I have seen big problems with KB5041578 on Windows 2019 causing disk I/O issues with massive writes to c:\windows\catroot2\edb.log.
In the beginning, we noticed SAN I/O issues, so it took a few hours to identify the root cause of why VMs were sending massive writes to storage.
Impacted servers log JET error -1811 at the bottom of the file c:\windows\system32\catroot2\dberr.txt:
CatalogDB: 09:39:40 16-08-2024: catdbsvc.cpp at line #7085 encountered JET error -1811
CatalogDB: 09:39:40 16-08-2024: catdbsvc.cpp at line #4876 encountered JET error -1811
CatalogDB: 09:39:40 16-08-2024: catdbsvc.cpp at line #3779 encountered JET error -1811
CatalogDB: 09:39:40 16-08-2024: catdbcli.cpp at line #624 encountered JET error -1811
CatalogDB: 09:39:40 16-08-2024: catadnew.cpp at line #2481 encountered JET error -1811
You can also see if you are impacted by using Resource Monitor, as shown in the picture below.
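A read-only check for the symptom described above, as an added example that is not part of the original post: it parses the tail of dberr.txt for JET error -1811 and reports whether KB5041578 is installed. The function names, the 50-line tail and the "likely impacted" rule (update installed plus at least one matching error) are assumptions.

```powershell
# Added example, not from the original post; function names are hypothetical.
function Get-CatalogDbJetError {
    param(
        [string[]]$Line,            # raw lines read from dberr.txt
        [int]$ErrorCode = -1811     # JET error reported on impacted servers
    )
    # Line format as shown on this page:
    # CatalogDB: <time> <date>: <file> at line #<n> encountered JET error <code>
    $pattern = '^CatalogDB:\s+(?<time>\d{2}:\d{2}:\d{2})\s+(?<date>[^\s:]+):\s+' +
               '(?<file>\S+) at line #(?<line>\d+) encountered JET error (?<code>-?\d+)\s*$'
    foreach ($l in $Line) {
        if ($l -match $pattern -and [int]$Matches['code'] -eq $ErrorCode) {
            [pscustomobject]@{
                When       = '{0} {1}' -f $Matches['date'], $Matches['time']
                SourceFile = $Matches['file']
                SourceLine = [int]$Matches['line']
                JetError   = [int]$Matches['code']
            }
        }
    }
}
function Test-CatRoot2Impact {
    param(
        [string]$DbErrPath = "$env:SystemRoot\System32\catroot2\dberr.txt",
        [string]$HotFixId  = 'KB5041578',
        [int]$Tail         = 50     # assumption: the errors sit at the bottom of the file
    )
    $hits = @()
    if (Test-Path -LiteralPath $DbErrPath) {
        $hits = @(Get-CatalogDbJetError -Line (Get-Content -LiteralPath $DbErrPath -Tail $Tail))
    }
    $kb = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        HotFixInstalled = [bool]$kb
        JetErrorCount   = $hits.Count
        LastJetError    = if ($hits) { $hits[-1].When } else { $null }
        LikelyImpacted  = ([bool]$kb -and $hits.Count -gt 0)
    }
}
# Two lines copied from the log excerpt above, plus one constructed line with another code
$sample = @(
    'CatalogDB: 09:39:40 16-08-2024: catdbsvc.cpp at line #7085 encountered JET error -1811',
    'CatalogDB: 09:39:40 16-08-2024: catadnew.cpp at line #2481 encountered JET error -1811',
    'CatalogDB: 10:02:11 16-08-2024: catdbsvc.cpp at line #100 encountered JET error -9999'
)
Get-CatalogDbJetError -Line $sample | Group-Object SourceFile | Select-Object Name, Count
Test-CatRoot2Impact    # checks the local server; changes nothing
```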
Solution
Delete the folder C:\windows\system32\catroot2, which will reset the management database. You need to stop the Cryptographic service first.
You can boot the server into Safe Mode and delete the files.
If you have enough resources to run a PowerShell session, you can also run this:
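# Disable CryptSvc so it cannot restart while the folder is being removed
Set-Service CryptSvc -StartupType Disabled
# Stop Windows Update, Cryptographic Services and BITS
Stop-Service wuauserv -Force
Stop-Service CryptSvc -Force
Stop-Service BITS -Force
# Delete the catroot2 folder to reset the database
Remove-Item -Path C:\Windows\System32\catroot2 -Recurse -Force
# Restore the startup type and start the services again
Set-Service CryptSvc -StartupType Automatic
Start-Service wuauserv
Start-Service CryptSvc
Start-Service BITS
# Start the services that depend on CryptSvc and were stopped along with it
$Dependencies = Get-Service CryptSvc | Select-Object -ExpandProperty DependentServices
$Dependencies | ForEach-Object { Start-Service -Name $_.Name -PassThru }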
More info from Microsoft
The issue is now mentioned in the known issues in the release info.
An example of how to apply the KIR (Known Issue Rollback) is commented here.
Personally I have not tried KIR. I don’t feel confident about WHAT the goal is for this KIR. Does it uninstall the impacted hotfix and block it in the future? Or is the better approach to reset the db by deleting the CATROOT2 folder and then apply the update if removed?
I feel the last method is better for the future, as the machine stays protected against the vulnerabilities included in the patch. Removing the update puts the server both at unnecessary risk and in an odd support situation, where servers are not patched to the same level.
Thanks for this! It brought our DC to its knees. Once I got the cryptographic service into a stopping state, the server became responsive again and I could uninstall the update.
As the update will re-apply next month, I encourage you to fix the JET database as well. I know Microsoft will release more info on this issue very soon. Stay tuned!
This also killed one of our DCs and a few other servers. On our systems it caused Windows Defender to crash constantly. I was able to stop Defender from running a GPO to disable it and then test and find that it was this update. Once I removed the update and re-enabled Defender all was OK.
I am surprised nobody looked at what is actually causing the increase of logging of the cryptsvc; everybody just seems to be focused on removing the directory and getting IO in normal ranges.
I have just updated the blog-post adding more info on this issue. Microsoft has acknowledged the issue in the Known Issues and issued a KIR (Known Issue Rollback). See more details in the blog-post – you can jump directly to the ‘more info’ section following this link – https://mortenknudsen.net/?p=3200#moreinfo
I think they do it again with the new version of Windows 11 24H2.