W7 X64 Windows update turned itself on for all products.


  1. Posts : 9
    W7 x64
       #1



    This computer is a new build as of mid-December. I installed W7 x64 SP1 on it with no further patches except for one needed for SolidWorks to run.

    As I always do, the first thing I did was turn off auto updates. I also ran a utility, "Kill w10 upgrade nag".

    The computer has been heavily used since and constantly online. Everything appeared fine with no nags or associated traffic until today.

    The only strange thing I noticed on the network for the last 2 or 3 days was an almost constant low bw (average 2.5kb) flow to this computer. I spent some time trying to identify its source and purpose. The addresses involved were ipv6 around ff02::1:3. The purpose is supposedly to do with the replacement of ipv4 DHCP server and provides an automatic version of DHCP for ipv6. No changes were made to the network or software installed on this machine at the time this started to appear.

    When I started up my computer this morning shortly after booting I got a popup message that windows needed to restart in order to install updates.

    I went and had a look at the updates on this machine and it now showed dozens of KBs, all with today's date, Feb 9. This is probably everything since SP1. It included

    KB 3035583 - According to Microsoft, this update enables "additional capabilities for Windows Update notifications when new updates are available".

    I have backups of every 3 hours for the previous month and daily before that, so I decided out of curiosity to let Windows update itself. I first uninstalled KB 3035583.

    The computer rebooted successfully. The first thing I checked was the update settings, which were all on. I turned them off and again rebooted the computer to ensure update settings weren't still turned on in memory.

    I watched internet-bound traffic using the Avast firewall and also Wireshark. After a few minutes I noticed a new svchost thread start to 13.107.28.43, which turns out to be a Microsoft update server. I blocked that IP in the computer's firewall, not the router's, and again restarted the computer. The router is a commercial grade one through which I provide wifi internet to my remote community through 2 ganged satellite links.

    I had a look in \window\SoftwareDistribution\Download\ and deleted all the files there.

    After a few minutes the low bw traffic started up again. It was now from an Akamai server.

    I should have checked where that process # was initiated from but didn't. I then manually disabled the WindowsUpdate service which was listed but not running.

    I had to go out for about half an hour.

    When I got back I checked the download directory again and there were 394 new directories in with most being empty. There were 14 directories with a total of 940mb of data in them.

    The router I use is a Peplink Balance 20, which does an excellent job of logging internet bw. I can identify by hour/day/month each user's bw individually. During the period I was gone the total bw down was 86mb. Where did the 950mb of data come from?

    I was suspicious of the ipv6 traffic and suspecting possibly MS was doing something on ipv6 networks to multicast w10 upgrade files across a local network if there were multiple computers that had been upgraded or had upgrade files downloaded to them. I know some of the computers on this network are now W10 and at least 1 is currently being upgraded.

    I renamed the \download\ directory \download.delete\ to see if \download\ was automatically recreated. I disabled ipv6 on the router and also on my W7 computer. So far after about 2 hours there is no sign of update downloading.

    Is there anything else I can do to stop the updating?
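
An added example, not part of the original post: a read-only PowerShell audit of the things the post checks by hand (the update setting, the Windows Update and BITS services, KB3035583, and the download cache). The registry paths, the AUOptions meanings and the log location are the standard Windows 7 ones rather than anything taken from the thread, and an elevated prompt is assumed.

```powershell
# Added example: read-only audit of Windows Update state (Windows 7, PowerShell 2.0+).
# Run elevated. Nothing here changes the system.

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# 1. Automatic Updates setting: Control Panel value and any Group Policy override.
#    AUOptions: 1 = never check, 2 = notify, 3 = download and notify, 4 = install automatically.
$local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
"Control Panel AUOptions : {0}" -f (Get-RegValue $local 'AUOptions')
"Policy NoAutoUpdate     : {0}" -f (Get-RegValue $policy 'NoAutoUpdate')
"Policy AUOptions        : {0}" -f (Get-RegValue $policy 'AUOptions')

# 2. Services involved in update downloads: Windows Update (wuauserv) and BITS.
#    ProcessId is the hosting svchost PID, to match against firewall or Wireshark output.
Get-WmiObject Win32_Service -Filter "Name='wuauserv' OR Name='BITS'" |
    Select-Object Name, StartMode, State, ProcessId | Format-Table -AutoSize

# 3. Is the update named in the post installed?
$kb = Get-HotFix -Id 'KB3035583' -ErrorAction SilentlyContinue
"KB3035583 installed     : {0}" -f ([bool]$kb)

# 4. What is currently staged in the download cache?
$cache = Join-Path $env:windir 'SoftwareDistribution\Download'
$files = @(Get-ChildItem $cache -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer })
$bytes = 0
foreach ($f in $files) { $bytes += $f.Length }
"Download cache          : {0} files, {1:N1} MB" -f $files.Count, ($bytes / 1MB)

# 5. Most recent Windows Update agent activity, with timestamps.
Get-Content (Join-Path $env:windir 'WindowsUpdate.log') -ErrorAction SilentlyContinue |
    Select-Object -Last 25
```

Running it before and after a reboot shows whether the setting, the service start mode or the cache contents changed between the two runs.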







  2. Posts : 880
    Windows 7 Professional 64bit
       #2

    Petero said:
    ...I decided out of curiosity to let windows update itself.
    Since KB3035583 specifically and notoriously installs W10 I wonder why you would do this. But since the problems only started yesterday I would restore to a Monday backup of my system, or perhaps last Friday or something, as you suspect you've had something unusual going on for a few days.


  3. Posts : 9
    W7 x64
    Thread Starter
       #3

    Thanks for responding max7...

    There are several reasons I didn't simply restore the system to a previous backup.

    There are some events of concern surrounding this timeframe. At the time the low bw stream started I was about 4 days into doing a frame by frame analysis of the video released by the FBI of Lavoy Finicum's shooting which I am currently about half way through. At the time the first 2 segments of my analysis had just been released publicly although still at a very low level.

    I have previously done similar analysis and during that period my computer which is religiously maintained managed to seriously crash scrambling drives on an average of twice a day after running flawlessly for several years. At the time not just the system drive was trashed but also online data drives. Because of my on/offline backup procedures I was able to recover quickly and proceed on.

    This new computer is much better protected and also lets me keep a closer eye on what is going on.

    This time I figured that simply doing a restore left me wide open for the same thing just happening again.

    I had just turned on the computer to start working for the day and KB3035583 and the other KBs had put their code in place but had not yet been executed. Although I wasn't sure I could uninstall KB3035583 before a reboot I gave it a try and was able to.

    KB3035583 was the obvious culprit to be wary of but I suspected there was probably more going on so decided to proceed to see what happened with one possible source ruled out. Sure enough the data stream continued and began replacing the material associated with security backups I had just deleted even though all normally used settings for controlling updates were turned off. Even after the WindowsUpdate service was manually disabled the stream continued.

    It was only after disabling ipv6 functionality on the network, and on the computer, that the stream stopped.

    I mentioned all this here out of privacy concerns not just for myself but also for everyone else using windows. I have no illusions about our computers being private; this situation suggests that those with intent to spy can and do so without regard for the law.

    I was a programmer many years ago but have had other interests and am no longer fully conversant on all aspects of the windows OS.

    I appear to have stopped the problem for now. Another area of concern I have which I'm not familiar with is the code in windows enabling remote access. I have manually turned off remote access and quarantined some obviously associated services but have no idea where to look in more detail. Perhaps the experts here might have some suggestions?

    File and printer sharing is also turned off. Broadcasting of the computer's resources on the network is also turned off.

    Thanks,

    Peter


  4. Posts : 880
    Windows 7 Professional 64bit
       #4

    Petero said:
    I had just turned on the computer to start working for the day and KB3035583 and the other KBs had put their code in place but had not yet been executed.
    There is obviously much more than meets the eye re your PC. All I can suggest is that I don't know how you knew "their code...had not yet been executed" i.e. while there are many updates which require reboots, not all do and so I imagine many of them will "start executing" immediately.


  5. Posts : 9
    W7 x64
    Thread Starter
       #5

    I stand corrected. I assumed that the reboot was always the case, as many of the KBs need the reboot in order to kill currently executing code in memory which locks the associated files. From the Windows dialog at such times it appears the new files to be put in place are pre-staged to replace the original code during shutdown and restart while the original files are unlocked.

    Do you have a list of the KBs that introduce the same surveillance/update? routines of W10 into W7 & W8? I'm still in the thick of the current project and do not have the time to find them myself and would like to remove them as they are now on my machine.

    If I feel it is safe I would like to proceed with most of the 346 KBs since SP1 in place. There are likely some new backdoors since then but hopefully I will spot them if used.

    In the 346 kbs there are probably some compatibility ones that will improve the reliability of the computer. I have a full month to change my mind if things go badly. My new system substantially has all the software I need in place and all data is segregated onto different drives so a system restore a month from now will hopefully be relatively painless.

    I wanted a fresh install of windows on the new machine after keeping the last install running since xp. There were countless manual fixes over the years that I wanted to remove as it was getting more difficult to keep the old version of windows running.


  6. Posts : 880
    Windows 7 Professional 64bit
       #6

    There are many threads here already about "avoiding the dreaded W10 updates" and while 3035583 is a key one I do not know all. You can also surf on GWX Control Panel which may help.

    Good luck in getting the updates installed. Hopefully some of the things you've done like deleting the files in \window\SoftwareDistribution\Download\ have not made successful updating impossible.


  7. Posts : 7,107
    W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
       #7


  8. Posts : 9
    W7 x64
    Thread Starter
       #8

    Since all the changes introduced in W10 I have no interest in getting any more updates from MS ever. I am currently still debating leaving the 346 recently installed KBs in place.

    Unfortunately I need some of the capabilities only available in windows to efficiently utilize the memory, cores, and high end graphics that I need for software I use regularly. Virtual machines I have tried so far do poorly relying on generic drivers. Dual boot is a pain in the butt if you regularly need to go back and forth.

    What I'm going to try next, once I have the time to set it up, is boot into windows which will be blocked for outside access and run Linux inside it in a VM for communications purposes only. I have enough oomph to do this side by side acceptably. I use VMs regularly but so far the windows shell has been my main platform.

    Running windows in a VM from inside Linux creates the problem of poor hardware utilization. Apple is not an option as it is even more opaque than windows.

    Thanks for your insight.


  9. Posts : 9
    W7 x64
    Thread Starter
       #9

    torchwood said:
    Thanks for that it is interesting.

    It loads its executables somewhere unexpected

    Files installed by Akamai NetSession Interface

    Program executable: netsession_win.exe
    Name: Akamai NetSession Client
    Signed by: Akamai Technologies
    Path: C:\users\user\appdata\Local\Akamai\netsession_win.exe
    MD5: aab979089e192acc0fe1e3c018f8b591
    Akamai NetSession Client is part of the Akamai Download Manager, a computer program dedicated to the task of downloading (and sometimes uploading) possibly unrelated stand-alone files from (and sometimes to) the Internet for storage....
    Probably without notifying the user.

    No mention of it in my registry and none of the associated files installed.

    It really boils down to the fact that we have no idea of what is going on in our computers these days. Most consumer routers have horrid BW monitoring abilities. Using software utilities depends on a computer being on in order to record bw data.

    Using a good router I know for a fact that one machine I manage downloaded the W10 upgrades while shutdown, not just asleep, but still plugged into power. I guess for security we need to unplug computers from power when not needed not just turn them off.


  10. Posts : 7,107
    W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
       #10

    Graphics


    You don't have to have WU on to update drivers.

    If your specs are correct then all you need for your graphics is the Intel update utility.
    Mind you, I know little about Linux kernel operations/VM and if this option is viable on your set-up.

    PS Firefox is way above 28.

    Roy


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
