KB4056894 -- Spectre and Meltdown Update

I currently look after six computers where I do some volunteer work.

With the update problems over the past two years I have put all out
computers on manual update and watch
https://www.askwoody.com/category/mi...ches-security/
website for problems. I t is a poor state that MS have got themselves
into when it comes to having to do this.

The computers are all Intel processors, OEM windows 7 pro OS, Avast
(Free) antivirus
Early this month Avast antivirus updated and put the following key into
the registry --

REGKEY on the machine
Key="HKEY_LOCAL_MACHINE"Subkey="SOFTWARE\Microsoft \Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD�
Data="0x00000000�

A few days later KB4056894 was offered for update.
I am waiting before I apply the update as there seems to be problems
with the update and I understand that MS have modified it a couple of
times all ready.

We also have a Windows Home Server 2011 on the network. It has run
without Antivirus from the beginning as Avast did not have an Antivirus
that would run on WHS2011.
It has not been offered the KB4056894 update as the registry key is
absent, no antivirus -- no registry key.

Question 1 -- Can I manually put the key into the Server Registry so
that it will be offered the KB4056894 update too, or is this really
necessary.
Question 2
As this update is said to slow down computers, is it really necessary to
install it at all on any of the computers.
Question 3
How do I, or can I, modify the registry key to stop the KB4056894 update
being offered to the computers.

My wife's has a Dell laptop with an Intel Core i7 processor, and an AMD
Radeon HD 7670M graphics card. The KB update is reported as BOSD'ing
this ( See link above )

Any answers, offers to buy MS, or observations etc would be gratefully
received.

--
~~~~~~~~~~~~
Maurice Helwig
~~~~~~~~~~~~

Maurice Helwig wrote:
I currently look after six computers where I do some volunteer work.

With the update problems over the past two years I have put all out
computers on manual update and watch
https://www.askwoody.com/category/mi...ches-security/
website for problems. I t is a poor state that MS have got themselves
into when it comes to having to do this.

The computers are all Intel processors, OEM windows 7 pro OS, Avast
(Free) antivirus
Early this month Avast antivirus updated and put the following key into
the registry --

REGKEY on the machine
Key="HKEY_LOCAL_MACHINE"Subkey="SOFTWARE\Microsoft \Windows\CurrentVersion\QualityCompat"

Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD�
Data="0x00000000�

A few days later KB4056894 was offered for update.
I am waiting before I apply the update as there seems to be problems
with the update and I understand that MS have modified it a couple of
times all ready.

We also have a Windows Home Server 2011 on the network. It has run
without Antivirus from the beginning as Avast did not have an Antivirus
that would run on WHS2011.
It has not been offered the KB4056894 update as the registry key is
absent, no antivirus -- no registry key.

Question 1 -- Can I manually put the key into the Server Registry so
that it will be offered the KB4056894 update too, or is this really
necessary.
Question 2
As this update is said to slow down computers, is it really necessary to
install it at all on any of the computers.
Question 3
How do I, or can I, modify the registry key to stop the KB4056894 update
being offered to the computers.

My wife's has a Dell laptop with an Intel Core i7 processor, and an AMD
Radeon HD 7670M graphics card. The KB update is reported as BOSD'ing
this ( See link above )

Any answers, offers to buy MS, or observations etc would be gratefully
received.

The purpose of the registry key, is a communication between
a third-party AV and the OS.

If you're *not* using a third-party AV, then Microsoft knows
Windows Defender is ready for the update, and so the OS will
receive the update.

But if you jammed in an update, where a third-party AV was
not ready for it, it can cause system files to be quarantined.
Setting the flag above means "we know you're about to mess
with stuff that would set off our heuristic detection".

If you are using a third-party AV, then the flag is a
gating item. And the OS knows whether a third-party AV
is present, because yet another registry entry turns
off Windows Defender.

This process should be fully automated.

You could try catalog.update.microsoft.com and attempt
to download and install the update. The .msu file you
download, has rudimentary protection where it checks
dependencies before it installs. For example, if you
download the 32 bit version, and try to install it
on a 64 bit OS, it will say "update is not for this computer".
I would expect the above Registry key to be encoded in
the .msu, so it delivers a snotty message if a dependency
it needs, hasn't been met.

Remember - you can do anything you want, if you have
backups. Right ? You should have a backup of C:
and System Reserved, just in case...

Paul

On 12/01/2018 02:05, Maurice Helwig wrote:


A few days later KB4056894 was offered for update.
I am waiting before I apply the update as there seems to be problems
with the update and I understand that MS have modified it a couple of
times all ready.




My personal opinion is to wait for two more weeks until Intel comes out
with its own patch. They are on record to fix this within 10 days so
I'll wait for their patch.

There is nothing Microsoft can do about problems with the hardware. This
bug is in the hardware not in the operating system so why try to apply
an OS fix when hardware fix will be released soon.

Intel will release a software patch to fix old hardware so you'll need
to install them. Microsoft fix may not be the right one for anybody IMO.

If, however, you want to do something to pass your time then apply
Microsoft patch and see if it works for you or not.


--
With over 600 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.

Good Guy wrote:
On 12/01/2018 02:05, Maurice Helwig wrote:


A few days later KB4056894 was offered for update.
I am waiting before I apply the update as there seems to be problems
with the update and I understand that MS have modified it a couple of
times all ready.




My personal opinion is to wait for two more weeks until Intel comes out
with its own patch. They are on record to fix this within 10 days so
I'll wait for their patch.

There is nothing Microsoft can do about problems with the hardware. This
bug is in the hardware not in the operating system so why try to apply
an OS fix when hardware fix will be released soon.

Intel will release a software patch to fix old hardware so you'll need
to install them. Microsoft fix may not be the right one for anybody IMO.

If, however, you want to do something to pass your time then apply
Microsoft patch and see if it works for you or not.

The next installment of the soap opera is here.

https://arstechnica.com/gadgets/2018...t-performance/

Spectre

IBRS ("indirect branch restricted speculation") protects the kernel
from branch prediction entries created by user mode applications;
STIBP ("single thread indirect branch predictors") prevents one
hyperthread on a core from using branch prediction entries
created by the other thread on the core;
IBPB ("indirect branch prediction barrier") provides a way to reset
the branch predictor and clear its state.

The Microsoft plan at the moment, seems to be to not load
the microcode patch using the OS microcode loader. Leaving
it to users (who want to suffer performance degradation),
the opportunity to flash up their BIOS and load a newer
version of microcode via the BIOS.

*******

How this works is, when the processor starts, the processor
revision is 00. That revision represents the "level" of
microcode patch currently loaded.

Let's say the BIOS loads version 07 microcode. It was available
the day you bought your motherboard. That's what "your CPU is
supported" means - there's a microcode available for it and
it's sitting in a segment in the BIOS chip.

Maybe two months ago, Intel released a regular installment
of microcode patches (patch bugs we never hear about),
and the version is 43. If the OS uses its microcode loader,
43 is higher than 07, so the OS one is loaded at boot
time, and the microcode loader then shuts down and
disappears. It works the same on Windows and Linux.

If you use the Intel PID program, it will list the processor
version as 43, which is actually the microcode version.

Now, the opposite is possible. If the BIOS has version 43,
and you boot Windows 2000 and the microcode loader in
that OS has 07, then the OS one does not load. The BIOS
version 43 wins. Between the two loaders, the highest version wins.

So when in this case, Microsoft doesn't put the Intel microcode
in their OS microcode loader, it leaves the choice up to the
customer. The customer can load version 51 via a BIOS flash update.

But sooner or later, this is going to catch up with Microsoft.
You can't do this. It's dumb. The microcode versioning system
was never intended for "user choice". To manage it this way
is pin-headed. Microsoft is simply afraid of the "flack" it
will receive, from doing the right thing. And if Intel
in March comes out with version 52, which fixes a critical
timing issue, then the 52 patch will have Spectre microcode
as well as a critical hardware fix. What's the user going
to do then ? How is Intel's good work, going to get delivered ?

it's a soap opera. Run by chicken ****s.

Sooner or later, someone has to admit that "security costs".
There is a cost to protecting you. Your games are going to
play 3 FPS slower. In order that the same computer can
web surf and run Javascript safely. Suck it up.

Paul

On 12/01/2018 2:48 PM, Paul wrote:
Maurice Helwig wrote:
I currently look after six computers where I do some volunteer work.

With the update problems over the past two years I have put all out
computers on manual update and watch
https://www.askwoody.com/category/mi...ches-security/
website for problems. I t is a poor state that MS have got themselves
into when it comes to having to do this.

The computers are all Intel processors, OEM windows 7 pro OS, Avast
(Free) antivirus
Early this month Avast antivirus updated and put the following key
into the registry --

REGKEY on the machine
Key="HKEY_LOCAL_MACHINE"Subkey="SOFTWARE\Microsoft \Windows\CurrentVersion\QualityCompat"

Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD�
Data="0x00000000�

A few days later KB4056894 was offered for update.
I am waiting before I apply the update as there seems to be problems
with the update and I understand that MS have modified it a couple of
times all ready.

We also have a Windows Home Server 2011 on the network. It has run
without Antivirus from the beginning as Avast did not have an
Antivirus that would run on WHS2011.
It has not been offered the KB4056894 update as the registry key is
absent, no antivirus -- no registry key.

Question 1 -- Can I manually put the key into the Server Registry so
that it will be offered the KB4056894 update too, or is this really
necessary.
Question 2
As this update is said to slow down computers, is it really necessary
to install it at all on any of the computers.
Question 3
How do I, or can I, modify the registry key to stop the KB4056894
update being offered to the computers.

My wife's has a Dell laptop with an Intel Core i7 processor, and an
AMD Radeon HD 7670M graphics card. The KB update is reported as
BOSD'ing this ( See link above )

Any answers, offers to buy MS, or observations etc would be gratefully
received.

The purpose of the registry key, is a communication between
a third-party AV and the OS.

If you're *not* using a third-party AV, then Microsoft knows
Windows Defender is ready for the update, and so the OS will
receive the update.

But if you jammed in an update, where a third-party AV was
not ready for it, it can cause system files to be quarantined.
Setting the flag above means "we know you're about to mess
with stuff that would set off our heuristic detection".

If you are using a third-party AV, then the flag is a
gating item. And the OS knows whether a third-party AV
is present, because yet another registry entry turns
off Windows Defender.

This process should be fully automated.

You could try catalog.update.microsoft.com and attempt
to download and install the update. The .msu file you
download, has rudimentary protection where it checks
dependencies before it installs. For example, if you
download the 32 bit version, and try to install it
on a 64 bit OS, it will say "update is not for this computer".
I would expect the above Registry key to be encoded in
the .msu, so it delivers a snotty message if a dependency
it needs, hasn't been met.

Remember - you can do anything you want, if you have
backups. Right ? You should have a backup of C:
and System Reserved, just in case...

Â*Â* Paul
Yes Macrium Reflect backups in place.
It is interesting that the server has never had a 3rd party Antivirus
installed neither the registry key is present and the KB4056894 update
has not been offered yet.

--
~~~~~~~~~~~~
Maurice Helwig
~~~~~~~~~~~~

"Paul" schreef in bericht
news
Maurice Helwig wrote:
I currently look after six computers where I do some volunteer work.

With the update problems over the past two years I have put all out
computers on manual update and watch
https://www.askwoody.com/category/mi...ches-security/
website for problems. I t is a poor state that MS have got themselves
into when it comes to having to do this.

The computers are all Intel processors, OEM windows 7 pro OS, Avast
(Free) antivirus
Early this month Avast antivirus updated and put the following key into
the registry --

REGKEY on the machine
Key="HKEY_LOCAL_MACHINE"Subkey="SOFTWARE\Microsoft \Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD�
Data="0x00000000�

A few days later KB4056894 was offered for update.
I am waiting before I apply the update as there seems to be problems with
the update and I understand that MS have modified it a couple of times
all ready.

We also have a Windows Home Server 2011 on the network. It has run
without Antivirus from the beginning as Avast did not have an Antivirus
that would run on WHS2011.
It has not been offered the KB4056894 update as the registry key is
absent, no antivirus -- no registry key.

Question 1 -- Can I manually put the key into the Server Registry so that
it will be offered the KB4056894 update too, or is this really necessary.
Question 2
As this update is said to slow down computers, is it really necessary to
install it at all on any of the computers.
Question 3
How do I, or can I, modify the registry key to stop the KB4056894 update
being offered to the computers.

My wife's has a Dell laptop with an Intel Core i7 processor, and an AMD
Radeon HD 7670M graphics card. The KB update is reported as BOSD'ing this
( See link above )

Any answers, offers to buy MS, or observations etc would be gratefully
received.

The purpose of the registry key, is a communication between
a third-party AV and the OS.

If you're *not* using a third-party AV, then Microsoft knows
Windows Defender is ready for the update, and so the OS will
receive the update.

But if you jammed in an update, where a third-party AV was
not ready for it, it can cause system files to be quarantined.
Setting the flag above means "we know you're about to mess
with stuff that would set off our heuristic detection".

If you are using a third-party AV, then the flag is a
gating item. And the OS knows whether a third-party AV
is present, because yet another registry entry turns
off Windows Defender.

This process should be fully automated.

You could try catalog.update.microsoft.com and attempt
to download and install the update. The .msu file you
download, has rudimentary protection where it checks
dependencies before it installs. For example, if you
download the 32 bit version, and try to install it
on a 64 bit OS, it will say "update is not for this computer".
I would expect the above Registry key to be encoded in
the .msu, so it delivers a snotty message if a dependency
it needs, hasn't been met.

Remember - you can do anything you want, if you have
backups. Right ? You should have a backup of C:
and System Reserved, just in case...

Paul




Yesterday I got an extensive program update from Comodo internet security on
both computers. Today I got the KB4056894 -- Spectre and Meltdown Update
from MS and it installed without problems. Without any previously added
registry key...




--


|\ /|
| \/ |@rk
\../
\/os

Paul wrote:
Good Guy wrote:
On 12/01/2018 02:05, Maurice Helwig wrote:


A few days later KB4056894 was offered for update.
I am waiting before I apply the update as there seems to be problems
with the update and I understand that MS have modified it a couple of
times all ready.




My personal opinion is to wait for two more weeks until Intel comes
out with its own patch. They are on record to fix this within 10 days
so I'll wait for their patch.

There is nothing Microsoft can do about problems with the hardware.
This bug is in the hardware not in the operating system so why try to
apply an OS fix when hardware fix will be released soon.

Intel will release a software patch to fix old hardware so you'll need
to install them. Microsoft fix may not be the right one for anybody IMO.

If, however, you want to do something to pass your time then apply
Microsoft patch and see if it works for you or not.

The next installment of the soap opera is here.

https://arstechnica.com/gadgets/2018...t-performance/

From the comment section of that article, comes this.

https://support.lenovo.com/us/en/solutions/len-18282

"Withdrawn Broadwell & Haswell CPU Microcode Update:

Intel provides the CPU microcode updates required to address Variant 2,
which manufacturers like Lenovo then incorporate into their UEFI
firmware. Intel has notified manufacturers of quality issues in the
initial Broadwell and Haswell microcode updates with instructions to
no longer distribute the affected microcode. As such, Lenovo has
withdrawn previously issued UEFI firmware containing the affected
Broadwell and Haswell CPU microcode. We will issue revised UEFI
firmware updates as soon as possible following Intel’s release of
revised Broadwell and Haswell CPU microcode.

Servers affected by this issue are noted, below, as “Earlier update X
withdrawn due to a microcode quality issue.�

Per Intel, customers that have already installed the prior firmware
update and are not experiencing difficulties can continue to use that
firmware update. There is no need to roll back to a prior release.
"

https://newsroom.intel.com/news/inte...reboot-issues/

"We have received reports from a few customers of higher system reboot rates
after applying firmware updates. Specifically, these systems are running
Intel Broadwell and Haswell CPUs for both client and data center. We are
working quickly with these customers to understand, diagnose and address
this reboot issue. If this requires a revised firmware update from Intel,
we will distribute that update through the normal channels. We are also
working directly with data center customers to discuss the issue.
"

Soap opera.

Paul

On Fri, 12 Jan 2018 13:33:28 -0500, Paul wrote:


Soap opera.

Paul

Let me ask a silly question. If we can update the microcode in our
CPU chip, why do we need the KB4056894?

It sounds like you're saying we should flash a new BIOS, and then the
CPU microcode will be done for us. Do I understand you correctly?

And if so, where would we look for the new BIOS -- Intel, computer
manufacturer (Dell, in my case), or ... ?

And, by the way, is there any way within Windows to find out which
BIOS version I have? I couldn't locate it in Device manager.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...

On Sat, 13 Jan 2018 15:09:40 -0500, Stan Brown
wrote:

And, by the way, is there any way within Windows to find out which
BIOS version I have? I couldn't locate it in Device manager.

The program "Speccy" can be downloaded from Piriform, either as an
installable program or as a portable version. This program will tell
you a lot of info about your PC, including BIOS version.

Stan Brown wrote:
On Fri, 12 Jan 2018 13:33:28 -0500, Paul wrote:

Soap opera.

Paul

Let me ask a silly question. If we can update the microcode in our
CPU chip, why do we need the KB4056894?

It sounds like you're saying we should flash a new BIOS, and then the
CPU microcode will be done for us. Do I understand you correctly?

And if so, where would we look for the new BIOS -- Intel, computer
manufacturer (Dell, in my case), or ... ?

And, by the way, is there any way within Windows to find out which
BIOS version I have? I couldn't locate it in Device manager.


Meltdown can be patched from the OS.

Spectre, first level patch is via the browser. That
removed the most dangerous attack surface first.
Firefox 57.0.4 for example, has protection against
sidechannel (timing) attacks on Javascript arrays.
Users are most likely to gain the benefits of this,
if they haven't meddled with the auto-updater on their
browser.

But the Branch Target Buffer is another place for the
attack to happen, and the involved companies want a more
generic protection so that it won't matter whether
Notepad has an issue or whatever. By using the hardware
protection against Spectre, that knocks out a whole bunch
more attack surface. And that means the BIOS flash.

Only the more modern processors (Skylake, Kaby Lake, Coffee Lake,
Ryzen) have added features which modify the behavior on
speculative branching. The older processors don't have
any programmability in the BTB. It almost suggests
that some architects *did* notice there was a
potential for trouble, even without identifying
the exact exploit. I don't know what can be
done for the older processors. My initial thoughts
on the matter, is microcode could be used to
*completely shut down* the acceleration features
in a pipeline, which would absolutely ruin the
processor (drop to 50% speed). I wasn't aware that
the BTB had all these whizzy screwdriver adjustments
fitted to it. The notion of having a PID for the
BTB, and only cleaning PID specific sections of the
BTB. The Intel processor has 1000 instructions, and
only a glutton for punishment reads the *4000* page
document with the details. The file was machine
generated in part, which makes it particularly
hard to read (a human author would have tried to
group things in a more logical way, for easy
reader consumption).

The compiler writers only use 30% of the instruction set.
The other 70% would only be generated by hand coding in
assembler.

The OS writers turned up their noses at the PID tweak,
considering it too messy to implement. Now they have an
incentive to work on it.

I also haven't seen a statement as to what the Intel
microcode patch hopes to achieve, and what it is adjusting.
Obviously, it can't be the "hammer flavor" of fix,
just turning off speculation entirely. It has to be
a more nuanced fix, whatever it is.

https://arstechnica.com/gadgets/2018...t-performance/

Paul

Monty wrote:

On Sat, 13 Jan 2018 15:09:40 -0500, Stan Brown
wrote:

And, by the way, is there any way within Windows to find out which
BIOS version I have? I couldn't locate it in Device manager.

The program "Speccy" can be downloaded from Piriform, either as an
installable program or as a portable version. This program will tell
you a lot of info about your PC, including BIOS version.

This^^. Also, it's a very good idea to check the manufacturer's
support site regularly for BIOS, driver and system utility
updates.

I have Lenovo System Update runs as a scheduled job on my
Thinkpad E560. It alerted on Wednesday, Jan. 10, that Lenovo had
released a BIOS / Embedded controller update specifically related
to Meltdown / Spectre problem.

On 13/01/2018 20:09, Stan Brown wrote:
Let me ask a silly question. If we can update the microcode in our
CPU chip, why do we need the KB4056894?

There are multiple vulnerabilities.
Many people with older hardware won't be able to update their microcode
and updating the microcode doesn't fix all the vulnerabilities anyway.

--

Brian Gregory (in England).

Brian Gregory wrote:
On 13/01/2018 20:09, Stan Brown wrote:
Let me ask a silly question. If we can update the microcode in our
CPU chip, why do we need the KB4056894?

There are multiple vulnerabilities.
Many people with older hardware won't be able to update their microcode
and updating the microcode doesn't fix all the vulnerabilities anyway.


The diff on the latest Intel Microcode release looks like this.

Each Intel release gives microcode all the way back to a Pentium.
However, like an NVidia or ATI video driver, "old" hardware doesn't
receive new updates. When this list is prepared, it's a "diff" against
the previous release. That means, since 20171117, the following
processors received new microcode. The other processors would get the
same old, smelly microcode they always got :-)

Intel Processor Microcode Package for Linux 20180108 Release
-- Updates upon 20171117 release --
IVT C0 (06-3e-04:ed) 428-42a === my CPU barely made the list (Launch Date Q3'13)
SKL-U/Y D0 (06-4e-03:c0) ba-c2
BDW-U/Y E/F (06-3d-04:c0) 25-28
HSW-ULT Cx/Dx (06-45-01:72) 20-21
Crystalwell Cx (06-46-01:32) 17-18
BDW-H E/G (06-47-01:22) 17-1b
HSX-EX E0 (06-3f-04:80) 0f-10
SKL-H/S R0 (06-5e-03:36) ba-c2
HSW Cx/Dx (06-3c-03:32) 22-23
HSX C0 (06-3f-02:6f) 3a-3b
BDX-DE V0/V1 (06-56-02:10) 0f-14
BDX-DE V2 (06-56-03:10) 700000d-7000011
KBL-U/Y H0 (06-8e-09:c0) 62-80
KBL Y0 / CFL D0 (06-8e-0a:c0) 70-80
KBL-H/S B0 (06-9e-09:2a) 5e-80
CFL U0 (06-9e-0a:22) 70-80
CFL B0 (06-9e-0b:02) 72-80
SKX H0 (06-55-04:b7) 2000035-200003c
GLK B0 (06-7a-01:01) 1e-22

My CPU definitely doesn't have all three Branch Target Buffer
features. Maybe mine only has one of them.

Only one of my computers in the house, is affected. That patch
wouldn't touch any of my P4 machines.

In Windows 10, if I run the Intel Processor Identification
Utility, it reads out right now "428". That means Microsoft
has not put 42A in the OS microcode loader (as they stated
publicly would be their policy).

Now, in theory, if I were to install Ubuntu 17.10,
click the Software Updates button, suck in a new kernel,
reboot, then

dmesg | grep -i microcode

should state "42A", as Ubuntu has shipped the Jan8 update
to microcode, in the OS.

And I found at least one hint, that for VirtualBox, a
Linux Host behaves differently than a Linux Guest. The
Linux Guest can detect paravirtualization, knows it is "inside"
VirtualBox, and under those conditions, when it's patched
up, it will *not* force microcode into the CPU. Consequently,
a Windows 10 user with VirtualBox, with Ubuntu 17.10 as
a Guest, will find their Intel PIU reporting "428". Apparently,
about ten years ago, at the start of paravirtualization detection
code development, someone figured out it would be dumb for a
Guest to do that to the machine :-) Good call.

The Intel PIU will also give the "063e 04" part, so
you can check the above list, and see if you need
to do any delta analysis (like if you're dual booting
Win10/Ubuntu 17.10 say, and want to see if Linux is
patching the microcode).

The microcode can also be patched via a BIOS flash update,
when your motherboard maker is ready. And when the "noise
on the street", indicates it is safe to do that. The microcode
for Broadwell (BDW) and Haswell (HSW) was withdrawn, due to some kind
of reboot problem (on Lenovo). With no details on what the
issue is, it's pretty hard to give advice on that one.

Paul

On 12/01/2018 12:05 PM, Maurice Helwig wrote:
I currently look after six computers where I do some volunteer work.

With the update problems over the past two years I have put all out
computers on manual update and watch
https://www.askwoody.com/category/mi...ches-security/
website for problems. I t is a poor state that MS have got themselves
into when it comes to having to do this.

The computers are all Intel processors, OEM windows 7 pro OS, Avast
(Free) antivirus
Early this month Avast antivirus updated and put the following key into
the registry --

REGKEY on the machine
Key="HKEY_LOCAL_MACHINE"Subkey="SOFTWARE\Microsoft \Windows\CurrentVersion\QualityCompat"

Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD�
Data="0x00000000�

A few days later KB4056894 was offered for update.
I am waiting before I apply the update as there seems to be problems
with the update and I understand that MS have modified it a couple of
times all ready.

We also have a Windows Home Server 2011 on the network. It has run
without Antivirus from the beginning as Avast did not have an Antivirus
that would run on WHS2011.
It has not been offered the KB4056894 update as the registry key is
absent, no antivirus -- no registry key.

Question 1 -- Can I manually put the key into the Server Registry so
that it will be offered the KB4056894 update too, or is this really
necessary.
Question 2
As this update is said to slow down computers, is it really necessary to
install it at all on any of the computers.
Question 3
How do I, or can I, modify the registry key to stop the KB4056894 update
being offered to the computers.

My wife's has a Dell laptop with an Intel Core i7 processor, and an AMD
Radeon HD 7670M graphics card. The KB update is reported as BOSD'ing
this ( See link above )

Any answers, offers to buy MS, or observations etc would be gratefully
received.


Another Question while I wait for this mess to resolve --

If I hide the KB4056894 Update will it present itself again, or will it
be rolled up into February's 2018 Updates when they are released. If
they are rolled up into February's Updates, then they will be installed
whether I like it or not.

I am at the point of turning off updates all together -- the last two
years have been a real mess.

Patience is a virtue!!!!!!!!!!!!


Maurice Helwig

Maurice Helwig wrote:

Another Question while I wait for this mess to resolve --

If I hide the KB4056894 Update will it present itself again, or will it
be rolled up into February's 2018 Updates when they are released. If
they are rolled up into February's Updates, then they will be installed
whether I like it or not.

I am at the point of turning off updates all together -- the last two
years have been a real mess.

Patience is a virtue!!!!!!!!!!!!


Maurice Helwig

They have a bulletin about AMD crashes. There should be
new KB numbers (and obviously, a cumulative in a few
weeks time is going to include the "success" patch not
the "fail" patch).

https://support.microsoft.com/en-us/...-based-devices

https://support.microsoft.com/en-us/help/4056897

January 3, 2018—KB4056897 (Security-only update)

Microsoft has received reports from some customers
about AMD devices getting into an unbootable state

This issue is resolved in KB4073578.

https://support.microsoft.com/en-us/...ws-server-2008

Summary

An update is available to fix the following issue that
occurs after you install January 3, 2018—KB4056897
(Security-only update) or January 4, 2018—KB4056894 (Monthly Rollup):

"AMD devices fall into an unbootable state"

Go here, and install this. This assumes you have an AMD
processor or some sort. There was one report of an Intel
processor doing this too, for whatever amusement that is worth.

http://www.catalog.update.microsoft....px?q=KB4073578

2018-01 Update for Windows 7 for x64-based Systems (KB4073578)
Windows 7 Updates 1/12/2018 n/a 66.9 MB Download

Too bad the description is so terse. And there are maybe 3000 files
inside that thing, so hard to spot a "theme" in terms of what they're
trying to fix with that one. I can't tell if that replaces
the other one, or irons out a driver bug.

You could try MBSA 2.3 security analyzer, to see what Windows Update
might try to bring in. Or, do a backup (offline), go online,
install '578, reboot, then go to Windows Update and see what it proposes
to install after that. If it "looks bad", you always have your
backup to return you to the state you're in right now.

So the message is, the AMD bug has some sort of workaround,
but I don't have any info on the root cause, and the KB itself
is so devoid of info, I might as well be asking a large rock
for information.

Paul