• A quick overview of January patching recommendations for Windows

    The web site is getting hammered. Sorry about that, but there’s a reason why the main discussion thread for installing January 2018 takes a long time
    [See the full post at: A quick overview of January patching recommendations for Windows]

    5 users thanked author for this post.
    • #165341

      Note to any MVP’s, as I don’t want to bother Da Boss: According to the Computerworld article, I downloaded Macrium Reflect Free, created bootable Rescue Media on an external drive (had to create a new partition for it, which is the 1st time for that), & added the boot menu option for it (which works, but at 1st had a blank screen; power button just put PC to sleep & woke it up again, so I had to remove my laptop battery & reinsert). Now comes the Main Event:

      Making a full system image backup. According to Macrium, would I:

      • Image selected disks on this computer (AKA C:, and maybe the File History folder on the E: external drive), or
      • Create an image of the partition(s) required to backup & install Windows.

      Sorry; I’m not as much a techie as I thought I was. Updating Windows 8.1, especially in Group A, is a piece of cake compared to this. However, better to be scared enough to backup, rather than to assume everything goes well. Of course, you know (at least us old-timers do) what happens when you Assume (this was before Microsoft, so no wonder they get bit & their changes bite us): You make an Ass out of U and Me! Thanks for Nothing, Nadella…

      Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
      Wild Bill Rides Again...

      • #165348

        If you look at Control Panel\Admin Tools\Computer Management\Disk Management you will see the layout of the hard drive.

        When I make a disk image, I include in the image all the partitions and the boot sector. (all my drives are legacy BIOS). I have never included more than one drive in the image. I have used Acronis (paid ver) for years. I do not install it. When I make the image I boot from the emergency CD/USB and run the software from there. That way there are no Win files in use.

        1 user thanked author for this post.
    • #165376

      Okay, so image the C: drive. Again, I’m using Macrium Reflect Free & it’s the 1st time I’ve ever done a full system image backup. File History obviously isn’t a full backup. Anyone using Macrium Reflect want to give me a hand? Please?!

      Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
      Wild Bill Rides Again...

      • #165387

        That is off-topic here.
        Make a separate topic (maybe under “Tools”?) and request help for Macrium.

      • #165396

        @wildbill: I use Macrium Reflect. The version is 5.1; I remember long ago making a conscious decision not to update it because newer versions dropped some feature that I considered important, although now I can’t remember what that was…

        Anyway, what you (probably) want to do is to select all the partitions on your system drive: go to the Disk Image tab and select the “Create a Backup” tab there. Make sure that all the partitions on the physical disk that contains your OS are checked off. (I always include the “factory image” D: drive for good measure.)

        If you have more than one physical disk on the PC, you will see more than one row of disk partitions. They will be identified as “MBR Disk 1,” “MBR Disk 2,” etc. followed by the disk’s model number and size so that you can verify you’re looking at the disk you want.

        Now see below the row of partitions for the desired disk, where you have a choice to “clone this disk” or “image this disk.” Click on “image this disk.” A new smaller window will pop up, showing you the disk you’ve selected to image (the “source”) and asking where you want the image to be stored (the “destination”). Find the location where you want the image to go and give it the name you want (I just go with Macrium’s recommendation for the name).

        Now click on the “Next” button. The window will change to show you what you are about to do. After verifying the backup source and destination, you can click on “Advanced Options” in the lower left corner to see your compression and other options, and to add a description of what you’re doing. (I write something like “full uncompressed backup done February 6, 2018” as it minimizes the chances for confusion later on if I need to restore a backup.) When you’re done, click OK and then click “Finish” in the smaller window.

        Now you will get a further set of options, this time to save the instructions for making the image to an XML file that you can reuse later. Your choice. Make sure that “run this backup now” is checked and then click OK. The backup process will begin.

        Let me know if you need more information, but this really should be enough to get you going.

        As I said before, I’m using an older version of Reflect so what you see on your screen may not match exactly what I see, but the concepts should be basically the same.

        Good luck.

        2 users thanked author for this post.
        • #165410

          Cybertooth: I have 7.1, which adds backup schedules & retention rules. I rolled my own there, but followed your instructions on ‘Advanced Options’. Will let you know in Tools how it goes.

          PKCano: Sorry if I was off-topic, but am usually commenting on Woody’s blog entries. Moving future discussions to Tools.

          Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
          Wild Bill Rides Again...

    • #165397

      @PKCano: Feel free to use my post above (and presumably WildBill’s) to start the new thread you recommend.

       

    • #165395

      Woody, I appreciate the tremendous effort you and the MVPs have been making in these last few weeks, and not for the fun of it or for some kind of gain, but because of the dismal mistakes of others.

      That said, I really like my old Win 7, x64, Pro, Intel I-7 “Sandy Bridge” PC. (This is relevant to what follows.) And am a convinced Group B person.

      On the security only Windows 7 January patch, I have heard some advocating KB4056897 and others KB4073578. Having listened carefully to both sides, I have reached the firm decision to wait and see what happens to those who follow one or the other piece of advice.

      Particularly since I see no reason to hurry and do something about it just now. (To me, IE11 is a different issue, and I am patching it. Same thing with Office.)

      So I’ll be delighted to hear something about how (and if) the experiences vary between those choosing to install one update, and those choosing to install the other. Probably I’ll hear the gnashing of teeth, rending of garments and lamentations, if any, but those tend to be from the noisy and often clueless, and so of no great help — although better than nothing.

      Evidence for the above claims:


      @OscarCP
      you should install KB4056897 it’s a security only update; KB4073578 it is not and it’s for AMD devices
      for me  KB 4056897 and  KB 4056568 (E11) both installed as Group B

      MrBrian, though:

      Group B Windows 7:

      Manually install KB4073578. Manually install KB4056568.

      2 users thanked author for this post.
    • #165401

      My PC Win 7 Pro, SP1; Speccy says (excerpts) “CPU: Intel Pentium G3220 @ 3.00GHz…..Haswell 22nm Technology…..Environment Variables:…..PROCESSOR_ARCHITECTURE AMD64…..” I previously reported (my reply no. 157414 to Ask Woody) I successfully in Jan. installed Jan. 2018 KB 4056897; no brick; still boots and runs; and I did and do have the new registry key. CURRENTLY, after reading Mr. Brinkmann’s article on “Microsoft releases AMD-specific Windows 7…updates to fix unbootable state issue”, I am considering whether to install the new MS KB4073578 Brinkmann referred to. It ~appears~ to me (not a techie by occupation) that my processor was mfd. by Intel, but the architecture in it is the AMD-developed “AMD64”. Does ~anyone~ have a clue whether I need the new KB4073578 ?

      • #165425

        You have an Intel chip. The ‘AMD64’ is basically telling you your system is 64 bit. The ‘AMD’ is there for some combination of historical/traditional/customary reasons. I think maybe AMD was the first chip manufacturer to make 64 bit chips.

        But, repeating, you have an Intel chip.

        1 user thanked author for this post.
    • #165432

      Win7 user with an old intel pentium here. The major bugs are on AMD right? Also, I run MSE as the anti virus it should have the new key already right?

    • #165461

      My best guess on 4058258 is that the classification for it in the catalog (just “Updates”) means that some won’t have it offered to them automatically, but that the stuff in it will be in the February update next week, which will be a “Security Update” and offered up automatically.

      The other updates for 1709 x64 listed as just “updates” have never arrived for me (4051963/4073290), but the cumulatives have always arrived.

      Everything is going smoothly here (knockonwood) on 16299.192. We’ll see the 16299.214 devices next week when we all get back on the same number again hopefully.

    • #165459

       

      I’m running an 8.1 system and have installed 4056568 and 4056898. My processor is Intel and I have had no BSOD or any other problems. Do I need to install 4077561?

    • #165465

      Woody, please move this info to the appropriate area and edit as necessary:

      I have determined that the January 31 Cumulative update suffers from the same problem we saw several months ago where Windows Update will not find it if Pro users have Defer Feature Updates set to anything other than “0” (zero.)  As soon as I set both Feature and Quality Defer to “0”, Windows Update immediately found and installed the January 31 Cumulative update.

      DJG

      1 user thanked author for this post.
    • #165515

      Looks like I followed MrBrian’s AND PKCano’s advice for Group A. All 4 Important updates & no Recommended updates, skipping the .NET Framework for 4.7.1, KB4033369. The .NET Framework Rollup, KB4055266, was applied. I hope not downloading KB4077561 for the PIC/APIC bug doesn’t bite me, but I’m backed up & can start over if it does. Cheers!

      Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
      Wild Bill Rides Again...

    • #165522

      I didn’t mention anything about .NET Framework updates in my advice because the existing Group A and Group B instructions should be sufficient for .NET Framework updates. I installed the Windows 7 January 2018 .NET Framework monthly rollup a few weeks ago.

      3 users thanked author for this post.
    • #165524

      Shouldn’t the Win7 Group B recommendation also include KB4056897? I mean, KB4073578 fixes the unbootable state issues with some AMD CPUs, and I guess it doesn’t harm to also have it on Intel, but without KB4056897, you’re not actually getting the security patches, KB4073578 doesn’t include them, right?

      • #165528

        you’re not actually getting the security patches, KB4073578 doesn’t include them, right?

        Wrong. KB4073578 replaces KB4056897

        • #165542

          you’re not actually getting the security patches, KB4073578 doesn’t include them, right?

          Wrong. KB4073578 replaces KB4056897

          Hm… The info doesn’t say that, whether on the MS site or in the Update Catalog. But this was probably mentioned before? Either way, AKB2000003 should be edited to remove that first one then.

    • #165544
      3 users thanked author for this post.
    • #165558

      Can someone please tell me the difference between KB4056894 and KB4057400?

    • #165618

      I’m a bit confused. I do security-only updates for Windows 7 64bit. On two computers with Intel processors the January Rollup shows in Windows Update and I’ve just installed the security-only updates with no problem. On two computers with AMD processors (rather elderly Turion & Athlon), compatible antivirus and the QualityCompat registry key, the January Rollup has never appeared in Windows Update, although .NET updates, MSRT and Office updates do. Does this mean I shouldn’t install the January security-only KB4073578?

    • #165631

      I’m on Win7 x64, Group B. I went with MrBrian’s advice and installed KB4073578 despite having an Intel processor (4690k)

      No problems, but I note in “installed updates” it’s listed as “Update for Microsoft Windows” rather than “Security Update for Microsoft Windows”

      Should I be concerned or just ignore it and get on about my business?

      Long time reader, 1st post, huge thanks to Woody and everyone who helps out here 🙂

      2 users thanked author for this post.
      • #165666

        I’m on Win7 x64, Group B. I went with MrBrian’s advice and installed KB4073578 despite having an Intel processor (4690k)

        No problems, but I note in “installed updates” it’s listed as “Update for Microsoft Windows” rather than “Security Update for Microsoft Windows”

        Should I be concerned or just ignore it and get on about my business? Long time reader, 1st post, huge thanks to Woody and everyone who helps out here

        Based on analysis of the contents of KB4073578 vs. KB4056897, the files in these updates are identical, except that KB4073578 contains some newer file versions. You can convince yourself that KB4073578 contains security-related updates by using InSpectre or a similar program to check for the presence of Windows Meltdown/Spectre mitigations after you install it and restart your computer.

        Thanks for posting your feedback :).

        3 users thanked author for this post.
        • #165675

          I’ll do that, thanks (not anon anymore, I signed up, probably about time) 😀

        • #165708

          I’m on Win7 x64, Group B. I went with MrBrian’s advice and installed KB4073578 despite having an Intel processor (4690k). No problems, but I note in “installed updates” it’s listed as “Update for Microsoft Windows” rather than “Security Update for Microsoft Windows”. Should I be concerned or just ignore it and get on about my business? Long time reader, 1st post, huge thanks to Woody and everyone who helps out here

          Based on analysis of the contents of KB4073578 vs. KB4056897, the files in these updates are identical, except that KB4073578 contains some newer file versions. You can convince yourself that KB4073578 contains security-related updates by using InSpectre or a similar program to check for the presence of Windows Meltdown/Spectre mitigations after you install it and restart your computer. Thanks for posting your feedback :).

           

          Thanks again. InSpectre tells me I’m protected against Meltdown now so that’s good. Spectre is greyed out as there has been no microcode and bios update for my motherboard, so I believe that is all as expected. 🙂
          Thank you for the help, very much appreciated.

    • #165639

      I’m a bit confused. I do security-only updates for Windows 7 64bit. On two computers with Intel processors the January Rollup shows in Windows Update and I’ve just installed the security-only updates with no problem. On two computers with AMD processors (rather elderly Turion & Athlon), compatible antivirus and the QualityCompat registry key, the January Rollup has never appeared in Windows Update, although .NET updates, MSRT and Office updates do. Does this mean I shouldn’t install the January security-only KB4073578?

      Sorry if this appears twice. The first attempt seemed to fail.

    • #165673

      Can someone please tell me the difference between KB4056894 and KB4057400?

      KB4056894 is the January 2018 Windows monthly rollup, while KB4057400 is the January 2018 Windows preview monthly rollup. Windows Update is (properly) preventing KB4056894 from being offered to some users because of the AMD processor issue. KB4057400 has fixes for the AMD processor issue. That’s why I recommended that Windows 7 Group A should install KB4056894 if it’s offered by Windows Update, and if it’s not, then install KB4057400 if it’s offered by Windows Update.

      • #165712

        MrBrian

        I do have an AMD processor.
        This is what came down the trough.
        Important…………… KB4055532 Checked
        Important…………… KB4056894 Checked *
        Recommended……. KB4033342 Unchecked
        Important MSRT…… KB890830  Checked

        Optional……………. KB4057400 Unchecked *
        Optional……………. KB4057270 Unchecked

        * I have both KB4056894 & KB4057400 patches. Do I install both?
        Besides those two patches, what other patches do I need to install?

        Thanks,

        Sparky

        Dell, W10 Professional, 64-bit, Intel Core i7 Quad, Group A

        HP, W7 Home Premium, 64-bit, AMD Phenom II, Group A

        • #165716

          MrBrian

          I do have an AMD processor.
          This is what came down the trough.
          Important…………… KB4055532 Checked
          Important…………… KB4056894 Checked *
          Recommended……. KB4033342 Unchecked
          Important MSRT…… KB890830 Checked

          Optional……………. KB4057400 Unchecked *
          Optional……………. KB4057270 Unchecked

          * I have both KB4056894 & KB4057400 patches. Do I install both?
          Besides those two patches, what other patches do I need to install?

          Thanks,

          Sparky

          Your AMD cpu seems not affected (per WU detection metadata), that’s why you get KB4056894

          but just to be safe, either install the preview KB4057400 or wait for the next tuesday security rollup

          1 user thanked author for this post.
      • #165772

        Thanks @MrBrian I’m getting KB4056894 in WU dated January 4th so I was worried that I had missed an update revision. Is there anything I can look for that would tell me the chances of the updates bricking my (at this point, ancient) Intel machine?

        • #165852

          Thanks @mrbrian I’m getting KB4056894 in WU dated January 4th so I was worried that I had missed an update revision. Is there anything I can look for that would tell me the chances of the updates bricking my (at this point, ancient) Intel machine?

          KB4056894 hasn’t been revised. Windows Update isn’t blacklisting KB4056894 for your computer, so that’s a good sign. However, given this month’s Windows Meltdown/Spectre mitigation incompatibilities with some software, it’s good to follow Woody’s advice about making a full backup first before installing the Windows updates.

          • #165864

            Again thank you @Mr.Brian. Your answers and explanations are always straightforward and easy to follow. As for KB4056894 not being blacklisted for my computer, as far as I can tell, it’s never been blacklisted, even before I got the registry key fix and I’ve never been able to figure out why. On top of that I’ve seen a couple posts saying that the security only patches are causing less problems. Do you have any thoughts on that?

    • #165691
      I got brave and installed Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1 updates for Windows 7 SP1 and Server 2008 R2 SP1 (KB 4055532) but I didn’t get the screen to “restart now” but I restarted it anyway to be safe. All is a-ok as far as I can tell.
      Strange thing is history shows KB4055532 BUT installed updates show KB4054998. Mark up another day I’m confused.
      • #165697

        I got brave and installed Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1 updates for Windows 7 SP1 and Server 2008 R2 SP1 (KB 4055532) but I didn’t get the screen to “restart now” but I restarted it anyway to be safe. All is a-ok as far as I can tell.
        Strange thing is history shows KB4055532 BUT installed updates show KB4054998. Mark up another day I’m confused.

        A reboot is usually not required for .NET installs.
        The .NET Rollup has separate patches for multiple versions of .NET. You will only see the Rollup number in WU, but it installs the particular patch for your version and that is what shows up in Update History or Installed Updates.

        1 user thanked author for this post.
    • #165698

      Strange thing is history shows KB4055532 BUT installed updates show KB4054998. Mark up another day I’m confused.

      It is confusing indeed. One shows the “parent” update, and the other shows the “child” updates. Look at the “Microsoft Update Catalog” section of https://blogs.msdn.microsoft.com/dotnet/2018/01/09/net-framework-january-2018-security-and-quality-rollup/ to see if you understand what I mean by parent vs. child update in this context.

      1 user thanked author for this post.
    • #165704

      Got it.  Thank you very much everyone!

    • #165728

      MrBrian

      I do have an AMD processor. This is what came down the trough.

      I would install the three updates that are checked by default. You could choose to substitute KB4057400 for KB4056894 if you want to (abbodi86’s advice). There’s no need to install both KB4057400 and KB4056894.

      1 user thanked author for this post.
      • #165802

        Since sparky is asking a similar question that I relate to I would like to ask which WU should I download for my computer. I have an Intel Core i5 Processor Desk Top (Lenovo) with Windows 7 Professional, 64 Bit. KB4056894 is checked on my Update list but it will not install. KB4057400 is on my Update list unchecked. If KB4056894 won’t install, should I try to install KB4057400 instead or wait and hope that Microsoft gets their act together. I have found a lot of other individuals are having this same installation problem with KB4056894.

    • #165764

      ? says:

      group B security only:

      installed KB4056897 on win 7 x32 and KB4073578 Intel Pentium 4 Northwood 3.06 HT. runs fine, seems to boot a bit slower after patches.

      installed KB4073578 and KB4056897 on AMD AthlonX2. first run the KB4056897 bricked it. Uninstalled KB4056897 and then reversed the order of updates. KB4073578 first, then KB4056897. runs fine, also seems to boot a bit slower.

      did the IE security patch (KB4056568) on 1/25/2018. no ill effects

      also did .NetKB4055532 which morphed into KB4074880 (.Net v3.5.1) seems to work ok.

      guess i’m done ’till the next crisis?

      side note my linux has two Spectre mitigations just now, USN-3560-1:QEMU update and USN:3561 Libvirt update so i’m off to do that now…

      thank you

       

       

    • #165773

      Thanks @mrbrian I’m getting KB4056849 in WU dated January 4th so I was worried that I had missed an update revision. Is there anything I can look for that would tell me the chances of the updates bricking my (at this point, ancient) Intel machine?

      Did you mean KB4056894, the Jan Rollup for Win7?

    • #165781

      I updated two Intel CPU Win 7 computers: 4056897 and 4056568 with no problems.

      I’ve done one Win 7  AMD. I installed 4073578 first and rebooted then followed with the two other Security patches 4056897 and 4056568 again with no problem.

      If I can pry my husband’s netbook away from him, it is AMD, I’ll do his Win 7 the way I did my desktop AMD: 4073578 first followed by the two other patches.

    • #165801

      For Win7 x64 with Intel processor Group B: I attempted to install 4056897, 4073578 and 4056568 all downloaded from the links in Forums Topic: 2000003. The IE11 update was successful – the other 2 failed. I initially did all 3 at once. I tried to install 4086897 by itself and it failed again. I thought I would go to MS Update catalog & download both from there, but I could only find WMSRT from my usual search entry. Helpful suggestions would be greatly appreciated……

      • #165813

        I tried to install 4086897 by itself and it failed again.

        The links on this website are direct download links to the MS Catalog. The recommendation in the blog is to install KB4073578 and KB4056568 ignoring KB4056897.

        • #166052

          Reply to #165813 PKCano

          I uninstalled KB4056568 on the chance that order of update installation mattered. Following @mrbrian’s instructions, I started with KB4073578. The update failed again.

          Any additional ideas?

    • #165853

      Since sparky is asking a similar question that I relate to I would like to ask which WU should I download for my computer. I have an Intel Core i5 Processor Desk Top (Lenovo) with Windows 7 Professional, 64 Bit. KB4056894 is checked on my Update list but it will not install. KB4057400 is on my Update list unchecked. If KB4056894 won’t install, should I try to install KB4057400 instead or wait and hope that Microsoft gets their act together. I have found a lot of other individuals are having this same installation problem with KB4056894.

      In your case, I would try installing KB4057400.

      • #166082

        Update:  I tried installing KB4057400 (per your recommendation) and the same thing happened with this update that happened with KB4056894.  The update proceeds to a restart and then we get a “Failure Configuring Windows Updates–Reverting” message at Windows startup.  Now I have 2 updates that won’t install.  EGADS!!

      • #166133

        UPDATE:  I tried installing KB4057400 (as you recommended) and the same thing happened with this update that happened with update KB4056894.  The update proceeds to a restart and then I get a FAILURE CONFIGURING WINDOWS UPDATES–REVERTING message at Windows startup.  Now it appears I have 2 Windows updates that won’t install.  (All of my other updates have installed) This is getting crazy.   If you have any other ideas or suggestions, please let me know.  Thanks!

    • #165855

      Some posts in this topic mention installing both KB4073578 and KB4056897. That does not follow the advice I gave in this topic, but if you want to install both anyway, then I recommend installing KB4073578 before installing KB4056897.

      1 user thanked author for this post.
    • #165880

      Again thank you @Mr.Brian. Your answers and explanations are always straightforward and easy to follow. As for KB4056894 not being blacklisted for my computer, as far as I can tell, it’s never been blacklisted, even before I got the registry key fix and I’ve never been able to figure out why. On top of that I’ve seen a couple posts saying that the security only patches are causing less problems. Do you have any thoughts on that?

      You’re welcome :).

      The issue lists for KB4056894 and KB4056897 are the same; I don’t have any further information on that matter.

       

      • #165885

        Ok, Thanks just the same. I do have one more question, people are saying they’re going to wait for the February patches, what will that do? Wouldn’t that just make for a bigger mess when things finally start getting patched since the Spectre/Meltdown fixes are still necessary?

    • #165883

      I’m running the AMD Phenom II X2 555 Black Edition processor on Windows 7 SP1 32-bit.

      I’m using the newest free versions of Avast Antivirus and Malwarebytes Anti-Malware. Avast didn’t set the registry key (google KB4072699 for more info) after updating the program. However, Malwarebytes did set the registry key. Why didn’t Avast set the registry key? Isn’t it a problem that there are multiple programs that set the registry key? One program may be compatible, but another program may not.

      Is there a guide to uninstall the rollup if the system fails to boot? The system protection max usage is only 3% (1.02 GB) on the [C:] HDD. The [C:] HDD has 17.0 GB free of 40.0 GB. Should I increase the disk space for the system restore points? How much?

      I’m in Group A. I’m going to wait for the February 2018 rollup instead of installing the January 2018 KB4056894 rollup in Windows Update. I need more time to backup the system. Thanks.
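
Several posts above turn on the same three facts: the CPU vendor (as opposed to the "AMD64" architecture label), whether the QualityCompat registry key exists, and which of the January KBs are already installed. The following read-only PowerShell check is an added example, not part of any post in this thread. It assumes Windows PowerShell 2.0 or later; the function names are hypothetical, the registry path is taken from Microsoft's published antivirus-compatibility guidance rather than from this page, and the KB descriptions are the ones given by posters here.

```powershell
# Added example (not from the thread). Read-only: it changes nothing on the system.

# KB numbers and descriptions as quoted by posters in this thread (Windows 7 SP1).
$JanuaryKBs = @{
    'KB4056894' = 'January 2018 monthly rollup'
    'KB4057400' = 'January 2018 preview monthly rollup'
    'KB4056897' = 'January 2018 security-only update'
    'KB4073578' = 'Security-only update with the AMD boot fix'
    'KB4056568' = 'IE11 update'
}

function Get-CpuVendor {
    # Manufacturer is the CPU vendor string (for example GenuineIntel or AuthenticAMD).
    # PROCESSOR_ARCHITECTURE names the instruction set only: AMD64 means 64-bit x86
    # and appears on Intel and AMD processors alike.
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
    New-Object PSObject -Property @{
        Manufacturer = $cpu.Manufacturer
        Name         = $cpu.Name.Trim()
        Architecture = $env:PROCESSOR_ARCHITECTURE
    }
}

function Get-QualityCompatValues {
    # Assumption: this is the key the thread calls "the QualityCompat registry key".
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    if (-not (Test-Path $path)) { return }
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{ Name = $name; Data = $key.GetValue($name) }
    }
}

function Get-JanuaryPatchState {
    # Get-HotFix lists installed updates by HotFixID (e.g. KB4056897).
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    foreach ($kb in ($JanuaryKBs.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            KB          = $kb
            Installed   = ($installed -contains $kb)
            Description = $JanuaryKBs[$kb]
        }
    }
}

Get-CpuVendor | Format-List Manufacturer, Name, Architecture | Out-Host

$compat = @(Get-QualityCompatValues)
if ($compat.Count -eq 0) {
    Write-Host 'QualityCompat key is absent or has no values.'
} else {
    $compat | Format-Table Name, Data -AutoSize | Out-Host
}

Get-JanuaryPatchState | Format-Table KB, Installed, Description -AutoSize | Out-Host
```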

    • #165886

      Is there a guide to uninstall the rollup if the system fails to boot?

      You could try this DISM command.

      1 user thanked author for this post.
    • #165892

      Ok, Thanks just the same. I do have one more question, people are saying they’re going to wait for the February patches, what will that do? Wouldn’t that just make for a bigger mess when things finally start getting patched since the Spectre/Meltdown fixes are still necessary?

      Waiting might give more time for newer versions of incompatible third-party software to be released. Also, for Windows 8.1, the next rollup should fix the PIC/APIC interrupt controllers issue without resorting to installing KB4077561. But yeah, sooner or later, if one wants to continue to install updates, the Meltdown/Spectre Windows updates should be installed.

      • #165899

        Ok, that makes sense. I’d like to run one more thing by you, as I’ve been reading these posts about systems auto rebooting and blue-screening, I started wondering, would unchecking automatic restart in system protection do anything at all to mitigate any of the problems the patches are causing? (Sorry about all the questions.)

    • #165900

      I’d like to run one more thing by you, as I’ve been reading these posts about systems auto rebooting and blue-screening, I started wondering, would unchecking automatic restart in system protection do anything at all to mitigate any of the problems the patches are causing

      I believe it would make no difference.

    • #166039

      Throughout this whole mess has there ever been anything written that specifically details what makes the patches themselves crash/brick Intel machines? I understand why the firmware updates would do this since that is deeper in the system, but I can’t remember seeing anything about why the patches would.

    • #166109

      It’s a little late now, being a few days after MS-Defcon went to 3, but… well, I didn’t try updating ’till now, so I didn’t discover the issue until now either.

      The January rollup for Windows 8.1 x64 contains updated versions of two of the three files that need to be patched for custom themes.  Other versions of Windows probably have the same issue, but I haven’t tried any of them, so I can’t be sure.

      If you use a custom theme and you use one of the various patchers out there to enable this rather than the UXThemes service, be aware that this update will undo some of that patching… and Windows 8.1 does not cope well with this.

      Windows 7 would just load a MS signed theme when the user-specified theme would no longer work because the patches had been undone; Windows 8.1 boots to a black screen (only the mouse arrow is visible) and just leaves it at that.  It did this even though I had selected the default Windows theme before installing the patch the second time around; it still didn’t work, for reasons that elude me.

      I’ve usually gone the patching route rather than the UXThemes service route; patching works in Safe Mode flawlessly, and I don’t remember if the same is true of the service.  It’s been a long time since I’ve thought about this, but it seems to me that the service is not loaded in Safe Mode, meaning that Safe Mode will not be available… well, ever, if you have a custom theme.  Trying to boot into Safe Mode will just give you that delightful black screen where all you can see is the mouse pointer and the “Safe mode” watermarks on the corners.

      If not for that, I would almost certainly have gone for the UXThemes method, since it allows the files to be patched without malfunctioning.

      None of this would be necessary if MS had not decided to enforce signature checking on themes.  There’s no executable code in a theme, so there’s no good reason why a simple theme file would have to be digitally signed by MS.  They’re trying to prevent people from having control over how the computer screen they stare at all day looks… if it doesn’t match Microsoft’s branding efforts for Windows, you can’t have it.  Even if it hurts your eyes and looks terrible to you, you are supposed to put up with it because MS said your computer has to look how they want it to, even if you’re the only one who ever sees it.

      It really annoys me that they did this.  It’s just such a… I’m struggling to figure out how to say this and remain within the decorous language rules… I seldom use that kind of language even when allowed to, but sometimes there’s not really any other way of putting it that will accurately convey what I am thinking. It’s a real $epithet move.

      It started with either Vista or 7… not sure which it was, but it’s been a while that MS has been trying to deny people control over how their PCs look.

      1 user thanked author for this post.
    • #166114

      ^^ That was me… yarr.

      Got it!

      1 user thanked author for this post.
    • #166116

      Not used to this new system, however will do my best.    I’m searching for “safe” or “not safe” for the following 2 patches:

      KB4055532   and KB4056894

      Also I don’t have an update for the cumulative IE11, so don’t know which one it would be.  I would like to get the few I’m trying to research now so I can get this done ASAP.   Any and all help is most appreciated.   I think I only have one other one to try to check out.  I don’t (to my knowledge) have any of the issues with processor type.   Help from one of our MVP’s would be most welcome.

      P.S.  When I first tried to find a post to “reply” to, there was nothing there, which is the reason for this one not being “addressed” to anyone.   Apologies for that.

      Windows 7 Home Premium, Group A,  x64.

    • #166117

      Not used to this new system, however will do my best. I’m searching for “safe” or “not safe” for the following 2 patches: KB4055532 and KB4056894

      On the front blog page @MrBrian says

      Windows 7 Monthly Rollup (“Group A”) – recommended:

      If Windows Update offers KB4056894 then install it. If Windows Update doesn’t offer KB4056894, then if Windows Update offers KB4057400 then install it. If neither update is offered, then wait for the February 2018 Windows updates.

      KB4057400 (if you need it) will be in the “optional” list and you will have to CHECK the box and then click on OK at the bottom of the window.

      KB4055532 is the .NET Rollup and it’s OK to install.

      1 user thanked author for this post.
      • #166375

        @PKCano:  Thank you so much for the detailed information.   It was “perfect”, and I appreciate your prompt response.   I may have asked this question elsewhere, just recently, however found this answer just now.  What a relief!    This addresses it all, and I can’t begin to say “thank you” enough.    🙂

         

    • #166119

      Throughout this whole mess has there ever been anything written that specifically details what makes the patches themselves crash/brick Intel machines? I understand why the firmware updates would do this since that is deeper in the system, but I can’t remember seeing anything about why the patches would.

      From https://support.microsoft.com/en-ca/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software: “The compatibility issue arises when antivirus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot.”

      • #166126

        Thank you once again @MrBrian. After reading the article you linked I realized that I had read it when it was first published. Then I guess I completely forgot about it. In this case though I’m glad I did because reading it again made me start thinking about something: if the registry key fixes the compatibility issues that cause the blue-screening, why do/can the systems still crash?

    • #166118

      System is Windows 7 Pro SP2 x64 with IE11. Gigabyte MB with Intel Core i7-2600K processor.

      Had to send my system off for maintenance for the last week.

      Was following this site and had not installed any January updates (KB4056894 was checked but I was waiting) and still on .Net Framework ver 3.5.1.

      When system returned, shop had performed all updates!

      So far system seems to work.

      Update History shows KB4056894 had Failed to install, but KB4057400 did install. In the Installed/Uninstall area it only shows KB4057400, no sign or reappearance of KB4056894 – is this OK?

      They also installed whatever was awaiting regarding .NET Framework 4.7.1 per below:

      The Update History area shows KB4055532, KB4033342, and Preview KB4057270

      In the .NET Framework 4.7.1 Installed/Uninstall area I show KB4074880 and KB4054852

      In the Windows Installed/Uninstall area I show KB4054998 (info says its related to .NET 3.5.1 and included in Preview KB4057270 previously part of KB4055532 – both installed above!)

      Does this sound correct? Why do none of the History KB’s match the Installed/Uninstallable KB’s?

      I was happy at .NET 3.5.1, should I leave this alone or Uninstall the KB’s available?

       

    • #166130

      Post #166118

      Update History shows KB4056894 had Failed to install, but KB4057400 did install. In the Installed/Uninstall area it only shows KB4057400, no sign or reappearance of KB4056894 – is this OK?

      This should be fine. KB4057400 has fixes for some of the problems in KB4056894.

      The .Net Framework updates should be OK as well.

    • #166134

      UPDATE: I tried installing KB4057400 (as you recommended) and the same thing happened with this update that happened with update KB4056894. The update proceeds to a restart and then I get a FAILURE CONFIGURING WINDOWS UPDATES–REVERTING message at Windows startup.

      Read @MrBrian’s recommendations for Win7 Group A on the main blog post – wait for Feb updates.

    • #166136

      ? says:

      I just finished updating the last Windows 7 machine, and I had KB2952664 in optional updates. I didn’t see a version number, I’ve hidden it every time it has been offered over the last couple of years. So, I hid it once again. Wish they would quit sending it…

      2 users thanked author for this post.
    • #166278

      Thank you once again @mrbrian. After reading the article you linked I realized that I had read it when it was first published. Then I guess I completely forgot about it. In this case though I’m glad I did because reading it again made me start thinking about something: if the registry key fixes the compatibility issues that cause the blue-screening, why do/can the systems still crash?

      You’re welcome :).

      If you’re referring to the AMD processor issue, see https://arstechnica.com/gadgets/2018/01/bad-docs-and-blue-screens-make-microsoft-suspend-spectre-patch-for-amd-machines/.

      1 user thanked author for this post.
      • #166299

        Not exactly, I guess what I’m asking is what makes the patches fail if a given machine (regardless of processor type) has all the correct settings needed in order for them to work?

    • #166302

      Not exactly, I guess what I’m asking is what makes the patches fail if a given machine (regardless of processor type) has all the correct settings needed in order for them to work?

      It is not just the AV that is a problem, though that was a prominent application. One possibility is you have another program(s) that makes what is an illegal call to the kernel. Consider updating your other programs – browsers or anything else that has a later version. You should do that anyway, for security reasons.

    • #166383

      i guess i am late to the party.  Win7/64 Intel i7.  i followed MrBrian’s Group B recommendations after doing an OS backup using Macrium.  Computer rebooted twice, then all seems to be ok.

      HOWEVER, i now see a new small file on my desktop called desktop.ini.  is this something normal?  does it need to stay on my desktop, or can i move it someplace else (and where)?

      many thanks to Woody and all of you for holding our hands through these update nightmares!

      • #166386

        HOWEVER, i now see a new small file on my desktop called desktop.ini. is this something normal? does it need to stay on my desktop, or can i move it someplace else (and where)?

        You see the desktop.ini because you are showing “system protected” files.
        Go to Control Panel\Folder Options
        On the “View” tab, you want to “show hidden files and folders” and check the box to “hide protected operating system files”
        That should make the .ini file go away.

        • #166409

          HOWEVER, i now see a new small file on my desktop called desktop.ini. is this something normal? does it need to stay on my desktop, or can i move it someplace else (and where)?

          You see the desktop.ini because you are showing “system protected” files.
          Go to Control Panel\Folder Options
          On the “View” tab, you want to “show hidden files and folders” and check the box to “hide protected operating system files”
          That should make the .ini file go away.

          just to clarify… i didn’t change any file/folder view settings.  did the updates change the settings?

          and the desktop.ini file icon is ON my desktop, not in any folder.

          EDIT html to text (copy>paste issue?)

    • #166451

      Regarding this reply from PKCano:   It is not just the AV that is a problem, though that was a prominent application. One possibility is you have another program(s) that makes what is an illegal call to the kernel. Consider updating your other programs – browsers or anything else that has a later version. You should do that anyway, for security reasons.

      My AV program has a software updater tool that notifies me when updates are available, so I’m fairly confident I have the most current versions. I have followed suggestions from previous posts and still cannot get updates to install (Win7 Group B). Guess I will wait until Feb???

      Edit to remove HTML

      • #166532

        Re: anonymous at link 166451

        My AV program has a software updater tool that notifies me when updates are available, so I’m fairly confident I have the most current versions.

        I don’t have an explanation as to why, but I had to completely delete my AV program. It was up to date as to its definitions, but it had no clue about the needed registry key. I installed the same program’s newest version and it installed the required key without any problem.

        Non-techy Win 10 Pro and Linux Mint experimenter

    • #166459

      What’s the consensus now regarding Net Framework 4.7.1 (kb4055266), which update is offering me for my 8.1 system. Is it safe to download (obviously “safe” with regards to M$ can be regarded as a bit tautological?)

    • #166489

      We understand your trepidation about any & all MS updates. I have Windows 8.1 & installed KB4055266. No problems… so far. However, the January problems & Woody’s recommendation to do a full system image backup convinced me to download & use Macrium Reflect. If something kicks my system’s cyberbutt, I can restore & start over. I thought for a moment you were referring to KB4033369, listed in Recommended as “.NET Framework 4.7.1”. PKCano recommended not to install it; except for 2 specific patches I skip, I’m usually brave enough to install Recommended patches as well as Important. However, with January’s havoc & panic, I’m taking his advice this month. If February patches are uneventful (in this short month, they’d better be), I’ll install KB4033369 along with February’s patches in March.

      Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
      Wild Bill Rides Again...

    • #166500
      5 users thanked author for this post.
    • #166527

      2010 Toshiba Laptop running Intel Pentium dual core processor Win7 SP1 HE

      Installed Security update only KB4073578
      IE 11 KB4056568
      Security and Quality Rollup for Net Framework KB4055532

      Ran Gibson’s Inspectre App and all looks good.

      Thank you Woody, Mr. Brian and PKCano for all your input and all for their questions and experiences. Very Helpful.

      2 users thanked author for this post.
    • #166628

      A 2012 HP laptop found its way to me (Win 7 Pro SP1 x64 with an Intel i73820QM and Nvidia 650M GPU & a 512 GB Samsung 850 Pro system drive). The only browser used is Firefox ESR with uBlock Origin, NoScript, HTTPS Everywhere and Privacy Badger. Antimalware are Avira Free, Malwarebytes Pro and the Windows Firewall Control (from BiniSoft). The owner reports that there has never been a malware infection.

      The issue: with KB4056897 (and KB4056568) installed, the unit took a significant performance hit.  This machine is often used to transcode multimedia files, so with the “Meltdown” protection enabled, its utility is greatly compromised. (It also runs about 10 C hotter, which is particularly concerning as the consumer HPs have undernourished cooling systems.)

      Running GRC’s InSpectre as Administrator and using it to toggle the Registry setting to disable Meltdown protection restores the processor’s speed and power (and lowers the operating temperature).

      One thing that I have not tried is replacing KB4056897 with KB4073578, but I fail to see how that might make a difference.

      Since (to date) there are no known exploits of Meltdown in the wild, the browser is locked-down and this machine’s operator is extremely careful, I am tempted to leave the Meltdown Registry key set to disabled for the present (subject to change, should an exploit in the wild be discovered), which the owner would prefer (other than yanking KB4056897 altogether).

      Any input from @MrBrian, @abbodi86, PKCano, Noel Carboni, other MVPs or, of course, Da Boss: would be greatly appreciated.

      1 user thanked author for this post.
      • #166630

        AJNorth wrote:

        Any input from @mrbrian, @abbodi86, PKCano, Noel Carboni, other MVPs or, of course, Da Boss: would be greatly appreciated.

        I’ll try not to be offended by that. 😉

        1 user thanked author for this post.
    • #166629

      moonbear wrote:

      if the registry key fixes the compatibility issues that cause the blue-screening, why do/can the systems still crash?

      Hi moonbear, love your handle.

      Not trying to be pedantic, but just to be clear… the registry key doesn’t actually fix anything. The registry key is meant to be set by the installed AV program to indicate to the Windows OS that operation of the installed AV scanner is compatible with Microsoft’s latest patches (e.g., the AV scanner is not using funky calls to kernel memory).

      The upshot of this is that if someone was using an incompatible version of an AV scanner, but manually set the reg key and installed the latest patches anyway…
      as any underlying compatibility issues would not have been fixed prior to patch installation, the user would be risking the very system crash/BSOD situation that the reg key is attempting to prevent.

      Hope this helps.

      4 users thanked author for this post.
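
A read-only way to look at what the post above describes, as an added example (not code from this thread or from Microsoft): it reads the antivirus compatibility flag, lists the antivirus products registered with Security Center, and reports which update IDs named in this thread are installed. The registry path and value name are the ones Microsoft documented for this check and are not quoted on this page; the function and variable names are illustrative.

```powershell
# Added example: read-only audit; it changes nothing on the system.
# Key and value name are the ones Microsoft documented for the January 2018
# antivirus compatibility check (they are not quoted in this thread).
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$CompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

# Update IDs taken from posts in this thread (Windows 7 and 8.1).
$ThreadKbs = 'KB4056894','KB4057400','KB4056897','KB4073578',
             'KB4056895','KB4057401','KB4077561'

function Get-AvCompatFlag {
    # Returns $null when the value is missing, otherwise its DWORD data.
    if (-not (Test-Path $CompatKey)) { return $null }
    $props = Get-ItemProperty -Path $CompatKey -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    $prop = $props.PSObject.Properties[$CompatValue]
    if ($prop -eq $null) { return $null }
    return $prop.Value
}

function Get-RegisteredAntivirus {
    # The SecurityCenter2 namespace exists on client editions of Windows only.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
        -ErrorAction SilentlyContinue |
        ForEach-Object { $_.displayName }
}

function Get-InstalledThreadKbs {
    # Get-HotFix lists updates recorded by Windows servicing.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ThreadKbs -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID }
}

$flag      = Get-AvCompatFlag
$av        = @(Get-RegisteredAntivirus)
$installed = @(Get-InstalledThreadKbs)

'Registered antivirus : ' + $(if ($av.Count) { $av -join ', ' } else { 'none reported' })
'Thread updates found : ' + $(if ($installed.Count) { $installed -join ', ' } else { 'none' })

if ($flag -eq $null) {
    'Compatibility flag   : not set'
    'No product has declared compatibility, so Windows Update withholds the'
    'January 2018 security updates. Update the antivirus first; setting the'
    'value by hand does not make an incompatible product compatible.'
}
elseif ($flag -ne 0) {
    "Compatibility flag   : present with unexpected data ($flag); documented data is 0"
}
else {
    'Compatibility flag   : set'
    if ($av.Count -eq 0) {
        'No antivirus is registered with Security Center, so find out what set the flag.'
    }
    else {
        'The flag is only a declaration. Confirm with the vendor that the'
        'installed version of each product listed above supports these updates.'
    }
}
```

The script uses only cmdlets available in the PowerShell 2.0 that ships with Windows 7, so it runs unchanged on the systems discussed here.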
    • #166633

      Since (to date) there are no known exploits of Meltdown in the wild, the browser is locked-down and this machine’s operator is extremely careful, I am tempted to leave the Meltdown Registry key set to disabled for the present (subject to change, should an exploit in the wild be discovered), which the owner would prefer (other than yanking KB4056897 altogether).

      In that case, I might also be tempted to leave the Meltdown mitigation disabled, at least for now.

      1 user thanked author for this post.
    • #166660
      Has this ever finally been sorted out?  Topic 2000003 is still showing KB4056897.

      you’re not actually getting the security patches, KB4073578 doesn’t include them, right?

      Wrong. KB4073578 replaces KB4056897

      Hm… The info doesn’t say that, whether on the MS site or in the Update Catalog. But this was probably mentioned before? Either way, AKB2000003 should be edited to remove that first one then.

      Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.

    • #166671

      Hm… The info doesn’t say that, whether on the MS site or in the Update Catalog. But this was probably mentioned before? Either way, AKB2000003 should be edited to remove that first one then.

      KB4056897 is not bad.
      KB4056897 will work fine for non-AMD machines. It just doesn’t have the extra fix included.
      KB4073578 covers both bases, Intel and AMD. That’s why we recommend it and why it replaces KB4056897.

      3 users thanked author for this post.
    • #166674

      Yes it is for Group B.  I’ve just downloaded what’s still unchanged in Topic 2000003, and saved them.  I don’t have an AMD processor so it would seem I don’t need the KB4073578.  I’m holding off installing them until I hopefully get a definite answer.  But time’s getting short.

      Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.

      1 user thanked author for this post.
    • #166675

      Thanks PKCano, that’s what I needed to see.

      Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.

    • #166676

      I’m holding off installing them until I hopefully get a definite answer. But time’s getting short.

      That IS a definite answer. Install KB4073578.

      3 users thanked author for this post.
    • #166804

      Re: Elly at link 166532

      I checked and my AV program had installed the required registry key. The AV software update tool was in reference to PKCano’s suggestion that one should update other programs and browsers – anything in addition to your AV program that has a later version. I updated my browser and one other program. Still had the MS updates fail.

    • #166815

      @PKCano, Will KB4073578 work with the January rollup as well as the standalone security patch?

    • #166823

      @pkcano, Will KB4073578 work with the January rollup as well as the standalone security patch?

      If you have not installed Jan patches, install EITHER the Preview KB4057400 (if you are doing Group A) OR the Security-Only KB4073578 (if you are doing Group B). You don’t need both.

      If you already installed the Rollup KB4056894 or the original Security-only KB4056897 and you have no problems, you don’t need to do anything.

      1 user thanked author for this post.
    • #166844

      I am in the BGroup with Win7.  I have not installed anything from January yet.  Am I correct in assuming that I could install KB4056897 and NOT the later KB4073578 (1/12) in order to get January security updates WITHOUT the Intel “fix”???

    • #166846

      I am in the BGroup with Win7. I have not installed anything from January yet. Am I correct in assuming that I could install KB4056897 and NOT the later KB4073578 (1/12) in order to get January security updates WITHOUT the Intel “fix”???

      All of the January updates (the Rollup and both security-only) contain the Intel fix.

      1 user thanked author for this post.
    • #166871

      @PKCano, Since I have KB4057400 installed as of 20 minutes ago will I need to install updates once we reach ms-defcon 3 for February?

    • #166873

      I am in the BGroup with Win7. I have not installed anything from January yet. Am I correct in assuming that I could install KB4056897 and NOT the later KB4073578 (1/12) in order to get January security updates WITHOUT the Intel “fix”???

      You mean the AMD fix?

    • #166983

      PKCano explained it very well in report #16671.  This should have cleared things up for everyone.

      Note to PKCano – Your reply to mine wasn’t there when I started writing my message.  When I hit submit, your reply 16671 was already there.  It happens, sorry for the confusion it may have created.

      Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.

    • #168617

      Installed KB4077561, KB4056568. Wasn’t offered KB4056895 or KB4057401. But installed KB4055266 for .NET frame 4.71 thru WU (was checked). Computer is running fine, but noticed later that you said not to install .NET frame 4.71 updates. Didn’t install optional unchecked .NET frame KB4033369. (Antivirus registry item present). Do I need to uninstall KB4055266, or let it be?

      Should we be getting clean scans with Steve Gibson’s new “InSpectre” utility, or not until Feb. updates? Mine says protected against Meltdown, not for Spectre. Performance good. Thanks.

      Never made any Intel or Bios changes, or installed any other updates after the December WU.

      Windows 8.1, 64-bit, Home edition. Intel i5 core 4200U, Haswell ULT.

      • #168624

        If you are not having any problems, I would just let things stay as they are and wait for the DEFCON-3 on Feb patches.

        1 user thanked author for this post.
    • #166061

      Reply to #165870 amraybt

      I have the required ‘Quality Compat’ registry key. Thx for the suggestion.
