The boot selection failed due to missing or corrupted SymELAM.sys error after uninstalling Endpoint Protection and rebooting.
Article ID: 218274
Updated On:
Products
Issue/Introduction
When rebooting the client after uninstalling SEP, the following error shows on the Client screen:
Windows failed to start. A recent hardware or software change might be the cause.
Info: The operating system couldn’t be loaded because a critical system driver is missing or contains errors.
Status: 0xc000000f
File:\windows\system32\Drivers\SEP\xxxxxxxx\xxxx.xxx\x64\SymELAM.sys
Environment
Release : SEP 14.x
Cause
The SymELAM (Early Launch Anti-Malware) drivers got removed from the uninstall process but the service failed to unload which cause the reboot failure.
Resolution
Solution 1: Disable SymELAM service in the Registry
From the Windows Recovery screen Go to Troubleshoot > Advanced options > Command Prompt
- Type in Regedit
- Got to the following Services Hive
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
- Select the SymELAM service
- Change the DWORD Start value to 4 (Disabled)
- 0 = Boot
- 1 = System
- 2 = Automatic
- 3 = Manual
- 4 = Disabled
6. Close and reboot
Solution 2: Copy the content of the folder x64 from a working system
Option 1:
- Go to a system that is running the same version of SEP
- Copy the contents of the x64 directory to the same directory on a system that is not booting.
- C:\Windows\system32\Drivers\SEP\xxxxxxxx\xxxx.xxxx\x64\
- Reboot the system after restoring the files
Option 2:
- Restore the files from the Full Installation CD
- ..\Symantec_Endpoint_Protection_14.3.0_Full_Installation_EN\SEPx64\System32\Drivers\Name\Version\BuildNum\x64
- Reboot the system after restoring the files
Feedback
