hehehe comment was aimed at freeman, specifically BUT the other 2 could also use a good "throttling"
don't forget "windows is the greatest thing since sliced bread" - Drew1903, but he got smart and just lets us be, now. think he learned when he felt the big MS boot up his ass
Post by Bayer A.User on Oct 17, 2015 15:56:36 GMT -6
Noel, as soon as i get the hang of this forum will post some log info about Windows update agent & orchestrator. The Appx Deployment Service can be disabled, have you tried this yet?
Post by stefansart on Oct 17, 2015 23:08:49 GMT -6
I strangled Windows Update on my Windows 7 Ultimate x64 when they started with their GWX-bullshit. Afterwards i have only installed those updates i could trust (not many). Today Windows Update is completely blocked.
I have secured it as i have with XP and XP x64. Browsers always run in a sandbox, HOSTS-file has become larger and larger and my firewall works hard too.
No way i install their low quality updates any more.
Post by Bayer A.User on Oct 18, 2015 7:28:31 GMT -6
Here is what i've done with 10Enterprise, Gpedit to prevent .exe's from running. My policies have been respected in spite of WU re installing the apps i have uninstalled. I have 3 accnts, Admin, standard1 & standard2
Admin: ALL apps uninstalled via powershell / cortana&cloudexpHost ManuallyDeleted
Standard1: all oem installed apps functional / no cortana, searchUI or onedrive/sync
Standard2: all oem apps UNINSTALLED / no cortana, searchUI or onedrive/sync
Being able to compare the two in real time comes in handy.
Windows Firewall- Blocked all outbound except for MY rules, only iex11, Firefox, AVG & MBAM. Wuaserv is running, but cannot access the internet. As result no updates or surprise system changes.
Speaking of running a Win 7 system nicely muzzled...
I have detected a Win 7 svchost service that logs in with my username (that's as detailed as the Sphinx Firewall Control reporting gets). It tried repeatedly to access these two addresses:
192.116.242.20:80 (www.startssl.com in Israel)
93.184.215.200:80 (Edgecast Networks in Wichita Kansas)
I'm still trying to nail down which service it is, and why it's running. Anyone have any idea? I'm not at all keen on having my system regularly contacting some place overseas. My security log overran, so I couldn't figure out what service it was, so I've increased the file size. Next time it tries I should be able to tell... The investigation continues...
-Noel
Author of the "How to Configure the 'To Work' Options" series of Windows books. Not feeling enough love to do one for Windows 10.
What's not clear yet is what part of the Windows 7 system wants to contact startssl.com. It could be a certificate validation for something that ran, e.g., the Subversion server software's own update check.
It ran another 24 hours and I never saw another check, so it's not a daily scheduled item. I hate these long cycle operations, because they're hard to catch in the act.
-Noel
Post by BarcodeZero on Nov 19, 2015 16:24:07 GMT -6
Ok, so i wholeheartedly agree on needing a way forward and i just can't see one that involves windows, at least not natively
It's become far too naughty to be trusted, it needs to be contained in something, so it can be better monitored and prevented from leaking information all over the place, it needs... a diaper, or a box, a sandbox all its own, to keep it contained, make supervision easier and prevent it from running off and screwing up anything important.
A Virtual Machine. yes i know the performance implications but i can't think of anything better, and i welcome suggestions
the idea is to transition completely to Linux, do absolutely everything i can natively in Linux, use WINE, and code-weavers crossover products to perhaps run some windows things, but also have windows there in a VM for whatever i can't do on Linux or through wine/crossover.
another interesting thing i thought about is that, within the security of a VM i could run windows xp for that matter, and it would be ok because there would be an underlying secure os underneath it
i think a virtual machine is the way to go, i mean, do we even NEED windows? i mean it's NICE i guess, but do we really need it, and can those needs be met within linux under some kind of VM/wine/crossover etc..
I run Windows 10 in a VMware virtual machine, hosted by Windows 8.1 on a big workstation class system.
At the moment I give Win 10 8 virtual cores and 8 GB, but I've run it with 16 cores and 16 GB. In either configuration my Windows VMs give enviable performance. My chief engineer runs a high-end iMac, and he does Windows development in a Win 7 virtual machine. Both my workstation and VMs run off SSD arrays, and my chief engineer's iMac runs off internal flash storage (pretty much the equivalent of an SSD array in performance).
The moral is: If you get big enough hardware running Windows in a VM can be quite viable.
That being said, you can contain a system that runs on hardware fairly well. The privacy implications of my Windows 8.1 system, which my workstation runs natively, aren't really less than those of Win 10 - quite the opposite, really. Win 8.1 was considered a cloud-integrated system by Microsoft, and it hasn't had NEARLY as much scrutiny as Win 10 in that regard - hence it's actually MORE chatty than Win 10 after the latter has been closed down by several methods (e.g., O&O ShutUp10 and other tweaks).
But I keep all of them in check at this point with the "deny-by-default" firewall setup. As I may have mentioned above, I have the Sphinx Windows 10 Firewall Control product (which also works on 8 and 7). I've been working as a beta tester with the author, and he's getting it well whipped into shape. I run the Network/Cloud edition, which allows me to control everything centrally.
There's no question a "deny-by-default" firewall setup takes some initial effort to set up properly, then a somewhat smaller effort to run, but once done it's both effective and not terribly intrusive.
If Windows 10 actually delivered anything I really wanted, I'd actually consider running it on hardware in much the same way I'm running it now in the VM - the operating system is blocked from contacting anyone outside my LAN unless I reconfigure it temporarily to be allowed to contact the mothership for Windows Updates.
But...
That only covers part of the problem.
The possibly more important issue regarding long-term usage is this: Every 4 months Microsoft is releasing a new in-place upgrade. That wouldn't maybe be so bad, but they've already shown that they're going to disrupt the hell out of everyone's system by reverting settings, reinstalling components that had previously been removed, and in general costing upwards of a week of lost productivity.
I don't know about you, but I'm not so rich that I can spare a week's lost productivity out of every 16. I rely on my computer every day. Even having figured out how to only allow Windows to update itself when *I* say it's time isn't enough. It's still a lost week!
So, much as you've said, for me Windows 10 remains a VM denizen. I still lose the productivity, because I choose to learn everything I can about the upgrades, but it's not an OMG thing - I can do it at my pace, all the while continuing to run my well-tuned, very stable 8.1 system (presently up on its current boot for 19 days 10 hours without so much as a glitch).
How long will a current system with an older Windows release running on it be good? Maybe 4 or 5 years. Will there be a viable Windows replacement by then?
-Noel
Post by Bayer A.User on Nov 22, 2015 11:02:24 GMT -6
Riddle me this.....How long can a user get away with rearming an unactivated win10 install? Say for example the re-arm count is 1000. If that user has fully functional WU, including all the cumulative KB's regarding "security" as well as defender defin updates. What's the downside? Minor loss of customization. Win store non-functional. Inplace upgrades not appearing? We shall see. 999 rearms divided by 365 days = 2.73 years if i rearm every day. win10 calculator sucks, by the way.
Edit for Clarity- What if i can go 30 days before Rearm? that's 29,970 days, or 82 years. Is this the "forever" Lifetime of the Device? Hahaha, on a windows trial 2,3,4 rearms is par for the course.
Last Edit: Nov 23, 2015 11:48:59 GMT -6 by Bayer A.User
Post by Locutus deBorg on Dec 1, 2015 15:56:34 GMT -6
my update strategy , is simple
not doing them anymore for win 7 and up since MS cannot be trusted
on fresh install of win 7 RTM or SP1 set updates to option 3, > do not download or install anything (notify only)
next step is to begin checking the release dates, anything with a 2015 date, check what it's for with the more info links if they aren't all that descriptive google the KB number, if it's anything back-ported from 10tanic, toss it out immediately (right click : hide this garbage)
unless yer a dot nut dev. you can also skip all the extraneous version updates of the dot nut garbage,
the above can also be applied to winders ape / ape dot one
(°ö°) (*also crapdates from the last quarter of 2014 need to be checked)
Last Edit: Dec 1, 2015 16:05:18 GMT -6 by Locutus deBorg
I find the lack of configuration options disturbing !
I felt a great disturbance in the force.. as if millions of win 7 systems suddenly cried out in terror.
Yep, I've been off updates completely on Win 7 and 8.1 for over a month now... Solid uptime on both systems, since I've had no other reasons to reboot - no glitches in sight.
I guess we should thank Microsoft for finally becoming so stupid/evil that choosing to no longer partner with them with regard to Windows Updates makes sense. They've made our systems more stable!
In other news... I refined my Win 10 update strategy a bit today, given Microsoft's latest (thanks for the tip that another cumulative update was pending, Mike).
With my deny-by-default firewall setup, I've created a whitelist of rules that are applied to the System that allow both the Windows Update Hiding Tool (which can be used to check for pending updates), and the actual Windows Update to complete. Meanwhile the rest of the system is blocked from communicating online, and the system absolutely does NOT update itself, no way no how - until I request it.
My Win 10 manually initiated update sequence goes like this:
1. Start Windows Firewall service (I keep it on Manual, but it's required to complete an update).
2. Change Windows Update service from Disabled to Manual. Normally it cannot run.
3. Start Windows Update service.
4. Set Windows Update service back to Disabled (so it won't start on next bootup).
5. Initiate an update check via Microsoft's "WUShowHide" tool (KB3073930).
6. If an update worth having shows up, initiate the Windows Update via the Settings panel.
7. Upon successful installation and prompt for reboot, do so.
Are they really going to make me shut off the Windows Update service and install an alternate AV?
For instance, through the “get Windows 10” application, users can disable OS updates, preventing their computers from automatically downloading newer versions of Microsoft’s operating system. As Microsoft works to update its Windows Update center however, users are reporting that their machines have been automatically switched to allow OS updates. Mayfield explains this in an interview he did this past Friday. Over Thanksgiving weekend I started getting reports that the Windows Update ‘AllowOSUpgrade’ setting was getting flipped back on on a number of peoples’ PCs, and it keeps re-setting itself at least once a day if they switch it back off.
Post by Bayer A.User on Feb 13, 2016 9:19:44 GMT -6
Interesting, this past crash tuesday(feb 9) 11 important security kb's were found for my win7sp1. KB 313 4814-cumulative security for IEX11 involved an additional KB 314 1092 hotfix that was not on the WU list i ok'd for install. KB 314 1092- solution for "some enterprise mode sites don't load" in iex11. MSFT has made it clear that if you aren't on iex11 or edge you will be without support in the very near future. Evidently, enterprise mode for iex11 means compatibility for websites/apps written for older iex(7,8) to render in 11. Other interesting tidbits- "data gathering""crowd source" compatibility testing. etc.
I reviewed my list of allowed security addresses last night, and found a rule that I had recently opened up just a bit too wide, since I had seen some legitimate certificate verification traffic on several addresses, and my rule list is limited in size (next version of the firewall has been promised to lift the restriction).
Specifically, I had opened up 23.14.84.* to be allowed by the system services that need to do such things, and lo and behold guess what? Microsoft was sneaking in checks of ctldl.windowsupdate.com on 23.14.84.162 and 23.14.84.163 - even though I have the Windows Update service disabled.
Lessons learned:
a) Don't open ranges of addresses up when single addresses will do.
b) Manage my security zone actively to ensure the addresses listed are actually needed and don't fall out of date.
c) Get firewall software that doesn't have such a tight limitation on whitelist size.
In the longer term, given the way modern networking works where many server names can resolve to the same address (e.g., because of CDNs) I think firewalls are going to have to get more involved with not only traffic management but also name resolution.
-Noel
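An added example, not part of the original post: one way to run the allowlist review that lessons (a) and (b) above describe, comparing each rule with the traffic that actually matched it. The log layout (destination address plus resolved host name), the rule names, the host ocsp.example.test and the addresses 23.14.84.10 and 192.0.2.7 are constructed assumptions; the wildcard rule and the two ctldl.windowsupdate.com addresses are the ones quoted in the post.

```python
import ipaddress

def rule_to_network(pattern):
    """Convert a rule such as '23.14.84.*' or a single address to a network."""
    octets = pattern.split(".")
    fixed = [o for o in octets if o != "*"]
    # Only trailing wildcards correspond to a CIDR prefix.
    if len(octets) != 4 or octets[:len(fixed)] != fixed:
        raise ValueError(f"unsupported rule pattern: {pattern!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")

def audit(rules, log, approved_names):
    """Compare each allow rule with the traffic that actually matched it."""
    report = {}
    for name, pattern in rules:
        net = rule_to_network(pattern)
        hits = [(ip, host) for ip, host in log
                if ipaddress.ip_address(ip) in net]
        used = {ip for ip, _ in hits}
        tainted = {ip for ip, host in hits if host not in approved_names}
        findings = []
        if not hits:
            findings.append("stale: no traffic matched this rule")
        elif net.num_addresses > len(used):
            findings.append(
                f"too wide: {net.num_addresses} allowed, {len(used)} used")
        unexpected = sorted({h for _, h in hits if h not in approved_names})
        if unexpected:
            findings.append("unapproved names: " + ", ".join(unexpected))
        report[name] = {
            # Single addresses that only ever served approved names.
            "keep": sorted(used - tainted, key=ipaddress.ip_address),
            "unexpected": unexpected,
            "findings": findings,
        }
    return report

# Constructed sample data. The wildcard rule and the two ctldl addresses are
# from the post; the other rule, host name and log layout are assumptions.
RULES = [("cert-checks", "23.14.84.*"), ("old-rule", "192.0.2.7")]
LOG = [
    ("23.14.84.10", "ocsp.example.test"),
    ("23.14.84.162", "ctldl.windowsupdate.com"),
    ("23.14.84.163", "ctldl.windowsupdate.com"),
    ("23.14.84.10", "ocsp.example.test"),
]
APPROVED = {"ocsp.example.test"}

if __name__ == "__main__":
    for rule, result in audit(RULES, LOG, APPROVED).items():
        print(rule, result)
```

The "keep" list is the set of single-address rules that could replace the wildcard; an address that served both an approved and an unapproved name is left out, which is the CDN ambiguity the post raises.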
After yesterday's list maintenance, I have discovered a troubling activity with Win 8.1, and I'm not quite sure what to do about it yet...
I've found that the server name ctldl.windowsupdate.com is contacted regularly by the cryptography service (CryptSvc) to check for certificate revocation.
Based on my observations, CryptSvc is hosted by the same svchost process that is involved in doing a Windows Update.
This gives rise to a fundamental conflict, since it's impossible to tell whether the server is being contacted for a certificate revocation check or a secret, unsanctioned update. We already know there are ways they can do that; the (unanswerable) question is, is all possibility of a secret, no user approval required update blocked by just not running the Windows Update service?
On the one hand, I absolutely will block Microsoft's attempts to update my older OS - in every way possible.
On the other hand, I would like my web-integrated security subsystem to continue to work properly.
The addresses used for this activity include these:
23.14.84.24 23.14.84.48 23.14.84.57
23.14.84.162 23.14.84.163 23.14.84.177
23.14.85.27 23.14.85.48
I'm not sure whether to continue to block these addresses. A definitive answer doesn't seem easy to come by.
-Noel
Windows 10 stayed quiet for days, then this morning when I logged-in Explorer tried to contact cdf-anon.xboxlive.com at address 23.202.16.64 on port 80 (http:).
I have everything that has to do with xbox disabled at this point.
I really hate it when some new attempt at privacy intrusion that's clearly been there all along (I haven't updated it in days) rears its ugly head.
-Noel
<Rick> Good video. It's almost hard to believe that at one time Windows 98 was the resource hog, but even then, it still ran circles around what Windows 10 can do on today's modern hardware and look a heck of a lot better doing it.
May 25, 2021 22:55:12 GMT -6
<Rick> As stated elsewhere, So much for the launch of Windows 11, "The Great Crash." Myself, I had a hard time getting into the site listed above, when I did get in, the video was partly done and then it crashed. There have been many other reports of crashing.
Jun 24, 2021 9:52:33 GMT -6
<Rick> I see Microsoft has been very quick to pull down reports of site crashing regarding the Launch of Windows 11 on the Microsoft Insiders forum.
Jun 24, 2021 9:57:31 GMT -6
<Rick> The rebroadcast is working okay.
Jun 24, 2021 11:00:25 GMT -6
<Rick> With reports of people being able to install the dev-edition of Windows 11 on machines not meeting spec, I thought I would give it a what-the-heck try. Lucky me, I'm caught in the downloading, doesn't meet spec, clearing, re-downloading loop on my machine!
Jul 2, 2021 7:08:46 GMT -6
<Rick> I've recently purchased a license for ArcaOS from www.arcanoae.com/ to play with. First impressions, it's still OS/2, but it now has a Linux twist to it.
Jul 2, 2021 7:32:53 GMT -6
<dozrguy> laptop shit out and am stuck buying a new one. os win11 as fucked as win10 was?
Oct 2, 2021 12:56:10 GMT -6
<Rick> Let's see ..., my impression of Windows 11 is that it is a spruced up version of Windows 10 requiring a 64-bit processor plus a piece of security hardware that is less than 4 years old in order for it to run.
Oct 4, 2021 18:25:49 GMT -6
<Rick> On the plus side, Microsoft is supposed to be supporting Windows 10 for some time to come for those of us still using systems with I7 or older processors.
Oct 4, 2021 18:44:35 GMT -6
<dozrguy> i tried installing win10 on the 'shitout' pc this morning using media creation. EPIC FAIL! went into an endless bootloop. win7 reinstalled just fine
Oct 21, 2021 11:23:38 GMT -6
<dozrguy> STILL so much bullshit and so little time for the kiddie ideas from the hill. My new laptop (MSI GE 11-UH461) would be an awesome "10" machine but because of Winblows I can only give it a "2"......wasted $3500
Oct 27, 2021 9:36:47 GMT -6
<Rick> Hello. Just checking in.
Mar 17, 2022 10:46:54 GMT -6
<isidroco> Each new w10 update adds >100000 useless files to \Windows\Servicing\LCU\Package_for_RollupFix... folders. Even in a SSD takes time to delete that stuff. In each version they manage to worsen stuff.
Mar 27, 2022 16:14:51 GMT -6
<dozerguy> still traffic here?
Oct 9, 2022 17:32:44 GMT -6
<Rick> No, there does not seem to be very much traffic these days. I still check in from time to time.
Oct 9, 2022 20:08:58 GMT -6