Brinkmann, Horowitz: Are remnants of the despised “GWX” Gets Windows 10 campaign still on your Win7 computer?

Topic

New Reply

This is… disturbing. Yesterday, Michael Horowitz published a detailed rundown of GWX remnants still on a Win7 PC. … today, I took a glance at the
[See the full post at: Brinkmann, Horowitz: Are remnants of the despised “GWX” Gets Windows 10 campaign still on your Win7 computer?]

9 users thanked author for this post.

ve2mrx, banzaigtv, Karlston, Great Lake Bunyip, GreatAndPowerfulTech, Elly, SueW, Myst, wdburt1

Reply | Quote

Replies

There were kb3184143 patches released by Microsoft to remove the triggers and accompanying cruft for Windows 7 and 8. Both available here:
microsoft kb3184143 patches
The amount of times I’ve seen $BT folder in the Windows directory in W7 PC’s..
It’s more than likely care-free owners who just use their PC’s for whatever and don’t pay attention to Tech sites and AskWoody.

Keeping IT Lean, Clean and Mean!

6 users thanked author for this post.

Great Lake Bunyip, abbodi86, HiFlyer, ch100, Michael432, woody

Reply | Quote

Good point. I haven’t seen any independent reports of problems.

Guess we’ll find out sooner or later….

2 users thanked author for this post.

HiFlyer, Myst

Reply | Quote

Steve Gibson offers a util to check if win 10 upgrade is enabled on your pc

https://www.grc.com/never10.htm

9 users thanked author for this post.

geekdom, MrToad28, Great Lake Bunyip, lanceboil, Joulia.S, HiFlyer, SueW, Myst, Mark

Reply | Quote

Guess thats one main reason i still have the GWX control panel still activated on my pc. No remnants in mine

4 users thanked author for this post.

ve2mrx, Great Lake Bunyip, HiFlyer, Mark

Reply | Quote

Gunter Born doesn’t have a translation on his English German-language blog. He translates most, but not all, entries to there. Use Google Translate if you want to understand it; I don’t read German.
MVP Edit: FTFY

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

1 user thanked author for this post.

HiFlyer

Reply | Quote

WildBill wrote:

#311120

Try translator ‘deepl.com’.   I find it much better that Google.

 

 

Reply | Quote

I’ve never uninstalled or disabled GWX Control Panel, and I have no intention of ever doing so. This article explains why!

2 users thanked author for this post.

Steve, HiFlyer

Reply | Quote

Seff wrote:

#311138

Me too.

Reply | Quote

Simple solution really. Set Windows Update to NEVER…. Disable Windows Update service Forget about Microsoft updates completely. They will create more hassle and reduce system reliability than the supposed security improvements are worth.

Proof positive. My 130 client computers have not had an update in 20 months now and the result is smooth running, no problems what so ever. Oh, stop using IE and use Chrome instead, and remove Adobe Reader, Adobe Flash and Java.

CT

9 users thanked author for this post.

MrToad28, Karlston, Great Lake Bunyip, lanceboil, HiFlyer, Elly, wdburt1, Myst, Seff

Reply | Quote

Good to hear that your systems are still running ok, CT. It’s an option that will become increasingly significant as we approach January 2020, and one I’m still considering depending on how Windows 10 performs between now and then.

Reply | Quote

This essentially means Jan 2020, has come and gone for us. Win7 will live on for many years.

CT

6 users thanked author for this post.

MrToad28, SueW, Myst, lanceboil, HiFlyer, Elly

Reply | Quote

Same here. Win7 64 ‘home premium’. Just a home user/browser/few programs. Have followed Woody’s advice from the first appearance of KB2952664, but I stopped installing even the stand-alone security updates more than a year ago and still have smooth, fast, reliable operation. IE explorer disabled. Windows update disabled. Only adobe product is photoshop4. Malwarebytes free.  Oh yes, just like Bart & Milhouse, I always click on every flashing banner! Thanks Woody, & all who offer such useful advice…

Reply | Quote

@Canadian Tech: set Windows Update to NEVER is not possible for PC with the Home edition. For them the solution is not simple, it is absent.

1x Linux Mint 19.1 | 1x Linux antiX

Reply | Quote

CT is not talking about Windows 10, which I assume you are. My Windows 7 x64 Home edition PCs are set to “Never check for updates” every month, until it’s stated here that it’s time to install the month’s updates. Windows 10 is the only version of Windows that precludes this.

6 users thanked author for this post.

MrToad28, SueW, Myst, wdburt1, HiFlyer, Elly

Reply | Quote

I found the same on a Win7 Home Premium 64-bit laptop just two weeks ago.  Most updates had stalled some time previously because of corruptions to several system files, and the machine was rather neglected, though still working – slowly.

After a thorough clean-up, removing several AV programs, 30 copies of one printer(!),  suspect applications and running AV, chkdsk and sfc scans, I started to apply the outstanding important Windows updates to be told it was updating to Windows 10!  Luckily I was able to hit cancel in double-quick time and then ran GWX_control_panel to neutralise it.  I also removed (via WUSA /uninstall) all 20 or so copies of KB2952664 ‘just in case’.   Panic over for now, but I needed to lie down there for a while!

Tony H.
Bristol, UK

3 users thanked author for this post.

Elly, SueW, Cybertooth

Reply | Quote

Horowitz apparently has a machine that he was not paying much attention to. Do not know what ‘all’ November 2018 patches mean. He needs to be specific. We have multiple Win 7 machines, both x64 and x86, with no problems as Horowitz described at all. Seems like Horowitz missed a collection of M$ malware patches from the last 4 years or so.

Reply | Quote

It’s entirely possible – happens to the best of us. But those Monthly Rollups are supposed to be, uh, Rollups, aren’t they?

Sorry. Rhetorical question. 🙂

Reply | Quote

This PC is the exception, not the rule. As for updates, on Dec 3, 2018 Windows Update was run and all available patches were installed. That said, the computer did go long stretches without any Windows patches. The previous run of Windows Update was Feb. 2018

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

2 users thanked author for this post.

Steve, Microfix

Reply | Quote

aha! you have kb2952664 installed which is an assistant for GWX, if I’m not mistaken.
kb971033 is the activation patch which has been giving some devices problems also.

Keeping IT Lean, Clean and Mean!

Reply | Quote

Hi Michael432,

You will be wanting to use my CMD file to automatically remove all installed versions of KB3150513, KB2952664, KB2977759. For example, there could be dozens of versions if KB2952664 installed on your computer. You may optionally want to use my other CMD file which uninstalls other updates which installed telemetry.

Here is a link to my AskWoody Dropbox folder:

https://www.dropbox.com/sh/sonx6ep8xziig8j/AADeG486PARTPLqB54NWZhm5a

The README.txt file contains notes about my CMD files and usage instructions.

The CMD files to check for and to remove the three infamous telemetry updates, KB3150513, KB2952664 and KB2977759, is in the “WIN7 — KB3150513, KB2952664, KB2977759” folder.

The “WIN7 — Additional telemetry” folder contains CMD files to check for and optionally remove other updates which installed telemetry.

Best regards,

–GTP

 

Reply | Quote

GoneToPlaid, you may find this web page interesting.
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-updating-in-2018/291a9582-17a7-4942-8145-8d9f68265189?messageId=2f46cef5-da27-431d-8c6f-b5e7b2b89246

It is my posting which explains how to re-install Windows with the aim of installing all security updates up to and including May 2017, then never again. In effect, by following this pretty detailed process, you avoid ever installing any non-security update that was issued after Dec 31, 2014. That is when Win7 development ended and all this nonsense began.

CT

1 user thanked author for this post.

GoneToPlaid

Reply | Quote

Thank you CT, for throwing that link up. I’ve copied it fresh again. Haven’t needed to recently, but I still refer people to your directions when required.

2 users thanked author for this post.

Microfix, Canadian Tech

Reply | Quote

Thanks. I bookmarked your link.

Reply | Quote

I see GWX folders and references on Windows 7 machines quite often. I didn’t think the service was running any more and appears to me to be left over remnants of the GWX age. There is also a hidden folder on the root of C: drives called “$GetCurrent” which is also left over from the GWX process.

Red Ruffnsore

Reply | Quote

Much ado about nothing. Judging from some of the comments here and on the Ghacks site, I get the strong impression Horowitz’s PC isn’t patched properly.

1x Linux Mint 19.1 | 1x Linux antiX

Reply | Quote

Can you blame him if his PC isn’t up to date on patches? A lot of people are hesitant to allow automatic Windows updates because of the underhanded things Microsoft did to try to get people on Windows 10.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

3 users thanked author for this post.

Elly, CADesertRat, Myst

Reply | Quote

@MrJimPhelps: I am by no means a Windows or PC expert, and am part of the AskWoody group B i.e. choosy about which updates I install. I still managed to get rid of all the GWX c*** except for an empty GWX folder in System32.

So, I am somewhat surprised that Horowitz, who is undoubtedly far more knowledgeable than me about Windows and all things PC, would not have been able to patch his own PC properly. But then, I guess everything is possible where MS is concerned.

1x Linux Mint 19.1 | 1x Linux antiX

Reply | Quote

I would think this is a fluke, something went wrong with GWX removal way back when.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

2 users thanked author for this post.

Microfix, satrow

Reply | Quote

Yes, we can blame him. If Horowitz proposes to speak with some kind of authority, then he needs to do his research before he posts articles of this kind. Behavior such as this does nothing positive for one’s reputation.

1 user thanked author for this post.

Klaas Vaak

Reply | Quote

Welllllllll… I wouldn’t cast that kind of aspersion.

If Michael has installed the latest Win7 Monthly Rollup, he could reasonably expect that it covers pertinent previous patches — including, notably, the patches that obliterate GWX.

5 users thanked author for this post.

David F, Myst, lanceboil, Sessh, Elly

Reply | Quote

@Woody: I disagree. Horowitz is an expert, in any case more than many, and certainly more than the average Windows home user. With his report he has created an upheaval by giving the impression there is a good chance that GWX bug is still around on most computers. That is pertinently not the case, and where it is still present it is because (a) certain patch(es) has/have not been installed.

So, Anonymous’s comment has nothing to do with “aspersion” but merely with an observation that causing such a storm in a tea cup is not what one may expect from someone like Horowitz. S’all.

1x Linux Mint 19.1 | 1x Linux antiX

Reply | Quote

I don’t really read tech articles much for Windows stuff unless I am looking for something specific, but I know both Horowitz and Brinkmann are both referenced here quite often and I do not get the impression either one are anything less than power users who know their way around Windows.

So, knowing that they are not amateurs, I must side with them and Woody on this one. If one installs a rollup of patches, you shouldn’t have to comb through the file system, task scheduler and whatever else to make sure they worked. That is absurd.

If something in those patches was supposed to remove GWX and, upon installing said patches, GWX was not removed, that means two things; 1. the patch failed to do it’s job and 2. it is reasonable to assume that if this happened once, it has also happened to others. How many others is anyone’s best guess, but I do not think it is wrong to report it as was done here nor does it, in any way, damage whatever credibility these two tech writers have accrued.

I have not patched since June of 2017 and I will remove June’s patch eventually to roll back to May of 2017 and stay there. There is nothing GWX anywhere on my system.

2 users thanked author for this post.

Canadian Tech, Elly

Reply | Quote

@Sessh: the fact that Horowitz is (or may be) a power user does not mean by definition that everything he does or writes is perfect. As far as I know, nothing and nobody in the world is perfect, nor has there ever been a perfect human being.

Taking that as a starting point, I fail to understand that a power user like Horowitz is able, or perhaps willing, to create what is obviously a storm in a tea cup when most non-techies who religiously perform their patches without giving it too much thought, and who certainly did not “comb through the file system, task scheduler and whatever else to make sure they worked”, find their computers clean.

Still, if your appreciation of a power user is that that behaviour is normal/acceptable, then fine, I just beg to differ.

1x Linux Mint 19.1 | 1x Linux antiX

Reply | Quote

It’ll certainly not damage his reputation when it comes to his push for better router security:
https://routersecurity.org/ the guy is, in my book, a great advocate. Just needs louder shouts from around the interweb.

Keeping IT Lean, Clean and Mean!

3 users thanked author for this post.

Kirsty, Elly, SueW

Reply | Quote

@Microfix: he might be a great router expert, but routers are not the topic here. Fr Windows he has not impressed me with this storm in a tea cup.

1x Linux Mint 19.1 | 1x Linux antiX

Reply | Quote

Regardless of reasons, it’s probably best to do a little checking to see if files, folders, and tasks related to GWX are on your system. Sometimes prevention measures don’t work.

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender

2 users thanked author for this post.

Myst, SueW

Reply | Quote

Steve Gibson`s  “never 10”  software is free.

Reply | Quote

MS released KB3184143 to supposedly remove the vestiges of GWX. And anyone on Automatic updates should should have received it through WU.
But there were a lot of people hiding anything even vaguely related to GWX so they may have hidden it and not have applied that patch.

Also, I had a friend that bought a new Win computer (don’t remember if it was 7 or 8.1) early on in the GWX campaign. The upgrade to Win10 came as a CHECKED update in the OPTIONAL updates! I had a fit with it b/c the computer, on Auto updates by default, started the upgrade immediately after initial startup. I had to do a Factory Restore and get rid of the upgrade before I connected it back up to the Internet.

Anyone doing a Factory Restore on that computer might run into the same thing.

6 users thanked author for this post.

Myst, Great Lake Bunyip, Elly, woody, Mr. Natural, geekdom

Reply | Quote

Here’s the MS Update Catalog link to KB3184143, in case Windows Update does not offer it:

http://www.catalog.update.microsoft.com/Search.aspx?q=3184143

5 users thanked author for this post.

Myst, Great Lake Bunyip, geekdom, Mr. Natural, woody

Reply | Quote

Win7 Pro on all of my computers, Group B, and updated through Nov 2018. I installed KB3184143 back in 2016 to remove GWX, which it did. Anyway, there are no traces of GWX on my computers.

2 users thanked author for this post.

Myst, SueW

Reply | Quote

Separately, what is up with today’s two new security patches, KB931906 and KB2758694, which just showed up in Windows Update on my Win7 computers? Not sure if KB931906 is rated critical, but KB2758694 is rated critical. It appears that these are older updates which Microsoft is pushing again to all Win7 computers.

1 user thanked author for this post.

woody

Reply | Quote

By Jove, looks like we have a bunch of incoming Previews….

I’ll get that posted right away. Thanks!

Reply | Quote

GWX folders in ProgramData and AppData\Local can be deleted. Even if a task is scheduled, it can’t run if the file is gone. I’ll also start deleting the Task Scheduler GWX folder also.

Thanks for the tip!

GreatAndPowerfulTech

Reply | Quote

If GWX folders are found on a pc then there will also be registry entries for GWX as well. I’ve seen them. The usual edit the registry at your own risk disclaimer.

Red Ruffnsore

Reply | Quote

Win 7 Home Premium, Group B.

I try to be a fastidious installer of all the Woody-recommended updates (for Group B), and my update history doesn’t include 3184143. Did I miss one?

In any case, I used GWX Control Panel back when, but never ran it in “monitor” mode, and hadn’t run it in eons, but I just pulled it up, and it reports that I have no Win10 Download folders — along with all the rest of the usual No’s.

I’m assuming there’s no reason for me to run 3184143 at this point, but am open to advice to the contrary.

Reply | Quote

I have 2 Win 7 Ultimate 64 systems.  A year or so ago, I installed & used GRC’s “Never10” utility to turn off GWX.  It worked.  But in Dec I started experiencing the classic intense disk activity shortly after startup that reminded me of GWX.  ???

Investigating, saw GWXConfigManager running.  Also noted CompatTelRunner was re-enabled (I’d disabled it previously).  Looked further and saw the GWX scheduled tasks were back in place (which I’d disabled previously).

I re-ran GRC’s Never10 & it confirmed the reg entries to disable Win10 upgrade were still in place.  Head-scratching ensued.

So, whatever MS installed in the Nov updates re-enabled some of GWX – and completely ignored the reg entries that are supposed to prevent this.

I went ahead and manually removed GWX scheduled tasks and disabled the GWX executables.   No more crazy disk activity – at least until MS installs another update to their malware.

1 user thanked author for this post.

SueW

Reply | Quote

You might want to try blocking CompatTelRunner with an outbound firewall rule which prevents it from phoning home. The procedure is documented here in the section on blocking programs

https://www.michaelhorowitz.com/KillingWindowsUpdate.php

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

1 user thanked author for this post.

Microfix

Reply | Quote

Do not just block it, delete it outright or lookup how to get rid of it in a more normal procedure.

Reply | Quote

Do you have KB3184143 (the GWX removal tool) installed on your computer?

Reply | Quote

As a non-techy who is a little less non-techy than family and friends, I’ve been handed several different computers that had not been used ‘for a while’ and found GWX on them. Surprise! I don’t criticize people, ’cause I figure we are all doing the best we can. These may have been the type of people that Microsoft wanted to force into updating to avoid the spread of mal-ware… but their choice is to avoid updating, as it has ’cause way more problems.

It is good that an expert does not jump over problems that personal computer users may encounter, by dismissing them by saying it would have been solved if they had updated fully. That is Microsoft’s pat answer, and following their directions caused all kinds of problems… leading to the next recommendation to get a new computer that will be compatible. Instead, through what I’ve learned here, they are still using the same old computers without any issues, completely contrary to Microsoft’s pat advice.

One Windows 7 laptop out of our family/friends group did finally bit the dust. Apparently placing it on the trunk of a car, having it slide off, and then driven over, was what it took to kill it. So backing up provided an example of the importance of backing up … (the computer, not the car).

Non-techy Win 10 Pro and Linux Mint experimenter

2 users thanked author for this post.

Steve S., wdburt1

Reply | Quote

Does @Microfix ‘s observation in #post-311339 give the full explanation. It appears @michael432 installed “all available patches” including two that are on the no-go list.

If there is a deeper issue under discussion, please help me recognize it.

Reply | Quote

One more year, just hang in there 😀

p.s. idon’t agree with the amount of exaggeration in this matter

1 user thanked author for this post.

Microfix

Reply | Quote

I checked my two HP and one Lenovo, all Win7Prox64, and found this issue does not hit me.

Reply | Quote

Something else to be on the lookout for:

I wouldn’t be surprised if MS is already preparing a nice little ‘surprise’ for all remaining Windows 7 users  – possibly a non removable message in the bottom right hand corner of the screen – or worse, a ‘popup’ or ‘flyout’ message (similar to the ones in Windows 10 when you disconnect a removable drive, etc.) that keeps appearing over and over to remind you that Windows 7 is reaching EOL next January and you should ‘upgrade’ to Windows 10.

No doubt it will be slipped into an important or security update or, at the very least, it’ll be a separate update marked as important and ticked to install by default, of course.

PC1: Gigabyte B560M D2V Motherboard, Intel i5 11400 CPU, 16GB RAM, NVIDIA GeForce GTX 1650 Graphics Card, 1x Samsung 870 EVO 250GB SSD, 1x Samsung 860 EVO 250GB SSD, Windows 10 Professional 22H2 64bit.
PC2: Asus H81M-PLUS Motherboard, Intel i3-4160 CPU, 16GB RAM, NVIDIA GeForce GTX 1050 Graphics Card, 1x Samsung 870 EVO 250GB SSD, 1x Samsung 860 EVO 250GB SSD, Windows 10 Home 22H2 64bit.

3 users thanked author for this post.

HiFlyer, Karlston, Bill C.

Reply | Quote

And those of us who religiously watch for DEFCON 3 (or 4, or 5) will already be made aware of this and know what to do, thanks to AskWoody.com!

Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'

1 user thanked author for this post.

Microfix

Reply | Quote

Hi everyone,

I still have KB3184143 (the GWX uninstaller) installed on all of my Win 7 Group B computers. As mentioned, I am updated through November, yet no GWX stuff has showed up on any of my computers. I have two questions for everyone…

For those of you who are seeing new GWX stuff showing up, is KB3184143 listed in your installed updates under Programs & Features > View installed updates?

And for those who are seeing new GWX stuff, are you on Group A, or are you on Group B?

1 user thanked author for this post.

Bill C.

Reply | Quote

Hi GoneToPlaid, I looked into this laptop to help describe another data point. It shows this KB3184143 was installed 21-Sep-2016. This predates my reading at AskWoody. I have followed Group A since learning of it. I do not recognize GWX activity in normal use.

I do keep several updates “Hidden”. Whenever there is discussion of a service stack that fails to mind its manners, I have done a full cycle of “Restoring” all hidden items in the Windows 7 section of that list, then hiding again everything not desired. This is overkill for what is needed, but it has given me opportunity to see that Windows Update will still offer many of these updates unless they are specifically hidden.

So no, I do not see any GWX items show up under normal use. But I can create a use where the associated updates will show up, unrequested. I hope I have followed your thoughts, and added useful information.

Reply | Quote

GoneToPlaid,

From a practical point of view, if one finds  KB2952664 is still installed and not KB3184143, before installing the latter should one first delete KB2952664? Any other steps that might be also necessary to finish the job?  Thanks.

Group B, Windows 7 Pro Sp1, x64.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Windows 7Pro-64_SP1, Group B, WU for .NET and Office 2010 (MSI version).

I am not sure my experience is routine, but after finding lots of churning and CPU cycles, I did research and learned about GWX (hence my presence here). I uninstalled all the GWX and telemetry updates, I then removed the GWX folders and disabled, and later totally deleted the tasks for GWX. As I caught the infection early, it has not yet created the large data repositories like the hidden folder on the root of C: drives called “$GetCurrent” or “$BT” or the blocks of upgrade files. I installed the GWX Control Panel and it said nothing was detected. When it was released, I also installed the KB3184143 GWX removal tool. I have run the scripots to see if KB2952664 was on the machine and get a negative.

As I kept reading I found other components and repositories of the GWX data and compatibility logs. These were also deleted. I still run the GWX Control Panel as it provides a quick indicator of changes to the WU, but I still check after each monthly patch session or any software upgrades to ensure WU is set to never. I have also disabled IE from auto-updating.

I wonder if the telemetry that was recently included in the roll-ups, utilize some of the GWX analytical and appraisal tools that might have remained even after the removal of GWX system.

Reply | Quote

OscarCP wrote:

GoneToPlaid, From a practical point of view, if one finds KB2952664 is still installed and not KB3184143, before installing the latter should one first delete KB2952664? Any other steps that might be also necessary to finish the job? Thanks. Group B, Windows 7 Pro Sp1, x64.

Hi OscarCP,

Now that is a really good question. Let’s think this through…

KB3184143 kills GWX, yet will not uninstall any and all installed versions of KB2952664. So the first thing to do is to install KB3184143 to kill GWX. After killing GWX, KB3184143 remains installed on your computer. Perhaps KB3184143 remains installed as a flag to Microsoft that the user does not want to upgrade to Windows 10 — ever?

After installing KB3184143, and rebooting if asked, then you can run my CMD file for removing all instances of the three infamous telemetry updates which includes KB2952664. Note that all instances of a given telemetry update must be uninstalled, before proceeding to uninstalling all instances of the next telemetry update. Since there are three telemetry updates to be uninstalled, my CMD file must be run three times (if all three telemetry updates are reported as being installed) and with a reboot after each run (just pay attention to the instructions which my CMD file displays) in order to remove all instances of all three telemetry updates.

After the above is done, run my CMD file one final time (as a sanity check) so that you can confirm that all three telemetry updates are no longer installed on your computer. My CMD file will report if these three telemetry updates truly have been removed from your computer.

Best regards,

–GTP

 

1 user thanked author for this post.

OscarCP

Reply | Quote

Bill C. wrote:

…When it was released, I also installed the KB3184143 GWX removal tool. I have run the scripts to see if KB2952664 was on the machine and get a negative. As I kept reading I found other components and repositories of the GWX data and compatibility logs. These were also deleted. I still run the GWX Control Panel as it provides a quick indicator of changes to the WU, but I still check after each monthly patch session or any software upgrades to ensure WU is set to never. I have also disabled IE from auto-updating. I wonder if the telemetry that was recently included in the roll-ups, utilize some of the GWX analytical and appraisal tools that might have remained even after the removal of GWX system.

Your last sentence in particular caught my attention. I too installed the KB3184143 GWX removal tool. It remains installed. Yet it is rumored that recent windows security only updates supposedly have KB2952664 or some other telemetry baked in? I haven’t seen any telemetry activity on my Windows 7 Group B computers which are updated through November 2018. I don’t see any active telemetry related tasks, and I am not seeing my computers making connections to Microsoft’s telemetry servers.

So this gets me to thinking. If KB3184143 is installed, its presence is clearly telling Microsoft that the user has no desire to upgrade to Windows 10. If KB3184143 is not installed, maybe this is why some users are seeing a sudden reactivation of GWX? If it really is the latter, then this would seem to stoke fears that Microsoft may have intentions of forcing Windows 10 on all Windows 7 users who did not install KB3184143. I’m just throwing this out there as food for thought.

1 user thanked author for this post.

Bill C.

Reply | Quote

I believe it’s the Rollup updates, not the Security Only updates, that have KB 2952664 – or some variation of it – incorporated in them.

Reply | Quote

DrBonzo wrote:

I believe it’s the Rollup updates, not the Security Only updates, that have KB 2952664 – or some variation of it – incorporated in them.

Hmm…perhaps the Group A Rollup updates have KB2952664 baked in, yet KB2952664 doesn’t show up in the list of installed updates? That would be interesting news.

I wonder what my CMD file will report. I would love for a Windows 7 Group A user, whose computer is fully updated and who always avoided installing KB2952664, to run my CMD file to see if DISM reports that KB2952664 is in fact installed even if KB2952664 is not listed under installed updates. This is my $64 thousand dollar question.

Reply | Quote

As the DISM command syntax contains the logic “find the string of characters that matches KB2952664”, I interpolate that it scans the same database used by the Installed Updates display. In different words, it searches for the title, not the functionality.

I will not claim your $64,000 prize. Although I fit your described classification, Group A through December 2018, including the suspect function contained in the cumulative rollup, I also might have changed the criteria by running @abbodi86 ‘s “W10tel” executable found in AKB2000012.

In any case, when I run the single line command (elevated)
dism /online /get-packages | findstr KB2952664
it returns an empty result. No joy.

1 user thanked author for this post.

GoneToPlaid

Reply | Quote

Since the 2018-09 Preview Rollup and the 2018-10 Monthly Rollup, the KB2952664 functionality has been included in the Group A patches – not the KB2952664 separate distinct patch. The evidence is in the appearance of KB3150513 in Windows Update, which will not appear without the KB2952664 functionality installed. It was not added to the Group B Security-only patches to my knowledge. I believe we had this discussion before back in October.

KB2952664 and it’s Win8.1 KB22976978 equivalent have NEVER been installed on any of my machines. I am patching Group A, and I have seen KB3150513 appear (and be immediately hidden) in WU on my machines. I am also running @abbodi86 ‘s script to neutralize the telemetry in an attempt to remain in Group A.

2 users thanked author for this post.

abbodi86, satrow

Reply | Quote

GoneToPlaid,

Thanks for your timely advice.

I just checked and found that I do have installed bad KB2952664, but not good KB3184143 (which I am installing right after I finish writing this). Also not  installed, the other two bad ones you mentioned: KB3150513 and  KB2977759.

So this is a bit different from the situation for which you have recommended using your script. Any advice on this? Thanks again.

After two attempts (the first from an MS site where, it turned out, only the x86 version was available), I found the Catalog correct page and downloaded KB3184143, x64 plus an executable file (gwxwu_4e813955262d8e9d497a10018c36299ac02fce5e.exe). Not sure what to do with it… It was together with the .msu file, but it looks, from the name, that it is meant for Windows 8.1…

Group B, Windows 7 Pro SP1, x64, I-7 “sandy bridge”.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

W7x64 KB3184143

Reply | Quote

Thanks satrow, I found it, as you can see in my answer to GoneToPlaid above, but also found an unexpected executable with it that I downloaded as well and is a bit of mystery to me what to do with it, right now.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Not sure, but I think that the EXE maybe does additional cleanup? I don’t know. Anyway, here is another Microsoft link for KB3184143 which doesn’t include a separate EXE file:

https://www.microsoft.com/en-us/download/details.aspx?id=53859

 

Reply | Quote

The gwxwu_4e813955262d8e9d497a10018c36299ac02fce5e.exe is exactly the same W7x64 file as the GWXWU.exe contained within the Windows6.1-KB3184143-x64.msu installer file I linked the download page of. Also packaged in that .msu are several other files (see image), including a PkgInstallOrder.txt:

Reply | Quote

Hi OscarCP,

satrow’s link for the x64 of KB3184143 is correct. Get that puppy installed and reboot if asked to do so, and then run my CMD file to wipe out all installed instances of KB2952664. I am curious about how many instances of KB2952664 which my CMD file reports are installed. For example, on one Win7 laptop computer in which I messed up and unknowingly installed KB2952664, nine other versions of KB2952664 were silently installed during the next several months before I caught my error.

You mentioned: “Also not  installed, the other two bad ones you mentioned: KB3150513 and  KB2977759.” Oops. My bad. I went back through my old notes and saw that KB2977759 is an early version of KB2952664, and that neither requires the other to be installed.

Best regards,

–GTP

 

Reply | Quote

GoneToPlsid, Thanks.

I guess I do not need to run your CMD script then. But what should I do with that pesky executable? (See my earlier reply).

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

You still need to run my CMD script to wipe out KB2952664 after you deal with installing KB3184143. I posted an alternative Microsoft link for KB3184143 which doesn’t additionally include a separate EXE file. Maybe satrow can shed some light about the EXE file, in terms of whether you run the EXE file first or after installing KB3184143.

1 user thanked author for this post.

OscarCP

Reply | Quote

Ahah! I just looked at the internals of the EXE. What it does is to clean up and remove GWX scheduled tasks and GWX registry stuff, the install packages for GWX, and other GWX stuff. Thus, you run the EXE after first installing KB3184143. Nothing is reported after running the EXE (I just ran it.).

Reply | Quote

GoneToPlaid,

That is good news! Since the executable gets rid of all remnants of GWX, am I guessing correctly that I still may have to run the CMD script after running the .exe file to make sure KB2952664 is gone for good? Even when the .exec has “8.1” at the beginning of its name?

Thanks for your patience and advice.

Group B, Windows 7 Pro, SP1,x64.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Hi OscarCP,

Yes, you need to run my CMD script to remove all installed instances of KB2952664. I hope that you will report back about how many instances of KB2952664 were removed, as this information will roughly indicate how long you unknowingly had KB2952664 installed on your computer.

And you are most welcome!

Best regards,

–GTP

 

1 user thanked author for this post.

OscarCP

Reply | Quote

GoneToPlaid,

I’ll do that and let you know how it went.

Thanks again.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

In cases where there are 2 files that are downloaded, one being a .exe file, and the other, say, a .msu file (as in the present case), simply download both to the same folder (downloads folder, desktop, or some other folder you have or make that’s convenient), and install the .msu file. In the process of installation the .msu file will cause the .exe file to execute. If you watch your monitor closely you’ll often see a small command line box show up for a fraction of a second or so as the .exe file executes. It should not be necessary to separately run the .exe file manually, although I don’t suppose it will hurt anything if you do.

2 users thanked author for this post.

OscarCP, satrow

Reply | Quote

Mission accomplished!

This is what I did just now, and what happened, blow by blow:

(1) Created a recovery point.(Just in case…)

(2) Istalled KB3184143
Restarted the computer: went through the “do not turn your computer” routine.
(3) Run the “.exe” file. (unnecessarily, it seems, but my machine is still breathing…)

(4) Run GoneToPlaid CMD “search and destroy” script to see if there are some
instances of KB2952664 and the other bad hidden spies still around and uninstall them. Three found, listed below, but not deleted by the script.

Then run the other script, to see if the first one had missing something. No: same story.

(5) Restarted the computer again, because I could. Oddly enough, it went once more through the “do not turn your computer” routine…

(6) And here I am. The PC lives! (For now.)

Also: The CMD script did not delete KB2999226 & KB3118401 – To be deleted manually, later.
Failed to delete KB3021917 with error level 3010.

Keep the Win 10 and Office 365 enablers? I do not see Windows 10 or Office 365 ever getting into my elderly machine, even if I wanted to use them, which I do not. I already have Windows 7 and Office 2010 running on it, so… No. They’ll go out of support in the not too distant future, but it is still NO.

Thanks to GoneToPlaid, satrow and DrBonzo for helping out. I hope this sub-series of entries that started with my first one asking for help with this issues may be of some use to others who read all that has been written here as a result.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

You could try manually uninstalling KB3118401, KB3021917 and KB2999226 via Programs and Features > View installed updates. They could be permanently baked into the computer if you ran Disk Cleanup and cleaned up Windows Updates to get more free space on your hard drive. If this is the case, then these updates can not be be easily uninstalled. If these updates can’t be uninstalled, it is no big deal if you are opted out of CEIP. These updates do seem to honor your CEIP settings in terms of not sending telemetry if you are opted out of CEIP.

1 user thanked author for this post.

OscarCP

Reply | Quote

KB3118401 and/or KB2999226 are part of Microsoft Visual C++ 2015/2017 Redistributable, they are needed to run programs compiled by this version, and should not be removed at all
even Office 2016/2019 need it

5 users thanked author for this post.

Microfix, satrow, PKCano, OscarCP, ch100

Reply | Quote

This Group W-er is watching the re-run of the circus… again? with amazement!
Numbers don’t lie – people behind the numbers do!
Patches do patch – but do you know what the ‘secret sauce’ is in there?

Reply | Quote

GoneToPlaid wrote:

Your last sentence in particular caught my attention. I too installed the KB3184143 GWX removal tool. It remains installed. Yet it is rumored that recent windows security only updates supposedly have KB2952664 or some other telemetry baked in? I haven’t seen any telemetry activity on my Windows 7 Group B computers which are updated through November 2018. I don’t see any active telemetry related tasks, and I am not seeing my computers making connections to Microsoft’s telemetry servers.

If I remember correctly, the various telemetry updates of the past were not solely GWX specific. I believe the long range plan of MS (alluded to but never specifically said) was to also use the transmitted data to report on errors and also patch installations going forward. As such I do believe that the GWX specific issues were removed by the GWX removal patch, but other capabilities may remain. Unfortunately my habit of doing late night research and testing got the better of me when I removed the last vestige of GWX I found using the Process Explorer applet from Sysinternals. There was an unnamed, unknown task in my Windows task library. It was grouped with the CEIP ones.

I had used CEIP up until the GWX/Telemetry issue began to surface. I disabled them. However the unnamed one remained enabled. Not until doing some testing with the Process Explorer did I discover the linkage of the unnamed task to the GWX or Telemetry tasks. I then disabled it like the CEIP tasks.

Unfortunately, I did not document it in my notes.

My initial comments were about Rollups, not the Security Only patches. I have not found any changes with recent Group B patches that would point to telemetry being present. Possibly if they are, they are honoring the various task settings of disabled, as I see no new tasks or changes to settings. Additionally when I disable some tasks, I also disable (by editing) the task trigger (just in case).

BTW, Thanks, as your scripts have proven very useful.

1 user thanked author for this post.

OscarCP

Reply | Quote

A reminder to install KB3184143, then remove/hide/block the KB2952664 (for Win7), KB2976978 (for Win8/8.1) and KB3150513 updates.

see this attached pic: I have KB3184143 installed on a Win7 computer and KB2952664 & KB3150513 are not installed.

Reply | Quote