Channel: Windows – Born's Tech and Windows World

Windows XP won’t die in 2020

Microsoft’s operating system Windows XP, which has long since fallen out of support, continues to run on millions of PCs. This is shown by the new figures from NetMarketShare for August 2020. Here is a quick look at the situation.

In 2018 I had reported in the German article Windows XP: Nicht tot zu kriegen about the phenomenon that the Microsoft operating system Windows XP, which was released at the turn of the millennium, won’t die – even though it no longer receives support. Worldwide, there are still many systems running and in 2018 the share of Windows XP even increased.

What is the situation in August 2020?

In the article OS/Windows/Browser Share (August 2020) I published the latest figures on the distribution of desktop operating systems at the end of August 2020. Windows 10 runs on 60.57% of desktop systems.

(OS Share 8-2020, Source: netmarketshare.com)

I had ignored the figures for Windows XP when I wrote the article. The following tweet brought me back to the topic.

(Tweet: Windows XP market share, 8.2020)

Techradar had a closer look at the numbers and wrote that Windows XP still runs on 1.26% of the systems. But this is not quite true, as the NetMarketShare value is averaged over the period 8.2019 to 8.2020. From July 2020 to August 2020, NetMarketShare for Windows XP has a value of only 0.80%. However, Windows 8 has a 0.53% share, while Chrome OS sails at 0.38%. Windows Vista is still listed at 0.08%.

Windows XP still runs on millions of desktop systems

However, it can be concluded that Windows XP still runs on millions of desktop systems, although Microsoft has discontinued support as of April 14, 2014. Only companies could buy extended support – and there were probably embedded versions of the operating system that were still being supported until recently. The operating system was released for distribution in 2001.

One year ago, in August 2019, in the German article Windows XP-Systeme bei 1/3 der Firmen im Einsatz I had taken up the topic. At that time we were facing the end of support for Windows 7 on January 14, 2020. A Spiceworks report The Future of Network, which deals with (missing) security aspects in companies, stated at that time that 32% of companies still have Windows XP installed on at least one device in their network.

(Windows OS penetration rates, Source: Spiceworks)

The British Army also still uses Windows XP on its submarines (see Britische Armee nutzt Windows XP? Ja, und Windows ME). 


Patchday: Windows 10-Updates (September 8, 2020)

On September 8, 2020 (second Tuesday of the month, Patchday at Microsoft) several cumulative updates for the supported Windows 10 builds were released. Here are some details about the respective updates.

A list of the updates can be found on this Microsoft website. I have pulled out the details below. Installing the updates requires a current Servicing Stack Update (SSU) to be installed. Microsoft now publishes an overview of current Servicing Stack Updates (SSUs) under ADV990001 (if it is not up to date, please check the Microsoft Update Catalog for Servicing Stack Updates).

Important: From July 2020 all Windows updates disable the RemoteFX vGPU feature due to the CVE-2020-1036 vulnerability (see also KB4570006). After installing this update, attempts to start virtual machines (VM) with RemoteFX vGPU enabled will fail. More information can be found here.

Updates for Windows 10 Version 2004

Microsoft provides the following update packages for the Windows 10 version 2004 released in May 2020.

Update KB4571756 for Windows 10 Version 2004

Cumulative Update KB4571756 raises the OS build to 19041.508. The update is available for Windows 10 version 2004 and for Windows Server version 2004. It contains quality improvements but no new operating system features. Here is the list of improvements, called highlights by Microsoft:

  • Updates to improve security when using input devices (such as a mouse, keyboard, or pen).
  • Updates to improve security when Windows performs basic operations.
  • Updates for storing and managing files.
  • Updates to improve security when using Microsoft Office products.

The following fixes and improvements are added:

  • Addresses an issue with a possible elevation of privilege in windowmanagement.dll.
  • Addresses a security vulnerability issue with user proxies and HTTP-based intranet servers. After installing this update, HTTP-based intranet servers cannot leverage a user proxy by default to detect updates. Scans using these servers will fail if the clients do not have a configured system proxy. If you must leverage a user proxy, you must configure the behavior using the Windows Update policy “Allow user proxy to be used as a fallback if detection using system proxy fails.” This change does not affect customers who secure their Windows Server Update Services (WSUS) servers with the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols. For more information, see Improving security for devices receiving updates via WSUS.
  • Security updates to Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Input and Composition, Windows Media, Windows Shell, Windows Cloud Infrastructure, Windows Fundamentals, Windows Management, Windows Kernel, Windows Virtualization, Windows Storage and Filesystems, the Microsoft Scripting Engine, and the Microsoft JET Database Engine.

This update is automatically downloaded and installed by Windows Update. This update is also available in the Microsoft Update Catalog and via WSUS. Microsoft strongly recommends that you install the latest servicing stack update (SSU) KB4577266 for your operating system before you install the latest cumulative update (LCU).

For this update, Microsoft indicates that users of the Microsoft Input Method Editor (IME) for Chinese and Japanese may receive an error, or the application may stop responding or close when they try to drag the mouse.

Microsoft has also released an update directly to the Windows Update Client to improve its reliability. This is rolled out outside of Windows Update if the machine is compatible and not an LTSC variant and updates have not been blocked by GPO.

On Facebook a user wrote: Windows 10: Today update KB4571756 causes big problems: The Windows-Explorer has become extremely slow. Each opening of a file leads to a forced pause of several seconds, also the Windows-Explorer crashes again and again. Update KB4571756 uninstalled, they are gone. Does anyone have the same experience?

Updates for Windows 10 Version 190x

Microsoft provides the same update packages for the Windows 10 builds 1903 and 1909 released in 2019. The following updates are available for the Windows 10 May 2019 Update (Version 1903) and the Windows 10 November 2019 Update (Version 1909).

Update KB4574727 for Windows 10 Version 190x

Cumulative Update KB4574727 raises the OS build to 18362.1082 (Windows 10 V1903) and to 18363.1082 (Windows 10 V1909). The update is available for Windows 10 version 1903, for Windows 10 version 1909 and for Windows Server version 1903 and Windows Server version 1909. It contains quality improvements but no new operating system features. Here is the list of improvements, called highlights by Microsoft:

  • Updates to improve security when Windows performs basic operations.
  • Updates to improve security when using input devices (such as a mouse, keyboard, or pen).
  • Updates to improve security when using Microsoft Office products.

In addition, the update contains the following fixes and improvements for Windows 10 version 1909, which are identical to those for version 1903 (the update is also available for the HoloLens):

  • Addresses a security vulnerability issue with user proxies and HTTP-based intranet servers. After installing this update, HTTP-based intranet servers cannot leverage a user proxy by default to detect updates. Scans using these servers will fail if the clients do not have a configured system proxy. If you must leverage a user proxy, you must configure the behavior using the Windows Update policy “Allow user proxy to be used as a fallback if detection using system proxy fails.” This change does not affect customers who secure their Windows Server Update Services (WSUS) servers with the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols. For more information, see Improving security for devices receiving updates via WSUS.
  • Security updates to Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Input and Composition, Windows Media, Windows Shell, Windows Cloud Infrastructure, Windows Fundamentals, Windows Management, Windows Kernel, Windows Virtualization, the Microsoft Scripting Engine, and the Microsoft JET Database Engine.

This update is automatically downloaded and installed by Windows Update. This update is also available in the Microsoft Update Catalog and via WSUS. Microsoft strongly recommends that you install the latest servicing stack update (SSU) for your operating system before you install the latest cumulative update (LCU). For this update, Microsoft states that no known issues are reported.

Microsoft has also released an update directly to the Windows Update Client to improve its reliability. This is rolled out outside of Windows Update if the machine is compatible and not an LTSC variant and updates have not been blocked by GPO.

Updates for Windows 10 Version 1809

The following updates are available for Windows 10 October 2018 Update (Version 1809) and Windows Server 2019.

Update KB4570333 for Windows 10 Version 1809

Cumulative Update KB4570333 raised the OS build to 17763.1457 and includes quality improvements but no new operating system features. Here is the list of improvements, called highlights by Microsoft:

  • Updates to improve security when using Microsoft Office products.
  • Updates to improve security when using input devices such as a mouse, keyboard, or pen.
  • Updates to improve security when Windows performs basic operations.
  • Updates for storing and managing files.

The following fixes and improvements are added:

  • Addresses a security vulnerability issue with user proxies and HTTP-based intranet servers. After installing this update, HTTP-based intranet servers cannot leverage a user proxy by default to detect updates. Scans using these servers will fail if the clients do not have a configured system proxy. If you must leverage a user proxy, you must configure the behavior using the Windows Update policy “Allow user proxy to be used as a fallback if detection using system proxy fails.” This change does not affect customers who secure their Windows Server Update Services (WSUS) servers with the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols. For more information, see Improving security for devices receiving updates via WSUS.
  • Security updates to Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Input and Composition, Windows Media, Windows Shell, Windows Cloud Infrastructure, Windows Fundamentals, Windows Management, Windows Kernel, Windows Virtualization, Windows Storage and Filesystems, the Microsoft Scripting Engine, and the Microsoft JET Database Engine.

This update is automatically downloaded and installed by Windows Update, but is also available in the Microsoft Update Catalog. Microsoft strongly recommends that you install the latest servicing stack update (SSU) for your operating system before you install the latest cumulative update (LCU). Microsoft lists known issues that the update causes: when you install the update, you may receive the error 0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND. The Edge browser may also crash. Details can be found in the KB article.

Microsoft has also released an update directly for the Windows Update Client to improve its reliability. This is rolled out outside of Windows Update if the machine is compatible and not an LTSC variant and updates were not blocked by GPO.

Updates for Windows 10 Version 1507 to 1803

For Windows 10 RTM up to version 1803, various updates are available for the LTSC versions and, if necessary, the Enterprise versions. The Home and Pro versions on the other hand have been dropped from support. These updates are automatically downloaded and installed by Windows Update, but are available for download in the Microsoft Update Catalog (search for the KB number). Before manual installation, the latest Servicing Stack Update (SSU) must be installed. Details can be found in the respective KB article.

  • Windows 10 Version 1803: Update KB4577032 is only available for Enterprise and Education. The update raises the OS build to 17134.1726.
  • Windows 10 Version 1709: Update KB4577041 is only available for Enterprise and Education. The update raises the OS build to 16299.2107.
  • Windows 10 Version 1703: Update KB4577021 is only available for Enterprise and Education. The update raises the OS build to 16299.2500.
  • Windows 10 Version 1607: Update KB4577015 is only available for Enterprise and Education. The update raises the OS build to 14393.3930.
  • Windows 10 Version 1507: Update KB4577049 is only available for Enterprise and Education. The update raises the OS build to 10240.18696.

There was no update for Windows 10 V1511 and V1703, because these versions were dropped from support. Details about the above updates can be found in the respective Microsoft KB articles in case of doubt.

Similar articles:
Microsoft Office Patchday (September 1, 2020)
Microsoft Security Update Summary (September 1, 2020)
Patchday: Windows 10-Updates (September 8, 2020)
Patchday: Windows 8.1/Server 2012-Updates (September 8, 2020)
Patchday: Updates for Windows 7/Server 2008 R2 (September 8, 2020)
Patchday Microsoft Office Updates (September 8, 2020)

Patchday: Windows 8.1/Server 2012-Updates (September 8, 2020)

On September 8, 2020, Microsoft released various updates for Windows 8.1. These updates are also available for Windows Server 2012 R2. Here is some information about them.

For Windows 8.1 and Windows Server 2012 R2 a rollup and a security-only update were released. The update history for Windows 8.1 and Windows Server 2012 R2 can be found on this Microsoft page.

Important: Starting July 2020 all Windows updates disable the RemoteFX vGPU feature due to the CVE-2020-1036 vulnerability (see also KB4570006). After installing this update, attempts to start virtual machines (VM) with RemoteFX vGPU enabled will fail. More information can be found in the KB article and here.

KB4577066 (Monthly Rollup) for Windows 8.1/Server 2012 R2

Update KB4577066 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) contains improvements and fixes, and addresses the following issues.

  • Updates time zone information for Yukon, Canada.
  • Addresses an issue when you evaluate the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.
  • Addresses a security vulnerability issue with user proxies and HTTP-based intranet servers. After you install this update, HTTP-based intranet servers cannot leverage a user proxy to detect updates by default. Scans that use these servers will fail if the clients do not have a configured system proxy. If you must leverage a user proxy, you must configure the behavior by using the Windows Update policy “Allow user proxy to be used as a fallback if detection using system proxy fails.” This change does not affect customers who secure their Windows Server Update Services (WSUS) servers that use the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols. For more information, see Improving security for devices receiving updates via WSUS.
  • Security updates to Windows Media, Windows Input and Composition, Windows App Platform and Frameworks, Windows Graphics, Windows Cloud Infrastructure, Windows Authentication, Windows Cryptography, Windows Fundamentals, Windows Kernel, Windows Hybrid Cloud Networking, Windows Peripherals, Windows Storage and Filesystems, Windows Network Security and Containers, Windows Update Stack, the Microsoft Scripting Engine, and Windows SQL components.

This update is automatically downloaded and installed by Windows Update, but is also available in the Microsoft Update Catalog and via WSUS. In case of a manual installation, the latest Servicing Stack Update (SSU KB4566425 dated July 14, 2020) must be installed beforehand – but this SSU cannot be uninstalled.

Microsoft is aware of the following problem in connection with the update: Certain operations, such as renaming, that you perform on files or folders on a cluster shared volume (CSV) may fail with the error “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that does not have administrator privileges. As a workaround, you can do one of the following:

  • Perform the operation from a process that has administrator privileges.
  • Perform the operation from a node that does not have CSV ownership.

Microsoft has been working (for months) on a solution and will provide an update in a future release. This update contains telemetry functions.

KB4577071 (Security-only update) for Windows 8.1/Server 2012 R2

Update KB4577071 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) addresses the following items:

Security updates to Windows Media, Windows Input and Composition, Windows App Platform and Frameworks, Windows Graphics, Windows Cloud Infrastructure, Windows Authentication, Windows Cryptography, Windows Fundamentals, Windows Kernel, Windows Hybrid Cloud Networking, Windows Peripherals, Windows Storage and Filesystems, Windows Network Security and Containers, Windows Update Stack, and Windows SQL components.

The update is available via WSUS or in the Microsoft Update Catalog. Details about the update are described in the KB article. In case of a manual installation the latest Servicing Stack Update (SSU) KB4566425 must be installed first. This update contains telemetry functions (see the discussion within my German blog).

The security update KB4577010 for IE should also be installed.

Windows 10 20H2 Build 19042.508 (KB4571756) for Insider

On Patchday (September 8, 2020) Microsoft released the update KB4571756 not only for Windows 10 Version 2004. The update is also available for Windows Insiders in the Beta Channel for testing.

In Windows 10 20H1 and 20H2 Microsoft follows the same approach as in Windows 10 version 190x. Both Windows 10 versions (2004 and 20H2) receive the same update packages. The announcement was made in the Windows blog; the update is also available for testing by corporate customers from the Windows Insider program in the Release Preview Channel. Update KB4571756 upgrades Windows 10 version 20H2 to OS build 19042.508 and includes the following fixes.

  • We fixed an issue with a possible elevation of privilege in windowmanagement.dll.
  • We fixed a security vulnerability issue with user proxies and HTTP-based intranet servers. After installing this update, HTTP-based intranet servers cannot leverage a user proxy by default to detect updates. Scans using these servers will fail if the clients do not have a configured system proxy. If you must leverage a user proxy, you must configure the behavior using the Windows Update policy “Allow user proxy to be used as a fallback if detection using system proxy fails.” This change does not affect customers who secure their Windows Server Update Services (WSUS) servers with the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols. For more information, see Improving security for devices receiving updates via WSUS.
  • Security updates to Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Input and Composition, Windows Media, Windows Shell, Windows Cloud Infrastructure, Windows Fundamentals, Windows Management, Windows Kernel, Windows Virtualization, Windows Storage and Filesystems, and the Microsoft JET Database Engine.

This update is offered via Windows Update on machines in the Windows Insider program.

Patchday: Updates for Windows 7/Server 2008 R2 (09/08/2020)

On September 8, 2020 Microsoft released various (security) updates for Windows 7 SP1 (ESU) and Windows Server 2008 R2. Here is an overview of these updates.

Updates for Windows 7/Windows Server 2008 R2

For Windows 7 SP1 and Windows Server 2008 R2 SP1 a rollup and a security-only update have been released. However, these updates are only available for systems with an ESU license. The update history for Windows 7 can be found on this Microsoft page. Successful installation of the security updates requires SHA-2 support to be installed.

Beginning January 15, 2020, Windows 7 will display a full-screen end-of-support notification in Starter, Home Basic, Home Premium, Professional (without ESU license) and Ultimate. This must then be closed by the user.

As of January 14, 2020, Windows 7 SP1 and Windows Server 2008 R2 SP1 have reached the end of support and will in future only receive paid security updates as part of the ESU program. ESU license holders are advised to take a look at the Windows Message Center for details.

The Techcommunity article on the ESU program was last updated by Microsoft on March 10, 2020. Please refer to the notes on the requirements (SSU, SHA-2). For ESU systems, you must also install the KB4538483 (see Windows 7 ESU-Update KB4538483 (May 2020)) and the update KB4575903 (see Windows 7 ESU Preparation Package Update KB4575903 (July 31, 2020)).

Even though the updates are provided in the Microsoft Update Catalog, do not attempt to install them on systems without an ESU license: the installation fails and a rollback is performed. What does work is applying the BypassESU method. Discussions about using BypassESU for September 2020 may be found in my German blog here.

Important: From July 2020 all Windows updates disable the RemoteFX vGPU feature due to the CVE-2020-1036 vulnerability (see also KB4570006). After installing this update, attempts to start virtual machines (VM) with RemoteFX vGPU enabled will fail. More information can be found in the KB article and here.

KB4577051 (Monthly Rollup) for Windows 7/Windows Server 2008 R2

Update KB4577051 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) contains (besides the security fixes from last month) improvements and bug fixes and addresses the following issues:

  • Updates time zone information for Yukon, Canada.
  • Addresses a security vulnerability issue with user proxies and HTTP-based intranet servers. After you install this update, HTTP-based intranet servers cannot leverage a user proxy to detect updates by default. Scans that use these servers will fail if the clients do not have a configured system proxy. If you must leverage a user proxy, you must configure the behavior by using the Windows Update policy “Allow user proxy to be used as a fallback if detection using system proxy fails.” This change does not affect customers who secure their Windows Server Update Services (WSUS) servers that use the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols. For more information, see Improving security for devices receiving updates via WSUS.
  • Security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Cloud Infrastructure, Windows Authentication, Windows Cryptography, Windows Kernel, Windows Hybrid Cloud Networking, Windows Peripherals, Windows Storage and Filesystems, Windows Network Security and Containers, the Microsoft Scripting Engine, and Windows SQL components.

Compared to the previous months, nothing has changed for ESU systems. This update is automatically downloaded and installed via Windows Update, but is also available in the Microsoft Update Catalog and will be offered on WSUS. Details about the requirements and known issues (without ESU the installation fails and there is a “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)” error) can be found in the KB article.

KB4577053 (Security Only) for Windows 7/Windows Server 2008 R2

Update KB4577053 (Security-only update) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1 with ESU license. The update addresses the following issues.

Security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Cloud Infrastructure, Windows Authentication, Windows Cryptography, Windows Kernel, Windows Hybrid Cloud Networking, Windows Peripherals, Windows Storage and Filesystems, Windows Network Security and Containers, and Windows SQL components.

The update is available via WSUS or in the Microsoft Update Catalog. To install the update, the preconditions listed in the KB article and above for the rollup update must be met.

Additionally, the security update KB4577010 for IE should be installed. Both updates (Rollup, Security-only) contain telemetry components.

Windows 10: Changes in WSUS update scan

With the September 2020 cumulative update for Windows 10, Microsoft introduced changes that improve the security of clients that scan Windows Server Update Services (WSUS) for updates. Here is a brief overview on this topic.

I became aware of the topic through this tweet – Microsoft has published this Techcommunity article on this topic. 

Secure by default: TLS protocol/HTTPS mandatory

Starting with the September 2020 cumulative update, HTTP-based intranet servers will be secure by default. To ensure that clients remain inherently secure, Microsoft no longer allows HTTP-based intranet servers to use user proxies by default to detect updates.

In a WSUS environment that is not secured with the TLS protocol/HTTPS, and where a device requires a proxy to successfully connect to intranet WSUS servers – and this proxy is configured for users (not devices) only – then all WSUS scans for updates from the September 2020 cumulative update onwards will fail.

To ensure the security of the WSUS infrastructure, Microsoft recommends using the TLS/SSL protocol between the devices and the WSUS servers. The Microsoft Update System (including WSUS) relies on two types of content: update payloads and update metadata. More information can be found in Michael Cureton’s post Security Best Practices for Windows Server Update Services (WSUS). The Techcommunity article contains more details and recommendations on how to configure clients for WSUS update scans.
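The following PowerShell sketch is an added example, not code from Microsoft or from the original article. It classifies a WSUS client configuration against the scan change described above and in the update notes of the other articles. It assumes the policy values live under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` (`WUServer`, and `SetProxyBehaviorForUpdateDetection` for the user-proxy fallback policy); the function names and the sample server names are hypothetical.

```powershell
# Added example: assess a WSUS client against the September 2020 scan change.
# Function names and sample hosts are hypothetical, not from the article.

function Get-WsusScanAssessment {
    param(
        [string]$WUServer,               # WUServer policy value
        [int]   $ProxyBehavior = 0,      # SetProxyBehaviorForUpdateDetection:
                                         #   0 = system proxy only (default), 1 = user proxy as fallback
        [bool]  $SystemProxyConfigured,  # machine-wide WinHTTP proxy set (check: netsh winhttp show proxy)
        [bool]  $ProxyRequired           # WSUS server reachable only through a proxy (site knowledge)
    )

    if ([string]::IsNullOrWhiteSpace($WUServer)) {
        $status = 'NoWsus'
        $detail = 'No intranet update server configured.'
    }
    elseif ($WUServer -match '^https://') {
        $status = 'Ok'
        $detail = 'WSUS secured with TLS; not affected by the change.'
    }
    elseif (-not $ProxyRequired -or $SystemProxyConfigured) {
        $status = 'InsecureTransport'
        $detail = 'Scans keep working, but over plain HTTP; move WSUS to TLS/HTTPS.'
    }
    elseif ($ProxyBehavior -eq 1) {
        $status = 'UserProxyFallback'
        $detail = 'Scans work only because the user-proxy fallback policy is enabled.'
    }
    else {
        $status = 'ScanWillFail'
        $detail = 'HTTP WSUS, user-only proxy, no fallback policy: update scans fail.'
    }

    [pscustomobject]@{ WUServer = $WUServer; Status = $status; Detail = $detail }
}

# Reads the two policy values from the local registry (missing values become '' and 0).
function Get-WsusClientPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer      = [string]$p.WUServer
        ProxyBehavior = [int]$p.SetProxyBehaviorForUpdateDetection
    }
}

# Constructed sample configurations (not real hosts).
$samples = @(
    @{ WUServer = 'https://wsus.corp.example:8531'; ProxyBehavior = 0; SystemProxyConfigured = $false; ProxyRequired = $true  },
    @{ WUServer = 'http://wsus.corp.example:8530';  ProxyBehavior = 0; SystemProxyConfigured = $false; ProxyRequired = $false },
    @{ WUServer = 'http://wsus.corp.example:8530';  ProxyBehavior = 1; SystemProxyConfigured = $false; ProxyRequired = $true  },
    @{ WUServer = 'http://wsus.corp.example:8530';  ProxyBehavior = 0; SystemProxyConfigured = $false; ProxyRequired = $true  }
)
foreach ($s in $samples) { Get-WsusScanAssessment @s }

# On a live client, supply the two site-specific facts yourself:
# $pol = Get-WsusClientPolicy
# Get-WsusScanAssessment -WUServer $pol.WUServer -ProxyBehavior $pol.ProxyBehavior `
#     -SystemProxyConfigured $false -ProxyRequired $true
```

The last constructed sample is the case the article warns about: it returns `ScanWillFail`, while the third shows the same environment kept working through the fallback policy.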

Does Update KB4571756 fix the SSD defrag bug in Windows 10 V2004?

In Windows 10 version 2004 there is the problem that SSD drives were optimized unnecessarily often by the Windows defragmentation. It looks like the cumulative update KB4571756 fixes this issue. Can anyone else confirm this?

Bug defragments SSDs too often

In Windows 10 May 2020 Update (Version 2004) there is a nasty bug in the Windows Defragmenter. The drive optimization no longer remembers its last run, but shows ‘Never run, optimization required’, as blog reader Volker noted in this comment at the end of May 2020. This leads to the unpleasant effect that SSDs are optimized more often than necessary. The bug was reported in January 2020 and should have been fixed long ago. I had described the details in the blog post Windows 10 Version 2004: Update KB4571744 will fix the Defrag bug.

Microsoft tested the preview update KB4571744 with Windows Insiders in the last weeks. The description of the update also says that a defrag error is fixed. However, the hope that the bug that defragmented SSDs was fixed has been dashed. I had added the details in the blog post Windows 10 Version 2004: Update KB4571744 will fix the Defrag bug.

Update KB4571756 fixes the SSD defrag bug

This German comment already asked if the SSD defragmentation bug is fixed. The cautious answer from my side: Yes, but I did not test. In this article Lawrence Abrams discussed the preview update KB4571744 (2020-08 Cumulative Update Preview for Windows 10 Version 2004). According to his tests, the bug that causes excessive defragmentation of SSDs should have been fixed in the latest version of the update.

However, the description of the update KB4571756 does not provide any information about this. It only states that an error during defragmentation has been fixed: Addresses an issue that causes the Optimize Drives dialog to incorrectly report that previously optimized drives need to be optimized again. In the first versions of the preview update, users reported that the SSD defragmentation bug was still present. Regardless of this, the update KB4571756 for Windows 10 V2004 has now been released. Blog reader Derek M has posted this comment here in this blog.

This has finally been fixed for Windows 10 2004 in the September Cumulative update! Confirmed on 2 different computers! It now remembers the last time you defragged/optimized your drives after a restart!

The comment came to the post Windows 10 2004: Bug defragments SSDs too often. So the bug should be fixed. Can anyone confirm this?

Update KB4571756 for Windows 10 Version 2004

Cumulative Update KB4571756 is available for Windows 10 Version 2004 and for Windows Server Version 2004. It includes quality improvements but no new operating system features. I had addressed this update in the article Patchday: Windows 10-Updates (September 8, 2020).

Similar articles:
Microsoft Office Patchday (September 1, 2020)
Microsoft Security Update Summary (September 1, 2020)
Patchday: Windows 10-Updates (September 8, 2020)
Patchday: Windows 8.1/Server 2012-Updates (September 8, 2020)
Patchday: Updates for Windows 7/Server 2008 R2 (September 8, 2020)
Windows 10: Changes in WSUS update scan

Windows 10 Version 2004: Update KB4571744 blocks Sleep/Standby mode

Users of Windows 10 version 2004 have been suffering for some time now from the fact that the sleep or standby mode may be blocked. The problem has been going on for some time and is likely to occur with the cumulative update KB4571744 from September 2020.

Problem with USO Worker since June 2020

With the Windows 10 May 2020 Update (Version 2004), some users have had problems with the energy saving mode right from the beginning. I found the Microsoft Answers forum thread Windows 10 2004 Update – Sleep Mode Issue and Workaround from June 14, 2020. Someone there complains that it takes infinitely long to shut down to sleep mode. On September 5, 2020 a user in this thread reported that his desktop system no longer goes into sleep mode automatically:

My desktop PC has similar issues, won’t go to sleep at times even with nothing running I noticed hours after I stopped using it the monitor was asleep but desktop still had fans running and had not gone into sleep mode.

Also in July 2020, users noticed that the preview update KB4568831 prevents Windows 10 2004 from switching to sleep mode. The update was released on July 31, 2020 (see Windows 10 2004: Cumulative Update KB4568831). The process MoUsoCoreWorker.exe (USO Worker) is responsible: it prevents the system from entering sleep mode and wakes the system up. I found this Microsoft Answers forum thread from June 2, 2020, which already clearly describes this problem and has since grown to many pages. The problem should have been fixed with the update KB4568831 from the end of July 2020.

Issues with .NET Framework Update KB4570721

At the German site deskmodder.de I recently came across this post from the colleagues, which describes the problem of the standby mode (sleep mode) no longer working. There, the optional .NET Framework Update KB4570721, which has not been installed, is named as the cause if Windows 10 does not want to go into energy saving or sleep mode. The update should actually be installed, but Windows Update does not manage to do this and prevents standby. Whether this is the case can be found out with a test. Run the following command in an administrative command prompt:

powercfg /requests

A report is created. This report lists the power requests from applications and drivers that prevent the computer from entering sleep or hibernation mode. The colleagues explain in their article how to identify the devices that prevent the computer from entering standby (power-saving) mode. If the following shows up in the report under Execution:

… System32\MoUsoCoreWorker.exe

then Windows Update is preventing the corresponding energy saving mode (standby). In that case, the Windows Update service should be stopped and then restarted. Then check via Windows Update whether an optional update is now available, and have it installed. With a bit of luck the problem will be solved.
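The check and workaround described above can be scripted. The following PowerShell is an added example, not code from the article or from deskmodder.de: it parses the `powercfg /requests` report into objects and flags a MoUsoCoreWorker.exe entry. The sample report is constructed (including its volume prefix), and `wuauserv` is assumed to be the "Windows Update service" the article means.

```powershell
# Added example: find out what blocks sleep in `powercfg /requests` output
# and apply the workaround from the article if Windows Update is the blocker.

function Get-PowerRequest {
    # Turns the text report into objects with Section (DISPLAY, SYSTEM,
    # EXECUTION, ...), Type (PROCESS, DRIVER, SERVICE) and Requester.
    param([string[]]$Lines)

    $section = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -cmatch '^\p{Lu}+:$') {
            # Section header: one upper-case word followed by a colon
            $section = $text.TrimEnd(':')
        }
        elseif ($section -and $text -match '^\[(?<type>\w+)\]\s+(?<requester>.+)$') {
            [pscustomobject]@{
                Section   = $section
                Type      = $Matches['type']
                Requester = $Matches['requester']
            }
        }
    }
}

# Constructed sample report. On a live system (elevated prompt) use instead:
#   $report = powercfg /requests
$report = @'
DISPLAY:
None.

SYSTEM:
None.

AWAYMODE:
None.

EXECUTION:
[PROCESS] \Device\HarddiskVolume3\Windows\System32\MoUsoCoreWorker.exe

PERFBOOST:
None.

ACTIVELOCKSCREEN:
None.
'@ -split '\r?\n'

$requests = @(Get-PowerRequest -Lines $report)
$usoBlock = @($requests | Where-Object { $_.Requester -like '*\System32\MoUsoCoreWorker.exe' })

$requests | Format-Table -AutoSize

if ($usoBlock.Count -gt 0) {
    Write-Warning 'MoUsoCoreWorker.exe (Windows Update) holds a power request and blocks sleep.'
    # Workaround from the article: stop and restart the Windows Update service,
    # then check Windows Update for a pending optional update.
    # -WhatIf only prints what would happen; remove it to really restart.
    Restart-Service -Name wuauserv -WhatIf
}
```

The section header is matched by pattern rather than by the word EXECUTION, because the headers can be localized on non-English systems.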

Update KB4571744 blocks sleep mode

The cumulative Update KB4571744 has been tested as a preview since August 2020 and is supposed to fix numerous bugs in the Windows 10 May 2020 Update. But the update is also responsible for other follow-up errors. Some users report that ‘sleep mode’ no longer works. Windows Latest now reports here that the cumulative update KB4571744 is responsible for the malfunctioning sleep mode for some users. The article refers to the Microsoft Answers forum post of June 2, 2020 and the last post of September 2020 mentioned above.

So it seems that the problem is back or has never been solved. As a workaround it is suggested to stop the Windows Update service and restart it afterwards. Then check via Windows Update whether an update is now available. You should have it installed and restart the machine. Afterwards the problem with the sleep mode (hibernation) could be solved. All in all, the whole update process seems to be quite shaky now. Anyone affected by the error?

Similar articles:
Windows 10 2004: Preview Update KB4571744 released
Windows 10 Version 2004: Update KB4571744 will fix the Defrag bug
Does Update KB4571756 fixes the SSD defrag bug in Windows 10 V2004?
Windows 10 Insider Preview Build 19042.487 (20H2)


Windows 10 2004: Update KB4571756 collides with Paint Shop Pro 7


I got a report that cumulative security update KB4571756, released by Microsoft on September 8, 2020, causes Explorer issues and crashes when using Paint Shop Pro 7.

Update KB4571756 for Windows 10 Version 2004

Cumulative Update KB4571756 is available for Windows 10 Version 2004 and for Windows Server Version 2004. It includes quality improvements but no new operating system features. The update brings a number of improvements, also in terms of security for performing basic operations. For example, there are fixes for saving and managing files and patches to improve security when using Microsoft Office products. I covered the details in the blog post Patchday: Windows 10-Updates (September 8, 2020).

Issues with Windows Explorer

Shortly after I published the blog post, blog reader Thomas I. contacted me via Facebook and reported serious problems with the Windows Explorer:

Windows 10: Today, update KB4571756 came in, it is causing serious problems for me: The Windows-Explorer has become extremely slow. Each opening of a file leads to a forced pause of several seconds, also the Windows-Explorer crashes again and again. Update KB4571756 uninstalled, they are gone.

The user asked: Does anyone have the same experience? Since nobody answered, the user continued to test.

Paint Shop Pro 7 is the root cause

The user noticed that the Explorer problems occurred in connection with image files. After various tests he was able to trace the problem back to Paint Shop Pro 7.

It turned out that Paint Shop Pro 7 is the culprit. After uninstalling Paint Shop Pro 7 the problem was solved. Tests have shown that Paint Shop Pro 7 now takes a long time to quit and Windows Explorer may crash. And this only in combination with KB4571756.

Possibly the preview handler for image files installed by Paint Shop Pro 7 is the cause. In the past, such handlers were the cause of Explorer crashes or sluggish Explorer actions. I once wrote something about this in the blog post Startmenü oder Explorer geht nicht mehr/ist langsam and in the post Windows Explorer oder die Shell macht Probleme.

Similar articles:
Microsoft Office Patchday (September 1, 2020)
Microsoft Security Update Summary (September 1, 2020)
Patchday: Windows 10-Updates (September 8, 2020)
Patchday: Windows 8.1/Server 2012-Updates (September 8, 2020)
Patchday: Updates für Windows 7/Server 2008 R2 (September 8, 2020)

Windows: Explorer has stopped working (a possible fix)

Windows 10 Version 2004: Update KB4571756 breaks WSL 2


There are reports that the cumulative update for the Windows 10 May 2020 Update (version 2004) from September 8, 2020 breaks the Windows Subsystem for Linux (WSL 2). After installing the update, this business feature can no longer be used.

We have just finished the September 2020 patchday at Microsoft and the first bug reports are already coming in. On GitHub you can find this entry, which deals with problems with WSL 2 in connection with the cumulative update KB4571756.

Windows Subsystem for Linux (WSL 2)

The Windows subsystem for Linux allows developers to run a GNU/Linux environment (including most command line tools, utilities and applications) directly on Windows without the added overhead of a traditional virtual machine or dual-boot setup. Microsoft has described WSL in this document.

Windows Subsystem for Linux (WSL 2) is a new version of the architecture in WSL that changes how Linux distributions interact with Windows. The main goals of WSL 2 are to improve file system performance and add full compatibility of system calls. WSL 2 is only available in Windows 10, version 1903, build 18362 or higher. Some information about WSL 2 can be found in this document.

WSL 2 broken after Update KB4571756

In this GitHub entry, someone mentions a problem with WSL 2 in connection with the cumulative update KB4571756. He has Windows 10 2004, build 10.0.19042.0 installed and is using Ubuntu 20.04 as his WSL 2 distribution. As soon as he installs the cumulative update KB4571756 and then reboots the system, WSL 2 stops working. If he opens a terminal window with WSL, nothing happens.

(Terminal with WSL 2 hangs)

Only the error “Element not found” is reported with installed update KB4571756. In the GitHub thread several users acknowledge the error in connection with Docker. Uninstalling the update fixes the problem. According to neowin Microsoft is working on this problem. 

Update KB4571756 for Windows 10 Version 2004

Cumulative Update KB4571756 is available for Windows 10 Version 2004 and for Windows Server Version 2004. It includes quality improvements but no new operating system features. I described the details in the blog post Patchday: Windows 10-Updates (September 8, 2020). The update is responsible for some collateral damage and issues, but Microsoft didn’t mention the above bug. 

Similar articles:
Patchday: Windows 10-Updates (September 8, 2020)
Windows 10 20H2 Build 19042.508 (KB4571756) für Insider
Does Update KB4571756 fixes the SSD defrag bug in Windows 10 V2004?
Windows 10 2004: Update KB4571756 collides with Paint Shop Pro 7

Windows 10 V190x: Bitdefender Antivirus blocks Update KB4574727


Users of Bitdefender antivirus protection have had a problem in Windows 10 190x. The security solution incorrectly blocked the Windows 10 cumulative update KB4574727 as malicious.

Update KB4574727 for Windows 10 Version 1903/1909

Update KB4574727 was released on September 8, 2020 for Windows 10 version 1903/1909 and Windows Server version 1903 and 1909. The update brings the following improvements:

  • Updates to improve security when Windows performs basic operations.
  • Updates to improve security when using input devices (such as a mouse, keyboard, or pen).
  • Updates to improve security when using Microsoft Office products.

I had reported more details about this cumulative update in the blog post Patchday: Windows 10-Updates (September 8, 2020). Since it closes vulnerabilities and fixes bugs, installing the update on affected machines is essential. 

Bitdefender Antivirus blocks Update KB4574727

However, users who use Bitdefender as antivirus protection on Windows 10 have run into a problem. The security solution incorrectly blocked the Windows 10 cumulative update KB4574727 as malicious. On reddit.com there is this thread where a user describes the problem. 

Anyone else getting Trojan hits for the latest windows 10 patch Windows10.0-KB4574727-x64.cab? Bit Defender keeps pinging it as Trojan.Ciusky.Gen.13

When Bit Defender protection is used, the antivirus engine incorrectly flags the KB4574727 cumulative update as a potential threat. After the update is successfully downloaded from Windows Update, the Bitdefender antivirus engine blocks this update when the device is restarted. Actually the restart is used to complete the installation process. However, this cannot be done, which means that update KB4574727 cannot be installed successfully. Someone has posted a screenshot of this message on Twitter.

(Bitdefender blocks Update KB4574727, Source: Twitter)

The error is confirmed by several users on reddit.com. Also on Microsoft Answers there is this thread with a corresponding post. Also in the Bitdefender-Forum there is this post about the error. Softpedia picked it up here and Techdows here. As a workaround it is recommended to disable Bitdefender during the update installation or to define an exception.

Windows 7 Sept. 2020 Updates: BypassESU v8 required


Windows 7 SP1 users who want to continue to install the September 2020 security updates from the ESU program but do not have an ESU key will need an updated version 8 of the BypassESU solution. Here is some information on the topic.

What is update installation with BypassESU?

Since 14.1.2020 Windows 7 SP1 and Windows Server 2008 R2 have been dropped from support. To continue to install security updates in Windows 7 SP1 and Windows Server 2008 R2 after the end of support (14.1.2020) Microsoft offers Extended Security Update (ESU). In forums tinkerers have posted the tool BypassESU, with which updates can be obtained via Windows Update even without an ESU license in Windows 7 SP1. In the blog post Windows 7: Forcing February 2020 Security Updates – Part 1 I gave some hints about this solution.

September 2020 Updates need BypassESU v8

In my German blog somebody gave the feedback to the article Patchday: Updates für Windows 7/Server 2008 R2 (08.09.2020) that the tool BypassESU v7 didn’t work for installing September 2020 security updates. A user wrote:

BypassESU has been updated to v8, v7 no longer works with the September updates. […]

Explanation of the authors: “They bumped ESU component version to 7602.24560 which exceeds KB4528069 version 7602.20587 this was expected, I’m surprised it took them 6 months to do it”.

However, the developers have released an updated BypassESU version v8, which allows installing the updates from September 2020 on Windows 7 SP1. A comment within the article Patchday: Updates für Windows 7/Server 2008 R2 (08.09.2020) contains the GitHub links to the downloads. The colleagues from deskmodder.de have taken up the topic as usual and point out that BypassESU v7 does not work anymore. In this updated article you can find the conditions that have to be fulfilled for the successful installation of the September 2020 updates.

  • All updates up to 14.1.2020 have already been installed (requires no BypassESU)
  • Update KB4575903 for ESU licensing from 29.7.2020 was installed
  • BypassESU v8 is required – the download addresses can be found at deskmodder.de

Afterwards you should be able to install the security update from September 2020 (rollup, security-only) and the Servicing Stack Update (SSU). In case of problems, especially with the .NET Framework Update Sept. 2020, check the German comments here in the blog and at deskmodder.de.

Similar articles:
Wow! Windows 7 get extended support until January 2023
Windows 7: Free Extended Update Support and usage
Windows 7 Extended Security Updates (ESU) requirements
Windows 7 Extended Security Update (ESU) program available
Windows 7 Extended Security Updates (ESU) program, price and source for SMEs

Windows 7: Buy and manage ESU licenses – Part 1
Windows 7: Preparing for ESU and license activation – Part 2
Windows 7: ESU Activation in Enterprise Environment – Part 3
Windows 7: ESU questions and more answers – Part 4

Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674

Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2

Patchday: Updates for Windows 7/Server 2008 R2 (09/08/2020)

Windows 10 Insider Preview Build 20211 released


Microsoft has released the Windows 10 Insider Preview Build 20211 for Windows Insiders in the Dev Channel on September 19, 2020. The announcement was made in the Windows-Blog, where you can read the list of new features, fixes and known issues. Microsoft has added a search to the pages of the standard applications in Settings. And it is possible to access Linux file systems in the Windows Subsystem for Linux.

Warning about a new Emotet-Ransomware campaign (Sept. 2020)


The cyber criminals behind the blackmail Trojan Emotet are currently running a new ransomware campaign. Security authorities in various countries are warning of new waves of attacks.

Emotet started its life as a simple banking Trojan when it was created in 2014 by a hacker group with various names, including TA542, Mealybug and MUMMY SPIDER. Since then, Emotet has evolved into one of the longest running and most dangerous ransomware variants. At the beginning of 2020, things calmed down for a while because a security researcher had found an antidote (see EmoCrash protected systems for 6 months against emotet-infections).

But since summer 2020 Emotet has been back, and the people behind it are currently running new campaigns to distribute the blackmail Trojan. France, Japan and New Zealand are currently affected by a wave of Emotet attacks, so the responsible cyber security authorities have issued warnings. Bleeping Computer has addressed the warning of the French cyber security authorities here.

ZDNet reports a sharp increase in Emotet attacks. According to ZDNet, the Emotet warnings refer to e-mail spam campaigns. These emanate from the Emotet infrastructure and target companies and government agencies in these countries.

In France, Emotet infected computers on the network of the Parisian justice system. The French Ministry of the Interior blocked the delivery of all office documents (.doc) by email. The French cyber security agency ANSSI issued an official cyber security warning this week on Monday. ANSSI asked government agencies to be vigilant about the emails they open.

Emotet Heat Map

The tweet above shows an Emotet Heat Map with the worldwide infections. A second map can be found here. The USA and Europe are doing well.

Similar articles:
Emotet C&C servers deliver new malware
FAQ: Responding to an Emotet infection
CERT-Bund/BSI Warning about Emotet-Trojan/Ransomware
Cryptolaemus and the fight against Emotet
Emotet Trojan can overload computers on the network
Microsoft warns of massive Emotet campaign
EmoCrash protected systems for 6 months against emotet-infections

0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2


ACROS Security has released a micropatch for the vulnerability CVE-2020-1530 (use-after-free bug in Windows Remote Access Phonebook) for Windows 7 and Server 2008 R2 (without ESU license).

The vulnerability CVE-2020-1530

CVE-2020-1530 was issued for a Windows Remote Access elevation of privilege vulnerability. Microsoft does not provide details, but only writes that an elevation of privilege vulnerability exists when Windows Remote Access improperly handles memory. According to Microsoft, to exploit this vulnerability, an attacker would first have to obtain execution on the victim’s system (but can do so remotely). An attacker could then execute a specially crafted application to elevate privileges.

However, ACROS Security states that it is a use-after-free vulnerability in Windows Phonebook that allows attacks via Windows Remote Access. Microsoft released security updates for Windows 7 to Windows 10 on August 11, 2020. However, users of Windows 7 SP1 and Windows Server 2008 R2 who do not have an ESU license will no longer receive the security updates released by Microsoft.

0patch-Fix for Windows 7 SP1/Server 2008 R2

ACROS Security has developed a micropatch for the vulnerability CVE-2020-1530. I became aware of the release of the micropatch for Windows 7 SP1 and Windows Server 2008 R2 via Twitter.

(0patch fix for CVE-2020-1530 for Windows 7 SP1/Server 2008 R2)

This micropatch is now available for 0patch users with PRO license and is already applied to all online computers with 0patch Agent (except in non-standard enterprise configurations). As always, there is no need to restart the computer and users’ work is not interrupted.

For information on how the 0patch Agent works, which loads the micro-patches into memory at runtime of an application, please refer to the blog posts (e.g. here) I have linked below. 

Similar articles:
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2


Windows 10 Build 20211.1005 (KB4581021) for Insider


Microsoft has released the Windows 10 Insider Preview Build 20211.1005 as an update (KB4581021) for Windows Insiders in the Dev Channel. Addendum: The build has been pulled.

The announcement of build 20211 was made in the Windows-Blog, where you can read the list of fixes and known issues. There the update KB4581021, which does not contain any new features, is mentioned. Here is the tweet of the Windows Insider Team:

Windows Insider Build

The update KB4581021 raises Windows 10 to build 20211.1005, but is only a test.

Addendum: The text passage has been crossed out in the meantime. In an addendum, Microsoft confirmed a bug that prevents the installation. Barb Bowman and Rafael Rivera have posted the following tweets about it.

Windows Insider Build

Microsoft has been investigating the issue and pulled the update.


Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC


Short question to administrators who are still using Windows 10 Enterprise LTSC V1607 or Windows Server 2016: Is your Event Viewer flooded with Event ID 5827 entries after update KB4571694 from August 11, 2020 has been installed? I already covered this topic in my blog, and now a blog reader has fallen into the trap. The problem is that the changes requested by Microsoft cannot be made via MMC. A DLL is suddenly broken and generates errors.

Update KB4571694 for Windows 10 V1607

KB4571694 released on August 11, 2020 is only available for Windows 10 Version 1607: Enterprise LTSC and Windows Server 2016. According to the KB article, the security update includes numerous fixes. Here are the highlights:

  • Updates an issue that causes File Explorer to close unexpectedly when creating shortcuts.
  • Updates for verifying usernames and passwords.
  • Updates to improve security when Windows performs basic operations.
  • Updates for storing and managing files.

Details about the fixes can be found in the support article linked above.

Update KB4571694 causes issues

I received a reader’s message from Black Smith via the social network mewe.com. He installed this update in a DataCenter Server environment with Active Directory (AD) and encountered issues. Here is his description:

Update KB4571694

I blocked this update, but it made its way to several 2016 data center servers. If anyone has any relevant hints why this update explodes the event log on every server belonging to the AD, I would be grateful. Event ID 5827, and if there was an explanation for this mangy behaviour due to the multiple installation…I would be very impressed…

In my blog post Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020) I already mentioned the fact that the update from August 11, 2020 generates EventID 5827 – 5829 warnings in the event viewer of Active Directory (AD) domain controllers.

In my blog post I had also referred to a support article from Microsoft with hints how to turn this off. The user has tried to implement the notes in this Microsoft support article How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472, but he failed. He writes that at the point:

Navigate in  Group Policy to Computer Configuration > Windows Setting > Security Settings > Local Policy > Security Options

a wsecedit.dll error occurs (see screenshots below). Thus the MMC refuses to include its snap-in (2nd screenshot).

wsecedit.dll Error

MMC-Error

The popup recommends relaunching MMC, but that didn’t help. The environment: virtualized Server 2016 Datacenter Edition, fully patched according to the affected user, on an ESX host 6.7 with the latest patches. There are 19 affected, and Veeam Backup has also stopped working due to authentication errors. Has anyone had similar experiences or a tip?
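When the System log is flooded with the Netlogon events 5827 to 5829 mentioned above, the first question is which accounts cause them. The following PowerShell is an added example, not part of the reader's report or of Microsoft's support article: it groups the events per account. It assumes English event text containing a "Machine SamAccountName:" line; the sample events and account names are constructed.

```powershell
# Added example: summarise Netlogon events 5827-5829 (CVE-2020-1472) per account.

$NetlogonIds = @{
    5827 = 'denied: vulnerable secure channel connection from a machine account'
    5828 = 'denied: vulnerable secure channel connection from a trust account'
    5829 = 'allowed: vulnerable secure channel connection (initial deployment phase)'
}

function Get-NetlogonAccount {
    # Assumption: English message text with a "Machine SamAccountName:" line.
    param([string]$Message)
    if ($Message -match '(?m)^\s*Machine SamAccountName:\s*(?<name>\S+)') { $Matches['name'] }
    else { '(not parsed)' }
}

function Group-NetlogonEvent {
    # Accepts any objects with Id, TimeCreated and Message (Get-WinEvent output fits).
    param([object[]]$Events)

    $Events |
        Select-Object Id, TimeCreated,
            @{ Name = 'Account'; Expression = { Get-NetlogonAccount $_.Message } } |
        Group-Object Id, Account |
        ForEach-Object {
            $times = @($_.Group.TimeCreated | Sort-Object)
            [pscustomobject]@{
                Id      = $_.Group[0].Id
                Account = $_.Group[0].Account
                Count   = $_.Count
                First   = $times[0]
                Last    = $times[-1]
                Meaning = $NetlogonIds[[int]$_.Group[0].Id]
            }
        } |
        Sort-Object Count -Descending
}

function New-SampleEvent {
    # Builds a constructed event so the script runs without a domain controller.
    param([int]$Id, [string]$Time, [string]$Account)
    [pscustomobject]@{
        Id          = $Id
        TimeCreated = [datetime]$Time
        Message     = @(
            'Netlogon secure channel event (constructed sample text)'
            "Machine SamAccountName: $Account"
            'Domain: EXAMPLE'
        ) -join "`n"
    }
}

$sample = @(
    New-SampleEvent 5827 '2020-09-14T08:01:00' 'LEGACY-NAS01$'
    New-SampleEvent 5827 '2020-09-14T08:06:00' 'LEGACY-NAS01$'
    New-SampleEvent 5829 '2020-09-14T08:07:30' 'BACKUP-PROXY$'
)

# On a domain controller, feed in the real events instead of $sample:
#   $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5827, 5828, 5829 } `
#                 -ErrorAction SilentlyContinue
Group-NetlogonEvent -Events $sample | Format-Table -AutoSize
```

A short list of accounts with high counts usually points to a few devices that still open vulnerable Netlogon connections, which is more useful than the raw event flood.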

Windows 10 Version 1903: Support ends December 8, 2020


A small reminder for users of Windows 10 version 1903, which was released in spring 2019 and reaches the end of its 18-month support period on December 8, 2020.

I don’t know how many blog readers are on Windows 10 version 1903. But December 8, 2020 marks the end of the 18-month support period. That’s what Microsoft’s Windows Lifecycle information sheet says. 

Windows 10 End of Life
(Source: Microsoft)

Since Windows 10 version 1903 is a version released in spring, the end of support applies to all variants:

  • Windows 10 Home Version 1903
  • Windows 10 Pro Version 1903
  • Windows 10 Pro Education Version 1903
  • Windows 10 Pro for Workstations Version 1903
  • Windows 10 Enterprise Version 1903
  • Windows 10 Education Version 1903
  • Windows 10 IoT Enterprise Version 1903

On December 8, 2020, these SKUs will thus receive their last security updates. According to this FAQ, Microsoft recommends to upgrade to the current Windows 10 version (which would be 2004) as soon as possible. I assume that even Windows 10 20H2 will be generally released in December 2020. 

Windows 10 V1903: Forced update threatens

Microsoft now gives users of Windows 10 the option of postponing feature updates. However, owners of older Windows 10 installations are now about to feel what Windows-as-a-Service means. In addition to a notification that the end of support is imminent on December 8, 2020, there is also the threat of a forced upgrade. Microsoft had reserved the right to download and install feature updates shortly before the end of support for a Windows 10 build. This should soon be the case. Has anyone received this notification or been forcibly upgraded to a current Windows 10 build?

Similar articles:
Windows 10 V1803 threatens a forced update as of July 2019
Windows 10 V1803: Force update to V1903 – Part 1
Windows 10 up to V1803: Details for Upgrade to V1903  – Part 2
Windows 10 V1803 will be updated to Version 1903
Windows 10: force upgrade to V1803 and EOL notification
Windows 10 V1809: Auto Update to Version 2004 has begun?
Support extension for Windows 10 V1809 until Nov. 2020

Windows 10: Activated Hyper-V /Sandbox creates a 0-day Exploit


A reverse engineer came across a vulnerability in Windows 10 in conjunction with the Hyper-V/Sandbox feature. Activating Hyper-V or the sandbox opens a 0-day vulnerability that can be used to attack the system.

What is the Windows Sandbox?

Probably every Windows user is familiar with this: you want to use a piece of software for the first time, but you have concerns about running the downloaded executable file. This is exactly where the Windows Sandbox comes in: It provides an environment in which the software can be installed and executed. The application is isolated from the actual operating system and cannot make any changes there. The Windows Sandbox provides an isolated, temporary desktop environment where users can run untrusted software without fear of permanent impact on their PC.

Any software installed in Windows Sandbox stays only in the Sandbox and cannot affect your host. When you close Windows Sandbox, all software, files and statuses are permanently deleted. This feature is part of Windows 10 Pro, Education and Enterprise, but not part of Windows 10 Home. I have summarized further details in the blog post Windows 10 gets Sandbox for applications. In addition, the virtualization function Hyper-V must be supported by the CPU and the sandbox mode must be activated under Windows. 

The vulnerability in the Windows Sandbox/Hyper-V

I noticed the Windows Sandbox mainly because of several bugs that made it unusable (see link list at the end of this article). Now there is a 0-day vulnerability in the sandbox and Hyper-V. The reverse engineer Jonas Lykkegaard recently discovered this issue and published it in a tweet.

Sandbox vulnerability

The vulnerability allows an unprivileged user to create an arbitrary file in the system32 Windows subfolder. Normally, files can only be placed in this Windows subfolder with elevated privileges. The vulnerability in the Windows Sandbox or with Hyper-V enabled also allows users with standard user rights to write to the system32 Windows subfolder.

To demonstrate the vulnerability in the affected driver, Lykkegaard created an empty file phoneinfo.dll in \system32. Since the creator of the file is also its owner, an attacker can use this to place malicious code in it and execute the file on demand. Security researcher Will Dormann confirms the vulnerability on Twitter and writes:

Any Windows system with Hyper-V enabled is vulnerable to a trivial privilege escalation by allowing an unprivileged user to create a file named whatever he wants and wherever he wants.

The good news is that this only works when Hyper-V is enabled on the Windows 10 / Windows Server system. This should limit the scope of an exploit, since the Hyper-V option is disabled by default. Bleeping Computer has collected more details here.
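Because a file created this way is owned by the unprivileged user who created it, ownership is a usable detection signal. The following PowerShell is an added example, not code from the researchers or from the article: it reports whether the Hyper-V and Windows Sandbox features are enabled and lists files in System32 whose owner is not SYSTEM, Administrators or TrustedInstaller. The feature names are the Windows 10 client names, and the choice of these three owners as the expected baseline is an assumption of this example.

```powershell
# Added example: audit System32 for files owned by unexpected accounts.

# Well-known SIDs (language independent) that normally own files in System32.
$TrustedOwners = @(
    'S-1-5-18'       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-HyperVFeatureState {
    # Needs an elevated prompt; reports 'unknown' if the query fails.
    foreach ($feature in 'Microsoft-Hyper-V-All', 'Containers-DisposableClientVM') {
        try {
            Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction Stop |
                Select-Object FeatureName, State
        }
        catch {
            [pscustomobject]@{ FeatureName = $feature; State = 'unknown (run elevated)' }
        }
    }
}

function Get-UnexpectedFileOwner {
    param(
        [string]$Path = (Join-Path $env:windir 'System32'),
        [string[]]$AllowedSid = $TrustedOwners
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            try   { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).GetOwner($sidType) }
            catch { return }   # ACL not readable: skip this file

            if ($null -eq $owner -or $owner.Value -in $AllowedSid) { return }

            try   { $name = $owner.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved)' }

            [pscustomobject]@{
                File     = $_.Name
                Length   = $_.Length          # the demo file in the article was empty
                Created  = $_.CreationTime
                Owner    = $name
                OwnerSid = $owner.Value
            }
        }
}

Get-HyperVFeatureState | Format-Table -AutoSize

$findings = @(Get-UnexpectedFileOwner)
if ($findings.Count -eq 0) {
    'No files with unexpected owners found in System32.'
}
else {
    $findings | Sort-Object Created -Descending | Format-Table -AutoSize
}
```

Any file listed deserves a closer look, especially a recently created or zero-length DLL owned by a standard user account.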

Similar articles
Windows 10 gets Sandbox for applications
Windows 10 V1903: Sandbox fails with error 0xc0370106
Windows 10: Update KB4483214 breaks Sandbox mode
Windows 10 V1903: Update KB4497936 breaks Sandbox

Office 2016: Documents cannot be stored on network shares


A German blog reader contacted me about an observation. For weeks he has been getting more and more reports from users in his enterprise network with Windows Server 2012 that Office documents sporadically cannot be stored on network shares. The clients run Windows 10 version 1909. After some tests he suspects that updates could be causing the issue.

It is clear to me that there could be a thousand reasons for these observations, which could be caused by the user’s network alone. But in case of such errors it helps to ask for other affected persons.

The problem description

Blog reader StefanP works as an administrator in a corporate environment and takes care of the users, as I read in his mail yesterday. He wrote ‘Maybe you can put the following to the wider audience in the blog …’ and describes the symptoms as follows:

Trouble with network shares in Office/Excel

For several weeks now, we have been getting more and more reports from users here in my enterprise, that Office documents cannot be stored on network shares.

My research so far shows the following, comprehensible scenario:

1.) Open a network share in Windows Explorer (e.g. \\MyServer\MyShare\MyFolder or X:\MyFolder)

2.) Double-click on an Excel file (XLS or XLSX), Excel opens the file

3.) Immediately after pressing the F5 key in Windows Explorer, an error message appears: “\\MyServer\MyShare\MyFolder” is not available. If …

4.) After a few seconds press F5 again in Windows Explorer: Everything is OK again, all files in \\MyServer\MyShare\MyFolder are displayed.

5.) Close Excel without changes to the file

6.) Immediately after pressing the F5 key in Windows Explorer, the error message “\\MyServer\MyShare\MyFolder” is not available. If … occurs again.

7.) After a few seconds press F5 again in Windows Explorer: Everything is OK again, all files in \\MyServer\MyShare\MyFolder are displayed.

So access to network shares is sporadically unavailable. Stefan describes his environment as:

  • The network shares are on a Windows Server 2012 (not R2).
  • The domain server is also a Windows Server 2012, and the AutoDisconnect option is, according to his specifications, disabled on the file server.
  • Excel (32bit) is used on all computers as part of Office 2016 Standard.
  • The workstations used as clients run Windows 10 V1909.

The computers are fully patched. Stefan wrote that on all computers the September 2020 updates for Windows and Office 2016 are installed.

The problem occurs only with Office

StefanP did further tests and tried the above scenario with simple text files. For this scenario he writes the following:

1.) Opening a TXT file with the Windows Editor from the same network share does not cause any problems.

2.) Opening an Excel file from the same network share does not cause problems on a test system under Windows 10 V1809.

He concludes that Windows 10 V1909 seems to be at least part of the problem. However, most of his computers have been updated from Windows 10 V1809 to V1909 months ago. Since Microsoft Office 2016 has been in use for years, he suspects that Windows and/or Office patches are probably partly responsible.

He asks if I have ever heard of such problems. I’ve been seeing a lot of Office 365 issues lately, but this issue is not among them. So I pass the question on to blog readers and ask: Are you aware of this behavior?
