WhiskeyRiver 1 Posted May 21, 2018

9 minutes ago, WhiskeyRiver said:
> I was just playing with that new group policy. Enabling Computer Configuration -> Administrative Templates -> System -> Credentials Delegation allows you to select mitigated, vulnerable or just disable the policy. This is an RDP session to a server that allows the user to look up all property records at every county court house in Oklahoma. I think I'm going to call them and see what they say because manipulating the three options doesn't help.

Problem was on the server end. They had to change their group policy to force updated clients. They're running Win2008 R2 if that helps anyone.

WhiskeyRiver 1 Posted May 21, 2018

BAM! Caught one in the wild. Exact scenario we've been talking about. All three updates. Producing the Virus Scanner Initialization Failed message right now. Loading the NET developer tools on it so I'll have a memory dump later today.

Daedalus 16 Posted May 21, 2018

1 hour ago, WhiskeyRiver said:
> BAM! Caught one in the wild.

Gotta Catch 'Em All

WhiskeyRiver 1 Posted May 22, 2018

Good Gawd. I can't get a memory dump from this computer by remote. The computer is so slow... And I'm trying to do it by remote. It's in too trafficy an area and someone keeps coming by, trying to use it and resetting it. Apparently the dump is taking hours. I can't induce a crash dump because I'm not there. Frustrating.

Administrators Marcos 5,234 Posted May 22, 2018

We've already got enough memory dumps so no further dumps are needed. As a workaround, you can try disabling Protected service in the HIPS setup and rebooting the machine. The only 100% solution known to date is upgrading Windows 10 RS4 x86 to x64 version.

WhiskeyRiver 1 Posted May 22, 2018

8 minutes ago, Marcos said:
> We've already got enough memory dumps so no further dumps are needed. As a workaround, you can try disabling Protected service in the HIPS setup and rebooting the machine. The only 100% solution known to date is upgrading Windows 10 RS4 x86 to x64 version.

Okie-Doke. Glad you have what you need. I'm looking at a shelf with 10 Dell i560 desktops, all dual core Intels, all with 4Gb RAM, all were running 32-bit Windows, all of which got retired by either v1709 or now v1803 for various reasons, starting with the Spectre and Meltdown patches. It's a damn shame. All were replaced with new machines, I7 processors and 16GB RAM running 64-Bit Windows. Somebody's making good money from these Microsoft errors. I'm not a conspiracy nut but in this case...

Oh, one of my other groups is reporting that 64-Bit Windows machines with AVG and Avast updating to v1803 are blue-screening on the reboot. These are trying times.

WhiskeyRiver 1 Posted May 22, 2018

That last one... Avast breaks the rollback too apparently. Re-Install is the only answer for them.

itman 1,741 Posted May 22, 2018

1 hour ago, Marcos said:
> As a workaround, you can try disabling Protected service in the HIPS setup

I am still "mulling" over this one. Does this just disable PPL protection of ekrn.exe and/or additional Eset self-protection mechanisms? Also, I assume Eset is still using its ELAM driver to load ekrn.exe early in the boot process?

WhiskeyRiver 1 Posted May 22, 2018

1 minute ago, itman said:
> I am still "mulling" over this one. Does this just disable PPL protection of ekrn.exe and/or additional Eset self-protection mechanisms? Also, I assume Eset is still using its ELAM driver to load ekrn.exe early in the boot process?

Doesn't work for all of them. The one I was trying to dump the memory on had the protective service disabled.

itman 1,741 Posted May 22, 2018

Here's some details on the Avast fiasco:
https://news.softpedia.com/news/avast-antivirus-blamed-for-breaking-down-windows-10-april-2018-update-521227.shtml

This did "get me thinking." Has anyone tried rolling back to ver. 1709; I assume that is only possible if you took an image backup of it prior to upgrading to ver 1803? Next, Uninstall NOD32. Then, perform the ver. 1803 upgrade. Finally, reinstall NOD32. Wonder if this would stop the X(86) issues?

We need to find someone who installed NOD32 for the first time on ver. 1803 x(86).

Edited May 22, 2018 by itman

WhiskeyRiver 1 Posted May 22, 2018

I did that already. All three of the laptops I reference early in this thread were brand new hard drives with v1803 installed from scratch. As soon as you install Nod32 and reboot the antivirus starts failing.

That Avast problem... It even breaks restore points so you're caught in a loop if you try to go back. I always straighten existing machines out... Clean them up... Make sure there's no viruses or rootkits... Clear all restore points and make a new one... Then do the upgrade. I haven't had that particular problem where I couldn't return. But I only use eset products and malwarebytes so I'm atypical.

Edited May 22, 2018 by WhiskeyRiver

itman 1,741 Posted May 22, 2018

I just found this "tidbit" in regards to the next Win 10 release:

Quote
> Windows 10 Insider Preview Build 17672
> Release date: May 16, 2018
>
> This build has only very minor changes and fixes. In it, the Windows Security Center (WSC) service now requires that third-party antivirus programs run as protected processes, or else they won’t show up in the Windows Security interface, and Windows Defender Antivirus will run side by side with them. You can, however, disable the behavior by creating the following registry key and rebooting:
>
> HKLM\SOFTWARE\Microsoft\Security Center\Feature
> DisableAvCheck (DWORD) = 1
>
> Note that the key won’t work when the next version of Windows 10 is closer to being released.

https://www.computerworld.com/article/3118132/microsoft-windows/windows-10-redstone-a-guide-to-the-builds.html

Edited May 22, 2018 by itman

WhiskeyRiver 1 Posted May 22, 2018

2 minutes ago, itman said:
> I just found this "tidbit" in regards to the next Win 10 release:
> https://www.computerworld.com/article/3118132/microsoft-windows/windows-10-redstone-a-guide-to-the-builds.html

I will apply it and report back.

WhiskeyRiver 1 Posted May 23, 2018

17 hours ago, itman said:
> I just found this "tidbit" in regards to the next Win 10 release:
> https://www.computerworld.com/article/3118132/microsoft-windows/windows-10-redstone-a-guide-to-the-builds.html

If it does anything besides pitch an annoying security center box in R4 I can't confirm it. I still had to disable security center or it can be clicked right back on. I had to:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService - set start to 4

and

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - delete the string value labeled SecurityHealth

So far I haven't tinkered with this particular machine too much. The famous antivirus initialization error was evident when I found it this morning. I didn't know I had this many 32-bit installs still out there.

itman 1,741 Posted May 23, 2018

13 minutes ago, WhiskeyRiver said:
> If it does anything besides pitch an annoying security center box in R4 i can't confirm it.

Did you check via Process Explorer, etc. if WD engine was running; i.e. C:\ProgramData\Microsoft\Windows Defender\platform\4.14.17639.18041-0\MsMpEng.exe?

Edited May 23, 2018 by itman

WhiskeyRiver 1 Posted May 23, 2018

Not running. That part worked. I guess. WD is generally not running when the Nod32 errors occur. Hadn't thought about that before.

Edited May 23, 2018 by WhiskeyRiver

WhiskeyRiver 1 Posted May 23, 2018

Well... Not surprising now that I think about it. On most of these machines I've already tinkered with them ahead of time. I know I'm going to install Nod32 so I zing in a few registry changes:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection]
"EnableNetworkProtection"=-

I'm still working on my first cup of coffee. Surely the cobwebs will vacate shortly. In the meantime I'm distracted by the little guy in my head asking stupid questions like "is Batman a transvestite?"

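A read-only check of the registry values, service and process named in the posts above, added here as an example; it is not part of the thread and is not ESET or Microsoft tooling. It assumes an elevated PowerShell 5.1 session on the affected machine; the helper `Get-RegValue` and the `TweakInPlace` column are names chosen for this example.

```powershell
# Added example: read-only audit, nothing on the machine is modified.
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Keys, value names and data as quoted in the thread. "Flag" is the data
# that means the tweak is in place.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Feature'
       Name = 'DisableAvCheck'; Flag = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService'
       Name = 'Start'; Flag = 4 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
       Name = 'DisableAntiSpyware'; Flag = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Name = 'DisableRealtimeMonitoring'; Flag = 1 }
)

$report = @(foreach ($c in $checks) {
    $value = Get-RegValue $c.Path $c.Name
    [pscustomobject]@{
        Setting      = $c.Name
        Value        = if ($null -eq $value) { '(not set)' } else { $value }
        TweakInPlace = ($value -eq $c.Flag)
        Key          = $c.Path
    }
})

# The SecurityHealth Run entry was deleted, so absence is the changed state.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-RegValue $runKey 'SecurityHealth'
$report += [pscustomobject]@{
    Setting      = 'SecurityHealth'
    Value        = if ($null -eq $run) { '(not set)' } else { $run }
    TweakInPlace = ($null -eq $run)
    Key          = $runKey
}
$report | Format-Table Setting, Value, TweakInPlace, Key -AutoSize -Wrap

# Is the Defender engine actually running, and what state are the services in?
"MsMpEng.exe running: $([bool](Get-Process -Name MsMpEng -ErrorAction SilentlyContinue))"
Get-Service -Name WinDefend, SecurityHealthService -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# Antivirus products currently registered with Windows Security Center.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
    -ErrorAction SilentlyContinue |
    Select-Object displayName, productState | Format-Table -AutoSize
```

Saving the output before and after the v1803 upgrade or a NOD32 reinstall shows which of these settings survived and whether the third-party product is still registered with Windows Security Center.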
itman 1,741 Posted May 24, 2018

@WhiskeyRiver, FYI

Microsoft Releases KB4100403 to Fix Windows 10 Intel & Toshiba SSD Issues

Quote
> Earlier today, Microsoft released cumulative update KB4100403 that fixes several bugs, including the issues some users reported with Intel and Toshiba solid-state drives (SSDs).
>
> Users reported these issues after updating to the latest version of Windows 10, the April 2018 Update — also known as version 1803.

https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-kb4100403-to-fix-windows-10-intel-and-toshiba-ssd-issues/

Edited May 24, 2018 by itman

WhiskeyRiver 1 Posted May 25, 2018

17 hours ago, itman said:
> @WhiskeyRiver, FYI Microsoft Releases KB4100403 to Fix Windows 10 Intel & Toshiba SSD Issues
> https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-kb4100403-to-fix-windows-10-intel-and-toshiba-ssd-issues/

Nobody's happier to see it than me. Well, maybe my neighbor who manages an IS department that has a couple of dozen Surface Pros deployed. I wonder if they've slipstreamed the fixes into their downloadable ISO?

itman 1,741 Posted May 25, 2018

32 minutes ago, WhiskeyRiver said:
> I wonder if they've slipstreamed the fixes into their downloadable ISO?

You can download it from the Win Update Catalog web site and roll it out to clients that way.

Appears Avast has fixed their issues in regards to ver. 1803: https://www.ghacks.net/2018/05/25/avast-update-fixes-windows-10-version-1803-upgrade-issue/

WhiskeyRiver 1 Posted May 25, 2018

1 hour ago, itman said:
> You can download it from the Win Update Catalog web site and roll it out to clients that way. Appears Avast has fixed their issues in regards to ver. 1803: https://www.ghacks.net/2018/05/25/avast-update-fixes-windows-10-version-1803-upgrade-issue/

Haven't had a chance to look. Busy day. If the SSD fixes aren't slipstreamed then I still can't deploy a new installation using an Intel drive. I will check to see what they've got up. Thanks.