Channel: Windows – Born's Tech and Windows World

Windows 10: SnipIT occupies disk capacity with SnipUsages / SnipUsagesUpload files


A brief tip for Windows 10 users who suddenly suffer from a full system drive and find gigabyte-sized text files with names like SnipUsages or SnipUsagesUpload in the user profile.

Some Windows 10 users complain that their system drive suddenly has no free capacity. I have now come across a special case where I can even present a solution.

SnipUsagesUpload and SnipUsages occupy the disk

A few days ago I was contacted by an acquaintance who owns a notebook with Windows 10 and noticed that the 128 GByte SSD had hardly any free capacity left. I gave him a hint to look at Windows.old and try a disk cleanup. In addition, I gave him the tip to look at the drive assignment with tools like TreeSize. A few days later I got a hint that he found an unused Office365 on the machine. By uninstalling it, he was able to free a few gigabytes of memory on the SSD. But he ran into problems, as the following mail showed a few days later.

Hi Günter, due to lack of memory I cannot update to 1903. Under AppData/Local/ I found the test files SnipUsagesUpload and SnipUsages, which together occupy about 70 GB hard disk space and are actually even larger. Can I delete them? I would be happy if you could help me. A yes or no would be enough for me.

I then searched the Internet for the keywords SnipUsagesUpload and SnipUsages and found what I was looking for.

Multiple hits on the Internet

The most prominent and first hit I found on a search engine can be found in this reddit.com posting.

SnipUsagesUpload.txt and SnipUsages.txt

Anyone know what these are or where they come from before I delete this sht. SnipUsagesUpload.txt is 73.8GB and SnipUsages.txt is 15.4GB. Someone said this stf shouldnt be on my pc and that I should delete it but I feel like I should know what in the world files this big are before i send it to the netherworld

So the same error pattern shows up here as well: the files SnipUsagesUpload.txt and SnipUsages.txt are mentioned. The files located in the profile folder occupy many gigabytes of drive capacity. Another user confirms this problem, but I did not find a clue to the cause. The same user on reddit.com complains about the capacity loss of his Surface Pro 4 in this thread. Another user on this website complains about a 2 GB text file and a massive capacity loss of his SSD.

All other hits for those file names appear in forums that deal with malware. I told the affected friend to delete the files and indicated that he should search for the cause.

The culprits: SnipInsights and SnipIT

During my search I first came across a program called SnipInsights, which is provided by Microsoft in its Microsoft AI School in source code here. The description says: Snip Insights is a cross-platform open source AI tool for creating intelligent screen copies. The AppUsageLogger.cs module contains references to exactly these two files. And then the acquaintance contacted me with another e-mail in which the veil was lifted:

after the deletion I had enough space again (instead of 3.6 Gb now 80 Gb) for the installation. Windows actually needs almost 10 Gb for this. On the search for the tool I probably found it. It is a small portable application called SnipIT. After the upgrade to 1903 and a restart I found the txt file SnipUsages in the local folder again. I have been using SnipIT on different Windows computers for years and never had any problems. I also find a txt file with 100 Gb strange. I removed it now. In the settings of the application there was no indication of any automatic protocol behavior???

Thanks again. Lost almost a whole day because of the fiddling. This used to be true for Linux, now it’s true for Windows. Could it be that Windows is increasingly falling out of time?

If you search for SnipIT, you will find it on the relevant sites such as CNet and softonic. The description says that SnipIT is an add-on for Windows Internet Explorer. The software is installed in the IE browser and offers the possibility to create screenshots and send them as text by email.


Windows 10 V1903 Update KB4505903 (07/25/2019)


Microsoft released the KB4505903 cumulative update on June 25, 2019 for the Windows 10 May 2019 Update (Version 1903) after an extensive testing period with Windows Insiders. At least, this update is available via Microsoft Update Catalog.

For a list of cumulative Windows 10 updates, visit this Microsoft Web page. However, the update has not yet been documented by Microsoft. Installing the update requires that a current Servicing Stack Update (SSU) is already installed.

In my article Windows 10 V1903 Updates (July 17, 2019) I collected some information about the preview versions of this update in advance. I will add more details as soon as they are known.

Updates for Windows Version 1903

The following updates have been released for Windows 10 May 2019 Update (version 1903) and Windows Server 2019.

Update KB4505903 for Windows Version 1903

Cumulative update KB4505903 for Windows version 1903 increases the build number to 18362.267. I’ve inspected the files within the package – it addresses everything from printer system patches to drivers to shell updates.

The update is (currently) not yet delivered via Windows Update, but can be downloaded from Microsoft Update Catalog.

Servicing Stack Update KB4508433 for Windows Version 1903

For Windows version 1903 Microsoft has also released (currently only for Insiders) a Servicing Stack Update (SSU) KB4508433. Therefore no details are available yet.

Windows Server 2008/R2: Microsoft explains In-place upgrade


In a blog post, Microsoft explained the complex approach of in-place upgrading of a Windows Server 2008/R2 to successor systems. It’s not all that easy.

The background: Windows Server 2008 and Windows Server 2008 R2 will be dropped from support in 2020. An upgrade to a successor is required, with Microsoft suggesting Windows Server 2019. The alternative is to run the server instances in a Microsoft Azure cloud. Microsoft will continue to provide support there until January 2023.

How to upgrade to Windows Server 2019

If you want to update your Windows Server 2008/R2 to Windows Server 2019 via Inplace Update, you may practice a triple jump. According to Microsoft, the Inplace Upgrade is done as follows:

  • First, upgrade Windows Server 2008 R2 to Windows Server 2012.
  • Then upgrade Windows Server 2012 to Windows Server 2016.
  • Finally, upgrade to Windows Server 2019.

The chart below is from Microsoft and shows how long each server version will be supported. Windows Server 2012/R2 falls out of support in 2023 and Windows Server 2016 in 2027.

(Windows Server In-Place Upgrade, Source: Microsoft)

After the in-place upgrade orgy you have finally arrived at Windows Server 2019 and can dedicate yourself to its configuration. In the Techcommunity article Microsoft gives numerous hints what to consider.

Not an easy choice for administrators

Administrators have to choose one of the following ‘bad’ solutions, because each comes with a pitfall.

  • When upgrading in-place to Windows Server 2012/R2, the whole exercise starts again at the end of 2022, as Windows Server 2012 Standard will fall out of support in January 2023, while Windows Server 2012 R2 Essentials will ‘still’ be supported until October 2023.
  • With Windows Server 2016 you have support until January 2027. But here I would like to remind you of the topic slow update installation (see Windows Server 2016: Slow updates). 
  • Windows Server 2019 has support until January 2029 and still doesn’t show the slow update installation behavior (but could still change with increasing patch number).

When the server is upgraded, the appropriate Client Access Licenses (CALs) must be purchased again. I also read that licensing the CALs for Windows Server 2019 will be about 10% more expensive. And now ‘Happy sysadmin day’.

WSUS 3.2.7600.307 can’t verify PSF files


A German blog reader contacted me last week and pointed out a problem related to WSUS. His WSUS 3.2.7600.307 can no longer check PSF files. Here is some information about this topic.

This topic only affects administrators in corporate environments who use Windows Server Update Services (WSUS) to manage updates for their clients and servers. Currently, the message refers to WSUS 3.2.7600.307.

What are PSF files for?

Since I don’t use WSUS, I’m not familiar with PSF files. According to this document, the Express Update packages are stored in PSF files. PSF could stand for patch storage files (see also this Microsoft page).

PSF file check fails in WSUS 3.2.7600.307

German blog reader Franz W. sent me a mail last week (thanks for that) describing a problem he has with his WSUS. Franz wrote:

I now have the following problem with the conversion of the MS updates to SHA256:

The WSUS can’t check updates that contain PSF files and then discards the download. EXE and CAB (only SHA256 signed) don’t cause any problems.

Currently I cannot distribute the updates KB4509094 and KB4507435 for Windows 10 1803.

Franz searched the internet and found this Technet forum thread, where the issue has also been described.

More affected users in Technet

A user named Deniz opened a thread on July 13, 2019 called File cert verification failure regarding only KB4504418 and described the problem.

I’m currently experiencing the following problem:

A WSUS 3.2.7600.307 running on a Windows 2008 R2 Standard server repeatedly fails to download two specific files. The server itself is fully updated; .NET 3.5.1 is installed; WID is used for the WSUS database.

The problematic files are two express installation files for KB4504418 (Servicing Stack Update for Windows 8.1, Server 2012, and Server 2012 R2), as reported by the corresponding events:

Inhaltdateisynchronisierung ist fehlgeschlagen. Ursache: File cert verification failure. Quelldatei: /c/msdownload/update/software/secu/2019/07/windows8-rt-kb4504418-x86_cbfca28e203c05cf0d8bf6e8c56d81c9bd170789.psf Zieldatei: c:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf.

Inhaltdateisynchronisierung ist fehlgeschlagen. Ursache: File cert verification failure. Quelldatei: /c/msdownload/update/software/secu/2019/07/windows8-rt-kb4504418-x64_7fc2ec35606f12f6065408850962706ebd9c9816.psf Zieldatei: c:\WSUS\WsusContent\16\7FC2EC35606F12F6065408850962706EBD9C9816.psf.

WSUS cannot download two specific PSF files. He then investigated the problem further and found the following:

  • Manually downloading the file windows8-rt-kb4504418-x86_cbfca28e203c05cf0d8bf6e8c56d81c9bd170789.psf works in general.
  • The SHA1 hash value of this file matches the file name as well as the FileDigest entry found in tbFile.
  • The SHA256 hash value of the file should be 0x52A3560EB5DB626E0CF52894CBB41D09B360C0310FF9692DE867FB2F2F3C7DFA according to tbFileHash.

The manual download works and the hash value of the file is found. But there is an error in the log file SoftwareDistribution.log:

[…]
2019-07-11 04:34:31.281 UTC      Info      WsusService.12      ContentSyncAgent.WakeUpWorkerThreadProc      Processing Item: 316170c4-97ec-4dbc-9364-17b6832294f3, State: 10
2019-07-11 04:34:31.921 UTC      Info      WsusService.12      ContentSyncAgent.VerifyCRC      calculated sha2 sha256 hash is 52A3560EB5DB626E0CF52894CBB41D09B360C0310FF9692DE867FB2F2F3C7DFA
2019-07-11 04:34:31.936 UTC      Info      WsusService.12      CabUtilities.CheckCertificateSignature      File cert verification failed for c:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf with 2148098064
2019-07-11 04:34:31.983 UTC      Warning      WsusService.12      ContentSyncAgent.WakeUpWorkerThreadProc      Invalid file deleted: c:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf
[…]

The certificate check of the file fails. According to another post, the source of the error is probably located in the file:

C:\Windows\System32\Psfsip.dll

This is the “Crypto SIP provider for signing and verifying .psf patch storage files”. Besides blog reader Franz, other people have reported the problem in the thread. Therefore two questions: Is any of you also affected? And is there a fix?
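An added example, not part of the original post or the Technet thread: a small Python triage script that reads SoftwareDistribution.log lines like the excerpt above, pairs each certificate failure with the SHA-256 that WSUS computed just before it, and decodes the decimal status 2148098064 into its HRESULT (0x80096010, which winerror.h names TRUST_E_BAD_DIGEST). The function names are hypothetical, the last two sample log lines are constructed, and the folder check reflects only the layout visible in the two paths quoted above.

```python
import ntpath
import re

# HRESULT values and names as defined in the Windows SDK header winerror.h.
KNOWN_HRESULTS = {
    0x80096010: "TRUST_E_BAD_DIGEST",    # signature of the object did not verify
    0x800B0100: "TRUST_E_NOSIGNATURE",   # no signature present
    0x800B0109: "CERT_E_UNTRUSTEDROOT",  # chain ends in an untrusted root
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) UTC\s+(?P<level>\w+)\s+"
    r"(?P<proc>\S+)\s+(?P<method>\S+)\s+(?P<msg>.*)$")
SHA256_RE = re.compile(r"calculated sha2 sha256 hash is ([0-9A-Fa-f]{64})")
FAIL_RE = re.compile(r"File cert verification failed for (.+) with (\d+)\s*$")
DELETED_RE = re.compile(r"Invalid file deleted: (.+?)\s*$")

# First four entries: the excerpt quoted in the article.
# Last two entries: constructed, a healthy item that must not be reported.
SAMPLE_LOG = r"""
2019-07-11 04:34:31.281 UTC      Info      WsusService.12      ContentSyncAgent.WakeUpWorkerThreadProc      Processing Item: 316170c4-97ec-4dbc-9364-17b6832294f3, State: 10
2019-07-11 04:34:31.921 UTC      Info      WsusService.12      ContentSyncAgent.VerifyCRC      calculated sha2 sha256 hash is 52A3560EB5DB626E0CF52894CBB41D09B360C0310FF9692DE867FB2F2F3C7DFA
2019-07-11 04:34:31.936 UTC      Info      WsusService.12      CabUtilities.CheckCertificateSignature      File cert verification failed for c:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf with 2148098064
2019-07-11 04:34:31.983 UTC      Warning      WsusService.12      ContentSyncAgent.WakeUpWorkerThreadProc      Invalid file deleted: c:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf
2019-07-11 04:34:32.100 UTC      Info      WsusService.12      ContentSyncAgent.WakeUpWorkerThreadProc      Processing Item: 00000000-0000-0000-0000-000000000000, State: 10
2019-07-11 04:34:32.500 UTC      Info      WsusService.12      ContentSyncAgent.VerifyCRC      calculated sha2 sha256 hash is 0000000000000000000000000000000000000000000000000000000000000000
"""


def describe_hresult(code):
    """Split a decimal status from the log into the standard HRESULT fields."""
    code &= 0xFFFFFFFF
    return {
        "hex": f"0x{code:08X}",
        "failure": bool(code >> 31),       # severity bit
        "facility": (code >> 16) & 0x7FF,  # 11-bit facility field
        "name": KNOWN_HRESULTS.get(code, "unknown"),
    }


def content_path_consistent(path):
    """True if the file name is a 40-digit SHA-1 and the folder equals its last
    two hex digits, as in both WsusContent paths quoted in the article."""
    stem = ntpath.splitext(ntpath.basename(path))[0]
    folder = ntpath.basename(ntpath.dirname(path))
    is_sha1 = re.fullmatch(r"[0-9A-Fa-f]{40}", stem) is not None
    return is_sha1 and stem[-2:].upper() == folder.upper()


def find_cert_failures(log_text):
    """Return one record per file whose signature check failed."""
    failures, sha256 = {}, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, elision markers, wrapped fragments
        msg = m["msg"]
        if msg.startswith("Processing Item:"):
            sha256 = None  # a new work item starts, forget the previous hash
        elif (h := SHA256_RE.search(msg)):
            sha256 = h[1].upper()
        elif (f := FAIL_RE.search(msg)):
            path = f[1]
            failures[path.lower()] = {
                "time": m["ts"],
                "path": path,
                "sha256": sha256,  # hash WSUS computed before the check
                "hresult": describe_hresult(int(f[2])),
                "path_consistent": content_path_consistent(path),
                "deleted": False,
            }
        elif (d := DELETED_RE.search(msg)):
            record = failures.get(d[1].lower())
            if record:
                record["deleted"] = True  # WSUS discarded the download
    return list(failures.values())


if __name__ == "__main__":
    for rec in find_cert_failures(SAMPLE_LOG):
        hr = rec["hresult"]
        print(rec["time"], ntpath.basename(rec["path"]))
        print("  status :", hr["hex"], hr["name"], "facility", hr["facility"])
        print("  sha256 :", rec["sha256"])
        print("  path ok:", rec["path_consistent"], "| deleted:", rec["deleted"])
```

The SHA-256 reported in the record can be compared against the tbFileHash value mentioned above to separate a corrupted download from a failure in the signature check itself.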

Windows 10 V1903: Upgrade blocker Intel RST & MIT Kerberos


Systems that have certain versions of the Intel® Rapid Storage Technology (Intel® RST) drivers installed cannot be updated to the Windows 10 May 2019 Update. Microsoft has set an upgrade blockade. And for machines in a domain, there are boot issues with MIT Kerberos when installing the May update (KB4497935).

When upgrading a Windows 10 system to the new version 1903 (May 2019 update) or after upgrading, there may be several issues. Microsoft will then set an upgrade stopper for known issues. I had already reported about such issues in a series of articles (see Windows 10 V1903: Known Issues – Part 1). Similar to Windows 10 V1809, Microsoft has published a list of Known Issues for the Windows 10 May 2019 Update (Version 1903). This list is available here.

Windows 10 V1903 Known Issues

Issues with Intel® RST drivers

Microsoft and Intel have discovered compatibility issues with certain versions of the Intel® Rapid Storage Technology (Intel® RST) drivers in conjunction with the Windows 10 May 2019 update. I became aware of the issue via tweet and this article. If the device to be updated has an Intel® RST driver version between 15.1.0.1002 and 15.5.2.1053 installed, it cannot install the May 2019 update. Microsoft points this out in KB article 4514156.

Intel Rapid Storage Technology (Intel RST) Compatibility Hold
(Source: Microsoft)

The upgrade wizard then displays the above message and the update is terminated. Microsoft has therefore set an upgrade blockade for such systems. The issue can be easily solved, because the driver versions 15.5.2.1054 or higher are compatible. For affected devices it is recommended to install Intel RST version 15.9.6.6.1044. A device on which these drivers are installed can install the Windows 10 May 2019 update after the next reboot.

Boot issues: Domain systems with MIT Kerberos realms

A second issue affects Windows 10 systems with the May 2019 update (version 1903) that are embedded in a domain. Devices that are connected to a domain that is configured to use MIT Kerberos realms will not boot after KB4497935 is installed or will get into a reboot loop. This affects both domain controllers and domain members. Microsoft specifies the following platforms:

  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016

Microsoft currently recommends that you do not install the KB4497935 update. This document also describes how to check if you are affected.

Similar articles
Windows 10 May 2019 Update released
Windows 10 N: Media Feature Pack for Version 1903 released
Windows 10 V1803 threatens a forced update as of July 2019
Windows 10 V1903: Known Issues – Part 1
Windows 10 V1903: Known Issues – Part 2

Windows and the effectiveness of 0-day exploits


How critical are unpatched vulnerabilities (0-day exploits) in their impact on the latest version of Windows? I’ve been able to get an interesting piece of information that indicates the trend since 2015.

The following overview is by Microsoft employee Matt Miller, who works in the Microsoft security team. He posted the following on Twitter.

Only about 40% of the 0-day exploits can work in the current version of Windows, since 66% of the vulnerabilities have already been considered. With Windows 10 this always refers to the last build like e.g. version 1903. Well, statistics are not very helpful when you actually have a problem.

Windows 10 Insider Preview Build 18945 (20H1) released


Microsoft has released Windows 10 Insider Preview Build 18945 (from development branch 20H1) for Windows Insider in Fast Ring. The announcement with details about new features/changes and bugs can be found in the Windows Blog.

Windows 10 V1903: Updates KB4505903 / KB4508433


After extensive testing with insiders and an unintended release on June 25, 2019, Microsoft finally released the two updates KB4505903 (CU) and KB4508433 (SSU) for Windows 10 Version 1903 on June 26, 2019. I have added the necessary additions to the blog post Windows 10 V1903 Update KB4505903 (07/26/2019).


Microsoft Security Advisory Notification (07/24/2019)


Microsoft has released a security advisory notification effective July 24, 2019. Microsoft has probably updated several Servicing Stack Updates (SSUs) for Windows 10. The latest SSUs can be found on the website ADV990001.

Windows 10: Workaround for jumping explorer view


A short note about workarounds for the strange behavior of the Explorer under Windows 10. The folder view suddenly jumps to the first folder. I have seen this issue mentioned since Windows 10 RTM. There is a workaround.

The Problem: Folder View Jumps

The problem occurs on Windows 10 when a user navigates between folders in Explorer. The user scrolls down a folder branch to see the bottom contents. Suddenly, the Explorer scroll bar automatically jumps or scrolls up and the top of the folder appears.

This is not only confusing and annoying, but also means that renaming or similar operations require constant re-navigation. What is particularly stupid is that this uncontrollable scroll problem occurs randomly in Windows 10. Sometimes it takes 5-10 minutes and sometimes only seconds.

The behavior can be found in all Windows 10 versions – I remembered having seen it in forums like this as early as 2015.

Win10 – File Explorer “jumps” to top of folder

I’ve been using Windows 10 for a couple days now, and this is something that’s been continuously occurring since the upgrade and is fairly annoying.

In File Explorer, if the folder I’m in contains enough files that there’s a scroll bar, it won’t let me stay scrolled down. The folder view will “jump” back to the first files in the folder after a few seconds. This occurs no matter how far down in the folder I am. I tried changing the View option to see if setting it to a horizontally-scrolling view would stop it from moving, but it still pops back to the beginning of the folder. In order to ensure it’s not me accidentally scrolling with my laptop’s touchpad, I have scrolled down and then completely taken my hands away from the computer, and it still moves back up after a few seconds. The movement isn’t slow, as if it was scrolled back up, but occurs immediately.

Any way to determine why it’s happening or what I can do to stop it?

Somebody posted an answer: the culprit is the automatic accent color for your background. The advice was to switch off the automatic pick of the accent color.

Accent color option
(Source: Microsoft)

I had already come across the bug several times, but I hadn’t mentioned it here in the blog. Through a tweet by @PhantomofMobile pointing to Vishal Gupta’s tweet, I became aware of it again. Gupta took up the topic on askvg.com.

[Fix] File Explorer Automatically Scrolls / Jumps to Top of Folder in #Windows10 :https://t.co/cAShkIRYHw

— Vishal Gupta (@VishalGuptaMVP) July 23, 2019

Gupta mentioned that, besides the automatic accent colors, it can also be due to the slideshow for background images that are displayed on the desktop. The linked article contains hints for a workaround.

@PhantomofMobile informed me by e-mail that the fix outlined above also solved further issues with Windows 10:

Shuttering
Stuttering
Jitter
windows flashing
scroll bar flickering and refreshing as well as jittering. In FeedBack Hub as well. So far I have not noticed lagginess or sluggish response.

I can now open “Categories & sub” in FeedBack Hub as well. So far the Realtek audio and Intel graphics Drivers issues still persist, though
I AM STILL running my huge slideshow changing about every 10 secs. I put the Background color to Black. It is better under the Pictures anyway

Nvidia Hotfix Driver 431.68 for Mouse bug


The manufacturer has released a hotfix for its Nvidia 431.60 WHQL Game Ready driver. The hotfix is supposed to correct a mouse pointer bug in a game.

I didn’t report it, but a few days ago Nvidia released the 431.60 WHQL Game Ready driver (neowin.net reported here). Now a hotfix had to be added. According to the release notes for this hotfix, it fixes a bug in the old driver. This caused the “mouse pointer to be displayed incorrectly after leaving a game”. The error only seems to have affected Windows 10 devices.

The driver update is offered in two variants: the Windows 10 64-bit standard driver and the Windows 10 64-bit DCH variant. Furthermore, the hotfix, which is based on last week’s 431.60 drivers, is optimized for Wolfenstein: Youngblood, Wolfenstein: Cyberpilot, Madden NFL 20, and the first DLC for Metro Exodus. The Madden game also has an updated SLI profile. These drivers also supported three new G-SYNC compatible monitors from HP and AOC – neowin.net has described these details here. The GeForce Hotfix Driver Version 431.68 can be downloaded here. (via)

Windows Vista: No more unofficial updates due to SHA2


A brief note for people who still use Windows Vista. Since July 2019 the unofficial approach of installing Windows Server 2008 SP2 updates seems to simply not work anymore. But there is a solution.

Windows Vista End of Support, but …

In April 2017 the extended support for Windows Vista expired – I had reported about it in the blog article Windows Vista reached End of Live (April 11, 2017). Microsoft no longer distributes security updates for this operating system.

But the code base used for Windows Vista and Windows Server 2008 is the same. This allows updates for Windows Server 2008 to be downloaded manually from the Microsoft Update Catalog and installed manually under Windows Vista.

SHA-2-Issue: Unofficial patches no longer installable

Blog reader Gero H., who still runs a system with Windows Vista, had posted some lists of unofficial updates here in the blogs. Now Gero has informed me by mail about the following.

There was the possibility to download Server 2008 SP2 updates and install them under Vista. Unfortunately this doesn’t work anymore after July 2019 Patchday.

The 2019-07 – Security Quality Update for Windows Server 2008 (KB4507461) and Rollups
2019-07 – Monthly Security Quality Rollup for Windows Server 2008 (KB4507452)
2019-07 Update for Windows Server 2008 (KB4507704)

cannot be installed under my test VM (Vista SP2 x64 Ultimate, update June 2019).

Only the 2019-07 Cumulative Security Update for Internet Explorer 9 for Windows Server 2008 (KB4507434) can be installed.

It does not matter if the update script of os.ingenserverhost.de is used or not. Possibly it could be that after about 2 years Microsoft has now installed another algorithm that recognizes whether it is actually a Server 2008 SP2 system or a Vista.

I have changed the registry in the WindowsNT CurrentVersion key to a server 2008 SP2 datacenter. Furthermore the updates are not installed.

Update not installed

Much more likely it is that Windows Vista has not strapped the support for SHA2. So I downloaded the respective SHA2 support updates for Server 2008 SP2 and tried to install them. The update is rejected with the message “The update does not apply to your system”.

Wrong update package

Windows Vista is now completely unofficially out of support since June 2019. Only Internet Explorer 9 can still be updated (.NET Framework not tested).

Gero sent me some links to his server, where the old updates can still be downloaded. Since this is legally tricky and the support has now come to an end, I am omitting the links. Thanks to Gero for the hint.

But there is another solution

Gero H. contacted me a 2nd time and outlined a solution to the problem. I add this as a supplement.

I now have a solution to the problem that Windows Vista will no longer install updates from July 2019 due to the lack of SHA2 support.

If you search the net for updates for Server 2008 SP2 you can find this article at Microsoft. There you are referred to the KB4039648, which should guarantee the SHA2 support. Now this update cannot be installed.

However, there is another list which also addresses systems like Windows 7 or Server 2008 R2. There is a SSU update KB4493730 stated “that introduce SHA-2 code sign support for the servicing stack (SSU) was released as a security update.” If you install this update, it is possible to install the July 2019 updates. No matter if Security Only or Rollups. That means the SHA2 support is given.

There are two more updates for Server 2008 SP2, this is KB4474419 in v1 and v2. KB4474419 describes “re-released to add missing MSI SHA-2 code sign support”. My test system (Vista x64 Ultimate VM) does not need this and rejects it with “does not apply to your system”. It doesn’t matter if v1 or v2 is tried.

So it could happen, if a future update requires parts of the MSI SHA2 code, that it is still not installable, because the update KB4474419 is rejected.

So for now Windows Vista is upgradeable for SHA-2 support, wondering for how long?

Windows Insider Webcast on August 1, 2019


A brief note for Windows Insiders who are still staring enthusiastically at the upcoming development. Microsoft is planning a new webcast for August 2019.

I just saw the announcement on Twitter for August 1, 2019. This webcast will be broadcast via Microsoft’s Mixer channel.

Caution when updating to ESXi 6.5 Update 3 HPE Custom


Brief note for users of HPE servers running VMware ESXi 6.5 Update 3 with a custom image. I just came across a problem report that there are problems with the custom image.

ESXi 6.5 Update 3 HPE Custom

VMware ESXi is a bare-metal hypervisor, i.e. a minimal operating system that can be installed directly on your physical server. Then virtual machines can be installed on the server.

For HP servers (ProLiant), customized VMware ESXi-ISO files are offered for installation. These include all necessary drivers and management software to run ESXi on HPE servers. In addition, according to this HP announcement, this customized installation should work seamlessly with Intelligent Provisioning.

Warning, there are issues

It is currently only a single voice – I did not find any further hits during a short search. On administrator.de you can find this German article where a user describes his experiences.

I had an unpleasant encounter with the ESXI 6.5 Update 3 HPE Custom.

A clean install on two differently configured ML350 Gen10 will cause the management interface to stop responding about 2 minutes after boot-up. Neither via the WebUI, nor via the console via F2 (also not via Alt F1). You can only shut down or restart the server via F12.

Firmware is always “up-to-date” at the level of HP SPP 2019.03 (2019.06 has not yet been released). On 6.5 U2 HPE Custom the servers run normally.

Within my German blog post, other users also confirmed issues with ESXi 6.5 on HPE hardware. Anyone else who works with this constellation and has had similar experiences?

Similar articles:
VMware ESXi: Hosts crash during VM shutdown with PCI passthrough

New in Windows Defender and MS Security Essentials (July 31, 2019)


Today a brief overview of what happened at Microsoft at the end of July 2019 with regard to Windows Defender and Microsoft Security Essentials as well as Advanced Threat Protection (ATP). Microsoft released, for instance, a “Security Intelligence – Update for Microsoft Security Essentials”.

Background

I became aware of the topic through this user comment by German blog reader Hans Thölen. He wrote:

Addendum to Microsoft Security Essentials:
Every morning and every evening I use Windows Update to look for updates for the MSE. So far I always got “Definition update for Microsoft Security Essentials”. Today I got the following update for the first time : “Security Intelligence – Update for Microsoft Security Essentials”.

Also blog reader Father confirmed this information within this comment here in the blog:

I also noticed it.
I get new updates displayed here https://www.microsoft.com/en-us/wdsi/definitions.

This user comment encouraged me to look into the subject and search the Internet to see what new material Microsoft has published.

Security Intelligence–Update for MS Security Essentials

When I checked Windows Update in Windows 7 for new pending updates, I was offered a new update, “Security Intelligence – Update for Microsoft Security Essentials”.

Update for Microsoft Security Essentials

The link More information in the Windows Update dialog box opens the site Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware in Internet Explorer. There you will learn that Microsoft continuously updates the security information in anti-malware products. The goal is to cover the latest threats, constantly optimize the detection logic, and improve the ability of Windows Defender Antivirus and other Microsoft antimalware solutions to accurately identify threats.

This security intelligence works directly with cloud-based protection to deliver fast and powerful next-generation AI-based protection. Microsoft Security Intelligence updates include software that includes third-party material. Information can be found under Notices and Third Party Information.

The Update from July 31, 2019

The website contains the information that a Security Intelligence Update version 1.299.891.0 was released on July 31, 2019. The update is to be installed automatically and can be downloaded there for the various platforms, from Microsoft Security Essentials (Windows 7) to Windows Defender (Windows 8.1, Windows 10) to System Center 2012 Configuration Manager and Microsoft Forefront Protection & Co. The website also tells you how to trigger updates manually using commands from the command prompt.

Updates of the Network Inspection System (NIS)

On the website you can find out that the following products use updates of the Network Inspection System (NIS): 

  • Microsoft Security Essentials
  • Forefront Endpoint Protection
  • System Center 2012 Endpoint Protection

These updates are designed to protect systems from network threats. This also applies to exploits that are supposed to take effect on the network during transmission. Microsoft recommends that you check the version of the Antimalware Client component on your security software and download the correct version of the NIS updates for the platform you are using.

What changes with Update Version 1.299.891.0?

Microsoft now maintains the Change logs for security intelligence update page, which currently refers to the changes in Version 1.299.891.0.

Change Logs for Security Intelligence Updates

On the page you can select the update version via the list box and see what new malware attacks are detected. Two Trojans have been included in the detection. In the ‘Severity’ column, the severity of the threat is listed. In the last update, no Threat Detections were added.

However, if you select older updates, you will find entries for detecting potentially unwanted applications/software (PUA) or Trojans. The Trojan Winnti, the ransomware Ryuk and the exploit Exploit:O97M/CVE-2017-11882 for exploiting the vulnerability CVE-2017-11882 in the old Office Formula Editor (see Hacker are misusing CVE-2017-11882 in Office EQNEDT32.EXE) are detected by update version 1.299.843.0 of July 30, 2019.

Meanwhile, Microsoft also maintains the blog on Microsoft security intelligence, where you can always find the latest articles on security issues. On 29 July 2019, for example, there was this article which deals with the further development of the functions of Microsoft Threat Protection.

In addition, there is the Microsoft Security Scanner on this page, a scan tool that was developed to detect and remove malware from Windows computers. The tool can be downloaded and run. Then it is scanned to find malware, so that if it hits you can try to eliminate the infection or reinstall the system to eliminate it. On this page you will find hints on how to use the tool.


Windows 10 Insider Preview Build 18950 (20H1) released


Microsoft has released Windows 10 Insider Preview Build 18950 (from development branch 20H1) for Windows Insider in Fast Ring. This version had been leaked recently. The announcement with details about new features/changes and bugs can be found in the Windows Blog.

Windows 10 V1903 Update KB4505903 fills disk with event log


[German]Does cumulative update KB4505903, released July 26, 2019, for Windows 10 V1903 fill the system disk with useless event entries? I received a message from a blog reader that indicates this behavior. We have now been able to identify MicrosoftOfficeHub as the root cause.

Update KB4505903 for Windows 10 V1903

Cumulative Update KB4505903 is available for Windows Version 1903 and Windows Server Version 1903. The patch was released on July 26, 2019 after extensive tests with Windows insiders and various improvements by Microsoft and increases the build number to 18362.267. The update contains quality improvements, but no new operating system functions. I had reported about details in the blog post Windows 10 V1903 Update KB4505903 (07/26/2019).

Hard disk filled with thousands of evtx files

I have not yet installed the update on my test systems because it has some known issues. German blog reader Olaf E. e-mailed me at the weekend and reported an observation, which I am simply posting here.

Windows 10 with new cumulative update kb4505903, which by the way installed twice, now up to date.

Afterward I actually only checked different hardware drivers (because AMD, SATA and memory controller etc. for updates) in the hardware manager, when I noticed that there is no more space on my 150 GB system drive.

Hard disk full of evtx files

OK, I deleted all files in temp folder. After updating the hardware, I restarted the system as a precaution. After restart I have had a look into C:\Windows\Temp and xyz-event-files will be created again; probably until hard disk is full.

Hard disk full of evtx files

I certainly didn’t catch a virus (yet) (:-), because I hardly installed anything, but only prepared it -> I wanted to have a VHDX template for trying it out in Hyper-V or under Linux in VM…. But with this “Error”…

If you search the Internet, you will come across this older case, for example, which describes something similar. Short question to the Windows 10 V1903 users who have already installed the cumulative update KB4505903: Can this be confirmed? If so, is there a workaround?

Addendum: The root cause has been identified

Blog reader Olaf E. sent me two more e-mails with new information after I had posted the problem here in the blog. Here is the first e-mail.

Thanks, the hard disk, even my 110 GB (volume c), was incredibly full. The del /F/Q/S *.* command couldn’t even delete so fast. I also thought at first, of a remote hack. But the files will also be 11 MB in size.

Therefore first I pulled the LAN cable. Inserted in RunOnce the command del /F/S/Q *.* and restarted. The disk still becomes full with events.

Found a workaround (switch off AppStore): deactivate AppXSvc on StartType four or via GPO Store. Restart and clean the temp folder, which then remains empty! Unfortunately, the start menu and taskbar were then inoperable! So I activated AppXSvc again

Steps for app repair executed as described at deskmodder.de – but before that cleaned the folder:

USERPROFILE\AppData\Local\Packages…

I deleted everything, because it will be created again. Then I restarted Windows. The issue wasn’t that strange anymore.  Now ‘only’ an uncountable number of AppXError-GUID-*.txt (1 kB) files are created – but which App/s are responsible?

Turning off the app store was also a workaround in one of the above linked posts. In a second mail Olaf E. revealed the cause:

Now it is ONLY the MicrosoftOfficeHub*number* with ErrorCode: 80073CF6 resp. 800700B7 with Component Deployment Operation: 4294967293

And only these; every second and in thousands and thousands of *.txt-files. But I can search for them well. Thanks to all ;-)

I already discussed MicrosoftOfficeHub as a troublemaker in my blog post Windows 10: News about System restore error 0x80070091. At that time the file permissions were broken. The above-mentioned error code 0x80073CF6 stands for ERROR_INSTALL_REGISTRATION_FAILURE. The MicrosoftOfficeHub app can probably not be registered during installation.
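A triage sketch for the situation described above, added here as an example and not taken from the blog or the reader's e-mails: it groups the files in a folder into name families (GUIDs and numbers collapsed) and reports count, size and files per second, so a flood such as the AppXError-GUID-*.txt files stands out. The sample file names, sizes and timestamps are constructed; point `summarize()` at the real temp folder to use it.

```python
import os
import re
import tempfile
from collections import defaultdict

GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
DIGITS = re.compile(r"\d+")

def family(name):
    """Collapse GUIDs and digit runs so mass-generated names share one key."""
    return DIGITS.sub("#", GUID.sub("<GUID>", name))

def summarize(folder):
    """Return (family, count, bytes, files_per_second) rows, most files first.
    The rate is derived from modification times; 0.0 if they are all equal."""
    groups = defaultdict(lambda: [0, 0, []])
    files = [e for e in os.scandir(folder) if e.is_file(follow_symlinks=False)]
    for entry in files:
        st = entry.stat(follow_symlinks=False)
        g = groups[family(entry.name)]
        g[0] += 1
        g[1] += st.st_size
        g[2].append(st.st_mtime)
    rows = []
    for key, (count, size, times) in groups.items():
        span = max(times) - min(times)
        rate = (count - 1) / span if span > 0 else 0.0
        rows.append((key, count, size, rate))
    return sorted(rows, key=lambda r: (-r[1], -r[2]))

def _write(folder, name, size, mtime):
    path = os.path.join(folder, name)
    with open(path, "wb") as fh:
        fh.write(b"\0" * size)
    os.utime(path, (mtime, mtime))

def build_sample(folder):
    """Constructed sample data: names, sizes and timestamps are made up."""
    base = 1_564_000_000
    for i in range(120):  # one 1 kB file per second, as in the report
        name = f"AppXError-{i:08x}-aaaa-bbbb-cccc-{i:012x}-{i}.txt"
        _write(folder, name, 1024, base + i)
    for i in range(3):    # unrelated files that form their own family
        _write(folder, f"setup{i}.log", 10, base)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for key, count, size, rate in summarize(tmp):
            print(f"{count:6d} files {size:10d} bytes {rate:6.2f}/s  {key}")
```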

Similar articles:
Windows 10 V1903 Update KB4505903 (07/26/2019)
Windows 10 V1903 Update KB4505903 (for Insider, 07/23/2019)
Windows 10: News about System restore error 0x80070091

McAfee Endpoint Protection blocks July 2019 Updates


McAfee Endpoint Protection has rolled out new rules for protection against BlueKeep. As a side effect, Windows Update is being blocked, so July 2019 updates are not coming.

Users of the security solution McAfee Endpoint Protection have their problems with Windows 10. Over the past months I have posted several warnings in this blog about McAfee problems with Windows Update.

The above tweet by security researcher Kevin Beaumont now addresses another issue. In McAfee Endpoint Protection, the developers have introduced a rule called RDP. It might have something to do with the BlueKeep vulnerability. It only blocks the July 2019 updates. This user confirms that he received the July 2019 updates only after uninstalling the McAfee security solution. Have any of you noticed that?

Similar articles
McAfee Endpoint Security blocks Windows login
Windows Updates: Issues with McAfee and Sophos AV SW

Windows 10: Compatibility Update KB4023057 (08/01/2019)


[German]As of August 1, 2019, Microsoft has released a new version of the reliability update KB4023057 for Windows 10, version 1507 to version 1803. Here are a few details.

Update KB4023057 is well known

Update KB4023057, titled ‘Update to Windows 10, versions 1507, 1511, 1607, 1703, 1709 and 1803 for update reliability’, is cyclically re-released by Microsoft. It is available for Windows 10 V1507 (RTM version) up to version 1803 (but not for version 1809 and later). Microsoft writes in the support article that this update brings improvements in the reliability of the Windows Update service.

This update includes reliability improvements to Windows Update Service components in Windows 10, versions 1507, 1511, 1607, 1703, 1709, and 1803. It may also take steps to free up disk space on your device if you do not have enough disk space to install Windows updates.

This update includes files and resources that address issues that affect the update processes in Windows 10 that may prevent important Windows updates from being installed. These improvements help make sure that updates are installed seamlessly on your device, and they help improve the reliability and security of devices that are running Windows 10.

This is in fact the same text as for the previous releases. So Microsoft leaves its users pretty much in the dark as to what exactly is to be improved in detail. What has changed: The update is now available in Microsoft Update Catalog.

What you should know about the update

It should be noted that Microsoft does not distribute this update in corporate environments. What I also find strange are the Windows 10 versions 1507, 1511, 1607, 1703, 1709 and 1803 that Microsoft names in the blog post as the versions this update applies to, because Windows 10 versions 1507 through 1703 only get updates in the Enterprise versions (see my blog post Patchday Windows 10 Updates (May 14, 2019)). So it might be an attempt to upgrade these old systems to Windows 10 Version 1903.

The update deeply interferes with the existing Windows 10 installation, cleans user-set update blockers, creates free disk space on the system drive if necessary, resets the network connection and more. More details about this cyclically released update can be found in the article Windows 10: Update KB4023057 re-released (02/14/2019). Another special feature is that this update is installed as an app and may cause installation errors (see my older blog post Windows 10: Update KB4023057 re-released (01/16/2019)).

Similar articles:
Windows 10: Update KB4023057 released (Dec. 7, 2018)
Windows 10 reliability update KB4023057 (02/08/2018)
Windows 10: Update KB4023057 re-released
Windows 10 Updates KB4295110/KB4023057 (08/09/2018)
Windows 10: Update KB4023057
Windows 10: What is REMSH.exe for?
Windows 10: Update KB4023057 released (Sept. 6, 2018)
Windows 10: What are Rempl.exe, Remsh.exe, WaaSMedic.exe?
Windows 10: Update KB4023057 re-released (01/16/2019)

Windows 10 V1903: CPU utilization too high


German blog reader Andi O. performed a feature update to Windows 10 version 1903 on his machine. He then noticed that the CPU usage after the upgrade was too high.

The blog reader informed me about his experiences with Windows 10 V1903 by e-mail at the beginning of July 2019 (thanks for that). Here is an outline of his description.

Hello Mr. Born
As you can see from my last e-mail, I made a function upgrade to the 1903. Here is my experience:

I had to go back to the previous version of Windows 10 using Start -> Settings -> Update and Security –> Restore

So the system was back to the Windows 10 version 1809. For my hardware, HP Pavilion 550-141ng, the idle CPU load of the 1903 was too high.

CPU utilization Windows 10 V1903

With Windows 10 version 1809 it was then normal again in idle mode.
See screenshot

CPU utilization Windows 10 V1809

With “too high” I was referring to speed (GHz), not usage (%). As you can see on the screenshot “Utilization 1903”, the 3.93 GHz was almost 15.25% faster than my base speed. And that in idle. The CPU gets too hot there.

Do you have similar experiences regarding the CPU load?
