Sledgehammer - Windows 10 Update Control

Discussion in 'MDL Projects and Applications' started by pf100, Nov 28, 2016.

  1. Carlos Detweiller (MDL Spinning Tortoise)
    I don't think it's intentional to foil the operation of the tool, more like collateral damage from updating. That's where a "check and reapply" routine will come in handy.
     
  2. pf100 (MDL Expert)
    I just took a break from working on the re-deny permissions task (and a lot of other things) earlier today. And what I meant about not being surprised at what they're doing is because I know they'd like to completely lock down all system files. They would completely deny access to those files like Android and iOS do if they could, but they can't. There are a lot of tricks they could do as discussed in the "the future of controlling updates" thread in my signature and I doubt there's much they could do that hasn't already been discussed. I feel like I'm ready for whatever they can throw at me, but I guess time will tell. Resetting some update hijacker file permissions is pretty lame on their part so it's possible they may have added functionality to those files. I'm not sure what they thought that would accomplish. Pretty sure there's no scenario where those system files disable themselves, so I guess they're just covering their bases by updating them and doing a little more to make damn sure Windows will force you to update.
     
  3. freevista (MDL Junior Member)
    It might also be related to some slight changes to the WaaS (Windows as a Service), caused by COVID-19. They announced extending the corporate support for old versions, and suspending the forced update of 1809 Home/Pro versions that are still left. Sledgehammer might not be on their map at all.
     
  4. pf100 (MDL Expert)
    I don't think they're targeting me either. And thanks for reporting the permissions issue. I'll give you credit in the next update. And when I said they're trying to make damn sure you update, that would include them extending the period between updates, but still making sure you do it on their timeframe. It's all speculation at this point so I'll just concern myself with fixing permissions.
     
  5. Homer712 (MDL Junior Member)
    This would be one of those "oh by the way, I just noticed" things. I tend to watch things going on in Windows 10 (1909) and have noticed the following a couple of times, and it seems opposite to how things are set up to work.

    Normally, when I start up my laptop in the morning, Sledgehammer does its thing and after a while I end up with the latest Defender definition being installed. Every so often, I end up with two sets of Defender definitions installed, about ten minutes apart, even though it should be hours before Sledgehammer's scheduled next check.

    Any ideas?
     


  6. TimMan (MDL Novice)
    I am a new follower to this whole discussion, so I cannot add anything except: pf100, THANK YOU.(And to your frequent collaborators.) I'm not a tech wiz, but I've learned a lot and have a lot more to learn. My Win7 computers have done everything I need from a computer without problems, but I had to get a new Win10 machine recently for another project. So for the past weeks of my confinement (pandemic related, I'm not in jail) I have been setting up the new computer alongside my wife's Win10 that I never paid any attention to. I think I've found a great security/firewall service, and setup-wise I just want to assure that I keep the basics and get rid of the rest of Win10's junk, including updates.

    So I've got the latest Sledgehammer running. I can report only one issue at this time: the WDU task reports 0x1 on both computers, which I think is failure - but maybe that's what it is supposed to be! Can you let me know if you get the time to write?

    In any case, so far MS has not penetrated the walls with any new updates - other than their planned and staged takeover. No new file downloads as far as I can tell - I check Sys32 every day. I also have a few services disabled and blocked apart from whatever Sledgehammer does. There are new services popping up and some changes I have found in the registry, but again nothing that looks or feels like a new update.

    So apart from the one question about the WDU task reporting 0x1, I'll stay up to date with this site. And even if I'm not a "geek" I'd be happy to be an Average Joe tester if that could help you in any way.

    In any case, don't forget the primary message in this post: THANK YOU!
     
  7. Homer712 (MDL Junior Member)
    And again this afternoon . . .

    The only thing I can think of is that last night I uninstalled O&O Shut Up 10. I reverted all settings back to "factory default" before uninstalling as I was going to try out SmartApp (by the same folks that make cleanmgr+) as it seemed to be more detailed/controlled/specific in what it did.
     


  8. Homer712 (MDL Junior Member)
    And just to make sure, I just checked the Windows Update Service and it is indeed disabled.
     


  9. pf100 (MDL Expert)
    The WDU task checks to see if Windows Defender (windefend) is running and if not it cancels the update and reports error level 1 (0x1). I assume you either have a third party antivirus or Defender is otherwise disabled. I'm glad the script is working well for you.
    Windows Defender can update without the Windows Update Service, but the script starts the service whether it's disabled or not just long enough to update it and stops it immediately after, which is the fastest and least bandwidth intensive way to do it. Looking at your info earlier, it's possible that defender updates after a reboot or logoff/logon and then again 5-10 minutes later if an update is available 5-10 minutes after the first check. That either shouldn't happen or happen only rarely. If it happens a lot, something is making defender do an update check besides what the script is doing, which checks every 6 hours.
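    The behaviour pf100 describes above (bail out with error level 1 if windefend isn't running, otherwise start wuauserv only for as long as the signature update takes, then stop it again) written out as an added PowerShell example. This is not the script's own WDU task, which is a .cmd file; the MpCmdRun.exe path is the default install location and is an assumption, and the "restore the original start type afterwards" handling is mine, not something the thread says Sledgehammer does.

```powershell
#Requires -RunAsAdministrator
# Added example, not the Sledgehammer WDU task itself: update Defender signatures
# only when the Defender service (windefend) is running, and start the Windows
# Update service (wuauserv) just long enough to do it. Returns 1 when Defender is
# not running, which Task Scheduler displays as "Last Run Result 0x1".

function Update-DefenderIfActive {
    param(
        # Assumption: default Defender install path.
        [string]$MpCmdRun = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
    )

    $defender = Get-Service -Name 'windefend' -ErrorAction SilentlyContinue
    if ($null -eq $defender -or $defender.Status -ne 'Running') {
        Write-Warning 'windefend is not running (third-party AV, or Defender disabled). Skipping.'
        return 1
    }
    if (-not (Test-Path -LiteralPath $MpCmdRun)) { throw "MpCmdRun.exe not found at $MpCmdRun" }

    $wu         = Get-Service -Name 'wuauserv'
    $wasRunning = ($wu.Status -eq 'Running')
    $startMode  = (Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'").StartMode

    try {
        if (-not $wasRunning) {
            # A Disabled service refuses to start; switch it to Manual for the duration.
            if ($startMode -eq 'Disabled') { Set-Service -Name 'wuauserv' -StartupType Manual }
            Start-Service -Name 'wuauserv'
        }
        & $MpCmdRun -SignatureUpdate | Out-Null
        $rc = $LASTEXITCODE
    }
    finally {
        if (-not $wasRunning) {
            # Stop it again immediately and put the original start type back.
            Stop-Service -Name 'wuauserv' -Force -ErrorAction SilentlyContinue
            if ($startMode -eq 'Disabled') { Set-Service -Name 'wuauserv' -StartupType Disabled }
        }
    }
    return $rc
}

exit (Update-DefenderIfActive)
```

    Run it from a scheduled task with a 6-hour repetition and the task's "Last Run Result" tells you which branch ran: 0x1 means "Defender not running, nothing done", not a failure of the update itself, which is exactly the 0x1 TimMan saw with a third-party AV installed. One caveat: wuauserv is trigger-started on Windows 10, so other components can bring it back between runs; this example only controls the service for the duration of the update, it does not pin it down the way the script's other tasks do.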
     
  10. TimMan (MDL Novice)
    Yes, I am using a third-party security package. Defender indicates that it is running in Services but seems to just be incorporated into the third-party setup. I might also note that, from my limited experience, a good third-party security package is worth the price and the extensive effort it takes to get the settings where you want them. Just find a company that is NOT closely attached to Microsoft and does NOT come pre-installed on a new computer.

    Thanks again pf100. I'll sleep better knowing that the "0x1" doesn't seem to be a problem. And I'll assume that that particular task does not need to be disabled unless you tell me otherwise. (I have not checked yet to see if it even can be disabled.)
     
  11. Homer712 (MDL Junior Member)
    Not sure what it was (and may never know, this is Windows10 of course!) but I had Macrium Reflect images that allowed me to go back to the 17th of the month and that seemed to do the trick. The only change between when I posted the issue and now is the fact that I had uninstalled O&O Shut Up. Left it installed and everything is back to normal. Strange!
     


  12. pf100 (MDL Expert)
    #1512 pf100, May 23, 2020
    Last edited: May 27, 2020
    (OP)
    I thought I'd post the progress of the next v2.7.1 sledgehammer update

    Things finished:
    1) run a task at boot and logon that checks update hijacker file permissions and if not locked as expected then lock them
    2) fixed ms-defcon code for Windows 10 20H1+

    Things not finished:
    1) I'm having problems with the LockFiles task creation from the script. This was the part of the update I thought would be easiest. Nope. :)

    Testing new script now. Looks good.
     
  13. pf100 (MDL Expert)
    The problem I was having with task creation was that the new LockFiles task wouldn't show up in task scheduler even though it was there until I rebooted and it then became visible. I solved it by deleting any existing same named task before creating it. Makes no sense to me but it works and is the way the script has handled the other tasks up until now and I forgot because it makes no sense, so whatever.

    Someone asked me in a private message how to handle driver updates with the script. I explained by just telling them how I handle a new windows install with the script, so I'll post my answer here because I'm not sure of what percentage of people who use the script are aware of this.

    "This is how I do drivers after a clean install. I do a clean install while not connected to the internet. Then I run sledgehammer to the first screen to stop forced updates, that way no updates can start until I allow it, then I connect to the internet. Then I check for updates with sledgehammer and while it's checking I install dot net 3.5. Then when sledgehammer is done checking for updates it'll show you all the available drivers and updates too. You can then hide the drivers that you don't want and allow the ones you do want. If you want all of them just install them all."

    I should add that any drivers I for sure never want installed whether the script is installed or not, I block with GPO. I've run some hardware that requires specific drivers so they have to be added to GPO.
    1. With gpedit.msc, Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions.
    2. Double-click on "Prevent installation of devices that match any of these device IDs".
    3. Add Hardware IDs of device driver installation(s) to block from device manager's, Details > Hardware Ids (pasting IDs to notepad to post in GPO works very well).
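    The three gpedit steps above, done from PowerShell as an added example (this is not part of Sledgehammer, and pf100's post only describes the gpedit route). It reads the same Hardware Ids that Device Manager shows under Details, and writes the registry values that the "Prevent installation of devices that match any of these device IDs" policy is backed by. The device-name pattern used to pick the device is a placeholder; the policy key path and value names are the real ones the policy uses.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of Sledgehammer: block a device's driver from installing
# by writing the registry values behind gpedit's Device Installation Restrictions
# policy. Assumption: the device is picked by a friendly-name wildcard ($NameLike).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$ListKey   = Join-Path $PolicyKey 'DenyDeviceIDs'

function Get-HardwareIdsByName {
    param([Parameter(Mandatory)][string]$NameLike)
    # Same data as Device Manager > Details > Hardware Ids, for every matching device.
    Get-PnpDevice | Where-Object FriendlyName -like $NameLike | ForEach-Object {
        (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
    } | Sort-Object -Unique
}

function Get-DeniedDeviceIds {
    if (-not (Test-Path $ListKey)) { return @() }
    # The policy stores the IDs as string values named 1, 2, 3, ... under DenyDeviceIDs.
    (Get-ItemProperty -Path $ListKey).PSObject.Properties |
        Where-Object Name -match '^\d+$' | Sort-Object { [int]$_.Name } | ForEach-Object Value
}

function Add-DeniedDeviceIds {
    param([Parameter(Mandatory)][string[]]$HardwareIds)
    New-Item -Path $ListKey -Force | Out-Null
    # Turn the policy on. Retroactive=0 leaves drivers that are already installed alone;
    # set it to 1 if the policy should also remove matching devices already present.
    New-ItemProperty -Path $PolicyKey -Name 'DenyDeviceIDs'            -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'DenyDeviceIDsRetroactive' -Value 0 -PropertyType DWord -Force | Out-Null

    $props    = (Get-ItemProperty -Path $ListKey).PSObject.Properties | Where-Object Name -match '^\d+$'
    $existing = @($props | ForEach-Object Value)
    $next     = 1 + (($props | ForEach-Object { [int]$_.Name } | Measure-Object -Maximum).Maximum)
    foreach ($id in $HardwareIds) {
        if ($existing -contains $id) { continue }     # already on the deny list
        New-ItemProperty -Path $ListKey -Name $next -Value $id -PropertyType String -Force | Out-Null
        $next++
    }
}

# Usage: deny every hardware ID of the device(s) matching the pattern, then show the list.
$ids = Get-HardwareIdsByName -NameLike '*Example Device*'   # placeholder pattern, change it
if ($ids) { Add-DeniedDeviceIds -HardwareIds $ids }
Get-DeniedDeviceIds
```

    Two things worth knowing when doing it this way rather than through gpedit: values written straight to the registry are enforced by PnP just the same, but gpedit's local policy editor keeps its own copy in registry.pol and will still show the setting as "Not configured", and a domain GPO that manages the same key will overwrite whatever was written here on the next refresh. The ID list is matched most-specific first, so adding the full set returned for a device (rather than just the first entry) is what makes the block stick across driver revisions.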
     
  14. pf100 (MDL Expert)
  15. pf100 (MDL Expert)
    If you're not connected to internet you can bypass the internet check and continue at the start of the script on the warning screen. Other than that I've seen nothing like what you describe.
     
  16. Carlos Detweiller (MDL Spinning Tortoise)
    #1517 Carlos Detweiller, May 28, 2020
    Last edited: May 28, 2020
    At first, 2.7.1 worked. The Defcon fetching seems to work, but is slow and the value is only shown a few seconds before scrolling off screen.

    Currently, I cannot get it to work, anymore, it only shows the following:
    sledge271error.jpg


    Edit: I don't understand. The Windows Update Service does not exist anymore, it has been completely uninstalled, not only disabled? How could that happen?
     
  17. pf100 (MDL Expert)
    I'll take a look. Thanks for the report.
    The script doesn't uninstall any services. Never has. Not sure why that would happen.
     
  18. freevista (MDL Junior Member)
    #1519 freevista, May 28, 2020
    Last edited: May 28, 2020
    This might have happened to me once too.. Try to start powershell.exe. If it crashes, your PowerShell installation might be (temporarily) broken. That causes all sorts of issues, like Event Viewer not working correctly. It may be related to updating .NET (did you patch .NET recently?). If the computer has not yet done the ngen.exe compilation (which happens every time after .NET is updated), PowerShell might not work (PowerShell depends on .NET). Try running maintenance from Security and Maintenance, or sfc /scannow.

    Edit: You could also try to start the '.NET Framework NGEN' tasks in Microsoft/Windows/.NET Framework, in Task Scheduler.
     
  19. freevista (MDL Junior Member)
    #1520 freevista, May 28, 2020
    Last edited: May 28, 2020
    Looks like v2.7.1 / LockFiles is working. But one suggestion: is running the task 'at log on of any user' a bit overkill? At system startup should be enough. And actually the same goes for Wub_task.

    Edit: But I don't quite understand what you are trying to do with this:

    Code:
    icacls %systemroot%\System32\SIHClient.exe >nul 2>&1
    if %errorlevel% neq 0 goto okay
    :okay
    :: Update hijacker file permissions are locked. No action needed.
    
    Re-running LockFiles.cmd re-locks the files like it should, it does not skip to 'okay'. Why do you have this check in the first place? And checking just one hijacker file like this may not be enough, if you thought about making the script faster with re-runs?
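    Freevista's point above is that the `icacls ... >nul` line only tests whether icacls can read the file at all, so the `goto okay` never decides anything, and that one file is not a representative sample. Here is what a real "check and reapply" routine (the one Carlos and pf100 discuss earlier in the thread) looks like, as an added PowerShell example that is not Sledgehammer's LockFiles.cmd: it inspects the ACL of every file in the list, re-locks only the ones where the expected Deny ACE is missing, and registers itself as a boot task by deleting any same-named task first, which is the fix pf100 found for the task not appearing until reboot. The file list and the exact ACE (Deny Execute for SYSTEM, applied with takeown + icacls) are assumptions for illustration; the thread does not say which files or which ACE the real script uses.

```powershell
#Requires -RunAsAdministrator
# Added example, not Sledgehammer's LockFiles.cmd. Check-and-relock routine for
# "update hijacker" files: only re-apply the lock where it is actually missing.
# Assumptions (not from the thread): the lock is a Deny-Execute ACE for SYSTEM
# (S-1-5-18), and the file list is illustrative.

$LockedSid     = 'S-1-5-18'                              # NT AUTHORITY\SYSTEM
$HijackerFiles = @(                                      # illustrative list
    "$env:SystemRoot\System32\SIHClient.exe"
)

function Test-FileLocked {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $true }       # nothing to lock
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $hasExec = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0
        if ($ace.AccessControlType -eq 'Deny' -and $sid -eq $LockedSid -and $hasExec) { return $true }
    }
    return $false
}

function Lock-File {
    param([Parameter(Mandatory)][string]$Path)
    # Administrators cannot change the DACL of a TrustedInstaller-owned file without
    # taking ownership first; /a assigns ownership to the Administrators group.
    takeown.exe /f $Path /a | Out-Null
    icacls.exe $Path /deny "*${LockedSid}:(X)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function Invoke-LockCheck {
    # Returns the files that had to be re-locked; an empty result is the ':okay' case.
    $relocked = @()
    foreach ($f in $HijackerFiles) {
        if (Test-FileLocked -Path $f) { continue }               # still locked, skip
        Lock-File -Path $f
        $relocked += $f
    }
    return $relocked
}

function Register-LockFilesTask {
    param([string]$ScriptPath = $PSCommandPath, [string]$TaskName = 'LockFiles')
    # Delete any same-named task first; otherwise the new one may not show up in
    # Task Scheduler until the next reboot (the quirk pf100 ran into).
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup      # startup only, per freevista's suggestion
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal | Out-Null
}

$fixed = Invoke-LockCheck
if ($fixed) { Write-Output "Re-locked: $($fixed -join ', ')" }
else        { Write-Output 'Update hijacker file permissions are locked. No action needed.' }
```

    Call `Register-LockFilesTask -ScriptPath 'C:\path\to\this.ps1'` once at install time; after that the script runs at every boot and does nothing unless an update has reset one of the ACLs. Checking the actual Deny ACE per file, rather than whether icacls exits 0, is what makes the skip decision meaningful, and it costs one Get-Acl per file, so there is no speed reason to sample a single file.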