News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Brinkmann, Horowitz: Are remnants of the despised “GWX” Get Windows 10 campaign still on your Win7 computer?

    Posted on January 15th, 2019 at 07:39 woody Comment on the AskWoody Lounge

    This is… disturbing.

    Yesterday, Michael Horowitz published a detailed rundown of GWX remnants still on a Win7 PC.

    … today, I took a glance at the Event Logs of a Windows 7 PC and found it was still trying to upgrade to Windows 10. I kid you not. The machine in question last had  bug fixes installed on December 3, 2018. In other words, it had all the November 2018 patches. The Event Log indicated the GWX (Get Windows 10) tasks were scheduled

    Ab-so-lute-ly mind boggling.

    This morning, Martin Brinkmann at ghacks.net provided additional background:

    What is puzzling about all this is that GWX should not be running anymore on the system. Microsoft ended the Get Windows 10 campaign in 2016 and there is no reason to keep scheduled tasks or files associated with it on the system.

    Is Microsoft preparing for another Get Windows 10 campaign? Is it a bug? Leftover files on a system that were never removed completely?

    It is unclear but it is probably a good idea to check the tasks and folders on Windows 7 or Windows 8.1 devices to make sure that these tasks and files don’t exist.

    Just when you thought it was safe to get back in the GWX cesspool….

    UPDATE: Günter Born has additional background.

    If that helped, take a second to support AskWoody on Patreon

    Home Forums Brinkmann, Horowitz: Are remnants of the despised “GWX” Gets Windows 10 campaign still on your Win7 computer?

    This topic contains 84 replies, has 27 voices, and was last updated by

     EP 3 months ago.

    • Author
      Posts
    • #311038 Reply

      woody
      Da Boss

      This is… disturbing. Yesterday, Michael Horowitz published a detailed rundown of GWX remnants still on a Win7 PC. … today, I took a glance at the
      [See the full post at: Brinkmann, Horowitz: Are remnants of the despised “GWX” Gets Windows 10 campaign still on your Win7 computer?]

      9 users thanked author for this post.
    • #311051 Reply

      Microfix
      Da Boss

      There were kb3184143 patches released by Microsoft to remove the triggers and accompanying cruft for Windows 7 and 8. Both available here:
      microsoft kb3184143 patches
      The amount of times I’ve seen $BT folder in the Windows directory in W7 PC’s..
      It’s more than likely care-free owners who just use their PC’s for whatever and don’t pay attention to Tech sites and AskWoody.

      | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x86 | XP Pro O/L
      6 users thanked author for this post.
      • #311210 Reply

        woody
        Da Boss

        Good point. I haven’t seen any independent reports of problems.

        Guess we’ll find out sooner or later….

        2 users thanked author for this post.
    • #311060 Reply

      anonymous

      Steve Gibson offers a util to check if win 10 upgrade is enabled on your pc

      https://www.grc.com/never10.htm

      9 users thanked author for this post.
    • #311073 Reply

      anonymous

      Guess thats one main reason i still have the GWX control panel still activated on my pc. No remnants in mine

      4 users thanked author for this post.
    • #311120 Reply

      WildBill
      AskWoody Plus

      Gunter Born doesn’t have a translation on his English German-language blog. He translates most, but not all, entries to there. Use Google Translate if you want to understand it; I don’t read German.
      MVP Edit: FTFY

      Windows 8.1, 64-bit, now in Group B!
      Wild Bill Rides Again...

      1 user thanked author for this post.
    • #311138 Reply

      Seff
      AskWoody Plus

      I’ve never uninstalled or disabled GWX Control Panel, and I have no intention of ever doing so. This article explains why!

      2 users thanked author for this post.
    • #311139 Reply

      Canadian Tech
      AskWoody_MVP

      Simple solution really. Set Windows Update to NEVER…. Disable Windows Update service Forget about Microsoft updates completely. They will create more hassle and reduce system reliability than the supposed security improvements are worth.

      Proof positive. My 130 client computers have not had an update in 20 months now and the result is smooth running, no problems what so ever. Oh, stop using IE and use Chrome instead, and remove Adobe Reader, Adobe Flash and Java.

      CT

      9 users thanked author for this post.
      • #311227 Reply

        Seff
        AskWoody Plus

        Good to hear that your systems are still running ok, CT. It’s an option that will become increasingly significant as we approach January 2020, and one I’m still considering depending on how Windows 10 performs between now and then.

      • #311237 Reply

        anonymous

        Same here. Win7 64 ‘home premium’. Just a home user/browser/few programs. Have followed Woody’s advice from the first appearance of KB2952664, but I stopped installing even the stand-alone security updates more than a year ago and still have smooth, fast, reliable operation. IE explorer disabled. Windows update disabled. Only adobe product is photoshop4. Malwarebytes free.  Oh yes, just like Bart & Milhouse, I always click on every flashing banner! Thanks Woody, & all who offer such useful advice…

      • #311303 Reply

        Klaas Vaak
        AskWoody Lounger

        @Canadian Tech: set Windows Update to NEVER is not possible for PC with the Home edition. For them the solution is not simple, it is absent.

        1x Linux Mint 19.1 | 1x Linux antiX

        • #311342 Reply

          Seff
          AskWoody Plus

          CT is not talking about Windows 10, which I assume you are. My Windows 7 x64 Home edition PCs are set to “Never check for updates” every month, until it’s stated here that it’s time to install the month’s updates. Windows 10 is the only version of Windows that precludes this.

          6 users thanked author for this post.
    • #311141 Reply

      anonymous

      I found the same on a Win7 Home Premium 64-bit laptop just two weeks ago.  Most updates had stalled some time previously because of corruptions to several system files, and the machine was rather neglected, though still working – slowly.

      After a thorough clean-up, removing several AV programs, 30 copies of one printer(!),  suspect applications and running AV, chkdsk and sfc scans, I started to apply the outstanding important Windows updates to be told it was updating to Windows 10!  Luckily I was able to hit cancel in double-quick time and then ran GWX_control_panel to neutralise it.  I also removed (via WUSA /uninstall) all 20 or so copies of KB2952664 ‘just in case’.   Panic over for now, but I needed to lie down there for a while!

      Tony H.
      Bristol, UK

      3 users thanked author for this post.
    • #311159 Reply

      anonymous

      Horowitz apparently has a machine that he was not paying much attention to. Do not know what ‘all’ November 2018 patches mean. He needs to be specific. We have multiple Win 7 machines, both x64 and x86, with no problems as Horowitz described at all. Seems like Horowitz missed a collection of M$ malware patches from the last 4 years or so.

      • #311302 Reply

        woody
        Da Boss

        It’s entirely possible – happens to the best of us. But those Monthly Rollups are supposed to be, uh, Rollups, aren’t they?

        Sorry. Rhetorical question. 🙂

      • #311334 Reply

        Michael432
        AskWoody_MVP

        This PC is the exception, not the rule. As for updates, on Dec 3, 2018 Windows Update was run and all available patches were installed. That said, the computer did go long stretches without any Windows patches. The previous run of Windows Update was Feb. 2018

        WindwsUpdateHistory

        Get up to speed on router security at RouterSecurity.org

        • This reply was modified 3 months ago by
           Michael432.
        Attachments:
        You must be logged in to view attached files.
        2 users thanked author for this post.
        • #311339 Reply

          Microfix
          Da Boss

          aha! you have kb2952664 installed which is an assistant for GWX, if I’m not mistaken.
          kb971033 is the activation patch which has been giving some devices problems also.

          | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x86 | XP Pro O/L
          • This reply was modified 3 months ago by
             Microfix.
        • #311589 Reply

          GoneToPlaid
          AskWoody Plus

          Hi Michael432,

          You will be wanting to use my CMD file to automatically remove all installed versions of KB3150513, KB2952664, KB2977759. For example, there could be dozens of versions if KB2952664 installed on your computer. You may optionally want to use my other CMD file which uninstalls other updates which installed telemetry.

          Here is a link to my AskWoody Dropbox folder:

          https://www.dropbox.com/sh/sonx6ep8xziig8j/AADeG486PARTPLqB54NWZhm5a

          The README.txt file contains notes about my CMD files and usage instructions.

          The CMD files to check for and to remove the three infamous telemetry updates, KB3150513, KB2952664 and KB2977759, is in the “WIN7 — KB3150513, KB2952664, KB2977759” folder.

          The “WIN7 — Additional telemetry” folder contains CMD files to check for and optionally remove other updates which installed telemetry.

          Best regards,

          –GTP

           

    • #311180 Reply

      Mr. Natural
      AskWoody Plus

      I see GWX folders and references on Windows 7 machines quite often. I didn’t think the service was running any more and appears to me to be left over remnants of the GWX age. There is also a hidden folder on the root of C: drives called “$GetCurrent” which is also left over from the GWX process.

      Red Ruffnsore reporting from the front lines.

    • #311181 Reply

      Klaas Vaak
      AskWoody Lounger

      Much ado about nothing. Judging from some of the comments here and on the Ghacks site, I get the strong impression Horowitz’s PC isn’t patched properly.

      1x Linux Mint 19.1 | 1x Linux antiX

      • #311189 Reply

        MrJimPhelps
        AskWoody_MVP

        Can you blame him if his PC isn’t up to date on patches? A lot of people are hesitant to allow automatic Windows updates because of the underhanded things Microsoft did to try to get people on Windows 10.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        3 users thanked author for this post.
        • #311232 Reply

          Klaas Vaak
          AskWoody Lounger

          @mrjimphelps: I am by no means a Windows or PC expert, and am part of the AskWoody group B i.e. choosy about which updates I install. I still managed to get rid of all the GWX c*** except for an empty GWX folder in System32.

          So, I am somewhat surprised that Horowitz, who is undoubtedly far more knowledgeable than me about Windows and all things PC, would not have been able to patch his own PC properly. But then, I guess everything is possible where MS is concerned.

          1x Linux Mint 19.1 | 1x Linux antiX

          • #311337 Reply

            Michael432
            AskWoody_MVP

            I would think this is a fluke, something went wrong with GWX removal way back when.

            Get up to speed on router security at RouterSecurity.org

            2 users thanked author for this post.
        • #311233 Reply

          anonymous

          Yes, we can blame him. If Horowitz proposes to speak with some kind of authority, then he needs to do his research before he posts articles of this kind. Behavior such as this does nothing positive for one’s reputation.

          1 user thanked author for this post.
          • #311304 Reply

            woody
            Da Boss

            Welllllllll… I wouldn’t cast that kind of aspersion.

            If Michael has installed the latest Win7 Monthly Rollup, he could reasonably expect that it covers pertinent previous patches — including, notably, the patches that obliterate GWX.

            5 users thanked author for this post.
            • #311318 Reply

              Klaas Vaak
              AskWoody Lounger

              @woody: I disagree. Horowitz is an expert, in any case more than many, and certainly more than the average Windows home user. With his report he has created an upheaval by giving the impression there is a good chance that GWX bug is still around on most computers. That is pertinently not the case, and where it is still present it is because (a) certain patch(es) has/have not been installed.

              So, Anonymous’s comment has nothing to do with “aspersion” but merely with an observation that causing such a storm in a tea cup is not what one may expect from someone like Horowitz. S’all.

              1x Linux Mint 19.1 | 1x Linux antiX

            • #311408 Reply

              Sessh
              AskWoody Lounger

              I don’t really read tech articles much for Windows stuff unless I am looking for something specific, but I know both Horowitz and Brinkmann are both referenced here quite often and I do not get the impression either one are anything less than power users who know their way around Windows.

              So, knowing that they are not amateurs, I must side with them and Woody on this one. If one installs a rollup of patches, you shouldn’t have to comb through the file system, task scheduler and whatever else to make sure they worked. That is absurd.

              If something in those patches was supposed to remove GWX and, upon installing said patches, GWX was not removed, that means two things; 1. the patch failed to do it’s job and 2. it is reasonable to assume that if this happened once, it has also happened to others. How many others is anyone’s best guess, but I do not think it is wrong to report it as was done here nor does it, in any way, damage whatever credibility these two tech writers have accrued.

              I have not patched since June of 2017 and I will remove June’s patch eventually to roll back to May of 2017 and stay there. There is nothing GWX anywhere on my system.

              • This reply was modified 3 months ago by
                 Sessh.
              2 users thanked author for this post.
            • #311835 Reply

              Klaas Vaak
              AskWoody Lounger

              @sessh: the fact that Horowitz is (or may be) a power user does not mean by definition that everything he does or writes is perfect. As far as I know, nothing and nobody in the world is perfect, nor has there ever been a perfect human being.

              Taking that as a starting point, I fail to understand that a power user like Horowitz is able, or perhaps willing, to create what is obviously a storm in a tea cup when most non-techies who religiously perform their patches without giving it too much thought, and who certainly did not “comb through the file system, task scheduler and whatever else to make sure they worked”, find their computers clean.

              Still, if your appreciation of a power user is that that behaviour is normal/acceptable, then fine, I just beg to differ.

              1x Linux Mint 19.1 | 1x Linux antiX

          • #311317 Reply

            Microfix
            Da Boss

            It’ll certainly not damage his reputation when it comes to his push for better router security:
            https://routersecurity.org/ the guy is, in my book, a great advocate. Just needs louder shouts from around the interweb.

            | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x86 | XP Pro O/L
            3 users thanked author for this post.
            • #311327 Reply

              Klaas Vaak
              AskWoody Lounger

              @microfix: he might be a great router expert, but routers are not the topic here. Fr Windows he has not impressed me with this storm in a tea cup.

              1x Linux Mint 19.1 | 1x Linux antiX

    • #311182 Reply

      geekdom
      AskWoody Plus

      Regardless of reasons, it’s probably best to do a little checking to see if files, folders, and tasks related to GWX are on your system. Sometimes prevention measures don’t work.

      Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta
      2 users thanked author for this post.
    • #311183 Reply

      Geo
      AskWoody Plus

      Steve Gibson`s  “never 10”  software is free.

    • #311188 Reply

      PKCano
      Da Boss

      MS released KB3184143 to supposedly remove the vestiges of GWX. And anyone on Automatic updates should should have received it through WU.
      But there were a lot of people hiding anything even vaguely related to GWX so they may have hidden it and not have applied that patch.

      Also, I had a friend that bought a new Win computer (don’t remember if it was 7 or 8.1) early on in the GWX campaign. The upgrade to Win10 came as a CHECKED update in the OPTIONAL updates! I had a fit with it b/c the computer, on Auto updates by default, started the upgrade immediately after initial startup. I had to do a Factory Restore and get rid of the upgrade before I connected it back up to the Internet.

      Anyone doing a Factory Restore on that computer might run into the same thing.

      6 users thanked author for this post.
    • #311220 Reply

      GoneToPlaid
      AskWoody Plus

      Win7 Pro on all of my computers, Group B, and updated through Nov 2018. I installed KB3184143 back in 2016 to remove GWX, which it did. Anyway, there are no traces of GWX on my computers.

      2 users thanked author for this post.
    • #311228 Reply

      GoneToPlaid
      AskWoody Plus

      Separately, what is up with today’s two new security patches, KB931906 and KB2758694, which just showed up in Windows Update on my Win7 computers? Not sure if KB931906 is rated critical, but KB2758694 is rated critical. It appears that these are older updates which Microsoft is pushing again to all Win7 computers.

      1 user thanked author for this post.
      • #311307 Reply

        woody
        Da Boss

        By Jove, looks like we have a bunch of incoming Previews….

        I’ll get that posted right away. Thanks!

    • #311250 Reply

      GreatAndPowerfulTech
      AskWoody Lounger

      GWX folders in ProgramData and AppData\Local can be deleted. Even if a task is scheduled, it can’t run if the file is gone. I’ll also start deleting the Task Scheduler GWX folder also.

      Thanks for the tip!

      GreatAndPowerfulTech

      • #311432 Reply

        Mr. Natural
        AskWoody Plus

        If GWX folders are found on a pc then there will also be registry entries for GWX as well. I’ve seen them. The usual edit the registry at your own risk disclaimer.

        Red Ruffnsore reporting from the front lines.

    • #311254 Reply

      byteme
      AskWoody Lounger

      Win 7 Home Premium, Group B.

      I try to be a fastidious installer of all the Woody-recommended updates (for Group B), and my update history doesn’t include 3184143. Did I miss one?

      In any case, I used GWX Control Panel back when, but never ran it in “monitor” mode, and hadn’t run it in eons, but I just pulled it up, and it reports that I have no Win10 Download folders — along with all the rest of the usual No’s.

      I’m assuming there’s no reason for me to run 3184143 at this point, but am open to advice to the contrary.

    • #311258 Reply

      anonymous

      I have 2 Win 7 Ultimate 64 systems.  A year or so ago, I installed & used GRC’s “Never10” utility to turn off GWX.  It worked.  But in Dec I started experiencing the classic intense disk activity shortly after startup that reminded me of GWX.  ???

      Investigating, saw GWXConfigManager running.  Also noted CompatTelRunner was re-enabled (I’d disabled it previously).  Looked further and saw the GWX scheduled tasks were back in place (which I’d disabled previously).

      I re-ran GRC’s Never10 & it confirmed the reg entries to disable Win10 upgrade were still in place.  Head-scratching ensued.

      So, whatever MS installed in the Nov updates re-enabled some of GWX – and completely ignored the reg entries that are supposed to prevent this.

      I went ahead and manually removed GWX scheduled tasks and disabled the GWX executables.   No more crazy disk activity – at least until MS installs another update to their malware.

      1 user thanked author for this post.
      • #311340 Reply

        Michael432
        AskWoody_MVP

        You might want to try blocking CompatTelRunner with an outbound firewall rule which prevents it from phoning home. The procedure is documented here in the section on blocking programs

        https://www.michaelhorowitz.com/KillingWindowsUpdate.php

        Get up to speed on router security at RouterSecurity.org

        1 user thanked author for this post.
        • #311590 Reply

          anonymous

          Do not just block it, delete it outright or lookup how to get rid of it in a more normal procedure.

      • #311737 Reply

        GoneToPlaid
        AskWoody Plus

        Do you have KB3184143 (the GWX removal tool) installed on your computer?

    • #311380 Reply

      Elly
      AskWoody MVP

      As a non-techy who is a little less non-techy than family and friends, I’ve been handed several different computers that had not been used ‘for a while’ and found GWX on them. Surprise! I don’t criticize people, ’cause I figure we are all doing the best we can. These may have been the type of people that Microsoft wanted to force into updating to avoid the spread of mal-ware… but their choice is to avoid updating, as it has ’cause way more problems.

      It is good that an expert does not jump over problems that personal computer users may encounter, by dismissing them by saying it would have been solved if they had updated fully. That is Microsoft’s pat answer, and following their directions caused all kinds of problems… leading to the next recommendation to get a new computer that will be compatible. Instead, through what I’ve learned here, they are still using the same old computers without any issues, completely contrary to Microsoft’s pat advice.

      One Windows 7 laptop out of our family/friends group did finally bit the dust. Apparently placing it on the trunk of a car, having it slide off, and then driven over, was what it took to kill it. So backing up provided an example of the importance of backing up … (the computer, not the car).

      Win 7 Home, 64 bit, Group B

      2 users thanked author for this post.
    • #311403 Reply

      anonymous

      Does @microfix ‘s observation in #post-311339 give the full explanation. It appears @michael432 installed “all available patches” including two that are on the no-go list.

      If there is a deeper issue under discussion, please help me recognize it.

    • #311412 Reply

      abbodi86
      AskWoody_MVP

      One more year, just hang in there 😀

      p.s. idon’t agree with the amount of exaggeration in this matter

      1 user thanked author for this post.
    • #311459 Reply

      anonymous

      I checked my two HP and one Lenovo, all Win7Prox64, and found this issue does not hit me.

    • #311513 Reply

      Carl D
      AskWoody Lounger

      Something else to be on the lookout for:

      I wouldn’t be surprised if MS is already preparing a nice little ‘surprise’ for all remaining Windows 7 users  – possibly a non removable message in the bottom right hand corner of the screen – or worse, a ‘popup’ or ‘flyout’ message (similar to the ones in Windows 10 when you disconnect a removable drive, etc.) that keeps appearing over and over to remind you that Windows 7 is reaching EOL next January and you should ‘upgrade’ to Windows 10.

      No doubt it will be slipped into an important or security update or, at the very least, it’ll be a separate update marked as important and ticked to install by default, of course.

      3 users thanked author for this post.
      • #312229 Reply

        SueW
        AskWoody Plus

        And those of us who religiously watch for DEFCON 3 (or 4, or 5) will already be made aware of this and know what to do, thanks to AskWoody.com!

        Win 7 SP1 Home Premium 64-bit; Office 2010; Group B; Former 'Tech Weenie'

        1 user thanked author for this post.
    • #311564 Reply

      GoneToPlaid
      AskWoody Plus

      Hi everyone,

      I still have KB3184143 (the GWX uninstaller) installed on all of my Win 7 Group B computers. As mentioned, I am updated through November, yet no GWX stuff has showed up on any of my computers. I have two questions for everyone…

      For those of you who are seeing new GWX stuff showing up, is KB3184143 listed in your installed updates under Programs & Features > View installed updates?

      And for those who are seeing new GWX stuff, are you on Group A, or are you on Group B?

      • This reply was modified 3 months ago by
         GoneToPlaid.
      1 user thanked author for this post.
      • #311597 Reply

        anonymous

        Hi GoneToPlaid, I looked into this laptop to help describe another data point. It shows this KB3184143 was installed 21-Sep-2016. This predates my reading at AskWoody. I have followed Group A since learning of it. I do not recognize GWX activity in normal use.

        I do keep several updates “Hidden”. Whenever there is discussion of a service stack that fails to mind its manners, I have done a full cycle of “Restoring” all hidden items in the Windows 7 section of that list, then hiding again everything not desired. This is overkill for what is needed, but it has given me opportunity to see that Windows Update will still offer many of these updates unless they are specifically hidden.

        So no, I do not see any GWX items show up under normal use. But I can create a use where the associated updates will show up, unrequested. I hope I have followed your thoughts, and added useful information.

      • #311618 Reply

        OscarCP
        AskWoody Plus

        GoneToPlaid,

        From a practical point of view, if one finds  KB2952664 is still installed and not KB3184143, before installing the latter should one first delete KB2952664? Any other steps that might be also necessary to finish the job?  Thanks.

        Group B, Windows 7 Pro Sp1, x64.

    • #311609 Reply

      Bill C.
      AskWoody Plus

      Windows 7Pro-64_SP1, Group B, WU for .NET and Office 2010 (MSI version).

      I am not sure my experience is routine, but after finding lots of churning and CPU cycles, I did research and learned about GWX (hence my presence here). I uninstalled all the GWX and telemetry updates, I then removed the GWX folders and disabled, and later totally deleted the tasks for GWX. As I caught the infection early, it has not yet created the large data repositories like the hidden folder on the root of C: drives called “$GetCurrent” or “$BT” or the blocks of upgrade files. I installed the GWX Control Panel and it said nothing was detected. When it was released, I also installed the KB3184143 GWX removal tool. I have run the scripots to see if KB2952664 was on the machine and get a negative.

      As I kept reading I found other components and repositories of the GWX data and compatibility logs. These were also deleted. I still run the GWX Control Panel as it provides a quick indicator of changes to the WU, but I still check after each monthly patch session or any software upgrades to ensure WU is set to never. I have also disabled IE from auto-updating.

      I wonder if the telemetry that was recently included in the roll-ups, utilize some of the GWX analytical and appraisal tools that might have remained even after the removal of GWX system.

    • #311689 Reply

      GoneToPlaid
      AskWoody Plus

      GoneToPlaid, From a practical point of view, if one finds KB2952664 is still installed and not KB3184143, before installing the latter should one first delete KB2952664? Any other steps that might be also necessary to finish the job? Thanks. Group B, Windows 7 Pro Sp1, x64.

      Hi OscarCP,

      Now that is a really good question. Let’s think this through…

      KB3184143 kills GWX, yet will not uninstall any and all installed versions of KB2952664. So the first thing to do is to install KB3184143 to kill GWX. After killing GWX, KB3184143 remains installed on your computer. Perhaps KB3184143 remains installed as a flag to Microsoft that the user does not want to upgrade to Windows 10 — ever?

      After installing KB3184143, and rebooting if asked, then you can run my CMD file for removing all instances of the three infamous telemetry updates which includes KB2952664. Note that all instances of a given telemetry update must be uninstalled, before proceeding to uninstalling all instances of the next telemetry update. Since there are three telemetry updates to be uninstalled, my CMD file must be run three times (if all three telemetry updates are reported as being installed) and with a reboot after each run (just pay attention to the instructions which my CMD file displays) in order to remove all instances of all three telemetry updates.

      After the above is done, run my CMD file one final time (as a sanity check) so that you can confirm that all three telemetry updates are no longer installed on your computer. My CMD file will report if these three telemetry updates truly have been removed from your computer.

      Best regards,

      –GTP

       

      1 user thanked author for this post.
    • #311717 Reply

      GoneToPlaid
      AskWoody Plus

      …When it was released, I also installed the KB3184143 GWX removal tool. I have run the scripts to see if KB2952664 was on the machine and get a negative. As I kept reading I found other components and repositories of the GWX data and compatibility logs. These were also deleted. I still run the GWX Control Panel as it provides a quick indicator of changes to the WU, but I still check after each monthly patch session or any software upgrades to ensure WU is set to never. I have also disabled IE from auto-updating. I wonder if the telemetry that was recently included in the roll-ups, utilize some of the GWX analytical and appraisal tools that might have remained even after the removal of GWX system.

      Your last sentence in particular caught my attention. I too installed the KB3184143 GWX removal tool. It remains installed. Yet it is rumored that recent windows security only updates supposedly have KB2952664 or some other telemetry baked in? I haven’t seen any telemetry activity on my Windows 7 Group B computers which are updated through November 2018. I don’t see any active telemetry related tasks, and I am not seeing my computers making connections to Microsoft’s telemetry servers.

      So this gets me to thinking. If KB3184143 is installed, its presence is clearly telling Microsoft that the user has no desire to upgrade to Windows 10. If KB3184143 is not installed, maybe this is why some users are seeing a sudden reactivation of GWX? If it really is the latter, then this would seem to stoke fears that Microsoft may have intentions of forcing Windows 10 on all Windows 7 users who did not install KB3184143. I’m just throwing this out there as food for thought.

      1 user thanked author for this post.
      • #311728 Reply

        DrBonzo
        AskWoody Lounger

        I believe it’s the Rollup updates, not the Security Only updates, that have KB 2952664 – or some variation of it – incorporated in them.

    • #311745 Reply

      GoneToPlaid
      AskWoody Plus

      I believe it’s the Rollup updates, not the Security Only updates, that have KB 2952664 – or some variation of it – incorporated in them.

      Hmm…perhaps the Group A Rollup updates have KB2952664 baked in, yet KB2952664 doesn’t show up in the list of installed updates? That would be interesting news.

      I wonder what my CMD file will report. I would love for a Windows 7 Group A user, whose computer is fully updated and who always avoided installing KB2952664, to run my CMD file to see if DISM reports that KB2952664 is in fact installed even if KB2952664 is not listed under installed updates. This is my $64 thousand dollar question.

      • #311771 Reply

        anonymous

        As the DISM command syntax contains the logic “find the string of characters that matches KB2952664”, I interpolate that it scans the same database used by the Installed Updates display. In different words, it searches for the title, not the functionality.

        I will not claim your $64,000 prize. Although I fit your described classification, Group A through December 2018, including the suspect function contained in the cumulative rollup, I also might have changed the criteria by running @abbodi86 ‘s “W10tel” executable found in AKB2000012.

        In any case, when I run the single line command (elevated)
        dism /online /get-packages | findstr KB2952664
        it returns an empty result. No joy.

        1 user thanked author for this post.
      • #311860 Reply

        PKCano
        Da Boss

        Since the 2018-09 Preview Rollup and the 2018-10 Monthly Rollup, the KB2952664 functionality has been included in the Group A patches – not the KB2952664 separate distinct patch. The evidence is in the appearance of KB3150513 in Windows Update, which will not appear without the KB2952664 functionality installed. It was not added to the Group B Security-only patches to my knowledge. I believe we had this discussion before back in October.

        KB2952664 and it’s Win8.1 KB22976978 equivalent have NEVER been installed on any of my machines. I am patching Group A, and I have seen KB3150513 appear (and be immediately hidden) in WU on my machines. I am also running @abbodi86 ‘s script to neutralize the telemetry in an attempt to remain in Group A.

        2 users thanked author for this post.
    • #311749 Reply

      OscarCP
      AskWoody Plus

      GoneToPlaid,

      Thanks for your timely advice.

      I just checked and found that I do have installed bad KB2952664, but not good KB3184143 (which I am installing right after I finish writing this). Also not  installed, the other two bad ones you mentioned: KB3150513 and  KB2977759.

      So this is a bit different from the situation for which you have recommended using your script. Any advice on this? Thanks again.

      After two attempts (the first from an MS site where, it turned out, only the x86 version was available), I found the Catalog correct page and downloaded KB3184143, x64 plus an executable file (gwxwu_4e813955262d8e9d497a10018c36299ac02fce5e.exe). Not sure what to do with it… It was together with the .msu file, but it looks, from the name, that it is meant for Windows 8.1…

      Group B, Windows 7 Pro SP1, x64, I-7 “sandy bridge”.

      • This reply was modified 3 months ago by
         OscarCP.
      • #311757 Reply

        satrow
        AskWoody MVP
        • #311765 Reply

          OscarCP
          AskWoody Plus

          Thanks satrow, I found it, as you can see in my answer to GoneToPlaid above, but also found an unexpected executable with it that I downloaded as well and is a bit of mystery to me what to do with it, right now.

          • #311769 Reply

            GoneToPlaid
            AskWoody Plus

            Not sure, but I think that the EXE maybe does additional cleanup? I don’t know. Anyway, here is another Microsoft link for KB3184143 which doesn’t include a separate EXE file:

            https://www.microsoft.com/en-us/download/details.aspx?id=53859

             

          • #311797 Reply

            satrow
            AskWoody MVP

            The gwxwu_4e813955262d8e9d497a10018c36299ac02fce5e.exe is exactly the same W7x64 file as the GWXWU.exe contained within the Windows6.1-KB3184143-x64.msu installer file I linked the download page of. Also packaged in that .msu are several other files (see image), including a PkgInstallOrder.txt:

            MSU_Install_Order

            Attachments:
            You must be logged in to view attached files.
      • #311766 Reply

        GoneToPlaid
        AskWoody Plus

        Hi OscarCP,

        satrow’s link for the x64 of KB3184143 is correct. Get that puppy installed and reboot if asked to do so, and then run my CMD file to wipe out all installed instances of KB2952664. I am curious about how many instances of KB2952664 which my CMD file reports are installed. For example, on one Win7 laptop computer in which I messed up and unknowingly installed KB2952664, nine other versions of KB2952664 were silently installed during the next several months before I caught my error.

        You mentioned: “Also not  installed, the other two bad ones you mentioned: KB3150513 and  KB2977759.” Oops. My bad. I went back through my old notes and saw that KB2977759 is an early version of KB2952664, and that neither requires the other to be installed.

        Best regards,

        –GTP

         

        • #311768 Reply

          OscarCP
          AskWoody Plus

          GoneToPlsid, Thanks.

          I guess I do not need to run your CMD script then. But what should I do with that pesky executable? (See my earlier reply).

          • #311770 Reply

            GoneToPlaid
            AskWoody Plus

            You still need to run my CMD script to wipe out KB2952664 after you deal with installing KB3184143. I posted an alternative Microsoft link for KB3184143 which doesn’t additionally include a separate EXE file. Maybe satrow can shed some light about the EXE file, in terms of whether you run the EXE file first or after installing KB3184143.

            1 user thanked author for this post.
          • #311772 Reply

            GoneToPlaid
            AskWoody Plus

            Ahah! I just looked at the internals of the EXE. What it does is to clean up and remove GWX scheduled tasks and GWX registry stuff, the install packages for GWX, and other GWX stuff. Thus, you run the EXE after first installing KB3184143. Nothing is reported after running the EXE (I just ran it.).

            • This reply was modified 3 months ago by
               GoneToPlaid.
            • #311774 Reply

              OscarCP
              AskWoody Plus

              GoneToPlaid,

              That is good news! Since the executable gets rid of all remnants of GWX, am I guessing correctly that I still may have to run the CMD script after running the .exe file to make sure KB2952664 is gone for good? Even when the .exec has “8.1” at the beginning of its name?

              Thanks for your patience and advice.

              Group B, Windows 7 Pro, SP1,x64.

            • #311776 Reply

              GoneToPlaid
              AskWoody Plus

              Hi OscarCP,

              Yes, you need to run my CMD script to remove all installed instances of KB2952664. I hope that you will report back about how many instances of KB2952664 were removed, as this information will roughly indicate how long you unknowingly had KB2952664 installed on your computer.

              And you are most welcome!

              Best regards,

              –GTP

               

              1 user thanked author for this post.
            • #311781 Reply

              OscarCP
              AskWoody Plus

              GoneToPlaid,

              I’ll do that and let you know how it went.

              Thanks again.

            • #311795 Reply

              DrBonzo
              AskWoody Lounger

              In cases where there are 2 files that are downloaded, one being a .exe file, and the other, say, a .msu file (as in the present case), simply download both to the same folder (downloads folder, desktop, or some other folder you have or make that’s convenient), and install the .msu file. In the process of installation the .msu file will cause the .exe file to execute. If you watch your monitor closely you’ll often see a small command line box show up for a fraction of a second or so as the .exe file executes. It should not be necessary to separately run the .exe file manually, although I don’t suppose it will hurt anything if you do.

              2 users thanked author for this post.
            • #311813 Reply

              OscarCP
              AskWoody Plus

              Mission accomplished!

              This is what I did just now, and what happened, blow by blow:

              (1) Created a recovery point.(Just in case…)

              (2) Istalled KB3184143
              Restarted the computer: went through the “do not turn your computer” routine.
              (3) Run the “.exe” file. (unnecessarily, it seems, but my machine is still breathing…)

              (4) Run GoneToPlaid CMD “search and destroy” script to see if there are some
              instances of KB2952664 and the other bad hidden spies still around and uninstall them. Three found, listed below, but not deleted by the script.

              Then run the other script, to see if the first one had missing something. No: same story.

              (5) Restarted the computer again, because I could. Oddly enough, it went once more through the “do not turn your computer” routine…

              (6) And here I am. The PC lives! (For now.)

              Also: The CMD script did not delete KB2999226 & KB3118401 – To be deleted manually, later.
              Failed to delete KB3021917 with error level 3010.

              Keep the Win 10 and Office 365 enablers? I do not see Windows 10 or Office 365 ever getting into my elderly machine, even if I wanted to use them, which I do not. I already have Windows 7 and Office 2010 running on it, so… No. They’ll go out of support in the not too distant future, but it is still NO.

              Thanks to GoneToPlaid, satrow and DrBonzo for helping out. I hope this sub-series of entries that started with my first one asking for help with this issues may be of some use to others who read all that has been written here as a result.

            • #312055 Reply

              GoneToPlaid
              AskWoody Plus

              You could try manually uninstalling KB3118401, KB3021917 and KB2999226 via Programs and Features > View installed updates. They could be permanently baked into the computer if you ran Disk Cleanup and cleaned up Windows Updates to get more free space on your hard drive. If this is the case, then these updates can not be be easily uninstalled. If these updates can’t be uninstalled, it is no big deal if you are opted out of CEIP. These updates do seem to honor your CEIP settings in terms of not sending telemetry if you are opted out of CEIP.

              1 user thanked author for this post.
            • #312557 Reply

              abbodi86
              AskWoody_MVP

              KB3118401 and/or KB2999226 are part of Microsoft Visual C++ 2015/2017 Redistributable, they are needed to run programs compiled by this version, and should not be removed at all
              even Office 2016/2019 need it

              5 users thanked author for this post.
    • #311796 Reply

      anonymous

      This Group W-er is watching the re-run of the circus… again? with amazement!
      Numbers don’t lie – people behind the numbers do!
      Patches do patch – but do you know what the ‘secret sauce’ is in there?

    • #312386 Reply

      Bill C.
      AskWoody Plus

      Your last sentence in particular caught my attention. I too installed the KB3184143 GWX removal tool. It remains installed. Yet it is rumored that recent windows security only updates supposedly have KB2952664 or some other telemetry baked in? I haven’t seen any telemetry activity on my Windows 7 Group B computers which are updated through November 2018. I don’t see any active telemetry related tasks, and I am not seeing my computers making connections to Microsoft’s telemetry servers.

      If I remember correctly, the various telemetry updates of the past were not solely GWX specific. I believe the long range plan of MS (alluded to but never specifically said) was to also use the transmitted data to report on errors and also patch installations going forward. As such I do believe that the GWX specific issues were removed by the GWX removal patch, but other capabilities may remain. Unfortunately my habit of doing late night research and testing got the better of me when I removed the last vestige of GWX I found using the Process Explorer applet from Sysinternals. There was an unnamed, unknown task in my Windows task library. It was grouped with the CEIP ones.

      I had used CEIP up until the GWX/Telemetry issue began to surface. I disabled them. However the unnamed one remained enabled. Not until doing some testing with the Process Explorer did I discover the linkage of the unnamed task to the GWX or Telemetry tasks. I then disabled it like the CEIP tasks.

      Unfortunately, I did not document it in my notes.

      My initial comments were about Rollups, not the Security Only patches. I have not found any changes with recent Group B patches that would point to telemetry being present. Possibly if they are, they are honoring the various task settings of disabled, as I see no new tasks or changes to settings. Additionally when I disable some tasks, I also disable (by editing) the task trigger (just in case).

      BTW, Thanks, as your scripts have proven very useful.

      1 user thanked author for this post.
    • #313870 Reply

      EP
      AskWoody_MVP

      A reminder to install KB3184143, then remove/hide/block the KB2952664 (for Win7), KB2976978 (for Win8/8.1) and KB3150513 updates.

      see this attached pic: I have KB3184143 installed on a Win7 computer and KB2952664 & KB3150513 are not installed.

      KB3184143updateinstalled

      • This reply was modified 3 months ago by
         EP.
      • This reply was modified 3 months ago by
         EP.
      Attachments:
      You must be logged in to view attached files.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Brinkmann, Horowitz: Are remnants of the despised “GWX” Gets Windows 10 campaign still on your Win7 computer?

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information: