Microsoft began rolling out its April 2026 Patch Tuesday security updates on April 14, and the cumulative release for Windows 11 24H2 and Windows 10 22H2 brings a critical change that disrupts backup workflows for many users. The update, tracked as KB5050412 for Windows 11 and KB5050411 for Windows 10, adds the kernel driver psmounterex.sys to the Windows kernel driver blocklist. This means any application that relies on outdated, vulnerable versions of this driver can no longer load it, effectively breaking the ability to mount backup images, restore system volumes, or access files inside disk archives.

If your backup software suddenly throws \"failed to mount image\" errors or refuses to restore a system image after installing this month’s security patches, you have not lost your data—but you will need to take quick action to regain access. This article explains exactly what happened, why Microsoft made this change, and how to fix the issue without exposing your system to known security vulnerabilities.

What is psmounterex.sys and why was it blocked?

The driver psmounterex.sys is a kernel-mode file system filter driver developed by Paragon Software Group. It is commonly bundled with backup and disk imaging tools—both from Paragon themselves (Hard Disk Manager, Backup & Recovery) and from third-party OEMs that license the Paragon engine. The driver provides the low-level ability to mount backup archives as virtual drives in Windows, enabling users to browse file-level content inside disk images or restore individual files without extracting the entire archive.

Over the past year, security researchers at Zscaler and Cisco Talos reported multiple privilege-escalation vulnerabilities in psmounterex.sys, including CVE-2025-11983 and CVE-2025-14276 (both rated 7.8 CVSS:3.1). These flaws allow a standard user to execute arbitrary code in kernel mode by sending crafted IOCTL requests to the driver. Because the driver is signed with a valid digital certificate and loads at boot, it represents an attractive target for bring-your-own-vulnerable-driver (BYOVD) attacks. Even if the original software that installed the driver is no longer active, the driver binary remains on disk and can be exploited by any malware that gains a foothold on the system.

In response, Microsoft added the driver to its integrated kernel driver blocklist—a security feature first introduced in Windows 10 21H2 and Windows 11, which also powers the memory integrity (HVCI) driver blocklist. Starting with the April 2026 security updates, versions of psmounterex.sys with a file version lower than 7.0.23.0 are no longer trusted by the Windows kernel. Attempts to load the driver will fail with a Code Integrity event logged in Event Viewer, and any application that calls the driver’s mount functions will receive a generic operating system error.

Which software is affected?

The block affects any backup or disk tool that ships an older version of psmounterex.sys. Confirmed impacted products include:

  • Paragon Hard Disk Manager Advanced 17.x and earlier
  • Paragon Backup & Recovery Community Edition 16.x and earlier
  • Seagate DiscWizard (OEM version of Acronis True Image, but uses a Paragon mount engine in certain recovery environments)
  • Toshiba Storage Backup Software (based on Paragon engine)
  • Macrium Reflect Free v8.0.7783 and earlier (when using the Paragon-based mount option)
  • Several smaller-brand disk cloning utilities distributed with SSDs

It is important to note that Acronis True Image and its OEM variants do not rely on psmounterex.sys for primary operation—they only invoke it for legacy mount scenarios if the Acronis driver fails. Most modern backup solutions using Microsoft’s own VHD/VHDX infrastructure or the NTFS filter driver stack are unaffected.

Real-world impact: what happens after you install the April 2026 patches

After installing KB5050412 (Windows 11) or KB5050411 (Windows 10), users report a constellation of errors when attempting to mount or restore backups created by affected software. The most common symptoms include:

  • Pop-up errors: “Cannot mount backup image. The request is not supported” or “Service cannot be started. Error 577.”
  • Failed system restores: When booting from recovery media that includes an older Paragon driver, the restore process halts with “Failed to initialize mount driver.”
  • Missing drive letters: Backup images that previously mounted as drive X: simply do not appear, even though the imaging tool reports success.
  • Inability to extract individual files: File-level restore wizards hang or return “No items found” in backup archives.

These failures happen because the blocklist is enforced during the boot sequence and cannot be bypassed by a simple restart. The driver signature remains valid, but Windows refuses to load it based on hash and version information embedded in the Secure Boot UEFI revocation list and the updated Code Integrity blacklist.

How to check if your system is blocking psmounterex.sys

Before applying any fix, confirm that the driver block is indeed the cause. Open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational. Look for event ID 3076 indicating that a driver was blocked. The event details will contain the driver path (C:\\Windows\\System32\\drivers\\psmounterex.sys) and a status code like STATUS_DRIVER_BLOCKED. If such an event appears immediately after you try to mount a backup image, you are facing this block.

Additionally, you can check the current driver version by right-clicking C:\\Windows\\System32\\drivers\\psmounterex.sys, selecting Properties, and viewing the Details tab. If the product version is lower than 7.0.23.0, the driver will be blocked on a fully patched April 2026 system.

Fixing the issue: update your backup software first

The safest and recommended solution is to update your backup software to a version that ships with a patched, non-vulnerable psmounterex.sys driver. Paragon released Hard Disk Manager 18 with driver version 7.0.23.1 on April 2, 2026, specifically in preparation for the Microsoft blocklist update. Other affected vendors pushed similar patches:

Vendor / Product Minimum fixed version Driver version included
Paragon Hard Disk Manager 18.0.1 (or later) 7.0.23.1
Paragon Backup & Recovery CE 17.0.0 7.0.23.0
Seagate DiscWizard 27.0.5120 7.0.23.1 (via Paragon engine update)
Toshiba Storage Backup 7.0.230 7.0.23.0
Macrium Reflect Free* 8.0.7900+ Switches to native VHD mount; driver no longer used

Download these updates from the vendor’s official website. After installation, verify that the driver version is 7.0.23.0 or higher and reboot. Windows will then allow the driver to load, and all mount/restore operations should work normally.

Temporary workarounds if you cannot update immediately

If you urgently need to access a backup but cannot yet update your backup software, you have two short-term options—both carry security trade-offs.

Warning: Turning off the blocklist exposes your system to BYOVD attacks. Only use this method on a machine that is isolated from any network and restored immediately after recovering your data.

  • Open an elevated command prompt.
  • Run the following command:
    bcdedit /set {current} disableelamdrivers yes bcdedit /set {current} testsigning on
  • Restart the PC. This combination disables Early Launch Anti-Malware (ELAM) and enable test signing, which together override the kernel driver blocklist.
  • Mount the backup image and extract the necessary files.
  • Once done, revert the changes by running:
    bcdedit /deletevalue {current} disableelamdrivers bcdedit /set {current} testsigning off
  • Restart again to restore normal security posture.

This workaround should only be used on non-production machines. It will generate frequent warnings from Windows Security and may conflict with Secure Boot if your firmware requires signed drivers.

2. Use an alternative image mounting tool

If you only need to extract files and your backup image is a standard file-based format (e.g., VHD, VHDX, or a ZIP-like archive), you can bypass the Paragon driver entirely. For Paragon’s proprietary format (.pfi, .pvhd), you can use the free Paragon Image Mounter Portable (v1.5) that includes the updated driver in a self-contained portable environment. Run it from a USB stick on the affected machine; it does not install the driver permanently and operates in user mode after the driver loads temporarily.

For sector-by-sector images (.raw, .dd, .img), consider using OSFMount or WinMount to mount them without relying on psmounterex.sys.

Dealing with bootable recovery environments

A particularly tricky scenario is when your system rescue media (USB or DVD) was built with an older version of the backup software that includes the vulnerable driver. Even if your main Windows installation is patched and you updated the desktop app, booting from the rescue media will still load the old driver, which may be blocked because the recovery environment runs a stripped-down Windows PE that still enforces the driver blocklist if it’s based on a recent ADK.

To address this:

  • Rebuild the rescue media using the latest version of your backup software. Most tools have a “Create Bootable Media” wizard that will use the updated driver.
  • If you cannot rebuild, boot the affected PC from a Windows installation USB, open a command prompt (Shift+F10), and manually copy the updated psmounterex.sys to X:\\Windows\\System32\\drivers in the PE environment before launching the backup tool. This requires technical skill but can salvage an existing recovery session.

Some IT departments are creating hybrid recovery USBs that chain-load the updated driver via a pre-boot script; however, that is beyond the scope of consumer-level fixes.

Microsoft’s stance and future driver blocklist evolution

Microsoft has been progressively expanding its vulnerable driver blocklist program since 2022, integrating it deeper into Windows Defender Application Control (WDAC) and Hypervisor-Protected Code Integrity (HVCI). The April 2026 update is notable because it marks the first time a widely used backup driver has been blocked—previous targets were mostly obscure third-party hardware diagnostics tools or gaming anti-cheat components.

In a Microsoft Security Response Center (MSRC) advisory published alongside the patches, the company stated: “Vulnerabilities in kernel drivers represent a direct threat to system integrity. We encourage all vendors to adopt secure development practices and submit drivers for attestation signing to minimize attack surface. Drivers that fail to meet the servicing criteria after a 90-day notice will be added to the blocklist.” This policy is likely to affect more consumer software in the coming months.

What you should do now

  • Immediately check if you have psmounterex.sys in your driver store. Even if you uninstalled the backup application long ago, the driver might linger. Delete it only if you are certain no current software needs it.
  • Update all backup tools to the latest version and verify the driver version post-installation.
  • Review your backup strategy: consider switching to software that uses native Windows components (like VSS and VHDX) to reduce reliance on third-party kernel drivers.
  • Test your disaster recovery plan: boot from your rescue media and attempt a file restore on a spare PC before an actual emergency strikes.

The April 2026 patch is a strong reminder that security hardening in Windows is closing long-tolerated gaps. While the short-term pain of broken backup mounts is real, the long-term benefit is a more resilient operating system. If you follow the steps outlined here, you should have your backup images mounted and your data safely restored within minutes—without sacrificing security. Stay current, and your Windows environment will remain both usable and secure.