Unbricking the Early Launch Antimalware Module on a Windows 10 install…

It’s the holidays and I wake up one morning to find a client in distress because their laptop won’t boot up into Windows 10. While I explain to them that I’m not doing repairs on the holidays, I agree to check it out.

Back on the workbench…

This laptop that failed to boot Windows was one I had previously repaired via System Restore in late December 2022. It was exhibiting the same behaviour: a “Starting Automatic Repair, diagnosing your PC, can’t repair” boot loop.

So, after letting the repairs fail, I checked the log file and something caught my eye: a driver called protected_elam.sys. Googling this driver name gives nothing fruitful. I chop off the first part of the filename and search for “elam.sys” instead. Bingo: Early Launch Antimalware Module, present in Windows 8.x and onwards.

What’s elam.sys?

This module is the antimalware driver the kernel loads before every other boot-start driver, so that it can vet them and stop rootkits from starting ahead of everything else. Well, so you’d hope.

In a clean setup, the ELAM driver is loaded first, and every other kernel driver Windows loads after it is integrity-checked by ELAM before it is allowed to start.

In this case, it’s a boot-critical driver, meaning that Windows cannot boot without it. While in the recovery environment, I ran a system file check (sfc /scannow) and it detected corrupted files. Luckily, it was able to repair the corruption.

Rebooting to see if that fixed the problem, I was greeted with the same boot loop. Fuck.

No fighting in the war room

At this point I was going to have to reach for the red “Nuke from Orbit” button and reinstall Windows. Then it dawned on me: maybe I could disable ELAM temporarily via Windows’ “Advanced Startup Options” menu and get it booting that way?

Well, turns out that gamble played out to be a success. Pays to bet on Coburn sometimes, huh?

With the ELAM protection temporarily disabled, I was able to get into the client’s laptop installation of Windows 10. After a few minutes, I was sitting at the desktop.

Search and Destroy

I scanned the installed programs list and looked at the security software that was installed. Looks like my client was using TotalAV, a somewhat usable piece of security software that uses the Avira Security engine, developed by a company with a very shady past; a quick Google will reveal this information.

Funnily enough, TotalAV wasn’t even running. There was no system tray icon, and it wouldn’t respond to clicking the TotalAV icon on the desktop or in the Start menu. With TotalAV uninstalled, Windows Defender was enabled, updated and authorised to run a scan.

The scan came up clean as expected. I then re-enabled the ELAM protection and rebooted Windows. Surprise surprise, it booted up fine. No more boot loop.

Mission fucking accomplished. Job done!

TL;DR: Too long, didn’t read…

If you run into a similar issue, such as a BSOD or boot loop that references a driver with “ELAM” in the filename, try the following:

  1. Get into the Windows Recovery Environment
  2. Get into Advanced Startup Options
  3. Press 8 (may vary) to select “Disable early launch anti-malware protection”; this disables the Early Launch Anti-Malware Module for this boot attempt only
  4. If you get to the desktop successfully, UNINSTALL your security software. Reboot. At this point, Windows should now load fine if your security software was bricking it.
  5. Ensure Windows Defender turns back on, and make sure it is also up to date. Do a full system scan to let it detect any threats.
  6. Optionally, reinstall your security software. Honestly, 90% of the time Windows Defender does a good job protecting your six and sniping threats before they get too close for comfort.
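The fix above is done through the recovery menus, but once you are back at the desktop (step 4) the checks behind step 5 can be scripted. The following PowerShell is an added example, not code from the original post or from any vendor: it lists the drivers registered in the Early-Launch load-order group and whether their files exist and are signed, reads the ELAM DriverLoadPolicy value, reports Defender’s status and which antivirus products Security Center still has registered, then refreshes signatures and starts the full scan. The cmdlets, registry paths and the Early-Launch group name are real Windows components; the function names are my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original post. Assumes Windows 10 with the
# built-in Defender PowerShell module and an elevated prompt.

function Resolve-DriverPath {
    param([string]$ImagePath)
    # Service ImagePath values come in several shapes: "\SystemRoot\system32\...",
    # "\??\C:\...", "C:\..." or just "system32\drivers\foo.sys".
    $p = $ImagePath.Trim('"')
    if ($p -like '\SystemRoot\*')  { return Join-Path $env:SystemRoot $p.Substring(12) }
    if ($p -like '\??\*')          { return $p.Substring(4) }
    if ($p -match '^[A-Za-z]:\\')  { return $p }
    return Join-Path $env:SystemRoot $p
}

function Get-ElamDriver {
    # ELAM drivers are boot-start services (Start = 0) in the "Early-Launch" load-order group.
    # A missing file or a signature status other than Valid is the first thing to look at.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath
        if ($svc.Group -ne 'Early-Launch') { return }
        $file   = if ($svc.ImagePath) { Resolve-DriverPath $svc.ImagePath } else { $null }
        $exists = $file -and (Test-Path -LiteralPath $file)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Service   = $_.PSChildName
            BootStart = ($svc.Start -eq 0)
            File      = $file
            Signature = "$sig"
        }
    }
}

function Get-ElamLoadPolicy {
    # DriverLoadPolicy under Control\EarlyLaunch (written by the "Boot-Start Driver
    # Initialization Policy" group policy) decides which ELAM classifications may load.
    $names = @{ 8 = 'Good only'; 1 = 'Good and unknown'
                3 = 'Good, unknown and bad-but-critical (default)'; 7 = 'All' }
    $key = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch' -ErrorAction SilentlyContinue
    if ($null -eq $key -or $null -eq $key.DriverLoadPolicy) {
        return 'Not set (Windows default: Good, unknown and bad-but-critical)'
    }
    $v = [int]$key.DriverLoadPolicy
    if ($names.ContainsKey($v)) { "$v = $($names[$v])" } else { "$v = unrecognised value" }
}

function Get-DefenderState {
    # Get-MpComputerStatus is the Defender module's own status cmdlet. The Security Center
    # query shows every AV product still registered; after uninstalling TotalAV it should
    # list only Windows Defender.
    $s = Get-MpComputerStatus
    $registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object -ExpandProperty displayName
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        SignatureAgeDays          = $s.AntivirusSignatureAge
        RegisteredAvProducts      = ($registered -join '; ')
    }
}

Write-Host '== Early-Launch (ELAM) drivers =='
Get-ElamDriver | Format-Table -AutoSize
Write-Host "ELAM load policy: $(Get-ElamLoadPolicy)"
Write-Host '== Windows Defender state =='
Get-DefenderState | Format-List

# Step 5: refresh signatures and run the full scan. The full scan takes a while.
Update-MpSignature
Start-MpScan -ScanType FullScan
```

The Startup Settings choice from step 3 applies to that one boot only, so a normal reboot afterwards brings ELAM back; the driver list this script prints is what ELAM will be vetting on that next boot, so anything showing FileMissing or a non-Valid signature is worth resolving before you restart.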

If this little bit of knowledge helps you, consider dropping me a coffee or popping some spare change in the tip jar. As always, thanks for reading and have a nice morning/day/evening/night/whatever it is!