Replies

Except for Niubi, I have all the same tools and none have gone missing. I do not have Core Isolation enabled, but did have a scanner driver conveniently removed by Microsoft a few months back that had been working just fine for about 1.5 years. I’m assuming it was because MS had begun enforcing CRC integrity checks – the driver is one that I had hacked so it would run under Win 10.

Some of my extreme hacking and pen test tools disappeared awhile back (these were not kiddie scripting tools). Even my EICAR test file disappeared.

EICAR Test File

My AV software didn’t do it, so I assume MS must have. Even though I use 3rd party AV, MS apparently runs defender background scans every now and then without notification (and without it being enabled to do so in settings).

I’d be very interested in what you discover. You didn’t happen to have an Explorer crash around that time did you? There’s a bug in Explorer that rears its’ ugly head under certain circumstances. If multiple Explorer windows are open with large directory listings (not in details view), a copy/move operation can result in disappearing directories and files. Usually, just before it happens, listings become slow to navigate.

I thought I was the only one left who uses Resource Hacker. It’s one of those tools that you don’t need often, but when you do, it’s one of the best still available. I’m betting that you also have Frhed in your war chest.

– Another Old Geek –

1 user thanked author for this post.

windbg

A bit late to the party here (health problems), but I had 1G FIOS installed in mid January. As part of the package, I received a Verizon CR1000A router and extender, both rent free. The CR1000A has 2-2.5gb ports and 1 10gb port. It has a MOCA adapter built-in (Ethernet over COAX for TV STB).

Initially, I was getting 900 Mbps in both directions (wired with a Realtek 2.5Gbps NIC). Verizon pushed a router firmware update and now I rarely hit 900 down and cannot break 500 on the up link. Like you, I suspect that there’s some hidden QOS setting that favors wireless to the detriment of wired. I’ve had Verizon managers and technicians at the house multiple times. They acknowledge the problem, but don’t know how to fix it. They claim that being oversubscribed/provisioned is not the problem. On-line support is useless – if the connection from the router to their server works, then the problem must be me even though it’s their hardware.

If I swap their router with my Netgear Nighthawk R8000, I can get 900 in both directions. Put their router back (which is a better router) and speeds suck. By the way, as of last year, it’s no longer required to have Verizon branded hardware for the TV channel guide or content – any MoCA 2.5 Network Adapter will suffice.

On a whim, I put my Netgear router out front and plugged the Verizon router into the Netgear. I expected double NATing, but to my surprise, the network configured itself. My Netgear router was assigned 10.0 private addressing and the Verizon equipment retained 192.168. I only did this for speed testing and didn’t check the topology or security. I’m not sure if Verizon can push firmware updates to their router and STB in this configuration.

I’ve tried Intel and Realtek NICs and still have the same problem with the Verizon router. My Ethernet cables are CAT 6/7. IPv6 enabled/disabled makes no difference. My desktop also has WiFi 6, but I have the radio turned off.

As a side note, people with Verizon FIOS using Intel NICs and Wifi need to be aware of this Intel technical bulletin:

Disabling TCP-IPv6 Checksum Offload Capability

Read the bulletin, then download and run the PS script. If this is too difficult/confusing, I wrote a step-by-step how to document and work-around should someone need it.

IPv6 is now enabled by default for Verizon hardware and it should work given that the IETF made a draft in 1998 and ratified it as an Internet Standard in 2017 (/snarky). There’s an unacceptable amount of TCP “resends” on the Verizon uplink (3-15%) that also impacts speed. Since I’m now retired, Verizon support won’t allow me to speak to level 2 tech to present my findings and proof that a problem exists upstream.

3 users thanked author for this post.

TechTango, windbg, SupremeLaW

Since you have an X570 chipset, I’m assuming you have either a 3000 or 5000 series Ryzen processor (I have both). AMD fixes vulnerabilities, but OEMs (ASUS, MSI, etc) must implement it for the mobos they produce and, as you’ve probably observed, OEMs aren’t particularly timely at doing so.

In response to CVE-2021-26346, on January 10 AMD published:

Security Advisory AMD SB-1301

In it, AMD states “The AGESA versions listed below have been released to the Original Equipment Manufacturers (OEM) to mitigate these issues.” If you look under the “Mitigation” heading, you’ll see that 3000/5000 CPUs have “N/A” under them. I haven’t a clue as to whether this means “Not Available” or “Not Applicable”.

When issues such as this arise, I’m sure OEMs prioritize enterprise, workstation and business SKUs over general consumer and gamer SKUs which are less likely to be targeted, especially when the attack vector is local (hence the lower security threat). Like you, I just updated firmware to 1.2.0.8 on an MSI ACE X570 (a premium board). The firmware is dated March 3 and came with a similar helpful readme /sarcasm:

“This BIOS fixes the following problem of the previous version: – Update to AGESA ComboAm4v2PI 1.2.0.8.”

I agree with you. OEM communication skills leave something to be desired when consumer products and security are involved. However, like EricB above, I’ll not lose any sleep over this for the same reasons, but I’d still feel better knowing that all the doors are locked.

Very interesting. Precisely one of the scenarios I wanted to test. Mismatch and 22H2. Apparently, the conditional triggering a BSOD is a wee bit more complex than anticipated based on what MS disclosed thus far. I now wonder if reversing file locations would change the outcome.

reboot
if (a and b) BSOD;
where “a” is the mismatch and “b” is unknown

Of course, the “b” could turn out to be something simple such as having a hid device connected during the patch reboot process.

In a couple of forums on different sites, there are people who experienced the BSOD and claimed to have put the OS back into a bootable state by:

1) Booting into safe mode, then
2) SFC /scannow as Admin

If credible, you probably would have experienced less nail biting while patching. (Regardless of the precautions you took, I still award you kudos for being a brave lad.)

Like you, I’d like to know how the mismatch happened on the ThinkPad in the 1st place and also why this wasn’t corrected by KB5019959. Weird? Yeah, I agree.

1 user thanked author for this post.

WCHS

Ah … Good catch. That makes perfect sense. The access time probably changed during the reboot process of the update and is likely tied to Windows file integrity checks during the boot process rather than the update itself.

I’m curious to know if running DISM and SFC prior to applying the patch would fix problems that folks might have beforehand. Also, wasn’t it the purpose of cumulative updates to eliminate patch level, version discrepancies. How did this even happen?

Fortunately, the problem isn’t widespread. I personally have not fielded any calls so far from people experiencing the issue, but my sample size isn’t as large as it used to be either.

I’m a little late to the party, but decided to sacrifice one of my Win 10 Pro 21H2 production desktops (AMD) earlier than planned. Note that this machine is fully patched – Windows, firmware (UEFI/BIOS) and 3P drivers.

BEFORE Dec Cumulative Update KB5021233:

1. hidparse.sys present in both directories
2. Version 10.0 19041.2251 and same file size for both
3. Creation and Modified date on both the same (Nov 14)

Nov 14 is the date that I applied November Cumulative KB5019959 which clearly updated the files in both locations.

AFTER successful Dec Cumulative Update KB5021233:

1. hidparse.sys still present in both directories
2. Version 10.0 19041.2251 and same file size for both (no change)
3. Creation and Modified date on both unchanged (Nov 14)

HOWEVER, KB5021233 DID “touch” both files because the Access timestamp has been changed to when the update occurred (Dec 24, 7:27PM). When KB5021233 peeks into hidparse.sys, what’s it looking for and what does it do if it finds it? Your guess is as good as mine. Microsoft, you need to do better.

Conclusion? Well, always remember that anecdotal evidence doesn’t prove anything (but can be helpful for some). Personally, if I had only one computer, lacked technical acumen, or had no tech support should things go south, I’d probably not throw caution to the wind just yet and wait for Sue’s guidance. Blue screens can definitely ruin your holiday plans.

3 users thanked author for this post.

CyberguyJ, JohnV, Deo

When I first read this post I was horrified. The idea of a remote, unattended BIOS update scared the you know what out of me. Now, however, I’m just confused.

1) Are BIOS updates part of the Patch Tuesday process????
2) If Windows provides BIOS updates, does it install them automatically?
3) Do you have 3rd party software pushing BIOS updates?

I’m assuming the workstation is your sacrificial lamb for testing purposes, but could you provide a bit of context? Inquiring minds gotta know …..

(Just now as I’m writing this post, I received a replacement closed caption phone via Fedex. The reason was because of a failed BIOS update initiated remotely by the provider.)

Usually, the license is valid, but only for the region/use for which it was intended. Microsoft can, at it’s discretion, invalidate the license. The seller isn’t supposed to offer those licenses for sale in the US consumer market, for example.

Sort of a gray area that MS seems to tolerate for the most part although every now and then they do stomp on one of those sellers. Talk to any legitimate retailer or computer reseller and they’ll have very strong opinions.

If MS is making a product available at a discount, they generally let you know about it through press releases or retailers. Otherwise, buyer beware especially if the seller is outside your country. On the other hand, you may never have a problem with activation, but I wouldn’t bet on it unless told otherwise by a MS employee.

1 user thanked author for this post.

OscarCP

I wonder if this is an Explorer related issue. I get some odd bugs occurring now and then that “refresh” doesn’t solve when manipulating files. For example, library icons disappear from the left Explorer panel, files that are copied/moved don’t immediately show up in the listing unless I move to a higher level directory then back.

It’s almost like the Windows sometimes forgets to refresh the display after actions are performed (e.g. copying), or maybe gives it a lower priority. Could it be, for example, that the display doesn’t refresh until disk caches are flushed?

One of the options in my desktop right-click menu is “Restart Explorer” which usually resolves issues when I’m in a rush.

Which begs the question, why? Made me smile though.

On a more serious note, I may have to do this in the near future to resurrect some 32 bit hardware. After a Win update in late December, MS conveniently removed the drivers I had hacked for one of my scanners and now won’t let me reinstall them due to CRC enforcement according to the error. I didn’t discover this until April 14 when I tried to use the scanner for tax purposes and found that the drivers had disappeared (Win 10 Pro – secure boot, UEFI no CSM). Had to brute force install drivers for a sealed box, HP Scanjet 8300 that I had hanging around.

For my Windows 95 entertainment, I do this:
Github: Windows 95 javascript app

Works good and also on MAC/Linux. I’ll bet a few of you know the interface by rote memory.

I’ve noticed this for quite some time in Explorer, but not on the desktop. Is your system doing something in background (e.g. scans, indexing) when this happens?

IE has and will always leave a bad taste in my mouth. As a web site developer, the shenanigans MS pulled in the early browser wars irked me to no end. Always having to write two branches of code – one standards compliant and the other MS proprietary. Thanks for nothing MS.

Good riddance IE – you will NOT be missed.

1 user thanked author for this post.

Mele20

As of 12:10PM EST, MS is still reporting Outlook outages. Cloudfare has fixed their large outage.

Same here (video encoding- GTX 1070 OC) and also offloading to the GPU with simulation software. Keeps my NH-D15 busy (5800x) with temps approaching 70.

I’m old school like you. For my machines, I set a 250GB OS partition which contains the OS and A-V software – nothing else. Windows “libraries” (video, music, docs) are moved to separate data drives. “Program Files” are installed elsewhere. I have a dedicated drive for sim software and dedicated dev partition for servers (Apache, MySQL) and IDEs. The end result is quite similar to your setup.

While I do this for I/O reasons, there are also other considerations (data recovery for example). Up until a few years ago, my standard config was mirrored OS drives and a large drive array for everything else. For my recent builds, I no longer have any spinning rust and thus no drive arrays.

When I build machines, my primary goals are stability, longevity, ease of recovery, and then performance. My current daily driver only has 3 PCIe 4 NVMe slots, but I have more that 1.25 million files/data sets.

I now opt for the largest NVMe drives I can afford (1TB at this point). My prior builds had 250GB boot/OS drives; my current has a 1TB NVMe boot drive with dedicated 250GB OS partition and 1TB NVMe data drive. Why? Performance (I/O) and longevity (TBW) of larger NVMe drives was too great to ignore. For less demanding storage, I use SSDs which can be easily moved between computers.

I also agree with you regarding swap files and never use the OS partition/drive for this purpose. With 32GB RAM, however, I’ve not observed the swap file(s) being used with one exception.