News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Born: Microsoft incorrectly signed the MSRT update that’s been bouncing around. It’s fixed now.

    Home Forums AskWoody blog Born: Microsoft incorrectly signed the MSRT update that’s been bouncing around. It’s fixed now.

    This topic contains 19 replies, has 12 voices, and was last updated by  Speccy 2 weeks, 5 days ago.

    • Author
      Posts
    • #2005424 Reply

      woody
      Da Boss

      News on that infuriating MSRT update bug. If you recall, the version of KB 890830 that arrived on Patch Tuesday was all over the map. As I said in Com
      [See the full post at: Born: Microsoft incorrectly signed the MSRT update that’s been bouncing around. It’s fixed now.]

      2 users thanked author for this post.
    • #2005427 Reply

      Hopper15
      AskWoody Lounger

      This was happening to me on Windows 8.1 as well.

    • #2005430 Reply

      Speccy
      AskWoody Lounger

      With all due respect, Gunter’s article is inaccurate: the Catalog “Last Updated” date disparity (12 Nov for Win8.1/10 and 13 Nov for Win7/Server 2008/R2) has nothing to do with the issue and it certainly does NOT mean that (quoting) “Microsoft has updated the package for Windows 7 and Server 2008/r2 and replaced the faulty certificate.“: the binaries are exactly the same (digitally signed November 7, 2019).
      MSRT
      There was no “faulty certificate”, nor was it replaced: the root cause of the issues IS the [lack of] SHA-2 support (and probably some metadata glitches on WU) – as I explained here.

      • This reply was modified 3 weeks, 1 day ago by  Speccy.
      • This reply was modified 3 weeks, 1 day ago by  Speccy. Reason: Added minor clarification (digitally signed package date)
      Attachments:
      6 users thanked author for this post.
      • #2005438 Reply

        woody
        Da Boss

        OMG. Here’s your conclusion:

        Last month’s MSRT (v5.76, Oct, 2019) was still SHA-256 and SHA-1 signed, but this month’s MSRT (v5.77, Nov, 2019) is NOT SHA-1 signed (only SHA-256 signed) – and that seems to be the core reason for the reported errors…

        WU might have (had?) a conflict issue (metadata?) with that, since it was offering MSRT on Tuesday but not yesterday (Nov 13, 2019)… don’t know if Microsoft fixed it already but, whatever the reason is, MSRT may be manually downloaded from the Catalog (here) and, for sure, it will execute properly if BOTH the SHA-2 support and SSU updates have been installed.

        And I can confirm that the binaries are the same — at least the binary in the latest version of the patch is signed November 7.

        4 users thanked author for this post.
    • #2005458 Reply

      howardagoldberg
      AskWoody Plus

      UPDATE: @speccy has observed that the problem isn’t with the certificate, but with our old friend the SHA-2 signing problem with Win7 patches. Looks like he’s right. Read more here.

      Well, if that is true – then my comment in this thread: https://www.askwoody.com/forums/topic/november-2019-patch-tuesday-arrives/

      ‘At any rate, it looks like the issue is with WU trying to install the November MSRT before installing the SSU, and MSRT needed SSU to be installed first …’

      May have been the issue. Interesting …

      3 users thanked author for this post.
    • #2005465 Reply

      PKCano
      Da Boss

      Yesterday, the MSRT failed on my Win7.
      I installed the Nov Cu KB4525235 and the SSU KB4523206 (KB4490628 and KB4516655 and the 4474419s all versions had been installed previously).
      Went back twice, later and much later, and the MSRT failed again both times.
      I concluded it was not the SSUs being the problem.

      4 users thanked author for this post.
      • #2005524 Reply

        Speccy
        AskWoody Lounger

        A couple more hints on what might have happened (and partially explain why different people are having seemingly random results with WU offering/not offering MSRT upon multiple executions, errors thrown, etc.)…

        1) From the KB890830 FAQs:

        Q8: Why do not I see the tool on Microsoft Update, Windows Update, or Automatic Updates?
        A8: (…) If you have already run the current version of the tool from Windows Update, Microsoft Update, Automatic Updates, or from either of the other two release mechanisms, it will not be reoffered on Windows Update or Automatic Updates.

        Q9: How do Microsoft Update, Windows Update, and Automatic Updates determine who the tool is offered to?
        A9: (…) The users have not already run the current version of the tool.

        2) From the KB891716 FAQs:

        Q2. How do I verify that the removal tool has run on a client computer?
        A2. You can examine the [Version REG_SZ] value data for the [HKLM\SOFTWARE\Microsoft\RemovalTools\MRT] registry entry to verify the execution of the tool. (…)
        Every time that the tool is run, the tool records a GUID in the registry to indicate that it has been executed:

        1ED49A70-3903-4C40-B575-93F3DD50B283 (November 2019)
        E63797FA-851A-4E25-8DA1-D453DD437525 (October 2019)

        This occurs regardless of the results of the execution.

        3 users thanked author for this post.
        • #2005835 Reply

          woody
          Da Boss

          Any idea if the GUID update in the Registry happens AFTER MSRT runs successfully? (In other words, can you rely on the entry?) Asking for a friend. 🙂

          • #2006222 Reply

            Speccy
            AskWoody Lounger

            When manually executed, the KB890830 package will simply unpack MRT.exe to the %WINDIR%\System32 folder and exit the thread, transferring control to it.

            Then the %WINDIR%\System32\MRT.exe process will start executing, writing

            ---------------------------------------------------------------------------------------
            Microsoft Windows Malicious Software Removal Tool v5.77, November 2019 (build 5.77.16547.2)
            Started On Sat Nov 16 11:15:52 2019
            
            Engine: 1.1.16500.1
            Signatures: 1.305.993.0
            MpGear: 1.1.16330.1
            Run Mode: Interactive Graphical Mode
            

            into the %WINDIR%\debug\mrt.log file. Once you press the ‘Next’ button twice, the tool will start scanning (a Quick Scan, by default, if not otherwise selected).

            During the scanning process the ‘Version’ REG_SZ registry value remains unaltered: the GUID update in the Registry only happens near the end (when the scanning process finishes – either normally or, presumably, also through an exception catching mechanism if an error occurs and the application ends abnormally):
            MRT-monitoring
            Then the tool waits for the user input:
            MRT-execution
            Once the ‘Finish’ button is pressed, the %WINDIR%\debug\mrt.log file is appended with the collected results (and the heartbeat “phone home” attempt occurs – successfully or not, depending if you allow it or not to happen):

            Results Summary:
            ----------------
            No infection found.
            Failed to submit clean hearbeat MAPS report: 0x80072EE7
            Microsoft Windows Malicious Software Removal Tool Finished On Sat Nov 16 11:28:40 2019
            
            
            Return code: 0 (0x0)
            Attachments:
            1 user thanked author for this post.
    • #2005466 Reply

      Seff
      AskWoody Plus

      I haven’t been offered the MSRT on either of my Windows 7 machines yet, indeed on one the only update offered is the monthly rollup. On the other, I’ve also been offered 3 Office 2010 updates – one of which (KB4484127) has now become unchecked.

      • #2005571 Reply

        Pierre77
        AskWoody Plus

        I concur with that. JFTR I installed KB4525235 on a test laptop (W7 Home Premium x64) and after a required reboot was then presented with KB4523206 which was a SSU update. Installed it without having to reboot.

    • #2005556 Reply

      CADesertRat
      AskWoody Plus

      So far this discussion has been about the MSRT for W7. Yesterday 11/13/19 I got a CU/SSU and MSRT on 1809 and all installed but the MSRT failed. So my assumption is that MSRT is failing on every version of windows. Is that correct?

      Seems odd that after all these years that MS has been doing great with MSRT, all of a sudden MSRT is as screwed up as the rest of MS’s updates. Month by month things aren’t getting better, they are getting worse.

      Don't take yourself so seriously, no one else does 🙂
      4 Win 10 Pro currently 1809 (3 Desktops, 1 Laptop).

    • #2005683 Reply

      dgreen
      AskWoody Lounger

      I stopped installing and started hiding MSRT updates in Feb. this year.
      My reason was nothing more than just a “gut” feeling.
      I’m glad I did.

      Dell Inspiron 660 (new hard drive installed and Windows 7 reloaded Nov. 2017)
      Windows 7 Home Premium 64 bit SP 1 GROUP A
      Processor: Intel i3-3240 (ivy bridge 3rd generation)
      chipset Intel (R) 7 series/C216
      chipset family SATA AHCI Controller -1 E02
      NIC Realtek PCLE GBE Family Controller
      MSE antivirus (has new name now)
      Chrome browser
      DSL via ethernet (landline)

      • This reply was modified 3 weeks ago by  dgreen.
      3 users thanked author for this post.
    • #2006396 Reply

      ch100
      AskWoody_MVP

      The KB90830 MSRT November 2019 for Windows 7 and 2008 R2 is not “fixed”, but removed from Windows Update/expired from WSUS.
      This is the only reason why it is not seen as failing anymore.
      It is no longer offered.
      There was a workaround for the failing installation, which was mentioned before by someone else.
      By “installing” manually, which means running the executable from the Catalog, the broken patch was no longer offered by Windows Update as it was seen as previously installed successfully.
      All of the above do not apply to later versions of Windows.

      While I don’t completely understand the reasons for the Windows update failures, I would say with a high degree of certainty that it is related to the WU agent not understanding the new signing mechanism for this update. It is likely that we will see either a new version of the WU agent released soon, or as an intermediate solution, a new release of the MSRT using the previous signing implementation.

      2 users thanked author for this post.
      • #2006643 Reply

        Speccy
        AskWoody Lounger

        “(…) I would say with a high degree of certainty that it is related to the WU agent not understanding the new signing mechanism for this update. It is likely that we will see either a new version of the WU agent released soon, or as an intermediate solution, a new release of the MSRT using the previous signing implementation.”

        I agree. It is also my understanding about what might have happened – you nailed it! 😉

        (emphasis above, on the possibility of an upcoming, new MSRT to be released soon: it has happened before [December 2008, August 2005] and, in fact, currently the Catalog is not “offering” KB890830 for Windows 7/Server 2008/R2 [that, basically, was the same unique binary currently being offered only for Windows 8.1/10/Server 2012/R2/Server 2016] anymore…)

        1 user thanked author for this post.
    • #2006479 Reply

      JohnW248
      AskWoody Plus

      Maybe the headline should be changed from “fixed” to “gone”.  It worked on an 8.1 pro machine but failed on a Win 7 Pro laptop and then magically disappeared from six other machines.  I did download the .msi version from the catalog but really didn’t run it just changed the registry.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Born: Microsoft incorrectly signed the MSRT update that’s been bouncing around. It’s fixed now.

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.