
CNers have asked about a donation box for Cloudy Nights over the years, so here you go. Donation is not required by any means, so please enjoy your stay.


Explaining why Win 10 security update KB4056892 breaks ASCOM drivers

53 replies to this topic

#1 MCovington

MCovington

    Soyuz

  • *****
  • topic starter
  • Posts: 3691
  • Joined: 13 May 2014
  • Loc: Michael Covington - Athens, Georgia

Posted 08 January 2018 - 10:31 PM

I have not been able to test any of this myself, but many people are reporting that some of their ASCOM drivers don't work properly after the latest Microsoft security patch (to protect from the speculative execution bug).   [UPDATE: Others are reporting no problems. It is possible the bug only affects some versions or has been quietly fixed in a later update.]

 

These instructions for fixing ASCOM, rather tediously, are circulating and are reportedly reliable:
https://www.theastro...to-crash/1/2018

 

The idea is to use DCOMCNFG.EXE to hunt through the drivers and change their authentication level from "None" to "Call".
ASCOM drivers aren't really DCOM, but they use the same authentication system.

 

But what really went wrong?

I think I know.  Microsoft admits a bug with DCOM authentication in KB4058702.  Search for "_CALL" on this web page:
https://support.micr...pdate-kb4056892

 

The problem they report is that CoInitializeSecurity (the system call to start up a driver like ASCOM's) doesn't work right when passed "None" as an authentication level, and you have to change it to "Call".

 

Microsoft admits this is a bug and promises to fix it.

 

It is not a bug in ASCOM, although ASCOM could probably work around it by installing the components with authentication level "Call".

 

In the meantime, I am uninstalling KB4056892 from my autoguiding computer.  That's easy to do from Control Panel, Programs and Features (under View Installed Updates), and you don't need to boot into Safe Mode.

 

After uninstalling KB4056892, you can hide it so it won't come back the next time your computer wants to download updates.

(And later unhide it, if you feel it necessary.)  Use the troubleshooter here: https://support.micr...alling-in-windo  and don't worry that it runs a long time scanning all your installed updates before it does anything else.

 

Is it dangerous to do without the update?  In my opinion, no.  I've consulted several CPU experts, and they say that if you're not running a server, there's not much danger.  The bug does provide a new way to write viruses, but there were lots of ways to write viruses already, and under most circumstances this new method has no appeal.   (I have also heard dissenting voices, so you'll have to make your own decision. I recommend the rollback primarily for computers that are not used extensively for web surfing or other software.)

In any case, Microsoft promises us a better fix soon.


Edited by MCovington, 09 January 2018 - 10:18 AM.

  • George N, dswtan, PI_CO100 and 7 others like this

#2 CharlesW

CharlesW

    Mercury-Atlas

  • *****
  • Posts: 2649
  • Joined: 01 Nov 2012
  • Loc: Chula Vista & Indio, CA

Posted 08 January 2018 - 11:32 PM

Thanks very much for this. I’m driving out to the obs this weekend and I’ve got your fix bookmarked. 



#3 MCovington

MCovington

    Soyuz

  • *****
  • topic starter
  • Posts: 3691
  • Joined: 13 May 2014
  • Loc: Michael Covington - Athens, Georgia

Posted 08 January 2018 - 11:38 PM

OK, bear in mind that I haven't tested this myself!  I'm just putting together information from different sources.



#4 44ye

44ye

    Mariner 2

  • -----
  • Posts: 211
  • Joined: 15 Aug 2015
  • Loc: MACKINAW TOWNSHIP CHEBOYGAN CO MI

Posted 09 January 2018 - 12:53 AM

"Microsoft promises us a better fix soon"


Edited by 44ye, 09 January 2018 - 12:54 AM.

  • Fernando134 likes this

#5 DS INC

DS INC

    Vostok 1

  • -----
  • Posts: 121
  • Joined: 17 Jun 2013

Posted 09 January 2018 - 01:08 AM

OK, bear in mind that I haven't tested this myself!  I'm just putting together information from different sources.

It works for the most part, looks like Jerry just copied Bob's stuff and threw a page together, eh it works.

 

One thing, the fix may not work if TSX is involved. See the bottom on the original fix here...

 

http://forums.dc3.co...67734#post67734



#6 psandelle

psandelle

    Surveyor 1

  • -----
  • Posts: 1815
  • Joined: 18 Jun 2008
  • Loc: Los Angeles

Posted 09 January 2018 - 11:29 AM

Could one do a system-wide change using DCOMCNFG? Just let 'em all rip?

 

Paul



#7 MCovington

MCovington

    Soyuz

  • *****
  • topic starter
  • Posts: 3691
  • Joined: 13 May 2014
  • Loc: Michael Covington - Athens, Georgia

Posted 09 January 2018 - 11:53 AM

I don't know, but one thing to try would be changing the default (which is in the Properties window of My Computer in DCOMCNFG).  I don't know if that would work.

 

It is also possible to write software that will hunt down all the drivers and change their settings.

 

Or Microsoft might fix the bug...


  • psandelle likes this

#8 ram812

ram812

    Viking 1

  • -----
  • Posts: 663
  • Joined: 10 Dec 2014
  • Loc: Grants Pass, Oregon

Posted 09 January 2018 - 12:03 PM

So if Microsoft is aware, ASCOM is aware, will somebody besides us end users please come up with a fix! I have a new 2TB laptop I was going to dedicate to PHD2/SSAG/ASCOM and am not very computer savvy to begin with. Guess I'll bookmark all this and get the wife to fix it for me. I do it and guarantee it won't work. Ralph


  • psandelle likes this

#9 psandelle

psandelle

    Surveyor 1

  • -----
  • Posts: 1815
  • Joined: 18 Jun 2008
  • Loc: Los Angeles

Posted 09 January 2018 - 12:17 PM

I don't know, but one thing to try would be changing the default (which is in the Properties window of My Computer in DCOMCNFG).  I don't know if that would work.

 

It is also possible to write software that will hunt down all the drivers and change their settings.

 

Or Microsoft might fix the bug...

Yeah, that was my thought, a system-wide changing of the "none" to "call," but wasn't sure if that would freak everything else out. The one good thing is my astro-laptop is just astro, so maybe if I change everything, it won't hurt too much. Maybe. We'll see if MS comes up with anything (since it's their problem). MS fix something...hahahahahaha!

 

Paul



#10 Peter in Reno

Peter in Reno

    Cosmos

  • *****
  • Posts: 9547
  • Joined: 15 Jul 2008
  • Loc: Reno, NV

Posted 09 January 2018 - 12:22 PM

 

I don't know, but one thing to try would be changing the default (which is in the Properties window of My Computer in DCOMCNFG).  I don't know if that would work.

 

It is also possible to write software that will hunt down all the drivers and change their settings.

 

Or Microsoft might fix the bug...

Yeah, that was my thought, a system-wide changing of the "none" to "call," but wasn't sure if that would freak everything else out. The one good thing is my astro-laptop is just astro, so maybe if I change everything, it won't hurt too much. Maybe. We'll see if MS comes up with anything (since it's their problem). MS fix something...hahahahahaha!

 

Paul

 

I don't think it's a good idea to use system-wide because it may negatively affect everything else like non-astro stuff.

 

Bob Denny's workaround instruction is very clear and easy to do and there's no harm.

 

Peter


  • psandelle, MCovington and ram812 like this

#11 ahelms

ahelms

    Lift Off

  • -----
  • Posts: 5
  • Joined: 22 Mar 2015

Posted 09 January 2018 - 12:25 PM

You should know that Meltdown and Spectre ARE in fact a danger for everyone. There are proofs of concept available that show stealing passwords in real time, leaking memory, and other major security issues. This is one of many examples: https://twitter.com/...706387491786752

 

What will not affect the end user is the performance hit associated with the software patch. That only really is a problem with huge numbers of syscalls, something servers do all the time. End users will not notice this performance hit but they ARE still vulnerable to all the security implications if the system is not patched.

 

I have seen others recommend to disable updates entirely which is foolish and frankly a dangerous suggestion. 

 

If the patch is breaking your ASCOM, uninstalling the update temporarily until a newer patch is available is reasonable, but make sure you install the newer patch when available.


  • dswtan, Phil Cowell, hnau and 3 others like this

#12 MCovington

MCovington

    Soyuz

  • *****
  • topic starter
  • Posts: 3691
  • Joined: 13 May 2014
  • Loc: Michael Covington - Athens, Georgia

Posted 09 January 2018 - 12:30 PM

I agree that we should install the newer patch when available.  Lowering security is a temporary measure.

 

Also, on my astronomy computer I don't do online banking or web surfing.  Very little can be stolen from it!  This is one of many reasons to have a separate, inexpensive laptop for telescope control.


Edited by MCovington, 09 January 2018 - 12:30 PM.

  • mikefulb and ram812 like this

#13 psandelle

psandelle

    Surveyor 1

  • -----
  • Posts: 1815
  • Joined: 18 Jun 2008
  • Loc: Los Angeles

Posted 09 January 2018 - 01:18 PM

Peter - cool. Was just checking. There's something satisfying about going nuclear and changing everything...and letting the chips fall where they may. But...I will proceed with surgical strikes now.

 

Thanks,

 

Paul


  • ram812 likes this

#14 Peter in Reno

Peter in Reno

    Cosmos

  • *****
  • Posts: 9547
  • Joined: 15 Jul 2008
  • Loc: Reno, NV

Posted 09 January 2018 - 01:36 PM

Peter - cool. Was just checking. There's something satisfying about going nuclear and changing everything...and letting the chips fall where they may. But...I will proceed with surgical strikes now.

 

Thanks,

 

Paul

First test if you have problems with any astro devices before making surgical strikes.

 

Peter


  • ram812 likes this

#15 psandelle

psandelle

    Surveyor 1

  • -----
  • Posts: 1815
  • Joined: 18 Jun 2008
  • Loc: Los Angeles

Posted 09 January 2018 - 01:39 PM

 

Peter - cool. Was just checking. There's something satisfying about going nuclear and changing everything...and letting the chips fall where they may. But...I will proceed with surgical strikes now.

 

Thanks,

 

Paul

First test if you have problems with any astro devices before making surgical strikes.

 

Peter

 

Of course, but I wanted to have a course of action if I found anything (rather than sitting there with a stunned look on my face and confusion in my heart). It's a pain to set everything up indoors to check, so I'm making sure to be ready when I do.

 

Paul


  • ram812 likes this

#16 Arie

Arie

    Explorer 1

  • -----
  • Posts: 85
  • Joined: 01 Sep 2015
  • Loc: Netherlands

Posted 09 January 2018 - 03:22 PM

I am about to replace my old 2009 Mac mini, in my new dome running W7 32bit in Bootcamp, with a Win10 mini PC.

Should I wait, or get a NUC and install Win7 on it?



#17 hnau

hnau

    Vostok 1

  • *****
  • Posts: 102
  • Joined: 12 Sep 2007

Posted 09 January 2018 - 03:47 PM

Could one do a system-wide change using DCOMCNFG? Just let 'em all rip?

 

Paul

 

I did this in about 5 minutes using PowerShell, mostly because I'm too lazy to futz around in the gross dcomcnfg UI.  Feel free to use/modify to your needs.  Save the below as a PowerShell script (.ps1 extension) and run as admin.  Use at your own risk, no guarantees, etc...  Change the 3 to a 1 and re-run to undo the changes.

# get ascom dcom things
$wmi = Get-WmiObject -Class Win32_DCOMApplicationSetting |
    Where-Object {$_.Description -match "ASCOM"}
    
# change auth level, 1 = none, 3 = call
foreach ($ascom in $wmi) {
    $ascom.AuthenticationLevel = 3
}

# save changes
$wmi.put()

  • guyroch, PatNois and ahelms like this
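
An added example, not part of hnau's post or any poster's code: the same WMI class and property as the script above, but with a read-only audit mode, a change limited to entries currently at "None", and a backup so that undoing restores only what was changed (re-running the script above with 1 would set every ASCOM entry to None, whatever it was before). The `-Mode` switch and the backup file name are hypothetical choices for this example, and it assumes, as the script above does, that ASCOM entries can be found by their Description.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
param(
    [ValidateSet('Audit', 'Apply', 'Restore')]
    [string]$Mode = 'Audit',
    # Hypothetical backup file name; any writable path will do.
    [string]$BackupPath = "$env:USERPROFILE\ascom-dcom-authlevel.csv"
)

# DCOM authentication levels as stored in AuthenticationLevel
$LevelName = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'
                5 = 'PacketIntegrity'; 6 = 'PacketPrivacy' }

function Get-AscomDcomSetting {
    # Assumption carried over from the script above: ASCOM entries are
    # recognisable by the word "ASCOM" in their Description.
    Get-WmiObject -Class Win32_DCOMApplicationSetting |
        Where-Object { $_.Description -match 'ASCOM' }
}

switch ($Mode) {
    'Audit' {   # read-only: show what is configured now
        Get-AscomDcomSetting | ForEach-Object {
            $lvl = $_.AuthenticationLevel
            [pscustomobject]@{
                AppID       = $_.AppID
                Description = $_.Description
                Level       = $lvl
                LevelName   = if ($null -eq $lvl) { '(not set)' } else { $LevelName[[int]$lvl] }
            }
        }
    }
    'Apply' {   # touch only entries that are currently at None (1)
        $targets = @(Get-AscomDcomSetting | Where-Object { $_.AuthenticationLevel -eq 1 })
        if ($targets.Count -eq 0) { Write-Output 'No ASCOM entries at None.'; break }
        # Record what is about to change, before changing it
        $targets | Select-Object AppID, Description, AuthenticationLevel |
            Export-Csv -Path $BackupPath -NoTypeInformation -Append
        foreach ($app in $targets) {
            $app.AuthenticationLevel = 3          # Call
            [void]$app.Put()                      # save this entry
            Write-Output "None -> Call: $($app.Description)"
        }
    }
    'Restore' { # put back exactly the entries recorded by Apply
        foreach ($row in Import-Csv -Path $BackupPath) {
            Get-AscomDcomSetting | Where-Object { $_.AppID -eq $row.AppID } |
                ForEach-Object {
                    $_.AuthenticationLevel = [uint32]$row.AuthenticationLevel
                    [void]$_.Put()
                    Write-Output "Restored level $($row.AuthenticationLevel): $($_.Description)"
                }
        }
    }
}
```

Running it with no arguments only lists the entries; `-Mode Apply` and `-Mode Restore` are the two steps that write.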

#18 View2

View2

    Apollo

  • -----
  • Posts: 1377
  • Joined: 20 May 2016
  • Loc: Vancouver, WA USA

Posted 09 January 2018 - 03:47 PM

Omg. I think I'll just throw in the towel.

#19 epdreher

epdreher

    Viking 1

  • *****
  • Posts: 520
  • Joined: 12 Jun 2011
  • Loc: Texas Hill Country

Posted 09 January 2018 - 03:54 PM

I switched to Macs in 2006 and have never regretted it.

The Win laptop is never used for anything but astronomy for reasons like this. Ugh.

#20 44ye

44ye

    Mariner 2

  • -----
  • Posts: 211
  • Joined: 15 Aug 2015
  • Loc: MACKINAW TOWNSHIP CHEBOYGAN CO MI

Posted 09 January 2018 - 04:33 PM

epdreher  Eric

 

This is not just an MS problem, it is a processor chip security problem across all mfg. See C.N. link

 

https://www.cloudyni...5-to-30-slower/

 

If you have an astronomy computer that never goes online, you're golden. The way to do this is to download updates and new programs to thumb drives or external drives from your online computer and then install from that drive.

ARIE

As the above link says, chip security, and I quote Ishtim:

Posted 04 January 2018 - 07:43 AM

""I started looking into this as well and found that MANY chips may be vulnerable, NOT just Intel... and the "slow down" claims pointed out by the OP is "exaggerated" according to Intel.

"Some researchers have claimed that any fixes could slow down computer systems, possibly by 30%, but Intel believes these claims are exaggerated."

"Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect."

https://newsroom.int...earch-findings/

 

There are two separate security flaws, known as Meltdown and Spectre.
◾Meltdown affects laptops, desktop computers and internet servers with Intel chips.
◾Spectre potentially has a wider reach. It affects chips in smartphones, tablets and computers powered by Intel, ARM and AMD.

http://www.bbc.com/n...nology-42562303

 

I guess the PixInsight Batch Preprocessor COULD now take 5.2hrs instead of 4 if you patch your OS.""

 

READ THE BBC AND NEWSROOM LINKS

Don

p.s. If your computer did a major upgrade in Dec and your internet seems to be slower, it is IMO because of some of the patches.


Edited by 44ye, 09 January 2018 - 04:45 PM.

  • Steve Cox likes this

#21 toddistic

toddistic

    Sputnik

  • -----
  • Posts: 34
  • Joined: 28 Jul 2016
  • Loc: Portland, OR

Posted 09 January 2018 - 07:50 PM

 

Could one do a system-wide change using DCOMCNFG? Just let 'em all rip?

 

Paul

 

I did this in about 5 minutes using PowerShell, mostly because I'm too lazy to futz around in the gross dcomcnfg UI.  Feel free to use/modify to your needs.  Save the below as a PowerShell script (.ps1 extension) and run as admin.  Use at your own risk, no guarantees, etc...  Change the 3 to a 1 and re-run to undo the changes.

# get ascom dcom things
$wmi = Get-WmiObject -Class Win32_DCOMApplicationSetting |
    Where-Object {$_.Description -match "ASCOM"}
    
# change auth level, 1 = none, 3 = call
foreach ($ascom in $wmi) {
    $ascom.AuthenticationLevel = 3
}

# save changes
$wmi.put()

Doing the Lord's work here, you the real MVP!


  • hnau and MCovington like this

#22 MCovington

MCovington

    Soyuz

  • *****
  • topic starter
  • Posts: 3691
  • Joined: 13 May 2014
  • Loc: Michael Covington - Athens, Georgia

Posted 09 January 2018 - 07:50 PM

All you have to do is roll back KB4056892 and wait for a more correct version of it.

 

The media created a panic, and Microsoft had to roll out a patch too quickly.


  • Tonk, epdreher and ram812 like this

#23 epdreher

epdreher

    Viking 1

  • *****
  • Posts: 520
  • Joined: 12 Jun 2011
  • Loc: Texas Hill Country

Posted 09 January 2018 - 08:02 PM

44ye:

 

I didn't mean to say that it doesn't affect the use of Intel processors elsewhere, just that MS always seems to break things in a rush.


Edited by epdreher, 09 January 2018 - 08:03 PM.


#24 rockstarbill

rockstarbill

    Gemini

  • *****
  • Posts: 3101
  • Joined: 16 Jul 2013
  • Loc: Snohomish, WA

Posted 09 January 2018 - 08:28 PM

All you have to do is roll back KB4056892 and wait for a more correct version of it.

 

The media created a panic, and Microsoft had to roll out a patch too quickly.

I would agree that removing the patch is the best way forward.

 

44ye:

 

I didn't mean to say that it doesn't affect the use of Intel processors elsewhere, just that MS always seems to break things in a rush.

Always?


Edited by rockstarbill, 09 January 2018 - 08:31 PM.


#25 44ye

44ye

    Mariner 2

  • -----
  • Posts: 211
  • Joined: 15 Aug 2015
  • Loc: MACKINAW TOWNSHIP CHEBOYGAN CO MI

Posted 09 January 2018 - 08:40 PM

I understand completely (grin) post #4 (grin). Just for general info for the Mac users. Hopefully no foul.

I am old enough to be dangerous with a computer in my hands. Most of the above is Greek to me, but I do understand how to uninstall updates. Thanks, guys/gals.

 

Don 


Edited by 44ye, 09 January 2018 - 08:41 PM.










Cloudy Nights LLC