to deal with customer service. I am floored that this even happened. Haven't even gotten to use it yet? TIA stu

Looks like it happened to me exactly 1 year from the first incident (02/15/2021) ....... Hum??? reading the thread it looks like you found the fix? Why did this happen to a system that was just shipped by Lenovo??


Name
LevovoAIO5i
OS Edition
Windows 11 Professional
Version
2009
OS Build
10.0.22000.493
System type
F0FA008BUS
RAM
16 GB
Serial number
###GA2FM