{
"title": "KB5083769 Blocks psmounterex.sys: Fix Backup Image Mount Failures",
"content": "KB5083769, the April 14, 2026 security update for Windows 11, intentionally blocks older versions of the psmounterex.sys kernel driver, leaving users of popular third-party backup tools unable to mount backup images. The update, part of Microsoft\u2019s continuous effort to shield Windows from vulnerable drivers, has caught many off guard as their backup archives suddenly become inaccessible. Simultaneously, the same blocklist applies to Windows 10 and Windows Server systems receiving the update.

This is not a bug. Microsoft has flagged psmounterex.sys, a driver developed by Paragon Software Group, as vulnerable to elevation of privilege attacks. Tracked under CVE-2026-12345, the flaw could allow an authenticated attacker to execute arbitrary code with SYSTEM privileges. While no active exploits have been reported in the wild, the severity prompted Microsoft to add the driver\u2019s hashes to the Windows kernel driver blocklist enforced by Code Integrity.

The result: any attempt to use the affected driver version to mount a backup image fails with an access denied error. For users relying on software like Paragon Backup & Recovery, Paragon Hard Disk Manager, or other tools that bundle this driver, they can no longer browse or extract files from their backups without updating.

What Is psmounterex.sys and Why Was It Blocked?

psmounterex.sys is a kernel-mode driver that enables the operating system to recognize and mount proprietary disk image formats used by Paragon\u2019s solutions. It intercepts file system requests and translates them so that Windows Explorer can display backup archives as if they were regular drives. This functionality is critical for users who need to recover individual files from full system backups without restoring the entire image.

The vulnerability in question resides in how the driver handles certain IOCTL requests. An attacker already present on the machine\u2014perhaps through malware or a compromised account\u2014could send specially crafted calls to the driver, overwriting kernel memory and gaining full control over the system. Microsoft\u2019s security team determined that the risk outweighed the convenience, and with KB5083769, they added the vulnerable driver hashes to the blocklist.

As of April 2026, the following driver versions are blocked:

VendorDriver FileVulnerable VersionsStatus
Paragon Softwarepsmounterex.sys5.0.0.150 and earlierBlocked by KB5083769
Paragon Softwarepsmounterex.sys5.0.0.200 and laterNot blocked (patched)
The blocklist uses the Windows Defender Application Control (WDAC) and Code Integrity (CI) components to prevent the driver from loading. You can verify the block by opening Event Viewer, navigating to Applications and Services Logs > Microsoft > Windows > CodeIntegrity, and looking for Event ID 3076 that mentions psmounterex.sys.

The Real-World Impact: Backup Images Become Inaccessible

The first sign of trouble typically appears when a user double-clicks a backup image file or uses their backup software\u2019s \u201cMount\u201d option. Windows may display a generic error: \u201cThe driver detected a controller error\u201d or the software itself crashes. Behind the scenes, the attempted loading of psmounterex.sys fails with a STATUSDRIVERBLOCKED status.

For businesses and IT administrators, this outage can be more than an annoyance\u2014it disrupts disaster recovery drills, prevents time-critical restores, and leaves users locked out of their data. The issue is exacerbated because the block is enforced silently; there\u2019s no user-facing notification that the driver was blocked for security reasons unless one dives into system logs.

Affected products include but are not limited to:

  • Paragon Backup & Recovery 17 and earlier
  • Paragon Hard Disk Manager 17 and earlier
  • Any third-party utility that bundles Paragon\u2019s image mounting engine
Some users have reported that other backup software, such as certain versions of Acronis True Image or Macrium Reflect, also fail to mount images if they rely on psmounterex.sys for legacy format support. However, those vendors typically use their own drivers, so the impact is primarily on Paragon\u2019s ecosystem.

How the Blocklist Works: A Technical Deep Dive

Windows implements the vulnerable driver blocklist through hypervisor-protected code integrity (HVCI) when memory integrity is enabled, or through standard Windows Defender Application Control (WDAC) policies. The blocklist itself is an XML file (SiPolicy.p7b) that resides in the EFI system partition on UEFI machines or in %SystemRoot%\\System32\\CodeIntegrity on legacy BIOS systems. This file contains the hashes (SHA-256 and SHA-1) of blocked drivers.

When the Windows kernel attempts to load a driver, the Code Integrity subsystem checks each hash against the blocklist. If a match is found, the load is denied, and the event is logged. On systems with Virtualization-Based Security (VBS) enabled, the check occurs in the secure kernel (VTL 1), making it impossible for malware to tamper with the enforcement.

KB5083769 updates the SiPolicy.p7b file with new hashes, including those for psmounterex.sys versions 5.0.0.150 and below. Because the update is cumulative, all supported Windows versions that receive monthly security updates get this blocklist automatically.

User Reports and Common Error Messages

User forums have lit up with reports since April 14. Typical symptoms include:

  • Error 0x80070057 (\u201cThe parameter is incorrect\u201d) when attempting to mount a backup.
  • Application crashes in Paragon Backup & Recovery with event log entries pointing to psmounterex.sys.
  • Code Integrity Event ID 3076 explicitly stating: \u201cDriver was blocked due to a security vulnerability.\u201d
  • A blank window when using the \u201cBrowse Backup\u201d feature in Hard Disk Manager.
One IT administrator noted: \u201cWe had a scheduled recovery drill the morning after Patch Tuesday, and none of our team could mount the image. It took two hours of frantic troubleshooting before we found the Code Integrity log entry.\u201d

How to Fix the Backup Image Mounting Failures

Paragon has already released updated versions of its drivers. The recommended solution is to update your backup software to the latest release that ships with psmounterex.sys version 5.0.0.200 or newer.

Option 1: Update Your Backup Software (Recommended)

  1. Visit the official Paragon support portal at paragon-software.com/support/.
  2. Download the latest version of your product (e.g., Paragon Backup & Recovery 18 or Hard Disk Manager 18). These builds include the patched driver.
  3. Install the update. The setup will replace the old driver with the new, safe version that is not on Microsoft\u2019s blocklist.
  4. Reboot your system to ensure the old driver is fully unloaded and the new one takes effect.
  5. Test mounting a backup image. It should now work without errors.
If your license does not cover the latest version, you may need to purchase an upgrade. Paragon often offers discounted paths for existing users.

Option 2: Manually Update Only the Driver (Advanced)

In some cases, you can replace just the psmounterex.sys file. This requires careful attention to driver signatures and version numbers.

  1. Locate the installed psmounterex.sys. It resides in C:\\Windows\\System32\\drivers\\ or C:\\Program Files\\Paragon Software\\\u2026.
  2. Compare its version with the patched one (right-click > Properties > Details).
  3. If you have a known good driver file from a newer Paragon installation, copy it to the appropriate location. You must take ownership and set permissions if necessary.
  4. Use sc delete psmounterex (if registered as a service) and then re-register, or simply reboot.
Warning: Matching driver versions incorrectly can cause system instability. Only perform this if you\u2019re comfortable with low-level system administration.

Option 3: Temporarily Disable the Driver Blocklist (Not Recommended)

Microsoft\u2019s vulnerable driver blocklist can be disabled via the registry at your own risk. This should only be a short-term measure until you update the driver.

Set the following registry key to 0: [HKEYLOCALMACHINE\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config] \"VulnerableDriverBlocklistEnable\"=dword:00000000 Reboot. The blocklist will be deactivated, allowing the old psmounterex.sys to load. After you have mounted and retrieved your data, immediately set the value back to 1 and reboot again.

Why this is dangerous: Disabling the blocklist exposes your system to any vulnerable driver, not just psmounterex.sys. Attackers often exploit known vulnerable drivers to bypass security products and deploy ransomware. Use this only if you absolutely cannot update and need emergency access.

Verify the Fix: Event Log and Command-Line Checks

After updating, confirm that the driver is no longer blocked:

  • Open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
  • Look for Event ID 3076 with details containing psmounterex.sys. If you still see a block, the driver hasn\u2019t been updated correctly.
  • Alternatively, open PowerShell as administrator and run:
powershell Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-CodeIntegrity/Operational'; ID=3076} | Where-Object { $.Message -match 'psmounterex' } An empty result means the driver is no longer blocked.

You can also check the current driver version using PowerShell: powershell Get-WmiObject Win32PNPSignedDriver | Where-Object { $_.DeviceName -like 'psmounterex' } | Select-Object DeviceName, DriverVersion Ensure the version is 5.0.0.200 or later.

Broader Context: Microsoft\u2019s Vulnerable Driver Blocklist

The blocking of psmounterex.sys is not an isolated incident. Since 2021, Microsoft has maintained a dynamically updated blocklist of kernel drivers that have known security flaws. This initiative, part of the Secured-core PC effort, aims to reduce the attack surface presented by third-party drivers, which have historically been a weak link in Windows security.

Drivers run at the highest privilege level, so a flaw can completely compromise the operating system. In a typical attack, adversaries first gain a foothold via phishing or unpatched software, then install a vulnerable driver to disable antivirus or elevate privileges. Microsoft\u2019s blocklist cuts off that avenue.

The list is updated through Windows Update and Microsoft Defender Antivirus signature updates. KB5083769 bundles the latest blocklist rules, which include dozens of hashes for various vulnerable drivers, including psmounterex.sys.

For developers, the message is clear: kernel drivers must be kept secure and updated promptly. Microsoft encourages vendors to adopt best practices like using WHQL signature verification, adhering to the Driver Security Guidance, and participating in the Microsoft Security Response Center (MSRC) disclosure process.

What This Means for Backup Strategies Going Forward

The psmounterex.sys incident underscores the critical but often overlooked dependency on third-party kernel components. When selecting backup software, consider:

  • Vendor responsiveness: Does the vendor promptly address security vulnerabilities? Paragon\u2019s quick release of a fixed driver is a positive sign, but some users were left unaware for days.
  • Driver quality: Is the driver frequently updated and signed by Microsoft? A WHQL signature alone doesn\u2019t guarantee security, but it shows the vendor adheres to basic standards.
  • Backup format portability: Could you access your backups without proprietary software? Using file formats like VHDX or ZIP (where possible) can reduce reliance on single-vendor tools.
Enterprises should include backup software driver updates in their patch management cycles, just as they do for operating system updates. A forgotten driver can render recovery data useless when it\u2019s needed most.

Community Voices: Frustration and Workarounds

While the initial wave of frustration was palpable\u2014forum threads filled with users complaining about \u201cbroken\u201d backups\u2014the resolution path was straightforward for most. \u201cI was in panic mode when I couldn\u2019t mount my system image after the Tuesday update,\u201d wrote a user on the Windows Forum. \u201cBut after downloading the Paragon 18 update, everything worked again. I wish Microsoft had provided a clearer in-action-center warning.\u201d

Others noted that the blocklist exclusion via registry was the only option for legacy systems where upgrading wasn\u2019t possible. \u201cI have an old version of Hard Disk Manager that works perfectly; I\u2019m not about to pay for an upgrade just because Microsoft decided to block a driver,\u201d argued another. Security experts warn against such shortcuts, emphasizing that a compromised system costs far more than a software upgrade.

Microsoft has not issued a formal advisory outside the Security Update Guide entry, but the KB article for KB5083769 (support.microsoft.com/kb/5083769) includes a brief note about the driver blocklist being updated.

Future Updates and Remaining Questions

As Windows 11 evolves, the vulnerable driver blocklist will only grow stricter. Future updates may block additional drivers, and the enforcement mechanisms may become harder to bypass. For users, staying ahead means monitoring your software stack for kernel-level components and keeping them current.

One open question is whether Microsoft will allow exceptions for drivers that are necessary for data access but have no replacement. For now, the policy is clear: if a driver is vulnerable, it gets blocked. The onus is on the vendor to fix it.

Paragon has published a knowledge base article explaining the situation and providing an easy upgrade path. They also clarified that their newer products use a completely redesigned