Showing posts with label windows update. Show all posts

Monday, August 24, 2015

HOWTO Remove KB2876229 - the sneaky Skype 7 Windows "Update"

A ton of Skype users were unhappy with the update from Skype 6.x to 7.x. Most of what I have seen is complaining about a few minor changes to the user interface. In the usual baby/bathwater situation that follows this sort of thing, "Power Users" began circulating guides on how to modify hosts files to prevent TCP connections to skype and msn domains. You know, because making sure you have the correct proportion of whitespace is more important than stupid trivia like patching critical security vulnerabilities.

To address this madness, Microsoft decided to get clever. In addition to sending the Skype 7 update through the Skype application and related packages like Lync, they would push it through as a Windows update - KB2876229. The Skype application updates are pushed through *.skype.com and *.msn.com, while Windows updates come from domains like *.microsoft.com, *.windowsupdate.com and *.windows.com. The looks over substance crowd hadn't yet reached the levels of derp required to break Windows Update and the Metro app interface in order to preserve their precious outdated GUI. The vast majority of users process Windows Updates automatically; even those who process the updates manually don't look too closely on non-commercial machines.

Adding insult to irritation, Microsoft decided to push this update to machines that did not have Skype installed. The technical term for this sort of distribution is "dick move".

It was through this trickery that Skype found its way onto one of my machines. Unlike those worried about the update, I don't want and never have wanted anything to do with Skype - and not because of how it looks, either. Finding Skype on one of my computers was like finding a lump on one of my testicles: I wished very much that it had never been there, but lacking that I just wanted it to disappear.

I thought the easiest course of action was to just delete the update. Skype announced its poisonous toxic infection almost immediately, and I could see the update easily within "Control Panel\All Control Panel Items\Windows Update\View update history". The typical command for managing Windows Update is "wusa", so I gave the command to burn Skype with righteous fire:

> wusa /uninstall /kb:2876229

Instead of making quick work of Skype, I was presented with an error message that threw me for a loop:

[Image: Joshua Wieder - KB2876229]

I tried to remove KB2876229 through the GUI by navigating to "Control Panel\All Control Panel Items\Windows Update\Installed Updates", but KB2876229 did not appear anywhere in Installed Updates. Just to make sure I wasn't going nuts, I confirmed that this whole thing wasn't some sort of fever dream by double checking the details of the KB in "View update history".

[Image: Joshua Wieder Skype Update Error]

Now convinced that Windows was the crazy one, it took me a moment to determine why my operating system was fighting me on this.

As I mentioned earlier, Skype had not been installed on my system prior to KB2876229 - the KB was not an update to an existing application, it was an installation of a new program. It dawned on me that I should just uninstall it normally, through the Control Panel's "Add or Remove Programs".

Sure enough, that worked ... to an extent. Uninstalling leaves behind a ton of registry keys and files. A few of these remaining bits of garbage that are particularly troubling are:

     - Firewall rule exclusions for Skype
     - Skype remains in the Startup Approved list enabling an application to run immediately at boot
     - A bunch of parameters are left behind for the SkypeUpdate service
     - Skype remains the default IM provider
     - Calls to two DLLs remain: SkypeIEPlugin.dll & SkypePNR.dll

There is a whole lot of other needless trash that is left behind as well, but registry junk is a fact of life with Windows so a lot of stuff I won't stress too much - like Internet Explorer extension capability, URL associations, spammy entries in browser bookmarks, an application-specific certificate, etc.

Windows behavior continues to get more and more underhanded. Now is a great time for personal users to jump off the Microsoft mothership.

Monday, March 23, 2015

Windows 8.1 Error 80200056 after installing update KB2267602

Recently I noticed some strange behavior while launching an update through Windows 8.1's 'metro' menu. I launched the Computer Settings app to run the update, which was a definitions update for Windows Defender (KB2267602).

The Update settings were configured to prompt prior to download & installation. This was the first task launched after awaking the computer from a Sleep state. The computer is not a virtual machine.

With Windows 8 and 8.1 the first places to look for Update failures are in the files C:\Windows\WindowsUpdate.log and C:\Windows\SoftwareDistribution\ReportingEvents.log - for those still unfamiliar with navigating the newer Windowses, you can reach a Run prompt to open these files using copy + paste by hitting the Windows key and "R" key at the same time.

The relevant entry of the ReportingEvents.log file shows me what Error 80200056 means in the most basic sense - the update failed to download; as opposed to failing to install.

{C7C93C12-61E3-4998-9EBD-B448C62540A4} 2015-03-23 19:39:34:484-0400 1 
161 [AGENT_DOWNLOAD_FAILED] 101 {FD8A47F9-2E75-4763-AE52-777D471C87C8} 201 
80200056 AutomaticUpdatesWuApp Failure Content Download 
Error: Download failed.




Right away my first instinct is a networking problem related to the sleep state. Going back to the Run prompt, I type `eventvwr` to bring up the Event Viewer log entries. I expand the Windows Log icon in the left navigation pane and select the System folder. A few seconds after the failed content download I see this: 


The browser has forced an election on network \Device\NetBT_Tcpip_{D03DC1BF-134A-4B75-B8F2-CD9086B301E1} because a master browser was stopped.

This would seem to confirm that there was in fact a networking issue; one relating to the always-disruptive Computer Browser service. The computer this issue occurred on does in fact reside on a network with a number of other Windows computers. The computer was also part of a homegroup. It was unlikely that any of the Windows computers had modified default LMHOSTS / NetBIOS over TCP/IP settings beyond configuration of the Homegroup.

This is a very long-winded blog post for what ended up being a very brainless solution. I launched the update service through the Control Panel in the Desktop user interface as opposed to the Metro user interface and the update completed successfully. Because my logs show that a Browser election was forced and successfully completed seconds after the download failure, it is likely a retry within Metro would have worked as well.

Still, there is a reason why I described the issue in this much detail, and that is because there seems to be a great deal of misunderstanding about this error and what is needed to resolve it.

First and foremost, Error 80200056 only indicates a download failure for Windows updates - not a permissions failure, and it is not what I would describe as a warning sign of malware infection. It's possible I suppose that a compromised host could display this error but it is highly unlikely to be the only problem with a host that has been compromised through the updates system - there are a number of other places, like BITS and certificate trust issues, that are likely to occur as well. Quite a few of the articles I have seen on this issue on the internet are hysterical in their screams of "It's a virus!" when this issue comes up - even in paid technical support pages.

I have also seen incorrect explanations of KB2267602, where "technicians" describe this update as a one-time package. In at least one webpage I saw, a technician told a user that since KB2267602 was a package that "should have" been installed 9 months ago, that likely the last 9 months of updates were corrupted, instead of a single Virus definition. This claim is outrageous. Systems using Windows Defender should see regular downloads of KB2267602 in their Update History. Individual definition files can be told apart by their definition signature. The distinction is obvious:

[Image: Windows Defender Definition Update Logs]

If this issue is caught quickly, C:\Windows\WindowsUpdate.log should display a very detailed transaction history for Windows Update. If reviewing an older Update failure, older copies of this transaction log can be saved in subdirectories of C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ - the exact subdirectory can be found by consulting Event Viewer. The relevant log will be reported as Event ID 1001 from source Windows Error Reporting and will look like this:

Fault bucket , type 0
Event Name: WindowsUpdateFailure2
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.9.9600.17489
P2: 80200056
P3: FD8A47F9-2E75-4763-AE52-777D471C87C8
P4: Download
P5: 101
P6: Unmanaged {9482F4B4-E343-43B6-B170-9A65BC822C77}
P7: 0
P8:
P9:
P10:

Attached files:
C:\Windows\WindowsUpdate.log
C:\Windows\SoftwareDistribution\ReportingEvents.log

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.9.9600.17489_60820ed604236fc9285c92356031cd8da6466_00000000_cab_164a6aea

Analysis symbol:
Rechecking for solution: 0
Report Id: deccbe22-d1b5-11e4-8269-c7e81028dc3b
Report Status: 4


The "These files may be available here:" directory will include a copy of the relevant WindowsUpdate.log. For this error, the transaction report should provide quite a bit of detail about what was going on with the Update Service through the time of the failure:

19:39:34:015  892 191c AU #############
2015-03-23 19:39:34:015  892 191c AU ## START ##  AU: Download updates
2015-03-23 19:39:34:015  892 191c AU #########
2015-03-23 19:39:34:015  892 191c AU   # Approved updates = 1
2015-03-23 19:39:34:015  892 191c AU WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
2015-03-23 19:39:34:015  892 191c IdleTmr Incremented idle timer priority operation counter to 2
2015-03-23 19:39:34:031  892 191c AU AU initiated download, updateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}.201, callId = {D9E27348-F835-47F4-8C48-7F6F84A58614}
2015-03-23 19:39:34:031  892 18b0 DnldMgr ***********  DnldMgr: Begin Downloading Updates [CallerId = AutomaticUpdatesWuApp]  ***********
2015-03-23 19:39:34:031  892 18b0 DnldMgr   * Call ID = {D9E27348-F835-47F4-8C48-7F6F84A58614}
2015-03-23 19:39:34:031  892 18b0 DnldMgr   * Priority = 3, NetworkCostPolicy = 6, Interactive = 1, Owner is system = 1, Explicit proxy = 0, Proxy session id = 1, ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}
2015-03-23 19:39:34:031  892 18b0 DnldMgr   * Updates to download = 1
2015-03-23 19:39:34:031  892 18b0 Agent   *   Title = Definition Update for Windows Defender - KB2267602 (Definition 1.193.3478.0)
2015-03-23 19:39:34:031  892 18b0 Agent   *   UpdateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}.201
2015-03-23 19:39:34:031  892 18b0 Agent   *     Bundles 3 updates:
2015-03-23 19:39:34:031  892 18b0 Agent   *       {78E75BF6-5B6F-4FCB-AD33-9A5618E50403}.200
2015-03-23 19:39:34:031  892 18b0 Agent   *       {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200
2015-03-23 19:39:34:031  892 18b0 Agent   *       {9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1}.201
2015-03-23 19:39:34:031  892 18b0 DnldMgr No locked revisions found for update FD8A47F9-2E75-4763-AE52-777D471C87C8; locking the user-specified revision.
2015-03-23 19:39:34:031  892 18b0 DnldMgr No locked revisions found for update 9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1; locking the user-specified revision.
2015-03-23 19:39:34:046  892 191c AU   # Pending download calls = 1
2015-03-23 19:39:34:046  892 191c AU <<## SUBMITTED ## AU: Download updates
2015-03-23 19:39:34:062  892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob) started; operation # 760; does use network; is not at background priority; will NOT stop idle timer
2015-03-23 19:39:34:062  892 18b0 IdleTmr Incremented idle timer priority operation counter to 3
2015-03-23 19:39:34:093  892 18b0 DnldMgr ***********  DnldMgr: New download job [UpdateId = {9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1}.201]  ***********
2015-03-23 19:39:34:109  892 18b0 DnldMgr   * BITS job initialized, JobId = {8F94CFCA-5055-4CD6-B71E-13F540B0BC5F}
2015-03-23 19:39:34:171  892 18b0 DnldMgr   * Downloading from http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/defu/2015/03/am_delta_48e485cc83da49bce931292934e1d75788e0629a.exe to C:\Windows\SoftwareDistribution\Download\a72da7d4ae868d3ed29b457ac7415777\48e485cc83da49bce931292934e1d75788e0629a (full file).
2015-03-23 19:39:34:203  892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob) started; operation # 762; does use network; is not at background priority; will NOT stop idle timer
2015-03-23 19:39:34:203  892 18b0 IdleTmr Incremented idle timer priority operation counter to 4
2015-03-23 19:39:34:234  892 18b0 DnldMgr *********
2015-03-23 19:39:34:234  892 18b0 DnldMgr **  END  **  DnldMgr: Begin Downloading Updates [CallerId = AutomaticUpdatesWuApp]
2015-03-23 19:39:34:234  892 18b0 DnldMgr *************
2015-03-23 19:39:34:312  892 db4 DnldMgr WARNING: BITS job {F79CE1D4-F6F3-4D14-A8AB-704A88E200AC} failed, updateId = {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200, hr = 0x80200056, BG_ERROR_CONTEXT = 2
2015-03-23 19:39:34:312  892 db4 DnldMgr   Progress failure bytes total = 295552, bytes transferred = 0
2015-03-23 19:39:34:312  892 db4 DnldMgr   Failed job file: URL = http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/defu/2015/03/mpsigstub_5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee.exe, local path = C:\Windows\SoftwareDistribution\Download\f160e023de7cfeeda671dc169ba732fb\5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee
2015-03-23 19:39:34:312  892 db4 DnldMgr CUpdateDownloadJob::GetNetworkCostSwitch() Neither unrestricted or restricted network cost used, so using current cost
2015-03-23 19:39:34:375  892 db4 IdleTmr WU operation (DownloadManagerDownloadJob, operation # 760) stopped; does use network; is not at background priority; will NOT start idle timer (task did not previously stop it
2015-03-23 19:39:34:375  892 db4 IdleTmr Decremented idle timer priority operation counter to 3
2015-03-23 19:39:34:375  892 db4 DnldMgr Error 0x80200056 occurred while downloading update; notifying dependent calls.
2015-03-23 19:39:34:375  892 12ec AU >>##  RESUMED  ## AU: Download update [UpdateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}]
2015-03-23 19:39:34:375  892 12ec AU   # WARNING: Download failed, error = 0x80200056
2015-03-23 19:39:34:437  892 18b0 DnldMgr *********
2015-03-23 19:39:34:437  892 18b0 DnldMgr **  END  **  DnldMgr: Download Call Complete [Call 5 for caller AutomaticUpdatesWuApp has completed; signaling completion.]
2015-03-23 19:39:34:437  892 18b0 DnldMgr *************
2015-03-23 19:39:34:468  892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob, operation # 762) stopped; does use network; is not at background priority; will NOT start idle timer (task did not previously stop it
2015-03-23 19:39:34:468  892 18b0 IdleTmr Decremented idle timer priority operation counter to 2
2015-03-23 19:39:34:468  892 12ec AU Download call completed, hr = 0x80200056
2015-03-23 19:39:34:468  892 12ec AU #########
2015-03-23 19:39:34:468  892 12ec AU ##  END  ##  AU: Download updates
2015-03-23 19:39:34:468  892 12ec AU #############
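
The triage described above can be scripted. The Python below is an added example, not part of the original post and not Microsoft tooling: it parses WindowsUpdate.log lines in the format shown, ties the failed BITS job back to the title of the bundle it belongs to, and checks the failed download's host against the Windows Update domains named earlier on this page. The function and field names are assumptions; the sample lines are a subset copied from the excerpt.

```python
import re
from urllib.parse import urlsplit

# Domains this page names as Windows Update sources (first post above).
EXPECTED = ("microsoft.com", "windowsupdate.com", "windows.com")

# Sample input: a subset of lines copied from the WindowsUpdate.log excerpt above.
SAMPLE_LOG = r"""
2015-03-23 19:39:34:031  892 18b0 Agent   *   Title = Definition Update for Windows Defender - KB2267602 (Definition 1.193.3478.0)
2015-03-23 19:39:34:031  892 18b0 Agent   *   UpdateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}.201
2015-03-23 19:39:34:031  892 18b0 Agent   *     Bundles 3 updates:
2015-03-23 19:39:34:031  892 18b0 Agent   *       {78E75BF6-5B6F-4FCB-AD33-9A5618E50403}.200
2015-03-23 19:39:34:031  892 18b0 Agent   *       {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200
2015-03-23 19:39:34:031  892 18b0 Agent   *       {9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1}.201
2015-03-23 19:39:34:312  892 db4 DnldMgr WARNING: BITS job {F79CE1D4-F6F3-4D14-A8AB-704A88E200AC} failed, updateId = {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200, hr = 0x80200056, BG_ERROR_CONTEXT = 2
2015-03-23 19:39:34:312  892 db4 DnldMgr   Progress failure bytes total = 295552, bytes transferred = 0
2015-03-23 19:39:34:312  892 db4 DnldMgr   Failed job file: URL = http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/defu/2015/03/mpsigstub_5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee.exe, local path = C:\Windows\SoftwareDistribution\Download\f160e023de7cfeeda671dc169ba732fb\5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee
"""

GUID = r"\{([0-9A-Fa-f-]{36})\}"
# Layout: [date] time pid tid(hex) component message; the date may be cut off.
LINE = re.compile(r"^(?:\d{4}-\d{2}-\d{2}\s+)?(?P<time>[\d:]{12})\s+(?P<pid>\d+)\s+"
                  r"(?P<tid>[0-9a-f]+)\s+(?P<comp>\S+)\s+(?P<msg>.*)$")
TITLE = re.compile(r"^\*\s+Title = (.+)$")
UPDATE_ID = re.compile(r"^\*\s+UpdateId = " + GUID)
BUNDLED = re.compile(r"^\*\s+" + GUID + r"\.\d+$")
FAILED = re.compile(r"BITS job " + GUID + r" failed, updateId = " + GUID +
                    r"\.\d+, hr = (0x[0-9A-Fa-f]{8}), BG_ERROR_CONTEXT = (\d+)")
PROGRESS = re.compile(r"bytes total = (\d+), bytes transferred = (\d+)")
FAILED_FILE = re.compile(r"Failed job file: URL = (\S+), local path = (.+)$")


def triage(log_text):
    """Return one record per failed BITS job, with bundle title and host check."""
    titles, failures, open_by_tid = {}, [], {}
    title = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        tid, msg = m["tid"], m["msg"]
        rec = open_by_tid.get(tid)
        if (t := TITLE.match(msg)):
            title = t[1]
        elif (u := UPDATE_ID.match(msg)):
            titles[u[1].upper()] = title
        elif (b := BUNDLED.match(msg)):
            titles.setdefault(b[1].upper(), title)  # child inherits the bundle's title
        elif (f := FAILED.search(msg)):
            rec = {"time": m["time"], "job": f[1], "update": f[2].upper(),
                   "hr": f[3].lower(), "context": int(f[4])}
            failures.append(rec)
            open_by_tid[tid] = rec  # detail lines follow on the same thread
        elif rec and (p := PROGRESS.search(msg)):
            rec["total"], rec["transferred"] = int(p[1]), int(p[2])
        elif rec and (ff := FAILED_FILE.search(msg)):
            rec["url"], rec["path"] = ff[1], ff[2]
    for rec in failures:
        host = urlsplit(rec.get("url", "")).hostname or ""
        rec["title"] = titles.get(rec["update"], "unknown")
        rec["expected_host"] = any(host == d or host.endswith("." + d) for d in EXPECTED)
        rec["no_payload"] = rec.get("transferred") == 0
    return failures


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["time"], r["hr"], r["title"], r.get("url"), r["expected_host"], r["no_payload"])
```

A record whose `expected_host` is false is the case worth escalating; the failure in this post has an expected host and zero bytes transferred.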

That's pretty much it. Since this has brought the always-irritating Computer Browser service to my immediate attention, I think I will write a more detailed post about it as well as some common issues here soon - as online documentation is few and far between on it.

Thursday, November 13, 2014

I Ran Windows 7 Updates and My Desktop Went Completely Black! What Do I Do?!

So last night (11-12-14) or this morning you ran a package of `Important` Windows Cumulative Security Updates. Gee those do sound important! There were about 11 or so - specifically, the ones most likely to give you trouble are these:

Update for Windows 7 for x64-based Systems (KB3008627)
Security Update for Windows 7 for x64-based Systems (KB3003743)
Security Update for Windows 7 for x64-based Systems (KB2993958)
Security Update for Windows 7 for x64-based Systems (KB2991963)
Security Update for Windows 7 for x64-based Systems (KB3005607)
Security Update for Windows 7 for x64-based Systems (KB2992611)
Security Update for Windows 7 for x64-based Systems (KB3010788)
Security Update for Windows 7 for x64-based Systems (KB3002885)
Security Update for Windows 7 for x64-based Systems (KB3006226)


After diligently downloading and installing these updates, you allow your computer to reboot. The boot process goes smoothly, you log into your computer, only to find a stark black screen greeting you. Your entire intricately-designed array of desktop icons is gone. Your Desktop Image is replaced by an inky black nothing. Worse even than the blackness of space - even space has stars.

The frank obituary to your beautiful desktop's demise is the following: 

C:\windows\system32\config\systemprofile\Desktop refers to a location that is unavailable. It could be on a hard drive on this computer or on a network. Check to make sure the disk is properly inserted.

And it's not just the icons or the desktop. Trying to search for an item from the Start menu will produce an error along these lines (where searchstring is whatever you typed in the taskbar):

"Windows cannot find `search:query=searchstring` Make sure you typed the name correctly, and then try again." 

Microsoft's Mouse and Keyboard Center failed to load completely; despite this, my laptop's USB mouse and embedded touch pad functioned properly.

Even non-Windows related applications will have problems. When I encountered this error, I had to launch Google Chrome as an Administrator in order to get it to run. I also use an incredibly handy text editor in Windows called Notepad++. Notepad++ is an ingeniously formatted gem of a Windows text editor; it can open text files that are sized well into the tens of megabytes without crashing, it color encodes scripted text for programming; it's awesome. Use it; it's free. Anyway, launching Notepad++ also produced errors; the application was unable to find a variety of XML configuration files.

We've established that this problem sucks. So how do we fix it?

First, you may have problems opening a Command Prompt due to the `search:query` error mentioned above. If you have Powershell installed, use that - it will save time and headaches and can function exactly as a normal command prompt would. If installed you can typically find Powershell in the Start Menu by navigating to All Programs -> Accessories -> Windows Powershell

If you do not have Powershell installed you will have to suffer through by opening a window from `My Computer` by navigating through the Start Menu: click Start and then Computer. It is likely that each time you open a window in this manner a new error message will be produced telling you that your systemprofile\Desktop is missing. You can ignore the error, clicking OK to remove it and proceed.

From here on we will be using an example in which the username we are using is Josh. On your computer you will of course replace Josh with your own username.

Either way you use (PowerShell or window), navigate to the User directory, which for the purposes of this tutorial will be C:\Users\Josh

We are here to check first and foremost that your actual Desktop folder and files still exist. Click or `cd` to the Desktop folder and take a quick look to ensure that everything still exists. If it does, proceed with the tutorial. If your Desktop folder is missing, then stop here - the issue I am describing should not have caused the entire deletion of your Desktop. You will need to restore these files from backup before continuing to troubleshoot; I hope you kept a backup!

Anyway, for those of us who found that C:\Users\Josh\Desktop exists and is populated with files, we will then navigate to the root of the problem: C:\windows\system32\config\systemprofile\

In this directory you are likely to find three items: Two folders, one named "AppData" and the other named "Contacts". The third item will likely be ntuser.dat - although it may be missing if your Windows folder settings are configured to "hide protected operating system files".

FYI don't be a wimp - BE A POWER USER and go to Organize -> Folder and Search Options -> View tab. From there UNclick "Hide protected operating system files" and select the radio button next to "Show hidden files, folders, and drives". Once you have done this you will notice that a new universe of system files is now available for your perusal. I offer less experienced users this tidbit with the explicit promise that they will refrain from two things:

        1. DO NOT Delete Files Because You "Don't Know What They Do".
             Only Delete Files That You Fully Understand.
        
        2. When You Encounter an Esoteric File DO NOT Search the Name of That File in Google. 
             All of the Websites in Google Will Tell you it is a Virus and Compel You to Purchase Their
             Magical Program to Remove Said Virus. To Understand System Files, You Must RTFM and
             Other Actual Books. Like From a Library Books.

Anyway back to the fix. Within the directory C:\windows\system32\config\systemprofile\  you must create a new directory (by right-clicking and selecting New -> Folder or issuing the command mkdir in PowerShell) and name it "Desktop".

Immediately after creating this directory you may notice that some icons have appeared on the black-as-death desktop. However, these won't include your normal icons, and your desktop image as well as any items you have stuck to the taskbar will not have reappeared. That's okay - right now you are relying on a broken copy of the "Public" Desktop, and the appearance of icons is a signal that the Public profile is getting better.

To finally get all of your profile settings back, along with the precious icons and desktop doo-dads, simply go to Start, hover your mouse over the arrow next to "shut down" (not shut down, just the arrow) and click "Log off" from the resulting contextual menu.

You will be prompted to Log back into your account. Do so, and you will find that everything in your desktop is back to normal. Enjoy!
