Win7 security patch KB3146706 causing problems?

Topic

New Reply

I’m seeing lots of reports of MS16-044 / KB 3146706 throwing errors – most commonly blue screen 0x0000006B – that go away if the patch is removed. Rem
[See the full post at: Win7 security patch KB3146706 causing problems?]

Reply | Quote

Replies

Confirming your observation, Woody, as of 4/15 this is how we’re seeing the patch initially presented in Windows Update:

http://Noel.ProDigitalSoftware.com/ForumPosts/Win7/SecurityPatchUnchecked.png

I asked some users… It’s a testament to how strongly we’re all conditioned from a lifetime of Windows Updates that many people’s first response to seeing an unchecked update is generally not “better avoid this”, but rather, “Gee, look at that. Well, I’ll go ahead and select that one too, what could go wrong?”

…go wrong?
…go wrong?
…go wrong?

-Noel

Reply | Quote

My WU is set to check for updates only. Wednesday it showed there were eight important updates that were all checked, and one optional update that wasn’t. On Thursday morning all the updates were sill showing, but KB3146706 no longer had a check mark next to it.

Reply | Quote

HA! I’m still tickled by all the people who are posting about their delays in seeing Win7 patches – when I most definitely do NOT recommend that people install Win7 patches at this time.

Now it should be obvious why….

Reply | Quote

Woody, KB3146706 came in with the other Win 7 updates on my machine as”unchecked”. It goes without saying when you give the OK, if still unchecked it gets hidden.

iPhone 13, 2019 iMac(SSD)

Reply | Quote

I bet Microsoft pulls it over the weekend.

I feel sorry for the folks in China who have installed it already. Highly likely it’s a conflict with a program that’s widely used in China – just like the Brazilian blue screen three years ago.

Reply | Quote

https://social.technet.microsoft.com/Forums/en-US/7a681da9-d1d3-4566-a13d-55af0de0f2a5/problem-with-application-hangs-due-to-emet-55-eaf-mitigation-after-windows-7-april-2016-updates?forum=emet

Apparently, there is a problem with updates KB3146706 and KB3147071 for users with 32-bit Windows 7 with EMET, and EAF mitigation is enabled.

Maybe lots of folks in China have this configuration.

Reply | Quote

Well, it’s strange it’s always the OLE patch that have the same problem on and on and on

Reply | Quote

Woody, In case you don’t already know it, the 4-14-16 Windows Secrets/Susan Bradley article says to Install KB3146706. Who knew??

Reply | Quote

Since when does not selecting an update by putting a mark in the checkbox lead to it being hidden?

That doesn’t seem to go without saying, unless you’re using the terms less strictly than I am (as in, “hidden” meaning it shows up in the list that appears when you choose “Restore hidden updates”.

-Noel

Reply | Quote

“Hidden” has a precise definition. No, it’s not hidden automatically. It’s just ignored.

Reply | Quote

I’m sure this will come as a surprise to Susan…

Reply | Quote

There is a slight problem with hiding updates which get pulled or modified and pulled like 2952664. They cannot be restored and are left as phantom entry in the WU database. I am wondering how good this is for the WU performance in general or if it matters at all. This is the main reason why I keep insisting in my replies that hiding updates is not the best practice.

Reply | Quote

There are reports about this patch increasing the reboot time too.
Not sure if being unchecked makes it a candidate for pulling. There are few explanations for this, the one preferred by Susan seems to be throttling server-side. However this should appear in the logs as “regulation”.
There are also the current Office Update patches. Last month all update non-security patches were not ticked by default although rated as important. This month instead, the March 2016 patches are ticked, while the April 2016 Office Updates are not ticked. It may just be Microsoft doing additional testing post-release which is not quite “normal” to say so, although there is not much normality left in the WU update process in general.

Reply | Quote

Once again, another prime example of Microsoft’s incompetence… I’m starting to wonder if Microsoft is doing this stuff just to boost numbers & know full well of the problems these updates are causing, for example the pulled patches you mentioned in a previous article Woody. It’s starting to look like it’s about time to just hit the ‘never’ option on Windows Update, I mean seriously, the patches are causing more problems than what the patches are trying to prevent. Like you said in one article Woody, pardon me if I butcher this, it’s just about time that the risks are less harmful than the potential damage the patches are doing.

Reply | Quote

In this statement, “It goes without saying when you give the OK, if still unchecked it gets hidden,”
I’m not sure, but I think Paul meant: When Woody gives the okay for folks to install this month’s patches (his Defcon system), if the patch is still unchecked on Paul’s machine when he runs Windows Update at that time, he will put it into the “hidden” category of patches.

I don’t think he was intimating that leaving the patch sitting unchecked in his Windows Update list would automatically move it over into the “hidden” patches area.

Reply | Quote

Unchecked in my list of updates on a win 7 machine
However I have a non-security item KB3148851 that is checked.

Reply | Quote

Hi Woody. In most cases I follow your lead and wait until the “Defcon” relaxes, but I also check this site every month as well.
https://isc.sans.edu/mspatchdays.html?viewday=2016-04-12

They put up a summary of each Microsoft patch Tuesday, along with status codes for each bulletin that indicate any “Critical” or “Patch Now”, as well as if any known exploits are circulating.

I left KB3146706 alone, as it requires user interaction, rather than any remote exploit. Upon rechecking for updates, it is now un-checked. I will definitely wait now!

FYI, I did go ahead and pull the trigger on the critical updates and nothing bad happened … yet 🙂

Reply | Quote

Yep, I watch the ISC Storm Center closely, too. They’re geared toward large systems – corporate admins – but their info is excellent for everybody, and highly reliable.

In addition to watching their Patch warnings, I also watch known exploits. So far this month, only one patch covers a security hole that has a known exploit – KB 3148522 . I talked about that one extensively in my InfoWorld coverage. I still haven’t seen any massive attacks.

Reply | Quote

There’s no question in my mind that the security patches do MUCH more good than harm – if you wait to see if other folks have run into problems.

Reply | Quote

It’s certainly possible – and something I’m always concerned about.

Reply | Quote

While this is not a typical configuration, EMET is a Microsoft security enhancement product and all patches should be tested against it. I think we had patches in the past either pulled or re-released due to issues with EMET.

Reply | Quote

I pulled the trigger earlier on all the important security updates aside from this one and that one for the Russian time zones (can’t remember the KB number for that one off-hand). So far so good.

Reply | Quote

Here KB3146706 as well as KB3148198 fail to install on my Windows 7SP1 64-BIT. This occurs with both together and independently. On reboot after update the install finalization climbs to 90% and then states failure, reboots and corrects accordingly.
KB3148198 is the “big” IE cumulative update (50MB+) and I’m worried about possible security implications system-wide even if I never use IE (ver. 11 here) as such (I’ve even disabled it).
Ever since 2001, be it with Win95, XP and then Win7 I have never encountered such a problematic Windows Update process.

Off topic : I’ve discovered this site recently and I really appreciate it, the topics, the way woody is committed to facts and not only to theory is splendid.

Reply | Quote

Woody,

I installed KB3146706 before reading your article here.

– Win 7×64 Home Premium OEM

I always wait until the following weekend after multiple “Patch Tue” WU deployment’s
before installing them to give me some time to read the MS bulletins and check out the online “buzz” about the install’s.

I also Clone my main/OS HDD before installing multiple WU’s for a fast rollback option.

However, I missed your article and blog thread about this KB yesterday, didn’t check in here before installing (shame on me) :d .

Yesterday (Sat 04/16 U.S. time), I downloaded and installed 10 “Important” updates (no
Optional WU’s installed at that time).

I noticed before downloading and installing, my WU page (WUAPP) was indicating “11 Important WU’s” available, etc.

After installing the 10 Imp WU’s, restarting, all was well. I noticed that KB3146706 was
still there, uninstalled but unchecked by Windows.

For some reason, I had an I.Q. brain-fade moment :d , and checked & installed KB3146706, forgetting the rule that another member here mentioned about default-unchecked WU’s.

It appears to have installed ok, no BSOD, all indicies’ ok (CPU, boot time, all programs
working ok, etc).

I did see the long “install” time with KB3146706 during the “Configuring Windows, do not turn off computer” step when Windows was shutting down the PC after clicking the “Restart required to compelte install…” button on the WU page.

That step took about an hour to complete but there were no install errors during any of
the install steps.

My question is more about general WU uninstall’s:

When referring to a single WU that the user would like to uninstall, is there any
difference between uninstalling the single WU via the Control Panel > Uninstall option,
and rolling back the HDD with a Clone or Image restoration (for the purpose of removing the single WU) ?

Is the WU “uninstall” action reliable in uninstalling a WU? I haven’t done that in a
long time and was curious as to your take on it.

Reply | Quote

Thank you Poohsticks…I had no idea my comment re: hiding an unchecked update would be misinterpreted. What you said is exactly what I meant and what I will do. To me, an unchecked update means MS could care less whether you install it or not. I choose not and to “manually” hide it.

iPhone 13, 2019 iMac(SSD)

Reply | Quote

Uninstalling a Windows Update is generally quite reliable, except not all patches can be uninstalled! Rolling back to an earlier snapshot of the hard drive has the expected side-effects, particularly any change you made in the interim are wiped out.

Reply | Quote

Thanks for the info. If a WU can’t be uninstalled (via Control Panel > Uninstall), does Windows generate an error message notifying the user that it can’t be uninstalled?

HDD rollback, true. I have my frequently-edited/changed items backed up separately for HDD rollback recovery when needed.

Reply | Quote

Woody: I understand that the current advice is to not install ANY of the updates. Does this include the Win. Malware/Software Removal Tool x 64 for April? I’m assuming that it does.

Thank you once again for the exceptional information you provide to us all for protection.

We all owe you a debt of gratitude for your wonderful guidance!! You are the BEST!! 🙂

Reply | Quote

MSRT and Windows Defender updates are always good – and they always install themselves, whether you select them or not, whether Auto Update is running or not.

Reply | Quote

If memory serves, if a Windows Update can’t be uninstalled, it won’t appear in the Installed list.

Reply | Quote

@ch100,

Are you saying that updates that are left in the main update list (they are left sitting there — they aren’t installed, they aren’t hidden, they simply have no action taken on them at all)

are treated differently than updates that are actively hidden by the computer owner

if Microsoft later pulls or modifies those updates?

—
In the last year, I have noticed that Microsoft has frequently removed updates that were in my “hidden” area (that I had actively chosen to hide), and sometimes Microsoft puts them (or a redesigned version that has the same kb number) back on my normal Windows Update list, and sometimes Microsoft just makes them disappear entirely.

And other people have commented that they’ve noticed the same thing (hidden updates are simply removed from the hidden list, or are popped back onto the normal list).

Due to that behavior, I have assumed that Microsoft has *full* control over the updates that the user has “hidden”.

But it seems that you saying that “hiding” updates removes some of Microsoft’s ability to control or remove them, and screws with the Windows Update functionality/smooth running.

When you say they are left as a phantom entry in the WU database, what can be done about it? …Running the administrator-level of disk cleanup that cleans out Windows Update files?
I have always been hesitant to do the nuclear-level disk cleanup options for several reasons, including the situation that my current computer seems to be uncomfortable with having its past cleared out entirely, and the situation when I first naively encountered this past year’s get-Win-10 malarkey and I had to uninstall the first dodgy update, which had the unintended effect of deleting my computer’s entire update “history” to that point.

Reply | Quote

@John W,

That’s a great find, I am glad to add that resource to my list that I check every month before installing the new patches!

Here are the other ones that I look at:
https://www.askwoody.com/2015/msdefcon-4-patch-watch-kb-3101488-clean/#comment-66301

Reply | Quote

Recently running WU scans on all my Win7 computers have offered KB3146706 UNchecked (not installed by default). On the other hand, running a WU scan on a Win8.1 laptop offers KB3146706 “checked”.

Can anyone see if the problems with KB3146706 affect other versions of Windows besides Win7 SP1 (like Vista or Win8.1)?

Reply | Quote

If an update cannot be uninstalled, when you right-click on it to uninstall, you just cannot. There is no way to make an error and crash the system with such an update. There are not many of those though, they are generally core system updates or servicing stack updates. Most updates can be installed and if you restart immediately after uninstalling, there are very limited chances of creating any problems.

Reply | Quote

If it installs on its own in a Windows Update session even if not selected by the computer user, does it get removed from the list of currently-available Windows Updates?

I am pretty sure that it does stay in my list of available updates, after I’m done updating in a particular updating session, when I do a final Windows Update check to make sure I got everything that I wanted to for that month.

I check for updates manually, and my recollection is that when I don’t select/install the MSRT update for a particular month, over the course of further months it remains in the list of available updates, with the same, old, month’s name (such as “February”, even though now it’s April) on it, until I do select it and run it.

My memory on past instances is foggy, but for the past 2 months, I have not chosen that update during my monthly Windows Update session, and if it would be of interest, I could report back after my next Windows Update check (in early May before the first Patch Tuesday) to say what name and date the MRST entry on my WU list shows.

Reply | Quote

Woody:

Thank you so much for the Okay on the MSRT. I’ve always installed the Win Defender (at least I’ve gotten that one straight). I’m making myself a note on the MSRT immediately.

Thank you once again for your invaluable help! 🙂

Reply | Quote

@poohsticks “Are you saying that updates that are left in the main update list (they are left sitting there — they aren’t installed, they aren’t hidden, they simply have no action taken on them at all) are treated differently than updates that are actively hidden by the computer owner if Microsoft later pulls or modifies those updates?”

Short answer yes. For the details see my previous reply which I will try to explain again.
When an update is hidden, normally it can be restored and brought back in the main list later. If that same update is removed by Microsoft, when the user tries to unhide/restore it, there is no reference to it at Microsoft and that update cannot be unhidden, while it remains in the database as what I called a “phantom” entry not referenced by Microsoft. This can cause issues further when svchost.exe and TrustedInstaller.exe are doing their calculations. And we already established that the design of the svchost.exe process while functional, is not optimised. This would just add to the overhead already existing in the WU. I have no way to verify this, it is just speculation based on my own observation and research.
The database which is only a cache can be reset by stopping Windows Update and BITS services, deleting the SoftwareDistribution folder and restarting the services. This is known procedure when Windows Update gets corrupted but recommended to be used only as last resort because there is a price to be paid for following this procedure. All updating history is lost and the database has to be rebuilt from Windows Update while comparing with the existing updates already installed and this takes hours.

Reply | Quote

PS It was meant to say “Most updates can be UNinstalled and if you restart immediately after uninstalling, there are very limited chances of creating any problems.”

Reply | Quote

Older version of MSRT should not stay in the list as those updates are cumulative. The newest of them replaces all older versions. Only if you hide the latest one you would see the immediate next newest which was not installed. This procedure is useful only for testing purpose. I think the best approach is as Woody recommends and install all MSRT as they are released. They are very much like antivirus definitions only that they do a one off scanning when “installed”.

Reply | Quote

Since allowing 3 PCS at home to install KB3148198 IE 11 security patch for a browser I detest and don’t even use (the clunkiest browser of the lot), my 2004 Dell Latitude rebooted the first time but subsequently froze up while installing WIFI component and would proceeded no further in the boot process. I used system restore TWICE before realizing it wasn’t a “vicious tax-preparer’s nightmare (Apr 13) virus” but that (lightbulb! … epiphany!) after installing this dread update, my PC again froze up. So I went back to restore point once again and “hid” the offending update. Then tonight my NEW (1yo) Dell Inspiron R17 laptop after months of continuous smooth and swift response was of a sudden loading all screwy and slow, so I am restoring prior to this (AHA!!! you again) “Critical IE 11 Update KN3148198” FIE ON IT!

Reply | Quote

Paul, please be aware that many of those updates which are unchecked at a certain time can become checked later. There are few identified reasons and possible many more unidentified reasons for that behaviour. The update can be throttled due to high load, can be reassessed by Microsoft due to conflicting reports about its reliability and side effects or can be anything else known only to those working at Microsoft in this area.
I believe hiding updates is not good practice except for short time during testing various scenarios. This is because it can easily break the Windows Update mechanism and we can see that we have a lot of users replying here having many Windows Update issues. Most of them tend to override the default behaviour by selectively installing and hiding undesired patches.
It does not harm to leave updates in the main list visible, manually checked and installed when needed and unchecked when not needed.

Reply | Quote

CH100 wrote, “When an update is hidden, normally it can be restored and brought back in the main list later.
If that same update is removed by Microsoft, when the user tries to unhide/restore it, there is no reference to it at Microsoft and that update cannot be unhidden….”

When I’ve noticed over the past year that Microsoft has actually removed updates several times from my “hidden” updates area, I have assumed that this meant that Microsoft was able to control the updates that had been hidden by the user. Perhaps their abilities on this front have progressed in recent times?

Before this past year, I haven’t needed to hide any updates besides the ones for various non-Microsoft drivers (that experts advise to get from the computer or component manufacturer than from Windows Update), so I haven’t run into problems where I had hidden an update, later wanted to restore it, but found that it was actually no longer in the main Windows Update library.

I suppose that if hiding updates (which I only do to tidy up the main list and to help me see what I am doing as I research each new update that I am presented with at my monthly manual update) might cause Windows Updates to have some problems down the road, then the unwanted updates can just be left, uninstalled, in the main list, month after month.

Reply | Quote

I have not hidden the MSRT update, as far as I recall — I just left it sitting there in the main list.

I’m pretty sure that I observed that the month/date on it stayed as it originally was and did not get replaced with the latest month’s version. (I can check on this and return to leave a comment here the next time I run Windows Update, which will be in early May.)

I know that it’s a one-time antivirus sort of scanner.
By the time I go through my monthly manual update, it is nearly 4 weeks after the Patch Tuesday in question, and surely the newest viruses would have been known about for long enough that my Norton Security program would also have had them in its sights by that point.

I am also, due to the apparently massive change in their ethical/commercial behaviors, much less trusting of MS in every way. Sad to say that I am leaning towards feeling that I am not sure what that update/check is actually beavering away doing, with no overt signals, no running commentary, no final report at the end, never any finding of any “virus”, but with data transmission.

To say that no one should avoid downloading it unless for testing purposes seems a bit dramatic to me — are lots of viruses getting through on systems that are continuously “protected” by decent, paid anti-virus/security programs like the one that I use, but which have not run MSRT for a couple of months?

How does one find out if MSRT has ever removed anything from one’s computer — why is it so mysterious and silent? Harrumph to them, I say.

🙂

Reply | Quote

A cautionary tale re my home PC…
Usually I wait for Woody’s all-clear or, at the very least, until my office PC has had its updates running ok for a while (the office systems administrator is an auto-update man, but such is life). However, yesterday I downloaded an ‘optional’ Microsoft Security Essentials update but omitted to return to the previous tab to de-select the automatically selected ‘important’ updates. (My excuse is that tea was ready.) So I let the rest of the April updates happen…silly me! The result was that my display changed to the old classic view, with a square ‘start’ button and white task bar, and a pop-up message noted that “Windows could not connect to the System Event Notification Service service.” The culprit appears to be KB3146706, which I have uninstalled.

Reply | Quote

Obvious… for who? 🙂

Reply | Quote

When you uninstalled it, did your system go back to normal?

Reply | Quote

I’ve never seen a confirmed problem with MSRT.

Reply | Quote

It looks like there’s a problem – probably localized, but possibly widespread – with KB 3146706. People should wait a while to see what ugly things raise their heads.

Reply | Quote

Just clarifying. The “testing” word was referring to hiding a newer version to see what else is behind it, the so called superseded update which is normally not visible. Not to the MSRT patch itself.

Reply | Quote

Yes, after an initial hiccup on re-start: the usual log-in screen appeared with two logos (one for me and one for my wife); I clicked on mine and the screen message appeared, “Password is incorrect” with a cross in red. That was odd, because the system hadn’t asked for a password and I hadn’t entered one. I clicked ok, up came a screen with only my logo and space underneath for my password, which I entered and then got my usual desktop with everything apparently working as normal.

Reply | Quote

Just wanted to check in to say that I unhid this update just now to see if its status had been changed at all… it’s still unchecked by default for me when I unhid it, but still apparently being offered via WU. No problems with any of the other updates so far though, at least not on my machine.

Reply | Quote

Well this month of patching is the worst month. With this bad patch and the WU debacle, it’s really a black patching’s tuesday cycle

Reply | Quote

KB3146706 was still offered checked to my Vista box today. After installing it and rebooting, the system audio failed to start and I got the classic view and Event Notification message like Gord above. In my case I had to uninstall and reboot twice to return to normal. Then I recalled reading a reddit thread earlier about KB3146706 that mentioned EMET, and the poster suspected an incompatibility with the patch. I run EMET but I had modified the default system settings. So, I returned the settings to default, reinstalled the patch, rebooted, restored EMET to my modified settings, and… it works. So far.

Reply | Quote

On April 17, Walker asked you if your current advice not to install any of the updates included the Malware Software Removal Tool (MSRT). You replied: “MSRT and Windows Defender updates are always good – and they always install themselves, whether you select them or not, whether Auto Update is running or not.”

Did you really mean MSRT or did you mean MSE (Microsoft Security Essentials)? I have never seen MSRT install itself when not selected and especially when Never check for updates is chosen.

Reply | Quote

There’s some open question about that. I’d welcome any and all observations.

Reply | Quote

I’m with Jim on this one Woody. I have 3rd party AV running along with MWB so I never bother running the MSRT.

It shows up in the list every month and regardless of how many individual patches I install along the way it’s still there when the name changes the following month.

Reply | Quote

I am now reporting back about the MSRT entry’s name/month/date in my list of Windows Updates.

(I decided to run Windows Update tonight instead of waiting until the first week of May, just as a test to see how long it would take my computer. I got curious after reading how it’s taking so long for so many people!
Mine took about 45 minutes tonight, which is about 15 minutes more than it took 2 weeks ago.)

My earlier recollection, that I thought that the MSRT entry retained its *old* month’s name into the future if I didn’t download it for a while,
seems NOT to be correct,
at least currently – based on the Windows Update trial that I have conducted this evening.
I have not run MSRT for the past 2 months, and tonight in my Windows Update the MSRT entry is termed “April” and is dated April 12th.)
In the past, I thought I had noticed that the old month stayed in the description, but it looks like I was wrong about that.

Reply | Quote

Tonight I got curious and ran Windows Update outside of my usual monthly schedule just to see if it would take my Win 7 computer as long as it’s taking for a lot of other people’s right now,
(it took 45 minutes tonight, compared to 30 minutes 2 weeks ago before the April patch Tuesdays)
and, as a part of firing it up tonight, I decided to unhide all my hidden updates, and let them breathe again by reclaiming their spots on the normal list. 🙂

In case it will help my Windows Updates not to get tied up in knots with dead-ends and such, from this point on, I’ll just keep the updates that I don’t want to install in the main list, and not use the hidden area at all.

I’ve got a spreadsheet with information on the kb numbers that I’m avoiding installing, so I’ll closely follow that every month as my main list of updates grows due to the deliberately not-installed ones.

—-
It’s getting to the point where the emotions last year of confusion, surprise, consternation, then annoyance, are turning into much harder, angrier, cynical feelings towards MS, as that corporation deliberately sucks up so much of my “free time” in this irritating number-soup jumble of patches and cat-and-mouse game about win10 that I don’t understand, don’t want to understand, don’t want to have occupying my thoughts in any way, yet they do.

Thanks again to Woody and everyone else here who flag up important things, describe what they have experienced, patiently explain simple procedures and concepts, etc.!

Reply | Quote

MSRT has a different scope that MSE. They are not related in any other way that they are both provided by Microsoft. Process Monitor will show what files are scanned by MSRT.

Reply | Quote

Apparently nobody at Microsoft has taken notice of this particular issue with EMET, because the patches haven’t yet been pulled or re-issued.

I’m sure there will be more issues with OLE-related patches if someone doesn’t get their head out of their collective you-know-what and gets to work on a fix.

I know 32-bit is on its way out, but c’mon! Are you listening, Microsoft?!?

Reply | Quote

We ran this update on our systems Asus B75-M LE CS/M and it is bricking them. It’s causing a “Insert proper boot media” error and completely killing Windows.

We found reimaging and hiding this update stops this from happening.

Reply | Quote