forums.wsusoffline.net

[archiveguy]

Just noticed this

I have added several kb's to the exclude list in the client folder

2 of these updates in particular are causing problems: KB3112343, kb3109094

here is a sample from my exclude list:
kb3112343,win10prep
kb3109094,win10prep

it seems that regardless of these being in the exclude list or not, they get installed..
here is a sample of my installer log: (I have edited out my exact s/w version as it should not matter)

Starting WSUS Offline Update (v. 10.3.1) at 16:35:19.18...
Checking user's privileges...
Determining system's properties...
Found Microsoft Windows version: 6.1.xxxxxxxxx (w61 x86 enu sp1)
Found Microsoft Office 2010 Word version: 14.0.7xxxxxxxx (o2k10 x86 enu sp2)
Checking medium content...
Medium build date: 01/09/2016
Medium supports Microsoft Windows (w61 x86 glb).
Medium supports Microsoft Office (ofc enu).
Checking Windows Service Pack version...
Checking Windows Update Agent version...
Checking Windows Installer version...
Checking Windows Script Host version...
Checking Internet Explorer version...
Checking C++ Runtime Libraries' installation state...
Checking Windows Defender installation state...
Checking Office Service Pack versions...
Checking Windows Update scan prerequisites...
Installing Windows Update scan prerequisites...
Installing update 1 of 2...
Verifying integrity of ..\w61\glb\Windows6.1-KB3112343-x86.msu...
hashdeep.exe: Audit passed
Installing ..\w61\glb\Windows6.1-KB3112343-x86.msu...
Installing update 2 of 2...
Verifying integrity of ..\w61\glb\windows6.1-kb3109094-x86_d5582ff8e01aabb11ca0c
e174f8106fdace1aecd.cab...
hashdeep.exe: Audit passed
Installing ..\w61\glb\windows6.1-kb3109094-x86_d5582ff8e01aabb11ca0ce174f8106fda
ce1aecd.cab...
Checking state of service 'Windows Update'...

Any suggestions on what I may be doing wrong?
Any suggestions on how to make sure it is "excluded" other than deleting the actual updates from the W61-xx\glb folder

[boco]

Yes, unfortunately the Prerequisites routine doesn't honor the Excludelist at all. Personally, I do regard this as being a bug.
Check the .\client\static\StaticUpdateIds-wupre-w*.txt files - take the KB numbers out to remove them from Prereqs installation. Any Update might overwrite those files, forcing you to take them out again.

If just the Prereqs routing would honor the Excludelist...

[archiveguy]

Humm.. I have a few tests in mind to see if we can "resolve this". I will post back some comments shortly

Alternate, as I am not very familiar with the actual program "flow", maybe we could develop a pre - filter script

What I mean is once the user click's on "Start" from the Update 10.x.x-Installer
assuming this is was possible
say for each of the "StaticUpdatexx-xxx-xxxx.txt files, open them,
1) compare first entry within them to all entries in the \client\custom\exclude.txt file
2) should a match be found, delete said entry from the StaticUpdatexx-xxx-xxxx.txt
3) repeat for next entry from the StaticUpdatexx-xxx-xxxx.txt
4) then repeat for the next StaticUpdatexx-xxx-xxxx.txt file
5) repeat until all static files are done

then run the rest of the application...

At least this way, should the user say "EXCLUDE KB # whatever....at least they are no longer listed in the applicable prerequisite StaticUpdatexx-xxx-xxxx.txt
Effectively this would now, modifying your comment: Prereqs routing would now honor the Excludelist... (in a backdoor fashion way )

At least then, we only have to maintain the "exclude list" and hopefully each time the UpdateGenerator.exe asks if you want to update to the next version of the program, the exclude list is not over written
Ah that would a perfect fix..... Granted it's only an idea... Implementation , well that is another thing....

[WSUSUpdateAdmin]

Hi!

Yes, unfortunately the Prerequisites routine doesn't honor the Excludelist at all. Personally, I do regard this as being a bug.[...]

Sorry, I can't see a bug here, since exclude lists have never been evaluated when processing static definitions.

All I can offer is to evaluate ...\custom\StaticUpdateIds-wupre*.txt instead of ...\StaticUpdateIds-wupre*.txt, if first is present.

However, this would be a little confusing, because all other "custom" static definitions work in addition to the built-in ones.



Greets,
Torsten

[boco]

The problem is, that users usually have a very good reason for excluding updates. A rule that excludes updates should override all other definitions, including statics! Think of it like a "Never" declaration in this forum software - no matter where the "Never" is defined it overrides all other selections.

The telemetry/spyware updates and Win10-infested WU-clients are ones that I never, under no circumstances, want downloaded and installed.

Maybe think about implementing a global (purely user-managed) blacklist that
- is evaluated at start before all other rules, and
- physically removes all blacklisted updates from statics/prereqs, and
- add that KBs to all ExcludeLists.

Since the changes would be physical on disk, later operation did not have to be changed.

[archiveguy]

I agree with forum user BOBO. PS.. Thanks BOBO on how to get the "Code" to display properly in the forum

Dues to issues previously mention, some static updates can not be blocked as the M$ tools do not honor exclude rules so to speak... I have tried, in the past to delete any of the nasities I did not want installed, and then ran the Updateinstaller. The down side of deleting them, is that on next run of the Updategenerator, they would be downloaded again...(defeats part of this purpose)

So, I have created a few scripts to effectively allow the user to manage their own BLACK LIST such that for all entries in said black list, they will be "stash"ed into a stash folder one level down from where they were found. The Updateinstaller effectively does not see them, and what it can not "see", it can not install.

An additional plus is that even if WSUS gets auto updated, it does not touch your excludemstr.txt file

Simply put.
A) Before running UpdateGenerator tool, run the Restore_KB.bat (shown below) to move any KB's from their stash folder back to where they were originally located. No harm done if you never did the Move_KB.bat as the restore_KB bat would be harmless...
B) Run the Updategenerator as required
C) Edit the excludemster.txt file as required
D) Run my Move_KB.bat file (shown below) to "stash" all the KB's listed in excludemstr.txt
E) Run the Updateinstaller tool to install as required

So, as they say.....use at your own risk, no warranties, but then again what do you have to lose
In my opinion not much compared to the MS spying and such, but that is just my opinion :
I recommend you place these batch files and excludemstr.txt files in the WSUS\Client\ folder.



happy "excluding"...

1) Make a text file called excludemstr and paste this into it

Code: Select all

;format of file is ignore lines starting with semi-colon
;separator is a comma and everthing to after the comma is ignored
;make sure to keep this file in same folder as the Move_KB.bat
;and the Restore_KB.bat files
;This file must be called-----> excludemstr.txt
kb2902907,MS Security Essentials/Windows Defender related update [no description/information available]
kb2952664,Compatibility update for upgrading Windows 7 more info…(Preping for windows 10)
kb2966583,Prep for windows 10


----------------------------------------------------------------------------
2) Make a batch file called Move_KB.bat and paste this in.

Code: Select all

echo off
cls
rem for reference information, this file is called ---> Move_kb.bat
rem searches directory tree from batch file home location for all KB numbers entered in an "excludemstr.txt" file
rem if they are found, they get "moved" one directory level down to "stash" folder under the same path they
rem were found, effectively hiding them from any of the Microsoft updating tools.
rem
rem Next time BEFORE you search for any updates, first run the "restore_KB.bat" which will move any KB's found
rem in the "stash" folders back up one level into there original folders.....
rem If you do not run the restore bat, you will download these updates again, which is kinda redundant
rem
setlocal enabledelayedexpansion
set version=01.000      &:20160130 A.G.   framework ready
SET version=%version: =%
SET title=%~nx0 - version %version%
Title %title%
set work_dir=%CD%
rem ignore lines starting with semi-colon
rem delimiter is a comma  ie: KB12345,what ever
FOR /F "eol=; tokens=1* delims=, " %%i in (excludemstr.txt) do (
   call :inner %%i
   )
goto complete
:inner
set Kb_No=%%i
FOR /R %work_dir%  %%B IN (.) DO (
     pushd %%B
    set curpath=!CD!
    set curpath=!curpath:~-5!
    echo looking for %kb_no%       in !CD!
     IF EXIST *%Kb_No%*.* (
       rem if current path is the stash folder, skip it
      if !curpath! NEQ stash (
         rem check exist stash folder & move kb after
         call :chk4stash
         move /y *%Kb_No%* !CD!\stash >nul
         echo file *%Kb_No%* moved to stash)
         )
    :getout
    popd
)
goto :eof
:chk4stash
rem check for stash folder
echo off
IF NOT EXIST stash\. mkdir stash
goto :eof
:complete      
echo ..
echo ...
echo ....sweep done.... Application will close in 5 seconds or press PAUSE key
REM.-- End of application
FOR /l %%a in (5,-1,1) do (TITLE %title% -- closing in %%as&ping -n 2 -w 1 127.0.0.1>NUL)
TITLE Press any key to close the application&ECHO.&GOTO:EOF


---------------------------------------------------------
3) Make a Restore_KB.bat file and paste this in:

Code: Select all

echo off
cls
rem for reference information, this file is called ---> Restore_kb.bat
rem searches directory tree from batch file home location for any stash folders
rem if they are found, their contents  get "moved" one directory level up same path where they  were found
rem
setlocal enabledelayedexpansion
set version=01.000      &:20160130 A.G.   framework ready
SET version=%version: =%
SET title=%~nx0 - version %version%
Title %title%
set work_dir=%CD%
FOR /R %work_dir%  %%B IN (.) DO (
    pushd %%B
    set curpath=!CD!
   set isit=!curpath:~-5!
   if !isit! EQU stash (
         rem so check stash folder & move it
         set rest_fldr= !curpath:~0,-6!
         echo restoring files to folder !rest_fldr!
         move /y !CD!\*.* !rest_fldr!>nul 2>nul)
    popd
)
:comp_lete      
echo ..
echo ...
echo ....sweep done.... Application will close in 5 seconds or press PAUSE key
REM.-- End of application
FOR /l %%a in (5,-1,1) do (TITLE %title% -- closing in %%as&ping -n 2 -w 1 127.0.0.1>NUL)
TITLE Press any key to close the application&ECHO.&GOTO:EOF


[WSUSUpdateAdmin]

Moin!

Tja, dann muss ich da wohl noch mal ran, irgendwann...

Gruß,
Torsten

[boco]

Mir wärs auch lieber, ich würde es nicht brauchen. Aber es sind MEINE Computer, nicht die von MS.

Es müßte eine Routine sein, die nach den dynamischen Statics/Exclude Updates läuft. Diese Routine würde alle programmeigenen (nicht custom) relevanten Static/Exclude Dateien überprüfen und die KBs der Blacklist entfernen (Statics) oder hinzufügen (Exclude, falls notwendig). Damit ist sichergestellt, daß auch nach einem WSUSOU-Update oder dynamischen Update der Statics/Excludes die Blacklist eingehalten wird. Die Modifizierung der Text-Dateien ist sicherer als das physische Verschieben der Updates.

[archiveguy]

I to would prefer if the application could do all of it, but MS seems to not be playing fair

As I see it, my trick of moving any KB's that I do not want installed was the simplest solution.

Move them before you run Update installer,
Restore them before you run Update Generator... At least we don't end up downloading them again

And if my translation of your response is correct, yes modification of text files is easier than doing file move, but current WSUS follows what i believe are MS rules and as we have found out , MS rules don't always follow Exclude rules.

But then again,
if only editing text files, which ones, as it may vary from computer to computer.... which may start to become messy
Add to that...
Who says which KB to blacklist and which one not to.?? Everyone has their own preference...
so again, it may vary from computer to computer, user preferences & all...

Granted, my method is a bit of a pain but it allows the user to control EVERYTHING the way they want to and not the way MS wants to...

[aker]

We were talking about an update for wsusou, which automatically changes its own routines to remove blacklisted updates from the static update routines.