[German]This article is about the OneDrive client that Microsoft delivers with Windows 10. The way, how Microsoft’s developers has implemented this client, leaves several vulnerabilities. Here are a few details about an investigation.

In the beginning was the word…

Microsoft provides a OneDrive client in Windows 10. According to Microsoft’s marketing, OneDrive should be used everywhere to save data on the cloud service of the same name. But how save is the client’s implementation? Also under the view, that ‘Windows 10 is the most secure Windows ever developed’ (not my words, it’s Microsoft’s saying).

At the latest after reading this article (I am planning a separate blog post about that topic), the idea for a blog post ‘investigating OneDrive client under the hood’ came up. Because I had some fragments of information about OneDrive and security issues found from Stefan Kanthak, who deals a lot with security issues. Stefan Kanthak has put me on cc to a mail, that says:

>A friend of mine has disabled OneDrive on Windows 10 because she didn’t want to use the service anymore.

Stefan Kanthak asked within this e-mail: Why did she even activate this junk? – and then he shot a volley of statements about the OneDrive client and its vulnerabilities to the poor recipient of the e-mail.

Note: Microsoft offers also an OneDrive for Business client within Office 365, which is in fact a different client. I haven’t examined this client. But at least the suspicion is obvious that it doesn’t look any different there.

Dude, don’t read the fucking “Designed for Windows” rules

I had already mentioned it in one or two of my German blog posts: When I look at the Windows development from Windows 8 onward, I’m missing the design basics that Microsoft once published in the early days of Windows 95 (I’ve translated the German edition of the Microsoft Press title Programming the Windows 95 User Interface (Microsoft programming series).

But there are many other documents that Microsoft once published for software developers. Even though I have since 25 years been out of software development, I found these guidelines very useful. However, this knowledge seems to have either been lost in Redmond, or has been outsourced to the company museum, or no longer fit into today’s development processes. Stefan Kanthak describes it a little more directly:

These Id***, who created this junk [the OneDrive client under Windows], ignore the MINIMAL specifications of the 23-year-old “Designed for Windows” guidelines.

They don’t install this Crapp under %ProgramFiles%, where it is safe from write access by users, but in the user profile of ANY user.

That was something I had already noticed, but I couldn’t make sense of it. In fact, the OneDrive client can be found (with all files) in each user profile under

C:\Users\%USERNAME%\AppData\Local\Microsoft\OneDrive

(Click to zoom)

It is indeed the case that a user (but also malware) has write access to this folder, i.e. can manipulate the OneDrive files at will. This approach has been frowned upon for 23 years according to the “Designed for Windows” guidelines. But the developers  in Redmond probably don’t read such old things anymore – and the old experienced developers have been gone long ago. Another possible explanation can be found in Part 3 of the article series – then Microsoft would make bad compromises and as a Windows user one should draw his conclusions.

Unfortunately, the today’s story goes even further, and by no means more positive. Microsoft developers have made further mistakes, such as using outdated open source libraries which contains well known vulnerabilities. But this is part of part 2 of this article series.

Articles:
Windows 10 and the OneDrive vulnerabilities – Part 1
Windows 10 and the OneDrive vulnerabilities – Part 2
Windows 10 and the OneDrive vulnerabilities – Part 3

Similar articles
Security-Risk: Avoid 7-Zip
7-Zip vulnerable – update to version 18.01

[German]In part 1 of my article series about vulnerabilities in OneDrive client I mentioned, the location of the program files in the unprotected profile folder. But Microsoft developers have made further mistakes, such as using outdated open source libraries with known vulnerabilities.

Using outdated OpenSSL libraries

In his e-mail Stefan Kanthak then drew my attention to a fact that I could hardly believe at first. Stefan wrote (free translated):

It seems that the fresh men from the open source scene didn’t know anything about secure software development for Windows!

The current OneDriveSetup.exe, released on 18.7.2018 at
16:56:01 GMT, available via
<https://onedrive.live.com/about/en-us/download/> from
<https://go.microsoft.com/fwlink/p/?LinkId=248256> alias
<https://g.live.com/1rewlive5skydrive/skydrivesetup> alias
<https://oneclient.sfx.ms/Win/Prod/18.111.0603.0006/OneDriveSetup.exe>installs the outdated (from 28.8.2017) and insecure version
1.0.2k of the OpenSSL open source crap!

My first reaction was: Impossible, Microsoft won’t do that, there are professionals developing Windows 10 – the most secure Windows at all, according to Microsoft’s marketing. I’ll have to see and proof for myself. So I asked Stefan Kanthak how I could determine if OpenSSL would be installed. Stefan Kanthak then wrote that I should search and inspect the following files.

DIR /A/S “%USERPROFILE%\???eay32.dll”
DIR /A/S “%ProgramFiles%\???eay32.dll”
DIR /A/S “%ProgramFiles(x86)%\???eay32.dll”
DIR /A/S “%ProgramData%\???eay32.dll”
DIR /A/S “%SystemRoot%\???eay32.dll”

The two DLLs are called ssleay32.dll and libeay32.dll – I immediately found files with this name within the profile folder of a Windows 10 V1803 system (with all patched till August 2018).

(Click to zoom)

Stefan Kanthak then wrote: Other such candidates are libcurl.dll, libz*.dll alias zlib*.dll, *7z*.dll and many more. File names like *7z*.dll ring a bell even to me (see my blog post Security-Risk: Avoid 7-Zip). But there is still the OpenSSL issue.

Microsoft’s developers apparently used OpenSSL libraries within the OneDrive client, but on August 18, 2018 (when I wrote the blog post) they are still shipping version 1.0.2k, as shown in the screenshot above – I right-clicked on the file ssleay32.dll and clicked on Properties to invoke the window. Stefan Kanthak had sent me the link to the following website:

https://www.openssl.org/news/vulnerabilities-1.0.2.html

This website documents vulnerabilities in the OpenSSL library. If you go through the page, you will find some references to version 1.0.2k. However, I did not notice any text in the page, where a vulnerability for this version was documented. But I noticed that version 1.0.2k was up to date sometime in January 2017. For June 2018 version 1.0.2p is mentioned in the last fixes. But if you search specifically for the term s’OpenSSL 1.0.2k vulnerabilities’, you should find a lot of hits on the CVE Details page. There are several known vulnerabilities in version 1.0.2k, but none is critical (the level only goes up to 5, maximum would be 10). But the bottom line is that Microsoft’s developers are using an outdated Open Source OpenSSL library.

Windows has it’s own CryptoAPI …

Stefan Kanthak notes in an e-mail: Windows brings a CryptoAPI and SChannel since 22+ years and does NOT need such crap! and supplements:

Microsoft’s mantra “Keep your PC up-to-date!”, which they regularly preach to all their customers, is once again ignored by Microsoft’s developers!

But there is more in stock, as Stefan Kanthak wote. He mentioned, that Microsoft’s developers are either not able or not willing, to write a “shell extension” for the Explorer using the the Win32 API of the Windows GUI. The background for this: Microsoft’s OneDrive client developers uses the Qt5 library instead of the well-documented and updated Windows API. Stefan Kanthak wrote:

Instead, these BEGINNERS uses the the open source monster Qt5 (of course also an OLD version); its Runtime environment Qt5*.dll occupies “only” 20MB on the hard disk. In RAM it’s even more.

The whole thing has two aspects. Kanthak criticizes the use of an outdated version of Qt5, where basically the same explanations apply as above to the outdated OpenSSL library. I assume, that Microsoft is in certain constraints and the outdated open source libraries are not classified as ‘extremely serious security risks’. This can bee seen as critically from the user’s point of view. The second point Kanthak criticizes is the use of Qt5, which is incomprehensible at first glance. But I realized some reasons during writing this blog post. These thoughts, as well as a Microsoft statement on the OneDrive client follows in Part 3.

Articles:
Windows 10 and the OneDrive vulnerabilities – Part 1
Windows 10 and the OneDrive vulnerabilities – Part 2
Windows 10 and the OneDrive vulnerabilities – Part 3

Similar articles
Security-Risk: Avoid 7-Zip
7-Zip vulnerable – update to version 18.01

[German]In Part 1 and Part 2 of my article series I described the vulnerabilities in Microsoft’s OneDrive client (addressing the location of program files in the unprotected profile folder and the use of outdated open source libraries with known vulnerabilities). In part 3 I try to give an explanation for that behavior and there is a statement from Microsoft.

A possible explanation?

During writing about Qt5 in part 2, I came about an explanation, why the developers designed it this way (and also explains other issues already mentioned in Part 1 and Part 2): It’s Mr. Satya Nadella’s previous credo ‘Mobile first, Cloud first’ – Windows doesn’t matter anymore, but somehow should not die.

The development of software should be designed in such a way that products like Office, a OneDrive client (if necessary as app) etc. has to run on different platforms! So the developers of the OneDrive client fell for the idea of using the Qt5 library in addition to OpenSSL. According to Wikipedia:

Qt is a cross-platform application framework and widget toolkit for creating classic and embedded graphical user interfaces, and applications that run on various software and hardware platforms with little or no change in the underlying codebase, while still being a native application with native capabilities and speed.

And Android, iOS, macOS or Linux do not have a Windows crypto API etc. In order not to rewrite code on a platform, they use tools to create cross-platform software. The result looks like ‘not fish, nor meat’.

For me, this also explains some steps within the development of the OneDrive client since Windows 8.1. There has been several times where they re-started the OneDrive client development. Suddenly, functions that the previous OneDrive client could do very well had disappeared.

Well, that’s settled, so there’s (probably) a reason for this stuff. But at this point you have to say goodbye to the romantic idea that Redmond is still programming for Windows 10. Microsoft’s developers are cobbling together their software for various platforms – and the result is accordingly..

And at this point it may be obvious that the OneDrive for Business Client is sailing in the same waters. Stefan Kanthak also says that dropbox is by no means better.

Furthermore, I had Stefan Kanthak read the text in advance. His feedback on the subject:

everything Qt can do (according to WikiPedia) has been provided by the Win32 API since over 25 years.

It doesn’t make sense, to use Qt5 for a client, that is only available in Windows, it’s superfluous: es there is no OneDrive client for Android or iOS or Linux.

Well, for Linux there is no client from Microsoft, but the OneDrive apps for Android and iOS I would say, that’s are clients. What Kanthak also criticise however, is this:

Also on Windows with its rich Win32 API, more and more developers who seem to be too lazy to deal with the Win32 API are abusing libraries/ components like Boost, Qt ,… which are completely superfluous there.

One problem (lack of knowledge about or mastery of the Win32 API) then becomes two: the superfluous components used by the developers
are NOT updated. Using OpenSSL or Qt5 under Windows is a pain in the ass!

This OpenSource crap again has many dependencies on “tools” like CMake, Python/Perl, or on an history MS compiler for MS-DOS,

That’s what Microsoft says about the OneDrive client

In this series of articles I have uncovered some vulnerabilities in the OneDrive client to which Stefan Kanthak has drawn my attention. And I tried to find a logical explanation for Microsoft’s design decisions. However, I have no feedback from Microsoft whether my above conclusions are correct – so it remains a working hypothesis.

However, security specialist Stefan Kanthak informed Microsoft and its Security Response Team (MSRT) about the vulnerabilities in the current implementation of OneDrive. Kanthak send me a copy of the mail exchange with Microsoft, which I cite below in excerpts.

In mid-July 2018, Stefan Kanthak drew the attention of the MSRT to the security issues (he basically described what I documented in Part 1 and Part 2). Microsoft replied as follows:

Thank you very much for your report.

I have opened case 46989 and the case manager, Kamuran will be in touch when there is more information.

In the meantime, to protect the ecosystem, we ask that you respect coordinated vulnerability disclosure (see here for details) and not report this publicly before we have notified you that this issue is fixed.

So a case has been opened at Microsoft and they ask not to publish the reported vulnerability until it is fixed. Well, it’s a standard phrase. But a few weeks later there was the following answer:

From: “Microsoft Security Response Center” <secure@microsoft.com>
To: “Microsoft Security Response Center” <secure@microsoft.com>; “Stefan Kanthak” <******>
Sent: Wednesday, August 08, 2018 2:09 AM
Subject: RE: ?MSRC Case 46989? CRM:0461058631

> Hello Stefan,
> Thank you again for submitting this issue to Microsoft. We determined that a fix for this issue will be considered in a future version of this product or service.

At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.

Thank you very much for working with us.
> Regards,
> Kamuran
> MSRC

In a nutshell: Following the internal guidelines (see Microsoft Security Servicing Commitments) they decided, that vulnerabilities do not require an immediate fix. But they intend to address the issue sometime in the future and closes the case.

My 2 Cents

It has now become now an article series consisting of three parts. I’ve described things in a broader manner, so that blog readers can understand and classify the vulnerabilities. So you may judge yourself as a reader. For me, however, this story has a different dimension and when I was writing, some things suddenly became clear to me.

I still have had the idea ‘Windows 10 has a solid basis, here and there a few adjustments/modifications, then it fits, Microsoft just has to decide that’. I think about auto-updates, semi annual feature updates controllable and disable as well as making a basic operating system with configurable additional Windows functions by means of de-selectable features.

This naive idea I put down the last weeks. The more I deal with certain aspects of Windows 10 development and implementation of various features under stability and security aspects (as a blogger I often just scratch the surface), the clearer it becomes for me: This development is currently going down the hill.

Why should they work more solidly on the core of Windows 10 than with the tweaked OneDrive client? The many ‘exceptions’ in the Windows update environment (keyword: besides Windows Update there are other mechanisms like USOclient, Remsh etc.), to download and install updates), the problems with patches or the many bugs in new features and after release of a feature update draws a fatal image: The development of Windows 10 is no longer stable and it seems that ‘they’ lost control.

I just read a nice article Das Problem mit der Agilität (unfortunately in German) by Eberhard Wolff, which deals with Continuous Architecture. He outlines what is behind the term Agile software development and reports on his practical experience. There was another piece in my mosaic, as Microsoft has recently also been using the term agility or continuous delivery in the Windows 10 and Office 365 development environment.

The question remains whether you can and should use agile development and continuous delivery for a platform like Windows 10 (or at least the basic operating system)?.Maybe the whole approach isn’t helpful for Windows development, where we depend on a a core OS solid as a rock (and won’t see disruptive agile ‘not ready yet’ prototype development). What do you think?

Articles:
Windows 10 and the OneDrive vulnerabilities – Part 1
Windows 10 and the OneDrive vulnerabilities – Part 2
Windows 10 and the OneDrive vulnerabilities – Part 3

Similar articles
Security-Risk: Avoid 7-Zip
7-Zip vulnerable – update to version 18.01

[German]A brief information for administrators in corporate environments who prepare Windows 10 V1803 installation images for enrollment in the company with Sysprep. In Windows 10 V1803 there is an issue that Sysprep does not run with the automatic response file within the created user account. A workaround is available.

Microsoft’s Ask Core-Team Japan from Technology Support has addressed this topic recently within the article Notes on running Sysprep on Windows 10.

The issue

If you prepare an installation image of Windows 10, the last step is the generalization with the program Sysprep. This ensures that the version installed from the image then gets its own SIDs for the user IDs etc. and the OOBE (Out of the Box Experience) is run during installation.

Microsoft Japan has received many customer feedback that if Sysprep is using a response file with CopyProfile enabled, Sysprep processing will not complete properly. This applies to deployment in Windows 10 version 1803.

However, this problem only occurs in Windows 10 version 1803 if Sysprep runs on the user account that was created during the clean installation. You can avoid this by running Sysprep under the built-in administrator account. 

Microsoft’s workaround

The  Ask Core team from Microsoft Japan from Technology Support has suggested the following workaround to work around the problem. 

1. Enable the built-in administrator from the user account created during the installation of the operating system.

2. Log out of the user account and log in with the Built-in Administrator activated.

3. Delete the user account and user profile created during the clean installation. 

To delete the user profile, proceed as follows: 

1. Open the Control Panel and select the relevant user account (under User Accounts – Manage Other Account). 

2. Delete the user account in question using the button provided. 

This step also deletes the customization information saved by the user. Therefore, you must make the adjustments in the built-in administrator account again. 

3. Run Sysprep from the response file with CopyProfile enabled in the Built-in Administrator.

Perhaps it will help some of those affected – details can be found in the blog entry of Microsoft Japan in case of doubt.

[German]Microsoft had to pull update KB4293807 for SQL Server 2016 SP2 (dated August 14, 2018) due to install issues (details, see SQL Server 2016 SP2: Update KB4293807 pulled). On August 19, 2018 Microsoft released update revision KB445862 for SQL Server 2016 SP2 to close an existing remote code execution vulnerability.

[German]Just a brief information for users of Windows Phone 8.x and desktop systems with Windows 8.x. Microsoft has announced some important end of life (EOL) dates for app developers.

The announcement was made via the Windows Developer Blog by the Store Team and is entitled Important dates regarding apps with Windows Phone 8.x and earlier and Windows 8/8.1 packages submitted to Microsoft Store. Well, my first thought was, ‘important’ in combination with Windows 8.x and apps is an Oxymoron. Windows 8.x sails on raw about 5% of desktop machines (it only has a shadowy existence) and same is with Windows Phone 8.x. I postulate, we won’t see new apps for these platforms. Nevertheless, here are the important dates:

• October 31, 2018: Microsoft will stop accepting new app submissions with Windows Phone 8.x or earlier or Windows 8/8.1 packages (XAP or APPX). This will not affect existing apps with packages targeting Windows Phone 8.x or earlier and/or Windows 8/8.1. You can continue to submit updates to these apps as described below.
• July 1, 2019: Microsoft will stop distributing app updates to Windows Phone 8.x or earlier devices. You’ll still be able to publish updates to all apps (including those with Windows Phone 8.x or earlier packages). However, these updates will only be made available to Windows 10 devices.
•  July 1, 2023: Microsoft will stop distributing app updates to Windows 8/8.1 device. Developers are still be able to publish updates to all apps (including those with Windows 8/8.1 packages). However, these updates will only be made available to Windows 10 devices.

Concerning the last topic, developers are still be able to publish updates to all apps (also for Windows 8.x), but will only be made available to Windows 10 devices – are they kidding? The author of the Microsoft blog post has prepared also another joke for app developers, writing:

We encourage you to explore how you can port your existing app to the Universal Windows Platform (UWP) where you can create a single Windows 10 app package that your customers can install onto all device families. You can learn more about UWP apps here.

I’ve addressed the beef only within my German blog post Windows 10 Apps: Können PWAs es reißen?. For you, as an English reader, I recommend, to read the Technet blog post Tip o’ the Week 426 – You’ve been PWAned from Evan D. and draw your own conclusions.

Microsoft has released the Windows 10 Insider Preview Build 17744 (Redstone 5) in the Fast Ring. This build is also part of the RS5_RELEASE fork that will open in Windows 10 V1809 in fall 2018. Microsoft has fixed more bugs in the build. Details may be read within the Windows blog.

[German]A brief Information for users of Windows 10 version 1803, who are surprised about error entries with EventID 33, caused by the spell checker. This seems to be a bug that Microsoft has not yet corrected (August 2018).

Windows 10 build-in spell checker

Windows 10 comes with an integrated spell checker. This can be switched on or off in the Settings app in the category Typing. The article here deals with disabling spell checking/auto correct.

On my German test system auto correct won’t work at first. During testing that within the Mail app, a note popped up, how to add another language pack. I went in Settings app to the installed language, select ‘German’ and then ‘Options’ for this language. Then I was able to download and install options language options. Afterward I was able to use spell checking.

Spell checker issue in Windows 10 V1803

With the upgrade to Windows 10 April Update (version 1803) something seems to have gone wrong with auto correction/spell checker. German blog reader Tom (thanks for that) brought my attention to this issue. The bug is discussed in the Microsoft Answers Forum.

spellchecker error (eventID 33) since spring update

Hello, fresh installation of windows 10 spring update.

Everytime i dont type something quite correct :P it will give an eventviewer message that basicly says something like this :

adding hardcoded changes Brave hendrik -> brave hendrik to the program failed : not implemented

The spellcheckerprogram remains available. (its originally in dutch)

I’ve already unchecked autocorrect and marking in the settings for typing etc.

But it still continues to mark stuff.. even now this whole page is practically underlined because im typing in English and not Dutch lol.

How to fix this or at the very least filter it from the eventviewer results?

In a nutshell: The user has a fresh installation of Windows 10 V1803 (in Dutch). Whenever he types a word under Windows 10 that has a typo, an error entry with the event ID 33 is added to the event log.

According to this forum post, however, this occurs with Edge, in Apps or in Word for instance. Other users who have only installed one language pack under Windows 10 but have the same event IDs in the Event Viewer have also reported in the thread. I was able to find the entry on my test system after I started the mail app and entered an incorrect text. The following screenshot shows the entry in the event display (German Windows 10).

(Click to zoom)

The following screenshot is from an English Windows 10 V1803 and was posted in Tens forum.

I interpret the details message, that a auto correction word pair in spell checker (http -> http) is not implemented. However, the spell checker module remains available.  The discussion in the Microsoft Answers forum still results from May 2018, where the feature update to Windows 10 version 1803 just has been released. Meanwhile, cumulative updates for June, July and August 2018 have been released. But as my test above shows, none of these cumulative updates fixed the bug in the integrated spell checker.

Addendum: I’ve tweeted it now to @jenmsft and wait, if it will be addressed soon.

Similar articles
Win10 Wiki

How to decode Windows errors?
Windows 10: Analyze upgrade errors
Windows: How to decode update 0x8024…. errors

Uninstalling ‘uninstallable’ Windows Updates
How to block Windows 10 updates
Stop Windows from installing updates over and over again

[German]Microsoft has released Intel microcode updates (KB4346084, KB4346085, KB4346086, KB4346087, KB4346088) for Windows 10 on August 20/21, 2018 (thanks to GeroH for the tip). Here is a brief overview.

Update KB434608 for Windows 10 V1803

Update KB4346084 (Intel Microcode Update) is available for Windows 10 V1803. According to Microsoft, it addresses the following vulnerabilities:

Intel recently announced that they have completed their validations and started to release microcode for recent CPU platforms related to Spectre Variant 3a (CVE-2018-3640: “Rogue System Register Read (RSRE)”), Spectre Variant 4 (CVE-2018-3639: “Speculative Store Bypass (SSB)”), L1TF (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646: “L1 Terminal Fault”). In addition to microcode updates previously released in KB4100347​ to address Spectre Variant 2 (CVE 2017-5715: “Branch Target Injection”), this update also includes microcode updates from Intel for the following CPUs.

This update applies to several Intel processors listed in the KB article. It is a standalone update for Windows 10 version 1803 (Windows 10 April 2018 update) and Windows Server version 1803 (Server Core). This update is distributed via Windows Update, WSUS, and the Microsoft Update Catalog.

Microsoft intends to offer additional microcode updates from Intel for this operating system via the KB article as soon as they are available for Microsoft. Vulnerability protection is enabled by default for Windows client systems, so no action is required.

Please make sure that protection against Spectre Variant 2 for servers is enabled via the registry settings documented in the article Windows Server guidance to protect against speculative execution side-channel vulnerabilities.

Notes: Microsoft advises: Check with your device manufacturer and Intel through their websites for microcode recommendations for your device before applying this update to your device.

Users of Windows 10 V1803 are still offered the Intel Microcode Update KB4100347. The package is listed in the Update Catalog with date 8/21/2018, the KB article specifies July 2018 as the last change date. I had described the package in May 2018 in the article Windows 10 V1803: Microcode update KB4100347 (05/15/2018).

Update KB4346085 for Windows 10 V1709

Update KB4346085 is the same Intel Microcode update as described above, but is available for Windows 10 V1709. The list of supported updates is listed in the KB article. There you will also find further details and the link to the Microsoft Update Catalog.

Update KB4346086 for Windows 10 V1703

Update KB4346086 is the same Intel Microcode update as described above, but is available for Windows 10 V1703. The list of supported updates is listed in the KB article. There you will also find further details and the link to the Microsoft Update Catalog.

Update KB4346087 for Windows 10 V1607

Update KB4346087 is the same Intel Microcode update as described above, but is available for Windows 10 V1607. The list of supported updates is listed in the KB article. There you will also find further details and the link to the Microsoft Update Catalog.

Update KB4346088 for Windows 10 V1507

Update KB4346088 is the same Intel Microcode update as described above, but is available for Windows 10 V1507 (RTM. The list of supported updates is listed in the KB article. There you will also find further details and the link to the Microsoft Update Catalog.

The list of updates can be viewed in the Microsoft Update Catalog (updates with date 8/20/2018). At KB4090007 is an overview of all supported CPUs.

[German]Here is another hint to vulnerabilities buried in software packages from Microsoft. The Visual C++ runtime packages (VC redistributable) provided by Microsoft are assembled to installer packages with outdated (vulnerable) WiX Toolkit versions.

What are the Visual C++ Runtime?

A Visual C++ runtime environment, the VC runtime, is required for Visual C++ programs. Microsoft offers various versions of its Visual C++ Runtime environment as redistributable packages for Windows. A list of VC redistributable versions for Windows can be found at this Microsoft page. So far so good – maybe apart from the fact that users often have trouble with these packages, there is more in stock.

Old stuff: Vulnerability in Visual C++ Runtime?

Unfortunately, the Visual C++ runtime packages seem to be a security night mare. Today I was reminded via Twitter on my old article series I published in December 2017.

The problem with C++ Redists & 3rd Party security patches – I to III

Posted on 2017-12-19 by @etguennihttps://t.co/yAvtB8Ionlhttps://t.co/DDQvWwKeW2https://t.co/4tT7fFXoiu

— Crysta T. Lacey (@PhantomofMobile) 22. August 2018

After a hint from German blog reader Karl, I pointed out potential vulnerabilities caused by security updates within a series of articles.

But there is another details, that I had in stock since a while. Security expert Stefan Kanthak drew my attention to a security issue and forwarded his mail exchange with Microsoft. But I have not had the time to write an article. The tweet mentioned above reminded me, to write this article now.

Security risk: WiX Toolset used for VC installer

Microsoft is using the WiX Toolset to build the installer packages for its Visual C++ redistributables (and their updates). The vendors web site says:

WiX Toolset build tools includes everything you need to create installations on your development and build machines.

As shown in the above screenshot, the WIX Toolset v3.11.1 is current version. Visiting this site, I noticed that the website is still offered via http – but fortunately the toolset itself is provided via GitHub. Rob Mensching, I mean he’s an ex-Microsoft employee and developer of the WIX Toolset (see Wikipedia), offers the opportunity to obtain the Toolset Visual Studio 2017 Extension.

Microsoft is using vulnerable WIX Toolset versions

You can download the relevant packages from the Microsoft download pages for the VC redistributables. These packages were updated about 6 weeks ago. Stefan Kanthak has been focusing on these packages for a long time, because the installer files are created by Microsoft using the WIX toolset. That wouldn’t be so bad at first. But there ar e’curiosities’ that I put together briefly. Stefan Kanthak wrote:

The installation packages of the VC redistributables from summer 2018 were created with the WIX toolset version 3.7.3813.0 (and older). Version 3.10.2 of the WIX-Toolset was released in January 2016. FireGiant has an article: ‘WiX v3.10.2 is an important security release of WiX. We encourage all users of WiX to upgrade to WiX v3.10.2.’ Microsoft doesn’t seem to care.

Stefan Kanthak has downloaed the VC redistributable from Microsoft and let a few tools analyze it. Here are the results of this inspection.

Take 1:
~~~~~~~
| C:\Users\Stefan\Downloads>CURL.exe -q -I -L https://aka.ms/vs/15/release/vc_redist.x86.exe
...
| Last-Modified: Tue, 22 May 2018 17:35:06 GMT
The installer is quite new, published about 10 weeks ago.

Take 2:
~~~~~~~
| C:\Users\Stefan\Downloads>SIGNTOOL.exe Verify /V vc_redist.x86.exe
...
| The signature is timestamped: Tue May 15 08:08:31 2018
The installer was built or digitally signed about 11 weeks ago,
just one week prior to its release.

Take 3:
~~~~~~~
| C:\Users\Stefan\Downloads>FILEVER.exe /V vc_redist.x86.exe
| --a-- W32i   APP ENU   14.14.26429.4 shp 14,611,496 05-22-2018 vc_redist.x86.exe
|
|        Language        0x0409 (Englisch (USA))
|        CharSet         0x04e4 Windows, Multilingual
|        OleSelfRegister Disabled
|        CompanyName     Microsoft Corporation
|        FileDescription Microsoft Visual C++ 2017 Redistributable (x86) - 14.14.26429
|        InternalName    setup
|        OriginalFilenam VC_redist.x86.exe
|        ProductName     Microsoft Visual C++ 2017 Redistributable (x86) - 14.14.26429
|        ProductVersion  14.14.26429.4
|        FileVersion     14.14.26429
|        LegalCopyright  Copyright (c) Microsoft Corporation. All rights reserved.

Take 4:
~~~~~~~
| C:\Users\Stefan\Downloads>LINK.exe /DUMP /HEADERS /DEPENDENTS vc_redist.x86.exe
...
| FILE HEADER VALUES
|              14C machine (x86)
|                7 number of sections
|         54DE53A8 time date stamp Fri Feb 13 20:42:32 2015

It’s already critical. The VC redistributable has a file date of May 15, 2018, but was linked (build) on February 13, 2015. The installation file with the runtime library was created with the Wix Toolset version 3.7, as can be seen in the following excerpts:

Take 4, continued:
~~~~~~~~~~~~~~~~~~
| OPTIONAL HEADER VALUES
|              10B magic # (PE32)
|            10.00 linker version
             ~~~~~
...
|             5.01 operating system version
|             0.00 image version
|             5.01 subsystem version
|  Image has the following dependencies:
|
|    gdiplus.dll
|    ADVAPI32.dll
|    USER32.dll
|    OLEAUT32.dll
|    GDI32.dll
|    SHELL32.dll
|    ole32.dll
|    KERNEL32.dll
|    Cabinet.dll
|    CRYPT32.dll
|    msi.dll
|    RPCRT4.dll
|    WININET.dll
|    WINTRUST.dll
|    VERSION.dll
Debug Directories
|
|        Time Type       Size      RVA  Pointer
|    -------- ------ -------- -------- --------
|    54DE53A8 cv           46 00052F60    51760 ... E:\delivery\Dev\wix37\build\ship\x86\burn.pdb

So Microsoft’s developers are using an old WiX Toolkit, known as vulnerable. I’m not fit in versioning – but Stefan Kanthak told me, the installer was created with Visual Studio 2010 for use under Windows XP and newer Windows NT versions. In February 2015, however, Windows XP had long since fallen out of support (support ended in April 2014).

The excerpt above also shows that the installer depends on a bunch of DLLs. These DLLs are not considered as ‘known DLLs’ by Windows. This means: During installation, malware could replace these files in the directory with the installation files and latch into the installation. I had mentioned the possible problems within my blog post PSA: Classic Shell is now Open Shell Menu – and a warning.

The list of potential problems and vulnerabilities Stefan Kanthak sent me continues in this vein – I spare them. To sum it up: Microsoft is using outdated and vulnerable tools to create a runtime redistributable, that has been installed on Million Windows systems. Kanthak informed Microsoft about this – without anything happening. The colleagues at The Register have just taken that up. What’s going on at Microsoft right now?

Similar articles
PSA: Classic Shell is now Open Shell Menu – and a warning
Security flaws in MDOP/MBAM July 2018 Update KB4340040
Windows 10 and the OneDrive vulnerabilities – Part 1
Windows 10 and the OneDrive vulnerabilities – Part 2
Windows 10 and the OneDrive vulnerabilities – Part 3
Security-Risk: Avoid 7-Zip
7-Zip vulnerable – update to version 18.01

[German]Users who are updating Windows 10, or upgrading to the April Update (V1803) may run into a problem. A system warning from sihost.exe is displayed at startup and there are malfunctions.

I need to confess, I wasn’t aware of this issue. But there are a lot of people affected, as I discovered during research. And the error has been occurring since 2015, but there are clusters to Windows 10 V1803.

The error description

Users update Windows 10 to the April Update (version 1803) released in May 2018. After that, the affected persons will no longer be able to access the system, since sihost.exe no longer works. One affected person describes as:

Sihost.exe unknown hard error since latest Windows 10 update

Hello everyone, since the latest update on Windows 10 (may 2018), I’m unable to enter on my profile on my computer. Whenever I try to start it, shows the following error message “sihost.exe unknown harderror”, then if I continue and log into my profile, comes out the next error mesage:

“location not available, can’t obtain access to
C:\WINDOWS\system32\config\systemprofile\Desktop Acess denied”

with the screen behind it completely black, can’t acess the start menu, internet or settings, and the only icon in the desktop it’s the recicle bin. It’s there a way to troubleshoot this? Or why is this happening? Any solutions? Or even someone who has the same issue. Thank you for your answers

That’s a big problem, of course. In the US Microsoft-Answers-Forum there is this thread with over 680 affected people and four pages of user messages. There is a photo (see following excerpt) of the sihost.exe system warning.

Further screenshots are also shown in the thread, which report that the path

C:WINDOWS\system32\config\systemprofile\desktop

was not available. In other words: sihost.exe cannot access the folder with the system profile of the desktop.

The sihost.exe program is the shell infrastructure host, an essential component and the file is a Windows system file.

Searching the Internet you will notice that the error occurred earlier (e.g. there is this thread from 2015). At reddit.com there is even a current thread from May 2018 and Bleeping Computer suspects tools like AVAST (see also here).

How to fix the sihost.exe error?

In Microsoft’s Answers forums it is then proposed to check the system for defective files and damage. I described this in the blog article Check and repair Windows system files and component store. But the proposal has several hooks.

• With this error it’s no longer possible to call the command prompt window, the start menu, etc., as described above. You could try an offline check under Windows PE. Whether this helps, however, is another matter.
• My understanding of above error message is, that the Shell Infrastructure Host (sihost.exe) still works, but cannot find the required paths to access the system profiles of the desktop. This rather indicates a configuration error in the profile or a damaged profile/user account.

The usual troubleshooting hints on the Internet do not really help me. If you browse through the MS-Answers forum posts I guess you won’t notice any real solution.

Warning: You may also come across this post when searching the internet. I can only write ‘Hands off’. The advice in Solutions 1 to 3 is not harmful, but should not work or be of little use. However, the contribution has one purpose: to lure unsuccessful users to Solution 4. The advertised tool Driver Talent should fix it. The tool won’t help, and it’s not clear what you get on the system and what that does.

If you have a lot of experience, you can try the way to repair the user account described in this blog post (from 2016). It requires copying profile files from a working system back to your broken account.

My advice is to create an installation image of Windows 10 version 1803 using Media Creation Tool (MCT). Or you can download an ISO from Microsoft’s servers (see here). Then boot from the installation media and reinstall Windows 10 V1803. However, all data and installed programs are lost. Save it beforehand (can be done under Windows PE on a USB medium).

Similar:
Windows 10 Wiki
Check and repair Windows system files and component store
How to repair Windows Performance Monitor

The mail app of Windows 10 doesn’t support to send group emails to contacts located within the people app. The creation of groups in the people app is not possible. Now a Microsoft employee is trying to push the topic.

Recently I came across the thread Unable to send group emails to multiple contacts in Windows 10 People App from Sophie_Z while browsing the US Microsoft Answers forum. On she is a moderator in US Microsoft Answers forum, but she is also a Microsoft employee (support engineer). Sophie_Z apparently posted a problem and asked for more feedback.

Unable to send group emails to multiple contacts in Windows 10 People App

I am a Microsoft support engineer and I want to gather more feedback from you in regards to the issue that users cannot send emails to multiple contacts in People App, so I can drive a feature request with Windows engineering group.

I have submitted a Feedback Hub post with the issue description here: https://aka.ms/AA21cea

If you could upvote the issue and leave a detailed comment about your frustration with the absence of this feature, that would help me make a strong business case for the request.

Thank you very much and please comment below if you have any more questions!

Till now, more than 500 users added their feedback. So, if you miss this feature too, feel free to send feedback.

Microsoft has released Windows 10 Insider Preview Build 17746 (Redstone 5) in Fast Ring freigegeben. This build contains bug fixes, and has been announced at Windows-Blog. This build branch will become in authumn Windows 10 V1809.

[German]In general, Microsoft’s August 2018 patchday seems to go smoothly with the delivered updates. But there are occasional hints that there may be issues with some updates. 

Update KB4456688 for Visual Studio 2015

Update KB4456688 (Description of the security update for the Diagnostic Hub Standard Collector elevation of privilege vulnerability in Visual Studio 2015 Update 3: August 14, 2018) shall mitigate the vulnerability CVE 2018 0952. I am not using VS 2015, so I can’t say anything about it. But at askwoody.com a user has reported the following.

2018 August 18 Microsoft released a security update to Visual Studio 2015 Update 3 to deal with CVE-2018-0952 and CVE-2018-8273. The update can be found in their update catalog under KB4456688.

We’ve applied this update on some canary machines to find out if there is any impact before a general rollout… Unfortunately this security update renders VS2015 virtually unusable – if you try to run your code in debug mode it is super super slow. Don’t know if anyone else has seen this problem. Wanted to let you guys know that MS seems to have botched yet another patch.

In a nutshell: After installing the update, the Visual Studio 2015 installations were virtually unusable on the user’s test machines. Everything is extremely tough. Can anyone confirm that?

Issues with Intel Microcode-Update KB4100347?

On July 24, 2018 Microsoft released several Intel Microcode updates for Windows (see my blog post Intel Microcode Updates KB4100347, KB4090007 (July 2018)). On August 20/21, 2018 there were further Intel Microcode updates released for Windows 10 (see my blog post Intel Microcode Updates KB4346084, KB4346085, KB4346086, KB4346087, KB4346088 (August 20/21, 2018)). Within my German blog, some users commented, that they were also offered Update KB4100347. On Twitter there is a tweet that updates led to system start issues.

I just completely wiped my drive, formated it and installed Windows 10 from scratch.
During installing the updates through windows update everything was okay until KB4100347. Then the same issue occured again and I’m stuck in windows logo screen after reboot for 10 minutes now.

— tmGrunty (@tmGrunty) 22. August 2018

The tweet above shows that the user has installed a fresh copy of Windows 10 after the problem occurred. Also in this scenario KB4100347 causes the computer to hang at the Windows logo when booting.

On August 19, 2018, in the blog article Windows 10: Intel driver updates for AMD systems?, I had already raised the question of whether Microsoft incorrectly delivers Intel drivers for AMD systems. MS Power User, who take up the above issue within this article mentioned an article (Microsoft deployment error – Update for Windows 10 version 1803 for x64-based systems (KB4100347)) from an Italian site. The article points out that Microsoft mistakenly rolls out the Intel microcode update KB4100347 on systems with AMD CPUs. All that remains is to uninstall the update and then block the reinstallation (see How to block Windows 10 updates).

Microcode updates: I lost track

I don’t know if I’m alone. When it comes to Intel Microcode updates, I’m slowly losing track of things. There are firmware updates and there are Windows updates that are used when booting Windows. Depending on the machine, certain registry entries must then be set in order for the microcode updates to take effect under Windows Server (see article Windows Server guidance to protect against speculative execution side-channel vulnerabilities).

And the bottom line for every user is: Are the Spectre gaps the big security problem, or is malware not aimed at other vulnerabilities? Susan Bradley took up this question on askwoody.com in the blog entry Patch Lady – Microcode confusion and concludes that everything is not that simple. At ComputerWorld you will find further information about (minor) issues caused by August 2018 Patchday.

Similar articles:
Issues with Exchange Server 2016 Update KB4340731
Intel Microcode Updates KB4346084, KB4346085, KB4346086, KB4346087, KB4346088 (August 20/21, 2018))

[German]A brief information for administrators in enterprise environments. When using Cisco Anyconnect VPN under Windows 10 V1803 it can happen that the Windows Defender Security Center is constantly opened in the foreground.

A description of this issue

It is a strange behavior a user reported on MS-Answers. When using Cisco Anyconnect VPN, the Windows Defender Security Center from Windows 10 V1803 opened cyclically a window to report the security status. He wrote:

On several of our Windows 10 1803 Laptops, and when connecting to our VPN using Cisco Anyconnect, Windows Defender Security Centre’s – Security at a Glance constantly opens and becomes the active window.

Every 5 or minutes it takes the foreground and makes it impossible to work while connected, regardless if you close it or shrink it.

All the items have green ticks, do not display any issues when popping up.

I can’t see anyone else having this issue on the almighty google, so am hoping someone here might be able to help?

The root cause and a workaround

The user affected from this behavior has found the root cause and a workaround himself. The Cisco Anyconnect VPN solution checks cyclically whether an antivirus solution is installed under Windows. If such AV software is found, the VPN software checks whether the installed AV solution is up-to-date. Only then a VPN connection is allowed.

Seems a useful approach, and Windows Defender included in Windows 10 was also entered in the AV list of the user affected. As a workaround, the administrator has now excluded the Windows programs AntiVirus, Personal Firewall and AntiSpyware from the security check. This stopped the Windows Defender notification. In the current case, the user writes, ESET Smart Security is used as antivirus solution, firewall and anti-spyware protection on their systems. Maybe it will help if you use this combination and if you are affected.

[German]Users of Windows 10 (or older versions) may notice surprisingly a program named overseer.exe suddenly appearing on the system. Here is some information for those affected.

Error description and observations

I recently stumbled across this problem again by chance here in the German MS Answers forum. The affected person was confronted with the problem that the program was faulted under Windows 10 in Windows Defender. The user wrote (I translated the text):

Defender generates a message for the file “overseer.exe”.
What is this program? Can anyone provide information on this?

But there are also users who suddenly find the Avast Overseer application on the system. This case can be found e.g. at Bleeping Computer. This thread can be found in the AVAST forum, which refers to the steam forum entry where the program suddenly stops working (“OVERSEER.EXE has stopped working” message). Or Internet Explorer suddenly stopped working. On the web you will find numerous hits from users who deal with the program. 

Some background

The program “overseer.exe” belongs to the free light version of AVAST virus scanner (and now also to all AVAST and AVG security products) and is stored under Windows in the following directory:

C:\Program Files\Common Files\avast software\overseer

The .exe program file should have a digital signature from the antivirus vendor AVAST (otherwise a virus would be suspected). You can check this by right-clicking on the overseer.exe file, selecting Properties in the context menu and then switching to the Digital Signature tab. If the tab is missing, the program is unsigned, is not from AVAST and is problematic (possibly a malware).

Some information about the program can be found in this AVAST forum post. Internet Explorer doesn’t work after installing the program (probably because of the shield function of the software). There is a second place where the program is stored – and the uninstaller did not remove overseer.exe according to a post.

Within this AVAST forum post AVAST developer drake127 revealed a few insight in October 2017.

It is our new application that is going to help us detect common (technical) issues with our products. In a sense, it behaves similarly to our Avast Emergency Update but is able to correct these issues independently and even catch them sooner. That’s at least theory, currently we are evaluating its performance on small fraction of our users.

AVAST writes that they started testing the tool on some systems in October 2017. Upon request, the AVAST employee will specify:

It’s a small independent application residing in its own directory, therefore it should be able to fix even most broken Avast installations. It’s being run daily from task scheduler but it has really small footprint and if everything is fine, exits within seconds. It also has its own release cycle and is able to update itself automatically.

During its run, it identifies some well-known (but very hard to prevent) issues with our products and attempts to fix them, if possible. For example, it detects whether the antivirus service is running and if it is not, it triggers repair. Right now, that’s about it. We’ll see if it actually helps as much as many people in the office hope it will. :-)

Within the forum tread, the discussion on three pages revolves around the function and why it is installed for testing purposes. In 2018, the tool seems to be widely distributed with the free AVAST virus scanner (and also with other AVAST and AVG products.

How does overseer.exe get on the system?

The is the question, how does that tool came on a Windows system? My first question I would ask: Has the user installed an AVAST or AVG virus scanner? In this case, it has been installed by this software.

However, users affected are often pelading as ‘not guilty’ of having knowingly installed any AVAST program or file such as overseer.exe. The background is that the AVAST Free virus scanner has been installed on the system as a potentially unwanted program (PUP) with other software since that time. The following screenshot shows the problem during the installation of the CCleaner from Piriform (see my blog post CCleaner comes mit AVAST PUP).

This software option can be deselected in the user-defined installation mode. But hardly not all users reads these messages, and so the program lands in Windows unintentionally. 

Note: I’m surprised that Windows Defender didn’t complain about the PUP already during the installation, because something like this can be detected. I had several blog posts about PUP, CCleaner and its risks, see article at the end of this post. 

As mentioned above: I also assume that the tool will also come onto the system regularly by installing the AVAST virus scanner (or the AVG counterpart belonging to AVAST). 

How do I get rid of the tool?

Within this AVAST forum post I just found the hint, that the tool won’t be uninstalled during uninstalling CCleaner or AVAST. So you need to clean your system manually. This means: delete the relevant folder, check if tasks are available for startup and also check the registry to see if there are (auto-start) entries. An article on Techdows.com describes this. You can also try – if it helps, I don’t know – to remove the AVAST stuff according to the instructions on German site deskmodder: Boot into safe mode and use the AVAST Uninstall utility. Maybe this will help. 

Similar articles:
CCleaner 5.45 pulled and other peculiarities
AVAST CCleaner 5.45 and the telemetry thing
CCleaner comes mit AVAST PUP
CCleaner has been infected with malware
PUP: AVIRA adds Aviara Launcher to paid version
Slimjet browser: Beware of Bing search engine
Is FlashPeak Inc. shipping Slimjet browser with a backdoor?
Firefox addon Web Security transfers private data
HP installs secretly HP Touchpoint Analytics Client telemetry client

[German]McAfee pulled its August-Update for Endpoint Security 10.5.4, released on August 14, 2018 due to serious issues. This update is causing blue screens after installation.

In a statement SNS1590 from August 23, 2018 McAfee announced that the download of the Endpoint Security 10.5.4 August Update has been removed from the servers. The problem probably affects the following McAfee environments: 

McAfee Endpoint Security (ENS) 10.5.4 August Update
McAfee ENS Common Client 10.5.4.4287
McAfee ENS Firewall 10.5.4.4223
McAfee ENS Threat Prevention 10.5.4.4318

on systems with Windows 7 to Windows 10 as well as the server variants. According to this article, it does not matter whether the Windows installation runs virtualized or on bare metal. Here is the original McAfee message:

On Tuesday, August 14, 2018, McAfee released the August Update for McAfee Endpoint Security for Windows (ENS) version 10.5.4. Post-release, McAfee received reports from a small number of customers of an infrequent issue on some endpoints during or shortly after the upgrade. In keeping with our objective of providing the highest quality releases, McAfee has removed the ENS 10.5.4 August Update from the Product Downloads site.

For those customers that have downloaded the August Update for ENS 10.5.4 (build 4287), McAfee strongly recommends to not install this update. If you are part way through a deployment or have encountered issues with this update, please contact McAfee Technical Support immediately for assistance.

Details about the issue may be found within an McAfee document dated August 24, 2018 with the title KB90848 – SYSTEM_SERVICE_EXCEPTION (3b) (blue screen error occurs after installing Endpoint Security 10.5.4 August Update). The document says, a blue screen with stop code SYSTEM_SERVICE_EXCEPTION (3b) may occur. The BOSD seems to caused by the driver mfencbdc.sys.

McAfee advises affected users not to install the already downloaded update. The problem is currently being investigated. On systems where the problem occurs, uninstall the August Update and reboot Windows.

[German]Microsoft’s Intel Microcode KB4100347 update causes issues with Trend Micro Worry-Free Business Security (WFBS). After installing this update, virus protection seems no longer active.

In blog article McAfee pulled Endpoint Security 10.5.4 August-Update a few hours ago I had reported a case with issues after installing the microcode update KB4100347 under Windows 10. According to comments, this update, which actually dates from July 2018, was also installed on machines via Windows Update in August 2018.

Trend Micro Worry-Free Business Security (WFBS) is a security solution from Trend Micro. These are cloud-based security services for Windows, Mac and mobile devices for Windows. This security solution is also available for Windows 10.

German blog reader Thomas B. has informed me by e-mail that there is an issues with the Trend Micro Worry-Free Business Security (WFBS) virus protection solution. After installing microcode update KB4100347, the WFBS virus protection no longer works under Windows 10. The following screenshot from Thomas shows the problem.

(Click to zoom)

Der Trend Micro Security Agent is no longer activated, the device isn’t protected. Thomas wrote, that he got this issues on all systems, where KB4100347 has been installed. Is someone else affected?

[German]For security reasons, Microsoft would like to retire the SMBv1 network protocol in Windows and recommends not to use it. In this article I have collected some information on this topic.

What is SMBv1 and why should it be removed?

The abbreviation SMB stands for Server Message Block (former names are LAN Manager or NetBIOS protocol), a network protocol for file, print and other server services in computer networks. Version 1 (SMBv1) of the network protocol designed over 30 years ago, and especially the Microsoft implementation, is considered very error-prone and security-critical (see Microsoft plans to deactivate SMBv1 in  Windows 10 V1709 and Stop Using SMB1).

In the meantime there are SMBv2 and SMBv3, so that the use of SMBv1 in Windows networks is no longer absolutely necessary. Even Windows Vista, which has fallen out of support, is no longer dependent on SMBv1, for example, since SMBv2 is used there.

Another reader for Microsoft to retire SMBv1

In May 2017, the Trojan WannaCry infected thousands of computers worldwide. A reason for the question ‘why could WannaCry spread over thousands Windows system?’ was a vulnerability in the SMBv1 implementation of Windows. However, this vulnerability has been already closed by security updates from Microsoft before the WannaCry attack. Actually WannaCry could no longer have exploited the vulnerability. But we still have Wanny Cry infection due to still unpatched computers.

Maintaining the SMBv1 code involves a certain amount of effort and it cannot be ruled out that the implementation may contain further weak points. Therefore Microsoft decided to pull SMBv1 in future Windows 10 installs, and wants to prevent and force people to switch to SMBv2 or SMBv3.

Chaos: Removing SMBv1 in Windows 10

I pointed out within my blog post Microsoft plans to deactivate SMBv1 in Windows 10 V1709 that Microsoft will start to gradually disable SMBv1 in Windows 10. SMBv1 is no longer automatically installed with new installations of Windows 10. This was planned step by step:

• In Windows 10 Enterprise Microsoft removed SMBv1 in summer 2017. Also upcoming Windows Server 2019 won’t install SMBv1 automatically.
• From Windows 10 version 1709 onwards Microsoft then began to remove SMBv1 for the remaining Windows 10 variants during a new installation (see my blog post Microsoft plans to deactivate SMBv1 in Windows 10 V1709).
• In Windows 10 version 1803, SMBv1 should be automatically disabled if the protocol is not used for 14 days.

Regarding the question whether SMBv1 in Windows 10 version 1803 is automatically uninstalled when not in use – as planned by Microsoft – there are a number of special features to note. I had mentioned the specialities in the blog port Windows 10 Pro V1803: SMBv1 ‘special traps’.

SMBV1 issues in Windows 10 Version 1803

Deactivating SMBv1 resulted in several issues in Windows 10 V1803 (see my blog posts Windows 10 Version 1803: Network environment empty). An can activate or deactivate SMBv1 manually in Windows 10. However, a bug in Windows 10 version 1803 caused an automatically deactivated SMBv1 to no longer work correctly when activated manually. Microsoft has fixed this with update KB4284848 (see my blog post PSA: Windows 10 V1803: Update KB4284848 brings SMBv1 fix).

How to remove SMBv1?

If you want to remove SMBv1 in your Windows environment for security reasons, you can do so under Windows 7 to Windows 10. Microsoft has published this document, which describes the corresponding registry operations or PowerShell commands. Furthermore, there are group policies to disable SMBv1 on systems. 

From Windows 8.and above you can also use Windows Features and uncheck the SMB 1.0/CIFS File Sharing Support checkbox (see screenshot above). Then the feature will also be removed during the next reboot. In this blog post, Microsoft also provides advice on how to disable using SMBv1, which also works in PowerShell using the command:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

This command removes support for SMBv1 on the Windows client. 

German blog reader Karl has informed me by e-mail that SMBv2 and SMBv3 are stacked on each other. It is therefore not possible to disable SMB2 and use only SMB3. He has send my also a link to this Microsoft article, which contains the SMB compatibility matrix for Windows.

Potential issues caused by removing SMBv1?

Disabling SMBv1 in Windows (either manually or when reinstalling Windows 10) can cause significant problems. Even though Ned Pyle reports in Tweets that he has running systems without SMBv1 for 2 years and nothing has changed, the world out there looks different. All devices that depend on SMBv1 will then no longer work within a network.

• Many All-in-on devices with scanning capabilities use SMBv1 to store scans over the network on network shares. If the devices do not support SMBv2 or SMBv3, it would no longer be usable. I had mentioned this topic in the article Windows 10: Scanner fails after update.
• In Windows 10 V1803 network environments, other computers may not be found, the network environment is empty. However, this issue can be solved by certain changes in the Windows services. I covered the topic in Windows 10 Version 1803: Network environment empty. This Microsoft article also contains hints to fix this issue.
• Using NAS drives on a network causes problems when SMBv1 is turned off. I got several comments within my German blog. Also the router firmware of German FRITZ!Box models (company AVM) doesn’t support NAS drives that can be integrated as USB media, if SMBv1 is missing.

German blog reader Karl indicates that most Synology NAS drives use SMB1 by default. You can change this (Go to Control Panel->File Services->SMB/AFP/NFS, SMB service is enabled; AFP and NFS are not enabled; Minimum SMB protocol is SMB2, Maximum is SMB3). But if devices fails after disabling SMBv1 on the network due to missing SMBv2/v3 support, I think there will be no other options around as reactivating the network protocol. When purchasing new network devices, however, you should pay attention to the support of SMBv2. 

Similar articles:
Windows 10 Pro V1803: SMBv1 ‘special traps’
PSA: Windows 10 V1803: Update KB4284848 brings SMBv1 fix
Microsoft plans to deactivate SMBv1 in Windows 10 V1709
Windows 10 Version 1803: Network environment empty
Windows (Network) error 0x800704B3
Windows 10: Scanner fails after update
Microsoft won’t patch SMBloris vulnerability
WannaCry has infected chip maker TSMC fabs …

There is obviously a fix for the install error 0x80092004 caused from .Net Framework update KB4340558. Here are a few details about the status of that topic.

Some background

In July 2018 Microsoft released .NET Framework update KB4340558 (Security and Quality Rollup updates for .NET Framework 3.5 SP1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1 for Windows 8.1, RT 8.1, and Server 2012 R2). But this update caused serious install errors on machines with Windows 8.1 and Windows Server 2012 R2. Shortly after the update release, German blog reader Markus B. contacted me today via e-mail (thanks) and described his observation.

KB4340558 is running on error. 60 PCs cannot install it. Find also already the first forum posts to it. Don’t seem like the only one.

“2018-07 Security and Quality Rollup for.NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 under Windows 8.1 and Server 2012 R2 for x64 (KB4340558)”. It has error code 80092004.”

I’ve reported this within the blog post .Net Framework: Update KB4340558 drops error 0x80092004? But blog reader Markus B. wasn’t the only one. Worldwide numerous users has been hit by this install error. Microsoft has pulled this update due to the issues and re-released another version (see Revised .NET Framework Update KB4340558 (July 19, 2018)). But this didn’t fix the install issues at all. On July 30, 2018 pushed another .NET Framework with fixes to affected machines (see my blog post NET-Framework Updates July 30, 2018 with Fixes).

Someone found a workaround

Microsoft’s attempts to fix those install issues still leaves some people ‘in the rain’, because they continue to fail during install – especially on Windows Server 2012 R2. Gladly a German blog readers posted a solution for a workaround within this comment.

• Expand the .msu files of the update packages into a local folder of the machine using the DOS expand –f command.
• Uninstall all faulty .NET framework updates using dism /online /remove-package.
• Install the expanded new updates using dism /online /add-package.

The details of this solution may be found on (and the credit goes to) Stephen Wagner’s blog post Windows Server 2012 R2 .NET Windows Updates fail with error 0x80092004, dated on August 21, 2018.

Similar articles:
.Net Framework: Update KB4340558 drops error 0x80092004? 
Revised .NET Framework Update KB4340558 (July 19, 2018)
NET-Framework Updates July 30, 2018 with Fixes