As I mentioned in a 1/5 blog post, major vulnerabilities for Intel and AMD processors emerged over the holidays. KB4056892 addresses them, at least in part. But running the Get-SpeculationControlSettings PowerShell script (available for download from within the PS window) is disturbing. It shows that on most machines a firmware/BIOS update from the PC or motherboard vendor is also required to patch these vulnerabilities. Among the additional details on the KB4056892 Wintel vulnerabilities I provide here is the unwelcome news that few such updates are available. In fact, many hardware vendors haven’t released such updates, particularly for older systems. Let me elaborate…
Here Are More Details on KB4056892 Wintel Vulnerabilities
Right now, my only fully-patched system is my Surface Pro 3. It is fully patched because MS released the firmware updates at the same time they let go of related Windows OS and application updates on 1/3. None of my other systems currently qualifies, even though the newest ones are only 12 to 24 months old. To illustrate a complete patch, output from the PowerShell script on the Surface Pro 3 is quite revealing, on a variety of topics:
PS Script output for fully-patched Surface Pro 3.
Here’s what this output tells me:
1. It shows the sequence of activities necessary to run the Get-SpeculationControlSettings script, which includes obtaining and installing the NuGet package provider to handle its installation.
2. It names the two vulnerabilities involved: branch target injection (BTI), and kernel VA shadow (KVAS). It also identifies their IDs in Mitre’s Common Vulnerabilities and Exposures (CVE) database — namely CVE-2017-5715 and CVE-2017-5754, respectively.
3. It shows that for BTI, both hardware and Windows OS support are present, thanks to KB4056892 and a same-day firmware update for the Surface Pro 3.
4. The Windows OS is patched for KVAS (2nd group of green lines).
What About Systems Missing HW Support for BTI?
Alas, the 7 remaining systems here at Chez Tittel all produce the same depressing (or scary) results. I show the PS script output for my production desktop, built in January 2016 from 2015 parts. It tells a different story:
PS Script output for partly-patched homebrew desktop with Asrock Extreme7+ mobo, i7-6700, etc.
As the red lines in that output indicate, a few things are missing. Here’s what it says, in a form parallel to the preceding screen capture:
1. Same sequence of activities to make the Get-SpeculationControlSettings script work.
2. Same recitation of vulnerability info.
3. Alas, no hardware support for BTI means Windows OS support is disabled.
4. Indeed, KB4056892 addresses the KVAS vulnerability.
Hopefully, I don’t have to explain why I’m checking the Asrock, Dell and Lenovo sites daily for updates to affected systems’ firmware. If your PCs are in the same boat, you should probably be doing the same. I’ll be patching those systems as soon as updates appear, and you should do likewise for yours.
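The two outcomes described above (fully patched versus missing firmware support for BTI) can be told apart in script form rather than by reading red and green lines. The following is an added example, not code from the original post or from Microsoft; it assumes the SpeculationControl module's result object with its BTI* and KVAShadow* properties, and the two sample objects are constructed to mirror the screenshots described in the text.

```powershell
# Added example. One-time setup on a real machine (elevated prompt):
#   Install-Module SpeculationControl
#   Import-Module SpeculationControl
function Get-SpecCtrlVerdict {
    param(
        [Parameter(Mandatory)] [string] $Computer,
        [Parameter(Mandatory)] $Settings   # object from Get-SpeculationControlSettings
    )
    $actions = @()

    # CVE-2017-5715 (branch target injection): OS support AND firmware are both required.
    if (-not $Settings.BTIWindowsSupportPresent) {
        $actions += 'BTI: install the Windows update (KB4056892 in this article)'
    }
    if (-not $Settings.BTIHardwarePresent) {
        $actions += 'BTI: install the firmware/BIOS update from the PC or motherboard vendor'
    }
    elseif ($Settings.BTIWindowsSupportPresent -and -not $Settings.BTIWindowsSupportEnabled) {
        # Firmware and OS support are both there, yet the mitigation is off.
        if ($Settings.BTIDisabledBySystemPolicy) {
            $actions += 'BTI: mitigation disabled by system policy; review that setting'
        }
        else {
            $actions += 'BTI: support present but not enabled; investigate'
        }
    }

    # CVE-2017-5754 (kernel VA shadow): handled by the OS update alone.
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $actions += 'KVAS: install the Windows update'
        }
        elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $actions += 'KVAS: support present but not enabled; investigate'
        }
    }

    [pscustomobject]@{
        Computer     = $Computer
        FullyPatched = ($actions.Count -eq 0)
        Actions      = $actions -join '; '
    }
}

# Constructed sample: every check green, as on the Surface Pro 3.
$surfacePro3 = [pscustomobject]@{
    BTIHardwarePresent = $true; BTIWindowsSupportPresent = $true
    BTIWindowsSupportEnabled = $true; BTIDisabledBySystemPolicy = $false
    BTIDisabledByNoHardwareSupport = $false; KVAShadowRequired = $true
    KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $true
}
# Constructed sample: OS patched, no firmware update yet, as on the homebrew desktop.
$desktop = [pscustomobject]@{
    BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true
    BTIWindowsSupportEnabled = $false; BTIDisabledBySystemPolicy = $false
    BTIDisabledByNoHardwareSupport = $true; KVAShadowRequired = $true
    KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $true
}

Get-SpecCtrlVerdict -Computer 'Surface Pro 3 (sample)' -Settings $surfacePro3
Get-SpecCtrlVerdict -Computer 'Homebrew desktop (sample)' -Settings $desktop

# If the module is installed, classify the machine this runs on as well.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpecCtrlVerdict -Computer $env:COMPUTERNAME -Settings (Get-SpeculationControlSettings)
}
```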
[Note Added 1/12/18 9 AM]
Last night, when I ran Dell Update on my Venue Pro 11, I found a BIOS update for that machine. In the meantime, I’ve not only updated my BIOS to version A22 (dated 1/2, released 1/10), I’ve also upgraded that machine to the latest Insider Preview (Build 17074.1000). Happily, despite a couple of scares, the BIOS update didn’t brick the Dell unit — as reported for other Dell PCs recently — and the OS upgrade installed successfully, too. A quick run of the Get-SpeculationControlSettings PS script now shows all-green status for both vulnerabilities. One more Dell, two more Asrock mobo PCs, and two more Lenovo laptops to go! Stay tuned…
[NOTE Added 1/16/18 9:40 AM]
Aryeh Goretsky of ESET created, and is maintaining, a database of all vendors with Meltdown/Spectre responses on the record. There are currently 210 entries in this list (which includes links to their info and responses) as I write this note. This is absolutely, positively the BEST and MOST COMPREHENSIVE coverage of the vendor responses that I’ve found or seen so far. Check it out: “Meltdown and Spectre CPU Vulnerabilities: What You Need to Know.” I’m blown away by the time and effort that went into putting this together…
[NOTE Added 1/17/18 9 AM]
ComputerWorld Editor extraordinaire Val Potter touts Steve Gibson’s utility named InSpectre (get it?) that puts an approachable face on the Get-SpeculationControlSettings PS script. If you want your users (or friends, family, and other hangers-on) to do their own Spectre/Meltdown checks, this little tool will make it much easier for them to run the check and to interpret the results. To wit:
Behind the scenes, Windows runs all kinds of background tasks to keep things working smoothly — in theory, at least. However, users on TenForums.com report that thumbnails keep disappearing. Because thumbnails provide visual cues to the contents of photographs and images, users depend on them to identify and work with photos and graphics. Alas, deleting thumbnails means they must be rebuilt. No big deal for those with hundreds to thousands of images. But a big problem, for those with tens of thousands or more. In fact, users with large photo or image collections report that thumbnails get deleted before the thumbnail cache can be completely rebuilt. Unfortunately, this stymies their use completely, too. Luckily, a simple reghack fixes unwanted Win10 thumbnail deletions quickly and easily.
A RegHack Fixes Unwanted Win10 Thumbnail Deletions. How so?
As it happens, the Automatic Maintenance task is the culprit. Apparently, it includes instructions to empty the Thumbnail Cache each time it runs. Because that task runs daily by default, it’s clobbering thumbnail cache contents daily as well. You can check your settings at Control Panel → All Control Panel Items → Security and Maintenance → Automatic Maintenance. Alternatively, type “maint” into the Cortana search box and a link labeled “Change Automatic Maintenance Settings” should pop up automatically.
This screen cap shows the default settings for Automatic Maintenance.
Fortunately, you can disable thumbnail cache deletion with a single registry hack (aka RegHack). Details in the section that follows.
Thanks to some excellent sleuthing work from TenForums user ylm, we now know that the “SilentCleanup” task is our culprit. It appears within Windows Task Scheduler as Microsoft → Windows → DiskCleanup. Here’s how to disable thumbnail deletion in this task:
1. Launch Regedit.exe
2. Browse to HKLM\Software\Microsoft\Windows\
3. Set the Autoruns DWORD to 0 (zero)
4. Reboot the PC
Once enacted, this change stops Automatic Maintenance from deleting the thumbnail cache. Problem solved. For those with big photo or image collections, this can remove a major cause for irritation. Ditto for IT pros who manage PCs for people who work with photos or images on the job! If you fall into either category, this reghack is worth trying out.
Over the holidays, news emerged about a horrible flaw in x86 processors. Alas, it affects Intel and AMD hardware alike. This is hardware level stuff that will change layouts for future processors, because it exposes PCs to deep security vulnerabilities. In the meantime, users must accept performance hits on Intel processors from 5 to 30 percent! See this story at The Register for more details on what’s being called the “kernel memory leaking” Intel processor design flaw. Upgrade all Win10 PCs under your control to Build 16299.192 or higher ASAP.
You want Winver to report 16299.192 or a higher-numbered version to make sure the fix is installed.
Install Now: KB4056892 Fixes Critical Win10 Security Bugs!!
By default, Windows Update should happily install the afore-named update. Or, you can grab it from the Microsoft Update Catalog, and install it manually. Companies and organizations should rush it into compatibility testing ASAP. The same urgency applies to its deployment, too. This one is worth jumping the usual queue to accommodate, as admonitions from many security experts and recent calls to action will demonstrate.
Ultimately, PC vendors will also have to publish firmware updates to help address this issue. In fact, MS has already published firmware updates for its Surface family of products. Other motherboard and system vendors should soon follow suit. Be sure to check related websites for those updates, too!
On Another Subject Altogether…
I was surprised and pleased to have received an email from Microsoft on January 2, informing me that I’ve been chosen as a Windows Insider MVP for 2018. That means I’ll get more exposure to information about Windows 10 and related products and platforms directly from the source. Hopefully, I’ll be able to share some of that news with my readers and add to the flow of news and info on this blog and elsewhere. I’m still figuring out what all this means, but I’ll happily share what I can with all of you going forward.
[Shout out to Shawn Brink at TenForums.com whose 1/3 “Kernel memory leaking Intel processor design flaw” Windows 10 News post alerted me to this issue. Thanks!]
This is my last post for 2017, so it’s apt to reflect on the reigning desktop OS this year. We’ve worked our way through two Creators updates (Versions 1703 and 1709), each of which brought changes. Some of the big improvements have included mixed reality, OneDrive files on demand, and fluent design. It’s been strange to see PowerShell supplant Cmd.exe on the Winkey-X menu. (However, it’s easy enough to reverse this change in the Settings menus.) All in all, it’s been a big year for changes. In my own opinion, most of those changes have been for the better. But Windows 10 for 2017 has also seen its share of controversy and slams.
Plusses and Minuses Aplenty in Windows 10 for 2017
I follow the user forums at TenForums.com reasonably closely. I have probably read more than five thousand threads over the past year. People have found plenty of reasons to like Win10, but also many reasons to dislike or denigrate Microsoft’s current desktop OS. On the whole, I think that the plusses probably outweigh the minuses. The inescapable reality, however, is that for good or ill Windows 10 is the desktop OS that the vast majority of users must work with day-in and day-out.
Lord knows, I’ve had my share of mystery issues and frustrating gotchas with Win10 in 2017. But the OS keeps working, and I remain able to get my work done, obstacles and impediments notwithstanding. To those who get seriously worked up about such things I say: “My sympathies. Let’s find a workaround, or some kind of solution.” Yes, Win10 can be difficult and frustrating. But with relatively new capabilities like the in-place upgrade install (which replaces a hinky or questionable OS but leaves files and applications alone), there isn’t much that such a fix can’t address on most Windows PCs.
What to Make of Changes, Problems, and More
There’s still a lot to learn, and a lot to like, about Windows 10 for workday and personal use. Thus, as 2017 draws to a close, I’ll quote the memorable words of my old friend and CAD engineer George Osborne who would always say goodbye on Fridays with the same words. “I’ll see you here next Monday, unless a better offer comes along!” In this case, swap 2018 for next Monday because I’m pretty sure that Windows 10 will still be the market leading desktop OS once the New Year has rung in.
In the meantime, have a happy New Year, and enjoy the last few days of this one. I’ll be tackling problems and issues, reporting on new tools and technologies, and in general chasing down Windows 10 news once again on January 5, when we return from our family vacation.
Huh! I learned something interesting yesterday, thanks to some nice sleuthing work from my frequent Win10 collaborator, Kari Finn. We’d been chatting earlier in the week, and he’d asked me to open an ISO file to examine its contents. When I right-clicked on it, the “Mount” entry in the context menu had gone missing. Then when I double-clicked the file, and 7-Zip opened, we both knew that I’d allowed that program to over-ride the default file association when it had been installed last year. Undoing 7Zip ISO association forced me to dig into the new UWP way of doing things in Win10, so I thought I’d share that here for the benefit of other old-timers like me who might not have done it that way just yet themselves.
Undoing 7Zip ISO Association: Here’s How…
Basically, there are two ways to do this. The first one simply relies on using the Open with… element from the context menu in File Explorer. Launch this by right-clicking any ISO file, and then something like this window will pop up:
If you click the checkbox in this window, you’ll change the file association, too.
The second way to make this change is a bit more convoluted. Nevertheless, I wanted to learn how to do it the UWP way in Windows 10. This takes you through a four-item sequence of selections. Settings → Apps → Default Apps → Set defaults by app → Windows Disc Image Burner (!). Finally, you’ll see associations for the .img and .iso (Disc Image File) file types. This is where you can make sure that, as shown, Windows Explorer appears as the default (I manually switched it from 7Zip, in my case).
I prefer the preceding method, because it involves half the clicks.
And now, much to my relief, when I double-click on an .iso file in File Explorer, it simply mounts the file and opens a virtual drive to display its contents. Sweet!
I’m something of a compulsive on the subject of conserving and cleaning Windows disk space. That’s why I’ve blogged many times here on various techniques for space recovery in Windows 10 (and earlier OSes). I was both surprised and pleased to realize that MS had slipped a new cleanup into Win10. Access it through Settings → System → Storage Sense → Change how we free up space. When you perform this Win10 Settings System Storage Sense file clean-up, you’ll see a screen like this one:
You must turn Storage Sense on for this to work, and force the clean-up by clicking the “Clean now” button at bottom.
Running the Win10 Settings System Storage Sense File Clean-up
As the image caption relates, you must first enable Storage Sense to use this tool. Then, it will run automatically whenever a drive gets low on storage space. Alternatively, you can force the clean-up to run any time you like. Simply visit this window, then click the “Clean now” button and off it goes. Note also the checkboxes for:
- temporary files
- recycle bin files over 30 days old
- Downloads contents over 30 days old
Only the first two are checked by default, but you can grab some disk space back by clicking the third checkbox, too. I just ran it on a few systems to check it out. It reclaimed anywhere from 179 MB to as much as 24.9 GB on a system I upgraded yesterday to Insider Preview Build 17063. Note the additional information that shows up about the clean-up in that Redstone 4 code base. This may become generally available after MS releases the Spring update. Notice that it skips empty items (unlike Disk Cleanup) and shows only items from which space may be reclaimed. As far as I can tell, though, this is just another way to do what Disk Cleanup already did. Does this spell imminent retirement for Disk Cleanup? Could be!
Thanks and happy holidays to Sergey Tkachenko, whose recent article “How to Free Up Drive Space in Windows 10” alerted me to this feature. He’s something of a Windows space hound, too!
Life has been rough for owners of PCs running (slightly) vintage AMD graphics cards. When used along with the Fall Creators Update, those with Radeon HD 2000, 3000 or 4000 graphic cards have troubles. They recently received AMD driver version 18.104.22.168 through Windows Update. Normally, that’s a good thing. But this time, users found themselves unable to use favorite screen resolutions, or facing a black screen instead of a GUI interface. Released on 12/19/2017, KB4057291 fixes Win10 AMD GPU issues like these, and lets users return to life and work. This item should be readily available to those affected through Windows Update. It may also be downloaded from the Microsoft Update Catalog and installed manually.
This update is available through WU or, as shown here, from the Update Catalog.
When KB4057291 Fixes Win10 AMD GPU Issues, What Happens?
The workaround discovered while others were sussing out this problem and learning how to cope illuminates MS’ own solution. Savvy hardware troubleshooters quickly figured out that rolling back to older driver versions would restore normal operations. Alas, MS would then erroneously detect the driver as out-of-date, unless users instructed WU not to download drivers. (Available using the “Exclude drivers from quality updates” policy option in the Group Policy editor.) Unless overridden, WU overwrites the fix with the wrong update again, and puts users back to square one.
Needless to say, this situation needed an immediate fix. Hence, the out-of-cycle release in which KB4057291 fixes Win10 AMD GPU issues, as now explained. The new KB provides updated intelligence regarding AMD graphics cards, so that systems with older cards don’t download and try to use a newer driver that doesn’t work properly (or provide the expected screen resolutions). Multi-monitor support issues are also fixed, according to Ghacks.net.
Today, the GUI stuff gets most of the glory in Windows 10. Even so, friend and occasional guest blogger Kari Finn reminded me this morning that “real nerds do it at the command line!” I’ve been a user of the myriad of net commands there since first getting to know Windows back in the 3.x days. But I’d totally forgotten that the Net User command controls user access hours. He reminded me of this in a TenForums.com post this morning that includes some peachy examples, too. Here they are, captured in graphic form (to grab the text to play with, visit the original):
You can get fancy with the time controls in NET USER if you like!
How the Net User Command Controls User Access Hours
Some of the niggling syntax details aside, it’s simply a matter of specifying day of week and time window to limit user hours with this command. You can use either 24 hour values for time (from 0-24, with 01 for 1) or 12 hour values to which you must add AM or PM (1AM, 6PM). The days of the week may be spelled out, or abbreviated as M (Monday), T (Tuesday), W (Wednesday), Th (Thursday), F (Friday), Sa (Saturday) and Su (Sunday). For the complete skinny on this command, check out the Command Line Reference entry for “Net user” online.
The original blog post observes, quite correctly, that this approach works best for ordinary user accounts that lack administrative privileges. Why? Because anyone with such privileges need only wait for their time window to open up, at which point they can exercise those privileges to change the hours associated with their own account. I like to think of it as a variation on the old lyric: “Who’s keeping time with the time-keeper’s daughter while the time keeper’s out keeping time?”
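Here is the day-and-time syntax described above, wrapped with the administrator caveat as a check. This is an added example, not taken from the TenForums post or this blog; the function name Set-UserLogonHours and the account name TestKid are hypothetical, and the demo call uses -WhatIf so that nothing is changed.

```powershell
# Added example. Run from an elevated Windows PowerShell 5.1 prompt.
function Set-UserLogonHours {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserName,

        # A day or day range using the abbreviations listed above, e.g. 'M-F' or 'Sa'.
        [Parameter(Mandatory)]
        [ValidatePattern('^(M|T|W|Th|F|Sa|Su)(-(M|T|W|Th|F|Sa|Su))?$')]
        [string] $Days,

        # Whole hours on the 24-hour scale; the 0-24 range follows the article.
        [Parameter(Mandatory)] [ValidateRange(0, 24)] [int] $StartHour,
        [Parameter(Mandatory)] [ValidateRange(0, 24)] [int] $EndHour
    )
    if ($EndHour -le $StartHour) { throw 'EndHour must be later than StartHour.' }

    # The caveat from the text: an administrator can simply change their own hours.
    # S-1-5-32-544 is the built-in Administrators group, whatever its localized name.
    # Only direct local members are matched here; nested domain groups are not expanded.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    if ($admins.Name -contains "$env:COMPUTERNAME\$UserName") {
        Write-Warning "$UserName is a local administrator and can undo this restriction."
    }

    # Produces a string such as M-F,08:00-17:00
    $spec = '{0},{1:00}:00-{2:00}:00' -f $Days, $StartHour, $EndHour

    if ($PSCmdlet.ShouldProcess($UserName, "net user /times:$spec")) {
        & net.exe user $UserName "/times:$spec"
        if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }
    }
    $spec   # return the spec so callers can log what was requested
}

# Dry run against the hypothetical account: shows the command without applying it.
Set-UserLogonHours -UserName 'TestKid' -Days 'M-F' -StartHour 8 -EndHour 17 -WhatIf
```

To review the result afterwards, run net user with the account name alone and read the "Logon hours allowed" line; /times:all removes the restriction.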
Levity aside, there’s a lot of power and capability in the Net commands for Windows. Thus, I will probably find myself returning to them from time to time. Next up, in fact, will probably be the network shell, aka Netsh. Stay tuned!
Here’s a nifty utility you may want to add to your Win10 desktops. It’s called CapsLock Indicator, and it shows persistent visual cues in the Notification area of the Win10 taskbar. To be more specific, it shows the state of three keys: Caps Lock (C), Num Lock (N), and Scroll Lock (S). Simply put: CapsLock Indicator shows key states for those three keys. It’s a petite (119 KB) little utility that does the job quite nicely, from German developer Jonas Kohl. Here’s what the UI looks like:
You can decide which of the three keys you want shown, then manage their appearance and status change behavior.
When CapsLock Indicator Shows Key States, What Happens?
By default the key indicators show up as white text against a purple background. (The program provides controls for most of these things.) When you click a lock key, it changes background from purple to green with a white outline. This makes it easy to tell with a glance if the key is on or off. I don’t use the Scroll lock key myself, so I turned it off in the UI. In other words, I unchecked the box next to “Scroll lock” in the upper left UI pane. Other than that, I only had to drag the C and N icons from the pop-up notification area onto the static notification area on the toolbar to keep them visible all the time.
This is a great tool, especially for touch typists like me who get discombobulated when Caps Lock or Num Lock get turned on unintentionally, or get left on longer than I need them activated. It’s nice to know what’s what, and this tool helps provide that info without forcing me to check lights on the keyboard. If you like this behavior as much as I do, grab yourself a copy today. It’s free.
I’ve been switching over from a test desktop to a Dell All-in-One for Insider Preview testing and experimentation. We’ve moved the Asrock Z97 Killer with i7 4770K CPU, 32 GB RAM, and 500 GB mSATA SSD, upstairs. In return, I’ve picked up and fixed his Dell XPS 2720 All-in-One touchscreen PC for use in my office. In whipping the Dell into shape, I’ve recalled one plus from buying a PC or laptop from a big-name vendor. (At my house that means Dell, Lenovo and Microsoft right now.) Those big outfits can afford to automate and simplify device maintenance and upkeep. That’s why I say “When updating drivers check vendor support.”
When Updating Drivers Check Vendor Support Gets You Tailored Advice
On the Dell machine, I can check drivers quite simply. I just right-click the Dell Update icon in the toolbar, then select “Dell Online Support” from the pop-up menu. It works with a utility called Dell System Detect to read the PC’s asset code from firmware, to look up its purported hardware configuration. When I go to its Drivers & Downloads page, I only need click on a button labeled “Detect Drivers” to have it scan for and recommend any pending updates.
Once the wireless adapter is put to work, the apparent device discrepancy is resolved.
This time around, Dell found that I needed a new AHCI driver for storage, and it said I also needed a Wireless 1703 WiFi + Bluetooth driver. The AHCI driver install went without a hitch, but the wireless networking drivers failed to install. As it happens, that machine has a Killer (Atheros) N-1202 WiFi+Bluetooth adapter. I was using a wired connection, which turns off the wireless adapter. As soon as I disconnected the wired link and switched over to wireless, the scan correctly identified the networking hardware in use and reported all drivers up-to-date.
This goes to show several important things about such driver scans:
- They usually work reasonably well, but they’re not perfect.
- The user must still understand certain basics of hardware operation on the target PC for best results.
- Vendors don’t always keep up with the most current or latest and greatest drivers. They favor stability over currency, for very good reason (fewer support calls that way).
That’s why I also use the Windows Update MiniTool (aka WUMT) to check drivers on the PCs I maintain. On a follow-up check, thankfully, WUMT found nothing pending that Dell’s facility missed.
Outside the Dell Umbrella
On my Surface Pro 3, drivers come from the OS source itself, because Microsoft made that hardware as well as the OS. That’s usually right on the money in terms of driver currency and distribution. For my two Lenovo laptops, the company’s System Update utility does a pretty good job of keeping up with their drivers, too. Even on two of my desktops, both of which feature Asrock motherboards, that company’s App Shop app does a good job of keeping up with drivers plus BIOS and firmware updates. I might also observe that turning to the device maker is always a good strategy for chasing down drivers. That makes my assertion “When updating drivers check vendor support” true, even for homebrew or no-name systems and components.