September Patch Tuesday rolling out

Topic

New Reply

The September 2019 patches are out, and there’s a bumper crop: 216 separate patches in the Catalog 80 identified security holes (CVEs) Two listed as “
[See the full post at: September Patch Tuesday rolling out]

7 users thanked author for this post.

wEarwOlf505cole, siqueirajr4, abbodi86, AJNorth, Fred, geekdom, walker

Reply | Quote

Replies

[PKCano]

The 2019-09 Security-only Update and IE11 Cumulative Update have been added to AKB2000003  for Group B patchers (and anyone else who needs them).

NOTE: The links in AKB2000003 are direct download links to the MS Update Catalog.
NOTE: Win7 Security-only KB4516033 contains KB2952664 functionality “Compatibility Appraiser”
UPDATE: NOTE: Win8.1 Security-only KB4516064 also contains the telemetry functionality.

*************
Another version of KB4474419 v.3 has been released on Sept Patch Tuesday.
UPDATE: Install this patch before the Servicing Stack See @abbodi86 #1948298.

This security update was updated September 10, 2019 to include boot manager files to avoid startup failures on versions Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.

*************
There are new Servicing Stack Updates for:
Win7:  KB4516655 –  Download 32-bit or 64-bit
Win8.1:  KB4512938 – Download 32-bit or 64-bit

• This reply was modified 3 years, 9 months ago by PKCano.
• This reply was modified 3 years, 9 months ago by PKCano.

13 users thanked author for this post.

SueW, plodr, LH, Sinclair, abbodi86, AJNorth, columbia2011, Fred, samak, lanceboil, woody, walker, Hopper15

Reply | Quote

So I’m not seeing the new Servicing Stack update KB4516655 for Win7 in my Windows Updater.

Is this a MS Catalog download only, and if so, download and install before installing the other KB’s appearing in the Windows Updater?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

[geekdom]

KB4516655 won’t appear until the updates in the queue are installed; the queue needs to be empty.

Have you installed the updates in the update queue?

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox115.0b2 MicrosoftDefender

• This reply was modified 3 years, 9 months ago by geekdom.
• This reply was modified 3 years, 9 months ago by geekdom.

1 user thanked author for this post.

pmcjr6142

Reply | Quote

No, I have not installed anything yet. I’m also Group A.

For past Servicing Stack updates, PK Cano has always recommended they be installed first and by themselves.
Is this still the case?

If yes, do we simply obtain the SS Update from the Catalog and manually install? Or is this where we need to hide all updates to make this appear then install then unhide the other updates?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

For past Servicing Stack updates, PK Cano has always recommended they be installed first and by themselves.
Is this still the case?

Group A (SMQR) needs all the patches installed in the WU queue first then, and only then, will the SSU be displayed for installation!

Keeping IT Lean, Clean and Mean!

1 user thanked author for this post.

pmcjr6142

Reply | Quote

Yes, Servicing Stack updates need to be installed first, and by themselves. A reboot may or may not be required. Note that there is also a new version 3 update for SHA-2, which also must be installed by itself, and which does require a reboot.

I am Group B with Win7 computers. Today I installed September’s Servicing Stack update, the version 3 SHA-2 update, and then the September SO update. All went well and without issues. I will post about this. Yet everyone note that we are at Defcon 2 and that I ignored Defcon 2 in order to test the September Group B side of things for September. I have not installed or tested any September IE or .NET updates since I prefer to wait a while in order to see reports about any issues.

2 users thanked author for this post.

SueW, TaskForce141

Reply | Quote

[geekdom]

Microsoft went against the usual convention of installing Servicing Stack Update first. Read here:
https://www.askwoody.com/forums/topic/september-patch-tuesday-rolling-out/#post-1948298

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox115.0b2 MicrosoftDefender

• This reply was modified 3 years, 9 months ago by geekdom.
• This reply was modified 3 years, 9 months ago by geekdom.

Reply | Quote

Regardless of Group A or B, the other patches (Windows, Office, .Net, etc.) are not going to show up unless the August service stack patch is installed first. Until that is done, Windows Update will tell you that your PC “is up to date” and there are “no updates for your computer”. Not true, but you need to install the SSH  patch to make that change to “updates waiting to be installed”.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Other patches show before the Servicing Stack Update. Read here:
https://www.askwoody.com/forums/topic/september-patch-tuesday-rolling-out/#post-1947026

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox115.0b2 MicrosoftDefender

1 user thanked author for this post.

OscarCP

Reply | Quote

Geekdom: my own experience was as I just described it and, compared to yours, a fairly different. one. It looks like what happens does vary from user to user…

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

[Geo]

Ivanti mentions in September patch tuesday notations: “Microsoft continues to adjust their software update process, releasing service stack updates for all operating systems this month. Usually these release for one or a couple of Windows editions, so for all Windows OSs to be impacted by this one is a bit out of the ordinary. A couple of things to note about servicing stack updates. They are rated as Critical but are not resolving security vulnerabilities. They are also not part of the cumulative update chain. Servicing stack updates are a separate update that needs to be installed outside of the normal cumulative or security-only bundle. This is a critical update to Microsoft’s update system within the OS. This means some changes are coming down the line and there will be a point where you cannot apply the Windows updates on the system if the servicing stack update is not applied. The shortest we have seen from availability to enforcement is two months. Our guidance is to begin testing as soon as possible and plan to have these in place before November to be on the safe side. Before October would be best case on the off-chance Microsoft enforces these changes sooner.”

• This reply was modified 3 years, 9 months ago by Geo.

1 user thanked author for this post.

TaskForce141

Reply | Quote

SearchUI fix worked for me.

Incidentally O&O Shutp10 was patched today to fix the patch that was patched today. (Yeah, that confused me typing it.)

2 users thanked author for this post.

Steve S., Fred

Reply | Quote

September Beta Test Report Windows 7 x64 Updates

Important
– September 2019 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 SP1 and Server 2008 R2 SP1 (KB4514602)
– September 2019 Security Monthly Quality Rollup Windows7 for x64 (KB4516065)
– September 2019 Security Update for Windows 7 for x64 (KB4474419)

Updates installed without error and the system rebooted without error.

Prompted/Checked for updates. (“Check for updates but let me choose whether to download and install them” is set. Normally, I have to click the button to check for updates, even with this setting, but this time I was prompted with an update. It was already at the gate.)

Important
– September 2019 Servicing Stack Update for Windows 7 for x64-based Systems (KB4516655)

Update installed without error. Although reboot not required, I rebooted, and the system rebooted without error.

Checked for updates and no further updates.

Nice.

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox115.0b2 MicrosoftDefender

6 users thanked author for this post.

SueW, TaskForce141, Geo, Charlie, Myst, AJNorth

Reply | Quote

important note: the newly released KB4516655 servicing stack update supersedes/replaces the KB4490628 servicing stack update.

so KB4490628 is no longer needed

1 user thanked author for this post.

Microfix

Reply | Quote

Wonderful!  And you didn’t have to dig up some three year old file to make everything work!…?

Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.

Reply | Quote

Warning for group B Windows 7 users!

After the “July 9, 2019—KB4507456 (Security-only update)”, there is another “security-only” update that contains telemetry.

It is the “September 10, 2019—KB4516033 (Security-only update)”.

It replaces infamous KB2952664 and contains telemetry. Unfortunately, there is no “file information” in MS update description, but some info can be found at http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=03092e33-5b1d-4cc9-bcf9-578e906cefb2 (in “Package details”->”This update replaces the following updates” there is KB2952664 listed).
It applies to both x64 and x86-based systems.

I have found that it contains the following files :
File;Version
centel.dll;10.0.18362.1015
gentel.dll;10.0.18362.1015
appraiser.sdb;not applicable
appraiser_data.ini;not applicable
appraiser_telemetryrunlist.xml;not applicable
aeinv.dll;10.0.18362.1015
aeinv.mof;not applicable
aepic.dll;10.0.18362.1015
acmigration.dll;10.0.18362.1015
aitstatic.exe;10.0.18362.1015
api-ms-win-downlevel-advapi32-l1-1-1.dll;10.0.14393.0
api-ms-win-downlevel-advapi32-l4-1-0.dll;10.0.14393.0
api-ms-win-downlevel-kernel32-l1-1-0.dll;10.0.14393.0
api-ms-win-downlevel-kernel32-l2-1-0.dll;10.0.14393.0
api-ms-win-downlevel-ole32-l1-1-1.dll;10.0.14393.0
api-ms-win-downlevel-user32-l1-1-1.dll;10.0.14393.0
api-ms-win-downlevel-version-l1-1-0.dll;10.0.14393.0
appraiser.dll;10.0.18362.1015
compatprovider.dll;10.0.14393.0
compattelemetry.inf;not applicable
compattelrunner.exe;10.0.18362.1015
devinv.dll;10.0.18362.1015
diagtrack.dll;10.0.10586.10007
diagtrackrunner.exe;10.0.10586.8
dismapi.dll;10.0.18362.1015
dismcore.dll;10.0.18362.1015
dismcoreps.dll;10.0.18362.1015
dismprov.dll;10.0.18362.1015
ffuprovider.dll;10.0.9896.0
folderprovider.dll;10.0.18362.1015
frxmain.sdb;not applicable
imagingprovider.dll;10.0.18362.1015
invagent.dll;10.0.18362.1015
logprovider.dll;10.0.18362.1015
nxquery.inf;not applicable
nxquery.sys;not applicable
vhdprovider.dll;10.0.18362.1015
wimprovider.dll;10.0.18362.1015

Sorry for posting it twice (here and https://www.askwoody.com/forums/topic/ms-defcon-2-get-windows-automatic-update-locked-down/#post-1947029), but I started making my post just before this topic (I think more appropiate for such post) was created.

12 users thanked author for this post.

FakeNinja, Charlie, plodr, phaolo, Microfix, lanceboil, Sinclair, AJNorth, PKCano, samak, geekdom, woody

Reply | Quote

Oh fiddlesticks.

Not again.

Reply | Quote

? says:

excellent work and thank you, saved me the trouble of looking it up. and thanks PK for posting the links for the other needed September patches just above this good news! so, where do we go from here?

2 users thanked author for this post.

Microfix, Fred

Reply | Quote

so, where do we go from here?

Into the basement for shelter!

8 users thanked author for this post.

SueW, FakeNinja, Charlie, Myst, abbodi86, woody, walker, geekdom

Reply | Quote

? says:

again, thank you for helping us\me navigate the muddy waters of dear microsoft. gotta love their ways. maybe there are last minute big bonuses out for the get-rid-of-win7-users-at-all-costs bounty program up in Redmond? so what if some of us just wanted to get to EOL in a peaceful and orderly fashion?

 

1 user thanked author for this post.

Charlie

Reply | Quote

Well that’s just another month of Windows 7 “Security Only’ Patching that I’m skipping and on to Oct 2019 to see if that’s Telemetry Free.

I’m not really that worried for one of my Windows 7 laptops that came with a Windows 8 Pro License that the Laptop’s OEM factory downgraded to Windows 7 Pro via Pro OS version degrade rights. That’s getting Windows 8 Pro and updated in place to 8.1 anyways.

So Spy in the buttermilk, shoo, Spy, shoo! And Skip, Skip, Skip to the Loo and Flush that update right on down!

Reply | Quote

I can also “downgrade” my dad’s Toshiba C55dt touchscreen late 2013 laptop from Win8.1 Home to Win7 home premium as there are specific Win7, 8.1 & 10 downloads available for my dad’s laptop on the Toshiba/Dynabook support site 🙂

Reply | Quote

Yes anyone can downgrade if they have the Image/Media it’s just the matter of the Licensing check and there may be a problem with that. But usually it’s only officially the Pro versions of Windows with the automatic downgrade rights so if you can get the Pro upgrade license add that to the windows 8.1 home key and register the upgrade to Pro then it’s probably OK as far  as licensing to do that. And to downgrade a windows 8/8.1 Pro(or higher) license requires some active license key for 8/8.1 Pro/Higher than Pro variant.

Now going from Windows 7 Pro to Windows XP Pro is possible with a Windows 7 pro key/7 Pro Upgrade license Key.  But that’s really not going forward at this point in time.

Having the Image downloads available is nice and can be done but how do you get around the licensing checks.

I have a Toshiba Satellite C655 with a first generation core i3(Arrandale/Mobile) CPU and that laptop has a Windows 7 Pro upgrade license from Windows 7 home that I purchased later on. but no Windows 8/8.1 license so that’s going to require purchasing a Windows 8/8.1 (Home/Pro) OEM Key license anyways but the laptop is not worth that added expense so it’s Linux Mint for that laptop after Jan 2020.

The good thing about Retail “OEM” Windows 8/8.1 license keys are that they are very inexpensive currently, even the Pro/Above edition Keys or even retail DVDs(Rare now). But the problem with that is the Laptop’s needed drivers to match the specific hardware on the laptop.  So that has to be available as well And I have been looking at Dynadook’s(Formally Toshiba) and their documentation is not in good shape for my C655 laptop  that’s 2010 and that’s really not worth attempting any sorts of extra time other than to try a Linux Distro and hope that the wifi works.

1 user thanked author for this post.

TaskForce141

Reply | Quote

I have a dell 120, mint worked fine. the usual problem with wireless card in dells. Do a search on that and its easily fixed. Unfortunately, I dont remember the steps. You’ll need an ethernet connection,though.

1 user thanked author for this post.

TaskForce141

Reply | Quote

Well, then there’s the potential issue that even when you do have the downgrade right with the included product key, that product key might still not be valid for the downgraded versions.

This is rare but can happen. Seen with OEM embedded Windows 8 Pro product key, reinstalling 7 Pro after disk replacement. (Hadn’t complained about the key with the old HDD, either.)

Really looks like clean-installing 7 with updates might be getting even more difficult from now on.

Carl D wrote:

After reading this marathon thread am I the only one who thinks Microsoft is going for a ‘last ditch effort’ to seriously mess up Windows 7 prior to end of patching next January?

Can’t tell if it’s on purpose, given how the Windows 10 updates seem to go – like https://www.askwoody.com/2019/so-did-ms-fix-the-win10-1903-searchui-exe-redlining-bug-or-not/ and all the older ones…

So if it all were on purpose, I’d have to conclude that Microsoft really wants to get out of the desktop operating systems business but is prevented from just coming out and saying that officially?

Reply | Quote

? says:

again post #1947051, thank you putting the info up and so quickly. i spent some time looking at the files that the September Security Only patch installs and wondering how much space they take and how much resources they use and how all these files from/for windows 10 make the last few months of windows 7 “better” for the user. i know i can “neutralize,” some of their functions, but the only way to remove them is to do a clean install.

Reply | Quote

Yeah, the September Win7 SO update KB4516033 does replace a bunch of files which are related to telemetry. Yet on my Win7 Group B computers, CEIP optout is still being honored, and I do not see any new tasks or other tasks in Task Scheduler which were re-enabled and which are related to telemetry.

3 users thanked author for this post.

SueW, TaskForce141, AJNorth

Reply | Quote

[Fred]

I installed the cumulative update for W10.1903  KB4515384  manually;
The version of Windows I had clearly needed a gross of repares/updates….

1* Cortana’s SearchUI.exe was not replaced, so the former renamed searchui.exe will stay renamed. No peaking in memory (yet)
2* The rest of the patches seem to work out correct (fingers crossed);
it brought the W10H1903 to build version 18362.356
3* For W10.v1903 there is a specific new servicing stack too :
“windows10.0-kb4515383-x64”

info at:
https://www.ghacks.net/2019/09/10/microsoft-windows-security-updates-september-2019-overview/

* _ the metaverse is poisonous _ *

• This reply was modified 3 years, 9 months ago by Fred.

2 users thanked author for this post.

siqueirajr4, Mr. Natural

Reply | Quote

in fact, nearly all Windows versions (including Win7 & 8.1 and their Server 2008 R2/2012 R2 counterparts) as well as older Win10 versions have gotten new servicing stack updates this September

woody – this is unrelated but check out this recent article (and video) from ZDNet:
https://www.zdnet.com/article/microsofts-top-lawyer-trumps-huawei-ban-makes-no-sense/

2 users thanked author for this post.

Fred, woody

Reply | Quote

[Barry]

Installed all updates on my 1903 Home machine. They all installed fine,restarted fine with no apparent problems.

 

Barry
Windows 11 v22H2

• This reply was modified 3 years, 9 months ago by Barry.

1 user thanked author for this post.

Fred

Reply | Quote

Windows 8.1 x86, all updates installed no issues

Worth noting that Win 8.1 and 10 got new .NET updates, whereas Win 7 only got new update bundle (the actual .NET updates are all from previous months)

regarding Win 7 SO KB4516033 and telemetry, just neutralize it 🙂

4 users thanked author for this post.

SueW, Microfix, woody, PKCano

Reply | Quote

abbodi86: As an expert on Telemetry in windows updates, there is the following user comment (3rd down at time of writing) at Ghacks (https://www.ghacks.net/2019/09/10/microsoft-windows-security-updates-september-2019-overview/) from “Belga” which states “Added two telemetry tasks under Win 8.1!, as was the case under Win 7!” which might interest you.

I know nothing about this myself. It may or may not be true, but I just thought I would pass it on.

2 users thanked author for this post.

Microfix, PKCano

Reply | Quote

Thanks, i’m actually aware of that
but there are unfortunately very little interest in Windows 8.1 (here or in the world)

2 users thanked author for this post.

Microfix, PKCano

Reply | Quote

Where MSRT? (kb890830)

Reply | Quote

Agreed. I don’t install it any longer, but it is noticeable by its absence.

Reply | Quote

Good grief… another SHA-2 patch, a new servicing stack update and the return of telemetry (admittedly easily disabled). Another fun month awaits eh? I will not miss my patching headaches come january 2020.

1 user thanked author for this post.

Charlie

Reply | Quote

Once a DLL is installed on your system and even if a registry key is set to disable that service that does not mean that some other software can link into that DLL and pull in that symbol table and call those public functions. And MS has even better than just the symbol tables it has the source code and that includes the private unpublished functions and method calls as well.

I guess that wire-shark or some other software can track some traffic but that requires hooks into the OS provided by MS and the only way around that is a firewall router running it’s own processor/OS and code to check the packets and other such traffic. But MS can have loads of ways to hide traffic and any hidden OS functionality calling any code that’s installed on the system regardless of any registry settings.

1 user thanked author for this post.

TaskForce141

Reply | Quote

A software load Microsoft file to force running and sending telemetry to Microsoft
why anyone would code such software?

Reply | Quote

Also worth noting, Windows 7 SSU KB4516655 contain new file ExtendedSecurityUpdatesAI.dll

as the name suggest, it’s ment to handle the upcoming Extended Security Updates after Januay 2020

they are using the same approach like Windows 10 v1607 (SupplementalServicingAI.dll), which checks if the system is eligible for installing updates
since CloverTrail devices are still eligible for any Edition (not just Enterprise LTSB 2016), up to 2023

this restriction approch is solid, but can be workarouned by installing the updates offline (i.e. integration prior installation, or after installation by booting to WinPE)

back to Windows 7, we cannot know how it will work until it become effective 🙂
although, i sense that Windows Embedded Standard 7 extra support might make it easier (since it share the exact same updates with regular Windows 7)

4 users thanked author for this post.

TaskForce141, Microfix, woody, PKCano

Reply | Quote

“ExtendedSecurityUpdatesAI.dll”

That’s for the Enterprise/Volume Licensing customers that can purchase from MS Extended Windows 7 security updates until 2023. So none of the Non Enterprise/Volume licensees will get that offered.

But really it’s not hard for MS to offer that for their big customers as the Windows 8 OS Kernel is for the most part just the Windows 7 Kernel with TIFKAM on top and Windows 8.1 is the same as 8 mostly as far as the Windows OS Kernel is concerned as well.

Windows 8.1 license keys are still in the retail channels with the Pro versions being very affordable and after that’s installed there is third party software that will tackle TIFKAM and make the UI look and act like Windows 7’s UI. So consumers still have options for Windows 8/8.1 as long as there are still the available 8/8.1 license keys in the retail channels.

But those Enterprise/Volume licensing customers probably have some very expensive bespoke mission critical software that’s only been vetted/certified for Windows 7 so that’s more expensive to those clients to vett/certify, all at once, for a newer OS so MS is offering them the option to purchase extended security updates for Windows 7 Enterprise/Volume Licensing editions until 2023. It’s XP all over again but Mission Critical Software vetting/certification costs are one of the reasons that many stayed on XP and took their time converting to Windows 7. And I’ll bet that it’s the very same businesses/governmental institutions that stayed on XP the longest that will be staying on Windows 7 past Jan 2020.

1 user thanked author for this post.

woody

Reply | Quote

[warrenrumak]

The part about the Windows 8.1 kernel being “just the Windows 7 kernel” is grossly inaccurate.  It contained a lot of major refactoring work to split everything up into proper layered components (i.e. all the new files with names like api-ms-win-core-sysinfo-l1-2-0.dll).  There’s the AppContainer security model, the new “pico process” model that was later used to implement WSL, AppLocker, Control Flow Guard, and a whole bunch of other lower level stuff.  I could go on about performance improvements in the memory manager, too, to say nothing of all the more highly visible stuff like built-in USB 3 support.

Where I work, Windows 7 (and Server 2008 R2) has long been banned from use in secure environments because it lacks a lot of modern security infrastructure in the kernel.  Even if Windows itself gets patches to fix security vulnerabilities, there is still a ton of third-party software that is riddled with bugs that an attacker can exploit a system with.  The protections introduced in Windows 8 and 8.1 close off entire classes of attacks against third-party software that don’t depend on exploiting Windows itself.

People would’ve noticed & appreciated this stuff a lot more if Microsoft hadn’t thoroughly messed up the user interface.

• This reply was modified 3 years, 9 months ago by warrenrumak.

6 users thanked author for this post.

TaskForce141, PKCano, abbodi86, Microfix, woody, AJNorth

Reply | Quote

My W10 Home is now 18.362356 with No Issues as usual in my Ethernet-to-AT&T Uverse setup..

Settings Update History (3) shows Sept Cum Update, Net Frmwk 3.5/4.8, and Adobe Flash (via Edge, I think).

Control Panel (4) adds KB4515383 Svc Stack…. MSRT in Settings “Other Updates” last shows date of Aug Cum Update = 8/13/19, so maybe in a follow-up.

 

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0

Reply | Quote

Windows Vista 32 (aka Windows Server 2008), W7 Starter 32, W7 64.
ALL UPDATES AUTO / MANUAL, 32-BIT & 64-BIT, INSTALLED OK.

Reply | Quote

Microsoft has updated description of KB4516033 and KB4516065. They added file information and acknowledged the following issue:

After installing this update, you may receive an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in Event Log related to cryptnet.dll.

Links to update description and file information for each patch:

For KB4516033:

https://support.microsoft.com/en-us/help/4516033

https://download.microsoft.com/download/6/3/6/636df5b4-609a-4780-8348-1a39a6b15f08/4516033.csv

For KB4516065:

https://support.microsoft.com/en-us/help/4516065

https://download.microsoft.com/download/1/6/0/1603b576-6404-453a-905c-83d5eee371d6/4516065.csv

1 user thanked author for this post.

woody

Reply | Quote

Initial Report: Installation date 10th/11th September 2019
SMQR (Group A) from WU patches on the following three MSFT OSes.

Win7 Pro x86:
KB4474419 SHA2 v3 code signing support
KB4516065 SMQR September
KB4516655 SSU September

Win7 Pro x64:
KB4474419 SHA2 v3 code signing support
KB4516065 SMQR September
KB4474419 SSU September

W8.1 Pro x64:
KB4516115 Adobe Flash Player Update
KB4516067 SMQR September
KB4512938 Replacement SSU September

All systems exhibited NO system errors via event viewer post updates.

Post patch telemetry Checks:
HINT: As ‘Diagtrack’ service is completely removed on our systems:

COMPUTER MANAGEMENT:
Computer Management/ System Tools/ Performance/ Data collector Sessions/ AIT and SQMLogger
Computer Management/ System Tools/ Performance/ Startup Event Trace Sessions/ AIT and SQMLogger

NO change and ALL still disabled.

TASK SCHEDULER:
Application Experience (NO change all disabled)
Autochk (NO change, disabled)
CEIP (NO change, disabled)
Maintenance/ WinSAT (NO change, disabled)

SFC showed NO integrity violations an all devices.

SMQR Patching FTW!

Keeping IT Lean, Clean and Mean!

4 users thanked author for this post.

TaskForce141, AJNorth, abbodi86, woody

Reply | Quote

Can you confirm that the telemetry routines are installed with this month’s Win8.1 Security-only patch? (Just hoping.) 🙂

Reply | Quote

Only do SMQR patches no group B (gave that up over a year ago, too much hassle)
I’ll say this though, disabling diagtrack service completely in W7/W8 works without affecting integrity which may seem a ruthless method to avoid telemetry but, if needs must 🙂
DISM online will no doubt re-introduce the diagtrack service.

Keeping IT Lean, Clean and Mean!

1 user thanked author for this post.

woody

Reply | Quote

@microfix – It looks like you are installing the SSU AFTER the SMQR. Is that correct? Also, are you installing manually or are you letting Windows Update install everything? Thanks

Reply | Quote

Hey everyone. New guy here so I’m hoping I’m posting in the right place. Several of us on Reddit as experiencing start menu issues with KB4515384. When you click the start button and being to type to search for something, nothing happens at all. Uninstalling the CU fixes it.

I would copy the links to the threads but I didn’t know if that was against rules or not.

Reply | Quote

Please provide the links when you are posting information from other sites. It prevents us from waisting our time duplicating efforts/investigation.

Reply | Quote

PKCano wrote:

Please provide the links when you are posting information from other sites. It prevents us from waisting our time duplicating efforts/investigation.

https://www.reddit.com/r/sysadmin/comments/d2cqf0/kb4515384_anyone_else_having_start_menu_issues/

https://www.reddit.com/r/Windows10/comments/d2m2ue/i_installed_kb4515384_and_search_is_completely/

3 users thanked author for this post.

woody, Microfix, PKCano

Reply | Quote

So no MRT for September on Win7 Home SP1, Win7 Pro SP1, or Win10 v1903? Perhaps it comes with later updates?

3 users thanked author for this post.

wEarwOlf505cole, Geo, woody

Reply | Quote

Thabks to @PKCano (and @garf02 at MDL forums)
https://www.askwoody.com/forums/topic/servicing-stack-update-kb4516655-failed/#post-1948115

Windows 7 SSU KB4516655 is signed sha-2 only
meaning, it will require first to have KB4474419 installed and ready

so much for SSU install-first logic 😮

i believe KB4474419 don’t require any SSU to get installed, but will have to verify that

7 users thanked author for this post.

Charlie, woody, Microfix, Myst, PKCano, fernlady, geekdom

Reply | Quote

I finished testing

on clean installed Windows 7, KB4474419 can be installed directly (no SSU required)

however, SSU KB4490628 is still needed (before or after KB4474419)

otherwise, SSU KB4516655 will fail with error 0x80092004 – CRYPT_E_NOT_FOUND

did MS actually tested this scenario before they dare to supersede KB4490628?

i expect or hope they fix this mess, by releasing and keeping any new SSU as SHA1 signed (like KB4490628)

6 users thanked author for this post.

Volume Z, woody, columbia2011, AJNorth, geekdom, PKCano

Reply | Quote

KB4490628 was released March 2019:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4490628

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox115.0b2 MicrosoftDefender

Reply | Quote

[PKCano]

That is correct. And it needs to be installed on the computer before the Sept SSU.
You srill need KB3133977. KB4490628 and KB4474419 before the Sept updates.
KB3133977  was installed on this computer in 2016.
Here is my update history:

• This reply was modified 3 years, 9 months ago by PKCano.
• This reply was modified 3 years, 9 months ago by PKCano.

1 user thanked author for this post.

abbodi86

Reply | Quote

The MS support page for the September Win 7 Rollup (KB4516065) says that Both the SHA-2 and SSU (KB4474419 v-3, and KB4516655, respectively) should be installed immediately followed by a restart before the Rollup is installed.

And yet it seems as though a few people in this thread are reporting successful results by installing the Rollup first followed by the SHA-2 and SSU.

Maybe the order of the Rollup and combined SHA-2 and SSU doesn’t matter?

Reply | Quote

[abbodi86]

The order does matter if you are installing updates for the first time

for now, September Monthly Rollup (or Security Only update) do not require SSU KB4516655

they only need:
SSU KB4490628
SHA KB4474419 (any version would work)
EFI KB3133977 (if the system is UEFI, and it’s just precaution requirement, KB4474419-v3 supposedly fix the booting files issue)

KB4516655 cannot be installed until KB4474419 is completely installed (which will require rebooting to finish)

the SSU requirement might change next month(s)

• This reply was modified 3 years, 9 months ago by abbodi86.

2 users thanked author for this post.

PKCano, DrBonzo

Reply | Quote

Also see 1948832 for a sequence that worked.

1 user thanked author for this post.

DrBonzo

Reply | Quote

[KP]

Super, it fixed my 80092004.

1) KB4490628 – install successful
2) KB4512506 – reported already installed
3) KB4512486 – Security Only – install successful
4) KB4512506 – Monthly Cumulative Update – install successful

Super Thanks

Deserves mention in Patch Watch, @PatchLady

• This reply was modified 3 years, 8 months ago by KP.
• This reply was modified 3 years, 8 months ago by KP.

1 user thanked author for this post.

Fred

Reply | Quote

[KP]

Update to 2). It s/b

2) KB4474419 – already reported installed

• This reply was modified 3 years, 8 months ago by KP.

Reply | Quote

At least they updated the SHA-2 FAQ article to specify that SSU KB4490628 is strictly needed, and a restart is required after KB4474419
https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus

Reply | Quote

Something I noticed, after installing 4516033 (security only) and 4516046 (IE) on my Win 7 32-bit I saw audit failure entries for appidapi.dll and appid.sys in event logs, 2 each, but for the files in \SoftwareDistribution\Download not the installed ones in System32. A search turns up a similar event when updating in March, may have mentioned it here, or it may have been mentioned as known back then, seem to recall something?

Did a sfc /scannow while I was at it and it said it found some problems that it couldn’t fix, and while checking the log I saw that the problems had to do with files with telemetry and diagnostics in the path, usually .json files. (May well be the first time I run that command though, so no idea when it would have started detecting that.)

— Cavalary

Reply | Quote

[EP]

WHAT! KB4474419 got yet another re-release this September (as V3)?

didn’t see that one coming

• This reply was modified 3 years, 9 months ago by EP.

Reply | Quote

And it needs to be installed BEFORE the SSU!

1 user thanked author for this post.

Lori

Reply | Quote

Thank you PK for confirming my notes. I’m not the brightest light bulb but sometimes I get things right. Sitting back relaxing waiting for the DeFcon number to go up.

Reply | Quote

Not necessarily. You need some version of it before the SSU, but doesn’t have to be the last one if you don’t have the problems it fixes (or claims to fix).

— Cavalary

Reply | Quote

I don’t think so, as long as one already has the v2 SHA-2 update already installed. I installed the Sept SSU on my Win7 computers first. No reboot was required. Then I installed the v3 version of the SHA-2 update, which in all cases did require a reboot. After that, I installed the Sept SO update which of course required a reboot.

All of my computers are Win7 Group B.

 

2 users thanked author for this post.

SueW, AJNorth

Reply | Quote

You might be interested in this information.

1 user thanked author for this post.

AJNorth

Reply | Quote

Do we need the bitlocker patch for KB4516065? I don’t see it mentioned in the how to section of the support page. Only says KB4474419 and KB4516655 are needed.

Reply | Quote

If the Bitlocker patch wasn’t installed back in 2016, it should have been installed with the Aug. updates. You don’t need to install it again.

1 user thanked author for this post.

GoneToPlaid

Reply | Quote

I skipped the August rollup and the bitlocker patch due to the problems people were having. I only installed KB4474419 in August.

Reply | Quote

? says:

oh, darn i forgot to install the bitlocker kb 3133977 from what three years ago? and the August sha v-2 plus IE, and SO installed just so fine? funny how disk cleanup\DISM removes the March KB4474419 sha-v1 and i wonder if after applying the the third try latest sha-v3 if the August sha-v2 will go away during cleanup? and as for installing this month’s Security Only WinX telemetry files at this late stage of the game, well i’m with the person who posted yesterday up above saying “Spy in the buttermilk…”

i guess i’m off the the local Micro Center for more Win 7 EOL last stand supplies becuase based on Microsoft’s less than stellar performances over the last few years i think the real fun is only just beginning…

Reply | Quote

Not sure this is the place to ask this, but I’m having a heck of a time
trying to figure out how to download and manually install a patch. What
I usually end up doing is clicking on “check for updates” and taking
everything Microsoft gives me after the newsletter says it’s okay. I do
have automatic updates turned off and get nothing from Microsoft without
checking for updates. Checking on the forum gives me no information I
can use or understand. Thought I was an Intermediate, but feel a lot like a novice.

If someone could steer me toward the answer on the forum or provide a short
“go by”, it would be so much appreciated.

Reply | Quote

Go to the MS Update Catalog.
Enter the patch number (without the KB), for example 3133977.
It will take you to a list of the OSs that are elegible for that patch.
Be sure you choose the right OS and the right bitedness for your computer(x86=32-bit, x64=64-bit)
Click on download and save the file to your computer.
Double click on the file and follow the instructions.

1 user thanked author for this post.

DnnSmm

Reply | Quote

or if you are using Win7 or Win8.1 visit: AKB2000003

Keeping IT Lean, Clean and Mean!

1 user thanked author for this post.

PKCano

Reply | Quote

Another notice, regarding msu files download links from MU catalog

this month 1809 cumulative KB4512578 have issues downloading the x64 msu file
the default link we get from catalog

sometimes

gives corrupted smaller file 227.87 MB

http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4512578-x64_f4b0236517a3cbe635660042e4052971cf4307cb.msu

to make sure you get the correct file, add fg.ds. prefix

http://fg.ds.download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4512578-x64_f4b0236517a3cbe635660042e4052971cf4307cb.msu

maybe there are other files affected, but this is the one i saw reports about and vrified myself

1 user thanked author for this post.

PKCano

Reply | Quote

Group A,  Win7X64, Home Premium, home user.  AMD.  Took everything.  No problems so far to report.

2 users thanked author for this post.

Myst, fernlady

Reply | Quote

Hi Geo, when you took everything and restarted:

Was it a normal looking restart, or one of those unusual double restarts?

After allowing things to settle in, did you run an additional “check for updates” that returned an empty queue?

I’m asking because of the discussion over a new SSU further up this page. Thanks for posting. (I will be waiting on these updates or I would also share my own experience)

Reply | Quote

See #1948625.
I used Windows Update to do the Group A installations.
The Sept SSU does not show up until the Importnat queue is empty (as usual) and has t be installed by itself.
No double boot during one install, it just has to be two installs b/c the SSU shows up after all the rest and a reboot.

1 user thanked author for this post.

Myst

Reply | Quote

Thank you PKCano, that is the the way I read your discussion. Because of the need for a second check from an empty queue, I wondered if Geo had found the same, did not find the same, or had not done the additional check. I presume that all machines that are set the same, would see the same.

Reply | Quote

[Geo]

After updating I had a normal restart.  Afterwards the SSU showed up and I downloaded that.  Same thing normal restart.  Group A, W7X64, home premium, home user.  AMD.

• This reply was modified 3 years, 9 months ago by Geo.

2 users thanked author for this post.

TaskForce141, Myst

Reply | Quote

[GoneToPlaid]

Hi everyone,

Following are my notes about installing the Sept updates on my Win7 Group B computers.

First, note that we are at Defcon 2 for all September updates.

Second, most of you all probably do know to wait 10 minutes after rebooting your computer, if an installed update told you that you must reboot your computer, before proceeding to install additional updates. The reason for the 10 minute time delay is to allow Windows to have fully completed its three stages of the OS boot process.

Third, updates during the past few months do have a bug which you may or may not experience. After installing an update and clicking on the Restart button which is presented by the update’s installation process, please instead click on Cancel. Then reboot your computer via the start menu’s Start >> Shut down >> Restart method. Doing so will prevent a potential hang when rebooting, and will prevent erroneous Event Viewer messages that the installed update failed.

Fourth, I have no idea about what bugs (if any) are in the Group A September Monthly Rollup for Win7 computers. Microsoft does have a track record of late for breaking things in IE.

With the above said, we are at Defcon 2! Do not install updates until Woody moves us to either Defcon 3 or 4.

Today I decided to install some of the September updates on my Win7 Group B computers. The updates were installed in the following order as detailed.

KB4516655 — September Servicing Stack update for Windows Update. This update installed just fine, and it did not require me to reboot my Win7 computers. You can get KB4516655 straight from Microsoft at:

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4516655

KB4474419 — Version 3 of the SHA-2 update with the same KB number. KB4474419 was updated on September 10, 2019 to include boot manager files to avoid startup failures on versions Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2. Seriously? Really? One would think that Microsoft would have thought to make sure that KB4474419 included boot manager files which are needed for EFI boot in KB4474419’s first incarnation! Or am I just too stupid to understand how Microsoft does anything. Anyway, this update must be installed by itself, as in not installing any other updates at the same time. You will have to reboot your computer after installing this update. You can get KB4474419 straight from Microsoft at:

https://www.catalog.update.microsoft.com/search.aspx?q=kb4474419

Presently, I do think that the above two updates are not safe to install. In my opinion, the KB4474419 September Servicing Stack is a no-brainer to go ahead and install. I also think that KB4474419, the version 3 of the SHA-2 is a no-brainer to go ahead and install since it belatedly includes the boot manager files which are needed in order to prevent boot failures for some Win7 computers. When booting vie EFI, if Windows can’t find it or if the required files were not updated in the EFI boot partition, then Windows will not boot. Recovery from this scenario can be a royal pain.

Again, we are at Defcon 2. The above two updates, at least to me, appear to be safe to install, as in no issues whatsoever.

The next item is the September Win7 SO update, KB4516033. This update provides protections against a new subclass of speculative execution side-channel vulnerabilities. This update also provides important security updates for a lot of core Windows stuff. I had no issues installing this update on my Win7 computers. Yet I do note that my Win7 computers were running noticeably slower for around a half hour after installing the Sept Win7 SO update. Maybe Windows Indexing was running? Maybe .NET had to re-optimize all programs which use .NET? I don’t know, and I don’t care since this slowdown went away sometime around a half hour to an hour later. My money is on .NET performing re-optimization of programs which use .NET.

Anyway, the Win7 September SO appears (at the time being) to be okay to install. Yet I do NOT recommend that you install it until Woody gives the all clear via his Defcon system. You can get KB4516033 straight from Microsoft at:

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4516033

• This reply was modified 3 years, 9 months ago by GoneToPlaid. Reason: fix a typo

3 users thanked author for this post.

SueW, TaskForce141, AJNorth

Reply | Quote

Greetings GTP,

Presently, I do think that the above two updates are not safe to install.

With respect, might you have intended to convey that those two updates are safe to install?

 

Or am I just too stupid to understand how Microsoft does anything.

Well, once again I shall invoke that classic routine from more than eight decades ago:  “Who’s on first?”

Cheers,

AJN

Reply | Quote

Hi AJNorth,

Yep, a typo. I meant to say that the September servicing stack update and the v3 SHA-2 update do appear to be safe to install. Thank you for catching that error.

Best regards,

–GTP

 

1 user thanked author for this post.

AJNorth

Reply | Quote

Hi GTP, thank you for your excellent post of installing the Group B patches. While I see you mention the 10 minute wait after an install, I will not argue. If people are willing to wait 10 minutes then great. I never have. Three to four minutes or when the hard drive light stops flickering wildly is sufficient for me. I have not had any failed installations and I do occasionally examine the event logs. It is never a patch I just installed if there are any errors, they are the same “dumb” errors MS had on this computer for years, like it could not find a printer port because there isn’t one nor a printer.

“…note that my Win7 computers were running noticeably slower for around a half hour after installing the Sept Win7 SO update. Maybe Windows Indexing was running? Maybe .NET had to re-optimize all programs which use .NET?” That is a good observation and assumption. I have wondered the same. It could be Windows Indexing and if any .NETs were installed the “NGEN” would run the MSCORSVW process and rebuild the .NET image. I post this every time I have a .NET in a patch month and force .NET to rebuild NOW! not later in 30 minutes:
http://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx

Lastly, don’t forget to let the computer sit 45 minutes to allow “Process Idle Tasks” to initiate, or force it manually like the .NET NGEN with this administrative command prompt command: rundll32 advapi32.dll, ProcessIdleTasks

Thank you again GTP. Your posts are always thought out, very informative and well done. I see you post frequently and you have helped a lot of people here.

2 users thanked author for this post.

SueW, GoneToPlaid

Reply | Quote

Hello GTP and Admins. When I posted the command to force Idle Tasks I did not have a space after the comma. Does your Web Software do corrections?

The Administrative Command is: rundll32 advapi32.dll,ProcessIdleTasks

A space between rundll32 and advapi32,dll a comma, no space, then ProcessIdleTasks

With capital letters for the words, Process Idle and Tasks.

Thank you.

Reply | Quote

[geekdom]

After you post, you have 15 minutes to edit your post.

Edited to add: unless you are anonymous and under that circumstance you cannot edit a post.

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox115.0b2 MicrosoftDefender

• This reply was modified 3 years, 9 months ago by geekdom.

Reply | Quote

I meant to say that I think that the servicing stack update and the version 3 of the SHA-2 update are safe to install.

Reply | Quote

Phew!

After reading this marathon thread am I the only one who thinks Microsoft is going for a ‘last ditch effort’ to seriously mess up Windows 7 prior to end of patching next January?

Why else would they go to so much trouble with this SHA-2 business and all the other ‘botched’ updates (and procedures for getting around them which mostly need to be figured out by trial and error) for an operating system with 4 months left until end of life?

This isn’t really surprising when you look at their past efforts to mess up Windows 7 since the release of Windows 10 over 4 years ago.

Hold on to your hats, I believe the worst is yet to come over the next 4 months…

PC1: Gigabyte B560M D2V Motherboard, Intel i5 11400 CPU, 16GB RAM, NVIDIA GeForce GTX 1650 Graphics Card, 1x Samsung 870 EVO 250GB SSD, 1x Samsung 860 EVO 250GB SSD, Windows 10 Professional 22H2 64bit.
PC2: Asus H81M-PLUS Motherboard, Intel i3-4160 CPU, 16GB RAM, NVIDIA GeForce GTX 1050 Graphics Card, 1x Samsung 870 EVO 250GB SSD, 1x Samsung 860 EVO 250GB SSD, Windows 10 Home 22H2 64bit.

1 user thanked author for this post.

TaskForce141

Reply | Quote

[abbodi86]

Carl D wrote:

Phew!

After reading this marathon thread am I the only one who thinks Microsoft is going for a ‘last ditch effort’ to seriously mess up Windows 7 prior to end of patching next January?

Why else would they go to so much trouble with this SHA-2 business and all the other ‘botched’ updates (and procedures for getting around them which mostly need to be figured out by trial and error) for an operating system with 4 months left until end of life?

This isn’t really surprising when you look at their past efforts to mess up Windows 7 since the release of Windows 10 over 4 years ago.

Hold on to your hats, I believe the worst is yet to come over the next 4 months…

Windows 7 Embedded is still supported to October 2021 (that’s 22 months beyond January 2020)

they also need to secure and lockdown update mechanism for the Extended Security Updates offer (specially for the virtual Azure cloud instances)

based on the new SSU KB4516655, this mechanism will mostly depend on special certificates chain to determine eligibility

• This reply was modified 3 years, 9 months ago by abbodi86.

6 users thanked author for this post.

AJNorth, TaskForce141, woody, Myst, Microfix, PKCano

Reply | Quote

I really do not think that Microsoft will sabotage W7 for nefarious reasons. They probably have their less skilled, less experienced coders on it, but these individuals are still going to see W7 through to EOL with a degree of professionalism and pride.

The worst that is yet to come is more likely going to be the barrage of ads promoting W10 that all W7 and W8 users will be subjected to. Not so subtle references to how important updates are to securing ‘your personal computing experience’. It’s going to be all about marketing, not sabotage.

Also, MS is counting on the W7 requisite hardware to not last much longer as they have the new hardware under wraps – W10 only.

FWIW: This is pure speculation on my part, but I think that Microsoft will quietly treat W8 as abandon-ware soon after W7 eol. The outcome of this, even with so few users … uncertain.

2 users thanked author for this post.

abbodi86, PKCano

Reply | Quote

Interestingly, my two Dell XPS computers (a desktop and a laptop), both Win 7 Home x64 SP1, required KB3046017 downloaded and installed prior to downloading and installing the new SSU, but after installing the first three updates (monthly update, daily virus definitions, and latest version of the prior old SSU). My HP desktop with Win 7 Pro x64 SP1 did not require the old KB3046017 update. I wonder what that was all about.

 

Reply | Quote

Installed windows 10 update 1903 this morning slowed machine down made outlook 2010 crash had to reverse update is this a common problem

Reply | Quote

It seems the Search function is causing some 1903 machines to redline. This may be what you experienced. Best to wait for now on the Sept. update.

Reply | Quote

Hmm, Windows Update does not have the MSRT (malicious software removal tool), KB890830, for September 2019.  I cannot recall a month where this ubiquitous update has not been offered.

Reply | Quote

According to Microsoft, https://support.microsoft.com/en-us/help/890830/remove-specific-prevalent-malware-with-windows-malicious-software-remo

“No update is available for September 2019.” That answers the question of why MSRT hasn’t appeared in Windows Updates for September.

Win 10 ver. 22H2 x64

3 users thanked author for this post.

SueW, columbia2011, b

Reply | Quote

[Geo]

Group A , Win7X64,  home premium, home user, AMD.  Did update.  I don’t  take the the .net updates.  Did other updates.  Normal restart.  Went back in and the SSU update showed up.  Downloaded the SSU.  Once again normal restart. No problems. I also never take any previews.

• This reply was modified 3 years, 9 months ago by Geo.
• This reply was modified 3 years, 9 months ago by Geo.

1 user thanked author for this post.

geekdom

Reply | Quote

Woody, this may be outside of your realm but my event viewer shows multiple, continuing and completely unauthorized access of my W7 Pro   (Dell XPS 8700) machine since I deleted the Dell Utilities found to have RCE vulnerabilities.

Just today‘s samples include those shown below.   Dell heatedly denies making any unauthorized access to machine.   Any suggestions?

Either way, continuing thanks for your help thus far and your web site.

Bob Meijer

Driver Management has concluded the process to add Service BCMH43XX for Device Instance ID USB\VID_0846&PID_9011\6&320464AE&0&1

Driver Management has concluded the process to add Service vwifibus for Device Instance ID USB\VID_0846&PID_9011\6&320464AE&0&1

The Background Intelligent Transfer Service service entered the running state.

The SoftThinks Agent Service service entered the running state.

The Microsoft .NET Framework NGEN v4.0.30319_X86 service entered the running state.

Driver Management concluded the process to install driver FileRepository\bcmwlhigh6.inf_amd64_neutral_0a0bdc44d6d79ff2\bcmwlhigh6.inf for Device Instance ID USB\VID_0846&PID_9011\6&320464AE&0&1

Reply | Quote

Bob, you should be able to remove the Dell support and similar via programs and features uninstall.

See: How to Uninstall Dell Support Center, https://www.dell.com/support/article/us/en/04/sln113650/how-to-uninstall-dell-support-center?lang=en from DELL Support.

“The SoftThinks Agent Service service entered the running state.” this is a DELL backup program.

Softthinks Agent Service, https://www.dell.com/community/Windows-10/Softthinks-Agent-Service/td-p/4734765 from DELL-Jesse L Moderator.
“SoftThinks Agent Service, a component of the Dell DataSafe Local Backup utility.” and “If you do not plan on using the program you could uninstall it and it should remove the Agent as well.”

If you have already uninstalled these items from your DELL, you may consider:

1) in file manager, look for any leftover files or folders that dealt with the items you uninstalled. You may find a few left behind. Double check they are those files with an internet search and if they are left behind, delete them.

2)Run Ccleaner (version 5.29 or 5.30 prior to AVAST) and have it clean your drive. After deletion of temp files, etc., run the registry cleaner portion of Ccleaner. It will probably find left over registry entries. I have used Ccleaner since version 1.x and it is a very well behaved program. I, my relatives and friends all use it and I used it daily at work (computer repairs).

3) in Ccleaner tools, startup, windows look for any startup items you do not need starting every time and disable. In tools, startup, Scheduled Tasks, look and see if anything catches your eye there.

4) WHILE IN Ccleaner, go to tools startup, Browser Plugins and see if any add-ons or plug-ins catch your eye you do not want for each browser you may have.

I have used Ccleaner to clean and remove old items and even malware.

I hope this helps you.

Reply | Quote

Please stay on topic
This thresd is about September Patch Tuesday, NOT Dell Utilities.
Off-topic posts are subject ot removal.

Reply | Quote

Bob Meijer, PKCano is right. This Dell issue is getting a little off topic. You might want to start a new topic or have yours moved. If you or they do, I will find it and continue to try and help.

Reply | Quote

Applied the KB4515384 Cumulative Update to 4 machines using Win 10 1903.  On 3 of the 4 machines, it made Pin Login Unavailable.  I uninstalled the update on 1 machine, and it did not fix the problem.  I’ve tried numerous suggested fixes/changes in Group Policy, etc., and nothing has fixed the problem.  No other problems have been noted yet.

Reply | Quote

There are other details to getting to this point, but found a solution, after trying 10-15 other suggestions.  Delete the contents of the folder C:\Windows\ServiceProfile\LocalServices\AppData\Local\Microsoft\Ngc , then reboot, and your prompted for the Pin login again.  Don’t know why it’s requiring a 6 digit PIN, because I’ve never set that rule.  The files in the Ngc folder will be rebuilt when you reboot.

1 user thanked author for this post.

woody

Reply | Quote

See https://www.askwoody.com/2019/yet-another-bug-with-this-months-win10-1903-cumulative-update-pin-knockout/

Could you elaborate (over on that thread) what exactly “Pin Login Unavailable” means? Did you lose your old PIN? Did you try to create a new PIN and had problems?

Reply | Quote

Win10 1803 64 bit.  Downloaded and installed KB4512576 SSU and KB4516058 September update, stable for 3 days.  Used WU Mgr and installed September Office 2013 updates, no issues.

Reply | Quote

Windows 7 Pro SP1 x64 KB4516065, kb4516655 and KB4474419 installed last week and have not had any issues with these patches at all. Happy Days! albeit numbered

1 user thanked author for this post.

Myst

Reply | Quote

In reference to KB4516655 for Win 7:  I checked my Windows Update (WU) to see if this was on the list.  It is currently not on WU but I have the other updates as mentioned by Susan Bradley on the Windows Secret newsletter today.  Based upon my reading of discussion in forums on this topic, I know that I need to install KB4516655, by itself, before doing the other Sept updates when given the all clear by Woody.  I believe that KB4474419 should be installed before this update. Is that correct?   Already have KB4490628-installed in March.  I am just trying to make sure that I am interpreting the responses on the forum correctly.  Thank you to all of you who make this site the best for Windows information.

Reply | Quote

I have been letting Windows Update do the installing and had no problems.
See the install order in post #1948625 above.
I know this is not the usual order, but it works without any trouble.

Servicing Stack KB4516655 will not show up in Windows Update Important queue until all other updates have been installed or hidden.

Reply | Quote

Thanks for your response.  Operating system:  Win 7 Pro.  I checked for KB3133977 and appear not have it installed.  I looked up KB3133977  and it includes Win 7 Pro in the applies to section.  It appears that this is for BitLocker.  I do not use, as far as I know, Bitlocker.  The KB article says that if you have an ASUS mainboard, there are issues with this update.  I have a ASUS P8P67 with an Intel Core I7 @2600 which is probably why I did not install KB3133977.  However I have installed KB4490628 successfully and KB4474419.  Now WU is showing KB4474419 again, which Susan Bradley pointed out in the Ask Woody Pluss newsletter this morning.  I plan to install KB4474419, Sept 10, 2019 version, before doing the rest of the updates.  I did research on KB4516655 and found that “There are no prerequisites to apply this update.” in the KB article.   Since KB4516655 replaces KB4490628 and I have successfully installed KB4490628, can I just install the KB4516655 and avoid the issues with ASUS motherboards and KB3133977?  Thanks very much.

Reply | Quote

To install KB3133977:  instructions for ASUS motherboards are linked here.
You can try to install Servicing Stack KB4516655.
FYI, there have bee three versions of KB4474419, dated 3/11, 8/12 and 9/9.

Reply | Quote

Hi RM,

You really do need to install the Bitlocker update KB3133977, yet only after you have printed the ASUS instructions which PKCano linked to. You probably will not experience this issue, unless you took special steps to install Windows 7 to use EFI boot. Anyway, the ASUS fix for this issue is easy to implement so long as you have full access to your computer’s BIOS.

PKCano also mentioned that there are three versions of KB4474419, dated 3/11, 8/12 and 9/9. The previous two versions were superseded by the latest 2019-09-09 version. You only need to install the latest v3 version which you can get from here:

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4474419

In the above link, look at the top third of the list for the appropriate update for your version of Windows 7 which is dated 9/9/2019.

Best regards,

–GTP

 

Reply | Quote

Windows 10 1809. KB4512578 scare me.

Highlights :

Updates for verifying user names and passwords

What exactly does this patch do ? Afraid to be locked out of my pc after applying the patch (I have no user-password).

https://support.microsoft.com/en-us/help/4512578/windows-10-update-kb4512578

Reply | Quote

Make a full disk image.
Install the CU
Restore the image if necessary.

Reply | Quote

[Alex5723]

PKCano wrote:

Make a full disk image.
Install the CU
Restore the image if necessary.

I have a full image with daily incremental updates, but still curious what exactly verifying user names and passwords mean.
Anyway, we are still at Defcon 2 🙂

• This reply was modified 3 years, 8 months ago by Alex5723.

Reply | Quote

Well, I installed that last week on my 1809 system… and stopped being able to authenticate to Office 365 with Outlook or other MS Office applications. No new mail in Outlook, …

Not restricted to MAPI – Outlook cannot authenticate with other protocols either.

Still working: OneDrive, Teams, browsers (haven’t tried IE or Edge), Thunderbird, LibreOffice, etc. Oh and all other computers tried so far.

Reply | Quote

Oh well, whatever it was, it got fixed after the Office applications got today’s Click-to-Run update.

Had to do a full repair to get that to install successfully though, so don’t try that on a slow line or a metered connection – it apparently redownloaded the entire MS Office suite…

Reply | Quote

I installed the September updates for a Win7 x64 machine and noticed 2 issues:

1) The HIPS protection is constantly popping up now because of applications wanting to terminate taskhost.exe. This includes common applications like 7-Zip and MPC-HC.

2) Speaking of MPC-HC, video doesn’t resize when going fullscreen.

With both of these combined, it feels like there’s some fundamental behavior the patch changed.

Anyone else get these issues?

Reply | Quote

I tried uninstalling the monthly roll-up. That fixed #1, but #2 remains. I also uninstalled the .NET security rollup but that didn’t fix #2, so I’m not sure what else it could be… unless it’s something crazy like the office updates screwing with it.

Reply | Quote

A report from the field:

Thirteen Win 7 Pro x64 machines have been successfully updated.  The installation procedure for each update (installed in descending order):

All applications were closed and all antimalware temporarily disabled.

Upon installation, if a “Restart Now” box appeared, it was cancelled and the Process Explorer opened (run as Administrator), with the TrustedInstaller monitored until its activity ceased.

A manual restart was then performed, and the ProcessExplorer reopened (as before), monitoring the TrustedInstaller until its activity again ceased.  The next update was then installed.

KB4474419 x64 (SEPTEMBER 2019 SHA-2 Code Signing Support for Windows 7 – V. 3)

KB4516655 x64 (SEPTEMBER 2019 Servicing Stack Update for Windows 7)

KB4516046 x64 (SEPTEMBER 2019 Win 7 IE Cumulative Security Update)

KB4516033 x64 (SEPTEMBER 2019 Win 7 Security Only Quality Update)

The .NET updates for 4.7.2 and below will be installed at Defcon 3 or above (.NET 4.8 has yet to be installed).

After the last update (KB4516033) was installed and the Process Explorer showed that the TrustedInstaller had finished, one more restart was performed.  Several apps were then tested; no issues were found.

(Note: in an earlier post above, ‘anonymous’ reported issues with 7-Zip and MPC-HC after updating.  All thirteen machines have 7-Zip x64 installed (v. 19.00), and three have MPC-HC Portable (v. 1.8.7 x64); none appear to have any difficulties with either one).

 

After machine number thirteen was completed, a wee tad of bourbon was applied (to the tech, that is — for medicinal purposes only).

1 user thanked author for this post.

SueW

Reply | Quote

Hi AJ,

Thanks for responding. Interesting you have 1.8.7. The latest stable release on the main website is 1.7.13 and that one had issues. I added MPC-BE to the machine since it’s a fork that’s still being developed and that one worked fine (regarding the full screen video).

As for 7-Zip, did the machines you worked on have HIPS protection? The machine was giving prompts about allowing 7-Zip and other applications to terminate taskhost.

After uninstalling the Sep 2019 monthly rollup, behavior went back to before.

Reply | Quote

Greetings,

You’re more than welcome.

It is interesting that the MPC-HC home site is not offering the latest version, so below are two links to the current version.

Via Softpedia (which also offer the portable version, which I prefer):

https://www.softpedia.com/get/Multimedia/Video/Video-Players/Media-Player-Classic-Home-Cinema.shtml

and MajorGeeks: http://www.majorgeeks.com/files/details/media_player_classic_home_cinema.html .

I was unaware of the MPC-BE fork, which looks interesting; thanks.

The only HIPS protection on these machines is that provided by WinPatrol and / or Malwarebytes Premium (other anti-malware also have this feature, including Avira and Comodo).  Which are you using?

Taskhost.exe is a core system-level process for Win 7 (you can read more about it at https://www.ghacks.net/2010/05/12/taskhost-exe-process-explained/).

As it runs in multiple instances, that 7-Zip and some other apps are killing them after the update is very puzzling, and one I have neither seen nor can replicate.  If you suspect that this somehow has to do with HIPS protection, then you might try disabling it and see if that eliminates to problem (with the update installed).

Another possibility is that there is a malware infection involving taskhost.exe that is triggered by cartain apps (you can do some searches about that online; here is one example: https://www.bleepingcomputer.com/virus-removal/remove-taskhostw.exe-and-windows-update-checker-miner).

Good luck.

Reply | Quote

It’s an old one. It’s Outpost Firewall Pro’s HIPS system.

7-Zip functioned regardless of whether I allowed or blocked it from terminating taskhost. I don’t recall actually seeing the the process list change when I allowed it.

I tried with 3 applications, and they all involved file handling, so I wonder if the commonality was the three applications using some windows filehandling API/function that was causing that behavior (and the Sep update changing that API/function).

Reply | Quote

Have you tried utilizing the built-in System File Checker (SFC) tool (sfc /scannow)?

It can cure a great many disparate issues affecting Windows.

In addition, there is an augmentation to it known as DISM (Deployment Imiging Service and Management).  Though it is a feature in WIN 7 and above, for WIN 7 one needs to first download the System Update Readiness Tool to use it.

Here are some how-to articles.  I strongly recommend perusing them, perhaps even a few times, before beginning; also, creating your own outline of procedural steps and writing it down can be exceedingly helpful (recall the old Chinese proverb, “Measure twice; cut once.”):

https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system

https://www.lifewire.com/how-to-use-sfc-scannow-to-repair-windows-system-files-2626161

https://neosmart.net/wiki/sfc/

https://www.ghacks.net/2018/03/16/use-dism-to-fix-issues-sfc-cant/

https://www.howtogeek.com/222532/how-to-repair-corrupted-windows-system-files-with-the-sfc-and-dism-commands/

Hope this proves useful; good luck.

AJN

Reply | Quote

Microsoft has just released newer IE patch for the following versions of Windows: 7, 8.1, Server 2008, Server 2008 R2, Server 2012, Embedded Standard 7, Embeded Standard 8. It replaces KB4516046 (the Patch Tuesday one, group B). It seems to be patch for CVE-2019-1367 (remote code execution). It is Catalog-only update.

Source:

https://support.microsoft.com/en-us/help/4522007/cumulative-security-update-for-internet-explorer

Link to catalog:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4522007

Notice: we are still on DEFCON2 with Patch Tuesday updates and KB4522007 has just been released, so there may be (unknown yet) issues with it.

3 users thanked author for this post.

abbodi86, woody, Microfix

Reply | Quote

CVE-2019-1367 link partial quoting:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system…..

Keeping IT Lean, Clean and Mean!

1 user thanked author for this post.

woody

Reply | Quote

My MBR was destroyed by KB4512506 and since then I have not installed any updates and hidden it.

My update panel is showing

2019-09 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 and Server 2008 R2 for x64 (KB4514602)
Download size: 33.5 MB

2019-09 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4516065)
Download size: 288.9 MB

2019-09 Security Update for Windows 7 for x64-based Systems (KB4474419)
Download size: 53.2 MB

Security Update for Windows 7 for x64-based Systems (KB2532531)
Download size: 406 KB

Security Update for Windows 7 for x64-based Systems (KB2912390)
Download size: 2.8 MB

Security Update for Windows 7 for x64-based Systems (KB3035126)
Download size: 535 KB

Security Update for Windows 7 for x64-based Systems (KB3110329)
Download size: 16.1 MB

Security Update for Windows 7 for x64-based Systems (KB3156016)
Download size: 735 KB

Windows Malicious Software Removal Tool x64 – June 2019 (KB890830)
Download size: 44.5 MB

Am I safe to install these as the complete destruction of the MBR has made me slightly hesitant
Many thanks

Reply | Quote

There are some things you need to know about installing KB4512506. If you were not aware of them, you may have experienced a problem.

First, there were some prerequsites for installing KB4512506. KB3133977 (a 2016 Bitlocker patch), KB4474419 (SHA-2 Coding dated 8/12 but better 9/9/2019), and KB4490628 (April 2019 Servicing Stack). There was a caution on installing KB3133977 if you have an ASUS motherboard. That may have been the problem you ran into. See #1940976 and the Blog Article here, both contain the link to the solution which was caused by ASUS.

Going forward from there:
Win7 Monthly Rollups are CUMULATIVE. That means that this month’s 2019-09 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4516065) will contain all past months’ Rollups. Which means KB4516065 contains KB4512506. So you will need to resolve the problem with the latter before you install the former.

If you uninstalled KB4512506 to solve your problem, that would account for the older updates showing up. Once you reinstll KB4512506, they will probably disappear.

Now for the September updates:
We are still on DEFCON-2, which means WAIT to install them.
I have installed KB4516065 CU, KB4474419 SHA-2, MSRT, and KB4516655 SSU on a test VM without any problems. But that is in a TEST environment, not on production machines.

Reply | Quote

In Response to PK Cano post number 1952969 and Gone to Plaid post number 1953363:  Sorry for the late response but had another crisis (non computer) to deal with.  I managed to print the ASUS bios update directions and tried to follow them.  The directions are for UEFI BIOS.  When I was able to check the bios on my computer I found that they are EFI BIOS and the directions do not work.   My EFI bios does not have any listings for secure boot under all category headings including Advanced.  So my question is:  Since my computer is running EFI bios, do I need to install KB3133977 since it appears to be for UEFI bios? In other words, what do I do now?  Thanks very much for your assistance on this topic.

Reply | Quote

If you do not feel the instructions apply to your computer, you should be able to install KB3133977.

Reply | Quote

UEFI and EFI are the same thing. Since you don’t see any Secure Boot option in your BIOS, this would indicate that ASUS did not enable Secure Boot within your computer’s BIOS for Windows 7. As PKCano mentioned, you can install KB3133977. If you upgrade to Win8.1 or Win10, then Secure Boot would get enabled in the BIOS.

Reply | Quote

reply to PKCano post #1964746 and Gone to Plaid post #1964783:  After checking my BIOS again, I came to the conclusion that the BIOS on my computer was released before ASUS went to the Secure BOOT configuration. The computer is not a factory computer but a computer I had custom built to meet my requirements for CAD/CAE and it was probably built before Secure Boot.  I installed KB3133977 and the computer rebooted without any immediate issues.  Now I am ready to be able to install the updates for Sept when given the OK from Woody.  Thank you very much for assisting me with this issue.  It is appreciated.

Reply | Quote

Hi RM,

Are you on Group A or Group B? Just curious. Either way and now that you installed KB3133977, go ahead and install these two updates, in this order:

KB4516655 (the September Windows Update Servicing Stack Update). No reboot should be required.

KB4474419-v3 (version 3 of the SHA-2 Code Signing Update). This update does require a reboot. When asked to reboot, click Cancel in order to close Windows Update. Then reboot your computer. This method gets around a bug (actually a hang) which is seen on some computers if you instead click on the Restart button in Windows Update.

I am on Group B. I then installed kb4516033 (September Security Only Update) without any issues. If you are on Group A, wait for the all clear before installing KB4516065 (September Monthly Rollup).

I have installed the September IE Cumulative Update with no issues. I have not updated .NET since I like to wait a month or two in order to see if anything hits the fan with .NET updates.

Best regards,

–GTP

 

Reply | Quote

This is a reminder that we are still on DEFCON-2 and September patches have not been given the go-ahead yet.

Reply | Quote