Earlier this week, Update Tuesday occurred, bringing with it anywhere from one to two dozen updates (more for machines with MS Office installed, less for those without). As is my usual practice, I updated the half-dozen plus computers here in the house, and watched them go through the update process. This time around, the usual monthly installment of the Windows Malicious Software removal tool came up in the number three spot as the process chunked through its sequence of applying those updates. I couldn’t help but notice that while this element usually takes minutes to grind to completion on most PCs, it was taking an inordinately long time on one of my PCs (the production machine, wouldn’t you know it?) — about an hour, in fact, by the time it was finished.
This is pretty much standard text for the MRT, as it’s usually abbreviated, repeated like clockwork every month.
This caused me to do a little digging to learn more about the tool, and how it works. Along the way I came across a couple of useful resources I’d like to share:
1. The Microsoft Safety & Security Center has a page (and a download link for the standalone version) on the MRT entitled “Malicious Software Removal Tool”
2. MS Support offers an informative page entitled “How to troubleshoot an error when you run the Microsoft Windows Malicious Software Removal Tool”
Among other things, I learned that the program writes to a log file each time it runs, and that log file is named mrt.log, which resides in the
%systemroot%\debug directory (that environment variable translates into “C:\Windows” on most PCs, BTW). My thinking was that the program took such a long time to complete because it found something interesting, so I hoped that a gander at the log file would show me what, if anything, the program had found. Alas, it showed only a return code of 0 which, as all long-time Windows-heads know, means successful completion and thus also, no errors found (or fixed).
I did observe something else interesting, though: despite the documentation indicating that MRT runs only when its downloaded from the Windows Update center, my MRT log shows it running several times a day, every day, for only a few seconds at a time (typically, 2 or 3). It looks like MRT must be scheduled to run on a regular basis — how else to explain the recurring, multiple-times-a-day log entries? So, although I didn’t find any problems reported from running the MRT after the last updates, I did learn something interesting about the program and its behavior.
I ran across an interesting story on Neowin this morning. Entitled “New Intel drivers give up to 30% performance boost for Surface Pro 3,” it actually covers more than just the latest Microsoft flagship tablet. In fact, any PC with a newer graphics chipset (actually, anything Haswell or newer) that’s rated as an Intel HD 4400 or better, or HD 5000 or better, can benefit from these drivers. Thus, in fact, my Fujitsu Q704 tablet is one of numerous newer Intel-chip-equipped tablets, ultrabooks, and notebooks that is able to exploit the new driver’s abilities. For a complete list of the processors affected, check out this Intel list (i7 CPUs, other lists are available for i5, i3, and so forth through the ARK home). Very conveniently also, this driver was pushed out as a part of the September 9 “Update Tuesday” elements released just yesterday through Windows Update. Here’s what the details Window for that update looks like therein:
It’s unusual for a driver update to confer double-digit performance gains, let alone 30%!
How much of a boost can these new drivers confer? According to the Neowin story, “The update is said to improve performance by up to 30% in some activities which is a solid increase for a simple driver update.” To my way of thinking this makes them unusually worth applying to those PCs that sport the requisite graphics circuitry. This means that admins whose users’ PCs qualify will probably want to fast-track this particular update. ‘Nuff said.
The IFA took place in Berlin, Germany last week, where Intel took the opportunity to share a lot more information about its latest upcoming family of mobile processors. (IFA is German, and stands for “Internationale Funkaustellung” which, literally translated, means “International Broadcast Exhibition,” and is rendered at AcronymFinder more verbosely as “International Fair of Broadcasting Services.”) This CPU family was initially introduced under the Broadwell name at CompuTex in Tapei earlier this summer in June, but is only now getting more complete disclosure from Intel as the Core M Processor line, along with disclosure of numerous Core M based tablets, convertibles and ultrabooks from a variety of OEMs as well. The image at the left below is an enhanced photo of the Broadwell die (source: Intel).
The biggest news about the Core M family is that its wattage ranges are low, low, low. At the same time that Intel is touting these chips as running up to 50 percent faster for compute-intensive loads, and up to 40 percent faster for graphics performance, as compared to Haswell models, the processor package itself is 50 percent smaller than its predecessor. This means that the rated power consumption levels for these chips– rated at 4.5 W across the board — is low enough to enable designs that don’t require fans for active cooling, and better still, mean big boosts for battery life in wafer-thin tablets, convertibles, and ultrabooks.
Several OEMs got up on stage with Intel at IFA to proffer a variety of Broadwell designs, too, most of which are slated for delivery in mid- to late-October 2014:
- Acer is preparing the Aspire Switch 11, a 2-in-1 device (a tablet with 11.6″ display and a keyboard dock) for market delivery.
- Asus is preparing its ZenBook UX305 a 13″ ultrabook with a QHD display for October delivery, and had already announced its Transformer Book T300FA 2-in-1 device at Computex last June.
- Dell is offering a business class 2-in-1 called the Latitude 13 7000 Series with a 13″ HD display.
- HP is planning two 2-in-1 ENVY x2 models, in 13.3″ and 15.6″ form factors.
- Lenovo is preparing a new ThinkPad Helix 2-in-1 model with an 11.6″ full HD display and two different keyboard docks (the Pro model features the little red rubber trackbump so beloved of many ThinkPad users).
This promises to make October an interesting month for prospective Windows tablet buyers, with a particular emphasis on more-business focused models from Dell, HP, and Lenovo in the mix. Methinks that the Surface Pro 3 is going to get a run for its money from a series of even thinner and lighter 2-in-1 models with superior battery life.
In the ongoing battle to increase system stability on my production PC, I’ve found a new point of interest and attack in the Reliability Monitor log for my primary production PC — namely, Secunia PSI. In this case, PSI stands for “Personal Software Inspector:” basically, it monitors the applications installed on an individual PC, and checks their version numbers, patches and updates applied, and so forth, against its database of what’s most current (or what needs to be applied to protect against known vulnerabilities). Now that I’ve eliminated an earlier problem as reported in my 8/22 blog entitled “Chronic OneDrive/SkyDrive Problems Widespread” which had my PC experience daily Appcrash events for OneDrive, PSI has jumped to the top of my “what’s causing problems now?” queue. This recent weekly Reliability Monitor log shows that OneDrive is no longer crashing, but that PSI is happily taking its place:
For what turns out to be API compatibility reasons, PSI stops working when it’s asked to run a scan on a Windows 8.1 PC
A little research on the PSI forums at secunia.com showed me that changing the application’s compatibility settings to Windows 7 (and also selecting the “Run this program as an administrator” checkbox) would do away with these issues. And sure enough, the foregoing monitor log shows that since making those changes on Wednesday, the problem has not recurred, despite numerous subsequent invocations of the program to try to provoke the error again. Here’s a screen cap of what’s required (and what’s apparently working):
Two quick tweaks on the Compatibility tab called up by right-clicking the psi.exe exe file, then selecting Properties, does the trick.
This is just another daily step in the relentless pursuit of supreme system stability on a modern Windows PC. Don’t we all wish such manueverings were unnecessary? But then, this is simply business as usual in my world, and the worlds of those charged with taking care of user machines.
One final note: though the license terms mean that enterprise admins are unlikely to use PSI, and will probably use the Corporate Software Inspector (CSI) version instead, they should take cheer from the lack of such stability complaints against that product. Concerted search/research and an examination of the CSI user forms at Secunia indicate that the corporate version of the program is not subject to these stability problems, nor are any contortions therefore necessary to repair or mitigate them, either.
In the wake of a series of botched Windows Updates that started on August 12 (our first “Update Tuesday” if you like the new nomenclature, or our most recent “Patch Tuesday” if you prefer the old), MS re-released another update yesterday. This one’s an optional update rollup that applies to Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2. It’s named KB2975719, and it now shows a release date of September 2, 2014. Unlike earlier re-released update 2982791 (about which I blogged on August 29), it’s not necessary nor recommended to first uninstall the August 12 version of this same update before installing the September 2 version. Nevertheless, a restart is required once the update is complete.
Another reissued August 2014 update, this time for the “functionality rollup.”
The elements included in the rollup are depicted on the KB page as follows:
Most of these changes are pretty minor, or affect only a small subset of Windows users. There’s info about when the last time Windows Update was run, and the last time updates were downloaded (item 1). The Precision Touchpad is a kind of touchpad (found primarily in the Surface Pro 3) for which some nice functionality changes are provided (users must have a “Mouse and touchpad” entry in PC Settings to take advantage of item 2). Only those who use or need the Russian currency symbol will benefit from item 3, and item 4 is primarily aimed at making Miracast receivers discoverable via Wi-Fi for multimedia use. Item 5 permits use of “Date taken” and GPS info for MP4 files for Windows Runtime and Win32 APIs, and Item 6 cuts down on message traffic for SharePoint Online site access. Mostly a ho-hum, IMHO. But there it is, so admins will want to grab and test this one for upcoming scheduled releases, and make sure to omit the August 12 version of the same KB item from their future testing and deployments.
With the introduction of Windows Server 2012 R2 in October 2013, Microsoft first introduced what it called “extended replication” for Hyper-V. This facility permits any Hyper-V VM to be directed to two different replication targets, which usually means a local target for immediate access, rebuild, and recovery; and a cloud-based target for off-site protection, disaster recovery, and so forth. In July, 2014, as an outcome of Microsoft’s acquisition of InMage Systems, the company’s Azure Site Recovery now supports a variety of hybrid cloud-based business continuity solutions that not only encompass on-premises Hyper-V clouds, and Microsoft Azure, but that also extend to enterprise private clouds, active workloads, and hosted clouds in the Azure environment. Furthermore, the company’s self-described strategy is “…to provide hybrid cloud business continuity solutions for any customer IT environment, be it Windows or Linux, physical or virtualized on Hyper-V, VMware, or others.”
Sometimes, bullet-speak is helpful when decoding complex services, such as DRaaS.
Let’s unpack these bullets so as to better understand what’s going on here:
- Automated protection and replication of VMs: users can established and control automation policies for replication and recovery; integrates with Hyper-V Replica, System Center, and SQL Server AlwaysOn.
- Remote Health Monitoring: Uses System Center Virtual Machine Manager to continuously and remotely monitor cloud health from within Azure.
- Customizable recovery plans: buyers can choose to replicate to their own private clouds at a lower price, or to replicate to Azure based private clouds at a higher price (see below for some details).
- No-impact recovery plan testing: Replication and testing imposes no impact on primary private cloud VMs and host machines; test as often as you like without worrying about impacts on users or consumers of cloud-based services and data.
- Orchestrated recovery when needed: This MS DRaaS (Disaster Recovery as a Service) offering enables orchestrated recovery for virtual machines for quick service restoration, even for complex, multi-tiered workloads. This comes courtesy of the Azure management portal, which enables creation of recovery plans, then handles their automation and implementation.
- Replicate to — and recover in — Azure: Lets the Azure cloud function as the “replication site” for recovery operations, to avoid costs associated with creating and maintaining an actual disaster recovery site. Though it’s a higher-priced option, published prices are cheap (though they’re linked to a trial period, and will obviously go up thereafter, where final rates are not so readily available).
A free trial is available on the afore-linked page for easy “try it before you buy it” use, and pricing is surprisingly affordable (though costs vary by geographic region; I used my location in the US West to produce these examples):
- $16 per VM per month for customer owned/hosted targets
- $27 per VM per month for site recovery to Azure sites, where additional monthly storage fees will also be incurred for over 100 GB per VM.
- Pricing after the trial period ends is not readily available, though you can use the Azure Calculator to make that determination given a fairly detailed inventory of your workloads, plus storage and bandwidth consumption needs.
This is a pretty interesting offering, and is bound to set the bar for other major cloud vendors and to give smaller players who first jumped into DRaaS some powerful food for thought. It’s definitely worth checking out.
On August 18, I blogged about the withdrawal of a series of updates originally released on August 12 — most notably, KB2982791. At that time, MS recommended that IT admins at least consider uninstalling any or all of KB2982791, KB297028, KB2975719, and KB2975331, especially those who might experience an 0×50 Stop error (aka “Blue Screen of Death” or BSOD).
Out with the old, in with the new: KB2982791 gives way to KB2993651.
Here’s what MS is now saying in its more detailed TechNet discussion of MS14-045 from the “Update FAQ” section about a replacement update KB2993651 pushed out of band, or OOB, on August 27 (emphasis via light-gray background in the following quote is mine, to highlight the discussion that follows it):
Why was this bulletin revised on August 27, 2014? What happened to the original 2982791 security update?
To address known issues with security update 2982791, Microsoft rereleased MS14-045 to replace the 2982791 update with the 2993651 update for all supported releases of Microsoft Windows. Microsoft expired update 2982791 on August 15, 2014. All customers should apply the 2993651 update, which replaces the expired 2982791 update. Microsoft strongly recommends that customers who have not uninstalled the 2982791 update do so prior to applying the 2993651 update.
I already successfully installed the original 2982791 security update and am not experiencing any difficulties. Should I apply the replacement update (2993651) released on August 27, 2014?
Yes. All customers should apply the 2993651 update, which replaces the expired 2982791 update. Customers do not need to uninstall the expired 2982791 update before applying the 2993651 update; however, Microsoft strongly recommends it. Customers who do not remove the expired update will retain a listing for 2982791 under installed updates in Control Panel.
I uninstalled the original 2982791 security update. Should I apply the August 27, 2014 rereleased update (2993651)?
Yes. To be protected from CVE-2014-0318 and CVE-2014-1819, all customers should apply the rereleased update (2993651), which replaces the expired 2982791 update.
Here are the important takeaways from this out-of-band update that should be of particular interest to Windows administrators, particularly those charged with maintaining Windows images for users in an enterprise setting:
- If you haven’t yet deployed (or tested) KB2982791, don’t bother. It is completely supplanted by KB2993651.
- Users whose PCs have KB2982791 already installed will be best served by first uninstalling that update, then installing KB2993651 instead.
- In environments where users may have BYOD notebooks, tablets, laptops, and so forth running Windows, they may need to be informed about proper handling of KB2993651 and KB2982791. Such information should include brief instructions on how to uninstall the obsolete update prior to installing its replacement.
One of the sites I scan regularly for fodder for this very blog is MajorGeeks.com (MG), a well-curated site of mostly free (some shareware) Windows tools and utilities. I’ve been a devoted and enthusiastic user of Piriform’s CCleaner for many years now, so I was more than curious to see a story at MG entitled “Has Piriform pulled the ‘Slim’ version of CCleaner?” dated 8/26/2014 this morning. It explains the following chronology observed at the Piriform website of late:
1. Until about a month ago, Piriform made a free version of its CCleaner utility available with some minor hoops to jump through to get it (you had to know where to look for it, click through some “calls to buy” a fee-based version, and so forth)
2. Over the past month, Piriform added bundleware to its free CCleaner version, but allowed users to wait 5 days to obtain a link to download a non-encumbered version of the program. According to the author of the MG article (see comments following article text) that bundleware is a notorious advertising software module known as OpenCandy (see also Malwaretips.com “How to remove PUP.Optional.OpenCandy“).
3. According to MG, the non-encumbered (“Bundleware free Slim”) version of CCleaner is no longer available, so users have no choice but to download the encumbered version.
AdwCleaner turns up some unwanted registry keys, and a few sneaky browser extensions.
Nothing loath, I used the AdwCleaner tool to inspect my system and, sure enough, it found some minor traces of OpenCandy on my system (and I double-checked to make sure that CCleaner provides no opportunities for users to opt out of its installation, nor does it even inform them that this “bundleware” is being installed). I’m appalled and distraught, primarily because I’ve recommended CCleaner to many of my readers without knowing that the program has started to include questionable payloads along with its advertised/documented capabilities. Sigh.
MG goes onto recommend Wise Disk Cleaner as an alternative disk cleaner, noting that it finds and cleans more files than CCleaner does (and sure enough, it located about 712 MB more stuff on my system to get rid of, even after running the latest CCleaner version on that PC: 4.17.4808). I hesitate to unstintingly recommend this tool without spending more time with it myself, though I am comfortable with passing MG’s own recommendation onto readers, having observed them to be very careful about choosing and recommending software themselves over the 10 years or so I’ve been paying attention to the site. As for myself, I need to clean after OpenCandy on my system(s) with CCleaner, and then get to know Wise Disk Cleaner a bit better. Stay tuned!
[Note added 8/28/2014: The "Slim" (adware-free) version of CCleaner has returned to the Piriform.com website. Timothy Tibbetts (author of the MG article that spawned this blog post) says this about its appearance as of 9:52 AM (CDT) this morning:
Within 24 hours, they have put the new version of Slim up for download. For those who commented below and didn’t understand why this was written, here’s why; We have been listing CCleaner for as long as I remember. 10+ years maybe? There’s a system: Standard and Portable get released and the Slim version remains available one version back for exactly 5 days. This time the Slim version was not available for download at all and that has never happened. Ever. Oddly enough another first, the download for Slim re-appeared with the new version the next day. Again, this has never happened. Was it a response to this article? I’ll never know. Only time we ever heard from the guy (I mean Piriform) was for a cease and desist.
As long as users know they should only grab and use the Slim version going forward, I guess there's no reason not to stay with that version. I don't recommend the standard version any more, though. If you want to do that, you must visit the CCleaner - Download Builds page to grab the Slim version of the program: you can't find it on the regular download page. 'Nuff said.]
Only the “Slim” versions of CCleaner omit OpenCandy
The news sites are abuzz with word from the official Chinese Xinhua News Agency yesterday (August 24) that Chinese engineers are crafting their own home-grown operating system for desktop PCs and mobile devices. The Xinhua English newsfeed prominently features a piece entitled “Chinese OS expected to debut in October,” that includes language to the effect that “… the OS will be first seen on desktop devices and later expanded to smartphones and other mobile device” according to Ni Guangnan of the Chinese Academy of Engineering.
Could an “official state OS” be in the offing in China?
In recent months, China has announced it would not adopt Windows 8 for any of its computers, citing nonspecific concerns about security and confidentiality that many industry observers believe speak to the Chinese government’s fears that MS may otherwise enable eavesdropping for a variety of clandestine US interests and agencies. Microsoft is also the focus of an anti-trust investigation currently underway in China. Further, it turns out that Mr. Guangnan is none other than a co-founder of Lenovo, himself a man who remains active on the Chinese technology scene, and still enjoys close ties to the regime, which he believes “should lead the project going forward” (this is a quote attributed to him in a CNN story “China develops Windows and Android killer” 8/25/2014).
This story is getting lots of airplay, and while details are scarce and sometimes contradictory, it’s hard not to perceive this news as something of a pre-emptive strike of sorts, both against Microsoft and the US Government. Paul Thurrott, at WindowsITPro, reports that though an October release date has been mentioned, the initial planned OS won’t be complete by that time, and that delivery of the mobile version of this presumptive OS might not be ready for another three to five years. It should be interesting to see what emerges from development efforts now underway, and how they are received in China and elsewhere. One thing’s for sure: life in Redmond just got a lot more interesting for the operating systems team.
OK, I confess: I don’t always look at the Windows Reliability Monitor as often as I should. But when I did recently, I discovered an issue on my primary production Windows 8.1 desktop that further research showed me is pretty widespread. If you try a Google search on “SkyDrive appcrash” or “SkyDrive crashes daily” you’ll get a quick sense that what I’m asserting here — namely, that SkyDrive (formerly known as OneDrive) experiences frequent and regular stability problems on some Windows 8.1 (and other Windows versions’) installations — is more than just an isolated phenomenon. Here’s a weekly summary snapshot for the last week of July from the Reliability Monitor that illustrates what this PC has been experiencing over the past 5 weeks, during which time my stability index has wavered between a low of 2.2 and a high of 3.8:
For the week of 7/27, 12 critical events, of which 7 came from OneDrive.
Aside from establishing a new and unwelcome low-water mark for the reliability metric on any Windows OS I’ve operated, my research indicates that hundreds of users have been experiencing the same kinds of problems on some PCs, going back to the release of Update 1 in April 2014 (though there are some similar reports that predate this update, the volume increases markedly after April 9 when Windows 8.1 Update 1 was pushed out). Numerous causes are suggested that range from a corrupt or broken SkyDrive runtime environment, to issues with access to the OneDrive cloud (http://onedrive.live.com) related to SSH certificates and/or Trusted Web site status, to problems with OneDrive synchronization between local file copies and copies in the cloud.
None of the easy fixes suggested on social.microsoft.com or elsewhere appeared to work for me, until I took the tried-and-true approach to fixing broken applications/services. After uninstalling OneDrive via the “Programs and Features” applet in Control Panel, then downloading and reinstalling the current version from the PC|Mac download page — even though this resulted in a warning that I was replacing a newer version of the application with an older one (the download is designed for Windows 7 and 8, not 8.1, because OneDrive is pre-installed in the Windows 8.1 Update 1 image) — my problems appear to have abated.
This does not seem to be a universal issue for all PCs running Windows 8.1 Update 1, but it clearly afflicts some non-zero subset of such machines. Of the four tablets and notebooks I’ve got running that Windows version, and the four desktops likewise, Murphy’s Law apparently dictates that only my production PC be the one that’s thus afflicted. Go figure. As for myself, I’m keeping my fingers crossed that the fix just finally applied will fix my issues for once and for all. We’ll see!