• More on April’s Win 7- and 8.1-patching debacle

    ISSUE 16.15.0 • 2019-04-22

    The AskWoody Plus Newsletter

    In this issue


    AskWoody Plus newsletter takes a week off

    Longtime Windows Secrets readers may remember our four-issues-a-month rule.

    In other words, we skipped any fifth publishing day that fell in a particular month. (Then, it was any fifth Thursday; now it’s Mondays.)

    We’re keeping that tradition, here at AskWoody. As such, there’ll be no new issue in your email inbox on Monday, April 29. Your regularly scheduled programming will return on May 6.

    Yours truly has a special reason for taking a week off. From the start of 2019, the editorial office of the AskWoody Plus newsletter has been a three-by-three-foot table, in an 11-by-19-foot, semi-insulated cabin, on a 67-acre tree farm. My desk has doubled as a food-prep and dining table, shared workstation with my wife, and a place for every other task we might do sitting down.

    It’s been an adventure — especially the days with 18 inches of snow and no power — but within the next few weeks, we’ll be finally moving into our completely rebuilt farm house — where I’ll once again have a real office, dedicated to publishing the weekly newsletter.

    There’s much to do for the move. So the newsletter bye week comes at a good time.

    Thanks to all for your continuing support!

    Tracey Capen, editor in chief


    More on April’s Win 7- and 8.1-patching debacle

    Woody Leonhard

    By Woody Leonhard

    For many Windows 7 and Win8.1 users, April’s Patch Tuesday brought calamity. Numerous admins managing Windows Server 2008 R2, Server 2012, and Server 2012 R2 shared in the pain.

    An unknown conflict between six April updates and installed antivirus products resulted in major system failures. If you were running AV apps from Sophos, Avira, Avast, or McAfee on any of the above systems, and you installed the April updates, your machine may have bluescreened on reboot or turned into virtual sludge.

    The story unfolded in a rather bizarre way. April’s updates arrived on Patch Tuesday in their usual, seemingly innocuous fashion. But when the updated systems rebooted — typically the next day — users were greeted with locked-up or slow machines.

    As I reported in a Computerworld article, the pattern of failure became clear almost immediately. Machines running Sophos Endpoint anti-malware wouldn’t boot — or they’d slow down interminably.

    In the following days, we saw reports of more clobbered systems — machines running other brands of antivirus software. Then, a week later, McAfee chimed in, stating that many machines running its AV product had slowed down after installing the patches.

    As of early this morning (April 22) — nearly two weeks after the patches went out — here’s where we stand.

    The six problematic patches

    These patches —

    • KB 4493472 – Win7 and Server 2008 R2 monthly rollup
    • KB 4493448 – Win7 and Server 2008 R2 security-only
    • KB 4493451 – Server 2012 monthly rollup
    • KB 4493450 – Server 2012 security-only
    • KB 4493446 – Win8.1 and Server 2012 R2 monthly rollup
    • KB 4493446 – Win8.1 and Server 2012 R2 security-only

    — are causing the following collateral damage:

    • Sophos states that applying any of those six patches to any machine running Sophos Endpoint Protection, installed and managed by either Sophos Central or Sophos Enterprise Console (SEC), will refuse to reboot.

      Sophos quickly released a new version of Endpoint Protection that bypasses the problem. And Microsoft has — belatedly — put in a block so its patches won’t install on machines that have the old version of Endpoint Protection. But for the unfortunate, unwinding the damage can be daunting.

    • Avast says that the four Win7 and Win8.1 patches clobber machines running Avast for Business, Avast CloudCare, or AVG Business Edition (AVG is a subsidiary of Avast). Microsoft claims that Server 2012 is affected, too.

      Avast has issued hotfixes for each of its versions. Reportedly, if you boot a broken system, wait 15 minutes, and then boot it again, the machine should pick up the patch and install it automatically, even if you never sign in to Windows — which is a scary story all by itself.

    • Avira posted an advisory, yanked it, and then posted a new one.

      “We have recently released an update that should fix this issue. Your Antivirus Pro will be automatically updated, and you don’t have to do anything else in the product.”

      Alone among the major AV manufacturers, Avira claims that the April updates cause slowdowns but not bluescreens on Win7 PCs. The company also states that Win8.1 machines are not affected — but Win10 1809 systems that installed April cumulative update KB 4493509 are.

      Microsoft hasn’t confirmed the Win10 claim.

    • More than a week late to the group mea culpa, McAfee claims that systems running Endpoint Security can become slow to boot or have slow performance after installing any of the six bad patches — or the Win10 1809 patch. The only workaround offered right now is to “disable any Access Protection rule that protects a service” — basically turn the blasted thing off.

      What happened? McAfee’s one-sentence explanation provides a tiny clue:

      “Changes in the Windows April 2019 update for Client Server Runtime Subsystem (CSRSS) introduced a potential deadlock with ENS (McAfee Endpoint Security).”

      The company gives no other details — anywhere. There’s nothing about Win7 or Win8.1; nothing about a software fix. That’s all we know about a bug that brought down hundreds of thousands — if not millions — of machines.

    What’s going on?

    We know that Microsoft hasn’t, so far, changed the patches. The company isn’t budging, except to block the patches on some machines. So the problem has to lie with the way antivirus products access and protect Windows.

    Although the symptoms vary, it’s now clear that a deadlock condition is part of the problem — the antivirus product is trying to do a task that’s delayed indefinitely.

    Unfortunately, neither Microsoft nor the antivirus manufacturers are talking.

    What can you do?

    Not much. But good on you if you delayed the April updates.

    I’ve long recommended sticking with Microsoft antivirus products — Microsoft Security Essentials (MSE) for Win7, Windows Defender in Win8.1 and Win10 — simply because they’re “good enough” and traditionally don’t suffer from Windows incompatibilities. That’s not, as they say, a guarantee of future performance; it’s just an observation of past results.

    But using MS AV products will become a problem for Win7 users — eventually. The company will stop issuing definition updates for MSE sometime after Win7 reaches its end of support next January.

    How long after? We don’t know and Microsoft isn’t saying. The company continued distributing definition updates for MSE on Windows XP until July 14, 2015 — fifteen months after XP officially expired. Will Microsoft afford the same courtesy to Win7 customers? We can only wait and see.

    Bottom line: If you’re sticking with Win7, and MSE definition updates stop, you’ll certainly want to change to another antivirus manufacturer. (Ah, but which one?)

    What really happened?

    Again, everyone’s tight-lipped about what caused the failures. But the following seems clear to me:

    • These antivirus products — and possibly some other AV products that haven’t yet sounded an alarm — were using Windows in ways that weren’t quite kosher. That’s par for the course for many types of system-level software. Programmers find ways to use Windows internals in unusual ways, as coding shortcuts or for better performance. It’s been true since the beginning of the Windows era.
    • Without any warning to the programming community, Microsoft changed something in April. And that change had devastating effects on many system-level programs — specifically, anti-malware software. So far, we’ve heard about problems only with the aforementioned antivirus products. Don’t be too surprised if reports of more software incompatibilities appear.
    • Whoever tested those six toxic updates — and, apparently, the Win10 1809 cumulative update — did a really poor job. Anti-malware software of some sort is nearly ubiquitous in PCs. So we expect that these kinds of conflicts will be identified and eliminated long before the updates hit the masses.

    Here’s what really concerns me. There has to be a group inside Microsoft that gives the final A-OK on specific patches. In the case of April’s debacle, that entity either:

    a) Didn’t know that the patches would cause these problems, or

    b) Didn’t care.

    I don’t know which case is worse.

    Questions? Comments? Thinly veiled prognostications of impending doom? Join us on the AskWoody Lounge. Bring your sense of humor.

    Eponymous factotum Woody Leonhard writes lots of books about Windows and Office, creates the Woody on Windows columns for Computerworld, and raises copious red flags in sporadic AskWoody Plus Alerts.


    Users stuck on Win10 1803 ask: ‘Force the upgrade or wait?’

    By Fred Langa

    Fred Langa

    There are solid reasons to force an upgrade to Win10 1809 now — and equally solid reasons to wait for Version 1903. Here’s how to decide what’s right for you.

    Plus: Why are there still 8.3-format filenames, in this day and age?

    Upgrade to Win10 1809 or wait for Version 1903?

    A number of LangaList readers have requested clarification on what seems to be conflicting advice. For example, Peter Vincent writes:

    • “Fred, I’ve become very confused about the current recommendations from you and your colleagues at AskWoody about whether or not to upgrade from Win10 1803 to Version 1809.

      “A few months ago, there was a recommendation that those of us still on Version 1803 should not click ‘Check for Updates’ — because Microsoft would then mark us as ‘Seekers’ and give us Version 1809, whether or not it might cause problems.

      “However, your article in the March 25 AskWoody Plus newsletter appears to advocate forcing the update.

      “I would welcome clarification.”

    Similarly, Ralph Nelson writes:

    • “Several weeks back, Woody suggested we not update [to Win10 1809]. And he gave us instructions on how to delay updates. I don’t believe he’s changed that advice, which appears to disagree with your recommendations in Issue 16.14.0 [April 15]. What’s a person to do?”

    Peter and Ralph, it’s not just you — or everyone else in this situation. The past six months of Windows Updates have been truly awful, resulting in no small amount of confusion.

    If you’re still running Win10 1803, you can certainly make a strong case for holding off on upgrading to Version 1809 — especially if you’re managing a significant number of PCs. Waiting until Win10 1903 (the spring 2019 release) is out and proven safe avoids the trouble-plagued Version 1809 entirely — including the tedious PC-by-PC troubleshooting and repair that might well ensue. In that case, waiting sounds perfectly sensible to me!

    But I think the equation changes somewhat if it’s your own PC or you’re managing a relatively small number of machines — say, a home-office or small-office setting.

    When the upgrade to Version 1803 fails, it seems mostly due to subtle incompatibilities and/or circumstances that Microsoft didn’t anticipate — and that Windows Update can’t handle.

    With that in mind, you might ask yourself: “Will the rollout of Version 1903 be better?” If Microsoft tried and failed for six months to successfully upgrade your PC to Win10 1809, why would you expect the Version 1903 upgrade to be any different? Whatever delayed the move to Version 1809 will likely still be present in your PC when you try the 1903 update.

    It is possible that Microsoft learned some important lessons with 1809 and will get it right with the next release. Maybe the upgrade to Win10 1903 will be as smooth as silk — maybe!

    I’m not that trusting, especially given Windows 10’s recent update history. If your setup caused the Version 1809 upgrade to choke, there’s currently no evidence that upgrading to Version 1903 will go more smoothly. Only time will tell.

    Moreover, moving directly from Win10 1803 to Win10 1903 will be, in effect, a double upgrade. It’ll require back-filling any prerequisite code and features in Version 1809 that 1903 will depend on. (You might see many more interim “compatiblity” updates.) So any issues that delayed Version 1809 might be even more problematic when leapfrogging to Win10 1903.

    Bottom line: If you skip Version 1809, it could be a long, long wait between Windows 10 upgrades (which isn’t necessarily a bad thing).

    So: Force Version 1809 or wait for Version 1903? It’s really a judgment call only you can make.

    Personally, if I were managing dozens, hundreds, or thousands of PCs that are still on Win10 1803, I’d take the conservative approach and wait until 1903 is proven safe and stable.

    But if it’s just a small number of PCs, I’d choose the possibly surer approach of forcing the upgrade to Version 1809 now. It might help you identify and correct issues that could delay Version 1903, and it gives you a system whose bits are closer to the next release’s.

    That’s why I’ve forced the 1809 upgrade on my Version 1803 PCs.

    In short: There’s no single, correct, one-size-fits-all answer to Windows upgrading. It’s up to you!

    Really? 8.3-format filenames in this day and age?

    LangaList reader Steve Fleckenstein wonders about a steadfast holdover from the earliest days of DOS.

    • “Why do many Windows application developers still use the shortened, almost cryptic, 8.3 file-name convention, rather than taking advantage of long file names that are more understandable?”

    In a word: Compatibility!

    Different file systems — DOS, Windows, Linux, Apple, CDs, DVDs, and so forth — have different expectations and requirements for filename length, allowed characters, path inclusion, and so on. (See the Wikipedia Comparison of file systems page.)

    But the plain-vanilla DOS 8.3 format is so old and entrenched, it represents a kind of “lowest common denominator” that virtually all file systems can understand and handle properly. The 8.3 format helps to ensure that a file’s name will always remain intact, no matter where the file is copied to — or what device is using it.

    Microsoft’s use of long file names dates back to Windows NT 3.5. All current Windows releases automatically store two versions of each filename. If you save a file with a long, human-friendly version of the name (e.g., something like “Start of Grand Canyon Vacation.jpeg”), Windows will automatically create a short, internal-version of the name — such as STARTO~1.JPE.

    Apps like File Manager use long file names by default; but internally, Windows works with the short, compatible-with-everything name.

    Want to see? Open a command window in any folder that has files with long names. (Need help? See the HowToGeek article “10 Ways to Open the Command Prompt in Windows 10.”) At the command prompt, type dir /x — you’ll then see a list showing both the long name you’re probably familiar with and the automatically generated, 8.3 version alongside it (see Figure 1).

    Short and long file names
    Figure 1. In a command prompt, entering dir /x displays both the short and long versions of each file’s name.

    Getting back to the main point of your question, neither you nor software developers have to use long file names. You also don’t have to use 8.3 names — unless you want to ensure compatibility with a very wide range of file systems and standards. It’s the safest choice.

    Send your questions and topic suggestions to Fred at fred@askwoody.com. Feedback is also always welcome in the AskWoody Lounge!

    Fred Langa has been writing about tech — and, specifically, about personal computing — for as long as there have been PCs. And he is one of the founding members of the original Windows Secrets newsletter. Check out Langa.com for all Fred’s current projects.

    Best Utilities

    Freeware Spotlight — Desktop Restore

    Deanna McElveenBy Deanna McElveen

    Our Windows desktops are much like a physical desktop — we have them organized just the way we like things.

    Some of us like a clean desktop with all folder and application icons placed neatly in the Start menu and taskbar. Some of us prefer to spread things out across the desktop, organized in a way only we can understand.

    We’re comfortable with our particular organization — until the day we boot our systems and discover a desktop that appears to belong to someone else. Grrrr!

    How did that happen? It’s possible something got scrambled when you or some app changed screen resolution — or you updated video drivers, or you installed a new video card. For whatever reason, Windows developed icon-placement amnesia.

    Midiox.com’s Jamie O’Connell created a solution for that problem. Desktop Restore is a small application that records where icons live on the desktop; if they get scrambled, it can quickly put them back where they belong.

    Desktop Restore is, of course, available as a no-cost download on our site. You know our motto: If it’s not free and comes with crapware, it’s not recommended by OlderGeeks.com.

    Desktop Restore is not a traditional program. It’s a Windows Shell Extension — typically a custom tool or option added to File Explorer’s drop-down or context menus. Dropbox and 7-Zip are just two of the many apps that add shell extensions to File Explorer.

    In this case, Desktop Restore appears when you right-click on the desktop, as shown in Figure 1.

    Desktop Restore menu option
    Figure 1. Once installed, Desktop Restore appears as a new menu option when you right-click the desktop.

    Selecting Desktop Restore displays a submenu (Figure 2) containing various save, restore, and customization options. To quickly save your current layout, simply click Save Desktop and then click OK in the popup Desktop Save and Restore dialog box (see Figure 3).

    Desktop Restore submenu
    Figure 2. Desktop Restore’s submenu of icon-management options

    Figure 3. Click OK in the Desktop Save and Restore window to save the current layout.

    Now, should your desktop icons suddenly become a jumbled mess — say, after a screen-resolution change, you can simply click Desktop Restore/Restore Desktop to bring back the last saved desktop layout.

    Other Desktop Restore tricks

    Desktop Restore’s options go beyond simple icon-layout recovery. You can, for example, have custom layouts for different users on the same PC — or change the desktop for different tasks.

    Start by selecting Desktop Restore and then Custom Save/Restore. You’ll get a popup window with a list of previously saved layouts (Figure 4).

    Custom Save/Restore
    Figure 4. To access other saved desktop layouts, select the Custom Save/Restore option.

    Let’s say you want to create a desktop designed for a child — one that has very few icons visible, and with your icons stuffed into a desktop folder. Using Custom Save/Restore, you can save multiple layouts by giving each an easily identifiable name.

    Start by saving your preferred layout. Right-click the desktop and select Desktop Restore, then click Custom Save/Restore. Now click the Save button and give the layout a logical name — something like “Not Jethro Safe.”

    Now simplify the desktop and repeat the above steps. However, this time give the saved layout a name such as “Jethro Safe.” At this point, it’s easy to use the Restore button to choose the specific layout you need.

    Some of our regular customers are now using Desktop Restore on their machines. While the PC is in our shop, it’s attached to different monitors, which can change the desktop layout. With this utility, customers can easily restore their preferred setup when the machine is back in the office or home.

    Some final Desktop Restore points

    If icons are added between saves, they’ll be placed in an empty area of your screen. To make them easier to find, choose the “Highlight Unmatched Icons” option in the submenu. But in our experience, it’s easier to just save your layout whenever you add or delete desktop icons.

    Also, when using multiple monitors, click Save Desktop in the submenu whenever you rearrange the desktop.

    Note: Don’t use this utility if your desktop is set to “Auto Arrange” because … well … what would be the point? Also, the developer recommends turning off the desktop’s “Align icons to grid” option (right-click desktop/View; see Figure 5). But I’ve not had any issues with leaving this setting turned on.

    Align icons to grid option
    Figure 5. Desktop Restore might work better if you turn off the Align icons to grid option.

    That’s it. Go grab the utility from its download page at OlderGeeks .com.

    Questions or comments? Feedback is also always welcome in the AskWoody Lounge!

    Deanna and Randy McElveen are celebrating 20 years in the computer business, seven years running OlderGeeks.com and 26 years of putting up with each other. Their computer store is in a small town in the Missouri Ozarks. Believing that happy customers are always the best advertisement, they hope to do it for another 20 years.


    Four ways to sign in to Windows — without a password

    Lance WhitneyBy Lance Whitney

    There are many reasons to hate passwords. Fortunately, Microsoft’s Windows Hello offers quick and easy alternatives.

    Passwords are the most common method for securing our personal information — they’re also the biggest chink in our digital armor. Too often, our passwords are either exceedingly simple — making them easily cracked (yes, there are people who still use “1234”) — or they’re so complex we can’t keep them in our personal, random-access memory. (And resetting passwords is a bothersome, time-consuming, and sometimes chancy task.)

    Having to use a password every time we sign in to Windows is especially annoying. The easy alternative is to set up a PIN. But Win10’s Windows Hello feature also lets you set up other sign-in options.

    For example, through Windows Hello, you can create a picture password; or, with the right hardware, you can set up fingerprint or facial recognition to verify your identity. Moreover, you can use any of these methods to sign in to both Microsoft and local accounts.

    Let’s check them out, so you can see which ones might work best for you.

    Setting up a PIN

    A PIN is the easiest alternative to both set up and use. Although “alternative” isn’t precisely accurate — for any of the Hello options. You’ll always have a Win10 password. That’s important, because on those occasions when a PIN isn’t sufficient, the OS will insist you enter your password.

    You might have established a PIN when you first set up Windows 10. If not, no problem; you can add one at any time. Click through Settings/Accounts/Sign-in Options. Look for PIN under Windows Hello and click the Add button (see Figure 1).

    Setting up a PIN
    Figure 1. The option for adding a PIN is in the Settings/Sign-in options window.

    Hold on a second! Before you enter the new PIN, consider this: You might be accustomed to concocting simple PINs with just four digits. Sure, they’re quick to type and easy to remember, but four-digit PINs aren’t that hard to crack.

    A longer, more complex PIN will provide significantly better security. The trick is to create a more secure PIN that’s still easy to use. Unlike most PINs, Windows PINs can be made up of both numbers and other characters. To do so, check the box labeled Include letters and symbols — this will also pop up a handy guide to PIN requirements (see Figure 2).

    I typically use a PIN made up of eight characters that are easy to remember but hard to crack.

    Enter your PIN, enter it again to confirm it, and then click OK

    PIN requirements
    Figure 2. A good Windows 10 PIN is complex — making it hard to break — yet still easy to remember (sort of like a secure password).

    Setting up a Picture sign-in

    Again, the best sign-in method is both iron-clad secure and easy to apply. That’s truly the goal of the Picture option. It works by having you draw specific gestures on a favorite picture each time you sign in. You can create and use a picture password with your mouse, but the feature really lends itself best to touch-screen devices.

    To set up a picture password, open the Sign-in options screen, scroll down to the Picture password section, and click the Add button. You’ll then be prompted to enter your MS or local-account password as verification. Click the Choose picture link and select a photo or other image stored on your PC. You can drag your picture around the screen to position it. Now, click the Use this picture button.

    Next, follow the prompts to create three different gestures. You can choose from a combination of circles, straight lines, and taps. Draw one of those gestures on a memorable spot on the picture. Do this twice more, as prompted (see Figure 3). To confirm your gestures, redraw each of the three. When you’re done, click Finish.

    Set up a Picture password
    Figure 3. To sign in with a Picture password, you create three gestures on a chosen image.

    Swipe to sign in

    If your PC has a fingerprint reader — USB-attached, keyboard-based, or built-in — a quick swipe is the fastest and easiest way to unlock Windows. The Fingerprint option should show up under Windows Hello only if you have a supported reader attached or built in. If you do, click the Set up button and then Get started.

    When asked, enter your PIN as verification. Next, repeatedly touch or swipe the reader as prompted (see Figure 4). Continue until your fingerprint is accepted.

    Fingerprint-reader setup
    Figure 4. If your system has a fingerprint reader, a simple swipe can give you quick access to Windows.

    Fingerprint readers are, in theory, very secure. But they can have difficulty reading your print — especially if your fingers tend to take a beating from gardening or other physical activities.

    Oh, I see it’s you!

    Facial recognition can be as quick and easy to use as a fingerprint reader and should be more reliable. But your PC’s webcam has to support Windows Hello. At this point, very few desktop cameras are compatible, and those that do are often expensive.

    Two USB cameras that work with Windows Hello are the Logitech Brio (around U.S. $180) and the Creative BlasterX Senz3D ($100). The webcams built into some laptops — certain Dells, for example — also support Windows Hello. As with fingerprint readers, if your camera is Windows Hello–compatible, the Face Recognition option will appear (see Figure 5).

    Set up Face Recognition
    Figure 5. With the right camera, the Face Recognition option will appear under Windows Hello.

    To add Face Recognition, click Set up/Get started and then enter your PIN. Next, you’ll be asked to look at the camera to have your face scanned. Keep your head still until the scan completes. If the scan doesn’t go properly, simply try it again.

    Sign in with your preferred method

    When it’s time to sign in to Windows, the lock screen will let you choose among the methods you’ve established — PIN, picture password, fingerprint, and/or facial recognition. Pick one, give the correct response, and Windows signs you in (see Figure 6.)

    Pin sign-in
    Figure 6. In this example, Windows is asking for my PIN.

    Questions or comments? Feedback is also always welcome in the AskWoody Lounge!

    Lance Whitney is a freelance technology reporter and former IT professional. He’s written for CNET, TechRepublic, PC Magazine, and other publications. He’s authored a book on Windows and another about LinkedIn.

    Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).

    Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.

    Your email subscription:

    Copyright © 2019 AskWoody LLC, All rights reserved.