Channel: Windows – Born's Tech and Windows World

Sysmon: extract ProcessGUIDs, ParentProcessGUIDs, LogonGUIDs

How can we extract the data embedded in Sysmon identifiers such as ProcessGUIDs, ParentProcessGUIDs and LogonGUIDs? Someone wrote a small PowerShell script for this, which may be of interest to some readers.

Well, this is a somewhat esoteric topic that I just came across. The Sysinternals tools include the program Sysmon, which received an update a few days ago (see Sysinternals: Sysmon V8.0, Autoruns V13.90).

What’s Sysmon?

System Monitor (Sysmon) is a Windows system service and device driver that, once installed, remains resident across system reboots to monitor system activity and write it to the Windows event log. The tool provides detailed information about process creation, network connections and changes to file creation time. Administrators can collect and analyze the events using Windows Event Collection or SIEM agents. This makes it possible to detect and understand malicious or anomalous activity.

Extract Parent-/ProcessGUIDs, LogonGUIDs

Matt Graeber, a security expert, wanted to know more about how Sysmon derives the ProcessGUIDs, ParentProcessGUIDs and LogonGUIDs it logs, as he wrote on Twitter.

I always wanted to know how Sysmon ProcessGUIDs, ParentProcessGUIDs, and LogonGUIDs were derived. I did some reversing and figured it out. Here’s a quick and dirty parser to extract the embedded data within the GUIDs. Enjoy! #DFIR https://t.co/C7sqz0Hg35 pic.twitter.com/e7v06MFEen

— Matt Graeber (@mattifestation) July 8, 2018

His motivation was that he needed the data outside Sysmon for correlation purposes. He also wanted to assess to what extent an attacker could influence the GUIDs.

So he dug a little and, as he writes, developed a quick and dirty parser to extract the data embedded within the GUIDs. The PowerShell code is available on GitHub. This gives some insight into Windows internals. And, as he adds, he now also knows that the first part of the GUID contains personally identifiable information.


Windows 10 Insider Preview Build 17713 released

Microsoft released the Windows 10 Insider Preview Build 17713 (Redstone 5) in the Fast Ring and the Skip Ahead Ring. The announcement was made, as usual, in the Windows Blog. This build is already part of the RS5_RELEASE fork, and the Skip Ahead ring will soon be changed to the Fast Ring. The changes affect Edge, Fluent Design, Display, Notepad Editor, Remote Desktop, Web Login, Windows Defender Application Guard, and more. Details can be found in the Microsoft blog entry.

Media Creation Tool creates Windows 10 17134.112 image

Microsoft has adapted its Media Creation Tool to create installation images of Windows 10 with build 17134.112. In addition, Microsoft has removed the 'Targeted' restriction for Windows 10 V1803 with the July 2018 patchday.

If you create a Windows 10 installation image with the Microsoft Media Creation Tool (MCT) for Windows 10 V1803, you receive the Windows 10 April Update (V1803). This means that you have to install cumulative updates after a fresh installation.

MCT loads Windows 10 17134.112

The colleagues at the German site deskmodder.de report that the Media Creation Tool now downloads and creates an installation image (ISO or USB stick) with build 17134.112. This is the version level for Windows 10 V1803 with the June 2018 patch level (see Patchday: Windows 10 updates June 12, 2018).

Windows 10 V1803 is Semi Annual Channel (SAC)

There is another change to report. Crysta T. Lacey (@PhantomofMobile) pointed out to me on Twitter that Windows 10 V1803 is now Semi Annual Channel (SAC).

This means that the 'Targeted' restriction within the life cycle model (see table below) has been removed.

Windows 10 Servicing Option
(Source: Microsoft)

This means that Microsoft no longer limits the distribution of Windows 10 V1803 as a feature update to different targets. Windows 10 V1803 is in Semi Annual Channel (SAC).

Similar articles:
Microsoft: Windows 10 V1803 is business ready, install it …

DHCP-Bug in Update KB4338814 (Windows 10 Version 1607)

A short note to administrators running Windows Server version 1607 as a DHCP failover server. Cumulative update KB4338814 brings a nasty DHCP bug with it when installed, so that Windows 10 Enterprise clients no longer have a network connection.

The problem is actually limited to a small group of users, since Microsoft has discontinued support for the Anniversary Update (V1607) of Windows 10 Home and Pro (see Windows 10: End of Life for several builds). Only Windows 10 Enterprise and Education and Windows Server 2016 (and LTSC versions) still receive this update.

Unofficially, it should also be installable for Home and Pro, since Clover Trail machines receive support until 2023 (see Windows 10 support for Clover Trail machines till 2023). However, these machines are not affected by the bug, as it only affects clients served by DHCP failover servers.

Update KB4338814 for Windows 10 Version 1607

For this reason I had only briefly mentioned the KB4338814 update in my blog post Patchday: Windows 10-Updates July 10, 2018. Microsoft writes that the update contains quality improvements and addresses the following issues:

  • Updates Internet Explorer’s Inspect Element feature to conform to the policy that disables the launch of Developer Tools.
  • Addresses an issue that, in some cases, causes the wrong IME mode to be chosen on an IME-active element.
  • Addresses an issue where DNS requests disregard proxy configurations in Internet Explorer and Microsoft Edge. 
  • Addresses additional issues with updated time zone information.
  • Updates support for the draft version of the Token Binding protocol v0.16. 
  • Evaluates the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.

And the package contains security updates to Internet Explorer, Microsoft Edge, Windows apps, Windows graphics, Windows datacenter networking, Windows virtualization, Windows kernel, and Windows Server. This update is not available with express installation files for Windows Server 2016.

Microsoft revealed a DHCP issue on Servers

I didn’t explicitly address it in the blog post Patchday: Windows 10-Updates July 10, 2018 (I’m not sure if it was already included in the KB article). German blog reader Thorsten pointed it out in a comment, and there is also a thread about it at reddit.com. On reddit an administrator is annoyed that the KB4338814 update is being pushed to his machines via WSUS although there is a known issue. Microsoft writes in the KB4338814 article that there is a known problem with this update.

After installing this update on a DHCP Failover Server, Enterprise clients may receive an invalid configuration when requesting a new IP address.  This may result in loss of connectivity as systems fail to renew their leases.

Unfortunately, there is no workaround except to block the update. Microsoft is working to fix the bug and hopes that it can be fixed by mid-July 2018. Is anyone affected by this problem?

Similar articles:
Adobe Flash Player Version 30.0.0.134
Microsoft Office Patchday (July 3, 2018)
Patchday: Windows 10-Updates July 10, 2018
Patchday: Updates for Windows 7/8.1/Server July 10, 2018
Patchday Microsoft Office Updates (10. Juli 2018)

Microsoft Desktop Optimization Pack (MDOP) July 2018 Service Release

A short notice for administrators in Windows environments who have a Software Assurance contract. Microsoft released the MDOP July 2018 Service Release for the Microsoft Desktop Optimization Pack (MDOP) on July 11, 2018.

What is Microsoft Desktop Optimization Pack (MDOP)?

Microsoft writes: The Microsoft Desktop Optimization Pack (MDOP) is a portfolio of technologies available as a subscription for Software Assurance customers. MDOP helps to improve compatibility and management, reduce support costs, improve asset management, and improve policy control.

The MDOP Information Experience provides product documentation, videos, blogs, and other resources to help users implement and optimize their experience with the MDOP technologies. The linked website contains further details.  

MDOP Service Release July 2018

Twitter user WZor, previously known for his hints on Windows 8/8.1 beta leaks, mentioned the service release in a tweet.

The download is available on this Microsoft page. The download consists of the following files:

MBAM2.5_Client_x64_KB4340040.exe
MBAM2.5_Client_x64_KB4340040.msp
MBAM2.5_Client_x86_KB4340040.exe
MBAM2.5_Client_x86_KB4340040.msp
MBAM2.5_X64_Server_KB4340040.exe
MBAM2.5_X64_Server_KB4340040.msp

Installation packages for the 32- and 64-bit versions of the Windows clients and a 64-bit package for the servers are offered. Each package is available as an .exe file or an .msp file.

My hint: Download and use the .msp file (Microsoft Windows Installer Patch file) instead of the .exe file. The reason: The .exe variant just unpacks the .msp file into a temporary directory and then starts the installer for the patch. This is not optimal for security reasons (see my German blog post Microsoft und die Office 20xx-Sicherheitslücke in ose.exe).

MDOP supports Windows 10, Windows 7 Enterprise, Windows 7 Ultimate, Windows 8 Enterprise, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2.

What else has to be considered

From Windows 10 1607, Microsoft Application Virtualization (App-V) and Microsoft User Experience Virtualization (UE-V) are included in the package. These components are maintained via the monthly Windows 10 update.

The reference to KB4340040 that Microsoft gives on the download page is currently useless. The description does not exist yet, and the link delivers a 404 page.

Microsoft Patchday: Other Updates July 10, 2018

On July 10, 2018 (patchday) Microsoft released further updates for Internet Explorer, Windows Server, etc. This blog post contains details of selected patches that are not included in the remaining articles linked at the end of the article.

General information

With the July 2018 patchday, Microsoft closed 53 vulnerabilities in Windows, Office and other Microsoft products, 18 of which were critical. Bleeping Computer has published an overview and an article on the fix for the “Lazy FP State Restore” bug on Intel CPUs. Talos has an overview of critical vulnerabilities closed on patchday, and patchtuesdaydashboard.com also lists these updates. A complete overview can also be found on Microsoft’s web site. Some of the updates mentioned there are described in separate blog posts (see link list at the end of the article).

Security updates

The following security updates have been released.

  • Update KB4134651: Security Update for WES09 and POSReady 2009 for x86-based Systems
  • Update KB4291391: Security Update for Windows Server 2008 and Windows XP Embedded
  • Update KB4293756: Security Update for Windows Server 2008
  • Update KB4295656: Security Update for Windows Server 2008
  • Update KB4338597: Security Only Update for .NET Framework 3.0 on WES09 and POSReady 2009
  • Update KB4338598: Security Only Update for .NET Framework 4 for WES09 and POSReady 2009
  • Update KB4338615: Security Only Update for .NET Framework 2.0 on WES09 and POSReady 2009
  • Update KB4338820: Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012
  • Update KB4338830: Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012
  • Update KB4338832: Security Update for Adobe Flash Player for Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507, Windows 10, Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, and Windows Server 2012
  • Update KB4339093: Cumulative Security Update for Internet Explorer
  • Update KB4339291: Security Update for WES09 and POSReady 2009
  • Update KB4339503: Security Update for Windows Server 2008
  • Update KB4339854: Security Update for WES09 and POSReady 2009
  • Update KB4340004: Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
  • Update KB4340005: Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Embedded 8 Standard and Windows Server 2012
  • Update KB4340006: Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Windows Server 2012 R2
  • Update KB4340007: Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008
  • Update KB4340556: Security and Quality Rollup for .NET Framework 3.5.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
  • Update KB4340557: Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Embedded 8 Standard and Windows Server 2012
  • Update KB4340558: Security and Quality Rollup for .NET Framework 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2
  • Update KB4340559: Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008
  • Update KB4340583: Security Update for Windows Server 2008

Non security updates

  • Update KB2952664: Compatibility update for keeping Windows up-to-date in Windows 7
  • Update KB2976978: Compatibility update for keeping Windows up-to-date in Windows 8.1
  • Update KB4054529: Microsoft .NET Framework 4.7.2 Language Packs for Windows 7 and Windows Server 2008 R2
  • Update KB4054530: Microsoft .NET Framework 4.7.2 for Windows 7 and Windows Server 2008 R2
  • Update KB4054533: Microsoft .NET Framework 4.7.2 Language Packs for Windows Embedded 8 Standard and Windows Server 2012
  • Update KB4054534: Microsoft .NET Framework 4.7.2 Language Packs for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2
  • Update KB4054535: Microsoft .NET Framework 4.7.2 Language Packs for Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507, and Windows 10
  • Update KB4054542: Microsoft .NET Framework 4.7.2 for Windows Embedded 8 Standard and Windows Server 2012
  • Update KB4054566: Microsoft .NET Framework 4.7.2 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2
  • Update KB4054590: Microsoft .NET Framework 4.7.2 for Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507, and Windows 10
  • Update KB4073120: Microsoft .NET Framework 4.7.2 for Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507, and Windows 10
  • Update KB4073705: Microsoft .NET Framework 4.7.2 Language Packs for Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507, and Windows 10
  • Update KB890830: Windows Malicious Software Removal Tool – July 2018

Furthermore, Microsoft has changed the metafiles of some updates (affected packages can be found here). And on WSUS a number of updates were released again; the cause is unknown.

Similar articles:
Adobe Flash Player Version 30.0.0.134
Microsoft Office Patchday (July 3, 2018)
Patchday: Windows 10-Updates July 10, 2018
Patchday: Updates for Windows 7/8.1/Server July 10, 2018
Patchday Microsoft Office Updates (10. Juli 2018)
Microsoft Patchday: Other Updates July 10, 2018

July 2018 Patchday issues, KB4018385 pulled – Part I

Here is my Friday post with a short collective article about some of the issues surrounding the Microsoft July 2018 patchday. Microsoft has acknowledged the installation error 0x80092004 as a known issue for the .NET Framework update KB4340558. Update KB4018385 has also been withdrawn.

Office 2016 Update KB4018385 pulled

I mentioned the non-security update KB4018385 for Office 2016, released on Office patchday (1st Tuesday of the month), in my blog post Microsoft Office Patchday (July 3, 2018).

Update KB4018385

Now Microsoft has pulled update KB4018385 for Microsoft Office 2016; the KB article shows the note visible in the screenshot above (thanks to the German blog reader for the hint). Addendum: The update has been pulled due to crashes of Office 2016 while using charts. Woody Leonhard has compiled the whole story with its history at Computer World.

KB4338818 causes issues with Exchange Server 2010

Update KB4338818 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) dated July 10, 2018 brings several fixes, for instance for the Lazy Floating Point (FP) State Restore flaw (CVE-2018-3665) in Intel processors. I wrote about that update in my blog post Patchday: Updates for Windows 7/8.1/Server July 10, 2018.

German blog reader Michael Uray left a comment (thx) mentioning serious issues with Microsoft Exchange Server 2010. The issue is also discussed at reddit.com, for instance:

We look after several small business clients and this morning 3x different clients reported mail flow issues (all are running single-server installs of Exchange 2010 SP3 on Windows Server 2008 R2 Std, or similarly set up SBS 2011). They all have Windows Updates set to Automatic, and all installed the latest updates successfully last night. However this morning at different times between 9-11am they each stopped getting inbound email, and we could see it queuing at their scrubbing provider. After investigation it seems that the Exchange Transport service is not responding. On one of the servers we actually saw errors in the event log saying the server had timed out connecting to itself (exchange transport), but on the other two there were no errors. If we try to stop the service, it just hangs at ‘stopping’ for over 30min so we reboot the server and after the reboot everything was normal again and mail started flowing again.

After patchday July 10, 2018, some clients have problems exchanging mail with an Exchange Server 2010 SP1 (running on Windows Server 2008 R2 Standard). The clients no longer receive mail. Several users confirm this, and later it is confirmed that update KB4338818 is the problem:

Throwing some more into the mix. On the machines with the update, there was an indication that it could no longer find the Microsoft Exchange Transport and that you couldn’t just restart the service. According to https://support.microsoft.com/en-ie/help/4338818/windows-7-update-kb4338818 there is some adjustments to DNS, which as we know must be working for Exchange to function well. There is also mention of the network interface changes.

I also found a thread at the German site heise.de, where issues on Exchange Server 2010 caused by KB4338818 are reported.

.NET Update KB4340558 install issue confirmed

Microsoft has confirmed install issues with .NET Update KB4340558. I’ve covered the whole mess within my blog post .Net Framework: Update KB4340558 drops error 0x80092004?.

Update KB4135048 for MSSQL kills Reporting Service

German blog reader Michael Müller left a comment mentioning issues with update KB4135048 (Cumulative Update 1 for SQL Server 2016 SP2, which I didn’t address in my blog).

I’ve got something else too. Should also not be installed.
There was also a MSSQL update 2016 KB4135048 for the OS updates
This kills the reporting service.

Michael pointed me to this German MSDN forum thread, where the issue has already been discussed. Here is my translation:

after installing SP2 Cumulative Update (KB4135048) for SQL Server 2016, Reporting Services no longer work.

– you can no longer access the web portal URL
– in the event log that contains the application
Microsoft.ReportingServices.Portal.WebHost.exe
is faulty
– the server produces log files without content (0 KB), but very many of them (from Friday morning to Monday noon 17,000 pieces).

Server restart is useless; stopping the service “SQL Server Reporting Services” stops the creation of these log files, but of course it does not solve the problem…

This English MSDN forum post also addresses the same error. I have currently received the tip not to install the July 2018 patches (at least for Windows Server 2008 R2) due to ‘quality issues’. More will follow.

Similar articles:
Adobe Flash Player Version 30.0.0.134
Microsoft Office Patchday (July 3, 2018)
Patchday: Windows 10-Updates July 10, 2018
Patchday: Updates for Windows 7/8.1/Server July 10, 2018
Patchday Microsoft Office Updates (10. Juli 2018)
Microsoft Patchday: Other Updates July 10, 2018

.Net Framework: Update KB4340558 drops error 0x80092004?
DHCP-Bug in Update KB4338814 (Windows 10 Version 1607)
July 2018 Patchday issues, KB4018385 pulled – Part I

Dropbox ends support for Windows 8.1

Users of Windows 8.1 systems using the online storage of Dropbox have to swallow a bitter pill. Dropbox has withdrawn its support for Windows 8.1.

Specifically, Dropbox has pulled its app from the Microsoft Store. As MS PowerUser reports here, the app is no longer available.

Dropbox-App
(Source: MS PowerUser)

If you try to download the app again from the store, you will receive a message that it is no longer available (see screenshot above). Recently the Microsoft Bing Translator also disappeared from the store as an app (see Windows 8.1: Tschüss Microsoft Translator). I haven’t tried it, but the Dropbox Windows client (desktop app) should still be usable in Windows 8.1. Question: Do any of you Windows 8.1 users miss the app?


Microsoft’s July 2018 patch mess – put update install on hold

Another short patchday summary for administrators in business environments. The July 2018 patchday (July 10, 2018) is proving more and more to be a disaster. Currently every administrator should consider whether to release updates for installation, and which ones.

The clever administrator only releases updates for servers and clients manually, once it is clear that they are safe to install. I provided an overview of the updates of July 3 and 10, 2018 in various blog posts (see link list at the end of the article). But that is not the end of the story: patchday is the beginning of a process that, I guess, has developed into a little disaster. Here is a summary of what an administrator should have taken note of. It is part II of my article July 2018 Patchday issues, KB4018385 pulled – Part I.

Re-Releases in Microsoft Update Catalog

I was already informed on July 12, 2018 that Microsoft has released a massive flood of re-releases of updates in the Update Catalog.

Just for the record: Patchday was July 10, 2018, and on July 12, 2018 (see also this article by Woody Leonhard) a flood of ‘updates’ dated July 13, 2018 arrived in the Microsoft Update Catalog. That’s more than crazy.

Update issues documented within the blog

Over the last few days, besides writing the patchday articles, I have spent time documenting some of the more serious problems caused by the July 2018 updates. Here are the links to the respective articles.

.Net Framework: Update KB4340558 drops error 0x80092004?
DHCP-Bug in Update KB4338814 (Windows 10 Version 1607)
July 2018 Patchday issues, KB4018385 pulled – Part I

Blue screen bingo with July 2018 updates

Susan Bradley has published an overview of the July 2018 patches and known issues on Askwoody.com (I’ve already tweeted about it). It’s not nice what we read there.

Update KB4338819 for Windows 10 V1803

Update KB4338819 for Windows 10 V1803 has two known issues that Microsoft has added to its KB article:

  • After installing this update on a DHCP Failover Server, Enterprise clients may receive an invalid configuration when requesting a new IP address.  This may result in loss of connectivity as systems fail to renew their leases.
  • After installing this update, some devices running network monitoring workloads may receive the 0xD1 Stop error because of a race condition.

There is no workaround for either bug. Microsoft is working on a solution and hopes to make it available in mid-July 2018.

Update KB4338825  for Windows 10 V1709

Update KB4338825 for Windows 10 V1709 has four known issues now documented by Microsoft. In addition to the two points I already mentioned in the blog article Patchday: Windows 10-Updates July 10, 2018, the DHCP and 0xD1 stop errors mentioned for KB4338819 have also been added.

Update KB4338826 for Windows 10 V1703

Update KB4018126 for Windows 10 V1703 causes the blue screen 0xD1 mentioned for update KB4338819.

Update KB4338814  for Windows 10 V1607

Update KB4338814 for Windows 10 V1607 has the DHCP bug (see DHCP-Bug in Update KB4338814 (Windows 10 Version 1607)) and the stop error 0xD1 mentioned for KB4338819.

Update KB4338829  for Windows 10 V1507 (LTSC)

Update KB4338829 for Windows 10 (RTM) causes the blue screen 0xD1 mentioned for update KB4338819.

Susan Bradley has raised other issues for Windows 7 and Windows 8.1 updates in the table in this article.

Stop July 2018 update rollout recommended

If you go through the above and the rest of my blog posts on the July 2018 updates, it becomes clear that Microsoft has a massive quality problem with these updates. One of my sources told me not to roll out updates for Windows Server 2008 R2 because of quality issues (I know the source of the information without being able to disclose it). I’m going to extend that warning: Think about stopping the July 2018 update rollout to your machines.

Similar articles:
Adobe Flash Player Version 30.0.0.134
Microsoft Office Patchday (July 3, 2018)
Patchday: Windows 10-Updates July 10, 2018
Patchday: Updates for Windows 7/8.1/Server July 10, 2018
Patchday Microsoft Office Updates (10. Juli 2018)
Microsoft Patchday: Other Updates July 10, 2018

Microsoft announced the end of Windows 10 Delta Updates

Another weekend topic, especially for administrators in business environments. It came to my attention a few days ago. Microsoft will discontinue the delta updates for Windows 10 in favor of the express updates available on WSUS & Co.

If I remember correctly, I stumbled across the topic via the Twitter channel of @MSWindowsITPro (but there were some tweets that specifically drew my attention to it). The relevant tweet summarizes the various variants for rolling out update packages in a graphic.

Delta Updates explained

Microsoft has introduced cumulative updates in Windows 10. If such an update is installed, the installer checks which patches are missing on the machine and installs them. As a result, the size of a cumulative update increases with each patchday. The package must contain all patches so that the update installer can make up for the missing patches on the machine.

For Windows 10 the Microsoft developers have therefore relied on the solution of so-called ‘Delta Updates’. The delta updates only contain the patches of the previous month and no longer the complete update history of the relevant Windows 10 build. This should reduce the size of the update packages by up to 40 % (see the following diagram).

Size of delta updates compared to cumulative updates
(Source: Microsoft)

Microsoft Delta updates were introduced with Windows 10 Creators Update and are available for the following versions.

  • Windows 10, Version 1607
  • Windows 10, Version 1703
  • Windows 10, Version 1709
  • Windows 10, Version 1803

Delta updates will also be available for Windows 10 (October update), which will be released in autumn.

The end of delta updates

Last Wednesday, Mike Benson from Microsoft announced the end of the above-mentioned delta updates in the article Windows 10 quality updates explained & the end of delta updates. First, he discusses the different models for update packages (Full Update, Delta Update and Express Update) in enterprise environments. Under WSUS, for example, there are still express updates that should install faster (and according to the graphics should also be more compact). He then writes that Microsoft will stop the delta updates.

The background: The concept of express updates makes it possible to generate differential downloads for each component in the full update. The generated downloads are based on the update history of the machine and the differential updates on the Microsoft update servers. This allows the scope of a full update to be distributed as a package, but the size can be significantly reduced by differential delivery (only changes to files are delivered).

For example, the latest cumulative May 2018 update (called Latest Cumulative Update, LCU) contains the file tcpip.sys. Microsoft now wants to create a differential for all tcpip.sys file changes from April to May, from March to May and from the original version to May. A device that uses Express Updates uses the network protocol to determine optimal differences between the installed version and the modifications on the Microsoft server. Then Windows Update will download only what you need. Microsoft writes that this is usually about 150-200 MB per month. The more current a device is, the smaller the size of the differential download.

Devices that are directly connected to Windows Server Update Services (WSUS), System Center Configuration Manager, or a third-party update manager that supports express updates receive these smaller payloads.

As Express Update Support for third-party update managers has been available for over a year, Microsoft plans to discontinue the delivery of Delta updates. Starting February 12, 2019, Microsoft will end its practice of creating delta updates for all versions of Windows 10. Express updates are much smaller, and simplifying cumulative options reduces complexity for IT administrators. You can read more details, including the user discussion, in Microsoft’s article.

Windows 10 Service Stack Update (SSU) internal explained

Microsoft periodically releases Servicing Stack Updates (SSUs) for Windows (Windows 7, Windows 8.1 and Windows 10). But what should you know about these SSUs, and what’s behind them?

An example of such a servicing stack update is KB4132216 from May 2018, which is available for Windows 10 version 1607. Microsoft generally says that SSUs should improve the stability of the (Windows 10) servicing stack. Depending on the update, further improvements are mentioned.

Servicing Stack Update (SSU) explained

Recently German blog reader Markus K. pointed out to me an article from Microsoft Japan about this subject. The Ask Core team (Microsoft Japan Windows Technology Support) has published an article About the service stack update program that improves the update installation process. Almost in parallel I also received a Twitter notification from @PhantomofMobile. Thanks for that.

An SSU updates the servicing stack, that is, the component CBS (Component Based Servicing), which is responsible for the installation process of the operating system. The purpose of installing a servicing stack update (SSU) is to improve the installation process of the operating system, including the installation of updates.

Cumulative updates require SSUs

Servicing stack updates (SSUs) must always be installed separately from the cumulative updates for Windows 10, and before those cumulative updates are installed. I have pointed this out several times in various blog posts about Windows 10 updates. If this is ignored, installation errors may occur during cumulative updates.

SSUs can’t be uninstalled

Microsoft Japan writes in its blog that the scope of modifications to SSUs is limited – only the CBS components are updated. Servicing stack updates (SSU) cannot be uninstalled by default.

If there are issues with Windows after a Servicing Stack Update has been installed, you can restore an older system image backup or try System Restore (if active) to roll back the system.

I posted the article Uninstalling ‘uninstallable’ Windows Updates, which shows ways to uninstall such an ‘uninstallable’ package for test purposes. However, this is not a permanent solution, since the following cumulative updates can usually no longer be installed.

Microsoft Japan gives some more hints about these updates in the article. For example, to find out the last SSU, Microsoft recommends searching the support area using this URL. But maybe the information above will help you.

Skype 8.0 released, version 7.x will be shut off


Microsoft has just released version 8.0 of the Skype desktop client. This client has a couple of new features, which are described in Microsoft’s blog post here. The post also announces that Microsoft plans to shut down all services for the older version 7.0 of the Skype desktop client after September 1, 2018.

Windows 10: Update revisions July 16, 2018


Microsoft has released a number of new updates for Windows 10 on July 16, 2018. Here is an overview of these Windows 10 updates, which fix a couple of known issues from the older July 10, 2018 updates.

The updates are documented at this Microsoft web site.

Update KB4345421 for Windows 10 V1803

Update KB4345421 for Windows 10 V1803 changes OS build to 17134.167 and contains the following fixes:

  • Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
  • Addresses an issue with the DHCP Failover server that may cause enterprise clients to receive an invalid configuration when requesting a new IP address. This results in a loss of connectivity.
  • Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
  • Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

This fixes the biggest bugs like BlueScreens or the DHCP IP address problem under this Windows 10 version. Microsoft is not aware of any other problems. The update is available via Windows Update or in the Microsoft Update Catalog.

Update KB4345420 for Windows 10 V1709

Update KB4345420 for Windows 10 V1709 changes OS build to 16299.550 and contains the following fixes:

  • Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
  • Addresses an issue with the DHCP Failover server that may cause enterprise clients to receive an invalid configuration when requesting a new IP address. This results in a loss of connectivity.
  • Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
  • Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

The update is available via Windows Update or in the Microsoft Update Catalog. For the known issues, such as the message “Reading scheduled jobs from file is not supported in this language mode” or non-functioning operators like & when Device Guard is active, see the KB article.

Update KB4345419 for Windows 10 V1703

Update KB4345419 for Windows 10 V1703 changes OS build to 15063.1208 and contains the following fixes:

  • Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
  • Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
  • Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

No other issues are known. The update is available via Windows Update or in the Microsoft Update Catalog.

Update KB4345418 for Windows 10 V1607 (LTSB)

Update KB4345418 for Windows 10 V1607 (LTSB) changes OS build to 14393.2367 and contains the following fixes:

  • Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
  • Addresses an issue with the DHCP Failover server that may cause enterprise clients to receive an invalid configuration when requesting a new IP address. This results in a loss of connectivity.
  • Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
  • Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

No other issues are known. The update is available via Windows Update or in the Microsoft Update Catalog.

Update KB4345455 for Windows 10 V1507 (LTSB)

Update KB4345455 for Windows 10 V1507 (LTSB) changes OS build to 10240.17918 and contains the following fixes:

  • Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
  • Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
  • Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

No other issues are known. The update is available via Windows Update or in the Microsoft Update Catalog.

Microsoft has released an update directly to the Windows Update client (of the above updates) to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 Feature Update based on device compatibility and Windows Update for Business deferral policy. This does not apply to long-term servicing editions.

Similar articles:
Adobe Flash Player Version 30.0.0.134
Microsoft Office Patchday (July 3, 2018)
Patchday: Windows 10-Updates July 10, 2018
Patchday: Updates for Windows 7/8.1/Server July 10, 2018
Patchday Microsoft Office Updates (July 10, 2018)
Microsoft Patchday: Other Updates July 10, 2018

.Net Framework: Update KB4340558 drops error 0x80092004?
DHCP-Bug in Update KB4338814 (Windows 10 Version 1607)
July 2018 Patchday issues, KB4018385 pulled – Part I

Windows 7/8.1: Revised Updates July 16, 2018


Microsoft has released a revised update KB4345459 for Windows 7 and an update KB4345424 for Windows 8.1, as well as the respective server counterparts, on July 16, 2018 to fix various bugs. .NET Framework updates have also been updated.

Update KB4345459 for Windows 7/Server 2008 R2

Update KB4345459 is for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1. The update dated July 16, 2018 contains the following fixes:

  • Addressed issue in which some devices may experience stop error 0xD1 when you run network monitoring workloads.
  • Addresses an issue that may cause the restart of the SQL Server service to fail with the error, “Tcp port is already in use”.
  • Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

The update is distributed via Windows Update, but is also available via Microsoft Update Catalog. A restart is required after the update installation. There are no known issues with this update.

Update KB4345424 for Windows 8.1/Server 2012 R2

Update KB4345424 is available for Windows 8.1 and Windows Server 2012 R2. The update dated July 16, 2018 contains the following fixes:

  • Addressed issue in which some devices may experience stop error 0xD1 when you run network monitoring workloads.
  • Addresses an issue that may cause the restart of the SQL Server service to fail with the error, “Tcp port is already in use”.
  • Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

The update is distributed via Windows Update, but is also available via Microsoft Update Catalog. A restart is required after the update installation. There are no known issues with this update.

Update KB4345425 for Windows Server 2012 R2

Update KB4345425 is available for Windows Server 2012 R2. The update dated July 16, 2018 contains the following fixes:

  • Addressed issue in which some devices may experience stop error 0xD1 when you run network monitoring workloads.
  • Addresses an issue that may cause the restart of the SQL Server service to fail with the error, “Tcp port is already in use”.
  • Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

The update is distributed via Windows Update, but is also available via Microsoft Update Catalog. A restart is required after the update installation. There are no known issues with this update.

Updates for .NET Framework

Microsoft has released the following .NET Framework updates:

  • Update KB4340558: Security and Quality Rollup updates for .NET Framework 3.5 SP1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1 for Windows 8.1, RT 8.1, and Server 2012 R2.
  • Update KB4340557: Security and Quality Rollup updates for .NET Framework 3.5 SP1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1 for Windows Server 2012 (KB 4340557)

In the KB articles, however, the known issue with installation error 0x80092004 is still listed (possibly the KB text, as of July 13, 2018, has not yet been updated).


Microsoft Security Advisory Notification revisions


As of July 16, 2018, Microsoft has released revisions to its security advisories that were released on previous patchdays. Here are a few details I know so far.

Microsoft Security Advisory ADV180016

– Title: Microsoft Guidance for Lazy FP State Restore
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180016
– Reason for Revision: Removed Windows 10 version 1511 for 32-bit
   Systems and Windows 10 Version 1511 for x64-based Systems from
   the Affected Products table. This is an informational change
   only.
– Originally posted: June 13, 2018
– Version: 2.1

Revision of CVE-2018-8319

Revision Information:
=====================

– CVE-2018-8319 | MSR JavaScript Cryptography Library Security
   Feature Bypass Vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8319
– Reason for Revision: Information updated to announce the release
   of MSR JavaScript Cryptography Library version 1.4.1.
– Originally posted: July 10, 2018
– Updated: July 16, 2018
– Aggregate CVE Severity Rating: Important
– Version: 2.0


Windows 7: Old XML Core Service updates offered in 2018


I just made a strange observation in Windows 7 SP1. After installing the 10 June 2018 security only updates, I am offered old security updates for Microsoft XML Core Services 4.0 Service Pack 3 released in 2012/2013. Addendum: Explanation for this behavior added.

A surprise in the morning

First, the security update for Microsoft XML Core Services 4.0 Service Pack 3 for x64 systems (KB2756145) was offered as important during the update search. But the release date, January 8, 2013, irritated me. So I hid this update.

Security update for Microsoft XML Core Services 4.0 Service Pack 3 (KB2721691)

Then the security update for Microsoft XML Core Services 4.0 Service Pack 3 (KB2721691) dated October 9, 2012 was displayed as Important from the update search. Microsoft writes that a vulnerability has been discovered in Microsoft XML Core Services (MSXML) that could allow an attacker to enter and take control of Windows systems.

So I’m facing the following situation: There were a number of Microsoft XML Core Services 4.0 Service Pack 3 patches, but these updates are all ancient. Hence the question: Has anyone else noticed this, or am I the only one again?

Probably an explanation …

Shortly after I published the German edition of this blog post, I received some comments from reader Michael Py. First he wrote:

Years ago I read an independent article that there was an update for XMLv4. However, Microsoft did not offer them via WU or WSUS. But at that time you could manually download and install the updates.

That explains why I probably never installed these old patches. In a second comment Michael shed a bit more light on this ‘issue’ and pointed out:

The Secunia PSI tool informed all PSI users that there was an SP3 for XMLv4, but there was no automatic update of SP2.

SP3 itself had to be downloaded/installed or PSI muted to stop the warning from PSI. Here is an interesting link: https://altonblom.com/s34e03/

It seems Microsoft finally offers the SP3 in WU :-)

You may also be able to uninstall XML4: https://altonblom.com/s34e10/

After reading that, it became transparent to me, what probably happened. So I’m going to uninstall that stuff.

Security flaws in MDOP/MBAM July 2018 Update KB4340040


Last week, the Microsoft Desktop Optimization Pack (MDOP) July 2018 Service Release was published. Today I’d like to take a brief look at the MDOP/MBAM update KB4340040 from a security perspective.

Microsoft Desktop Optimization Pack (MDOP) Update

The Microsoft Desktop Optimization Pack (MDOP) is intended for administrators in the Windows environment who have a Software Assurance contract. It is a portfolio of technologies available as a subscription for Software Assurance customers. MDOP is designed to help improve compatibility and management, reduce support costs, improve asset management and improve policy control. On July 11, 2018, Microsoft released the Microsoft Desktop Optimization Pack (MDOP) July 2018 Service Release. I wrote about update KB4340040 within my blog post Microsoft Desktop Optimization Pack (MDOP) July 2018 Service Release.

Use the .msi Installer for security reasons!

I also mentioned in that blog post that Microsoft provides the installer both as an .exe file and as an .msi installation file, and I recommended using the .msi installation file for security reasons. The .exe installers often unpack the installation files into temporary folders before starting the installation with administrator rights. This is bad ‘programming practice’, because it is a potential security risk (for DLL hijacking), and it should be avoided. Microsoft is aware of this as well and has published many hints not to do it in its ‘dos and don’ts’ programming articles.

Vulnerabilities in MDOP/MBAM

I informed German security researcher Stefan Kanthak about the blog post and he investigated the MDOP/MBAM .exe installers. Then he contacted the Microsoft Security Response Center (MSRC).

> From: Stefan Kanthak
> Received: Sun Jul 15 2018 03:40:19 GMT-0700 (Pacific Daylight Time)
> To: <Microsoft Security Response Center>; Microsoft Security Response Center; Microsoft Security Response Center
> Cc: ….; CERT; CERT/CC; cert@cert.org; ….
> Subject: KB4340040: multiple vulnerabilities allow escalation of privilege CRM:0461057028
>
> Hi, you just released “July 2018 servicing release for Microsoft Desktop Optimization Pack” The executable installers
>
> MBAM2.5_Client_x64_KB4340040.exe
> MBAM2.5_Client_x86_KB4340040.exe
> MBAM2.5_X64_Server_KB4340040.exe
>
> you offer for download from are but VULNERABLE!
>
> 1. All three executable installers are vulnerable to DLL hijacking: they load multiple system DLLs from their “application directory”, typically the user’s “Downloads” directory %USERPROFILE%\Downloads\, instead from Windows’ “system directory” %SystemRoot%\System32\, resulting in arbitrary code execution. On a fully patched Windows 7 SP1,
>
> MBAM2.5_Client_x64_KB4340040.exe and MBAM2.5_Client_x86_KB4340040.exe
>
> load AT LEAST the following rogue DLLs: msls31.dll, propsys.dll, ntmarta.dll, version.dll, secur32.dll
>
> On a fully patched Windows 7 SP1, MBAM2.5_X64_Server_KB4340040.exe loads AT LEAST the following rogue DLLs: uxtheme.dll, cabinet.dll, msi.dll, version.dll
>
> For this well-known and well-documented BEGINNER’S ERROR

That’s what I had in mind when I recommended avoiding the .exe installers. In his mail, Stefan Kanthak refers the MSRC to Microsoft’s own documentation and guidelines, which outlaw such things. I recently received an e-mail from Stefan Kanthak with the MSRC team’s answer. First, Microsoft’s security team confirmed that KB4340040 contains multiple vulnerabilities allowing escalation of privilege and escalated the case internally for review. Then they came out with the confirmation of the security flaws:

From: “Microsoft Security Response Center” <secure@microsoft.com>
To: “Microsoft Security Response Center” <secure@microsoft.com>; “Stefan Kanthak”
Sent: Monday, July 16, 2018 9:37 PM

[Stefan wrote:] for your information: as expected, the MSRC confirms these BLOODY BEGINNERS ERROR in the latest MDOP/MBAM update KB4340040, but writes that no security fix will be released.

“Defense in depth — the Microsoft way” … or “trustworthy computing” was yesterday …

Unfortunately, “DLL spoofing” has been known since the day before yesterday, see <https://skanthak.homepage.t-online.de/ntintrotosec.html> This is a short version of the NSA Guide written by the same author. <http://fy.chalmers.se/~appro/nt/nsaguide.pdf>; see pages 105/106 there

That’s odd! Microsoft has released a ton of programming guidelines that recommend avoiding this practice, but its own developers are ignoring them. I’ve mentioned several cases, for instance the Skype installer and the Office Ose.exe installer, in my German blog.
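
An added check, not part of the original post or of Stefan Kanthak’s report: the PowerShell function below lists DLLs lying in a folder that installers are started from when they carry the name of a DLL in %SystemRoot%\System32, which is the condition the mail describes. The function name Find-ShadowingDll and its parameters are assumptions made for this example; it needs PowerShell 3.0 or later.

```powershell
# Added example, not code from the blog post or from Microsoft.
# DLL names the quoted mail reports as loaded from the application directory.
$ReportedNames = @(
    'msls31.dll', 'propsys.dll', 'ntmarta.dll', 'version.dll',
    'secur32.dll', 'uxtheme.dll', 'cabinet.dll', 'msi.dll'
)

function Find-ShadowingDll {
    [CmdletBinding()]
    param(
        # Folder an installer is started from; the mail names the Downloads folder.
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),

        # Directory the DLLs are supposed to be loaded from.
        [string]$SystemDirectory = (Join-Path $env:SystemRoot 'System32'),

        # Names to flag separately (defaults to the list from the mail).
        [string[]]$Reported = $ReportedNames
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    Get-ChildItem -LiteralPath $Path -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $systemCopy = Join-Path $SystemDirectory $file.Name

            # Only a DLL whose name also exists in the system directory can
            # take the place of the system copy when the loader searches the
            # application directory first.
            if (Test-Path -LiteralPath $systemCopy -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

                [pscustomobject]@{
                    Name            = $file.Name
                    FullName        = $file.FullName
                    LastWriteTime   = $file.LastWriteTime
                    SignatureStatus = $sig.Status
                    Signer          = if ($sig.SignerCertificate) {
                                          $sig.SignerCertificate.Subject
                                      } else {
                                          $null
                                      }
                    # -contains is case-insensitive for strings.
                    NamedInReport   = $Reported -contains $file.Name
                }
            }
        }
}

# Run against the current user's Downloads folder before starting an installer from it.
Find-ShadowingDll |
    Sort-Object NamedInReport, Name -Descending |
    Format-Table Name, SignatureStatus, NamedInReport, LastWriteTime, FullName -AutoSize
```

An empty result means no DLL in the folder carries a system DLL’s name; any row is a file to examine or remove before an .exe installer is run from that folder.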

Windows 10 V1803: ADMX files have been updated


Short information for administrators in a business environment. Microsoft has updated the ADMX files for Group Policies for Windows 10 April Update (version 1803).

I read that information via the Twitter channel @MSWindowsITPro from Microsoft’s Windows IT Pro group.

Version 2.0 of the Administrative Templates (.admx) for Windows 10 April 2018 Update (1803) was released on July 13, 2018. The ADMX files are required by Group Policy tools to display the policy settings for Windows 10 V1803 on the user interface. The ADMX files are downloadable in the following languages.

  • cs-CZ Czech – Czech Republic
  • da-DK Danish – Denmark
  • de-DE German – Germany
  • el-GR Greek – Greece
  • en-US English – United States
  • es-ES Spanish – Spain
  • fi-FI Finnish – Finland
  • fr-FR French – France
  • hu-HU Hungarian – Hungary
  • it-IT Italian – Italy
  • ja-JP Japanese – Japan
  • ko-KR Korean – Korea
  • nb-NO Norwegian (Bokmål) – Norway
  • nl-NL Dutch – The Netherlands
  • pl-PL Polish – Poland
  • pt-BR Portuguese – Brazil
  • pt-PT Portuguese – Portugal
  • ru-RU Russian – Russia
  • sv-SE Swedish – Sweden
  • zh-CN Chinese – China
  • zh-TW Chinese – Taiwan

More details may be found on this Microsoft page.

Windows 8.1: Mail App suddenly requires a Microsoft Account


It looks like the mail app included in Windows 8.1 suddenly requires a login to a Microsoft account. Here are a few hints.

Until now I only knew that the Windows 8.1 mail app also works with a local user account to access external mail accounts. Now something seems to have changed. I received the information by mail from German blog reader Martin Feuerstein (thanks for that), who made the following observation on the family system.

Mail-App requires a Microsoft account

He got a call from a family member saying that a login request for a Microsoft account (see photo above from the German Windows 8.1 system) pops up when he attempts to access his e-mails via the Windows Mail app. Martin wrote:

The affected laptop runs under Windows 8.1, previously an Exchange e-mail account was configured. Apparently, the app now inevitably requires a Microsoft account and no longer likes self-hosted mail servers on a local account.

“Of course” a local user account has been set up. I have now created a link to the OWA on the desktop, so that helps the user to access his mail account.

That’s not nice of Microsoft. Maybe the blog post will be helpful to others. I never used those mail apps in Windows – Thunderbird is my chosen mail client.

PS: Currently I’m noticing on my German blog that many apps for Windows 8 and Windows 8.1 are suddenly removed from Store, because the links are flagged as broken (I’ve a plug-in, that cyclically checks all outgoing links of the blog).

Windows 7/8.1 Preview Rollup Updates (July 18, 2018)


Microsoft has released the preview rollups KB4338821 for Windows 7 SP1 and KB4338831 for Windows 8.1 on July 18, 2018. Here is an overview of these updates.

The updates are listed on this website (Windows 7) and on this website (Windows 8.1). 

KB4338821 for Windows 7/Windows Server 2008 R2

Update KB4338821 (2018-07-18 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems) is available for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 as Preview of Monthly Rollup. This is not a security update. The preview rollup contains the patches from the monthly rollups and also addresses the following issues:

  • Addresses additional issues with updated time zone information.
  • Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
  • Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
  • Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

With the exception of the time zone update, this update fixes the bugs described in the blog article Windows 7/8.1: Revised Updates July 16, 2018 (Update KB4345459). The difference is that Update KB4338821 is now distributed as an optional update via Windows Update and Microsoft Update Catalog, while Update KB4345459 was only available in Update Catalog.

Update KB4338821 unfortunately has the bug that has been known for months: Third party software that refers to a missing file (oem<number>.inf) causes the network interface controller to fail after installing this update. Microsoft specifies as a workaround that the driver should be installed manually in the device manager using the driver search. If you are not affected by the bugs mentioned above, you should hide the update.

KB4338831 for Windows 8.1/Windows Server 2012 R2

Update KB4338831, June 18, 2018, is available for Windows 8.1 and Windows Server 2012 R2 as Preview of Monthly Rollup. This is not a security update. The preview rollup addresses the following problems:

  • Addresses additional issues with updated time zone information. 
  • Addresses an issue that causes memory leaks until it becomes necessary to restart the system; for example, when using AppLocker to manage application usage. 
  • Addresses an issue in which copying EFS-encrypted files from a client machine to a server share copies the files as encrypted instead of warning the user. 
  • Addresses an issue that prevents printing on a 64-bit OS when 32-bit applications impersonate other users (typically by calling LogonUser). This issue occurs after installing monthly updates starting with KB4034681, released in August 2017. To resolve the issue for the affected applications, install this update, and then do one of the following:
    • Use Microsoft Application Compatibility Toolkit to globally enable the Splwow64Compat App Compat Shim.
    • Use the following registry setting, and then restart the 32-bit application:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print
      Setting: Splwow64Compat
      Type: DWORD
      Value1: 1
  • Addresses an issue that intermittently causes hypervisor to stop working with error code “0x20001”. 
  • Addresses an issue in which LDAP Modify requests for group membership change. The LDAP_SERVER_PERMISSIVE_MODIFY_OID operator is used, and the membership modification operation is already true (member is already removed or already present). As a result, the SUCCESS status is returned and audit events 4728 and 4729 appear, which indicates that the operation was completed. 
  • Addresses an issue in which the LastAccessTime file property does not get updated as expected for files in dedup volume if the file’s $Data extent is completely sparse. After installing this update, configure the following items in the registry:
    1. Set the value to 0 for HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate.
    2. Create the REG_DWORD item and set the value to 0 for HKLM\System\CurrentControlSet\Services\ddpsvc\Settings\DisableLastAccessUpdate.
  • Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
  • Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
  • Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

The update is optional and is offered via Windows Update, but can also be downloaded and installed via Microsoft Update Catalog. Microsoft is not yet aware of any problems with the update.

The last three fixes mentioned in the list above have already been fixed by the revision update KB4345424 (see blog article Windows 7/8.1: Revised Updates July 16, 2018). If the above issues are not relevant, I would hide the update and wait for the August 2018 update.

