Earlier I got a notification that ESET needs a reboot to install it's new major update (to version 13). I wasn't able to reboot at that time because I was working on my computer, and since I always hibernate it to save time and the state of all the opened programs, I quickly forgot that I should reboot my PC.
Last week came the time that I needed to reboot my PC. Since that, I'm unable to boot into the system. I get a BSOD with the stop code of PROCESS1 INITIALIZATION FAILED every time. I don't get any dump files, probably because I set the pagefile to be on an other drive, but fortunately I'm able to start Windows with debugging enabled, and do debugging with WinDBG from my laptop through the network. More on the BSOD later.
Before continuing I want to let you know that I have backups which I can restore, but even the oldest one isn't old enough to be working. The point is, that the system can be restored to a point when it wasn't altered by my attempts to fix it. I regularly do that whenever I feel that that I'm in a dead end, to avoid the situation where more of my modifications are contributing to an ever worse problem
Back to the point:
I suspect it's ESET blocking file system access from the system for 2 reasons: first, if I enable boot logging then the ntbtlog.txt does not get created in C:\Windows\, neither if I do it temporarily from the special boot options, nor when I set bootlog to yes with bcdedit. and second, because there are files in C:\Program Files\ESET\ that are from an older version, like \Eset\Eset Security\Drivers\eelam\eelam.sys is a version of 10.0.9.0, according to the system's properties dialog, while most of the other files are from 10.13.*.*. However, I'm unable to boot even to safe mode, because the same error happens, so I'm unable to remove ESET with your tools. Also, I had such a problem a few years earlier too. I don't know how did I solve that, but I know that it wasn't an OS reinstallation.
At the moment I can only make complete memory dumps (in WinDBG), but I'll try to convince the OS to make kernel memory dumps
Details about the BSOD
STOP code: PROCESS1 INITIALIZATION FAILED
1st param: 0xFFFFFFFFC0000279 (STATUS_IO_REPARSE_TAG_NOT_HANDLED ?)
2nd param: 0x0000000000000002 (undocumented, but probably ntdll.dll being inaccessible, source is in a feedback of the STOP code documentation)
3rd param: 0x0000000000000000
4th param: 0x0000000000000000
The output of a few informative commands that I ran in WinDBG is attached to this post. It includes the output of !analyze -v, !analyze -hang, and lm
Later I'll include the kernel dump if I can obtain one
Both the output of the commands I ran in WinDBG, and that while booting, at one point the HDD led starts blinking not randomly, but periodically like retrying after a timeout, seems to confirm that the system may not be able to read ntdll.dll or an other such file.
Looking at the properties window of ntdll.dll and a few other related files (which were mentioned in the WinDBG output) shows that it's signature is valid, so if I'm not wrong, that should mean that the files are intact.
Could you help to identify and fix the problem? I can provide you with anything that you ask, but I feel that I'm too little to fix such a problem by myself. I have ideas on what to look into, but there's too much things, and even then I don't know how will I check if it's because of ESET or not, or what do I do if I find that the file that it tries to access is actually intact
Sorry if I've written a lot, I just wanted to give the related information that I've found to possibly boost finding a resolution. Maybe you see how desperate I'm to recover the system if I've gone to such lengths to obtain information.