Guest Chris Carver
Posted May 23, 2018

I discovered a severe bug in the Windows 10 April 2018 update that will cripple the workstation. I have not tested this on anything except Windows 10 Home, Pro, & Enterprise (before and after the April 2018 update). This seems to only affect the latest April 2018 update.

Do not make these changes on a workstation that you intend to keep using. This will prevent you from using Safe Mode in all conditions. YOU HAVE BEEN WARNED!

Once these changes are made, the first reboot will result in a black screen that inevitably leads to a hard reboot. After the next reboot, you will not be able to make it past the "Welcome" screen under any circumstances. This includes rebooting into Safe Mode with or without Networking and/or Command Prompt. Attempting to repair the computer will fail (chkdsk, scandisk, revert to restore point, etc.) under every condition.

Assuming this is a brand new installation of Windows:

1. Configure Windows 10 auditing
   - Go to the "Local Group Policy Editor"
   - Computer Configuration -> Windows Settings -> Advanced Audit Policy Configuration -> System Audit Policies
   - Turn on enough policies to generate enough log event data (turning on everything under "Object Access", "Logon/Logoff", and "Privilege Use" will suffice)
2. Once auditing is configured, configure the event viewer to archive log data
   - Go to the "Event Viewer"
   - Windows Logs -> Right click Security -> Properties
   - Set log size to 1028 (this is a critical step)
   - Select the "Archive the log when full, do not overwrite events" (this is a critical step)
3. Reboot the Windows workstation
   - You may run into a black screen at first (nothing will happen, I have let it sit for 30 minutes)
   - Hard reboot and attempt to log in. You will be stuck at a "Welcome" screen.
   - Reboot into advanced settings. Repairing will fail, reverting to restore point will fail, etc.

This could severely impact large organizations relying on Active Directory. If an intruder accesses the domain controller, a policy could be deployed to the domain that will break all Windows workstations on the network.

I believe I know what the issue is. When Windows goes to archive the Security.evtx file during the Windows boot sequence, it breaks the workstation. If you manage to get to the logon screen before the event log attempts to archive the log, you will succeed in logging into the workstation. This is why setting the size of the log to only 1028 is important. The boot sequence will generate enough data to cause an archive to occur, breaking the system before the user has time to log in.

Again, I have emailed a few times explaining the bug and have heard nothing back from Microsoft.
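A read-only audit for the configuration this post describes (Security log set to archive when full, combined with a small maximum size), as an added example that is not part of the original post. The function name `Test-EventLogArchiveRisk` and the `$MinSizeKB` threshold are assumptions chosen for illustration; the script changes nothing on the host.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# $MinSizeKB is an assumed review threshold, not a value taken from the post.
param(
    [string[]]$LogName = @('Security'),
    [int]$MinSizeKB = 20480
)

function Test-EventLogArchiveRisk {
    param([string]$Name, [int]$MinSizeKB)

    # Effective channel settings as the Event Log service sees them.
    $cfg    = Get-WinEvent -ListLog $Name -ErrorAction Stop
    $sizeKB = [int64]($cfg.MaximumSizeInBytes / 1KB)

    # Settings delivered by Group Policy land under this key (absent if not set by policy).
    $polPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$Name"
    $pol     = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue

    # LogMode 'AutoBackup' is the Event Viewer option
    # "Archive the log when full, do not overwrite events".
    $archives = $cfg.LogMode -eq [System.Diagnostics.Eventing.Reader.EventLogMode]::AutoBackup

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Log          = $Name
        LogMode      = $cfg.LogMode
        MaxSizeKB    = $sizeKB
        SetByPolicy  = [bool]$pol          # True when a policy key exists for this log
        PolicyMaxKB  = $pol.MaxSize        # Empty when not configured by policy
        PolicyBackup = $pol.AutoBackupLogFiles
        AtRisk       = $archives -and ($sizeKB -le $MinSizeKB)
    }
}

# One result object per log; filter on AtRisk to find hosts that need review.
$LogName | ForEach-Object { Test-EventLogArchiveRisk -Name $_ -MinSizeKB $MinSizeKB }
```

`AtRisk` is True only when the log is in archive-when-full mode and its maximum size is at or below the threshold; `SetByPolicy` shows whether the setting arrived through Group Policy rather than a local change.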