
Windows 10 S mode: Glitchy startup and scrolling persistent through reset


Solved by AdvancedSetup


Good evening,

I have recently purchased a Microsoft Laptop Go which came with Windows 10 in S mode. Upon initial observation the windows version was labeled as 'core,' I believe it was 64bit. I have recently updated windows and since then, the startup process displays characteristics that cause me concern. First, the Windows logo flashes at least once, and sometimes more times on startup. Also, scrolling through the start menu and various web pages is not smooth. There are visual discrepancies that happen in both areas. When I try factory reset, there are cmd windows that briefly appear and then disappear during the recovery process; it leads me to believe something has embedded itself in my windows system files, and it is somehow immune to factory resets. I'm pretty sure when I first completed the setup process there was only an option for English, but now there are options for English, Spanish, and French. I have tried factory resets with cleaning the drive and reinstalling windows locally, as well as creating a recovery drive loaded with a Surface system image downloaded from Microsoft.com. The problem persists.

This Laptop performed amazingly when it was new out of the box, but now something seems to have created idiosyncrasies within the operating system that is immune to every tactic I have tried.

Please advise. 

Thanks for your help in advance.

Link to post

  • Root Admin

Hello @thelastscion1 and :welcome:

Here is some information about the Windows 10 S Mode. Basically this version will only run applications from the Microsoft Store on purpose to reduce the threat attack surface.

Unfortunately it also highly controls what can run on it. The choice is yours but basically once you take it out of S Mode you cannot put it back without doing a Factory Reset.

 

Windows 10 S Mode

https://www.hellotech.com/blog/what-is-windows-10-s-mode-and-how-to-turn-it-off

https://www.cnet.com/how-to/windows-10-vs-windows-10-s-whats-the-difference/

https://support.microsoft.com/en-us/windows/switching-out-of-s-mode-in-windows-10-4f56d9be-99ec-6983-119f-031bfb28a307

https://support.microsoft.com/en-us/windows/windows-10-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85

https://sportsclinictampico.com/life-hack/how-to-leave-windows-10-s-s-mode/

 

Have you removed it out of S Mode?

 

Link to post

I was keen to give windows a chance with the S mode, however I am aware it would prevent the use of additional software to remedy a problem should something make its way into the operating system. 

If needed I can get back to the factory settings with a system image recovery, so I am going to take the computer out of S mode and go from there.

Link to post

Okay I have removed S mode from the computer, however I am still concerned there is something not quite right with my Windows system; it's as if drivers are updating and adding services without my permission.

I have made my primary local account a user account, while a tempADMIN account will have admin privileges. Is it possible for something to propagate within windows and disguise itself as utilities and system files? I guess I could be paranoid, but I can't shake the feeling that something has made its way into my machine, and is surviving through factory resets. 

Upon the most recent reset, there were still two cmd windows that appeared in the slightest instance in between recovery screens, like as in a silent or hidden install of something that is not factory. 

I've read about malicious code working its way into the UEFI/BIOS system, and short of taking the computer apart and finding a BIOS reset button or circuit, I wonder if there's a way to weed this bug out. Again I could just be paranoid I guess, but I'm trusting my instincts, and believe windows should be operating better than this.

Malwarebytes scan reveals no threats. Does anyone want to try and unearth this monster? I would understand if this request is too arbitrary to pursue. I've tried to reset this thing too many times, and am trying to find a manual way to extricate this specter from my Windows device. Again my feelers will not be hurt if someone said "If it's not causing problems then why worry about it," but my position is this: if this thing is tainted it is untrustworthy, and should I create a trusted network in a new residence, this machine would be destined for the recycle center as is.

Let's call this a mechanics project of sorts, it's not critical, but then again, if something is subliminally living in my machine, it kind of is. Thanks for any help, apologies for the convoluted and arbitrary description.

Thanks for the welcome, I hope to contribute to the community!!

cheers

Link to post

  • Root Admin

Windows 10 S mode does not have a ton of drivers and other features on purpose. Windows 10 full version is doing what it needs to get the system up to date. If it relied on you to fully update all drivers that would put quite a burden on people to all of a sudden know a lot about computers and drivers.

Once it's done its thing for a bit then restart the computer.

Then open an Elevated Admin Command Prompt and type in the following.

SFC /SCANNOW 

If that comes back with a Success then you're done with that. If it says it finds problems but cannot fix them then you'll need to run the following DISM command.

DISM.exe /Online /Cleanup-image /Restorehealth

Then afterward try running SFC /SCANNOW again.

Then you'll also want to run a Disk Check. In the Elevated Admin Command Prompt type in or copy / paste the following.

ECHO Y|CHKDSK C: /F

Then restart the computer and let it run

After it boots back up then click on the Start menu and type in "Check for updates" and then scan for Windows Updates again.

 

Link to post

I would like to say that my issue is resolved, but I don't know if it is; I am still experiencing these problems:

My wifi menu is displaying differently at different times, sometimes everything is grey and others there is a black outline around the window displaying the network to which I am connected. Some notifications have two messages overlaid on top of each other. (see picture) I have already activated windows yet this notification is here.

The flashing windows icon on startup has gotten worse, it varies but flashes more than it did in S mode.

There are still inconsistencies in my display while scrolling in Edge. Some display inconsistencies are still present in the start menu. 

This seems wrong but any windows diagnostics doesn't register the problem.

windows inconsistancies.jpg

Link to post

I will try and activate again, I am getting error (reads like a MAC: 0x)  (__)C004C003. Was a different code yesterday, and I activated, and updated. Although there was an Updated Microsoft Security update that didn't complete said it would do it later. 

I'm feeling a bit like a conspiracy theorist here, but I know just enough about this OS that I can tell something is off.

Link to post

  • Root Admin

Since this is a recent purchase I would contact Microsoft Store and seek their assistance.

Let them know where you bought it and when. Then let them know you've done a System Restore and have taken it out of S mode and you're now getting this error trying to activate.

Let them know you're getting an activation error: 0xC004C003

Yes, without it being activated there are numerous programs that will not function properly on purpose.

 

Microsoft Corporation/Customer service

United States (English)
1-877-696-7786

 

https://support.microsoft.com/en-us/account-billing/contact-microsoft-store-support-4f615f2a-6bbd-fd69-6695-ae213d63eef0

 

 

Edited by AdvancedSetup
updated information
Link to post

Okay, update:

I have contacted Microsoft support and was deferred to help.microsoft.com. As per instructions I rolled-back the recent updates. My activation problem comes from a discrepancy between the 1904 and 20H2 updates in Windows. I have not yet figured out why the security updates were not applied when I updated everything after switching from S-mode.

I have been curious, though, and I searched problems that occurred with imposter driver updates, and found this page:

Malware in Disguised Installed Automatically without Prohibition - Microsoft Community (this is an answers.microsoft.com webpage so I am relatively sure it is safe, but if you are able to use a quarantined method for opening links please do; I am using the computer I believe to be infected with, something.)

I have found this Goodix biometric scanner driver among my updates at one point, even though I definitely do not possess or utilize this hardware. This is the type of idiosyncrasies I have found with windows updates that creates a level of doubt regarding my windows machine and the update process.

In the attached picture is a list of the latest updates that loaded to my Windows yesterday, notice the difference in the Intel updates where some have the trademark icon, and the other that do not (Intel - net - 22.20.0.6) 

The Windows system, system32, and sysWOW64 files are wrought with things that make me uneasy. Like a whole list of PFRO logs that list system and .exe files that can only be defined as variables: \MpKsl2d6871a0.sys What is that even?

Problems are continuing, and I'm concerned.

updatelist.PNG

Link to post

  • Root Admin

Yes, invalid updates have been known to get out and be released to the public but that is true for Apple, Windows, and Linux all three of the major operating systems.

It is rare and when it is found it is quickly curtailed.

Microsoft often uses a generic driver that applies to the type of device. In many cases if you were to visit the manufacturer site you may find a newer better driver.
Don't forget that Microsoft is not writing most of these drivers, and the main program or driver may be signed, but often many files within the installer are not signed and typically are not considered a threat.

 

The main issue though is, is Windows activated now or not?

We can check for issues once the computer is activated and updated.

 

Did the Microsoft Store or Support say that the 20H2 version is NOT supported on your device at this time?

 

Link to post

  • Root Admin

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post

  • Root Admin
  • Solution

Thank you for the logs @thelastscion1

 

The Volume Shadow Copy Service (VSS) appears to have some issues. Please follow the directions below and see if this corrects the issue.

 

Application errors:
==================

Error: (04/08/2021 08:28:25 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} [0x80040154, Class not registered
].


Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Delete Shadow Copies

Context:
   Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}
   Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

Error: (04/08/2021 08:28:25 PM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} and Name SW_PROV is [0x80040154, Class not registered
].


Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Delete Shadow Copies

Context:
   Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}
   Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

Error: (04/08/2021 08:28:25 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} [0x80040154, Class not registered
].


Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Get Shadow Copy Properties
   Delete Shadow Copies

Context:
   Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}
   Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator
   Execution Context: Coordinator

 

 

 

Please download and run the following Volume Shadow Copy Service (VSS) diagnostic tool from Acronis

Acronis VSS Doctor

Free tool for diagnosing and repairing Volume Shadow Copy Service issues. Download link on the bottom of the page.
Download - Acronis VSS Doctor

In many cases, it can correct the issues on its own. If not, then it will give details on what may be causing the issues. Please save the report in text format and post back that log on your next reply.


You can also try the tool from Macrium Reflect if the Acronis tool did not work.

Macrium Reflect Volume Shadow Copy Service (VSS) Repair Tool


Once you've run the repair tool you need to restart your computer.
Then check your Event Logs to see if the error was corrected. You can post new logs from FRST which will also show the Event Log entries 

If you don't have System Restore enabled then please take this time to enable it. If possible choose 5% of your C drive to store Restore Points.

System Restore disabled or greyed out? Turn On System Restore in Windows 10
 

Please note the following

ATTENTION: System Restore is disabled (Total:57.17 GB) (Free:24 GB) (42%)

 

 

 

Once you've gotten the above resolved please run the following fix below.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
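An added example, not part of the original post and not FRST's own code: a small Python parser for event-log excerpts laid out like the one quoted in the post above. It collapses repeated entries and reports whether any VSS error was logged after a given time, such as the restart that follows the repair. The sample text is constructed from the excerpt's values; the US date format and all function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the excerpt quoted above (values copied from it).
SAMPLE = """\
Error: (04/08/2021 08:28:25 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} [0x80040154, Class not registered
].

Context:
   Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}
   Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}

Error: (04/08/2021 08:28:25 PM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
The error returned from CoCreateInstance on class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} and Name SW_PROV is [0x80040154, Class not registered
].

Context:
   Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}
   Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}
"""

# One header line starts each entry; everything up to the next header is its body.
HEADER = re.compile(
    r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\) "
    r"\(EventID: (?P<event_id>\d+)\) \(User: (?P<user>[^)]*)\)[ \t]*$",
    re.M,
)
# The HRESULT and its text sit in brackets; the closing bracket may be on the next line.
HRESULT = re.compile(r"\[(0x[0-9A-Fa-f]{8}),\s*([^\]]*?)\s*\]")
GUID = r"\{[0-9A-Fa-f-]{36}\}"
CLASS_ID = re.compile(r"Class ID:\s*(" + GUID + ")")
PROVIDER_ID = re.compile(r"Provider ID:\s*(" + GUID + ")")


def parse_entries(text):
    """Split the excerpt into entries and pull out the fields worth comparing."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        hr = HRESULT.search(body)
        cls = CLASS_ID.search(body)
        prov = PROVIDER_ID.search(body)
        entries.append({
            # Assumption: US-style date and 12-hour clock, as in the excerpt.
            "time": datetime.strptime(head["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "source": head["source"],
            "event_id": int(head["event_id"]),
            "hresult": hr.group(1).lower() if hr else None,
            "message": hr.group(2) if hr else None,
            "class_id": cls.group(1).lower() if cls else None,
            "provider_id": prov.group(1).lower() if prov else None,
        })
    return entries


def summarize(entries, source="VSS"):
    """Count repeats per (event id, HRESULT, class id) so duplicates read as one finding."""
    return Counter(
        (e["event_id"], e["hresult"], e["class_id"])
        for e in entries if e["source"] == source
    )


def errors_after(entries, cutoff, source="VSS"):
    """Entries from `source` logged after `cutoff`; an empty list means none recurred."""
    return [e for e in entries if e["source"] == source and e["time"] > cutoff]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for key, count in summarize(parsed).items():
        print(count, key)
    print("after repair:", len(errors_after(parsed, datetime(2021, 4, 9))))
```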

Good morning,

Beginning the process lined out, these are the steps I have taken in chronological order.

The Acronis VSSDoctor Scan found some errors in VSS Providers Configuration. There was an unknown entry in addition to the verified Microsoft entry. I tried saving the report which registers in my file explorer, but upon opening the file there is nothing except for the location and name, file explorer asks if I would like to create a file, I decline.

In the VSSDoctor program, clicked the fix issues button once, was given a prompt detailing the consequences of fixing the issue, agreed to the prompt, and then received no indication of anything happening afterward. 

Downloaded the VssFixx64 and tried to run, a dialogue box appears and then nothing happens. 

Restarted computer, and ran VSSDoctor Scan again, this time no inconsistencies were found with the VSS Providers Config like before. Still no .txt logs are saved properly.

Have enabled System Restore as per instructions, with the proper amount of drive space allocated for storage. I am not keen as to what I am looking for in my Windows event logs, there are a few events from today, in addition to the events from yesterday and day before.

As per instruction, I disabled real-time security and ran FRST with fixlist.txt file in the same location. The process was rather quick, and I have attached the Fixlog.txt file.

Much appreciate the help here.

Fixlog.txt

Link to post

  • Root Admin

Very odd. The FRST program could not elevate to Admin. First time I've seen that in a long time.

Please double check that your account has Admin rights. The original FRST log you posted before showed that you had Admin rights, but this time FRST does not think so.

 

 

Link to post

Okay, that is correct I completed this process with my user account instead of my admin account; my mistake.

Although, it may have worked in my favor because shortly afterward I received a Facebook message from "Facebook login security" citing a possible illegitimate login and absent-mindedly I clicked on it. I don't know if this had an effect on my computer.

After this, I signed out of my user account and signed into my admin account. I reapplied all of the instructions and ran FRST fix again with the Fixlist, this time it took much longer, and ran the disk scan upon restarting.

Here is the Fixlog, from the FRST fix ran from my account with admin privilege.

Thanks for the quick response

Fixlog.txt

Link to post

New logs from FRST scan are attached.

I don't think I disabled the malware security when I ran the FRST scan from my admin account however, would it hurt anything to run the fix again? The issues I had before are mostly resolved, however I did click on an unknown link, and ran the fix without security disabled as advised. It would make me feel better if I could try again with a revised fixlist. If running a diagnostic and fix again is not advised, I will leave well enough alone.

Thanks again for the support, I certainly appreciate greatly everything. 

FRST.txt Addition.txt

Link to post

  • Root Admin

The logs look pretty good overall. I don't see any reason at the moment for any new fix.

Let me have you run a 3rd party antivirus scan. I don't expect it to find anything but perhaps make you feel more comfortable 😃

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

 

 

The same with this scan. As this is a new computer I don't expect to find stuff out of date, but we'll check nonetheless.

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current-security-update status of some applications.

  • Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
  • If Windows's SmartScreen blocks that with a message window, then click on the MORE INFO spot, override that, and allow it to proceed.
  • This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Link to post

Hello again!

I have been continuing to experience problems with my Windows 10 after receiving help with some various issues in the OS. Instruction received here has been top-notch, but, as I continue to work with my computer, the issues I've been facing are not all gone. 

Some research and lots of perusing the interwebs has led me to believe something has loaded an impostor bootloader into my UEFI, or something; I'm not for sure on the details but I feel like I'm close to eradicating this issue.

For this Windows problem, I believe something had altered the boot manager and boot loader processes in my machine, which maybe is flying under the radar of OS diagnostics, and remaining persistent through system resets and recovery image reinstall.

I have reached the limit of my knowledge regarding how to continue so I have come back here, the land of big brains know-how. This is where I'm coming from: 

 

https://apps.badjoerichards.com/apps/developerhack/how-to-fix-broken-or-corrupted-bcd-causing-windows-10-to-be-unable-to-boot-after-windows-updates/

 

This information led me to PowerShell to mess around with the Bcdedit and DiskPart to determine what is really going on. I got this far (see image) but couldn't complete the editing of bootloading processes because I think the directory has been modified. It's mostly speculation now, but hopefully this serves as a proper starting point to find, and ruthlessly destroy, this errant code which is plaguing my Surface Laptop.

Appreciate you, and any help in advance.

Cheers.  

UEFIbootloader config.PNG

Edited by AdvancedSetup
disabled live hyperlink
Link to post

This topic is now closed to further replies.