A number of Win10 updates are deleted right after download


Postby zespri » 23.04.2017, 21:29

I'm getting this:
22-Apr-17 17:35:26.06 - Warning: Deleted unsigned file "H:\Windows\WindowsUpdate\wsusoffline-10\client\w100-x64\glb\windows10.0-kb3172729-v2-x64_ccc19baa66b28b18518e015e10674bd992e258b8.cab"
22-Apr-17 17:35:26.06 - Warning: Deleted unsigned file "H:\Windows\WindowsUpdate\wsusoffline-10\client\w100-x64\glb\windows10.0-kb3173423-x64_90670bfe5ce19d79087c6464b7f65c08717e99be.cab"
22-Apr-17 17:35:26.06 - Warning: Deleted unsigned file "H:\Windows\WindowsUpdate\wsusoffline-10\client\w100-x64\glb\windows10.0-kb3198389-x64_f4e40f87224dcac322a6af001bb225897927aff3.cab"
22-Apr-17 17:35:26.06 - Warning: Deleted unsigned file "H:\Windows\WindowsUpdate\wsusoffline-10\client\w100-x64\glb\windows10.0-kb3207296-x64_e896d075d0599902f3a00a4df1f95094f00c5dba.cab"
22-Apr-17 17:35:26.06 - Warning: Deleted unsigned file "H:\Windows\WindowsUpdate\wsusoffline-10\client\w100-x64\glb\windows10.0-kb3209498-x64_3a21fb3d9caed0c5a9d525ad5ccdee16743dccdb.cab"

These are from these urls:
22-Apr-17 17:08:21.10 - Info: Downloaded/validated http://download.windowsupdate.com/c/msdownload/update/software/secu/2016/12/windows10.0-kb3209498-x64_3a21fb3d9caed0c5a9d525ad5ccdee16743dccdb.cab to ..\client\w100-x64\glb
22-Apr-17 17:08:21.10 - Info: Downloaded/validated http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/07/windows10.0-kb3172729-x64_f4fc9775baa98c176f43e87c40088231a884122b.cab to ..\client\w100-x64\glb
22-Apr-17 17:08:21.10 - Info: Downloaded/validated http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/08/windows10.0-kb3172729-v2-x64_ccc19baa66b28b18518e015e10674bd992e258b8.cab to ..\client\w100-x64\glb
22-Apr-17 17:08:21.10 - Info: Downloaded/validated http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/10/windows10.0-kb3198389-x64_f4e40f87224dcac322a6af001bb225897927aff3.cab to ..\client\w100-x64\glb
22-Apr-17 17:08:21.10 - Info: Downloaded/validated http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/12/windows10.0-kb3207296-x64_e896d075d0599902f3a00a4df1f95094f00c5dba.cab to ..\client\w100-x64\glb


When I run a sigcheck on one of these I get:

Verified: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


And indeed, checking the cert on the files reveals that it expired on 19th of April 2017. Still, wsusoffline keeps downloading and then deleting these.

Any idea why and can this be "fixed"?

Thank you in advance.
zespri
 

Re: A number of Win10 updates are deleted right after downlo

Postby aker » 23.04.2017, 22:30

Everybody finding a misspelling is allowed to keep or sell it.
aker

WSUS Offline Update „Community Edition“
https://gitlab.com/wsusoffline/wsusoffline/-/releases
aker
 
Posts: 3999
Joined: 02.03.2011, 15:32

Re: A number of Win10 updates are deleted right after downlo

Postby zespri » 24.04.2017, 00:27

This did not seemingly affect anything.

Can you run sigcheck on http://download.windowsupdate.com/d/msd ... e258b8.cab
and confirm that you see a different result than me? I have a suspicion that it's the certificate inside the .cab that is expired, not a cert in a local store.
zespri
 

Re: A number of Win10 updates are deleted right after downlo

Postby zespri » 24.04.2017, 00:34

In fact, I'm almost sure that it's the cert in the file itself, see below:

PS C:\_test> $signature = Get-AuthenticodeSignature .\windows10.0-kb3172729-v2-x64_ccc19baa66b28b18518e015e10674bd992e258b8.cab
PS C:\_test> $signature.SignerCertificate

Thumbprint                                Subject
----------                                -------
2383BED52ABD42366137BFA95716AB432BAD6B3E  CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US


PS C:\_test> $signature.SignerCertificate.NotAfter

Wednesday, April 19, 2017 6:07:31 AM


I checked my local store, there is no cert with this thumbprint, so the only place it can come from is the file itself.
zespri
 

Re: A number of Win10 updates are deleted right after downlo

Postby boco » 24.04.2017, 01:20

Just checked, seems to be expired.

Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany

Re: A number of Win10 updates are deleted right after downlo

Postby zespri » 24.04.2017, 02:25

So now that we have established that, is there a way to "fix" this?

Note for future readers of this topic: the two exes that were linked above (viewtopic.php?f=2&t=6282&p=21885#p21885) come originally from Microsoft, but they are about 3 years old as of 2017. They install a whole bunch of different certs in your local store, and you need to make sure that you are comfortable with all these certs being in your cert store. On one hand, since these come from Microsoft they are likely safe, but on the other hand, exploits are being found every day and these are 3 years old. Use your judgement.
zespri
 

Re: A number of Win10 updates are deleted right after downlo

Postby boco » 24.04.2017, 04:16

Nope, no one can "fix" expired certificates. If those updates are still relevant, MS must re-release them with updated signatures.

Note that once you put Windows online and it functions normally, it will handle certificate additions and revocations by itself (search Event Viewer for CAPI2 events). So, the rootsupd.exe is only a kick start when the system isn't online yet (as it adds the later MS root cert which Win7SP1 does not include).


Edit: While the cert cannot be "fixed", it could be ignored. But WOU would require a special exception list for that.
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany

Re: A number of Win10 updates are deleted right after downlo

Postby zespri » 24.04.2017, 08:39

boco wrote: Nope, no one can "fix" expired certificates. If those updates are still relevant, MS must re-release them with updated signatures.


Sure. I was wondering about a "fix" where either the wsus offline author could do something, or there is some configuration that can help.
Ultimately, I'd like to know if these updates are still relevant. If they are relevant and stock-standard Windows Update is still downloading and applying them, then obviously this would be a bug in wsus offline that would need to be fixed. Failing that, there could be some configuration option to "whitelist" these so that they can be accepted, yet signature checking is not disabled globally.

If these updates are not relevant any longer it would be interesting why wsus online is still downloading them, again, maybe this is something that can be fixed?

Finally, if the behaviour that I'm describing is local to me, I'd like to know what's different in my setup and how can I work around that.

boco wrote: Note that once you put Windows online and it functions normally, it will handle certificate additions and revocations by itself (search Event Viewer for CAPI2 events). So, the rootsupd.exe is only a kick start when the system isn't online, yet (as it adds the later MS root cert which Win7SP1 does not include).


Thank you, this is a useful clarification. I think it's important to note that the certificate in a signed file is different from the rootsupd certificates. The latter go to the local cert store, the former does not. However, in order for the signature to validate, the cert in the file needs to be a part of a valid cert chain, which ultimately ends in the local cert store. As such it does not look very likely that any amount of local store certs update can help with an expired cert *within the file*.

However, I wonder how MS handles this in general, surely many updates live (that is, stay relevant) much longer than a year. Yet the default cert validity timespan is usually just one year. Does anyone know how these older updates keep working? Does Microsoft re-sign them regularly?
zespri
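
Added example (not part of any post above, and not WSUS Offline Update code): a PowerShell triage of the situation discussed in this thread. For each .cab it reports whether the signer certificate has expired, whether a timestamp countersignature is present, and whether the file's SHA-1 matches the hash in its name. The function name and the reading of the 40-hex-digit filename suffix as the file's SHA-1 are assumptions.

```powershell
# Added example. Get-UpdateSignatureTriage is a hypothetical helper name.
function Get-UpdateSignatureTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,   # e.g. the client\w100-x64\glb folder
        [datetime] $Now = (Get-Date)               # clock used for the expiry comparison
    )
    Get-ChildItem -LiteralPath $Path -Filter *.cab -File | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $signer  = $sig.SignerCertificate          # certificate embedded in the file
        $expired = ($null -ne $signer) -and ($signer.NotAfter -lt $Now)
        $stamped = $null -ne $sig.TimeStamperCertificate

        # Assumption: the 40 hex characters before ".cab" are the file's SHA-1.
        $nameHash = $null
        if ($_.BaseName -match '_([0-9a-f]{40})$') { $nameHash = $Matches[1].ToLowerInvariant() }
        $fileHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash.ToLowerInvariant()

        # Separate "signer certificate expired" from tampering or a missing signature.
        $verdict = if ($sig.Status -eq 'Valid') {
            'OK'
        } elseif ($sig.Status -eq 'HashMismatch') {
            'Content does not match signature'
        } elseif ($sig.Status -eq 'NotSigned') {
            'No signature'
        } elseif ($expired -and $stamped) {
            'Signer cert expired (timestamp present)'
        } elseif ($expired) {
            'Signer cert expired (no timestamp)'
        } else {
            'Other: ' + $sig.StatusMessage
        }

        [pscustomobject]@{
            File           = $_.Name
            Status         = $sig.Status
            SignerNotAfter = if ($signer) { $signer.NotAfter } else { $null }
            HasTimestamp   = $stamped
            NameHashMatch  = if ($nameHash) { $nameHash -eq $fileHash } else { $null }
            Verdict        = $verdict
        }
    }
}

# Usage: Get-UpdateSignatureTriage -Path .\client\w100-x64\glb | Format-Table -AutoSize
```

Under that assumption, a matching name hash only shows the file is the one published under that name; it does not replace a valid signature.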
 

