Here’s one hot off the presses. Getting right into it, here is what I have to share.
- What is happening?
- What is the root cause?
- What are the intermediate solutions?
- Update 7/20/23
I will update this article as the issue progresses and more information becomes available.
What is happening?
Today we started seeing a handful of reports that Google Chrome would not launch on devices. As the day went on, this number started growing along with our concern.
Behavior: When Chrome is clicked, a task would appear in Task Manager, but nothing else would happen. No errors were displayed, nothing was logged anywhere in Event Viewer (that we could find), no crash log was made, nothing.
It was however quickly found that…
- Running as a different user, even a non-admin, would allow the app to launch (SHIFT + Right click the EXE).
- No amount of cache clearing, re-installing, temp file deleting, app data clearing, etc., allowed Chrome to run as the device's main user.
- Shutting off our AV, however, allowed Chrome to again run as the main user of the machine.
What is the root cause?
After some digging, this appears to have been narrowed down to the Windows 11 KB5027231 cumulative update for June 2023 in combination with certain anti-virus solutions. So far, I am aware of Cisco Secure Endpoint and have seen others talking about Malwarebytes.
It’s not yet understood exactly why these three items in combination are causing an issue and no issue has been seen on Windows 10 (yet).
There are other articles reporting on Malwarebytes already, but I haven’t seen any articles covering CSE (Cisco Secure Endpoint). However, there are folks on the forums talking about it here. Interestingly, they note the issue is specific to 8.7.1, but we are also seeing the issue occur on versions prior to that in addition to 8.7.1.
Unfortunately, at least for CSE, the module at fault is Exploit Prevention. That module has proven in the past to have a nasty habit of taking action and not logging it anywhere. That’s something I have personally discussed with Cisco and it’s not something they have a great answer for. Regardless, for that reason, this issue was not easy to identify and narrow down. You will simply have to shut that module or SEP off entirely to confirm the issue.
It is not believed that this has anything to do with the latest June version of Chrome, as the issue can be replicated on months-old versions.
What are the intermediate solutions?
There are a few, but they are not pretty.
- Rename Chrome.exe, confirmed working with CSE. Shortcuts will break, HTML links may continue to work if you have Chrome as the default browser thanks to AP ID.
- Prevent KB5027231 from reaching Windows 11 devices, obviously not best practice.
- On the AV side, we know Cisco Secure Endpoint is blocking it via the Exploit Prevention module – you could shut it off but again, not best practice. There are other solutions coming out of the cracks for other AV solutions like Malwarebytes.
- Update: For reasons that don’t immediately make sense, if Chrome is the default browser, the issue will not occur.
Given the importance of Google Chrome, and that others are beginning to notice the issue, it is only a matter of time before either Microsoft or AV vendors release a proper solution.
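To triage a device against the combination described above (Windows 11, KB5027231, Chrome not the default browser, and a chrome.exe task with no window), the following PowerShell is an added example and not part of the original article. It assumes it is run in the affected user's session, that Chrome registers its default-handler ProgId as `ChromeHTML`, and it does not check for the AV product, since service names vary by vendor and version.

```powershell
# Added triage example (not from the original article). Run as the affected user.
$kb = 'KB5027231'   # update named in the article

# Windows 11 reports build numbers of 22000 or higher.
$build   = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$isWin11 = $build -ge 22000

# Get-HotFix lists installed update packages only; a later cumulative
# update will not appear under this KB number.
$kbPresent = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

# Per-user default handler for https links (assumed ProgId prefix: ChromeHTML).
$assoc  = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice'
$progId = (Get-ItemProperty -Path $assoc -ErrorAction SilentlyContinue).ProgId
$chromeIsDefault = $progId -like 'ChromeHTML*'

# Symptom from the article: chrome.exe is listed as a task but no window appears.
# A Chrome left running in background mode also has no window, so treat this as a hint.
$chrome   = @(Get-Process -Name chrome -ErrorAction SilentlyContinue)
$windowed = @($chrome | Where-Object { $_.MainWindowHandle -ne 0 })
$stuck    = ($chrome.Count -gt 0) -and ($windowed.Count -eq 0)

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    Windows11       = $isWin11
    KbInstalled     = $kbPresent
    ChromeIsDefault = $chromeIsDefault
    ChromeNoWindow  = $stuck
    # Combination the article reports as failing; AV presence must be confirmed separately.
    MatchesReport   = ($isWin11 -and $kbPresent -and (-not $chromeIsDefault))
}
```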
Update 7/20/23:
To provide some news on this, to our knowledge this has yet to be fixed over a month later. We are certainly still able to replicate the issue. Why? As best we can tell, there is a finger-pointing match going down between Microsoft, Chrome, and the various AV vendors involved. This is because a Microsoft update is what occurred as the issue began, but it’s the select few AVs that ultimately cause Chrome grief. Chrome seems to be the only thing affected though, which is putting some blame onto them.
Maybe it’s just a ploy to push organizations to Edge. Who knows. Hopefully they get it fixed soon.
