Must read: The connection between GWX’s 3035583 and 2952664

Topic

New Reply

Excellent detective work by Andrew Orlowski at The Register.
[See the full post at: Must read: The connection between GWX’s 3035583 and 2952664]

Reply | Quote

Replies

Wow….”How Microsoft copied malware techniques…”

What more need be said?

Reply | Quote

Yep. That’s stating the obvious, to a first approximation anyway, far as I’m concerned.

What wasn’t obvious (at least to me) is the complicity of KB 2952664.

BTW, the discussion between Mary Jo, Paul and Leo in this week’s Windows Weekly is absolutely right-on.

Reply | Quote

Right on in what way?

To me it sounded like they were advocating the position that user error was responsible for unintended Win 10 installations.

Reply | Quote

They talked about the interaction between the two KBs – and gave a long list of changes….

(Don’t think they said user error was responsible… I’ll have to go back and read it.)

Reply | Quote

I’ve been using the term “GWX Virus” for a while. Nice to see an article explaining what this menace does. Now I’m hoping that Mr. Orlowski will do some research into the Cortana Virus.

Reply | Quote

I think Eric was referring to the Windows Weekly discussion, and I also got the impression from that that Paul and Mary Jo thought it was at least *possible* that it was mostly (if not entirely) a “user error” thing, albeit against a background where MSFT was setting things up to make those kinds of “errors” easy to inadvertently make.

Reply | Quote

I’ve said here before that Microsoft has become the single greatest threat to the security and integrity of my Windows 7 systems. It’s my opinion that Orlowski’s work tends to support my position.

Reply | Quote

Ah, now that is true. In the end, I think Paul and Mary Jo (and Leo!) decided that it’s just, simply, impossible to tell if somebody clicked something – even three or six months ago. If I hadn’t seen it myself, I wouldn’t have believed it. And it’s important to remember that Win10 did NOT install on my VM. It failed to install (although I did nothing to bring it on).

Reply | Quote

Wow just… wow. I’ve been using the phrase ‘malware distributor’ to describe microsoft for a while now and i’m not entirely sure i’m happy to get confirmation. I had to use powershell commands to strip out the various instances of package_2952664. I’m sure it’s still lurking in the registry though.

The windows weekly cast was also extremely interesting to watch – their initial scepticism turning to outright horror over what microsoft have been up to. They weren’t very clued up on Josh Mayfield’s gwx control panel though, not realising that it does a lot more than what they thought it did. Speaking of… Josh deserves some sort of humanitarian award for making that, or at least lots of free beers, please buy him lots of beers when you see him.

Reply | Quote

That’s correct…it was the video presentation that left that impression. Makes me wonder if they hang out at sevenforums…

Reply | Quote

Frankly, I must admit I was not very surprised by the article in the “Register” as I felt GWX was behaving very much like malware. If it walks like a duck; it’s a duck! I really feel disappointed at MS resorting to tactics like these even if they can get away with it. Just because you think you can get away with doing something does not make doing it right. There has to be some moral center of gravity to guide one’s behavior. That said, I have been skeptical regarding the wisdom of installing the March IE11 cumulative security update (KB3139929) because of the possibility of opening up a “new vector” in the GWX assault games. I know you have recommended we hold our nose and install the update but does this new info change your opinion in any way. The apparent new propensity of MS to abuse security updates with potential nagware additions is very troubling in my opinion.

Reply | Quote

I’ve never met Josh face-to-face. (I’m something of a recluse.) But I’m going back to his site and making another donation. No telling how much time he’s put into GWX Control Panel. It’s a tremendous product.

Reply | Quote

Or a donation! Of course. I shall do that promptly, thanks for the reminder.

Reply | Quote

He’s earned it.

Reply | Quote

Excellent find Woody! I knew about the inter-relation between the 2 patches as KB2952664 is a pre-requisite for the Windows 10 upgrade adware according to the official documentation which I found generally accurate but difficult to be understood in the finest detail which may be this way on purpose. What I didn’t realise though was how a newer version of KB2952664 reinstalls KB3035583 although we fully understood here how KB2952664 changes every time to avoid being hidden/blocked by the user. KB3035583 does not change.
I think the article over-reacts in recommending dangerous procedures for the deletion of the CBS registry keys which is extremely dangerous and can mess up the whole Windows Update mechanism. I do all the time registry changes in professional setting, many undocumented but time tested, however CBS is one of the areas where the end-user or system administrator should not interfere directly, but by using Microsoft’s APIs and commands like dism.exe, pkmgr.exe, wusa.exe when the normal uninstallation procedures from Control Panel fail.
I still think Josh’s approach for blocking GWX is the correct one making it easy for everyone to implement fully supported and documented functionality.

Reply | Quote

(GWX Control Panel) ‘It’s a tremendous product.’
Guaranteed it is. Next move, Microsoft acquires it for an undisclosed amount and discontinues it 🙂

Reply | Quote

I’m not recommending that people zap their registry keys. But it is an interesting observation….

Reply | Quote

It is not you Woody, it is The Register.

Reply | Quote

This is what The Register says:
Unless the user gets rid of ALL of the “Get Windows 10” system updates and its helpers, the GWX popup will persist. These are:

KB2952664
KB3035583
C:WindowsSystem32GWX
C:WindowsSoftwareDistributionDownload*KB2952664*
C:WindowsSoftwareDistributionDownload*KB3035583*
ALL registry entries for KB2952664 and
(optionally) KB3035583

Reply | Quote

I hope this whole disaster goes away when we hit July 30. After all, if people have to pay for it, and Microsoft still force-push it, there could be some lawsuits coming.

(Sadly, I still think at that point Microsoft will just extend the free period for either another 12 months or will just make upgrades free forever and we’ll be stuck in this hell forever.)

Reply | Quote

I have had it with Microsoft. When my Vista is no longer supported early next year I am going to purchase an Apple Computer. I know I will need to reconfigure all my files to Apple’s format, but it will be worth it.

Reply | Quote