Sledgehammer - Windows 10 Update Control

Discussion in 'MDL Projects and Applications' started by pf100, Nov 28, 2016.

  1. Whistler4

    Whistler4 MDL Member

    Jul 30, 2015
    204
    194
    10
    #2041 Whistler4, Jul 14, 2023
    Last edited: Jul 14, 2023
    Ha-ha! I mean, :eek:! Thanks for the vote of confidence. But I really don't have the skill to write all the necessary code or to fix bugs that will invariably crop up because of unforeseen circumstances or MS countermeasures. @rpo, just a shot in the dark, but wouldn't you or @Carlos Detweiller or @thiih_ be better and more appropriate? I just try to help out here and there.

    Also, the reason I use Sledgehammer is to keep from automatically updating until I'm ready. Unfortunately, I'm not interested in playing cat and mouse with MS's latest Windows versions (I'm still on Win 10), so there would always be the latest Windows versions that Sledgehammer doesn't work right on.

    I have tried to help @pf100 in the past with my opinion on the best user interface experience (menu order, etc.), and I wrote the initial FAQ for @pf100's approval and posting. (The FAQ is based on questions asked in this thread that I categorized, but the answers are @pf100's replies and his edited explanations. He's the mastermind of Sledgehammer. I just tried to reduce the number of times he had to address repeat questions.) I also was able to compile the last RC into a Windows setup file using Inno. But I still have questions myself about how WuMgr or WUMT repel automatic updates when used alone. Also, it seems PowerShell is the direction the newest versions may be headed, and I know less about that. While I can follow command scripts and batch files, I'm not the one who should lead this project.

    Volunteers are still needed. Help!
     
  2. Whistler4

    Whistler4 MDL Member

    #2042 Whistler4, Jul 14, 2023
    Last edited: Jul 14, 2023
    For perspective to give you hope, I'm using Sledgehammer Version 2.7.3 rc1a Windows Setup installation on five Win 10 Pro machines: three are 22H2 that I update monthly with WuMgr. One other machine is 1709 that I use for my HTPC, and one is 1909 because the laptop hardware is unable to run on any later Windows Update. And I rarely reboot the two older versions. The point is that Sledgehammer is successfully keeping all of them from automatically updating. So, 2.7.3 rc1a can work effectively on those Windows versions.
     
  3. Whistler4

    Whistler4 MDL Member

    Yeah, it appears that resolved the issue that @pf100 had with the complexity of the LockFiles.cmd: "It would be difficult to check for any error in any operation of any command in LockFiles.cmd, only that LockFiles.cmd ran to the end and finished."

    Even when Task Scheduler shows that LockFiles.cmd hasn't completed successfully, Sledgehammer still works for me. Perhaps masking this task's failure is similar to ignoring or excluding some Windows Event errors that become nuisance warnings.
     
  4. Dave Schaack

    Dave Schaack MDL Novice

    Mar 4, 2021
    11
    4
    0
    I have worked quite a bit on this. I do not have an answer as to how Microsoft successfully attacked one of my machines. However, I have some information that suggests what I might have done wrong to enable it, and how to avoid it. And it is consistent with what you say above.

    To answer your earlier question (I REALLY appreciate your help, by the way) I am also running Version 2.7.3 rc1a. I was uncertain about that because the text "2.7.2" also appears some places in my setup. Looking into the actual Sledgehammer.cmd file answered the question.

    You also asked (essentially) why I did not run WuMgr periodically. The reason is that I didn't want ANY updates and my understanding was that if I exited the Sledgehammer script at the earliest opportunity, that is exactly what I would get. Thus, I was completely unfamiliar with WuMgr.

    Before I installed Sledgehammer the first time, I had read through the message thread completely, at least once. I did read and understand about the "exit /b 0" issue back then, but I had completely forgotten about it until you mentioned it. After your response, I ran through the tests that https://forums.mydigitallife.net/members/184194/ had suggested when he was asked about it. Those tests were passed successfully.

    Reading through the message thread and examining the documentation did not give me a clear understanding of how to use Sledgehammer because of the many references to third party programs that the reader was assumed to already be familiar with. Now recently, when I looked into WuMgr, I found the situation there to be about 10 times worse! I have very little understanding of what is going on with that, but I have some suggestive results to share from it.

    As I previously mentioned, I have three more or less identical tiny laptops that I use for various sorts of data acquisition. Because they are attached to hardware, they sometimes need to be rebooted to reset that hardware even when Windows does not itself need a reboot.

    System A is my oldest system and is the one I use for most development work related to these machines. I purchased this system new in 2020. When I now look at the Update History in WuMgr, I find that I did a feature update to Win 10, Version 2004 on March 8, 2021. That update was successful. I also see a long string of Windows Defender updates beginning on that date. Clearly that is the date that I installed Sledgehammer on that machine. It has successfully avoided any updates since then. This is what we all expected and desired.

    System B was purchased used a little over a year ago and was put into service soon after. Windows 10 Home had been installed by the seller; I no longer remember what version it was or if I might have upgraded it before installing Sledgehammer. This system was then connected to the internet 24/7 for weeks or months at a time. I used it successfully for a few months last year and then for about six weeks this year. At one point some weeks ago, I rebooted it and Windows did a quick update. Very surprising, and not good. What I should have done at that point was to run Sledgehammer again and examine what WuMgr said, but I did not know any of that so I pressed on. Within a couple of weeks I got two more updates on rebooting, and the system is now at 22H2.

    System C was purchased a few weeks after system B, and it was delivered with Windows 10S. I therefore upgraded to Windows 10 Home (21H2) and once that process appeared to be complete, I installed Sledgehammer. Just recently on a reboot this system appeared to perform a quick Windows update just like System B had done to begin its trouble. However, when we look at the Update History in WuMgr we find something interesting:

    (No recent update)
    8/5/2022: Feature update to Win 10 21H2 In progress ...
    8/5/2022: 2021-09 Update for Win 10 Ver. 2004 In progress ...

    Evidently the update to Win 10 Home (21H2) was not complete when I installed Sledgehammer. That was not obvious to me -- the computer was ready for use. Also, the recent "update" did not do anything, probably because the computer was not connected to the internet at the time. However Windows was trying to do something -- could it be that it was trying to complete the updates listed above? Seems likely to me.

    The first time I looked at that output from WuMgr, the updates in progress had exclamation points associated with them. When I looked again later they did not. I don't know what that means.

    This all suggests to me two things: (1) When first installing Sledgehammer, it is important to run WuMgr to ensure that the updates you think you did have in fact been accomplished before locking the system down, and (2) Windows might have an unknown hijacker that it uses when it gets really desperate to complete an update. That latter, of course, is just a conjecture on my part.
     
  5. Whistler4

    Whistler4 MDL Member

    #2045 Whistler4, Jul 20, 2023
    Last edited: Jul 20, 2023
    Very nice description of your testing and analysis! Some of your unexpected Windows update experience might continue to be a mystery, but you're probably on the right track. I think it's important to be disconnected from the Internet at the earliest version stage to be sure Windows doesn't automatically grab updates until Sledgehammer or another update blocker is running. (That's why Sledgehammer gives you the disconnection option when uninstalling it.) So, Sledgehammer was intended to allow the user to manually update according to the user's desire and not permanently disable updates. (Note the original name of WUMT Wrapper Script.) But it can be used to simply stop updates, too, assuming MS doesn't sneak something through. When you run Sledgehammer, the second screen ("Welcome to manual updates!") warns that you should either hide or install WuMgr updates that are offered or there's a risk of unexpected updates. But @pf100 said that warning was mainly an abundance of caution.

    I was just checking my WuMgr update history list, and I also have some "In-progress" updates, primarily KB4023057 which is a Windows update facilitator that MS continually changes and pushes -- it refuses to stay hidden. You might also notice failed updates in history that later list as installed (because of rebooting, etc.), so I don't know if there's any real significance to "failed" or "in progress" in update history.

    The Sledgehammer script has been, I'm sure, a labor of love for @pf100, but it requires extensive work and testing, and he has other priorities and challenges like most of us do. So, I don't know whether the script will continue to be updated or not. Meanwhile, Windows continues to change. WuMgr has its issues, but it all works for me for now in Win 10 with Sledgehammer. I reckon I'll need a new solution sometime in the future.

    I agree that it's a good idea to run WuMgr to check what's going on and perhaps hide new updates you don't want. So far, I don't think that new hijackers are getting through if the older version being protected doesn't get updates, but MS can sneak anything through with a security update. I use AskWoody patch watch for reviewing updates for problems about a month after MS release.
     
  6. Dave Schaack

    Dave Schaack MDL Novice

    Updated Information:
    Since my System B was made useless for part of its purpose by the unwanted update to 22H2, I moved that portion of the application to my System A, currently running ver. 2004. That system has therefore recently been connected to the internet 24/7 for up to weeks at a time, mostly while doing nothing (that I know about). I decided to actually run my application only intermittently, rather than continuously, as I had done previously, but I left the system connected to the internet to avoid annoying problems with getting it reconnected. I knew I was taking a risk ...

    A couple of days ago I heard the tone that I get when a USB connected piece of hardware is disconnected, but no such disconnection had actually occurred. Being suspicious, I decided to run Sledgehammer again and look at what WuMgr had to say. Sure enough, there was an update to 22H2 "pending". There were also updates pending for a driver and for the Malware Removal Tool. I hid these updates in WuMgr and survived a reboot with no damage.

    It seems clear that the protection offered by Sledgehammer is incomplete, and that one MUST periodically run WuMgr to check for and hold off the updates that Windows is still insisting on providing. Together, the combination of Sledgehammer and WuMgr still seems to be effective.
     
  7. Whistler4

    Whistler4 MDL Member

  8. Carlos Detweiller

    Carlos Detweiller Emperor of Ice-Cream

    Dec 21, 2012
    6,452
    7,200
    210
    Which is exactly what he said?
     
  9. Dave Schaack

    Dave Schaack MDL Novice

    Today I received a notification that Windows Defender had removed a threat from my daily driver laptop. I had never noticed anything like that before; it has always said something to the effect that no threats were found.

    Looking into the details, I found that it claimed to have removed something it calls Trojan:Win32/Vigorf.A which it further says is contained in the file Sledgehammer_2.7.3 rc1a.exe!

    Now on this laptop, I have not been running Sledgehammer. In fact, I never installed it, but I did download it in the past when I was investigating it for use with my other laptops as I have previously described.

    Does anyone know anything about this -- Microsoft now has identified Sledgehammer as malware? Is the fact that the file was just stored on my disk, rather than having been installed significant?
     
  10. Carlos Detweiller

    Carlos Detweiller Emperor of Ice-Cream

    They have, they do, they always will. It is a hacktool after all, intended for making Windows Update nonfunctional (and unable to restore itself). This could potentially be used for malicious purposes.
     
  11. BT 1

    BT 1 MDL Junior Member

    Feb 16, 2017
    78
    8
    0
    Yes, it is.
    Defender scans everything if you have not made exceptions.

    But, Sledgehammer is ok, no worries.
     
  12. Dave Schaack

    Dave Schaack MDL Novice

    Well, OK, that makes some sense. But this file had been sitting in my downloads folder for over 2 years. Only now it notices it? How does that work? And more important, how does one ensure that Windows Defender does not eliminate Sledgehammer going forward?
     
  13. Carlos Detweiller

    Carlos Detweiller Emperor of Ice-Cream

    The file you mentioned seems to be just the installer. The official releases have been targeted long ago. Seems someone came upon this new customized installer and reported it. Then, it got detection signatures and is now known to Defender.

    Exclude its whole installation directory (in Program Files).
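As an added example (this is not Carlos's code and not part of the Sledgehammer project), the following PowerShell shows how to keep the exclusion scoped to the install directory alone and then verify what Defender is actually excluding; the install path `C:\Program Files\Sledgehammer` is an assumption, so substitute the folder the installer really wrote to.

```powershell
# Added example, not part of Sledgehammer. Run from an elevated PowerShell prompt.
# $installDir is an assumption: use the folder the Sledgehammer installer actually wrote to.
$installDir = 'C:\Program Files\Sledgehammer'

# 1. Review what Defender has flagged before trusting anything with an exclusion.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID,
                  @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# 2. Exclude only the installation directory (a path exclusion also covers its subfolders).
if (-not (Test-Path -LiteralPath $installDir)) {
    throw "Install directory '$installDir' not found; fix the path before excluding it."
}
Add-MpPreference -ExclusionPath $installDir

# 3. Confirm the exclusion list and flag anything broader than a single program folder.
$exclusions = (Get-MpPreference).ExclusionPath
$exclusions
$tooBroad = $exclusions | Where-Object {
    $_ -match '^[A-Za-z]:\\?$' -or                 # a whole drive
    $_ -like "$env:SystemDrive\Users*" -or        # user profiles, where downloads land
    $_ -like "$env:SystemDrive\Windows*"          # the OS itself
}
if ($tooBroad) {
    Write-Warning "Over-broad exclusions present: $($tooBroad -join ', ')"
}

# To undo later: Remove-MpPreference -ExclusionPath $installDir
```

Excluding the program folder rather than the Downloads folder keeps the installer itself (the file Defender flagged) under normal scanning, and the final check catches exclusions that would blind Defender to far more than Sledgehammer.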
     
  14. Dave Schaack

    Dave Schaack MDL Novice

    Right, it was just the installer. I'll research the "exclude". Thanks for the response.
     
  15. nicolast

    nicolast MDL Novice

    Jan 8, 2020
    27
    9
    0
    Hi,
    thanks to the programmer for making this script.

    I use another method to disable Windows Updates.
    In Gpedit, I type a fake server in Specify intranet Microsoft update service location.
    This enables me to check manually for updates, there's a new option in Windows updates: check online updates from Microsoft Update.

    However, I'm still interested in the part of Sledgehammer which enables Windows Defender to check for updates every 6 hours, as my workaround's drawback is that Windows Defender doesn't get updated.
    Is it possible to give me only the part of the script that enables Windows Defender to get updates through the Windows Update service (instead of MMPC) every 6 hours, without disabling Windows updates at all?

    Thanks
    Have a nice day.
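As an added example (not taken from the Sledgehammer script, whose own mechanism is not shown in this thread), the PowerShell below first audits the registry values that the "Specify intranet Microsoft update service location" policy writes, so you can see exactly what the fake-server trick changed, and then configures Defender to pull definitions from Microsoft Update on a 6-hour interval while that policy stays in place. The policy locations (`WindowsUpdate\WUServer`, `AU\UseWUServer`) and the Defender `ForceUpdateFromMU` value are the standard policy registry paths as I understand them; the Defender cmdlets are the built-in ones.

```powershell
# Added example, not taken from the Sledgehammer script. Run from an elevated prompt.
# Part 1: audit the "Specify intranet Microsoft update service location" policy.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"

function Get-WuRedirectState {
    # Returns the server the update agent is pointed at, or nulls when no policy is set.
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        Redirected     = [bool]($au.UseWUServer -eq 1 -and $wu.WUServer)
    }
}

$state = Get-WuRedirectState
$state | Format-List
if ($state.Redirected) {
    Write-Host "Update agent is redirected to $($state.WUServer); definition updates delivered through Windows Update will not arrive either."
}

# Part 2: let Defender fetch definitions from Microsoft Update even though the WSUS policy is set.
# As I understand it, this is the registry value behind the policy "Allow security intelligence
# updates from Microsoft Update" (Microsoft Defender Antivirus > Security Intelligence Updates).
$defPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'
New-Item -Path $defPolicy -Force | Out-Null
Set-ItemProperty -Path $defPolicy -Name 'ForceUpdateFromMU' -Value 1 -Type DWord

# Check every 6 hours, trying Microsoft Update first and the MMPC download site second.
Set-MpPreference -SignatureUpdateInterval 6
Set-MpPreference -SignatureFallbackOrder 'MicrosoftUpdateServer|MMPC'

# Pull definitions now, then report how stale they are.
Update-MpSignature -UpdateSource MicrosoftUpdateServer

function Get-SignatureStatus {
    # Surfaces the fields that tell you whether the 6-hour cadence is actually being met.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Version     = $s.AntivirusSignatureVersion
        LastUpdated = $s.AntivirusSignatureLastUpdated
        AgeDays     = $s.AntivirusSignatureAge
        Stale       = $s.AntivirusSignatureAge -gt 1   # more than a day old means the schedule is not working
    }
}
Get-SignatureStatus
```

Part 1 is worth running on its own on any machine you did not configure yourself: an update agent silently pointed at an unexpected server is exactly what a defender wants to notice, and `Get-WuRedirectState` gives a one-object answer. Part 2 leaves Windows Update itself untouched, which is what the post asks for; only the definition source and check interval for Defender change.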