Sledgehammer - Windows 10 Update Control

Discussion in 'MDL Projects and Applications' started by pf100, Nov 28, 2016.

  1. thiih_

    thiih_ MDL Novice

    Mar 22, 2008
    27
    19
    0
    #1881 thiih_, Oct 22, 2021
    Last edited: Oct 22, 2021
    I didn't change anything except updating WUB to 1.1 and blocking wuauserv/usosvc services...
    my "wub.ini"
    [Service_List]
    ; 2=Auto
    ; 3=Manual
    ; 4=Disabled
    ; dosvc=2,4
    ; bits=2,4
    wuauserv=2,4
    usosvc=2,4

    and change WDU.bat to check the updates TWICE:
    ::Enable Windows Update service and update Defender, then disable Update Service::
    wub.exe /e
    timeout /t 10
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    timeout /t 10
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate

    wub.exe /d /p
    exit /b %errorlevel%


    And I have these changes running since... always, and it works! I follow this thread almost every week to see if something changes on the script or the windows update method. I'm a programmer, following the roots of my dad (Cobol, Visual Basic, Visual Studio, Flutter and mainly Delphi), so I'm very familiar with scripts vbs/cmd/bat files and how these stuff works, in fact I love writing scripts, everthing that I can automated I have a script to it

    So I know that everything is as it should be with your script and the changes I made.
    But as I said, its not a big deal for me, I just got curious why it did updated. It has been always working, I was holding up the last update because of the Print Bug, but it got updated.
     
  2. pf100

    pf100 Duct Tape Coder

    Oct 22, 2010
    2,059
    3,346
    90
    Don't get me wrong, I encourage people to modify and/or fork the script, and I'm not trying to give you a hard time about it.
    It concerns me that you doubled (or more) the amount of time that wuauserv is enabled for Defender updates.
    It's safer to prevent unwanted forced updates by updating defender through MMPC with wuauserv disabled, but doing so makes the defender updates much larger in size which can have a huge impact for people with limited or expensive bandwidth. By enabling wuauserv just long enough to update defender the way I have done it with the WDU task and the accompanying "Sledgehammer\bin\WDU.cmd" file, it addresses this concern. The problem is if you leave wuauserv on too long, forced updates can occur, and I suspect that what you have done here might be why it happened, but I don't know that for sure because I don't know what length of time leaving it on will allow a forced update to happen. I have meticulously gone over every aspect of this script to ensure its proper operation, but never took into account defender updates twice in a row every time a defender update is scheduled. For example, if you run the signature update command twice can it cause a condition where the second instance can be in a prolonged wait state because the first command is still doing something even though it shouldn't be? I don't know because I never tested that scenario.
    What problem were you having that made you run the command twice?
     
  3. thiih_

    thiih_ MDL Novice

    Mar 22, 2008
    27
    19
    0
  4. pf100

    pf100 Duct Tape Coder

    Oct 22, 2010
    2,059
    3,346
    90
    @thiih_
    Automatic driver updates can override the script and automatically install after a clean OS install the first time a manual update check is run with the script, but every time after that you can select which drivers to install with the script as far as I know. Although I know how and I could, I have decided to not override this behavior. It's better to have the drivers offered than to block them and the drivers to not be offered.

    Homer712 had lots of issues I never heard of from anyone else, but I think changes I made to the script to accommodate his issues helped the script.

    MMPC defender updates are usually behind Microsoft defender updates for some reason, and besides the much larger download size is another reason I don't like using it and are reasons I don't use MMPC defender updates with the script.

    Yes, I'm feeling a hell of a lot better, thanks for asking.
     
  5. thiih_

    thiih_ MDL Novice

    Mar 22, 2008
    27
    19
    0
    Indeed, you are right. Thats why I apply some Reg changes / GPO policies on my side to block drivers update in addition to Sledgehammer script, but depending on the system config, I left the drivers being updated by windows update (usually on older systems).

    I just tested a Hyper-V machine with a clean install and original Sledgehammer installed. Then I run the commands:

    -SignatureUpdate -mmpc command gives me that there is no update
    -SignatureUpdate command gives me an update

    But the info obtain from "Get-MpComputerStatus" before and after are identical. So maybe its just a "flag" misleading to an update that has been already done.

    I'll keep testing with mmpc.
     
  6. pf100

    pf100 Duct Tape Coder

    Oct 22, 2010
    2,059
    3,346
    90
    It just depends. MMPC can be behind ms update, but ms update is never behind MMPC.
     
  7. pf100

    pf100 Duct Tape Coder

    Oct 22, 2010
    2,059
    3,346
    90
    I just had an issue today with Windows 11 where a recent .net update wouldn't install with script 2.7.3 so I uninstalled the script, rebooted, and the update still wouldn't install through settings.
    So then I ran script 2.7.2 and the update still wouldn't install so I uninstalled the script, rebooted and it still wouldn't install through settings.
    Then I rebooted again while the script was uninstalled and the update installed through settings.
    It may have installed with the script that time, but right now I have no way of knowing if that's so or not.

    So there is a problem but I don't know if it's an actual windows 11 problem or not.
    I do know the script isn't breaking anything, so we'll see how things go in the near future.
    If the script needs to be modified I will fix it.
    Right now I don't know if anything needs to be done though.
    If anyone has any information or thoughts about Windows 11 and updates I'd like to hear it.
    I'll be asking around to try to find out more, so if you're having a problem installing an update just uninstall the script, reboot, and try again through settings.
    Like I said, I don't know if uninstalling the script is necessary because I don't have enough information yet.
     
  8. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    4,932
    5,110
    150
    #1888 Carlos Detweiller, Oct 30, 2021
    Last edited: Oct 30, 2021
    For new dev builds, the script needs a slight overhaul. That's due to the removal of the wmic tool.

    Sledgehammer 2.7.3-rc1 has wmic calls in three locations:

    1. Line 105, for getting the OS build number.
    Code:
    for /f "tokens=2 delims==" %%a in ('wmic path Win32_OperatingSystem get BuildNumber /value') do (
      set /a WinBuild=%%a
    )
    
    2. Line 115, for querying the CPU architecture.
    Code:
    wmic cpu get AddressWidth /value|find "32">nul&&set PROCESSOR_ARCHITECTURE=X86||set PROCESSOR_ARCHITECTURE=AMD64
    3. Line 416, for getting the status of the wuauserv service.
    Code:
    WMIC Service WHERE "Name = 'Wuauserv'" GET Started | find /i "%status%" >nul && exit /b || (timeout /t 1 >nul & goto :wuauserv1)

    Replacements possible with VBScript or PS.

    o_O


    Edit: @abbodi1406 @mxman2k

    Maybe you have proposals for alternatives so the script can be repaired? Sorry for bothering you.
     
  9. Nocturnal_ru

    Nocturnal_ru MDL Novice

    Aug 14, 2017
    10
    0
    0
    Can I use Sledgehammer to update between major version of win, for example 2004->21H1? Or i should to uninstall the script and then update system?
     
  10. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    4,932
    5,110
    150
    Sledgehammer's purpose is to block updates and upgrades. Best to uninstall it, do the upgrade, then reinstall it.
     
  11. abbodi1406

    abbodi1406 MDL KB0000001

    Feb 19, 2011
    12,945
    62,779
    340
    Code:
    for /f "tokens=1 delims==" %%a in ('powershell -nop -c "([WMI]'Win32_OperatingSystem=@').BuildNumber"') do (
      set /a WinBuild=%%a
    )
    :: or
    for /f "tokens=6 delims=[]. " %%a in ('ver') do set WinBuild=%%a
    
    Code:
    for /f "skip=2 tokens=2*" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "PROCESSOR_ARCHITECTURE"') do set PROCESSOR_ARCHITECTURE=%%b
    
    Code:
    powershell -nop -c "([WMI]'Win32_Service=\"wuauserv\"').Started" | find /i "%status%" >nul && exit /b || (timeout /t 1 >nul & goto :wuauserv1)
    :: or
    sc query wuauserv | find /i "STOPPED" >nul && exit /b || (timeout /t 1 >nul & goto :wuauserv1)
    
     
  12. pf100

    pf100 Duct Tape Coder

    Oct 22, 2010
    2,059
    3,346
    90
    No bother at all and thanks for the post. I just found out about WMIC being dropped a few days ago.
    Recovery.cmd uses WMIC too but replacing it won't be a big deal.
    One way to get OS Architecture is: echo "%PROCESSOR_ARCHITECTURE%"
    One way to get OS build number is parsing the "ver" command
    One way to get wuauserv status is parsing: sc query wuauserv
    This is just off the top of my head and there are probably better/easier ways to do it with powershell or vbscript like you said.
    Everyone can expect a script update in the coming weeks. I've been farting around and not updating it for quite a while now, but since WMIC is being dropped I don't have a choice now.
    Also, @abbodi1406 replied while I was typing this :)

    Thank you @abbodi1406. Very helpful.
     
  13. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    4,932
    5,110
    150
    Thank you all. I'll try to repair (read: patch) the script until the update arrives.
     
  14. pf100

    pf100 Duct Tape Coder

    Oct 22, 2010
    2,059
    3,346
    90
  15. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    4,932
    5,110
    150
  16. rpo

    rpo MDL Expert

    Jan 3, 2010
    1,258
    1,168
    60
    The script tests the Processor_Architecture, but we need the OS_Architecture : a 32 bits Windows 10 the OS can may run on a 64 bits CPU
    for /f %%i in ('powershell "(Get-CimInStance CIM_OperatingSystem).OSArchitecture"') do set OS_ARCHITECTURE= %%i
     
  17. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    4,932
    5,110
    150
    Thanks, have replaced that statement in both variants. Do you know if the result returned is localized in any form (have only English OS to test)?
     
  18. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Dec 21, 2012
    4,932
    5,110
    150
    For some reason I don't get, the Powershell variant works for me but the other one doesn't.
     
  19. abbodi1406

    abbodi1406 MDL KB0000001

    Feb 19, 2011
    12,945
    62,779
    340
    Which doesn't?

    personally, i simply check the variables
    Code:
    if /i "%PROCESSOR_ARCHITECTURE%"=="amd64" set "xBit=x64"
    if /i "%PROCESSOR_ARCHITECTURE%"=="arm64" set "xBit=arm64"
    if /i "%PROCESSOR_ARCHITECTURE%"=="x86" if "%PROCESSOR_ARCHITEW6432%"=="" set "xBit=x86"
    if /i "%PROCESSOR_ARCHITEW6432%"=="amd64" set "xBit=x64"
    if /i "%PROCESSOR_ARCHITEW6432%"=="arm64" set "xBit=arm64"
     
  20. rpo

    rpo MDL Expert

    Jan 3, 2010
    1,258
    1,168
    60
    #1900 rpo, Nov 2, 2021
    Last edited: Nov 2, 2021
    On my French W11 system, the result is 64; this is language independant.

    Code:
    wmic cpu get AddressWidth /value|find "32">nul&&set PROCESSOR_ARCHITECTURE=X86||set PROCESSOR_ARCHITECTURE=AMD64
    if %PROCESSOR_ARCHITECTURE%==AMD64 (
     set "nsudovar=.\bin\NSudoCx64.exe"
     set "wumt=.\bin\wumt_x64.exe"
    ) else (
     set "nsudovar=.\bin\NSudoc.exe"
     set "wumt=.\bin\wumt_x86.exe"
    )

    replaced by :

    Code:
    for /f %%i in ('powershell "(Get-CimInStance CIM_OperatingSystem).OSArchitecture"') do (
    if %%i == 64 (
     set "nsudovar=.\bin\NSudoCx64.exe"
     set "wumt=.\bin\wumt_x64.exe"
    ) else (
     set "nsudovar=.\bin\NSudoc.exe"
     set "wumt=.\bin\wumt_x86.exe"
    ))