Sledgehammer - Windows 10 Update Control

Discussion in 'MDL Projects and Applications' started by pf100, Nov 28, 2016.

  1. Whistler4

    Whistler4 MDL Member

    Jul 30, 2015
    173
    154
    10
    Thanks. I trust your knowledge of scripting and task creation, so I was obviously barking up the wrong tree thinking it was because wdu.cmd was missing. Hopefully, I didn't mislead anyone on the subject.

    That was good to recommend changes to help diagnose the task creation error.

    @Homer712 is probably on 2.7.3rc1a rather than rc1, which would be why the applicable lines are 405-406 instead of lines 403-404 in your source code for rc1. When I compiled the Windows Installer File, I made the commentary changes below to the Sledgehammer.cmd script and added the "a" in the version number so it would be distinguished from rc1, as explained in
    https://forums.mydigitallife.net/th...-10-update-control.72203/page-89#post-1650375
    (In the scripts, the line 3 title is "Sledgehammer 2.7.3" for rc1 and "Sledgehammer 2.7.3 rc1a" for rc1a. These comment changes would have added two lines total, changing the line numbering of 403-404 to 405-406:

    6 Thanks to Carlos Detweiller @ MDL for the idea to hide the Windows Update page in the Windows Settings app while updates disabled and visible while updates enabled so that settings doesn't close.
    7 ;Thanks to RetiredGeek at askwoody.com forum for original ideas on how to get MS-DEFCON rating.

    24 ;Only use Windows Update Blocker v1.0 with this script, NOT v1.1!
    25 Only use Windows Update Blocker v1.1 with this script. DO NOT edit the included wub.ini. Don't run the script without included wub.ini.
    (On the point about missing a Windows Defender definition update once in a while, did you think I was right about "what's the worst that can happen" or about "underappreciating the severity of the issue"? Kind of opposites :).)
     
  2. Homer712

    Homer712 MDL Member

    Oct 22, 2018
    115
    37
    10
    Correct, I am running rc1a. So, downloaded rc1 via link in post #1697 and assume that you can just replace existing Sledgehammer.cmd with the new one.

    I also followed this post, any changes to be made here?

    image_112.png
     
  3. Whistler4

    Whistler4 MDL Member

    Jul 30, 2015
    173
    154
    10
    All of the WUB 1.1 aspects are already incorporated in the rc1a Windows installer file which I linked to in post #1773 and was mirrored on mega.nz in the next post. If you would like, you can copy the rc1 sledgehammer.cmd over the rc1a sledgehammer.cmd that's installed with the installer. But the resulting sledgehammer.cmd would erroneously warn not to use WUB 1.1 and also reference MS-Defcon which is no longer used. It would jive with @rpo last suggestion for line changes, but you already know where those go now. (You could also copy the uninstaller.cmd from post #1697 over the rc1a uninstaller, but you might end up looping your question about why the last line is rem'd.)
    _______________________________________________

    I think this thread has become a little convoluted since version 2.7.2 was released in May 2020 on page 1. For convenience, these are the changes since then:

    1. (Official) 2.7.3 rc1 sledgehammer.cmd script and wub v1.1 fix, all to be copied into and used with 2.7.2, with instructions, post #1697, Oct 2020, https://forums.mydigitallife.net/th...-10-update-control.72203/page-85#post-1626994

    2. (Unofficial) 2.7.3 rc1a compiled Windows Installer file, incorporating all of above, posts #1773-1775, Mar 2021,
    https://forums.mydigitallife.net/th...-10-update-control.72203/page-89#post-1650375
    (Minor script changes from rc1: Title change in line 3 to "Sledgehammer 2.7.3 rc1a", changes to "thanks" in lines 6 & 7 based on pf100 comments in post #1697, and correction on caution for version of WUB in lines 24 & 25)

    3. (Suggested change) Display error message for Schtasks by replacing two lines of the sledgehammer,cmd script (lines 397-398 for 2.7.2, lines 403-404 for 2.7.3 rc1, or lines 405-406 for 2.7.3 rc1a), post #1795, Apr 2021,
    https://forums.mydigitallife.net/th...-10-update-control.72203/page-90#post-1656445
     
  4. Homer712

    Homer712 MDL Member

    Oct 22, 2018
    115
    37
    10
    LockFiles Task.png @Whistler4 Thank you for the very easy to follow post above.

    In an attempt to get back on the same page with everyone else:
    1. Completely uninstalled Sledgehammer rc1a which I was running.
    2. Followed step #1 above and instructions in post #1697 to install rc1.
    3. Followed step #3 above and changed lines 403-404 of Sledgehammer.cmd.

    Everything running perfectly. Only remaining issue (believe this was brought up in the past) is the "Last Run Result" (0x1) for the "LockFiles" task (the Defender task is missing because I "rem" that out).
     
  5. thiih_

    thiih_ MDL Novice

    Mar 22, 2008
    13
    4
    0
    I use a simple powershell script to run Windows Update / Microsoft Store without running all sledgehammer script everytime I want to check updates.. place it in sledgehammer folder and run it through vbs script.
    I have two scripts (one for WU and another for Store) and they "talk" to each other, when one closes it checks if the other one is running and don't stop wuauserv service, otherwise, wuauserv is stopped.

    #Requires -RunAsAdministrator
    $CurrentDir = Split-Path $PSCommandPath -Parent
    $WUB = "$CurrentDir\bin\wub.exe"
    $wumgr = "$CurrentDir\bin\wumgr.exe"

    # Starts Windows Update Service and Open WUMGR
    Start-Process -FilePath $wub -ArgumentList "/e" -WAIT
    Start-Process -FilePath $wumgr -ArgumentList "-update -online 7971f918-a847-4430-9279-4a52d1efe18d -provisioned"
    sleep 5

    # Loop for verify if process are still running
    while (Get-Process -Name *wumgr*)
    {
    if ((Get-Service -Name wuauserv).Status -ne 'Running')
    {
    Start-Process -FilePath $wub -ArgumentList "/e" -WAIT
    }
    Sleep 5
    }

    if (Get-Process -Name *Winstore*)
    {
    EXIT
    }
    Start-Process -FilePath $wub -ArgumentList "/d /p" -WAIT
    EXIT

    for the defender definition update "issue", maybe a simple change in wdu.cmd double checking updates would solve this (the updates, not events or update failure/abort info), like:

    instead of:
    Code:
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    wub.exe /d /p
    exit /b %errorlevel%
    
    change it to something like:

    Code:
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    timeout /t 5
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    wub.exe /d /p
    exit /b %errorlevel%
    
     
  6. rpo

    rpo MDL Expert

    Jan 3, 2010
    1,157
    973
    60
    @pf100
    In my opinion there is some redundancy whith LockFiles.cmd and code in sledgemammer.cmd; redundancy means problem when updating. I suggest a minor change for LockFiles.cmd :
    Code:
    ::Allow only LockFiles task to run this file::
    whoami /user /nh | find /i "S-1-5-18" || exit
    cd /d "%~dp0"
    wmic cpu get AddressWidth /value|find "32">nul&&set PROCESSOR_ARCHITECTURE=X86||set PROCESSOR_ARCHITECTURE=AMD64
    if %PROCESSOR_ARCHITECTURE%==AMD64 (
     set "nsudovar=NSudoCx64.exe"
    ) else (
     set "nsudovar=NSudoc.exe"
    )
    ::::::::::::::::::::::::::::
    ::Set list (s32list) of update hijacker files to be disabled, then disable everything in the list.
    set s32list=EOSNotify.exe WaaSMedic.exe WaasMedicSvc.dll WaaSMedicPS.dll WaaSAssessment.dll UsoClient.exe
    set s32list=%s32list% SIHClient.exe MusNotificationUx.exe MusNotification.exe osrss.dll
    set s32=%systemroot%\System32
    ::If "s32list" files were previously renamed by script, restore original file names
    for %%# in (%s32list%) do (
    ren "%s32%\%%#"-backup "%%#"
    if exist "%s32%\%%#" del "%s32%\%%#"-backup /f /q
    )
    ::Lock files
    for %%# in (%s32list%) do (
    takeown /f "%s32%\%%#" /a
    icacls "%s32%\%%#" /reset
    if exist "%s32%\%%#" %nsudovar% -ShowWindowMode:Hide -Wait -U:T -P:E "%systemroot%\System32\icacls.exe" "%s32%\%%#" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18 >nul 2>&1
    )
    ::If files in "s32list" aren't locked for whatever reason, rename them.
    for %%# in (%s32list%) do (
    ren "%s32%\%%#" "%%#"-backup
    if exist "%s32%\%%#"-backup del "%s32%\%%#" /f /q
    )
    exit /b 0
    The change consists in defining the nsudovar variable and executing iacls.exe with trustedintaller priviledge when needed.
    And the corresponding code in sledgehammer.cmd is replaced by :
    start "LockFiles" /wait ".\bin\LockFiles.cmd"