Microsoft Update bug breaks Server Essentials restore

by Alex Kuretz on March 13, 2015 · 3 comments

in News

The following is a guest post written by Matthew Sawyer (forum member msawyer91) of Dojo North Software, developer of the popular and useful Home Server SMART Add-In for WHS and WHS 2011.

As many of you already know, the second Tuesday of each month is Patch Tuesday for Microsoft. On the second Tuesday you’ll often find the little yellow shield sprouting up announcing there are updates waiting to be installed, or that the updates were already installed and a reboot is in order. For me, Patch Tuesday this past February passed like any other. A bunch of patches were installed, complete with the obligatory reboot. Little did I know a seemingly innocent patch, KB3023562, was going to pose a problem. The title is MS15-010, “Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution.” The most severe vulnerability relates to an attacker luring you to a maliciously-crafted website with embedded TrueType fonts.

So what do fonts have to do with Server 2012 Essentials and Server 2012 R2 Essentials? Quite a lot, actually!

Last week I needed to restore an important file. I launched the Windows Server 2012 R2 Dashboard from my Windows 7 laptop, selected the computer to restore, then selected the particular backup date, and finally selected the volume from which to restore. That’s when things started to go wrong. Windows promptly told me the restore wizard quit working. I tried again, but got the same error. OK, so perhaps a reboot was in order. But the crash returned. So I tried the restore from my daughter’s Windows 7 laptop. Same crash. My son’s laptop, also Windows 7. Crash City! I dug out my work-issued laptop, running Windows 8.1, and I still wasn’t feeling the love. Crash in the exact same spot. Obviously something was wrong.

Thankfully, Windows writes out the fault to the Application event log. And with a close friend like Google, I have something to troubleshoot. If you look in the Application event log, you’ll see a stack trace similar to:

Application: MountBackupWizard.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Reflection.TargetInvocationException
at System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[])
at System.Delegate.DynamicInvokeImpl(System.Object[])
at System.Windows.Forms.Control.InvokeMarshaledCallbackDo(ThreadMethodEntry)
at System.Windows.Forms.Control.InvokeMarshaledCallbackHelper(System.Object)
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Windows.Forms.Control.InvokeMarshaledCallback(ThreadMethodEntry)
at System.Windows.Forms.Control.InvokeMarshaledCallbacks()
at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)
at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)
at System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
at System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
at System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
at Microsoft.WindowsServerSolutions.DataProtection.UI.Program.Main(System.String[])

You’ll also see another Information entry with a source of Windows Error Reporting, which gives a problem signature like this:

Problem signature:
P1: MountBackupWizard.exe
P2: 6.3.9600.16384
P3: 5215cf3c
P4: BackupClientProvider
P5: 6.3.9600.16384
P6: 5215cf38
P7: 33
P8: 174

The key lies in P3, the 0x5215cf3c error code. If you Google that, you’ll find plenty of articles and forum posts about people trying to restore their data, but are unable to do so. And nearly every single one of them pins the blame solely on Microsoft’s update KB3023562. Thankfully, they all say, you can uninstall the update.

And so I tried. I uninstalled KB3023562, which requires a reboot, and then tried my restore. Voila! I got my much-needed file back, but that left me with a dilemma. KB3023562 allegedly fixes six total vulnerabilities—one public and five privately-disclosed Windows vulnerabilities. So while I now have one laptop, my son’s, that can restore files again, that laptop is supposedly vulnerable without the update.

I suppose the safest course of action would be to re-download and install KB3023562 again. This would protect you from the vulnerabilities. But it would also prevent you from restoring your data again in the future.

This morning I had over thirty March 2015 updates waiting for me. Granted a bunch of these were Office 2013, I was still hoping that one of these would fix what KB3023562 broke. I was met with resounding disappointment. And so my recommendation to you is this. Install KB3023562 – it’s better to keep vulnerabilities at bay. If it turns out you need to restore some files, you can always uninstall the patch, restore your files and then reinstall the patch. It’s a pain in the butt, but it’s the best way to get your data back while still keeping vulnerabilities at bay. And let’s hope Microsoft will catch enough heat from their users that they need to fix what they broke in the first place!



Article by

I'm Alex Kuretz, and I'm the founder of I was the Lead Test and Integration Engineer at HP for the MediaSmart Server until April 2008 when I moved on to other opportunities outside HP. I've kept active in the Windows Home Server community, creating several add-ins and helping users make the most of their Home Servers.


Joe March 14, 2015 at 3:09 pm

I uninstalled that patch last month on Feb 21. Then I noticed that my Server would shutdown every other day. I thought it was the power supply. To make a long story short, as they say, it turned out when I uninstalled the patch it set my server to go to sleep in power options. I know this for a fact because I did a full image system restore of the server to Feb 20 and it was set to never sleep. So pay attention to that issue if you uninstall the patch. Thanks.

Matthew Sawyer March 16, 2015 at 8:31 am

Joe, sorry for the frustration. I went back and reviewed what I sent to Alex for posting, and I guess I was a little ambiguous. The update only needs to be uninstalled from one client…the one being used to perform the restore. The update can remain on the server.

In my case, my son’s laptop was used as the guinea pig. I uninstalled the update from his, and his alone. I was able to restore the files I wanted.

That’s interesting about the power policy. The “meat and potatoes” of this patch was to deal with fonts, so I find it intriguing that removing it from the server alters the power policy settings.

Paul Braren March 14, 2015 at 10:59 pm

Had a file I needed to restore, went through same frustration as you, for my WS2012R2E box. Thanks for pulling this info together, hoping it gets truly resolved soon!

Comments are closed, visit the forums to continue the discussion.

Previous post:

Next post: