News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Brinkmann, Horowitz: Are remnants of the despised “GWX” Gets Windows 10 campaign still on your Win7 computer?

    Home Forums AskWoody blog Brinkmann, Horowitz: Are remnants of the despised “GWX” Gets Windows 10 campaign still on your Win7 computer?

    Viewing 32 reply threads
    • Author
      Posts
      • #311038 Reply
        woody
        Da Boss

        This is… disturbing. Yesterday, Michael Horowitz published a detailed rundown of GWX remnants still on a Win7 PC. … today, I took a glance at the
        [See the full post at: Brinkmann, Horowitz: Are remnants of the despised “GWX” Gets Windows 10 campaign still on your Win7 computer?]

        9 users thanked author for this post.
      • #311051 Reply
        Microfix
        AskWoody MVP

        There were kb3184143 patches released by Microsoft to remove the triggers and accompanying cruft for Windows 7 and 8. Both available here:
        microsoft kb3184143 patches
        The amount of times I’ve seen $BT folder in the Windows directory in W7 PC’s..
        It’s more than likely care-free owners who just use their PC’s for whatever and don’t pay attention to Tech sites and AskWoody.

        Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
        6 users thanked author for this post.
        • #311210 Reply
          woody
          Da Boss

          Good point. I haven’t seen any independent reports of problems.

          Guess we’ll find out sooner or later….

          2 users thanked author for this post.
      • #311060 Reply
        anonymous
        Guest

        Steve Gibson offers a util to check if win 10 upgrade is enabled on your pc

        https://www.grc.com/never10.htm

        9 users thanked author for this post.
      • #311073 Reply
        anonymous
        Guest

        Guess thats one main reason i still have the GWX control panel still activated on my pc. No remnants in mine

        4 users thanked author for this post.
      • #311120 Reply
        WildBill
        AskWoody Plus

        Gunter Born doesn’t have a translation on his English German-language blog. He translates most, but not all, entries to there. Use Google Translate if you want to understand it; I don’t read German.
        MVP Edit: FTFY

        Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V2004. As long as it's a Lot Less Buggy!
        Wild Bill Rides Again...

        1 user thanked author for this post.
      • #311138 Reply
        Seff
        AskWoody Plus

        I’ve never uninstalled or disabled GWX Control Panel, and I have no intention of ever doing so. This article explains why!

        2 users thanked author for this post.
      • #311139 Reply
        Canadian Tech
        AskWoody_MVP

        Simple solution really. Set Windows Update to NEVER…. Disable Windows Update service Forget about Microsoft updates completely. They will create more hassle and reduce system reliability than the supposed security improvements are worth.

        Proof positive. My 130 client computers have not had an update in 20 months now and the result is smooth running, no problems what so ever. Oh, stop using IE and use Chrome instead, and remove Adobe Reader, Adobe Flash and Java.

        CT

        9 users thanked author for this post.
        • #311227 Reply
          Seff
          AskWoody Plus

          Good to hear that your systems are still running ok, CT. It’s an option that will become increasingly significant as we approach January 2020, and one I’m still considering depending on how Windows 10 performs between now and then.

        • #311237 Reply
          anonymous
          Guest

          Same here. Win7 64 ‘home premium’. Just a home user/browser/few programs. Have followed Woody’s advice from the first appearance of KB2952664, but I stopped installing even the stand-alone security updates more than a year ago and still have smooth, fast, reliable operation. IE explorer disabled. Windows update disabled. Only adobe product is photoshop4. Malwarebytes free.  Oh yes, just like Bart & Milhouse, I always click on every flashing banner! Thanks Woody, & all who offer such useful advice…

        • #311303 Reply
          Klaas Vaak
          AskWoody Lounger

          @Canadian Tech: set Windows Update to NEVER is not possible for PC with the Home edition. For them the solution is not simple, it is absent.

          1x Linux Mint 19.1 | 1x Linux antiX

          • #311342 Reply
            Seff
            AskWoody Plus

            CT is not talking about Windows 10, which I assume you are. My Windows 7 x64 Home edition PCs are set to “Never check for updates” every month, until it’s stated here that it’s time to install the month’s updates. Windows 10 is the only version of Windows that precludes this.

            6 users thanked author for this post.
      • #311141 Reply
        anonymous
        Guest

        I found the same on a Win7 Home Premium 64-bit laptop just two weeks ago.  Most updates had stalled some time previously because of corruptions to several system files, and the machine was rather neglected, though still working – slowly.

        After a thorough clean-up, removing several AV programs, 30 copies of one printer(!),  suspect applications and running AV, chkdsk and sfc scans, I started to apply the outstanding important Windows updates to be told it was updating to Windows 10!  Luckily I was able to hit cancel in double-quick time and then ran GWX_control_panel to neutralise it.  I also removed (via WUSA /uninstall) all 20 or so copies of KB2952664 ‘just in case’.   Panic over for now, but I needed to lie down there for a while!

        Tony H.
        Bristol, UK

        3 users thanked author for this post.
      • #311159 Reply
        anonymous
        Guest

        Horowitz apparently has a machine that he was not paying much attention to. Do not know what ‘all’ November 2018 patches mean. He needs to be specific. We have multiple Win 7 machines, both x64 and x86, with no problems as Horowitz described at all. Seems like Horowitz missed a collection of M$ malware patches from the last 4 years or so.

        • #311302 Reply
          woody
          Da Boss

          It’s entirely possible – happens to the best of us. But those Monthly Rollups are supposed to be, uh, Rollups, aren’t they?

          Sorry. Rhetorical question. 🙂

        • #311334 Reply
          Michael432
          AskWoody_MVP

          This PC is the exception, not the rule. As for updates, on Dec 3, 2018 Windows Update was run and all available patches were installed. That said, the computer did go long stretches without any Windows patches. The previous run of Windows Update was Feb. 2018

          WindwsUpdateHistory

          Get up to speed on router security at RouterSecurity.org

          Attachments:
          2 users thanked author for this post.
          • #311339 Reply
            Microfix
            AskWoody MVP

            aha! you have kb2952664 installed which is an assistant for GWX, if I’m not mistaken.
            kb971033 is the activation patch which has been giving some devices problems also.

            Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
          • #311589 Reply
            GoneToPlaid
            AskWoody Lounger

            Hi Michael432,

            You will be wanting to use my CMD file to automatically remove all installed versions of KB3150513, KB2952664, KB2977759. For example, there could be dozens of versions if KB2952664 installed on your computer. You may optionally want to use my other CMD file which uninstalls other updates which installed telemetry.

            Here is a link to my AskWoody Dropbox folder:

            https://www.dropbox.com/sh/sonx6ep8xziig8j/AADeG486PARTPLqB54NWZhm5a

            The README.txt file contains notes about my CMD files and usage instructions.

            The CMD files to check for and to remove the three infamous telemetry updates, KB3150513, KB2952664 and KB2977759, is in the “WIN7 — KB3150513, KB2952664, KB2977759” folder.

            The “WIN7 — Additional telemetry” folder contains CMD files to check for and optionally remove other updates which installed telemetry.

            Best regards,

            –GTP

             

      • #311180 Reply
        Mr. Natural
        AskWoody Plus

        I see GWX folders and references on Windows 7 machines quite often. I didn’t think the service was running any more and appears to me to be left over remnants of the GWX age. There is also a hidden folder on the root of C: drives called “$GetCurrent” which is also left over from the GWX process.

        Red Ruffnsore

      • #311181 Reply
        Klaas Vaak
        AskWoody Lounger

        Much ado about nothing. Judging from some of the comments here and on the Ghacks site, I get the strong impression Horowitz’s PC isn’t patched properly.

        1x Linux Mint 19.1 | 1x Linux antiX

        • #311189 Reply
          MrJimPhelps
          AskWoody_MVP

          Can you blame him if his PC isn’t up to date on patches? A lot of people are hesitant to allow automatic Windows updates because of the underhanded things Microsoft did to try to get people on Windows 10.

          Group "L" (Linux Mint)
          with Windows 8.1 running in a VM
          3 users thanked author for this post.
          • #311232 Reply
            Klaas Vaak
            AskWoody Lounger

            @MrJimPhelps: I am by no means a Windows or PC expert, and am part of the AskWoody group B i.e. choosy about which updates I install. I still managed to get rid of all the GWX c*** except for an empty GWX folder in System32.

            So, I am somewhat surprised that Horowitz, who is undoubtedly far more knowledgeable than me about Windows and all things PC, would not have been able to patch his own PC properly. But then, I guess everything is possible where MS is concerned.

            1x Linux Mint 19.1 | 1x Linux antiX

            • #311337 Reply
              Michael432
              AskWoody_MVP

              I would think this is a fluke, something went wrong with GWX removal way back when.

              Get up to speed on router security at RouterSecurity.org

              2 users thanked author for this post.
          • #311233 Reply
            anonymous
            Guest

            Yes, we can blame him. If Horowitz proposes to speak with some kind of authority, then he needs to do his research before he posts articles of this kind. Behavior such as this does nothing positive for one’s reputation.

            1 user thanked author for this post.
            • #311304 Reply
              woody
              Da Boss

              Welllllllll… I wouldn’t cast that kind of aspersion.

              If Michael has installed the latest Win7 Monthly Rollup, he could reasonably expect that it covers pertinent previous patches — including, notably, the patches that obliterate GWX.

              5 users thanked author for this post.
              • #311318 Reply
                Klaas Vaak
                AskWoody Lounger

                @Woody: I disagree. Horowitz is an expert, in any case more than many, and certainly more than the average Windows home user. With his report he has created an upheaval by giving the impression there is a good chance that GWX bug is still around on most computers. That is pertinently not the case, and where it is still present it is because (a) certain patch(es) has/have not been installed.

                So, Anonymous’s comment has nothing to do with “aspersion” but merely with an observation that causing such a storm in a tea cup is not what one may expect from someone like Horowitz. S’all.

                1x Linux Mint 19.1 | 1x Linux antiX

              • #311408 Reply
                Sessh
                AskWoody Lounger

                I don’t really read tech articles much for Windows stuff unless I am looking for something specific, but I know both Horowitz and Brinkmann are both referenced here quite often and I do not get the impression either one are anything less than power users who know their way around Windows.

                So, knowing that they are not amateurs, I must side with them and Woody on this one. If one installs a rollup of patches, you shouldn’t have to comb through the file system, task scheduler and whatever else to make sure they worked. That is absurd.

                If something in those patches was supposed to remove GWX and, upon installing said patches, GWX was not removed, that means two things; 1. the patch failed to do it’s job and 2. it is reasonable to assume that if this happened once, it has also happened to others. How many others is anyone’s best guess, but I do not think it is wrong to report it as was done here nor does it, in any way, damage whatever credibility these two tech writers have accrued.

                I have not patched since June of 2017 and I will remove June’s patch eventually to roll back to May of 2017 and stay there. There is nothing GWX anywhere on my system.

                2 users thanked author for this post.
              • #311835 Reply
                Klaas Vaak
                AskWoody Lounger

                @Sessh: the fact that Horowitz is (or may be) a power user does not mean by definition that everything he does or writes is perfect. As far as I know, nothing and nobody in the world is perfect, nor has there ever been a perfect human being.

                Taking that as a starting point, I fail to understand that a power user like Horowitz is able, or perhaps willing, to create what is obviously a storm in a tea cup when most non-techies who religiously perform their patches without giving it too much thought, and who certainly did not “comb through the file system, task scheduler and whatever else to make sure they worked”, find their computers clean.

                Still, if your appreciation of a power user is that that behaviour is normal/acceptable, then fine, I just beg to differ.

                1x Linux Mint 19.1 | 1x Linux antiX

            • #311317 Reply
              Microfix
              AskWoody MVP

              It’ll certainly not damage his reputation when it comes to his push for better router security:
              https://routersecurity.org/ the guy is, in my book, a great advocate. Just needs louder shouts from around the interweb.

              Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
              3 users thanked author for this post.
              • #311327 Reply
                Klaas Vaak
                AskWoody Lounger

                @Microfix: he might be a great router expert, but routers are not the topic here. Fr Windows he has not impressed me with this storm in a tea cup.

                1x Linux Mint 19.1 | 1x Linux antiX

      • #311182 Reply
        geekdom
        AskWoody Plus

        Regardless of reasons, it’s probably best to do a little checking to see if files, folders, and tasks related to GWX are on your system. Sometimes prevention measures don’t work.

        G{ot backup} TestBeta
        offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 WindowsDefender
        online▸ Win10Pro 1909.18363.1139 x64 i5-9400 RAM16GB HDD Firefox82.0 WindowsDefender
        TargetReleaseVersion=1909
        WUMgr
        2 users thanked author for this post.
      • #311183 Reply
        Geo
        AskWoody Plus

        Steve Gibson`s  “never 10”  software is free.

      • #311188 Reply
        PKCano
        Da Boss

        MS released KB3184143 to supposedly remove the vestiges of GWX. And anyone on Automatic updates should should have received it through WU.
        But there were a lot of people hiding anything even vaguely related to GWX so they may have hidden it and not have applied that patch.

        Also, I had a friend that bought a new Win computer (don’t remember if it was 7 or 8.1) early on in the GWX campaign. The upgrade to Win10 came as a CHECKED update in the OPTIONAL updates! I had a fit with it b/c the computer, on Auto updates by default, started the upgrade immediately after initial startup. I had to do a Factory Restore and get rid of the upgrade before I connected it back up to the Internet.

        Anyone doing a Factory Restore on that computer might run into the same thing.

        6 users thanked author for this post.
      • #311220 Reply
        GoneToPlaid
        AskWoody Lounger

        Win7 Pro on all of my computers, Group B, and updated through Nov 2018. I installed KB3184143 back in 2016 to remove GWX, which it did. Anyway, there are no traces of GWX on my computers.

        2 users thanked author for this post.
      • #311228 Reply
        GoneToPlaid
        AskWoody Lounger

        Separately, what is up with today’s two new security patches, KB931906 and KB2758694, which just showed up in Windows Update on my Win7 computers? Not sure if KB931906 is rated critical, but KB2758694 is rated critical. It appears that these are older updates which Microsoft is pushing again to all Win7 computers.

        1 user thanked author for this post.
        • #311307 Reply
          woody
          Da Boss

          By Jove, looks like we have a bunch of incoming Previews….

          I’ll get that posted right away. Thanks!

      • #311250 Reply
        GreatAndPowerfulTech
        AskWoody Plus

        GWX folders in ProgramData and AppData\Local can be deleted. Even if a task is scheduled, it can’t run if the file is gone. I’ll also start deleting the Task Scheduler GWX folder also.

        Thanks for the tip!

        GreatAndPowerfulTech

        • #311432 Reply
          Mr. Natural
          AskWoody Plus

          If GWX folders are found on a pc then there will also be registry entries for GWX as well. I’ve seen them. The usual edit the registry at your own risk disclaimer.

          Red Ruffnsore

      • #311254 Reply
        byteme
        AskWoody Plus

        Win 7 Home Premium, Group B.

        I try to be a fastidious installer of all the Woody-recommended updates (for Group B), and my update history doesn’t include 3184143. Did I miss one?

        In any case, I used GWX Control Panel back when, but never ran it in “monitor” mode, and hadn’t run it in eons, but I just pulled it up, and it reports that I have no Win10 Download folders — along with all the rest of the usual No’s.

        I’m assuming there’s no reason for me to run 3184143 at this point, but am open to advice to the contrary.

      • #311258 Reply
        anonymous
        Guest

        I have 2 Win 7 Ultimate 64 systems.  A year or so ago, I installed & used GRC’s “Never10” utility to turn off GWX.  It worked.  But in Dec I started experiencing the classic intense disk activity shortly after startup that reminded me of GWX.  ???

        Investigating, saw GWXConfigManager running.  Also noted CompatTelRunner was re-enabled (I’d disabled it previously).  Looked further and saw the GWX scheduled tasks were back in place (which I’d disabled previously).

        I re-ran GRC’s Never10 & it confirmed the reg entries to disable Win10 upgrade were still in place.  Head-scratching ensued.

        So, whatever MS installed in the Nov updates re-enabled some of GWX – and completely ignored the reg entries that are supposed to prevent this.

        I went ahead and manually removed GWX scheduled tasks and disabled the GWX executables.   No more crazy disk activity – at least until MS installs another update to their malware.

        1 user thanked author for this post.
        • #311340 Reply
          Michael432
          AskWoody_MVP

          You might want to try blocking CompatTelRunner with an outbound firewall rule which prevents it from phoning home. The procedure is documented here in the section on blocking programs

          https://www.michaelhorowitz.com/KillingWindowsUpdate.php

          Get up to speed on router security at RouterSecurity.org

          1 user thanked author for this post.
          • #311590 Reply
            anonymous
            Guest

            Do not just block it, delete it outright or lookup how to get rid of it in a more normal procedure.

        • #311737 Reply
          GoneToPlaid
          AskWoody Lounger

          Do you have KB3184143 (the GWX removal tool) installed on your computer?

      • #311380 Reply
        Elly
        AskWoody MVP

        As a non-techy who is a little less non-techy than family and friends, I’ve been handed several different computers that had not been used ‘for a while’ and found GWX on them. Surprise! I don’t criticize people, ’cause I figure we are all doing the best we can. These may have been the type of people that Microsoft wanted to force into updating to avoid the spread of mal-ware… but their choice is to avoid updating, as it has ’cause way more problems.

        It is good that an expert does not jump over problems that personal computer users may encounter, by dismissing them by saying it would have been solved if they had updated fully. That is Microsoft’s pat answer, and following their directions caused all kinds of problems… leading to the next recommendation to get a new computer that will be compatible. Instead, through what I’ve learned here, they are still using the same old computers without any issues, completely contrary to Microsoft’s pat advice.

        One Windows 7 laptop out of our family/friends group did finally bit the dust. Apparently placing it on the trunk of a car, having it slide off, and then driven over, was what it took to kill it. So backing up provided an example of the importance of backing up … (the computer, not the car).

        Non-techy Win 10 Pro and Linux Mint experimenter

        2 users thanked author for this post.
      • #311403 Reply
        anonymous
        Guest

        Does @Microfix ‘s observation in #post-311339 give the full explanation. It appears @michael432 installed “all available patches” including two that are on the no-go list.

        If there is a deeper issue under discussion, please help me recognize it.

      • #311412 Reply
        abbodi86
        AskWoody_MVP

        One more year, just hang in there 😀

        p.s. idon’t agree with the amount of exaggeration in this matter

        1 user thanked author for this post.
      • #311459 Reply
        anonymous
        Guest

        I checked my two HP and one Lenovo, all Win7Prox64, and found this issue does not hit me.

      • #311513 Reply
        Carl D
        AskWoody Lounger

        Something else to be on the lookout for:

        I wouldn’t be surprised if MS is already preparing a nice little ‘surprise’ for all remaining Windows 7 users  – possibly a non removable message in the bottom right hand corner of the screen – or worse, a ‘popup’ or ‘flyout’ message (similar to the ones in Windows 10 when you disconnect a removable drive, etc.) that keeps appearing over and over to remind you that Windows 7 is reaching EOL next January and you should ‘upgrade’ to Windows 10.

        No doubt it will be slipped into an important or security update or, at the very least, it’ll be a separate update marked as important and ticked to install by default, of course.

        Gigabyte GA-B250M-D3H Motherboard, Intel i5-7600 CPU, 32GB RAM, NVIDIA GeForce GTX 1050 Graphics Card, 1x Samsung 860 EVO 250GB SSD, 1x Samsung 850 EVO 250GB SSD, Windows 10 Professional 2004 64bit.

        3 users thanked author for this post.
        • #312229 Reply
          SueW
          AskWoody Plus

          And those of us who religiously watch for DEFCON 3 (or 4, or 5) will already be made aware of this and know what to do, thanks to AskWoody.com!

          Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'
          1 user thanked author for this post.
      • #311564 Reply
        GoneToPlaid
        AskWoody Lounger

        Hi everyone,

        I still have KB3184143 (the GWX uninstaller) installed on all of my Win 7 Group B computers. As mentioned, I am updated through November, yet no GWX stuff has showed up on any of my computers. I have two questions for everyone…

        For those of you who are seeing new GWX stuff showing up, is KB3184143 listed in your installed updates under Programs & Features > View installed updates?

        And for those who are seeing new GWX stuff, are you on Group A, or are you on Group B?

        1 user thanked author for this post.
        • #311597 Reply
          anonymous
          Guest

          Hi GoneToPlaid, I looked into this laptop to help describe another data point. It shows this KB3184143 was installed 21-Sep-2016. This predates my reading at AskWoody. I have followed Group A since learning of it. I do not recognize GWX activity in normal use.

          I do keep several updates “Hidden”. Whenever there is discussion of a service stack that fails to mind its manners, I have done a full cycle of “Restoring” all hidden items in the Windows 7 section of that list, then hiding again everything not desired. This is overkill for what is needed, but it has given me opportunity to see that Windows Update will still offer many of these updates unless they are specifically hidden.

          So no, I do not see any GWX items show up under normal use. But I can create a use where the associated updates will show up, unrequested. I hope I have followed your thoughts, and added useful information.

        • #311618 Reply
          OscarCP
          AskWoody Plus

          GoneToPlaid,

          From a practical point of view, if one finds  KB2952664 is still installed and not KB3184143, before installing the latter should one first delete KB2952664? Any other steps that might be also necessary to finish the job?  Thanks.

          Group B, Windows 7 Pro Sp1, x64.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

      • #311609 Reply
        Bill C.
        AskWoody Plus

        Windows 7Pro-64_SP1, Group B, WU for .NET and Office 2010 (MSI version).

        I am not sure my experience is routine, but after finding lots of churning and CPU cycles, I did research and learned about GWX (hence my presence here). I uninstalled all the GWX and telemetry updates, I then removed the GWX folders and disabled, and later totally deleted the tasks for GWX. As I caught the infection early, it has not yet created the large data repositories like the hidden folder on the root of C: drives called “$GetCurrent” or “$BT” or the blocks of upgrade files. I installed the GWX Control Panel and it said nothing was detected. When it was released, I also installed the KB3184143 GWX removal tool. I have run the scripots to see if KB2952664 was on the machine and get a negative.

        As I kept reading I found other components and repositories of the GWX data and compatibility logs. These were also deleted. I still run the GWX Control Panel as it provides a quick indicator of changes to the WU, but I still check after each monthly patch session or any software upgrades to ensure WU is set to never. I have also disabled IE from auto-updating.

        I wonder if the telemetry that was recently included in the roll-ups, utilize some of the GWX analytical and appraisal tools that might have remained even after the removal of GWX system.

      • #311689 Reply
        GoneToPlaid
        AskWoody Lounger

        GoneToPlaid, From a practical point of view, if one finds KB2952664 is still installed and not KB3184143, before installing the latter should one first delete KB2952664? Any other steps that might be also necessary to finish the job? Thanks. Group B, Windows 7 Pro Sp1, x64.

        Hi OscarCP,

        Now that is a really good question. Let’s think this through…

        KB3184143 kills GWX, yet will not uninstall any and all installed versions of KB2952664. So the first thing to do is to install KB3184143 to kill GWX. After killing GWX, KB3184143 remains installed on your computer. Perhaps KB3184143 remains installed as a flag to Microsoft that the user does not want to upgrade to Windows 10 — ever?

        After installing KB3184143, and rebooting if asked, then you can run my CMD file for removing all instances of the three infamous telemetry updates which includes KB2952664. Note that all instances of a given telemetry update must be uninstalled, before proceeding to uninstalling all instances of the next telemetry update. Since there are three telemetry updates to be uninstalled, my CMD file must be run three times (if all three telemetry updates are reported as being installed) and with a reboot after each run (just pay attention to the instructions which my CMD file displays) in order to remove all instances of all three telemetry updates.

        After the above is done, run my CMD file one final time (as a sanity check) so that you can confirm that all three telemetry updates are no longer installed on your computer. My CMD file will report if these three telemetry updates truly have been removed from your computer.

        Best regards,

        –GTP

         

        1 user thanked author for this post.
      • #311717 Reply
        GoneToPlaid
        AskWoody Lounger

        …When it was released, I also installed the KB3184143 GWX removal tool. I have run the scripts to see if KB2952664 was on the machine and get a negative. As I kept reading I found other components and repositories of the GWX data and compatibility logs. These were also deleted. I still run the GWX Control Panel as it provides a quick indicator of changes to the WU, but I still check after each monthly patch session or any software upgrades to ensure WU is set to never. I have also disabled IE from auto-updating. I wonder if the telemetry that was recently included in the roll-ups, utilize some of the GWX analytical and appraisal tools that might have remained even after the removal of GWX system.

        Your last sentence in particular caught my attention. I too installed the KB3184143 GWX removal tool. It remains installed. Yet it is rumored that recent windows security only updates supposedly have KB2952664 or some other telemetry baked in? I haven’t seen any telemetry activity on my Windows 7 Group B computers which are updated through November 2018. I don’t see any active telemetry related tasks, and I am not seeing my computers making connections to Microsoft’s telemetry servers.

        So this gets me to thinking. If KB3184143 is installed, its presence is clearly telling Microsoft that the user has no desire to upgrade to Windows 10. If KB3184143 is not installed, maybe this is why some users are seeing a sudden reactivation of GWX? If it really is the latter, then this would seem to stoke fears that Microsoft may have intentions of forcing Windows 10 on all Windows 7 users who did not install KB3184143. I’m just throwing this out there as food for thought.

        1 user thanked author for this post.
        • #311728 Reply
          DrBonzo
          AskWoody Plus

          I believe it’s the Rollup updates, not the Security Only updates, that have KB 2952664 – or some variation of it – incorporated in them.

      • #311745 Reply
        GoneToPlaid
        AskWoody Lounger

        I believe it’s the Rollup updates, not the Security Only updates, that have KB 2952664 – or some variation of it – incorporated in them.

        Hmm…perhaps the Group A Rollup updates have KB2952664 baked in, yet KB2952664 doesn’t show up in the list of installed updates? That would be interesting news.

        I wonder what my CMD file will report. I would love for a Windows 7 Group A user, whose computer is fully updated and who always avoided installing KB2952664, to run my CMD file to see if DISM reports that KB2952664 is in fact installed even if KB2952664 is not listed under installed updates. This is my $64 thousand dollar question.

        • #311771 Reply
          anonymous
          Guest

          As the DISM command syntax contains the logic “find the string of characters that matches KB2952664”, I interpolate that it scans the same database used by the Installed Updates display. In different words, it searches for the title, not the functionality.

          I will not claim your $64,000 prize. Although I fit your described classification, Group A through December 2018, including the suspect function contained in the cumulative rollup, I also might have changed the criteria by running @abbodi86 ‘s “W10tel” executable found in AKB2000012.

          In any case, when I run the single line command (elevated)
          dism /online /get-packages | findstr KB2952664
          it returns an empty result. No joy.

          1 user thanked author for this post.
        • #311860 Reply
          PKCano
          Da Boss

          Since the 2018-09 Preview Rollup and the 2018-10 Monthly Rollup, the KB2952664 functionality has been included in the Group A patches – not the KB2952664 separate distinct patch. The evidence is in the appearance of KB3150513 in Windows Update, which will not appear without the KB2952664 functionality installed. It was not added to the Group B Security-only patches to my knowledge. I believe we had this discussion before back in October.

          KB2952664 and it’s Win8.1 KB22976978 equivalent have NEVER been installed on any of my machines. I am patching Group A, and I have seen KB3150513 appear (and be immediately hidden) in WU on my machines. I am also running @abbodi86 ‘s script to neutralize the telemetry in an attempt to remain in Group A.

          2 users thanked author for this post.
      • #311749 Reply
        OscarCP
        AskWoody Plus

        GoneToPlaid,

        Thanks for your timely advice.

        I just checked and found that I do have installed bad KB2952664, but not good KB3184143 (which I am installing right after I finish writing this). Also not  installed, the other two bad ones you mentioned: KB3150513 and  KB2977759.

        So this is a bit different from the situation for which you have recommended using your script. Any advice on this? Thanks again.

        After two attempts (the first from an MS site where, it turned out, only the x86 version was available), I found the Catalog correct page and downloaded KB3184143, x64 plus an executable file (gwxwu_4e813955262d8e9d497a10018c36299ac02fce5e.exe). Not sure what to do with it… It was together with the .msu file, but it looks, from the name, that it is meant for Windows 8.1…

        Group B, Windows 7 Pro SP1, x64, I-7 “sandy bridge”.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        • #311757 Reply
          satrow
          AskWoody MVP
          • #311765 Reply
            OscarCP
            AskWoody Plus

            Thanks satrow, I found it, as you can see in my answer to GoneToPlaid above, but also found an unexpected executable with it that I downloaded as well and is a bit of mystery to me what to do with it, right now.

            Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

            • #311769 Reply
              GoneToPlaid
              AskWoody Lounger

              Not sure, but I think that the EXE maybe does additional cleanup? I don’t know. Anyway, here is another Microsoft link for KB3184143 which doesn’t include a separate EXE file:

              https://www.microsoft.com/en-us/download/details.aspx?id=53859

               

            • #311797 Reply
              satrow
              AskWoody MVP

              The gwxwu_4e813955262d8e9d497a10018c36299ac02fce5e.exe is exactly the same W7x64 file as the GWXWU.exe contained within the Windows6.1-KB3184143-x64.msu installer file I linked the download page of. Also packaged in that .msu are several other files (see image), including a PkgInstallOrder.txt:

              MSU_Install_Order

              Attachments:
        • #311766 Reply
          GoneToPlaid
          AskWoody Lounger

          Hi OscarCP,

          satrow’s link for the x64 of KB3184143 is correct. Get that puppy installed and reboot if asked to do so, and then run my CMD file to wipe out all installed instances of KB2952664. I am curious about how many instances of KB2952664 which my CMD file reports are installed. For example, on one Win7 laptop computer in which I messed up and unknowingly installed KB2952664, nine other versions of KB2952664 were silently installed during the next several months before I caught my error.

          You mentioned: “Also not  installed, the other two bad ones you mentioned: KB3150513 and  KB2977759.” Oops. My bad. I went back through my old notes and saw that KB2977759 is an early version of KB2952664, and that neither requires the other to be installed.

          Best regards,

          –GTP

           

          • #311768 Reply
            OscarCP
            AskWoody Plus

            GoneToPlsid, Thanks.

            I guess I do not need to run your CMD script then. But what should I do with that pesky executable? (See my earlier reply).

            Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

            • #311770 Reply
              GoneToPlaid
              AskWoody Lounger

              You still need to run my CMD script to wipe out KB2952664 after you deal with installing KB3184143. I posted an alternative Microsoft link for KB3184143 which doesn’t additionally include a separate EXE file. Maybe satrow can shed some light about the EXE file, in terms of whether you run the EXE file first or after installing KB3184143.

              1 user thanked author for this post.
            • #311772 Reply
              GoneToPlaid
              AskWoody Lounger

              Ahah! I just looked at the internals of the EXE. What it does is to clean up and remove GWX scheduled tasks and GWX registry stuff, the install packages for GWX, and other GWX stuff. Thus, you run the EXE after first installing KB3184143. Nothing is reported after running the EXE (I just ran it.).

              • #311774 Reply
                OscarCP
                AskWoody Plus

                GoneToPlaid,

                That is good news! Since the executable gets rid of all remnants of GWX, am I guessing correctly that I still may have to run the CMD script after running the .exe file to make sure KB2952664 is gone for good? Even when the .exec has “8.1” at the beginning of its name?

                Thanks for your patience and advice.

                Group B, Windows 7 Pro, SP1,x64.

                Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

              • #311776 Reply
                GoneToPlaid
                AskWoody Lounger

                Hi OscarCP,

                Yes, you need to run my CMD script to remove all installed instances of KB2952664. I hope that you will report back about how many instances of KB2952664 were removed, as this information will roughly indicate how long you unknowingly had KB2952664 installed on your computer.

                And you are most welcome!

                Best regards,

                –GTP

                 

                1 user thanked author for this post.
              • #311781 Reply
                OscarCP
                AskWoody Plus

                GoneToPlaid,

                I’ll do that and let you know how it went.

                Thanks again.

                Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

              • #311795 Reply
                DrBonzo
                AskWoody Plus

                In cases where there are 2 files that are downloaded, one being a .exe file, and the other, say, a .msu file (as in the present case), simply download both to the same folder (downloads folder, desktop, or some other folder you have or make that’s convenient), and install the .msu file. In the process of installation the .msu file will cause the .exe file to execute. If you watch your monitor closely you’ll often see a small command line box show up for a fraction of a second or so as the .exe file executes. It should not be necessary to separately run the .exe file manually, although I don’t suppose it will hurt anything if you do.

                2 users thanked author for this post.
              • #311813 Reply
                OscarCP
                AskWoody Plus

                Mission accomplished!

                This is what I did just now, and what happened, blow by blow:

                (1) Created a recovery point.(Just in case…)

                (2) Istalled KB3184143
                Restarted the computer: went through the “do not turn your computer” routine.
                (3) Run the “.exe” file. (unnecessarily, it seems, but my machine is still breathing…)

                (4) Run GoneToPlaid CMD “search and destroy” script to see if there are some
                instances of KB2952664 and the other bad hidden spies still around and uninstall them. Three found, listed below, but not deleted by the script.

                Then run the other script, to see if the first one had missing something. No: same story.

                (5) Restarted the computer again, because I could. Oddly enough, it went once more through the “do not turn your computer” routine…

                (6) And here I am. The PC lives! (For now.)

                Also: The CMD script did not delete KB2999226 & KB3118401 – To be deleted manually, later.
                Failed to delete KB3021917 with error level 3010.

                Keep the Win 10 and Office 365 enablers? I do not see Windows 10 or Office 365 ever getting into my elderly machine, even if I wanted to use them, which I do not. I already have Windows 7 and Office 2010 running on it, so… No. They’ll go out of support in the not too distant future, but it is still NO.

                Thanks to GoneToPlaid, satrow and DrBonzo for helping out. I hope this sub-series of entries that started with my first one asking for help with this issues may be of some use to others who read all that has been written here as a result.

                Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

              • #312055 Reply
                GoneToPlaid
                AskWoody Lounger

                You could try manually uninstalling KB3118401, KB3021917 and KB2999226 via Programs and Features > View installed updates. They could be permanently baked into the computer if you ran Disk Cleanup and cleaned up Windows Updates to get more free space on your hard drive. If this is the case, then these updates can not be be easily uninstalled. If these updates can’t be uninstalled, it is no big deal if you are opted out of CEIP. These updates do seem to honor your CEIP settings in terms of not sending telemetry if you are opted out of CEIP.

                1 user thanked author for this post.
              • #312557 Reply
                abbodi86
                AskWoody_MVP

                KB3118401 and/or KB2999226 are part of Microsoft Visual C++ 2015/2017 Redistributable, they are needed to run programs compiled by this version, and should not be removed at all
                even Office 2016/2019 need it

                5 users thanked author for this post.
      • #311796 Reply
        anonymous
        Guest

        This Group W-er is watching the re-run of the circus… again? with amazement!
        Numbers don’t lie – people behind the numbers do!
        Patches do patch – but do you know what the ‘secret sauce’ is in there?

      • #312386 Reply
        Bill C.
        AskWoody Plus

        Your last sentence in particular caught my attention. I too installed the KB3184143 GWX removal tool. It remains installed. Yet it is rumored that recent windows security only updates supposedly have KB2952664 or some other telemetry baked in? I haven’t seen any telemetry activity on my Windows 7 Group B computers which are updated through November 2018. I don’t see any active telemetry related tasks, and I am not seeing my computers making connections to Microsoft’s telemetry servers.

        If I remember correctly, the various telemetry updates of the past were not solely GWX specific. I believe the long range plan of MS (alluded to but never specifically said) was to also use the transmitted data to report on errors and also patch installations going forward. As such I do believe that the GWX specific issues were removed by the GWX removal patch, but other capabilities may remain. Unfortunately my habit of doing late night research and testing got the better of me when I removed the last vestige of GWX I found using the Process Explorer applet from Sysinternals. There was an unnamed, unknown task in my Windows task library. It was grouped with the CEIP ones.

        I had used CEIP up until the GWX/Telemetry issue began to surface. I disabled them. However the unnamed one remained enabled. Not until doing some testing with the Process Explorer did I discover the linkage of the unnamed task to the GWX or Telemetry tasks. I then disabled it like the CEIP tasks.

        Unfortunately, I did not document it in my notes.

        My initial comments were about Rollups, not the Security Only patches. I have not found any changes with recent Group B patches that would point to telemetry being present. Possibly if they are, they are honoring the various task settings of disabled, as I see no new tasks or changes to settings. Additionally when I disable some tasks, I also disable (by editing) the task trigger (just in case).

        BTW, Thanks, as your scripts have proven very useful.

        1 user thanked author for this post.
      • #313870 Reply
        EP
        AskWoody_MVP

        A reminder to install KB3184143, then remove/hide/block the KB2952664 (for Win7), KB2976978 (for Win8/8.1) and KB3150513 updates.

        see this attached pic: I have KB3184143 installed on a Win7 computer and KB2952664 & KB3150513 are not installed.

        KB3184143updateinstalled

        Attachments:
    Viewing 32 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Brinkmann, Horowitz: Are remnants of the despised “GWX” Gets Windows 10 campaign still on your Win7 computer?

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.