Windows boot error ‘klelam.sys’ missing or corrupt

GBT (Member; joined Dec 24, 2025; messages: 2)

Hi, sorry for the long first post but I’ve been on this a while.

Recently, after the last Windows 10 update ever, my PC went to reboot as normal but failed with a message that mentions “klelam.sys”.

I've searched multiple sites and found that this file belongs to the Kaspersky AV suite that I uninstalled nearly 2 years ago. I've been using Defender since then with zero issues after multiple reboots.

I cannot start Windows in any form, including safe mode.

I can start the RE but the find/repair options do not work.

If I select option 8 (‘do not use elam’) from the RE menu options, the PC just hangs.

I've run multiple virus scans and removed a few bits of malware that the various tools identified.

I've searched the PC and cannot find klelam.sys, but there are a number of elam.sys (which I think are the Windows default files).

I've used the 3 bcdedit commands to recreate the boot files just in case.

I’ve used bcdboot /c to force Windows to recreate the boot files.

I have run various repair tools from companies like EaseUS, AOMEI, etc. with no success, as the error remains.

I have searched the system hive (mounted into Hiren's Windows recovery toolset) and cannot see any keys referencing ELAM other than backup location, so presume there are no policies set that would force the use of klelam.sys over elam.sys.

I have a hidden EFI partition of 300 MB.

Boot drive is C.

Windows is located at c:\windows

I can read all of my NTFS C drive (including the files on the EFI partition, which is formatted as FAT32, and another 500 MB system partition, which is formatted as NTFS) using Hiren's recovery CD.


I cannot:

uninstall recent updates or

roll back to a previous restore point (even though I use them religiously with every change I make, it seems there is not a single one in the relevant folder)

I have searched the entire registry - no mention of klelam.sys

I have searched the entire C drive - ditto.

This is what is infuriating: there isn’t a klelam.sys file in existence nor referenced anywhere (but there is an elam.sys), yet boot fails with the same error ‘a file is missing - klelam.sys, please locate and reboot’ or words to the effect.


I’ve reset the AMD BIOS on my ASUS TUF 450 Plus Gaming mobo to system defaults and will try to reset the NVRAM just in case there is something in there.

I am not keen on turning off Secure Boot just in case there is something really nasty in the boot files that has evaded the 5 AV scanners used so far.

I really do not want to blow away the drive and reinstall Windows, as I have a few hundred apps that would need reinstalling as I create music.


My question is: how do I force the boot loader to use the default elam.sys file and remove references to klelam.sys when I can't boot Windows to run an in-place upgrade?


Thanks
 

Solution
Hi GBT — thanks for the detailed write-up, that helps a lot. Short version: Windows keeps ELAM (Early Launch Anti‑Malware) data in its own offline hive (C:\Windows\System32\config\ELAM) which Winload reads very early in boot; if that hive still references Kaspersky’s ELAM driver (klelam.sys) Winload will try to load it even if the driver file doesn’t exist anywhere else. You can fix this in two safe ways from WinRE / a rescue USB:
  • easiest (low risk): place a copy of Microsoft’s elam.sys named klelam.sys so the loader finds a driver file; or
  • proper (one‑time registry edit): load and edit the offline ELAM hive and remove the Kaspersky vendor entry so Winload no longer tries to load klelam.sys.
I’ll give step‑by‑step commands for both approaches and what to check. Background references: Microsoft explains the ELAM hive location and vendor keys in HKLM\ELAM and the ELAM hive file usage. Kaspersky documents show klelam/klelaml as Kaspersky ELAM driver names.
Before you start — safety checklist
  1. Boot your rescue environment (WinRE Command Prompt, Hiren’s WinPE, or similar). Confirm which drive letter is your Windows volume (it may not be C: inside the recovery environment). Use dir X:\Windows to confirm the Windows folder and replace X: below with the correct letter.
  2. Make a copy of the ELAM hive before editing: copy X:\Windows\System32\config\ELAM X:\ELAM.backup (or copy to an external USB). Don’t skip this.
  3. If you have space, make a full image of the drive (Macrium/Clonezilla/whatever) — this is strongly recommended for systems with a lot of work/apps.
Option A — Quick test: copy elam.sys to klelam.sys (try this first)
  • Why: if Winload is failing because the file klelam.sys is simply missing, creating a copy (a benign Microsoft ELAM driver) named klelam.sys can satisfy the loader so boot can proceed. This is reversible and non‑destructive.
  • Steps (from WinRE command prompt):
    1. Verify location of elam.sys: dir X:\Windows\System32\drivers\elam.sys
    2. If it exists, make a copy named klelam.sys:
      copy X:\Windows\System32\drivers\elam.sys X:\Windows\System32\drivers\klelam.sys
    3. Set file attributes if needed (optional): attrib -r -s -h X:\Windows\System32\drivers\klelam.sys
    4. Reboot and test.
  • Expected result: Winload finds the file and may boot. If it still fails, proceed to Option B.
Option B — Edit the ELAM hive (proper fix)
  • Why: the ELAM configuration is stored in its own hive (C:\Windows\System32\config\ELAM). Winload uses keys under HKLM\ELAM\<VendorName>. Removing the Kaspersky vendor entry removes the request to load klelam.sys. Microsoft docs describe the vendor keys and the ELAM hive.
  • Steps (run from an elevated WinRE command prompt):
    1. Confirm Windows drive letter and make a backup copy of the ELAM hive file:
      copy X:\Windows\System32\config\ELAM X:\ELAM.backup
    2. Load the ELAM hive into the running registry under a temporary key:
      reg load HKLM\OFFLINEELAM X:\Windows\System32\config\ELAM
      (Microsoft docs for reg load/reg unload).
    3. Open Registry Editor from the same RE environment:
      • regedit then navigate to HKEY_LOCAL_MACHINE\OFFLINEELAM
      • Or use command line to inspect: reg query HKLM\OFFLINEELAM /s | findstr /i "kaspersky klelam kl"
    4. Look for a subkey that is clearly Kaspersky vendor name (it may be named something like KasperskyLab, KAV, or contain KL/kl*). The vendor key is under the root you loaded (OFFLINEELAM\VendorName).
    5. If you find a Kaspersky vendor key, export it first (File → Export in regedit) then delete it:
      • To delete from command line: reg delete "HKLM\OFFLINEELAM\<VendorName>" /f
        (replace <VendorName> with the real key name you found).
    6. Unload the hive when done:
      reg unload HKLM\OFFLINEELAM
    7. Reboot and test.
  • Expected result: Winload will no longer ask for klelam.sys because the ELAM vendor entry that expected that driver is gone.
Other checks (if the above don’t help)
  • Inspect driver service entries in the offline SYSTEM hive too. Load SYSTEM hive similarly (reg load HKLM\OFFLINESYSTEM X:\Windows\System32\config\SYSTEM) and check under HKLM\OFFLINESYSTEM\ControlSetXXX\Services for any service name that references klelam or Kaspersky — delete those service keys if you confirm they are leftover. (Make backups.)
  • Check DriverStore and Drivers folder for any leftover KL files and remove them:
    • dir X:\Windows\System32\drivers\*kl*
    • dir X:\Windows\System32\DriverStore\FileRepository\*kl*
  • If RE’s “Do not use ELAM” entry is hanging (you reported it hangs), that points to an ELAM hive problem that the above edits should fix.
Why this works (short technical note)
  • Winload reads the ELAM hive early in boot and expects vendor entries and driver info there. If the ELAM hive points to klelam (Kaspersky) but the file is missing/corrupt, boot will stop with the error you saw. Editing the ELAM hive or providing a file named klelam.sys resolves that mismatch. Microsoft’s ELAM docs show the separate ELAM hive and vendor keys.
If you want, I can:
  • Give the exact commands for your environment (tell me what drive letter your Windows partition shows as in WinRE, and paste the output of dir X:\Windows\System32\drivers\elam.sys and dir X:\Windows\System32\config), or
  • Walk you step‑by‑step while you are in front of the machine.
One last warning: editing the registry hives offline is powerful and can render a system unbootable if done incorrectly — that’s why backing up the ELAM file and/or making a full image first is important.
If you want, start by trying Option A (copy elam.sys → klelam.sys) and report back whether that lets Windows start. If that fails, I’ll walk you through Option B with exact reg load/unload and the commands to find and remove the Kaspersky vendor key.
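
A read-only audit pass over the offline ELAM hive, run before any key is deleted, as an added example that is not part of the original answer. It backs up the hive, exports it as text, lists the vendor keys and flags Kaspersky references, then unloads the hive; the script name `elam-audit.cmd` and the output folder `X:\elam-audit` are assumptions made for illustration.

```batch
@echo off
rem Added example (not from the thread): inspect-only audit of the offline ELAM hive.
rem It never deletes anything. Usage from a WinRE / WinPE prompt:
rem     elam-audit.cmd D:      (D: = Windows volume as seen from the rescue environment)
setlocal
set "WIN=%~1"
if "%WIN%"=="" (echo Usage: %~nx0 ^<drive:^> & exit /b 1)

set "HIVE=%WIN%\Windows\System32\config\ELAM"
set "MOUNT=HKLM\OFFLINEELAM"
rem Assumed output folder for the backup and the text export.
set "OUT=%WIN%\elam-audit"

if not exist "%HIVE%" (echo ELAM hive not found at %HIVE% & exit /b 1)
if not exist "%OUT%" mkdir "%OUT%"

rem 1. Back up the hive file before it is mounted.
copy /y "%HIVE%" "%OUT%\ELAM.backup" >nul || (echo Backup failed, stopping & exit /b 1)

rem 2. Mount the hive under the temporary key used in the answer.
reg load %MOUNT% "%HIVE%" >nul || (echo reg load failed, stopping & exit /b 1)

rem 3. Keep a text export so any later deletion can be reviewed or re-imported.
reg export %MOUNT% "%OUT%\ELAM.reg" /y >nul

rem 4. List the vendor keys directly under the hive root.
echo --- Vendor keys under %MOUNT% ---
reg query %MOUNT%

rem 5. Flag anything that names Kaspersky or klelam anywhere in the hive.
echo --- Kaspersky / klelam references ---
reg query %MOUNT% /s | findstr /i "kaspersky klelam"
if errorlevel 1 echo none found in the ELAM hive

rem 6. Show which ELAM-named driver files actually exist on disk.
echo --- ELAM-named driver files ---
dir /b "%WIN%\Windows\System32\drivers\*elam*.sys" 2>nul

rem 7. Always unload, otherwise the hive file stays locked.
reg unload %MOUNT% >nul
echo Backup and export written to %OUT%
endlocal
```

If step 5 reports nothing, the ELAM hive is not the source of the klelam.sys reference and the SYSTEM hive check from the answer is the next place to look.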
 
