Warning: Windows 7 Update Crashing NVRs

By Brian Rhodes, Published Aug 26, 2019, 01:42pm EDT (Info+)

Windows 7 updates are causing VMS servers to fail to boot.

After running the update, impacted systems do not boot as normal, instead display this warning screen:

Windows 7 Update Crashing NVRs

In this note, we examine:

  • Which systems are impacted
  • What is causing the issue?
  • Vendor recommendations to fix
  • Dahua and Hikvision not impacted
  • End-of-Life Win 7 is coming
  • Is this a win for VSaaS?

The Problem

IPVM has received multiple reports of Windows 7 and Windows Server 2008R2 systems that will no longer boot after installing Microsoft 8/2019 Security update 'KB4512506 Security Monthly Quality Rollup'.

The problem occurs because this update uses now required SHA-2 signing, but mistakenly assumes the embedded OS servers and NVRs have been upgraded from SHA-1, which is not the case for many systems.

One site gave this explanation:

It looks like Microsoft forgot to make this update available for Windows 7 Embedded OS which installs the ability to use SHA-2 code signing.

As soon as the Aug 2019 security rollup update is installed, " KB4512506 " upon reboot, the OS indicates "Windows cannot verify the digital signature for this file " which of course is caused by the lack of the SHA-2 code sign support. I've had two NVR's go down due to this issue.

Below, we cover the impacted security vendors and how to fix the issue.

Impacted ******* ****

**** *** **** ** ********* ******* with * ****** ** ******* ** this *****. ******* ****** ******* *****, with **** ************ **** ******* ** calls *** ** *** ******, ***** others *** ********* ****:

  • ********:[******] ******** *** ********* **** **** have *** **** ****** ** *** field **** ***** *******, *** ** a ******* *****, *** **********. **** machines *** ** ****** ******* ******** versions ** *******.
  • ******* ********: [******]** *** ********* **** * **** instruction*** *** ***** ** *** ** reimage ** ** *** * ********* Series *********.***** **** ******* **** ************ ********* that ** ******* ** ***** ** the *******, *** ******* *** *** responded ** ****. ** **** ****** when **** **.
  • *****:** ***** ** **** **********, ***** *** ****** * ****** at *** *** ** ***** **** and ************** ****** ************.
  • *********: ** ********* *********, *** **** us **** **** *** **** ******** of *** ******** ******* ** *** US. ********* ** ******* *** *** yet *********.
  • *******: *** ******* ****** ******** ****** via ***** ******* ****** *** ******** dealers ** **** *** ********* ******* 'until ******* ******'.
  • ***: *** ****** ****** ******** *** issue ** * **** ****** ***** warning **** *****,****** **! *********.*** ******* * *** 6*** ****** ********.

*******, ***** ***** *** **** ***** be ********, ** ****. ** **** update **** **** ** ***** ******** vendors *** *****.

Not ***** *** *********, *****, *** ***** ***** ****/*******

*************, *** ***** ** **** ***** only ******* ***** ******* ** ******** and ****.

********** ******** ******* ********* **** ***** and *********, *** ******* ******* ***** an ******** ******* ** *****.

Fix: ******* *** * ** ******** ********

** **** *****, ******** ******* *** recommending ******* ****** *** ***** ** reimaging *** *** * ** ** a ******** *******.

*** ****** ******* ****** ***** ** the ****** *****/*********** ****, *** *** process ********* ******** ******* ** ******** a '******** *******' *** **** ** a *** *****, **** ********** ** each ******** *** ** *** ***** and ******** *** ***.

Security ****** ********

******* ******** ******* **** ******** ******** notices *** ******** ***** *** *****.

*** *******, ***** *** ****** ******** ****** ** *** *** ** their ****:

******* **** ****** ******** ****** *** their ******* ******:

** ******** ** *** ******** ******, Genetec **** ********* ** ****:

"** ***** ** ********** *** **, this ** ********* **-*** **/**/** ****. SV-PRO **/** *** ********** ***, *** we *** **** ***** **** **** and ****** *** ******** **********."

[******] ******* ******** ************ **** * **** ************** *** ***** ** *** ** reimage ** ** *** * ********* Series *********.

Undiscovered ********

**********, **** ******** ******* *** **** undetected ******. ***** **** ************ ******* (especially ******* ******* ***** ******** **** are ********) *** *** ******** *********, many ******* *** *** ****** ***** recorded ******* ** ******.

***** ******** ****** ******* ***, **** ** ****** ** ****** in ************ ******:

* ***** ** ******* ** *** that **** ******* *** ***** **** be **** *** ****, ***** *** maybe **** ****** ****** ****** *******. Many ***** ******** *** ********** **** check ***** ******* **** *****'* * problem. **** ******* ** *****'* * significant ***** *** **** **** *** the ****** *** **** **** *** days ** ******?

Corrective ******: "**** *** ********* *******"

** ******* ****** ********, ******* *** telling ********** ** ******* ****** ********* Win * *******.

*******, **** ********** **** ****** *** systems ********** ** ******* * ******** threats *** ****** **** ********* ******* known *****.

Win * ***-**-*****, ******* ****** **** ****

*** ******* ** *********** ** *** official *** ** ******* ********** * ** ******* ****.

**** ** ******* ******* **** ** 2009, ******* **** *** ******* ******* security ******* ***** ******* ****, **** for '******* ******** ******** *'. *** company ****** ** ************ * ********* *****:

********* **** * ********** ** ******* 10 ***** ** ******* ******* *** Windows * **** ** *** ******** on ******* **, ****. **** **** 10-year ****** ****, ********* **** *********** Windows * ******* ** **** ** can ***** *** ********** ** ********** newer ************ *** ***** *** ***********.

** **** **** **** *******, ******** NVRs *** ******* ******* *** ******** OS **** ********** **** ** ******* operating *******, ** ** ********, ****** the **** **** **** ******* *********** equipment.

Impact ** *******

************* *** ******** *******, ******** ******* limited.

**** ****** ******** ******* **** '** response' ******** ******* ****** ************, ******* *** ********* ******* ************** to *** *** ******* ** **********.

******* ******* ** **** ****** **** tell *** **** *** '******* ****** on *** *** ****' *** **** 'We *** ****** ***** ** **** manhours' ********* ******* ******.

*** ******** ****** ********* ************ ****** ** ***** ********* ******** machines:

* **** ***** **** ** *** weekend ********* ******** ****. *** ******* based ** ****** ****** **** *** easiest ** ******. * ****** ******* typed ** ****** ****** *** ** a ****** ** **** **** *** updates. *** ******* * ******** ***** weren't ** ****. **** ********* *** to ** ******** ** *** ** the *** ********* ****** **** ***** operate. **** ***** *********** *** **** updates (***** *** **** **** ******* the *******) *** ********* **** ** their ******.

***** *** ********* *** **** *** impacted ** ********, ** ** *** expect ******* ** ****** *********** ********** resources ** *** *****.

A *** *** *****?

****** ***** ******* *** ***** ** argue **** ** * **** ************* for ***** **** *** *** ****** to ***** ***** **** **** ** crisis.

*******, *** **** ****** *** **** Windows * *** ** **** *** also ****** *** ***** ** ** happy ** *** ******* **** *** upgrade ***** ** **** *** ********* be ******* *******.

******* **** ******* ******* **** ***** a *********** ********* ****** ** *** is '* ****** ***** ** *******', *** ** ****** ****** **** this ******** ******* *********.

Comments (7)

This just happened to me (for the second time in the past year) running Axis Camera Station on a Windows 7 machine (Axis S1016 NVR). I do not run automatic updates but do manually process updates from time to time. Unfortunately, the only fix is indeed re-imaging the machine with files from Axis tech support.

Agree
Disagree
Informative: 5
Unhelpful: 1
Funny

Is this an Embedded Win7 issue or full Win7?

Agree
Disagree
Informative
Unhelpful
Funny

The problematic update impacts both versions.

With NVRs, it typically is the Embedded version that is used and affected.

Agree
Disagree
Informative: 1
Unhelpful
Funny

[UPDATE] DW Responds

Digital Watchdog has responded with a work instruction and ISO links of how to reimage OS on Win 7 BlackJack Series recorders.

Like other vendors, DW also instructs turning off automatic updates to prevent similar issues:

On the BlackJack NVR, Windows Updates were not configure to download and install automatically from the factory due to the unforeseen and unexpected issues the Windows Updates can cause to the performance of the system and DW Spectrum.

Agree
Disagree
Informative: 1
Unhelpful
Funny

We saw this happen last week for OpenEye Radius (not Apex, which uses Win10) and Pelco Digital Sentry (DSSRV2 server).

Agree
Disagree
Informative: 1
Unhelpful
Funny

Update: Avigilon has responded that they have had some issues in the field with these updates, but on a limited basis, not widespread. Most machines are no longer running affected versions of Windows.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Maybe this is the conspiracy theorist in me or I’ve become too cynical but I think Microsoft did this on purpose to force many to upgrade to Windows 10 or Server 2016. If we run into this issue we would NOT re-install Windows 7; we would install Windows 10 or Server 2016.

Agree: 1
Disagree
Informative
Unhelpful
Funny
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.
Loading Related Reports