Microsoft’s latest monthly security update, released on April 14, 2026, has added the third-party kernel driver psmounterex.sys to the Microsoft Vulnerable Driver Blocklist, immediately preventing it from loading on Windows devices. The change, part of the April 2026 Patch Tuesday rollout, is causing widespread failures for users who rely on popular backup and disk-imaging software that depends on this driver to mount backup images and interact with Volume Shadow Copy Service (VSS) snapshots.

System administrators and home users alike began reporting problems shortly after installing the update across Windows 10 (version 22H2), Windows 11 (versions 24H2 and 23H2), and Windows Server 2025. Backup applications that use psmounterex.sys to present backup archives as virtual drives or to tap into VSS for consistent, application-aware snapshots are now throwing errors or failing silently. The result: disrupted backup and recovery workflows, failed system restores, and the inability to browse or extract individual files from image-based backups.

What Is the Vulnerable Driver Blocklist?

The Microsoft Vulnerable Driver Blocklist is a security feature built into Windows that prevents known vulnerable kernel drivers from being loaded. Even if a driver is digitally signed with a valid certificate, it can be blacklisted if it contains flaws that attackers could exploit to gain elevated privileges, execute malicious code, or bypass security controls. The blocklist is updated through Windows Update, typically as part of monthly security releases, and is enforced by Windows Defender Application Control (WDAC) and Hypervisor-Protected Code Integrity (HVCI) when enabled.

Microsoft maintains a list of drivers that have been reported to have security vulnerabilities, often assigned CVEs. When a driver lands on this list, all versions with that signature or filename will be blocked from loading on updated systems. The goal is to protect users even when third-party vendors are slow to fix or retire vulnerable drivers. However, the block can cause immediate compatibility issues if that driver is critical to widely used software.

Psmounterex.sys is a kernel-mode driver used by several backup and imaging utilities—most notably products from Paragon Software but also others that license the driver for mounting disk images. Its primary role is to create a virtual storage device that the operating system treats as a physical disk. This allows backup sets to be mounted as browsable volumes, enabling file-level restores or verification of backup integrity without a full restoration. The driver also interfaces with VSS to mount snapshots taken by the backup software, providing a consistent point-in-time view of the system.

Because it operates at the kernel level, psmounterex.sys has deep access to system resources. A vulnerability in such a driver could allow an attacker with local access to escalate to SYSTEM privileges or to tamper with mounted volumes. Microsoft’s security review identified a flaw in psmounterex.sys—identified as CVE-2026-XXXX (details still under embargo)—that fits this pattern. The April update adds the driver’s SHA-256 hash and file metadata to the blocklist, applying the restriction globally.

The Real-World Impact

Once the April 2026 update is installed, Windows refuses to load psmounterex.sys. Backup applications that require it to mount images or access VSS snapshots will fail with errors such as “Failed to mount backup,” “Driver could not be loaded,” or “VSS snapshot operation failed.” Affected users report the following scenarios:

  • Image-level backups become read-dead: Full disk or partition images can be created but not mounted later. This breaks the ability to verify backup integrity or extract individual files.
  • VSS-based backups fail: Applications that rely on VSS snapshots, including many server backup solutions, cannot create or mount snapshots. This halts incremental or differential backups that depend on VSS for change tracking.
  • System restore points break: System Restore itself uses VSS snapshots. If a backup application’s VSS provider is blocked, creating or restoring to a system restore point may be affected.
  • Bare-metal recovery impaired: Without the ability to mount a backup image, recovering an entire system from backup media may become impossible using the affected software.

On community forums like Reddit’s r/sysadmin and the Spiceworks community, IT professionals are sharing workaround attempts and frustrations. “Our entire weekend backup verification job is toast,” wrote one system administrator. Another noted, “Paragon Hard Disk Manager 17 just started throwing ‘driver missing’ errors after this month’s updates were pushed by WSUS.” Home users are also caught off guard, with posts on Microsoft’s own community site seeking help: “Why won’t my backup software mount my old backups after the latest Windows Update?”

Why Now? The Vulnerability Deep Dive

While the specific CVE details for psmounterex.sys are not yet public in full, security researchers familiar with the driver note that older versions contained a classic buffer overflow or arbitrary memory write flaw. A local user or a piece of malware running with low privileges could craft a malicious IOCTL (input/output control) request to the driver, causing it to write data outside allocated buffers, leading to kernel memory corruption and privilege escalation. Such vulnerabilities have been common in third-party kernel drivers, and Microsoft has been aggressively expanding the blocklist since 2021 to combat the rise in driver-based post-exploitation techniques.

Paragon and other vendors have long been aware of the push towards tightening driver security. Microsoft began recommending that backup and disk utilities shift away from arbitrary kernel drivers and use user-mode APIs or storage minifilters instead. However, the transition is not trivial, and many popular products still rely on legacy kernel components. The April 2026 block appears to be the culmination of a timeline where vendors were given advance notice but may not have released updated drivers in time, or users haven’t updated their software yet.

Community Efforts and Temporary Workarounds

For users who cannot immediately update their backup software or wait for a vendor patch, some temporary measures have emerged—though Microsoft and security experts warn against them for obvious security reasons.

One method involves temporarily disabling the vulnerable driver blocklist enforcement. This can be done by setting a registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config and adding “VulnerableDriverBlocklistEnable”=dword:00000000. A reboot is required. However, this disables the entire blocklist, not just for psmounterex.sys, exposing the system to all blocked drivers. Alternatively, if HVCI is enabled, the blocklist is always enforced; turning off HVCI (memory integrity) also weakens system security. Neither approach is suitable for production environments.

A less risky workaround is to locate a newer version of psmounterex.sys that has been re-signed and possibly patched, then replace the driver file in the application directory. But that requires the vendor to have released such a version, and users must verify its hash against the blocklist (which has not yet been updated to trust the new version). Some advanced users have reported success by creating a custom WDAC policy that explicitly allows the specific version of the driver they trust, but that is a complex process involving PowerShell and XML policy creation.

The ideal solution is for affected software vendors to release an updated driver that addresses the vulnerability and to distribute it through their update channels. Once the updated driver is signed with a new certificate and its file hash differs, Microsoft can update the blocklist to allow it (or simply not block it). Users should check for updates from their backup software vendor immediately.

What Microsoft Says

Microsoft has acknowledged the issue in a support bulletin linked from the April 2026 Security Update Guide. The company reiterates its commitment to protecting users from vulnerable drivers and notes: “Drivers that are added to the blocklist have been reported to have known vulnerabilities that can be exploited for privilege escalation or other security bypasses. We work with vendors to address these issues, and the block ensures systems are protected until updates are deployed. Organizations and users should update their backup software to the latest versions that use safe drivers or alternative mounting technologies.”

No Known Issue Rollback (KIR) has been announced for this specific block. A rollback would be unusual for a security-driven driver block, as it would reintroduce the vulnerability. Instead, Microsoft’s Release Health dashboard for both Windows 10 and 11 lists the issue under “Safeguard holds” with guidance to contact the software vendor.

The Road Ahead for Backup Software

The psmounterex.sys incident highlights an ongoing shift in Windows security: the deprecation of kernel-mode drivers for tasks that can be accomplished in user space. Windows now offers the Projected File System (ProjFS), Storage Spaces, and the Cloud Files API, all of which allow file virtualization without custom kernel code. Backup vendors are being urged to move to these models, but the transition takes time and often requires substantial architectural changes.

For users, the immediate future involves a tough choice: upgrade backup software to a supported version, switch to a competing product that uses Microsoft-sanctioned methods, or risk staying on outdated Windows updates—an equally bad idea. The coming weeks will likely see hotfixes from the main vendors, and once those are installed, normal backup operations should resume.

In the broader context, the blocklist expansion is a net positive for Windows security. Each vulnerable driver removed from the ecosystem closes an avenue that ransomware and nation-state actors have used to disable antivirus or burrow into the kernel. But the disruption underscores the need for better communication and faster turnaround from ISVs to keep up with Microsoft’s security cadence.

How to Check if You’re Affected

To determine if psmounterex.sys is being blocked on your system:
- Open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational. Look for event ID 3081 (driver blocked) with details mentioning psmounterex.sys.
- Check the output of running sc query psmounterex in Command Prompt; if it’s not running and your backup software is installed, the driver is likely blocked.
- Review your backup software’s logs for IOCTL failures or “driver not loaded” errors.

If you are affected, first contact your backup vendor’s support to see if there is an update. Then follow Microsoft’s guidance on managing the vulnerable driver blocklist, but only as a temporary stopgap if absolutely necessary.

Final Thoughts

The April 2026 Windows update is another stark reminder that the operating system’s security walls are getting higher, and third-party software must adapt or be locked out. While the short-term pain is real—especially for enterprises that depend on nightly backups—the long-term gain is a more resilient Windows ecosystem. As more vulnerable drivers are swept from systems, attackers lose one of their favorite tools, but the transition comes with bumps. For now, keep your backup software patched, test your restore process regularly, and stay tuned for vendor updates that will put psmounterex.sys in the rearview mirror.