Sledgehammer - Windows 10 Update Control

Discussion in 'MDL Projects and Applications' started by pf100, Nov 28, 2016.

  1. Whistler4

    Whistler4 MDL Member

    Thanks. I trust your knowledge of scripting and task creation, so I was obviously barking up the wrong tree thinking it was because wdu.cmd was missing. Hopefully, I didn't mislead anyone on the subject.

    That was good to recommend changes to help diagnose the task creation error.

    @Homer712 is probably on 2.7.3rc1a rather than rc1, which would be why the applicable lines are 405-406 instead of lines 403-404 in your source code for rc1. When I compiled the Windows Installer File, I made the commentary changes below to the Sledgehammer.cmd script and added the "a" in the version number so it would be distinguished from rc1, as explained in
    https://forums.mydigitallife.net/th...-10-update-control.72203/page-89#post-1650375
    (In the scripts, the line 3 title is "Sledgehammer 2.7.3" for rc1 and "Sledgehammer 2.7.3 rc1a" for rc1a.) These comment changes would have added two lines total, changing the line numbering of 403-404 to 405-406:

    6 Thanks to Carlos Detweiller @ MDL for the idea to hide the Windows Update page in the Windows Settings app while updates disabled and visible while updates enabled so that settings doesn't close.
    7 ;Thanks to RetiredGeek at askwoody.com forum for original ideas on how to get MS-DEFCON rating.

    24 ;Only use Windows Update Blocker v1.0 with this script, NOT v1.1!
    25 Only use Windows Update Blocker v1.1 with this script. DO NOT edit the included wub.ini. Don't run the script without included wub.ini.
    (On the point about missing a Windows Defender definition update once in a while, did you think I was right about "what's the worst that can happen" or about "underappreciating the severity of the issue"? Kind of opposites :).)
     
  2. Homer712

    Homer712 MDL Member

    Correct, I am running rc1a. So, downloaded rc1 via link in post #1697 and assume that you can just replace existing Sledgehammer.cmd with the new one.

    I also followed this post, any changes to be made here?

    image_112.png
     
  3. Whistler4

    Whistler4 MDL Member

    All of the WUB 1.1 aspects are already incorporated in the rc1a Windows installer file which I linked to in post #1773 and was mirrored on mega.nz in the next post. If you would like, you can copy the rc1 sledgehammer.cmd over the rc1a sledgehammer.cmd that's installed with the installer. But the resulting sledgehammer.cmd would erroneously warn not to use WUB 1.1 and also reference MS-Defcon which is no longer used. It would jibe with @rpo's last suggestion for line changes, but you already know where those go now. (You could also copy the uninstaller.cmd from post #1697 over the rc1a uninstaller, but you might end up looping your question about why the last line is rem'd.)
    _______________________________________________

    I think this thread has become a little convoluted since version 2.7.2 was released in May 2020 on page 1. For convenience, these are the changes since then:

    1. (Official) 2.7.3 rc1 sledgehammer.cmd script and wub v1.1 fix, all to be copied into and used with 2.7.2, with instructions, post #1697, Oct 2020, https://forums.mydigitallife.net/th...-10-update-control.72203/page-85#post-1626994

    2. (Unofficial) 2.7.3 rc1a compiled Windows Installer file, incorporating all of above, posts #1773-1775, Mar 2021,
    https://forums.mydigitallife.net/th...-10-update-control.72203/page-89#post-1650375
    (Minor script changes from rc1: Title change in line 3 to "Sledgehammer 2.7.3 rc1a", changes to "thanks" in lines 6 & 7 based on pf100 comments in post #1697, and correction on caution for version of WUB in lines 24 & 25)

    3. (Suggested change) Display error message for Schtasks by replacing two lines of the sledgehammer.cmd script (lines 397-398 for 2.7.2, lines 403-404 for 2.7.3 rc1, or lines 405-406 for 2.7.3 rc1a), post #1795, Apr 2021,
    https://forums.mydigitallife.net/th...-10-update-control.72203/page-90#post-1656445
     
  4. Homer712

    Homer712 MDL Member

    LockFiles Task.png

    @Whistler4 Thank you for the very easy to follow post above.

    In an attempt to get back on the same page with everyone else:
    1. Completely uninstalled Sledgehammer rc1a which I was running.
    2. Followed step #1 above and instructions in post #1697 to install rc1.
    3. Followed step #3 above and changed lines 403-404 of Sledgehammer.cmd.

    Everything running perfectly. Only remaining issue (believe this was brought up in the past) is the "Last Run Result" (0x1) for the "LockFiles" task (the Defender task is missing because I "rem" that out).
     
  5. thiih_

    thiih_ MDL Novice

    I use a simple PowerShell script to run Windows Update / Microsoft Store without running the whole Sledgehammer script every time I want to check for updates. Place it in the Sledgehammer folder and run it through a VBS script.
    I have two scripts (one for WU and another for Store) and they "talk" to each other: when one closes, it checks if the other one is running and, if so, doesn't stop the wuauserv service; otherwise, wuauserv is stopped.

    Code:
    #Requires -RunAsAdministrator
    $CurrentDir = Split-Path $PSCommandPath -Parent
    $wub = "$CurrentDir\bin\wub.exe"
    $wumgr = "$CurrentDir\bin\wumgr.exe"

    # Start the Windows Update service and open WuMgr
    Start-Process -FilePath $wub -ArgumentList "/e" -Wait
    Start-Process -FilePath $wumgr -ArgumentList "-update -online 7971f918-a847-4430-9279-4a52d1efe18d -provisioned"
    Start-Sleep 5

    # Loop while WuMgr is still running; re-enable the service if it is not running
    while (Get-Process -Name *wumgr*)
    {
        if ((Get-Service -Name wuauserv).Status -ne 'Running')
        {
            Start-Process -FilePath $wub -ArgumentList "/e" -Wait
        }
        Start-Sleep 5
    }

    # If the Store script's process is still running, leave the service alone
    if (Get-Process -Name *Winstore*)
    {
        exit
    }
    # Otherwise disable the service again
    Start-Process -FilePath $wub -ArgumentList "/d /p" -Wait
    exit

    For the Defender definition update "issue", maybe a simple change in wdu.cmd, double-checking updates, would solve this (the updates, not events or update failure/abort info), like:

    Instead of:
    Code:
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    wub.exe /d /p
    exit /b %errorlevel%
    
    change it to something like:

    Code:
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    timeout /t 5
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    wub.exe /d /p
    exit /b %errorlevel%
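
A variation on the wdu.cmd suggestion above, as an added example that is not part of the original post or of Sledgehammer: it retries `MpCmdRun.exe -SignatureUpdate` only when the exit code is non-zero, always re-applies `wub.exe /d /p`, and reports MpCmdRun's own exit code together with the definition age from `Get-MpComputerStatus`. The function name, the retry and age parameters, the `bin\wub.exe` location (taken from the PowerShell script in the post) and the initial `wub.exe /e` call are assumptions.

```powershell
# Added example: update Defender definitions, verify the result, and always
# re-apply the update block. The wub.exe switches (/e, /d /p) and the MpCmdRun
# call come from the posts; paths, retry count and age limit are assumptions.
# Save it as a script in the Sledgehammer folder so $PSScriptRoot resolves.
function Update-DefenderSignatures {
    param(
        [string]$Wub      = (Join-Path $PSScriptRoot 'bin\wub.exe'),
        [string]$MpCmdRun = (Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'),
        [int]$Attempts     = 2,   # assumption: one retry, as in the suggestion
        [int]$DelaySeconds = 5,
        [int]$MaxAgeDays   = 1    # assumption: acceptable definition age
    )
    $exit = -1
    try {
        # Assumption: the service must be enabled before the update is requested
        Start-Process -FilePath $Wub -ArgumentList '/e' -Wait
        for ($i = 1; $i -le $Attempts; $i++) {
            & $MpCmdRun -SignatureUpdate | Out-Null
            $exit = $LASTEXITCODE          # MpCmdRun's code, not wub.exe's
            if ($exit -eq 0) { break }     # success: no second run needed
            Start-Sleep -Seconds $DelaySeconds
        }
    }
    finally {
        # Runs even if the update step throws, so updates are never left enabled
        Start-Process -FilePath $Wub -ArgumentList '/d /p' -Wait
    }
    # Confirm what Defender itself reports instead of trusting the exit code alone
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        MpCmdRunExitCode = $exit
        SignatureVersion = $status.AntivirusSignatureVersion
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        AgeDays          = $status.AntivirusSignatureAge
        Current          = ($exit -eq 0 -and $status.AntivirusSignatureAge -le $MaxAgeDays)
    }
}

Update-DefenderSignatures
```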
    
     
  6. rpo

    rpo MDL Expert

    @pf100
    In my opinion there is some redundancy with LockFiles.cmd and code in sledgehammer.cmd; redundancy means problems when updating. I suggest a minor change for LockFiles.cmd:
    Code:
    ::Allow only LockFiles task to run this file::
    whoami /user /nh | find /i "S-1-5-18" || exit
    cd /d "%~dp0"
    wmic cpu get AddressWidth /value|find "32">nul&&set PROCESSOR_ARCHITECTURE=X86||set PROCESSOR_ARCHITECTURE=AMD64
    if %PROCESSOR_ARCHITECTURE%==AMD64 (
        set "nsudovar=NSudoCx64.exe"
    ) else (
        set "nsudovar=NSudoc.exe"
    )
    ::::::::::::::::::::::::::::
    ::Set list (s32list) of update hijacker files to be disabled, then disable everything in the list.
    set s32list=EOSNotify.exe WaaSMedic.exe WaasMedicSvc.dll WaaSMedicPS.dll WaaSAssessment.dll UsoClient.exe
    set s32list=%s32list% SIHClient.exe MusNotificationUx.exe MusNotification.exe osrss.dll
    set s32=%systemroot%\System32
    ::If "s32list" files were previously renamed by script, restore original file names
    for %%# in (%s32list%) do (
        ren "%s32%\%%#"-backup "%%#"
        if exist "%s32%\%%#" del "%s32%\%%#"-backup /f /q
    )
    ::Lock files
    for %%# in (%s32list%) do (
        takeown /f "%s32%\%%#" /a
        icacls "%s32%\%%#" /reset
        if exist "%s32%\%%#" %nsudovar% -ShowWindowMode:Hide -Wait -U:T -P:E "%systemroot%\System32\icacls.exe" "%s32%\%%#" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18 >nul 2>&1
    )
    ::If files in "s32list" aren't locked for whatever reason, rename them.
    for %%# in (%s32list%) do (
        ren "%s32%\%%#" "%%#"-backup
        if exist "%s32%\%%#"-backup del "%s32%\%%#" /f /q
    )
    exit /b 0
    The change consists in defining the nsudovar variable and executing icacls.exe with TrustedInstaller privilege when needed.
    And the corresponding code in sledgehammer.cmd is replaced by :
    start "LockFiles" /wait ".\bin\LockFiles.cmd"
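
A read-only check of what LockFiles.cmd leaves behind, as an added example that is not part of the original post or of Sledgehammer: for each file in `s32list` it reports whether the file was renamed to `-backup`, or whether inheritance is removed and none of the four SIDs from the `icacls` line still holds an allow entry. The function name, the output fields and the definition of "Locked" are this example's assumptions.

```powershell
# Added example: audit the state of the files handled by LockFiles.cmd.
# The file list and SIDs are copied from the post; nothing is modified.
function Get-LockFilesState {
    param([string]$System32 = (Join-Path $env:SystemRoot 'System32'))

    $files = 'EOSNotify.exe','WaaSMedic.exe','WaasMedicSvc.dll','WaaSMedicPS.dll',
             'WaaSAssessment.dll','UsoClient.exe','SIHClient.exe',
             'MusNotificationUx.exe','MusNotification.exe','osrss.dll'
    # SIDs removed by the icacls line: Administrators, Authenticated Users,
    # Users, SYSTEM
    $removed = 'S-1-5-32-544','S-1-5-11','S-1-5-32-545','S-1-5-18'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($name in $files) {
        $path = Join-Path $System32 $name
        $state = 'Missing'; $left = @(); $protected = $null

        if (Test-Path -LiteralPath "$path-backup") {
            $state = 'Renamed'            # fallback branch of LockFiles.cmd
        } elseif (Test-Path -LiteralPath $path) {
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
                $protected = $acl.AreAccessRulesProtected   # /inheritance:r
                $left = @($acl.GetAccessRules($true, $true, $sidType) |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and
                                   $removed -contains $_.IdentityReference.Value } |
                    ForEach-Object { $_.IdentityReference.Value } |
                    Select-Object -Unique)
                # Assumption: "Locked" = inheritance removed and no allow ACE
                # left for any of the four SIDs
                $state = if ($protected -and $left.Count -eq 0) { 'Locked' } else { 'Unlocked' }
            } catch {
                $state = 'AclUnreadable'  # caller cannot read the descriptor
            }
        }
        [pscustomobject]@{
            File               = $name
            State              = $state
            InheritanceRemoved = $protected
            RemainingSids      = $left -join ','
        }
    }
}

Get-LockFilesState | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session; a 32-bit session on 64-bit Windows is redirected to SysWOW64 and may report the files as Missing.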
     
  7. abbodi1406

    abbodi1406 MDL KB0000001

    Is the AskWoody Defcon system still used? Because there was a recent design change yesterday or so.
     
  8. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    In 2.7.2 - Yes.
    2.7.3 RC1 does not use it.

    A design change would therefore break 2.7.2.
     
  9. Whistler4

    Whistler4 MDL Member

    I agree that it doesn't need to be shown automatically. I can understand that it would be nice if Sledgehammer did it all. But the Sledgehammer interface already has a variety of menu selections, most that are highly useful. Adding another menu number for MS-DEFCON might add unnecessary complexity. And I'm not sure anyone wants an added screen to display in the sequence.

    Personally, I visit AskWoody toward the end of the month to check the MS-DEFCON level and patch advice, and that's what triggers my use of Sledgehammer anyway.
     
  10. rpo

    rpo MDL Expert

    False problem: @pf100 removed the programmatic interface to get the MS-DEFCON rating by replacing it with a browser call (cf. line 250 of the script), as explained in the first post:
    "Changed option to view current MS-DEFCON rating in script to opening MS-DEFCON rating in browser instead."
     
  11. Whistler4

    Whistler4 MDL Member

    Right. Both the internal MS-DEFCON display and the subsequent browser call replacement worked for me. I think the question raised was whether the automatic display of MS-DEFCON was significant value added and should be continued or not.
     
  12. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Personally, I don't need it, and actually hate programs or installers force-opening URLs without my consent.
     
  13. dkn849

    dkn849 MDL Novice

    Does the Microsoft Update Health Service (uhssvc.exe) need to be disabled, and does the script do that? If so then how?
     
  14. Whistler4

    Whistler4 MDL Member

    #1817 Whistler4, Jun 1, 2021
    Last edited: Jun 1, 2021
    Just checked, and Microsoft Update Health Service is running (Automatic Delayed Start Startup Type) in my 20H2 Windows version with Sledgehammer active and effective. So, no, I don't think it needs to be disabled.

    Edit: Correction - I answered too soon. It shouldn't be running or installed. See post below.
     
  15. abbodi1406

    abbodi1406 MDL KB0000001

    uhssvc = KB4023057

    it should not be installed in the first place
     
  16. Whistler4

    Whistler4 MDL Member

    Duh, yeah! Thanks! I've been blocking/hiding that update forever. I must have forgotten and let it slip through.
     
  17. Whistler4

    Whistler4 MDL Member

    Deleted.