"Pre Ban Hotfixes" from your XPUa CD

[SilverBulletUK]

Hi guys,

Ive been figuring out a way to ban hotfixes from being installed via windows update via my XPUa CD.

I think ive sussed it and would like to pass on my solution, I know it could be done via VBS but im a bit more comfortable with Batch files.

I hope this helps, feel free to improve.

2 Files are needed, firstly.....

BanHotFix.BAT

@Echo Off

Title=Banning updates...

Set BannedUpdateList=HotfixList.ini

:::::::::::::::::::::::::::| Parsing Banned Update List File
::
Set UpdateNumber=0
FOR /F "skip=10" %%a in (%BannedUpdateList%) Do Call :Process %%a
GOTO :EOF

:PROCESS
Set Update=%~1
Set /a UpdateNumber=%UpdateNumber%+1
Cls
Echo Banning Item: %UpdateNumber% Update name: %Update%
Echo.

:::::::::::::::::::::::::::| Creating Folder Structure
::
Set UpdateFolder=%WINDIR%\$NtUninstall%Update%$
IF NOT EXIST %UpdateFolder% MD %UpdateFolder%
Attrib +R +H %UpdateFolder%

:::::::::::::::::::::::::::| Creating Dummy Text File
::
Echo "This update has been banned via your installation CD.">>%WINDIR%\%Update%.log

:::::::::::::::::::::::::::| Creating Registry Key 1
::
Reg Add HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\%Update% /f

:::::::::::::::::::::::::::| Creating Registry Key 1 Data
::
Reg Add HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\%Update% /v DisplayName /t REG_SZ /d "This update has been banned via your installation CD." /f

:::::::::::::::::::::::::::| Creating Registry Key 2
::
Reg Add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\HotFix\%Update%" /f
Reg Add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\HotFix\%Update%\File 1" /f

:::::::::::::::::::::::::::| Creating Registry Key 2 Data
::
Reg Add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\HotFix\%Update%" /v Comments /t REG_SZ /d "This update has been banned via your installation CD." /f
Reg Add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\HotFix\%Update%" /v Installed /t REG_DWORD /d 1 /f

:EOF

And...

HotFixList.ini

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::
::Please list any updates you wish to add to the banned list
::  by placing the update UNDER the "[UpdateList]" header.
::
::  PLEASE NOTE: All updates MUST be preceded by Q or KB!
::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

[UpdateList]
KBsample
Qsample

Im hoping it should be pretty self explanatory.

EDITED TO INCLUDE DUMMY TEXT FILE, COUNTER AND UPDATE CURRENTLY PROCESSING

EDITED TO INCLUDE "/F" SWITCH TO REG ADD WHICH FORCES UPDATE IF KEY EXISTS ALREADY

EDITED TO INCLUDE "FILE 1" REGISTRY STRING

SilverB.

Edited August 13, 2006 by SilverBulletUK

[muiz]

what then use?

[SilverBulletUK]

We use a custom application in our office, and one of the updates stops it communicating with its server in the workshop.

If the update gets installed we have a lenghty process of installing the manufacturers 'hotfixes' so I was just thinking of a way round it.

Might not be of use to anyone else, but just thought id offer it up.

SilverB.

[Takeshi]

I have a few queries if you don't mind please.

1. In the ini:

[updateList]KBsample

We put KB123456, not KB123456.exe, right?

2. I see you're creating pseudo entries in the registry and making dummy files & folders to fool WU. Is the registry entry enough?

3. Does it work for WGA Notification?

[Gee]

Very well written.

To answer some of Takeshi's questions

1. Yes, do not add .exe

2. Should be enough, but may vary depending on the update

3. Yes, I am not positive, but I just checked my machine and I think these entries are adequate to supress WGA Notification

My only observation is that. The dummy text file should be a dummy .log file not a .txt file

:::::::::::::::::::::::::::| Creating Dummy Text File

::

Echo "This update has been banned via your installation CD.">>%WINDIR%\%Update%.log

Edited August 12, 2006 by Gee

[Takeshi]

Thanks.

Yep, they're log files.

As far as I can tell, KB905474 (WGA Notification) does not create an uninstall folder, nor a log, just an entry in Add/Remove Prog (registry).

[Gee]

As far as I can tell, KB905474 (WGA Notification) does not create an uninstall folder, nor a log, just an entry in Add/Remove Prog (registry).

I just checked my registry and it doesn't create the Add / Remove entries in the registry either.

I think the entries are created in

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\Notify\WGALogon

So chances are, you cannot use this method to supress KB905474

[Takeshi]

I just updated WGA Notification 1.5.0540 (19.6.2006).

It updated its entry in Add/Remove prog and here in the reg:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WgaNotify

It also updated the wganotify.log in WINDOWS, wgalogon.dll and wgatray.exe in system32 in dllcache.

It left behind the Download folder in Software Distribution. Inside there's an uninstall file.

I'll investigate this further. It's getting late now. I'll rename those files offline, leaving only the reg entry and see.

Edited August 13, 2006 by Takeshi

[Gee]

I found the entries now. It is under WGANotify and not KB905474

I integrated KB905474 into my uninstall CD. It appears that none of the %WINDIR%\$NtUninstall%Update%$ are actually required when supressing hotfixes.

The only necessary entries are the .log files and the registry entries.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WgaNotify]
"DisplayName"="Windows Genuine Advantage Notifications (KB905474)"
"UninstallString"=""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20020109"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=905474"
"URLInfoAbout"="http://www.microsoft.com/genuine"
"NoRemove"=dword:00000001
"NoRemoveInitialValue"=dword:00000001
"DisplayVersion"="1.5.0540.0"
"VersionMajor"="2"
"VersionMinor"="0"
"ParentKeyName"="OperatingSystem"

Edited August 13, 2006 by Gee

[SilverBulletUK]

Very interesting, great work guys.!

When i written the batch i wasnt sure what Windows Update looked for when updating so I just had a 'stab in the dark' so to speak.

Thanks for the ".log" and not ".txt" pointer Gee, much appreciated!

SilverB

[Takeshi]

I'll rename those files offline, leaving only the reg entry and see.

Didn't work. Tried that in my laptop already updated as described.

Gee's method didn't work either. Tried that in VMWare without previous update.

[Gee]

Try this registry entry to suppress the installation of KB905474

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000001
"InstallNotifyShown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,69,56,c4,80,41,b9,4a,43,bf,97,3b,98,06,7e,34,57,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,14,d8,49,b1,9b,43,d1,7b,\
b9,7c,85,a2,9c,f6,c8,b7,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,e4,\
59,49,a2,0f,ee,a6,23,78,e5,c8,91,3e,f7,40,64,70,06,00,00,1a,2b,76,12,0e,6c,\
b9,0e,f2,68,c3,ba,11,32,b8,e4,1c,4d,63,45,b4,42,e6,b8,95,49,31,9c,45,ab,21,\
39,25,c2,a5,6d,36,3d,63,a4,75,e7,97,05,c7,62,52,76,9b,71,26,06,ae,28,08,77,\
22,d0,21,9d,1b,f9,ea,7a,b3,b1,07,2c,6b,17,48,06,10,1e,10,48,06,32,a6,fb,16,\
cf,b7,2e,d6,00,42,d8,2e,47,ad,87,45,2a,7e,c8,5a,1c,e3,99,dc,3c,8c,a7,29,a4,\
cd,ad,c8,d9,52,64,d9,16,00,81,ff,66,fd,f2,d2,17,ee,92,8d,a4,38,06,70,63,f9,\
0b,55,be,b5,c0,5a,8a,3e,b9,fb,13,8c,c1,df,50,61,d5,60,89,9a,0d,36,0d,3f,2e,\
77,7c,04,ef,8d,76,41,07,75,27,d2,ac,11,62,1a,7f,91,35,22,4f,0e,92,6d,2d,45,\
e9,e3,ad,0e,33,46,b4,03,b5,94,2d,9b,d7,f1,62,f9,0e,b1,9f,56,bd,80,7a,44,06,\
9f,80,19,45,bd,04,56,9c,5d,eb,fb,10,59,cd,5e,02,66,b6,af,de,d0,4e,08,ca,ff,\
44,d6,e6,a6,b1,50,cd,e9,de,f6,b9,06,90,45,f8,c7,ec,44,73,b8,8f,0f,3d,27,a7,\
32,42,2d,04,c1,a2,e2,c2,23,70,97,10,09,a2,05,00,58,95,00,94,7f,74,4e,18,e0,\
0d,e7,be,3e,2c,3e,7c,5d,c4,26,fd,bb,08,e0,c8,01,2e,db,5a,51,80,8f,f4,3e,6e,\
53,52,3d,a7,52,aa,c6,8e,fd,33,26,03,e8,3d,81,d8,c5,82,0a,ce,14,ae,29,d4,16,\
0f,7d,83,30,d1,4d,13,d9,72,52,8f,db,4c,43,63,cb,dc,97,a8,86,83,85,e6,ad,00,\
a2,13,23,c8,3a,f0,50,a7,58,ae,eb,b3,e6,1f,a4,5f,6f,5d,a1,1b,c8,1f,9e,c4,ed,\
48,53,1d,82,0d,1c,a2,6f,b6,8a,67,1a,bc,c8,de,2a,56,d9,7a,b6,e9,83,28,ab,44,\
fb,06,0b,3b,0d,9f,3e,e5,3e,5f,ff,97,eb,0c,9f,b8,4a,8b,6a,fc,91,34,64,ac,7e,\
e8,41,5d,ae,3c,59,71,2f,67,08,9c,a2,d6,88,8f,3c,e9,a9,eb,fc,b9,77,c6,ff,b6,\
66,24,b7,65,31,0e,95,64,5f,5e,af,f1,a3,f1,f2,16,f9,53,52,f1,46,77,31,4b,ad,\
62,ed,38,93,d4,c0,e9,50,db,b8,7f,68,c5,89,c9,58,a6,e2,17,9c,5b,35,54,3b,9e,\
28,6e,39,8c,bf,01,b8,3a,7a,2f,ee,07,54,ec,84,90,4b,a2,4e,24,06,19,da,e9,f3,\
1d,b1,a0,f8,1d,fc,c3,42,1a,d0,42,ba,95,8b,4b,af,16,6d,35,3e,a2,d3,9b,a1,39,\
2f,d7,a0,50,51,8e,2c,52,87,67,17,26,54,7e,de,7d,ed,68,97,66,1b,5a,c0,3f,8d,\
22,b7,8f,21,1b,51,7a,28,67,d4,ed,81,cf,fc,94,0b,ca,14,c6,8d,85,2b,e2,a5,5e,\
2a,70,50,70,59,1e,a2,aa,d8,cc,eb,59,89,36,ca,b8,15,e9,3b,14,82,86,20,9f,8a,\
45,cd,35,0c,fb,1f,52,d0,26,27,f8,ff,e3,ae,b4,80,75,c6,7b,b1,11,ab,47,8e,3f,\
11,fc,b5,1f,f9,65,e3,8a,e1,6b,68,20,e4,c3,cb,91,1e,03,99,84,48,00,a2,18,9e,\
c8,ae,54,4c,92,99,fd,03,66,17,aa,b0,d7,38,3f,d2,d6,a0,10,f1,ab,09,79,9f,ef,\
0d,5c,45,01,01,1d,cc,12,ce,d0,a4,de,e2,b2,42,45,be,ba,a9,d4,8c,7c,05,d8,7c,\
0e,48,8b,3b,0a,a5,74,90,6e,fa,ce,5f,42,93,51,19,8e,5f,6e,bd,a1,ce,cc,a3,89,\
a6,28,70,e6,0a,c7,38,56,4d,4f,89,35,8d,e1,73,2c,e6,ab,24,aa,d2,dc,cb,09,5e,\
97,aa,f6,cf,9d,ed,4f,4f,b6,27,28,ba,fe,78,f4,be,82,68,86,fb,9f,77,d2,6a,dd,\
72,86,b5,ce,da,bb,29,37,d7,e1,0e,5e,80,77,61,57,1b,6e,ae,ae,11,ae,46,98,3d,\
da,fb,3a,92,a4,8e,68,b7,24,1a,cf,8e,06,8b,63,c3,8b,55,15,c2,df,b1,97,b4,b0,\
4a,99,7d,f7,1b,8b,48,38,74,24,1c,be,c3,57,35,75,ec,ba,3e,3e,f9,03,d7,a6,9f,\
75,8b,91,73,37,27,d9,a1,4c,64,19,28,f4,54,76,81,22,1e,8a,63,c6,b0,5f,f3,f3,\
7e,d8,f6,e1,3a,06,4e,2f,3b,d6,a8,8f,a9,49,26,3d,3d,16,e4,cb,ce,8d,46,26,52,\
38,95,0d,2a,98,77,f1,c7,11,b9,da,1c,f1,c9,60,b1,97,14,4a,d5,40,53,02,f8,5e,\
de,53,27,58,94,bd,00,74,4b,04,16,35,8d,00,b0,dd,fe,43,ef,3f,84,eb,b5,f8,1d,\
72,45,b0,7a,94,99,c9,91,11,59,d5,f6,e6,69,d4,4f,e6,69,d3,cf,75,73,53,9f,82,\
2b,94,68,e4,c2,af,1e,4b,99,ea,c3,1c,9d,20,8f,cd,8d,40,af,bf,e1,be,93,02,de,\
05,40,56,2f,e2,2d,57,c0,24,f3,63,43,0d,3c,4d,de,28,ed,98,96,74,59,a5,83,8e,\
d8,be,09,15,9a,7e,f5,df,95,24,15,07,27,06,11,6a,a1,82,d8,20,35,71,9e,c5,9b,\
56,64,45,43,96,a0,55,23,c4,57,8a,c2,bc,ab,a8,ef,04,a7,27,8b,98,9c,83,5c,a7,\
55,11,d2,61,15,47,e7,d4,da,f9,33,6e,bd,de,9e,5a,eb,39,f2,9b,b2,f8,44,40,01,\
ec,5e,8b,4d,79,d3,df,b2,db,0b,b8,80,b8,9a,7e,fe,1d,08,c9,5d,21,43,23,50,1d,\
0c,a2,aa,d6,53,b9,a6,4c,9f,a2,3e,ee,65,21,46,5c,3c,63,79,68,58,60,94,87,ce,\
3f,f3,82,e9,03,b3,7e,91,ce,3d,dd,42,2a,cd,a6,01,0f,b7,51,0e,1a,b4,bd,7b,7e,\
7d,22,19,15,c3,7f,40,9f,70,de,6a,27,f7,05,b1,e0,95,31,fe,6c,6f,49,62,a1,37,\
be,7e,66,1d,35,7b,ee,1c,e2,46,ef,10,94,d5,c4,97,7d,06,fc,a1,11,9b,1c,17,08,\
5f,8f,d2,5f,fe,2f,56,19,f5,a5,49,b0,9b,ee,5a,e4,88,c1,77,d2,83,90,1f,5b,8a,\
54,77,d5,ca,9d,81,a1,7b,73,a2,31,31,d4,27,57,dc,11,f0,0b,a9,e9,f4,2f,5b,6a,\
3c,db,49,3a,5c,90,19,b9,bc,07,7f,1b,b9,ae,3f,fe,a1,f8,9f,39,0e,34,10,fe,a1,\
8a,04,cd,48,47,c9,ba,a6,35,cc,36,61,51,36,96,a9,2a,a8,c5,61,0c,c3,97,c2,c5,\
71,ae,93,b4,f4,37,68,fb,b9,9a,77,a1,6c,9f,c3,1a,e6,10,63,0c,44,fe,ce,68,44,\
86,07,91,e3,d2,6f,b7,1b,81,5b,14,9b,33,1b,1b,78,31,e8,3e,60,aa,38,59,f2,91,\
e9,75,90,a7,1e,a9,c8,13,c9,a9,3e,0c,8b,44,72,ec,cc,45,d3,11,7b,0e,1c,ac,76,\
ac,0e,52,72,89,17,9d,23,13,af,7c,65,45,76,1d,d5,ab,f5,b0,9e,b4,20,6b,be,b2,\
57,e6,73,ff,6b,69,dc,4a,76,13,c3,e3,e7,41,62,88,a0,54,11,6a,6a,31,f9,b1,25,\
cc,c2,06,dc,d3,88,02,82,69,70,2e,09,9f,64,40,88,c9,ff,6a,ee,66,69,5d,ca,79,\
b9,f0,03,23,b8,c9,1b,d9,f6,9b,d4,65,85,4c,d4,c4,09,fd,a5,45,ad,ad,49,bb,c7,\
fb,b8,2a,46,e1,15,09,1a,5e,1c,e7,16,e6,a7,8b,e4,42,d1,07,8a,ec,b4,eb,d0,09,\
c9,bd,24,89,1f,28,65,99,72,bd,3b,ca,6b,fd,f2,24,63,2a,0b,d9,c7,9a,4b,c1,29,\
21,17,7b,23,60,2c,06,db,ac,64,b7,7d,83,80,0d,ef,58,a8,a5,6f,df,9c,16,0c,5d,\
ff,ec,db,de,72,80,66,7f,0c,65,82,45,c3,b8,9a,5e,cd,0f,3d,bf,5f,cf,93,db,fc,\
5f,89,de,8b,82,88,33,ad,83,d6,bb,fd,f2,24,f5,df,ee,14,00,00,00,af,22,08,52,\
f6,a0,30,d5,4e,c6,b8,bf,fd,67,be,a7,73,67,db,7d

wga.reg

[Takeshi]

Those reg entries are already there in my genuine installation updated with KB905474.

The entry "InstallNotifyShown" is not there in my reg. The settings key is a bit different. I tried yours with no luck.

I don't know whether being OEM install makes a difference. Still investigating.

[SilverBulletUK]

Did you guys manage to sort out what tag WU looks for?

It seems my solution is a bit hit and mit on the test systems here....

:@

[Takeshi]

I get the impression that there's no universal solution that applies to ALL the updates and hotfixes.

KB890830 (malicious sw removal tool, a scan really) is different as it writes to a different reg key but it can be fooled (already discussed elsewhere).

KB905474 needs the current legitcontroll.dll, wgalogon.dll and wgatray.exe at least. I've since found there're more registry keys involved.

Perhaps it'd be more helpful at least to post which KB works using your method.

I've also noticed that the yellow shield in the Notification Area notifying you of updates can behave inconsistently, when it says you need this KB even though you've already installed it, and when MU website says you don't need it. So it might confuse the issue during testing.

Edited August 20, 2006 by Takeshi