#1
Know of a good source of info on updates?
I've had it with updates screwing up my computer! Had to restore twice in the last 4 days due to some update that is supposedly unobtrusive (according to the sources I know of) causing a lock-up whenever the computer was provided with access to the internet (WiFi or wired). No malware detected by scanners, and no hardware problems. I've narrowed it down to a handful of KBs, but no longer trust the info on them that I've found, and of course, MS is pretty much useless in this regard. Suggestions appreciated.

--
Best regards,
Neil
#2
Know of a good source of info on updates?
Neil wrote:
> I've had it with updates screwing up my computer! Had to restore twice in the last 4 days due to some update that is supposedly unobtrusive (according to the sources I know of) causing a lock-up whenever the computer was provided with access to the internet (WiFi or wired). No malware detected by scanners, and no hardware problems. I've narrowed it down to a handful of KBs, but no longer trust the info on them that I've found, and of course, MS is pretty much useless in this regard. Suggestions appreciated.

But you're talking about Windows 8.1 updates.

The KB page should give some rough details. If a file manifest is listed ("win32k.sys"), then you might have some idea what has been changed. That file is the kernel. They have the kernel doing stupid stuff, like font rendering, which should really be a user-level activity.

The catalog server carries the KB files now. So at least some classes of files are now on the catalog server. Updates like '583 are not on the catalog server, and can only be requested by Windows Update when the qualifying conditions are met. (How to get a separate installer for KB2600217. Currently works in IE only, due to ActiveX plugin. Details of the update would be on a support.microsoft.com page... So the update and the description are in two separate places.)

http://catalog.update.microsoft.com/...aspx?q=2600217

If you have the handful of updates, you try them against "Ask Woody" in Google and see if anything is known.

You can hide updates. You can remove at least some updates. There are some updates of the "black hole" variety that cannot be reversed (short of restoring from a backup, of course).

In Windows Update, you should still have some update settings which cause the machine to stop getting updates. I have some Win7 and Win8 installs here in that state, WU turned off for safety.

With Win10, you can try the Metered NIC hack: add a registry entry to the NIC claiming the NIC is "expensive" for bandwidth, which can stop larger items from being installed. On the previous OSes, it would be easier to use the setting which has values between 0..4, where I think 0 is Windows Update disabled. And you should be able to get there from the GUI. The fact the registry supports numbers isn't important in that case, as long as a settings screen continues to work.

Paul
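The three levers Paul lists above (see what was installed, remove what can be removed, hide what is still pending, and stop automatic installation while investigating) can all be driven from PowerShell on Windows 7/8.1. The script below is an added example for this page, not code from either poster; the KB numbers in `$SuspectKBs` are placeholders for the handful narrowed down in the thread. One point worth knowing before relying on "hide": hiding only applies to updates that are offered but not yet installed, so an already-installed KB has to be uninstalled (step 2), not hidden (step 3).

```powershell
# Added example, not from the thread: triage of recent Windows updates on a
# Windows 7/8.1 machine. Run from an elevated PowerShell console.
$SuspectKBs = @('1234567', '2345678')   # placeholder KB numbers, digits only

# 1. Installed updates, newest first. Same data as "View update history";
#    an update rolled back by a system restore will no longer be listed.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 15 HotFixID, Description, InstalledOn, InstalledBy |
    Format-Table -AutoSize

# 2. Remove an installed update by KB number. wusa.exe exits non-zero when
#    the package is not present or has no uninstall path (the "black hole"
#    kind); 3010 means removed but a reboot is pending.
foreach ($kb in $SuspectKBs) {
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
         -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait -PassThru
    "KB$kb uninstall exit code: $($p.ExitCode)"
}

# 3. Hide a pending (offered, not yet installed) update so Windows Update
#    stops offering it. Uses the Windows Update Agent COM API present on 7/8.1.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
foreach ($u in $pending) {
    $ids = @($u.KBArticleIDs | ForEach-Object { [string]$_ })
    foreach ($kb in $SuspectKBs) {
        if ($ids -contains $kb) { $u.IsHidden = $true; "Hidden: $($u.Title)" }
    }
}

# 4. Notify-only mode while investigating. These are the documented values of
#    the "Configure Automatic Updates" policy: AUOptions 2 = notify before
#    download, 3 = download and notify before install, 4 = install on a
#    schedule; NoAutoUpdate = 1 would switch automatic updating off entirely.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }
Set-ItemProperty -Path $au -Name 'AUOptions'    -Value 2 -Type DWord
Set-ItemProperty -Path $au -Name 'NoAutoUpdate' -Value 0 -Type DWord
```

Step 1 is also the quickest way to confirm which KBs a restore point actually removed: run it before and after the restore and diff the `HotFixID` lists, which turns the "restore and see" bisection described later in the thread into something repeatable.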
#3
Know of a good source of info on updates?
On 7/19/2016 12:23 PM, Paul wrote:
> Neil wrote:
>> I've had it with updates screwing up my computer! Had to restore twice in the last 4 days due to some update that is supposedly unobtrusive (according to the sources I know of) causing a lock-up whenever the computer was provided with access to the internet (WiFi or wired). No malware detected by scanners, and no hardware problems. I've narrowed it down to a handful of KBs, but no longer trust the info on them that I've found, and of course, MS is pretty much useless in this regard. Suggestions appreciated.
>
> But you're talking about Windows 8.1 updates.

Hi, Thanks... yes, this is for Win8.1.

> The KB page should give some rough details. If a file manifest is listed ("win32k.sys"), then you might have some idea what has been changed. That file is the kernel. They have the kernel doing stupid stuff, like font rendering. Which should really be a user-level activity.

There are several instances of win32k.sys in various folders, and even more "win32k.sys.mui.c_xxxx" in other folders (about 2 dozen in total). What would I be looking for in those files that could shed light on their control of on-line access?

(snipped)

> If you have the handful of updates, you try them against "Ask Woody" in Google and see if anything is known.

BTDT. Those that seemed to be innocuous were installed (security updates and the like). Problem is, one or more are the problem.

> You can hide updates.

Might be something to try, but does hiding disable _installed_ KBs?

> You can remove at least some updates. There are some updates of the "black hole" variety that cannot be reversed (short of restoring from a backup, of course).

Restoring is how I've narrowed down the problem to a handful of KBs. A very time-consuming hack that I hoped could be circumvented.

> Windows Update, you should still have some update settings, which cause the machine to stop getting updates. I have some Win7 and Win8 installs here, in that state. WU turned off for safety.

Yes. I only get notices of available updates. I'm not installing anything else until I have better information about them.

> With Win10, you can try the Metered NIC hack,

Not planning on doing Win10.

--
Best regards,
Neil
#4
Know of a good source of info on updates?
Neil wrote:
> There are several instances of win32k.sys in various folders, and even more "win32k.sys.mui.c_xxxx" in other folders (about 2 dozen in total). What would I be looking for in those files that could shed light on their control of on-line access?

The kernel runs in Ring0. Drivers run in Ring0. Your network service comes via a driver (at the lowest level). A protocol stack rests on top. The kernel fields calls from Ring3 userland, and eventually a driver might be used to satisfy the call.

It's unlikely to be win32k.sys, and more likely to be a hardware driver, a change to an AV product, a change to the Windows Firewall or a third-party firewall. The possibilities are endless. Including the presence of malware.

There was one update Microsoft sent, quite a while ago now, where it appeared they changed a file on purpose to "uncover" malware. TDSS rootkit changes atapi.sys. So Microsoft decided it would be cool to update atapi.sys. Anyone with TDSS on the computer had a crash (because TDSS patches atapi.sys as part of its attack). It took the TDSS developer almost two days to patch the mess and, using the command and control center, push out an update to his victims, so that any other people suffering from his malware would not crash when the MS Update installs.

In some cases, the end-user is a tennis ball in an unwitting game of tennis. You'll have to review more than just some KBs to find an answer.

Paul
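Neil's question in #3 (which of the two dozen win32k.sys copies matters, and what to look at in them) and Paul's answer in #4 (the network path is drivers, the protocol stack and the firewall, not win32k) both come down to checking the live binaries rather than opening them in a text editor. The copies under WinSxS are the component store's staged versions and the `.mui` files are only language resources; the one the running system loads is `System32\win32k.sys`. The script below is an added example for this page, not code from either poster. It assumes the standard Windows file locations; the `FileVersion` it prints is what you compare against the "File information" table in a KB article to tell which update touched a file.

```powershell
# Added example, not from the thread: inspect the live binaries on the
# internet path plus win32k.sys, then the staged copies and NIC drivers.
$files = @(
    "$env:SystemRoot\System32\win32k.sys",
    "$env:SystemRoot\System32\drivers\tcpip.sys",   # TCP/IP stack
    "$env:SystemRoot\System32\drivers\ndis.sys",    # NDIS, below the NIC drivers
    "$env:SystemRoot\System32\mpssvc.dll",          # Windows Firewall service
    "$env:SystemRoot\System32\bfe.dll"              # Base Filtering Engine
)

# Version, timestamp and Authenticode status of each live file. An unsigned or
# tampered file here is a far stronger malware signal than anything a scanner
# reports; a Microsoft-signed file with a new version came from an update.
$files | ForEach-Object {
    if (-not (Test-Path $_)) { "$_ : missing"; return }
    $item = Get-Item $_
    $sig  = Get-AuthenticodeSignature $_
    New-Object PSObject -Property @{
        File      = $item.Name
        Version   = $item.VersionInfo.FileVersion
        Modified  = $item.LastWriteTime
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
} | Format-Table File, Version, Modified, Signature, Signer -AutoSize

# The staged win32k.sys builds in the component store. Each one is tied to a
# servicing package; the newest usually belongs to the most recent cumulative
# or security update that shipped the file.
Get-ChildItem "$env:SystemRoot\WinSxS" -Recurse -Filter 'win32k.sys' -ErrorAction SilentlyContinue |
    Select-Object @{n='Version';e={$_.VersionInfo.FileVersion}}, LastWriteTime, Directory |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize

# Network-class drivers (NIC and filter drivers) with provider and date, since
# a vendor driver or an AV/firewall filter driver is a likelier culprit than
# win32k.sys for a hang that only appears on internet access.
Get-WmiObject Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'NET' } |
    Select-Object DeviceName, DriverProviderName, DriverVersion, DriverDate, InfName |
    Format-Table -AutoSize
```

If one of the five live files changed version between the "works" restore point and the "locks up" state, its KB is the one to read closely; if none did, the update list from the first example is the better place to keep bisecting, as Paul's point about drivers and firewall products suggests.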
#5
Know of a good source of info on updates?
On 7/19/2016 3:48 PM, Paul wrote:
> Neil wrote:
>> There are several instances of win32k.sys in various folders, and even more "win32k.sys.mui.c_xxxx" in other folders (about 2 dozen in total). What would I be looking for in those files that could shed light on their control of on-line access?
>
> The kernel runs in Ring0. Drivers run in Ring0. Your network service comes via a driver (at the lowest level). A protocol stack rests on top. The kernel fields calls from Ring3 userland, and eventually, a driver might be used to satisfy the call.

Since they're binary, I looked at a couple of those files in TextPad, but didn't see much that would identify their association to the internet problem I experienced.

> It's unlikely to be Win32k.sys, and more likely to be a hardware driver, a change to an AV product, a change to the Windows Firewall or a third party firewall. The possibilities are endless. Including the presence of malware.

Fortunately, while in such cases there are many possibilities, I've narrowed them to being one (or more) of about 10 KB files. If it was malware, a restore wouldn't likely do much, and none of several scanners turned up anything at all. The symptoms are pretty specific; when updated, any access to the internet causes the machine to lock up. LANs are not affected, so that makes it unlikely to be a hardware or driver issue. When restored, things work as before. In fact, I've been writing these posts on the affected machine, which now has the recent KBs hidden. I would like some quality information about them so that I can see which ones are likely to act like a "denial of service" attack.

> You'll have to review more than just some KBs, to find an answer.

Probably so, but at least it would be a start.

--
Best regards,
Neil