Solved After Win10 to Win11 upgrade, laptop fails boot every time with code 0XC000000F

It's still not clear to me what had happened with the panda seen in the upgrade fail logs.


This was from Copilot AI:

zbook said:

It's still not clear to me what had happened with the panda seen in the upgrade fail logs.


This was from Copilot AI:

Code:

2026-04-30 20:16:23, Info                  SP             [2] Process: C:\Program Files\Panda Security\WAC\PSANHost.exe
2026-04-30 20:16:23, Info                  SP             [2] Pattern: !WGUA.Bin\wgua_critical_file.3g2
2026-04-30 20:16:23, Info                  SP             [2] Mode: 1
2026-04-30 20:16:23, Info                  SP             [3] Process: C:\Program Files (x86)\Panda Security\WAC\PSANHost.exe
2026-04-30 20:16:23, Info                  SP             [3] Pattern: !WGUA.Bin\wgua_critical_file.3g2
The new log snippet shows something much more concrete: Windows Setup is detecting that Panda Security’s PSANHost.exe process is actively running, and it is checking for a specific critical file pattern that is known to interfere with OS upgrades.

🔍 Short answer
Windows Setup is flagging Panda Security’s PSANHost.exe as an active process that may block or break the upgrade. The “Pattern: !WGUA.Bin\wgua_critical_file.3g2” line indicates Setup is checking for a known‑problematic Panda update/upgrade agent file.

🧠 What each line means
Process: C:\Program Files\Panda Security\WAC\PSANHost.exe
This is Panda’s PSANHost.exe, the core background service for:

Panda Dome

Panda Free Antivirus

Panda Endpoint Protection

Adaptive Defense 360

Windows Setup logs this when it detects running antivirus processes that may interfere with migration.

You can explore more about PSANHost.exe or Panda remnants.

Pattern: !WGUA.Bin\wgua_critical_file.3g2
This is the interesting part.

WGUA = Windows Generic Upgrade Assessment

wgua_critical_file.3g2 is a marker file used by Microsoft’s compatibility database

The ! prefix means “blocker pattern”

This pattern is associated with known upgrade-blocking antivirus components

In plain terms:

Windows Setup is checking whether Panda’s upgrade agent has files that are known to break Windows upgrades.

You can dive deeper into ACMigration patterns or upgrade blockers.

Why this appears twice
You have two Panda installations:

C:\Program Files\Panda Security\WAC\PSANHost.exe (64‑bit)

C:\Program Files (x86)\Panda Security\WAC\PSANHost.exe (32‑bit)

This is common with older Panda versions or partially removed installations.

🚨 What this means for your upgrade
Windows Setup is almost certainly:

Detecting Panda antivirus

Checking for known‑bad files

Preparing to block the upgrade if Panda is installed or remnants exist

Even if you think Panda was uninstalled, leftover services or folders can still trigger this.

✔️ What you should do next
To avoid upgrade failures:

Fully uninstall Panda (if still installed)

Remove leftover folders:

C:\Program Files\Panda Security\

C:\Program Files (x86)\Panda Security\

Remove leftover services/drivers

Reboot

Try the upgrade again

If you want, I can analyze more of your setupact.log or help you identify the exact compatibility block. Just paste the next section or the part around any “Error”, “Block”, “Compat”, or “MOUPG” entries.

Code:

2026-04-30 13:40:15, Warning               SP         CMonitoredPath::AddOverride: Found existing override [C:\Program Files\Panda Security\WAC\PSANHost.exe, !WGUA.Bin\wgua_critical_file.3g2] for path C:\Users\Public\Documents, will remove it
2026-04-30 13:40:15, Warning               SP         CMonitoredPath::AddOverride: Found existing override [C:\Program Files (x86)\Panda Security\WAC\PSANHost.exe, !WGUA.Bin\wgua_critical_file.3g2] for path C:\Users\Public\Documents, will remove it
The warnings you’re seeing confirm something important: Windows Setup found Panda Security upgrade‑blocking rules already registered for PSANHost.exe, and it is now removing those override entries because they were duplicates.

🔍 Short takeaway
Windows Setup had previously created compatibility‑block rules for Panda’s PSANHost.exe. When it scanned again, it found the same rule already present and removed the duplicate. This means Panda antivirus (or its remnants) is still being detected, and Setup is actively managing compatibility blocks for it.

You can explore more about Panda remnants or upgrade blockers.

🧠 What the warning actually means
The log line:

Code
CMonitoredPath::AddOverride: Found existing override
[C:\Program Files\Panda Security\WAC\PSANHost.exe, !WGUA.Bin\wgua_critical_file.3g2]
for path C:\Users\Public\Documents, will remove it
breaks down like this:

CMonitoredPath::AddOverride
Windows Setup is adding a compatibility override (a rule telling Setup how to treat a file/process during upgrade).

Found existing override
Setup discovered that the same override already exists in its internal compatibility list.

[PSANHost.exe, !WGUA.Bin\wgua_critical_file.3g2]
This is the exact Panda antivirus blocker pattern.
The ! prefix means “this file is known to cause upgrade issues.”

for path C:\Users\Public\Documents
This is the monitored path where Setup tracks upgrade‑sensitive files.

will remove it
Setup removes the duplicate entry to avoid conflicts.

You can dive deeper into ACMigration patterns or PSANHost.exe.

🧩 Why this matters
This confirms:

Panda antivirus components are still present (even if you think it’s uninstalled).

Windows Setup has compatibility rules specifically targeting Panda because it is known to break upgrades.

Setup is actively trying to manage these rules, which often happens right before a compatibility block or rollback.

🚨 What this usually leads to
If these Panda components remain:

The upgrade may fail,

Or Setup may issue a hard block,

Or the system may rollback after the first reboot.

✔️ What you should do next
To prevent upgrade failure:

Remove Panda completely

Delete leftover folders:

C:\Program Files\Panda Security\

C:\Program Files (x86)\Panda Security\

Remove leftover services/drivers

Reboot

Retry the upgrade

If you want, paste the next part of your setupact.log—especially anything near “Compat”, “Block”, “MOUPG”, “Error”, or “0xC1900101”—and I’ll pinpoint the exact blocker.

Click to expand...

Just for completeness (and because I saw it in the report above), I went back and also checked subdirectories off of Program Files (x86). There's no Panda directories there, either. (see listing below) I wonder if the Win11 upgrade process deleted it because it knows it's a problem?

Volume in drive C is Windows
Volume Serial Number is FA61-38EC

Directory of C:\Program Files (x86)

05/07/2026 12:57 PM <DIR> .
05/08/2026 01:12 PM <DIR> ..
07/17/2025 02:45 PM <DIR> Acronis
04/25/2026 04:35 PM <DIR> Adobe
11/28/2022 10:52 AM <DIR> Bonjour
03/16/2021 05:46 PM <DIR> BookWright
05/06/2026 10:23 PM <DIR> Common Files
05/03/2026 01:46 PM <DIR> Dropbox
09/15/2025 03:07 PM <DIR> epson
08/27/2021 02:52 PM <DIR> EPSON Software
05/07/2026 12:57 PM <DIR> Everything
06/25/2020 03:22 PM <DIR> Hardcoded Software
04/27/2021 09:01 PM <DIR> InstallShield Installation Information
06/25/2020 03:38 PM <DIR> Intel
05/06/2026 10:16 PM <DIR> Internet Explorer
04/30/2026 01:22 PM <DIR> Lenovo
04/18/2026 11:31 AM <DIR> Microsoft
10/29/2025 09:18 AM <DIR> Microsoft Office
05/06/2026 10:23 PM <DIR> Microsoft.NET
09/18/2025 01:49 PM <DIR> Mozilla Maintenance Service
06/25/2020 03:13 PM <DIR> Mp3tag
05/06/2026 10:11 PM <DIR> MSBuild
06/25/2020 01:19 PM <DIR> Plustek
06/25/2020 02:06 PM <DIR> Quicken
05/06/2026 10:11 PM <DIR> Reference Assemblies
03/21/2021 03:50 PM <DIR> Uninstall Information
07/17/2020 10:47 AM <DIR> VisiPics
05/06/2026 10:16 PM <DIR> Windows Defender
05/06/2026 10:16 PM <DIR> Windows Mail
05/06/2026 10:16 PM <DIR> Windows Media Player
04/01/2024 04:00 AM <DIR> Windows NT
05/06/2026 10:16 PM <DIR> Windows Photo Viewer
04/01/2024 03:34 AM <DIR> Windows Sidebar
04/27/2026 02:45 PM <DIR> WindowsInstallationAssistant
04/01/2024 03:34 AM <DIR> WindowsPowerShell
0 File(s) 0 bytes
35 Dir(s) 69,957,787,648 bytes free

Thx.

It may remain a mystery.


Please post results for administrative command prompt:

fltmc