#16
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
(PeteCresswell) wrote:
Per VanguardLH: You have to configure the startup mode of the WU service to Disabled if you really want to ensure Microsoft doesn't try to sneak in a background update (which you may only realize happened when you shutdown and see notice about applying updates on shutdown and then completing them on the next startup).

I am getting a little glimmer of a recollection (?) that even Disabling Windows Update is not 100%. Maybe Somebody Who Knows can comment.

I have to wonder if leaving Windows Update on autopilot and having a "Good" image on hand at all times might be the path of least resistance. At least then, the manhours are spent on the user's schedule. i.e. things get flaky, the user can elect to re-image if/when they want - as opposed to being in the middle of troubleshooting a production problem, re-booting for some reason-or-another, and getting hit with "Please wait while Windows installs 97 updates"..... The logic being that automagic updates will apply an update here, an update there.... and the user will hardly notice - and maintain control of their PC at all times. OTOH, the image that is re-imaged from will probably need about a bazillion updates.... But, at least, after the re-image the user can elect to reboot and take a lunch break or something...

There are at least four services that are associated with Windows Update. If things get desperate enough, those could be hammered.

net stop bits
net stop wuauserv
net stop appidsvc
net stop cryptsvc

That's not how to do it, that's just a copy and paste of the "interesting parties". BITS is the background intelligent transfer service. And wuauserv tends to scan the packages on the system, and build an inventory of things that are needed. A kind of manifest. And it runs more than once a day. Without some of those contributory items, Windows will "walk with a definite limp" :-)

Note that some things on a computer, are considered to be outside Windows Update. For example, one evening a 100MB download starts, and I'm scrambling to figure out WTF is using my network link. It turns out all the Metro Apps were being updated, and without paying any attention to Windows Update settings at all. It's possible some of that stuff depends on BITS too. I would not expect the Windows Update settings to be all that effective. But "chopping some of the legs off Windows", that oughta help :-)

Paul
#17
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
VanguardLH wrote:
Ed Cryer wrote: I've left mine on "Check and ask me". It does actually check each day on first boot, but doesn't inform me if there are any updates. So I simply look in there once a day; making sure, of course, that the latest date of check is today's date (if it should turn out not to be, well then I'll do a manual check and figure out a plan B.)

The problem with that mode is I and others have noted that updates DID get downloaded without any prompting and they get applied during a shutdown. You never got prompted to grant permissions for any download and install of updates. You shutdown and scratch your head why Windows is telling you to wait for updates to install. And later you reboot into Windows and are told to wait until updates complete their installation. Some updates, like the Get Win10 App, don't need your permission to retrieve the, ahem, "update". All they need is for the WU service to be available (or maybe it is the BITS service to do the background download).

Setting the WU client to "notify only" or even to "never notify" does not guarantee that Microsoft won't still update Windows or utilize their WU and BITS services to surreptitiously obtain programs aka "updates". Too many users have noted getting updates for which they were never prompted despite setting the WU client to ask or never check. As proof that Microsoft doesn't need your permission to use the WU service to obtain updates is their Defender product. It uses the WU service to obtain its updates and you never get prompted for those despite how you configured the WU client.

For me, there is no point to using "notify only" because that merely means that I will be pestered with reminders to get the updates before I have prepared for applying them (saving an image backup, allotting time to review all the updates, and then apply them one by one to check for artifacts in unwanted behavior).
Even with the WU client configured for "never notify", not too long later I did a shutdown and got hit with updates installing on shutdown and then having to wait for them to complete on the next Windows startup. So "never notify" does not work. Microsoft can still push updates as long as something on your host runs to utilize the WU or BITS services. Setting those services to Disabled is the only way you can ensure of Microsoft not changing the state of your Windows setup.

In fact, notice that the BITS service is configured for Manual startup. That means a caller process asks for that service to do background downloads. Although I have the WU client set to "never notify" and the WU service is configured as Disabled, I still find the BITS service has started. With manual startup mode, that means something called it. I disabled Defender (worthless and I use far superior 3rd party security software), what else would be calling the BITS service to do background downloads?

At first, I set the WU client to "never notify". That did not work because I still got unprompted updates that were applied on shutdown and completed on the next startup of Windows. So I disabled the WU service. Yet I found something had called the BITS service to perform background downloads. So I've disabled the BITS service, too.

Eventually Microsoft might wise up and realize users are nailing the doors and windows closed to prevent any updates until the users decide if and when to retrieve and apply them. So Microsoft will probably start pushing updates that can phone home: if users accept those updates, especially considering how Microsoft is moving to vague descriptions of them and even merging more than one functional change within them (many now modify several features instead of one), those users may end up with phone-home "updates" which are actually updaters themselves.
Since Microsoft's firewall does not, by default, block outbound connections, tis time to invest in a firewall that prompts on ALL outbound connects so can authorize just what can connect out. But then Microsoft could push out a kernel-mode updater "update" that could bypass any 3rd party firewall. Long ago they added IP addresses for some of their well-known server hosts so they could have Windows connect to those without fear of users adding entries in the 'hosts' file in trying to block Microsoft from getting to those servers. No DNS lookup means no DNS blocking (and what the 'hosts' file eventually became used for). Microsoft knows how to circumvent any blockage provided there is an incentive to do so. Making sure Windows 10 doesn't flop as did Windows Vista is a strong incentive. I haven't noticed any update applied here unauthorised by me; not a one. And here's my recent update history; https://dl.dropboxusercontent.com/u/...te31.10.15.JPG My only problem is lack of notification. My system checks daily for updates, registers them in WinUpdate, but doesn't inform me through the taskbar icon as it used to. I can only theorise about why I'm better off; and my best shot is that I downloaded the Win10 media creation tool onto this machine, burnt the iso, but left the folders $Win...BT and $Win...WS in the C: root. It could be that the presence of those precludes a lot of what you're having foisted on you. Ed |
#18
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
On 30/10/2015 19:28, Char Jackson wrote:
Windows 10 upgrade push changes things for IT pros and bootleggers http://www.engadget.com/2015/10/29/w...and-bootlegge/ Microsoft mistakenly pushed Windows 10 upgrades to existing Windows 7/8 users through the Update process earlier this year, but next year it will do it on purpose. ... "Soon" the Windows 10 Upgrade will be added to Windows 7/8's system update feature as an option, and at some point next year it will change from optional to recommended. What that means for many people is that because of their Windows Update settings, their machine will automatically update to Windows 10 if it hasn't already. You can still downgrade afterwards if it's not to your liking, but expect the push to get more aggressive going forward. Along the same lines... blogs.windows.com/windowsexperience/2015/10/29/making-it-easier-to-upgrade-to-windows-10/ October 29, 2015 1:30 pm / by Terry Myerson Making it Easier to Upgrade to Windows 10 [...] Early next year, we expect to be re-categorizing Windows 10 as a “Recommended Update”. Depending upon your Windows Update settings, this may cause the upgrade process to automatically initiate on your device. Before the upgrade changes the OS of your device, you will be clearly prompted to choose whether or not to continue. And of course, if you choose to upgrade (our recommendation!), then you will have 31 days to roll back to your previous Windows version if you don’t love it. If you are on a metered connection on Windows 7 or Windows 8.1, then you have the option of turning off automatic updates. ... [...] |
#19
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
On 10/31/2015 4:42 PM, edevils wrote:
On 30/10/2015 19:28, Char Jackson wrote: Windows 10 upgrade push changes things for IT pros and bootleggers http://www.engadget.com/2015/10/29/w...and-bootlegge/ Microsoft mistakenly pushed Windows 10 upgrades to existing Windows 7/8 users through the Update process earlier this year, but next year it will do it on purpose. ... "Soon" the Windows 10 Upgrade will be added to Windows 7/8's system update feature as an option, and at some point next year it will change from optional to recommended. What that means for many people is that because of their Windows Update settings, their machine will automatically update to Windows 10 if it hasn't already. You can still downgrade afterwards if it's not to your liking, but expect the push to get more aggressive going forward. Along the same lines... blogs.windows.com/windowsexperience/2015/10/29/making-it-easier-to-upgrade-to-windows-10/ October 29, 2015 1:30 pm / by Terry Myerson Making it Easier to Upgrade to Windows 10 [...] Early next year, we expect to be re-categorizing Windows 10 as a “Recommended Update”. Depending upon your Windows Update settings, this may cause the upgrade process to automatically initiate on your device. Before the upgrade changes the OS of your device, you will be clearly prompted to choose whether or not to continue. And of course, if you choose to upgrade (our recommendation!), then you will have 31 days to roll back to your previous Windows version if you don’t love it. If you are on a metered connection on Windows 7 or Windows 8.1, then you have the option of turning off automatic updates. ... [...] Wonder if that will spike the sales of wireless cards. I cut the wire and installed a wireless card in my win10 exploration machine for that very reason. Maybe someone will figger out a way to spoof a wireless card to enable the upgrade turnoff. That might eliminate the need for all the other workarounds. |
#20
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
On 10/31/2015 9:13 AM, sctvguy1 wrote:
On Fri, 30 Oct 2015 18:39:43 +0000, Ed Cryer wrote: Right then, who'll join me at Thermopylae? I'm prepared to fight until July 27th 2016. I love Win7 and I've updated all my machines apart from this my main workhorse. But I can go for a free Win10 here as I will. In the meantime I'm putting up with the broken WinUpdate messages, the negligent drivers, the massed ranks and numbers of MS' corporate forces, the sarky comments about Ludditeism, et al. Vivat Win7! Ed Use the XP hack and you can continue getting updates and stuff for XP until 2019! I still run XP SP3 with the hack on an old Dell P4. No need to update to anything. Latest Chrome, Firefox, Thunderbird, etc. Interesting... Do you have a url where I can read about the hack? |
#21
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
Paul wrote:
There are at least four services that are associated with Windows Update. If things get desperate enough, those could be hammered.

net stop bits
net stop wuauserv
net stop appidsvc
net stop cryptsvc

That's not how to do it, that's just a copy and paste of the "interesting parties".

Personally I prefer to use the sc.exe (service controller) program to configure, stop, or start services; however, I don't remember if sc.exe was available back in Windows XP.

BITS is the background intelligent transfer service.

And can be used by other programs than just the WU service.

https://msdn.microsoft.com/en-us/lib...=vs.85%29.aspx
"BITS is designed for C and C++ developers."

So there is probably some library or API a program (and not just from Microsoft) could use to facilitate their own background file downloads.

https://msdn.microsoft.com/en-us/lib...=vs.85%29.aspx
That mentions how to create BITS jobs and even mentions using PowerShell to do that and also mentioned at:
https://msdn.microsoft.com/en-us/lib...=vs.85%29.aspx

So that's probably how Defender and Security Essentials manage to retrieve their signature updates in the background despite users configuring the WU client to "notify only" or "never check" and even with just the WU service disabled. Those apps use BITS as their file transfer handler.

Note that some things on a computer, are considered to be outside Windows Update. For example, one evening a 100MB download starts, and I'm scrambling to figure out WTF is using my network link. It turns out all the Metro Apps were being updated, and without paying any attention to Windows Update settings at all. It's possible some of that stuff depends on BITS too.

Maybe those apps have their own updater rather than rely on the WU client's config.

I would not expect the Windows Update settings to be all that effective. But "chopping some of the legs off Windows", that oughta help :-)

I see no need to disable the Crypto service.
Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

https://msdn.microsoft.com/en-us/lib...=vs.85%29.aspx
https://technet.microsoft.com/en-us/...=ws.10%29.aspx
https://technet.microsoft.com/en-us/.../cc962093.aspx
https://en.wikipedia.org/wiki/Crypto...rvice_Provider

Have you tried disabling that service and then use your web browser to connect to an HTTPS web site? Passwords are saved into a crypto section of the registry (to which you don't get access even as an admin when using regedit.exe). Without the CryptoAPI, not only would there be troubles in accessing old or saving new passwords into the crypto registry section but any programs calling the CryptoAPI would fail.

I also do not see the need to hammer the AppIDsvc.

Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced.

http://maximumpcguides.com/windows-7...idsvc-service/
https://technet.microsoft.com/en-us/.../dd759117.aspx
http://www.howtogeek.com/howto/6317/...ith-applocker/

Since this service is needed by Applocker but AppLocker is only usable in the Ultimate and Enterprise editions of Windows 7, why does it need to be running on my Home edition of Windows 7? Well, to be accurate, the AppIDsvc is not configured to automatic load on Windows startup. It is configured for Manual startup mode which means a caller process has to call that service to have it run.
So it seems a dormant service: it's defined, it's there, but it doesn't start until something calls it and that something (AppLocker) isn't available in my edition of Win7.

AppLocker is supposed to replace the Software Restriction Policies (SRPs) feature. I've used SRPs in the past (on non-Home editions of Windows). It was handy to prevent a program from ever loading. I would define a Path rule pointing at the executable that I wanted to block from ever running. I forget the program (got rid of a long time ago, maybe it was MagicJack) that would run an ancillary program to get updates, and their updates were never needed but merely to skirt methods used to make fuller use of their software (which was based on someone else's software with more features). To prevent the unwanted background updates that often resulted in users complaining for a month that the [main] program stopped working, I just prevented their setup program from rerunning to perform an in-place upgrade of their software on my computer. An event got logged that I could see in Event Viewer for when the SRP prevented the unwanted program from loading.

Most users never knew about SRPs, and I missed them in the Home edition. While all policies are registry entries, SRPs would generate random IDs for each rule so I couldn't merely slide in a SRP into the registry. It was handy to have a built-in kernel-mode controller that could give me control over which programs could not load.

Back in Windows XP, I remember having to edit the registry to add another mode to SRPs. By install-time default, SRPs could only let you Allow or Block a program. I found another value that could be added to the registry to add Basic mode to an SRP. Basic was used to restrict a program to loading under a LUA (limited user account) token. This meant I could force a program to load as though I had logged on under a restricted (basic) user account instead of have the program get privileges from my admin account.
Remember how many gurus used to advise that you run certain programs, like web browsers, under a LUA token? Well, what you usually saw was them telling you that you should not be logging on under an admin account and instead always logon under a restricted account. SRPs with the added Basic mode could force a program to run under a LUA token despite I had logged on under an admin account.

Since AppLocker is the successor of Software Restriction Policies, and from my understanding of SRPs, I don't see how the AppIDsvc has anything to do with the Windows update process.

So far, the only 2 services that I know of that must be disabled to effectively disable Windows Updates are the WU (wuauserv, which used to be the "Automatic Updates" service) and BITS services. Nailing those two should kill any updates to Windows (and anything else using WU or BITS). I haven't yet tested but figure the batch files might have something like:

WU_off.bat:
sc.exe stop BITS
sc.exe config BITS start= disabled
sc.exe stop wuauserv
sc.exe config wuauserv start= disabled

WU_on.bat:
sc.exe config BITS start= manual
sc.exe config wuauserv start= manual
sc.exe start wuauserv

My question is about timing. Are these commands synchronous (they must complete before the next command gets executed) or asynchronous (they issue a request, exit, and the next command runs but the prior command may have not completed yet). When requesting a service to start or stop, it can take some time before the service controller determines if the service acknowledged, performed, and completed the request.
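On the timing question that closes this post, as an added example that is not part of the original thread: `sc.exe stop` and `sc.exe start` return once the Service Control Manager has accepted the request, usually while the service is still STOP_PENDING or START_PENDING, whereas `sc.exe config` has taken effect when it returns. The PowerShell below waits for each state change explicitly and also lists queued BITS jobs, so the account and URLs using BITS are visible before it is switched off; the function names and the 60-second timeout are assumptions made for the example.

```powershell
# Added example, not from the thread. Run from an elevated Windows PowerShell
# prompt. Function names and the 60-second timeout are assumptions.

$UpdateServices = 'wuauserv', 'BITS'            # the two services the post settles on
$Timeout        = [TimeSpan]::FromSeconds(60)   # assumed upper bound per state change

function Get-UpdateServiceState {
    # Start mode and current state as recorded by the Service Control Manager.
    Get-WmiObject Win32_Service -Filter "Name='wuauserv' OR Name='BITS'" |
        Select-Object Name, StartMode, State
}

function Get-BitsJobSummary {
    # Who is queuing BITS downloads, and from where. Call this before
    # disabling BITS: the cmdlet needs the service to be startable.
    Import-Module BitsTransfer -ErrorAction Stop
    foreach ($job in (Get-BitsTransfer -AllUsers)) {
        foreach ($file in $job.FileList) {
            New-Object PSObject -Property @{
                Job   = $job.DisplayName; Owner  = $job.OwnerAccount
                State = $job.JobState;    Remote = $file.RemoteName
            }
        }
    }
}

function Wait-ServiceState($Service, [string]$State) {
    # ServiceController.Stop()/Start(), like "sc.exe stop/start", only submit
    # the request. Block here until the target state is reached or time runs out.
    try { $Service.WaitForStatus($State, $Timeout) } catch { }
    $Service.Refresh()
    if ($Service.Status -ne $State) {
        throw "$($Service.ServiceName) is $($Service.Status), expected $State after $($Timeout.TotalSeconds)s"
    }
}

function Disable-UpdateServices {
    foreach ($name in $UpdateServices) {
        # Disable first: a Manual-start service can be demand-started again
        # in the gap between a stop and a later config change.
        Set-Service -Name $name -StartupType Disabled
        $svc = Get-Service -Name $name
        if ($svc.Status -ne 'Stopped') {
            if ($svc.Status -ne 'StopPending') { $svc.Stop() }
            Wait-ServiceState $svc 'Stopped'
        }
    }
    Get-UpdateServiceState
}

function Restore-UpdateServices {
    # Mirror of WU_on.bat: both back to Manual, then start wuauserv and wait.
    foreach ($name in $UpdateServices) {
        Set-Service -Name $name -StartupType Manual
    }
    $svc = Get-Service -Name 'wuauserv'
    if ($svc.Status -ne 'Running') {
        $svc.Start()
        Wait-ServiceState $svc 'Running'
    }
    Get-UpdateServiceState
}

# Typical use:
#   Get-BitsJobSummary | Format-Table -AutoSize   # see what is using BITS
#   Disable-UpdateServices                        # returns only once both are Stopped
#   Restore-UpdateServices                        # before a manual update session
```

`Get-WmiObject` is used for the start mode so the script also runs on the Windows PowerShell 2.0 that ships with Windows 7.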
#22
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
Mike S wrote:
On 10/31/2015 9:13 AM, sctvguy1 wrote: On Fri, 30 Oct 2015 18:39:43 +0000, Ed Cryer wrote: Right then, who'll join me at Thermopylae? I'm prepared to fight until July 27th 2016. I love Win7 and I've updated all my machines apart from this my main workhorse. But I can go for a free Win10 here as I will. In the meantime I'm putting up with the broken WinUpdate messages, the negligent drivers, the massed ranks and numbers of MS' corporate forces, the sarky comments about Ludditeism, et al. Vivat Win7! Ed

Use the XP hack and you can continue getting updates and stuff for XP until 2019! I still run XP SP3 with the hack on an old Dell P4. No need to update to anything. Latest Chrome, Firefox, Thunderbird, etc.

Interesting... Do you have a url where I can read about the hack?

There is WinXP used in a POS (Point Of Sale) version of Windows. Apparently it still receives security updates. The idea is, to modify your desktop WinXP, so it receives POS updates instead.

http://www.zdnet.com/article/registr...or-windows-xp/

******** pos.reg ********
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001
******** pos.reg ********

http://www.zdnet.com/article/hacked-...ll-a-bad-idea/

"The basis of it is that Microsoft has an embedded variant of Windows XP and support doesn't end on that until April 2016."

Paul
#23
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
On 01/11/2015 03:58, mike wrote:
On 10/31/2015 4:42 PM, edevils wrote: On 30/10/2015 19:28, Char Jackson wrote: Windows 10 upgrade push changes things for IT pros and bootleggers http://www.engadget.com/2015/10/29/w...and-bootlegge/ Microsoft mistakenly pushed Windows 10 upgrades to existing Windows 7/8 users through the Update process earlier this year, but next year it will do it on purpose. ... "Soon" the Windows 10 Upgrade will be added to Windows 7/8's system update feature as an option, and at some point next year it will change from optional to recommended. What that means for many people is that because of their Windows Update settings, their machine will automatically update to Windows 10 if it hasn't already. You can still downgrade afterwards if it's not to your liking, but expect the push to get more aggressive going forward. Along the same lines... blogs.windows.com/windowsexperience/2015/10/29/making-it-easier-to-upgrade-to-windows-10/ October 29, 2015 1:30 pm / by Terry Myerson Making it Easier to Upgrade to Windows 10 [...] Early next year, we expect to be re-categorizing Windows 10 as a “Recommended Update”. Depending upon your Windows Update settings, this may cause the upgrade process to automatically initiate on your device. Before the upgrade changes the OS of your device, you will be clearly prompted to choose whether or not to continue. And of course, if you choose to upgrade (our recommendation!), then you will have 31 days to roll back to your previous Windows version if you don’t love it. If you are on a metered connection on Windows 7 or Windows 8.1, then you have the option of turning off automatic updates. ... [...] Wonder if that will spike the sales of wireless cards. I cut the wire and installed a wireless card in my win10 exploration machine for that very reason. Maybe someone will figger out a way to spoof a wireless card to enable the upgrade turnoff. That might eliminate the need for all the other workarounds. 
Setting your wifi as "Metered connection" is a way to avoid/delay non-security updates, but if you just don't want automatic "recommended" updates you can change your w7/8 windowsupdate settings accordingly, and leave "automatic" for important/critical updates only. http://cdn3.howtogeek.com/wp-content...2dc500e7ea.png |
#24
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
On 10/31/2015 11:13 AM, sctvguy1 wrote:
[snip] Use the XP hack and you can continue getting updates and stuff for XP until 2019! I still run XP SP3 with the hack on an old Dell P4. No need to update to anything. Latest Chrome, Firefox, Thunderbird, etc. Chrome, Firefox, Thunderbird, Opera, etc... continue to support XP. The Windows Upgrade hack has nothing to do with it. I suspect that Windows XP, Vista, 7, 8, 8.1, and 10 are all very similar. I suspect the fact that MSIE doesn't support all of them (since V8) is artificial. Windows 9 IS different :-) -- 54 days until the winter celebration (Friday December 25, 2015 12:00:00 AM for 1 day). Mark Lloyd http://notstupid.us/ "No god ever gave any man anything, nor ever answered any prayer at any time -nor ever will." [Madelyn O'Hair, "An Atheist Epic"] |
#25
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
Mark Lloyd wrote:
On 10/31/2015 11:13 AM, sctvguy1 wrote: [snip] Use the XP hack and you can continue getting updates and stuff for XP until 2019! I still run XP SP3 with the hack on an old Dell P4. No need to update to anything. Latest Chrome, Firefox, Thunderbird, etc.

Chrome, Firefox, Thunderbird, Opera, etc... continue to support XP. The Windows Upgrade hack has nothing to do with it. I suspect that Windows XP, Vista, 7, 8, 8.1, and 10 are all very similar. I suspect the fact that MSIE doesn't support all of them (since V8) is artificial. Windows 9 IS different :-)

Some of the browsers use hardware acceleration, and that could make a difference. Of course doing that (introducing hardware acceleration) is artificial, and totally unnecessary. No browser needs hardware acceleration, neither does a browser need 1GB of RAM to display the Yahoo news page. But, it happens. I remember a time when an entire 3D game and all textures could be loaded in 1GB :-)

Paul
#26
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
On 11/1/2015 1:29 AM, Paul wrote:
Mike S wrote: On 10/31/2015 9:13 AM, sctvguy1 wrote: On Fri, 30 Oct 2015 18:39:43 +0000, Ed Cryer wrote: Right then, who'll join me at Thermopylae? I'm prepared to fight until July 27th 2016. I love Win7 and I've updated all my machines apart from this my main workhorse. But I can go for a free Win10 here as I will. In the meantime I'm putting up with the broken WinUpdate messages, the negligent drivers, the massed ranks and numbers of MS' corporate forces, the sarky comments about Ludditeism, et al. Vivat Win7! Ed

Use the XP hack and you can continue getting updates and stuff for XP until 2019! I still run XP SP3 with the hack on an old Dell P4. No need to update to anything. Latest Chrome, Firefox, Thunderbird, etc.

Interesting... Do you have a url where I can read about the hack?

There is WinXP used in a POS (Point Of Sale) version of Windows. Apparently it still receives security updates. The idea is, to modify your desktop WinXP, so it receives POS updates instead.

http://www.zdnet.com/article/registr...or-windows-xp/

******** pos.reg ********
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001
******** pos.reg ********

http://www.zdnet.com/article/hacked-...ll-a-bad-idea/

"The basis of it is that Microsoft has an embedded variant of Windows XP and support doesn't end on that until April 2016."

Paul

Thanks Paul
#27
Article: Windows 10 upgrade push changes things for IT pros and bootleggers
In message , Paul
writes: [] Of course doing that (introducing hardware acceleration) is artificial, and totally unnecessary. No browser needs hardware acceleration, neither does a browser need 1GB of RAM to display the Yahoo news page. But, it happens. I remember a time when an entire 3D game and all textures could be loaded in 1GB :-) Paul

Hm. I have a folder C:\Program Files\Games\DOOMS. 22 objects (most of which are dated 1995-2-1), total size 5.31 MB ... (actually one file - DOOM1.WAD - is 4M, so all the rest'd fit on a floppy; the largest .exe is 694 KB.) I don't remember the details of how to play it ... Wow, that means it's over 20 years old ...

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf
Unlike my parents' generation, I don't think we'll ever admit that we're old. We battle against the dying of the light. - Jane Asher, Radio Times 31 Jan-6 Feb 09