MS kernel patch skirts infected machines

Microsoft's latest batch of patches contains a kernel update designed not to install on machines infected with a rootkit. The move is designed to prevent the confusion that occurred when one of the patches released in February resulted in a Blue Screen of Death and continuous reboot cycles on some Windows XP machines. …


This topic is closed for new posts.
  1. jake Silver badge

    More and more bizarre ...

    "The idea is that this tool will remove malware and clean up systems which can then be safely patched at the second time of asking."

    I do not now, and probably never will, regret the decision not to work on MS infected machines anymore. How anyone can take this joke of an OS-producing company seriously is beyond me.

  2. Anonymous Coward

    Error Messages

    Isn't it about time MS thought about making those error messages easier to understand? (I am sure removing the error number and replacing it with a ribbon bar might be the way forward :-p )

    1. Graham Marsden

      As the old tagline had it...

      Error 606: Lazy programer

  3. Secretgeek

    I like it.

    I'm assuming that MS will tell you that you're infected?

    Maybe they should broaden the net and refuse to update anyone with a virus, trojan or rootkit. Maybe it'll have some impact on the botnets?

    1. Danny 14


      no, doubtful they will tell you in case they are wrong and get sued.

    2. Anonymous Coward

      RE: I like it.

      "I'm assuming that MS will tell you that you're infected?"

      They don't - they give you a bizarre error number instead.

      ...but if you are infected, the symptoms are easy to detect. Something called "Windows" is installed on your computer and this makes it easier for malware to be installed...

  4. The BigYin

    Does it warn?

    "Dear User,

    One of the MS updates could not be installed as your system is infected with a 'rootkit'. It is strongly advised that you disconnect from the internet and hire a professional to fix your system."

    Or something. If they don't do that then they are not helping to stamp out the millions of infected Windows boxes that plague the net.

    1. Anonymous Coward

      RE: Does it warn?

      No warning, just a meaningless error message.

      Don't know why your post was downvoted - it's very sensible. Must have been a Windows fanboi (hard to believe such a thing exists but apparently they do)

  5. Anonymous Coward


    "Microsoft is using technology designed to prevent the update from installing onto malware-compromised machines." because installing the patch may cause a BSOD

    A bit like saying

    "The fire brigade is using a new tool designed to prevent firefighters from spraying water at burning houses" because that might wet the sofa.

    Really? If ever you needed proof that Microsoft aren't a serious software company....

  6. Anonymous Coward

    This is just going to make things worse.

    Consider scenarios A and B:

    A. User with virus installs patch, bricks system, has to reinstall Windows, no longer has virus, was inconvenienced in the process but he's a Windows user so he's used to that sort of thing

    B. User with virus attempts to install patch, thanks to MS gets weird error, ignores it, doesn't know they have virus, never gets patched, is insecure forever

    And Microsoft prefers scenario B.

    1. Alex 0.1

      And maybe...

      How about scenario C, as follows:

      User with virus attempts to install patch, thanks to MS gets the following incredibly clear message:

      "Your computer might not be compatible with Microsoft Security Update MS10-015. Proceeding with installation of the update could prevent your system from starting successfully. For additional information please visit"

      Page linked to in message says:

      "These conditions on your system may be the result of a computer virus that modifies some operating system files, which renders your infected computer incompatible with the MS10-015 update. In some instances, installing security update MS10-015 in such a condition causes the computer to restart repeatedly."

      Page then goes on to provide detailed information and guidance on what help and advice to seek to clean your computer.

      User consequently knows they're infected, can get patched, is not insecure forever, and did not have to brick their machine (and whine at Microsoft for it) in the process.

      But why let the truth get in the way of sensationalist bitching at Microsoft, huh?

      1. ElReg!comments!Pierre

        How about scenario D?

        «User with virus attempts to install patch, thanks to MS gets the following incredibly clear message:

        "Your computer might not be compatible with Microsoft Security Update MS10-015. Proceeding with installation of the update could prevent your system from starting successfully. For additional information please visit"»

        User is used to getting strange error messages, can't be arsed to check the related URL (this minesweeper won't solve itself) and -as usual- just clicks OK and forgets about it. User never gets patched and is infected forever.

  7. AndrueC Silver badge


    And of course I didn't notice the pending updates until I'd cloned five VMs onto a new host.

    So now I have ten guest OSes want updating. I'm also creating a domain controller and Exchange server on the new VM host so /that/ now wants to update. The new VM host needs updating. Even the old host is waiting to install updates because it was down for the last couple of days for maintenance.

    ..and meanwhile Muggins here is trying to install Exchange 2010 on the new DC.

    Oh what a fun day to be sure :-/

  8. KarlTh


    Scenario A was what we had in Feb, and everyone blamed MS then.

    1. ElReg!comments!Pierre

      What's your point?

      «Scenario A was what we had in Feb, and everyone blamed MS then.»

      So what if a couple overexcited, erm, respectable-though-not-very-IT-literate MS customers flamed their fave vendor back then? Anything is better than the «there might be something terribly wrong with your machine but carry on as usual» approach. Thanks to the collusion between Intel and MS (and Apple?), as well as Best Buy /et al./, most home and small biz users have *massively* overpowered machines. When you have a top-of-the-line 8-core CPU and 4 gigs of RAM on a machine you only use for web browsing, email and the occasional Word document, you're not likely to notice any performance hit from a rootkitted spam engine that spews nastiness all day long. If the software vendors are doing everything they can to make life with malware as comfy as possible, why the heck would the average tech-illiterate punter go out of his way to sanitize his/her machine?

  9. Field Marshal Von Krakenfart


    MickySoft can identify that a PC has been rootkitted but they won't fix it ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

    Question marks instead of exclamation marks as I am no longer surprised at anything Mickysoft does… or doesn’t do.

    1. KarlTh

      Read for comprehension

      last bit of article. MST will remove rootkit; next update check will install the missed update.

      1. Ken Hagan Gold badge

        Yes! Please read for comprehension.

        I was going to upvote this, but since nearly everyone who has commented so far has missed this point I think we need something LOUDER.

        Read the article, peeps. The kernel patch is held back until the rootkit has been removed, by another part of this month's offerings.

        FWIW, I've had similar experiences using apt-get on Linux. Scheduling actions so that they work is not some evil conspiracy to cover incompetence. It is just sensible and you'd be flaming MS if they *didn't* do this.

  10. This post has been deleted by its author

    1. Ammaross Danan


      @R 16,

      "But come on, the first thing I thought of was to cause a big popup window that says your computer might be infected with malware. It is preventing this windows update from completing, here are some suggested actions to take to remove the malware."

      I believe you are missing something in your post. THIS IS WHAT MALWARE DOES TO GET INSTALLED IN THE FIRST PLACE. (the suggested action is "buy this AntiVirus 2010 software")

      Sorry for the flame, but it was warranted.

  11. Robert Carnegie Silver badge

    MS does provide a Malwares Uninstall Combination Kit

    And a Critical Update Notification Tool, but they renamed that one, too. (Actually.)

    So they have a complete cover-your-end service.

  12. Neal 5

    I love all those scenarios

    heh, actually agree with the Linux fanbois here, why the fuck don't you learn to protect yourselves instead of fucking whinging. Try an AV (that's anti-virus, some of us do know what that is, a few of us actually use one) and even try a firewall (ditto) and stop browsing porn you fuckwits.

    heh, lookie here at the MS fanbois, proud to say, I am one. Difference being, I do know what I am doing, unlike some of the alleged computer literate here, who claim to know but don't actually know their arse from their elbow.

    For the reformat scenario, almost, but i think is perhaps a learner, who only knows the power on button.

    And for the Linux fanbois, the windows CMD prompt beats the Linux terminal every day. Hence never a reformat since the early days of my learning on 3.1. You can do it too, if only you weren't such a bunch of fucking cheapskates. And yes, I'm fully conversant with Linux, I have to be, I just hate it.

    1. ElReg!comments!Pierre

      Beer time at last!

      Cheers. You apparently got ahead already but I do plan to catch up.

    2. OldDogNewWalk

      @ Neal 5

      Don't mean to diss you pal but if you are really _fully conversant_ with Linux you are exceptional in the EXTREME, and will soon be getting multitudinous offers of employment. (From me among others)

      But... CMD is better than bash! Let alone ksh!!!

      Ahhh, sorry, I get it. Don't fish myself.

    3. Anonymous Coward

      Re: Neal 5

      "And for the Linux fanbois, the windows CMD prompt beats the Linux terminal every day."

      excellent trolling, *golf clap*

    4. Ammaross Danan


      "the windows CMD prompt beats the Linux terminal every day"

      "every" = "any" perhaps?

      Anyway, I'd like you to do something like this at a windows command prompt:

      ps -ux | grep "firefox"

      kill -9 <insert firefox pid here>

      Why you say? Because Ctrl+Alt+Delete->Task Manager (or right-click taskbar -> Task Manager, etc) -> Applications tab (or Processes if you prefer) -> select Firefox -> End Task -> Are you sure? Yes!!!.... wait 5 seconds, didn't die? select and End Task again. Are you sure?!?!? FAIL

      kill -9 and it dies. Period.

      And yes, I am "conversant" with BOTH, and I actually know which role each should be used for.

      1. mrobaer

        or ...

        You could do this perhaps:

        C:\>tasklist | find "firefox"

        firefox.exe 2960 Console 0 78,188 K

        C:\>taskkill /pid 2960

        SUCCESS: The process with PID 2960 has been terminated.


        And it dies. Period. I do understand it's a lot different than what you may be used to in *nix systems. Maybe you overlooked this due to being "conversant" or something?

      2. Victor Ludorum

        conversant with command prompt

        Have you tried

        taskkill /F /T /IM iexplore.exe

        One line. One command.

        'Nuff said.


      3. Anonymous Coward

        To be fair

        To be fair to the windoze-weanies, it's a bit easier with the Powershell bolt-on but Windows (ANY VERSION) lacks the proper CLI utilities to provide a rich working environment.

        I had the misfortune of having to take some MS Exchange server training courses and they were going on and on about how great this new command line interpreter was - how 80s.

        Anyway, I can get that down to 1 line - "pkill -9 -U me firefox"

        got to remember which users you want to kill as you can run multiple sessions on a single *NIX server out of the box, included in the price and not worrying about licenses - even PHUX!

  13. Martin Usher

    Why not replace the component instead of patching it?

    That probably is too complicated for Miscrosoft's maze-o-code...but it would work...

  14. Neal 5

    @Ammaross Danan

    No, matey, my English is just fine, I DO mean every and not any, in exactly the same way as I would hopefully guess that by now, you would know your OWN mind, instead of trying to second guess mine.

    Obviously then, there is no need for me to explain taskkill to you. I also think that you misunderstand the CMD prompt for what it is, yes you are right, I could use GUI (task manager) to perform the action, actually a beautiful thing for the uninitiated, but, as you point out obviously, knowing every single PID by heart is only a trivial matter, even in Linux, so, WHAT actually is the point you are making?

    For you and me, it is easy to forget that the GUI system is for pricks without the common sense or inclination to actually use a computer properly. This is why Linux take up is low, your average 9-5 er just wants to system on and go, the beauty of Windows and to a part, Apple as well. And to be honest with you, why do I want to spend more time than necessary installing a program or whatever when I can let the computer do it for me. Call me lazy or whatever, it's more important for me to be happy, you too can also be happy in your own fashion, not everyone needs to be a geek to be happy, enjoy it and stop whinging.

  15. Anonymous Coward

    Pesky rootkits..

    Hey, I have an idea.

    Why not distribute a partial rebuild disk that replaces all the damaged files, updates *everything* to SPwhatever, etc *and* permanently kills the rootkit by patching the kernel ?

    Include scanning with MSRT and the latest antivirus at the same time, as well as repairing the system if it does fail to boot afterwards like a rollback feature.

    Said disk self creates using a 4096 bit custom keydriven encryption when downloaded by the host PC, then burns itself directly to CDR using the same secure mechanisms used to generate Windows 7/laptop rebuild disks.


    AC, because i don't want to get "offed" by the Internet Mafia....

  16. kain preacher

    @Why not replace the component instead of patching it?

    "That probably is too complicated for Miscrosoft's maze-o-code...but it would work.."

    Actually it's a simpler reason than that. You have software like anti-virus that modifies the kernel. When Vista was in the beta stages MS made it so that only MS could modify the kernel (or at least make it very hard). Then the anti-virus people pitched a fit. Sure, MS could have told them to get stuffed, but I feel that they would have screamed antitrust issue. Personally I wish MS would break all of those crappy programs, but then I have people bitching about MS screwing people over.
