Cumulative Update KB4494441 Windows 10 v1809 Build 17763.503 - May 14 Win Update

Page 20 of 31 FirstFirst ... 10181920212230 ... LastLast

  1. Posts : 3,453
       #190

    Nice Dimitri, maybe MS have realized the reg stuff (especially regarding protection) is open to abuse and are injecting fixes into the kernel...?
      My Computer


  2. Posts : 2,450
    Windows 10 Pro x64
       #191

    Superfly said:
    Nice Dimitri, maybe MS have realized the reg stuff (especially regarding protection) is open to abuse and are injecting fixes into the kernel...?

    I have no idea Craig. Your guess is as good as mine, but it seems that they definitely changed something and they don't rely on the Registry entries anymore!
      My Computer


  3. Posts : 42
    Windows 10
       #192

    ddelo said:
    An interesting observation:
    Before updating, I deleted the two Retpoline entries:
    • FeatureSettingsOverride and
    • FeatureSettingsOverrideMask
    from the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

    After the installation was completed, the two registry values are still missing, but the SpeculationControl PowerShell script, shows Retpoline enabled!
    Perhaps Microsoft have changed the defaults for these entries, so rather than deleting them you have to set different values to disable Retpoline
      My Computer


  4. Posts : 2,450
    Windows 10 Pro x64
       #193

    babyblue said:
    Perhaps Microsoft have changed the defaults for these entries, so rather than deleting them you have to set different values to disable Retpoline
    I wouldn't say that I disagree, but if you like, take a look in that thread and you'll probably get an idea, better than I do!
      My Computer


  5. Posts : 3,453
       #194

    ddelo said:
    I have no idea Craig. Your guess is as good as mine, but it seems that they definitely changed something and they don't rely on the Registry entries anymore!
    Well let's hope .. with their Linux kernel acquisition it's huge - if they apply the same principles to the Windows kernel (eg. adding drivers i.e. no .inf's amongst others) it will be a much safer environment
      My Computer


  6. Posts : 2,450
    Windows 10 Pro x64
       #195

    Superfly said:
    Well let's hope .. with their Linux kernel acquisition it's huge - if they apply the same principles to the Windows kernel (eg. adding drivers i.e. no .inf's amongst others) it will be a much safer environment
    I agree 100%.
    But I just noticed something else.
    Take a look at the output of the PS script, in this post
    Cumulative Update KB4494441 Windows 10 v1809 Build 17763.503 - May 14

    No Retpoline enabled....now I'm confused.

    Update:
    No I'm not confused. The member who made the post has an i7-8700K CPU. This is not included in the Retpoline capable CPUs, according to Intel. And apparently they haven't included the BTIKernelImportOptimizationEnabled feature in their whatever change. (which is probably done via Registry entries??...not a clue here)

    The one i know of, who can test it, is Dick @f14tomcat, who has a similar CPU. If he runs the SpeculationControl script see the output and then delete the entry and run the script again, we'll see if BTIKernelImportOptimizationEnabled is still enabled via Registry entries.
      My Computer


  7. Posts : 111
    Windows 10 Pro 1903
       #196

    Guitarmageddon said:
    Ok im going through the steps to run the revised power shell, and it detects the version from the last time I ran this script. how do I install the most current version? Im a newb....i thought I could simply add -force to the end of the "install-module speculationcontrol" command and it would work. Any help?

    Attachment 233850


    just following the steps here
    How to test MDS (Zombieload) patch status on Windows systems | ZDNet

    - - - Updated - - -

    Ok update, got the "-force" to work, but it tells me that the mitigation isnt present....i installed the update?? thoughts?
    Attachment 233851

    - - - Updated - - -

    OK, third update. went to windows update, and installed it again. Now its in there twice, brought my build up to 17763.503 (it was not before the first update go round). But when I run that script, still "false" in MSDSWindowsSupportPresent.....

    - - - Updated - - -

    I guess it may just come down to waiting on the MC update I assume? Im just impatient
    Run CMD as admin and execute these commands, then return with the results

    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    
    If the Hyper-V feature is installed, add the following registry setting:
    
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
    Source: https://support.microsoft.com/en-us/...erabilities-in

    I am having all enabled, just waiting the microcode update for the MDS as reported in this post Cumulative Update KB4494441 Windows 10 v1809 Build 17763.503 - May 14


    Code:
    PS C:\Windows\system32> Get-SpeculationControlSettings
    For more information about the output below, please refer to https://support.microsoft.com/help/4074629
    
    Speculation control settings for CVE-2017-5715 [branch target injection]
    
    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: True
    
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: True [not required for security]
    
    Speculation control settings for CVE-2018-3639 [speculative store bypass]
    
    Hardware is vulnerable to speculative store bypass: True
    Hardware support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is enabled system-wide: True
    
    Speculation control settings for CVE-2018-3620 [L1 terminal fault]
    
    Hardware is vulnerable to L1 terminal fault: True
    Windows OS support for L1 terminal fault mitigation is present: True
    Windows OS support for L1 terminal fault mitigation is enabled: True
    
    Speculation control settings for MDS [microarchitectural data sampling]
    
    Windows OS support for MDS mitigation is present: True
    Hardware is vulnerable to MDS: True
    Windows OS support for MDS mitigation is enabled: False
    
    Suggested actions
    
     * Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119
    
    
    BTIHardwarePresent                  : True
    BTIWindowsSupportPresent            : True
    BTIWindowsSupportEnabled            : True
    BTIDisabledBySystemPolicy           : False
    BTIDisabledByNoHardwareSupport      : False
    BTIKernelRetpolineEnabled           : False
    BTIKernelImportOptimizationEnabled  : True
    KVAShadowRequired                   : True
    KVAShadowWindowsSupportPresent      : True
    KVAShadowWindowsSupportEnabled      : True
    KVAShadowPcidEnabled                : True
    SSBDWindowsSupportPresent           : True
    SSBDHardwareVulnerable              : True
    SSBDHardwarePresent                 : True
    SSBDWindowsSupportEnabledSystemWide : True
    L1TFHardwareVulnerable              : True
    L1TFWindowsSupportPresent           : True
    L1TFWindowsSupportEnabled           : True
    L1TFInvalidPteBit                   : 45
    L1DFlushSupported                   : True
    MDSWindowsSupportPresent            : True
    MDSHardwareVulnerable               : True
    MDSWindowsSupportEnabled            : False
      My Computer


  8. Posts : 208
    Win 10
       #197

    ddelo said:
    I have no idea Craig. Your guess is as good as mine, but it seems that they definitely changed something and they don't rely on the Registry entries anymore!
    I think they just default to 0/3 for w/o any reg key overrides. I set mine to 3/3 and it does disable, so reg values do work.
    I haven't tried other values but I bet it works as MS updated that doc on reg key values right after update.

    https://support.microsoft.com/en-us/...erabilities-in
      My Computer


  9. Posts : 2,450
    Windows 10 Pro x64
       #198

    JenyJ said:
    Run CMD as admin and execute these commands, then return with the results

    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    
    If the Hyper-V feature is installed, add the following registry setting:
    
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
    Source: https://support.microsoft.com/en-us/...erabilities-in

    I am having all enabled, just waiting the microcode update for the MDS as reported in this post Cumulative Update KB4494441 Windows 10 v1809 Build 17763.503 - May 14


    Code:
    PS C:\Windows\system32> Get-SpeculationControlSettings
    For more information about the output below, please refer to https://support.microsoft.com/help/4074629
    
    Speculation control settings for CVE-2017-5715 [branch target injection]
    
    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: True
    
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: True [not required for security]
    
    Speculation control settings for CVE-2018-3639 [speculative store bypass]
    
    Hardware is vulnerable to speculative store bypass: True
    Hardware support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is enabled system-wide: True
    
    Speculation control settings for CVE-2018-3620 [L1 terminal fault]
    
    Hardware is vulnerable to L1 terminal fault: True
    Windows OS support for L1 terminal fault mitigation is present: True
    Windows OS support for L1 terminal fault mitigation is enabled: True
    
    Speculation control settings for MDS [microarchitectural data sampling]
    
    Windows OS support for MDS mitigation is present: True
    Hardware is vulnerable to MDS: True
    Windows OS support for MDS mitigation is enabled: False
    
    Suggested actions
    
     * Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119
    
    
    BTIHardwarePresent                  : True
    BTIWindowsSupportPresent            : True
    BTIWindowsSupportEnabled            : True
    BTIDisabledBySystemPolicy           : False
    BTIDisabledByNoHardwareSupport      : False
    BTIKernelRetpolineEnabled           : False
    BTIKernelImportOptimizationEnabled  : True
    KVAShadowRequired                   : True
    KVAShadowWindowsSupportPresent      : True
    KVAShadowWindowsSupportEnabled      : True
    KVAShadowPcidEnabled                : True
    SSBDWindowsSupportPresent           : True
    SSBDHardwareVulnerable              : True
    SSBDHardwarePresent                 : True
    SSBDWindowsSupportEnabledSystemWide : True
    L1TFHardwareVulnerable              : True
    L1TFWindowsSupportPresent           : True
    L1TFWindowsSupportEnabled           : True
    L1TFInvalidPteBit                   : 45
    L1DFlushSupported                   : True
    MDSWindowsSupportPresent            : True
    MDSHardwareVulnerable               : True
    MDSWindowsSupportEnabled            : False
    You need these registry changes, if the BIOS/UEFI does not support the Spectre mitigations. If it does you don't need them.
    Once the Microsoft update becomes available you apply it to mitigate MDS. The same applies if the board vendor provides an update to the BIOS/UEFI.
      My Computer


  10. Posts : 68,668
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #199
      My Computers


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 04:53.
Find Us




Windows 10 Forums