KB4100347 Intel microcode updates for Windows 10 v1803 - January 8 Win Update

If my OEM ends up doing a BIOS update for the issue will I need to find and uninstall this update? Or deactivate with InSpectre?

Neither, unless you see a performance hit.

Eagle51 said:

Neither, unless you see a performance hit.

Wouldn't I be in a sense patching it twice if I did that? I thought it was preferred to have the microcode at the BIOS level.

Also, what is a good benchmarking utility to test the cpu performance with protection enabled/disabled?

Wouldn't I be in a sense patching it twice if I did that? I thought it was preferred to have the microcode at the BIOS level.

Yes, it is preferred to have the micro code run from BIOS and I'm not sure the KB patch even runs if you have an updated BIOS, probably does ... but don't quote me on that. There's a good chance that if you uninstall the KB patch, WU will just reinstall it, as what happened with my Desktop PC. You could always uninstall it and use Windows Update Mini Tool to hide it. Basically, if you not getting a performance hit, then having both shouldn't hurt anything.

Also, what is a good benchmarking utility to test the cpu performance with protection enabled/disabled?

Sorry, can't help you there, never benched marked my system.

Thanks for the information. I possibly could also disable the protections with InSpectre but don't know if that would disable them at the BIOS level.

Is everyone getting some form of performance hit or are some processor families affected more than others?

andyouf said:

Thanks for the information. I possibly could also disable the protections with InSpectre but don't know if that would disable them at the BIOS level.

Is everyone getting some form of performance hit or are some processor families affected more than others?

The patch itself should compare the BIOS uCode level to the one in the patch and apply it only if it is newer.

If it is the same or older it will be disregarded, you can safely uninstall the patch. But with KB4090007 and KB4100347 the patch has been revised, so any revision may trigger a new download, whether you uninstalled it or not.

Leaving it installed then SHOULD have no detrimental effect. But the patches were initially standalone and now they are automatic. Microsoft's advisory initially stated that machines with KB4090007 (v1709) would download and apply KB41000347 when upgrading to v1803. Initial upgrades to v1803 could be installed before KB4100347 was available as my own upgrade did. I installed KB4100347 manually, so my experience may be different to that of others.

The new update KB4346084 seems to be standalone at the moment, but it overlaps with KB4100347 in the CPUs it serves.

This brings me nicely to the next part of your question. Yes, the performance penalties are supposed to effect older CPUs harder than newer ones.

6th Gen Core i Processors and newer (Skylake, Kaby Lake/R, Coffee Lake/R) are supposed to have the best performance, they seem to receive patches sooner / first.

4th and 5th Gen (Haswell/R and Broadwell) are the next best in terms of instruction sets that can deal with the mitigations efficiently, but less so than the newer processors, so their performance is next least affected.

2nd and 3rd Gen (Sandy Bridge and Ivy Bridge) are the least efficient so their performance is affected to a greater extent.

Below this is where it gets sticky.

First gen Core i (Nehalem) were included on the list of processors that received Spectre variant 2 patching uCode from Intel, but these updates have not made it into the Microsoft patches. Some notable exceptions (Gulftown, Bloomfield and Lynnfield) were stopped in Beta. These were the performance end (hence server Xeon variants) of Nehalem. The mitigations were either not possible or hit performance so severely that the uCode never made production.

Anything Intel that is older than this microarchitecture was also stopped or never included in the initial Spectre update scope as it was likely to be aged 10 years or more. For the consumer, this is Core processors or older.

Finally, with regard to your last question, BIOS level uCode cannot be disabled. The Windows registry can disable the OS from using the newer uCode routines and then program code or drivers would be processed as if they were not there.

If you imagine the uCode as being an 'interpreter' (I mean this in the sense of a translator speaking language between two people) for your CPU, then the uCode rephrases the question to the CPU so it uses slightly different responses than it's 'normal' ones to achieve the end result. Without it the CPU makes a 'natural' response.

This is the theory. Other users may claim that things are not happening that way in their experience.

My opinion is the patches from Microsoft are not in step with the Intel updates, this is a problem. Without them, some of the newer OS mechanisms are not activated and Spectre patching is not possible. Not all Spectre variants require uCode, but for those that do, mitigations are not active. If they were in step, then the mitigations can be disabled. But it does seem they are perhaps not controllable with any degree of granularity, except by hiding the OS updates or installing the older versions of the KBs.

Regards any lack of performance, you should make objective decisions based on what is relevant to you. You will probably not notice any slowdown in general tasks, e.g. browsing.

You are likely to see the effects in CPU intensive or disk intensive activities. But if it is the difference between a video render taking 28 minutes instead of 24 minutes for example, you can see how it becomes a personal choice; 28 hours instead of 24 hours might have a different bearing. It may not even be directly linear like that.

So unless you find a tangible or important reason NOT to have the patches then I advise you apply them, but because the Spectre risk is currently defined as being 'hard to exploit' you may make the trade-off. Again, it depends on entirely your personal view as to how great a risk it may or may not be.

Hello guys! I had this update installed yesterdey on my AMD FX-6300 machine!Although I don't have any issue as far as I know,I'm kinda freaked out about an Intel update installing on my PC.Should I worry about it?

Okay magnificent post. Thank you that was extremely informative; you cleared up many gray areas. I need to do further research on the whole issue and how the exploit works; start with that meltdownattack site. I knew of it but had not taken the time to educate myself about it.

On triggering a new download. I wonder if, rather than uninstalling, disabling both protections (which would make the registry changes you mentioned where the OS disables the new uC routines) with InSpectre would avoid the trigger at the OS level? I'd assume it wouldn't because the OS would see that registry change. Not really a concern after reading your first sentence. Plus my laptop is from 2014 I doubt I am getting a BIOS update. I thought I read that even users with updated BIOS are having the uC pushed on them.

Strange that the update applications overlap. When you say installing older versions of KBs do you mean rolling back out of 1803? What sort of OS mechanisms make Spectre patching possible?

Isn't the underlying cause of this a vulnerability in speculative execution? Is the processor still able to use this feature or does the microcode enable the CPU to continue using it by "rephrasing" questions to the CPU as your analogy said?

If you imagine the uCode as being an 'interpreter' (I mean this in the sense of a translator speaking language between two people) for your CPU, then the uCode rephrases the question to the CPU so it uses slightly different responses than it's 'normal' ones to achieve the end result. Without it the CPU makes a 'natural' response.

This is the theory. Other users may claim that things are not happening that way in their experience.

You are saying other users believe that uC is doing something different than how you explained it?

Oh, if the problem is patched at the BIOS level does that take away the performance penalties from KB4100347? Did Intel develop the uC update and MS is just distributing it? I don't understand them not being in step with each other. Who is doing the BIOS updates?

Yes, there is no important reason for me not to have them enabled. I occasionally play a game. I may compare performance of a CPU intensive one with the protections on and off but either way I would keep them on. General tasks I thought I detected programs launching a bit slower but I think that is purely psychological.

Well, off to the rabbit hole of research on this. Maybe find some answers to my 140 questions there.

andyouf said:

On triggering a new download. I wonder if, rather than uninstalling, disabling both protections (which would make the registry changes you mentioned where the OS disables the new uC routines) with InSpectre would avoid the trigger at the OS level? I'd assume it wouldn't because the OS would see that registry change. Not really a concern after reading your first sentence. Plus my laptop is from 2014 I doubt I am getting a BIOS update. I thought I read that even users with updated BIOS are having the uC pushed on them.

Strange that the update applications overlap. When you say installing older versions of KBs do you mean rolling back out of 1803? What sort of OS mechanisms make Spectre patching possible?

Isn't the underlying cause of this a vulnerability in speculative execution? Is the processor still able to use this feature or does the microcode enable the CPU to continue using it by "rephrasing" questions to the CPU as your analogy said?

You are saying other users believe that uC is doing something different than how you explained it?

Oh, if the problem is patched at the BIOS level does that take away the performance penalties from KB4100347? Did Intel develop the uC update and MS is just distributing it? I don't understand them not being in step with each other. Who is doing the BIOS updates?

Yes, there is no important reason for me not to have them enabled. I occasionally play a game. I may compare performance of a CPU intensive one with the protections on and off but either way I would keep them on. General tasks I thought I detected programs launching a bit slower but I think that is purely psychological.

Well, off to the rabbit hole of research on this. Maybe find some answers to my 140 questions there.

Yes, users without UEFI/BIOS updates from manufacturers will get uCode via the MS updates. The OS hooks will only work if the uCode exists. If the OS hooks aren't enabled, the uCode is redundant.

No, I mean different versions of each OS update patch. KB4100347 is at revision 3.00. I don't know, you're asking me to comment about closed-source code and I am not a programmer (IANAP).

Yes. The uCode uses different instructions so that processes are isolated and fenced more effectively and / or the CPU cache is flushed as a backstop (I think).

People's anecdotal experience is that x microcode update (via UEFI/BIOS or update) caused y symptom.

The patch update or the UEFI/BIOS uCode IS the source of the performance penalty. It asks the CPU to process instructions differently (on the grounds of vulnerability by not doing so). Doesn't matter how you get it. Yes, Intel make the uCode and Microsoft distribute it. Linux makes it look extremely simple. Intel: "Here are the updated files". Linux user just drops them into /lib/firmware/intel-ucode (or not) and runs a couple of commands then restarts.

Your position seems entirely reasonable.

If you find something out after having your 140 questions answered, be sure to let me know In all seriousness, I only know what I know about it by being concerned enough about it to try to understand it.

So OS hooks disabled (I'm assuming that means the protections buttons are disabled)=OS thinks that Spectre update has not been performed even if it has at BIOS level. This is why people with BIOS updates are still getting the KB uC update which will then detect that it has already been patched to an equivalent or newer version at BIOS level.

Didn't know they revised updates. Also didn't know that the BIOS update did the same thing with regard to the performance penalty. Why is it better for the update to be at that level?

I wonder what would happen if speculative execution was disabled. Would that seal the vulnerability. Obviously that is a ridiculous proposal I'm sure it is some innate part of the processor. Seems like a really cool feature when not being vulnerable.

I remember this coming out, of course major news, don't know why I'm just catching up now just slipped my mind until the update. I hope to find and deliver news of a patch that enhances performance or of the "Intel Free CPU Replacement Program (over four generations of processors). Actually more you said the 10+ year old ones went unpatched. The main thing, I was about to ask you but instead will find in that research (and you sort of answered it with the chronology of generations affected) is how far back this goes. Did it start when speculative execution was introduced. I had thought it started with core but then remember seeing atom or something affected. I still need to figure out how to patch a relative's chromebook with a Celeron dual core 3205U.

I have only one question ; should I install KB4346084 on CPU 306C3 yes/no/ not needed .....???
Im not getting it with WUS ............