Microsoft has officially confirmed that its April 2026 Patch Tuesday security update (KB5083769) intentionally blocks the vulnerable third-party kernel driver psmounterex.sys, causing widespread failures in backup applications relying on VSS (Volume Shadow Copy Service) snapshots across Windows 10, Windows 11, and Windows Server environments.
The root cause traces back to CVE-2023-43896, a high-severity buffer overflow vulnerability in the psmounterex.sys driver. This flaw allows attackers to escalate privileges or execute arbitrary code on vulnerable systems.
To neutralize this attack vector, Microsoft added the driver to its Vulnerable Driver Blocklist and enforced it through Windows Code Integrity as part of the April 14, 2026, security update rollout.
This was not an accidental regression; it was a deliberate security hardening change. As Microsoft stated: “In the April 2026 Windows security update, we added known vulnerable kernel driver psmounterex.sys to the Vulnerable Driver Blocklist.”
The company has been steadily expanding enforcement of its driver blocklist, and this update reinforces that policy in a visible and operationally impactful way.
Microsoft April 2026 Update
The enforcement immediately cascaded into production backup failures across multiple enterprise-grade and SMB-targeted platforms. Confirmed affected products include:
- Macrium Reflect – Driver load failure preventing image mount operations
- Acronis Cyber Protect Cloud – VSS timeout errors during snapshot creation
- UrBackup Server – File backup jobs stopped working after installing KB5083769
- NinjaOne Backup – MSP-reported failures tied to the April Patch Tuesday rollout
Critically, full-image backup creation may still appear to succeed, but image-mount and restore operations will fail silently or return misleading error messages. This creates a dangerous blind spot for IT teams who assume backup success without validating the full restore path.
When psmounterex.sys is blocked by Code Integrity enforcement, affected systems exhibit several specific failure patterns that may initially be misattributed to general VSS issues:
- Backup applications fail to mount backup image files as virtual drives
- Browse or restore operations from backup images result in errors or timeouts
- Error messages such as “The backup has failed because Microsoft VSS has timed out during the snapshot creation” or VSS_E_BAD_STATE appear
- Event Viewer logs Code Integrity errors, confirming that psmounterex.sys was blocked from loading
- Full image backup creation may succeed, but all image-mount operations will fail
The most reliable diagnostic signal is Event ID 3077 with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816} in the Code Integrity Operational log. To locate it: right-click Start → Event Viewer → navigate to Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational → filter for Event ID 3077 in the middle pane.
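The same check can be scripted instead of clicked through. The PowerShell below is an added example, not code from Microsoft or from any backup vendor; the driver name, event ID, policy GUID and start date come from the text above, while the `-ComputerName` host list and remote event-log access are assumptions. Run it from an elevated session.

```powershell
# Added example: audit Code Integrity block events (Event ID 3077) for psmounterex.sys.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # assumption: hosts reachable for remote event log reads
    [datetime]$Since = '2026-04-14'                   # rollout date given in the article
)

$driver     = 'psmounterex.sys'
$policyGuid = '{D2BDA982-CCF6-4344-AC5B-0B44427B6816}'
$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3077
    StartTime = $Since
}

$results = foreach ($computer in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No matching events" is the healthy case; any other error is an audit gap worth seeing
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        # Flatten all EventData values so the match does not depend on specific field names
        $values = ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $_.'#text' }
        $text   = (@($values) + $e.Message) -join "`n"
        if ($text -like "*$driver*") {
            [pscustomobject]@{
                Computer     = $computer
                TimeCreated  = $e.TimeCreated
                BlocklistHit = $text -like "*$policyGuid*"   # true when the policy GUID from the article is present
                Message      = $e.Message
            }
        }
    }
}

# One summary row per affected endpoint: number of blocks and the most recent one
$results | Sort-Object Computer, TimeCreated |
    Group-Object Computer |
    Select-Object Name, Count, @{ n = 'LastBlock'; e = { $_.Group[-1].TimeCreated } }
```

An endpoint that returns no rows either does not have the driver installed or has not tried to load it since the update; a warning line means the log could not be read and the host is still unverified.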
Remediation
Microsoft has explicitly warned administrators against uninstalling or pausing KB5083769, noting that doing so removes a security protection designed to block active exploit paths targeting CVE-2023-43896. The recommended remediation path is:
- Update affected backup applications to the latest vendor-released version that replaces psmounterex.sys with a patched, non-blocked driver
- Check vendor advisories from Macrium, Acronis, UrBackup, and NinjaOne for updated release builds
- Audit your environment for Event ID 3077 in Code Integrity logs to identify affected endpoints
- Conduct restore testing on all patched systems. Don’t assume a successful backup job confirms a functional recovery path
- Inventory all third-party kernel drivers across your fleet, including backup, VPN, security, and hardware management tools
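For the driver inventory step, the following PowerShell is an added example and not a vendor or Microsoft tool. It treats the self-declared `CompanyName` in each driver file's version resource as the third-party indicator, which is an assumption: WHQL-signed third-party drivers carry a Microsoft signer, so the signature alone does not separate them.

```powershell
# Added example: list registered kernel/file-system drivers that are not Microsoft-authored,
# and flag the driver named in the article if it is still installed.
$flagged = 'psmounterex.sys'

Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.ServiceType -in 'Kernel Driver', 'File System Driver' -and $_.PathName } |
    ForEach-Object {
        # Normalise NT-style prefixes so the file can be opened from user mode
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue

        $company = $null; $version = $null; $signer = $null
        if ($item) {
            $company = $item.VersionInfo.CompanyName      # self-declared by the vendor, not verified
            $version = $item.VersionInfo.FileVersion
            $sig     = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Name    = $_.Name
            State   = $_.State            # Running / Stopped
            Path    = $path
            Company = $company
            Version = $version
            Signer  = $signer
            Flagged = (Split-Path -Path $path -Leaf) -ieq $flagged
        }
    } |
    Where-Object { $_.Flagged -or $_.Company -notlike 'Microsoft*' } |
    Sort-Object -Property @{ e = 'Flagged'; Descending = $true }, Company, Name |
    Format-Table Name, State, Company, Version, Flagged, Path -AutoSize
```

Rows with an empty `Company` are drivers whose file could not be read or that carry no version resource; review those by hand rather than assuming they are benign.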
The psmounterex.sys issue is one of several serious disruptions tied to Microsoft’s April 2026 Patch Tuesday cycle. On the Windows Server front, the update KB5082063 triggered an installation error 0x800F0983 on some Windows Server 2025 systems.
More critically, domain controllers running Windows Server 2016 through 2026 in environments using Privileged Access Management (PAM) encountered LSASS crashes during startup, leading to repeated restart loops that could render entire domains unavailable.
Microsoft responded by releasing out-of-band (OOB) emergency updates on April 19, 2026, including KB5091157, to address both the installation failure and the domain controller reboot loop.
Additionally, some Windows Server 2025 devices with non-standard BitLocker Group Policy configurations were prompted to enter BitLocker recovery keys after rebooting following the update.
The company’s April 2026 Patch Tuesday itself addressed 164 vulnerabilities, including one actively exploited zero-day (CVE-2026-32201, a SharePoint Server spoofing vulnerability).
The psmounterex.sys driver vulnerability (CVE-2023-43896) represents exactly the class of threat that Microsoft’s Vulnerable Driver Blocklist was designed to counter. Kernel-mode drivers run with the highest level of system privilege; a buffer overflow at that layer gives attackers a reliable path to full system compromise, bypassing user-mode security controls entirely.
By blocking this driver at the Code Integrity layer, Microsoft prevents even privileged attackers from loading the vulnerable component, significantly raising the cost of exploitation.
IT administrators should treat this incident as a wake-up call for kernel driver hygiene. Backup and recovery software often relies on legacy drivers that haven’t been updated in years, and those drivers increasingly become high-value targets as the rest of the security stack hardens.
FAQ
Q1: Why is my backup software failing after the April 2026 Windows update?
Microsoft’s KB5083769 update blocks psmounterex.sys via the Vulnerable Driver Blocklist, preventing backup apps from mounting disk images as virtual drives.
Q2: Is it safe to uninstall KB5083769 to restore backup functionality?
Microsoft strongly advises against uninstalling the update, as it protects against active exploit paths tied to CVE-2023-43896’s privilege escalation and code execution risks.
Q3: How do I confirm whether psmounterex.sys is blocked on my system?
Open Event Viewer, navigate to CodeIntegrity\Operational, and search for Event ID 3077 with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816} to confirm the driver is being blocked.
Q4: What is the correct fix for backup software failures caused by the April 2026 update?
Update your backup application to the latest vendor-released version that replaces the vulnerable psmounterex.sys driver with a patched, blocklist-compliant alternative.
Site: thecybrdef.com