  • Must read: The connection between GWX’s 3035583 and 2952664

    Posted on March 18th, 2016 at 09:15 woody Comment on the AskWoody Lounge

    Excellent detective work by Andrew Orlowski at The Register.



    This topic contains 21 replies, has 4 voices, and was last updated by louis 2 years, 1 month ago.

    • #45851 Reply

      woody
      Da Boss

      Excellent detective work by Andrew Orlowski at The Register.
      [See the full post at: Must read: The connection between GWX’s 3035583 and 2952664]

    • #45852 Reply

      louis

      Wow….”How Microsoft copied malware techniques…”

      What more need be said?

    • #45853 Reply

      woody
      Da Boss

      Yep. That’s stating the obvious, to a first approximation anyway, far as I’m concerned.

      What wasn’t obvious (at least to me) is the complicity of KB 2952664.

      BTW, the discussion between Mary Jo, Paul and Leo in this week’s Windows Weekly is absolutely right-on.

    • #45854 Reply

      Eric

      Right on in what way?

      To me it sounded like they were advocating the position that user error was responsible for unintended Win 10 installations.

    • #45855 Reply

      woody
      Da Boss

      They talked about the interaction between the two KBs – and gave a long list of changes….

      (Don’t think they said user error was responsible… I’ll have to go back and read it.)

    • #45856 Reply

      Byron

      I’ve been using the term “GWX Virus” for a while. Nice to see an article explaining what this menace does. Now I’m hoping that Mr. Orlowski will do some research into the Cortana Virus.

    • #45857 Reply

      byteme
      AskWoody Lounger

      I think Eric was referring to the Windows Weekly discussion, and I also got the impression from that that Paul and Mary Jo thought it was at least *possible* that it was mostly (if not entirely) a “user error” thing, albeit against a background where MSFT was setting things up to make those kinds of “errors” easy to inadvertently make.

    • #45858 Reply

      Robert Wilson

      I’ve said here before that Microsoft has become the single greatest threat to the security and integrity of my Windows 7 systems. It’s my opinion that Orlowski’s work tends to support my position.

    • #45859 Reply

      woody
      Da Boss

      Ah, now that is true. In the end, I think Paul and Mary Jo (and Leo!) decided that it’s just, simply, impossible to tell if somebody clicked something – even three or six months ago. If I hadn’t seen it myself, I wouldn’t have believed it. And it’s important to remember that Win10 did NOT install on my VM. It failed to install (although I did nothing to bring it on).

    • #45860 Reply

      T

      Wow just… wow. I’ve been using the phrase ‘malware distributor’ to describe Microsoft for a while now and I’m not entirely sure I’m happy to get confirmation. I had to use PowerShell commands to strip out the various instances of package_2952664. I’m sure it’s still lurking in the registry though.

      The Windows Weekly cast was also extremely interesting to watch – their initial scepticism turning to outright horror over what Microsoft have been up to. They weren’t very clued up on Josh Mayfield’s GWX Control Panel though, not realising that it does a lot more than what they thought it did. Speaking of… Josh deserves some sort of humanitarian award for making that, or at least lots of free beers, please buy him lots of beers when you see him.

    • #45861 Reply

      Eric

      That’s correct…it was the video presentation that left that impression. Makes me wonder if they hang out at sevenforums…

    • #45862 Reply

      Frank

      Frankly, I must admit I was not very surprised by the article in the “Register” as I felt GWX was behaving very much like malware. If it walks like a duck; it’s a duck! I really feel disappointed at MS resorting to tactics like these even if they can get away with it. Just because you think you can get away with doing something does not make doing it right. There has to be some moral center of gravity to guide one’s behavior. That said, I have been skeptical regarding the wisdom of installing the March IE11 cumulative security update (KB3139929) because of the possibility of opening up a “new vector” in the GWX assault games. I know you have recommended we hold our nose and install the update but does this new info change your opinion in any way. The apparent new propensity of MS to abuse security updates with potential nagware additions is very troubling in my opinion.

    • #45863 Reply

      woody
      Da Boss

      I’ve never met Josh face-to-face. (I’m something of a recluse.) But I’m going back to his site and making another donation. No telling how much time he’s put into GWX Control Panel. It’s a tremendous product.

    • #45864 Reply

      T

      Or a donation! Of course. I shall do that promptly, thanks for the reminder.

    • #45865 Reply

      woody
      Da Boss

      He’s earned it.

    • #45866 Reply

      ch100
      AskWoody_MVP

      Excellent find Woody! I knew about the inter-relation between the 2 patches, as KB2952664 is a pre-requisite for the Windows 10 upgrade adware according to the official documentation, which I found generally accurate but difficult to understand in the finest detail, which may be this way on purpose. What I didn’t realise though was how a newer version of KB2952664 reinstalls KB3035583, although we fully understood here how KB2952664 changes every time to avoid being hidden/blocked by the user. KB3035583 does not change.
      I think the article over-reacts in recommending dangerous procedures for the deletion of the CBS registry keys, which is extremely dangerous and can mess up the whole Windows Update mechanism. I do registry changes all the time in a professional setting, many undocumented but time tested; however CBS is one of the areas where the end-user or system administrator should not interfere directly, but by using Microsoft’s APIs and commands like dism.exe, pkgmgr.exe, wusa.exe when the normal uninstallation procedures from Control Panel fail.
      I still think Josh’s approach for blocking GWX is the correct one, making it easy for everyone to implement fully supported and documented functionality.

    • #45867 Reply

      ch100
      AskWoody_MVP

      (GWX Control Panel) ‘It’s a tremendous product.’
      Guaranteed it is. Next move, Microsoft acquires it for an undisclosed amount and discontinues it 🙂

    • #45868 Reply

      woody
      Da Boss

      I’m not recommending that people zap their registry keys. But it is an interesting observation….

    • #45869 Reply

      ch100
      AskWoody_MVP

      It is not you Woody, it is The Register.

    • #45870 Reply

      ch100
      AskWoody_MVP

      This is what The Register says:
      Unless the user gets rid of ALL of the “Get Windows 10” system updates and its helpers, the GWX popup will persist. These are:

      KB2952664
      KB3035583
      C:\Windows\System32\GWX
      C:\Windows\SoftwareDistribution\Download\*KB2952664*
      C:\Windows\SoftwareDistribution\Download\*KB3035583*
      ALL registry entries for KB2952664 and
      (optionally) KB3035583
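      An added example, not from the thread or from The Register: a PowerShell audit script that checks a Windows 7/8.1 machine for the GWX components in the list above (the two updates, the GWX folder, and cached packages in the Windows Update download directory) and, if asked to, removes the updates only through the supported wusa.exe path that ch100 recommends rather than by editing CBS registry keys. It assumes an elevated prompt; the `$Remove` switch and output wording are this example's own.

```powershell
# Added example (not the thread's or The Register's own code).
# Audits a Windows 7/8.1 box for the GWX pieces listed above and removes the two
# updates only via wusa.exe, the supported servicing path; CBS keys are not touched.
# Run from an elevated PowerShell prompt. Set $Remove = $true to actually uninstall.
$Remove = $false
$GwxKbs = @('KB2952664', 'KB3035583')

# 1. Installed updates (Get-HotFix wraps Win32_QuickFixEngineering).
$installed = Get-HotFix | Where-Object { $GwxKbs -contains $_.HotFixID }
foreach ($kb in $GwxKbs) {
    $hit = $installed | Where-Object { $_.HotFixID -eq $kb }
    if ($hit) { Write-Output ("{0,-10} INSTALLED on {1}" -f $kb, $hit.InstalledOn) }
    else      { Write-Output ("{0,-10} not installed" -f $kb) }
}

# 2. The GWX program folder itself.
$gwxDir = Join-Path $env:SystemRoot 'System32\GWX'
Write-Output ("GWX folder {0} present: {1}" -f $gwxDir, (Test-Path $gwxDir))

# 3. Cached installer packages in the Windows Update download directory.
$dl = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'
foreach ($kb in $GwxKbs) {
    $cached = Get-ChildItem -Path $dl -Recurse -Filter "*$kb*" -ErrorAction SilentlyContinue
    Write-Output ("{0,-10} cached package files: {1}" -f $kb, @($cached).Count)
}

# 4. Removal through wusa.exe (documented /uninstall /kb: switches), not the registry.
#    Windows decides whether a given update revision is removable; check the result.
if ($Remove) {
    foreach ($kb in $GwxKbs) {
        if ($installed.HotFixID -contains $kb) {
            $num = $kb -replace '^KB', ''
            Write-Output "Uninstalling $kb via wusa.exe"
            Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$num /quiet /norestart" -Wait
        }
    }
    Write-Output 'Hide both updates in Windows Update afterwards so they are not re-offered.'
}
```

      Because KB2952664 is re-released under the same number, re-run the audit after each Patch Tuesday; a fresh INSTALLED line means the update was offered again.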

    • #45871 Reply

      Michael

      I hope this whole disaster goes away when we hit July 30. After all, if people have to pay for it, and Microsoft still force-push it, there could be some lawsuits coming.

      (Sadly, I still think at that point Microsoft will just extend the free period for either another 12 months or will just make upgrades free forever and we’ll be stuck in this hell forever.)

    • #45872 Reply

      Allen

      I have had it with Microsoft. When my Vista is no longer supported early next year I am going to purchase an Apple Computer. I know I will need to reconfigure all my files to Apple’s format, but it will be worth it.
