29 August 2025

Microsoft: Stop Pushing KB5063878 "Death Patch"

Please, Microsoft; place a "hold" on KB5063878 August Cumulative Update for Windows 11, until it can be trusted not to destroy storage devices, installations and data.

We're encouraged to trust vendors to know best, including blocking updates known to cause trouble and/or suffer from compatibility issues.  Microsoft knows that KB5063878 corrupts storage (although this is not documented here), including destroying storage hardware, yet even after testing indicated the issue affects more than just a few particular SSDs, but also hard drives as well, it still pushed this update yesterday (28 August 2025) to a brand new laptop.

Yes, the issue may "only affect a few systems" and only when doing bulk file transfers of 50G+, but that's exactly what a new system will do straight after mandatory updates; bulk transfer data onto the new system from the one it is to replace.  This scenario is even more likely at a time Microsoft is telling us to replace perfectly capable Windows 10 systems so we can "be supported" on Windows 11 - even as that "support" involves pushing known-lethal updates "to keep us more secure".

As it is, KB5063878 is a nasty face-hugger beast, including as it does a Servicing Stack Update as well as changes to code outside Windows itself; since the previous month's Cumulative changed WinRE, thus the automatic recovery system for failed boot, and likely WinPE, perhaps pre-BCD and UEFI, who knows?  Now that "BIOS" is "extensible", toxic OS drivers can permeate that space via UEFI drivers, as already afflicting the BCD Boot Menu.

So, it's not as simple as uninstalling the update, and/or blocking it by hiding it from future Windows Update activity.  Uninstalling the update may fail with errors, requiring a more elaborate approach via DISM, possibly disabling WinRE and Sandbox first, etc.  Advice then suggests Pausing updates in the hope that Microsoft fixes what is quite a deep change to the code base, in the hope that this happens before the maximum allowed Pause time expires, that rushed fixes don't create new issues, and that exploits don't start hitting whatever KB5063878 may have fixed while we wait.

If we cannot trust Microsoft to place a "hold" on updates that can destroy data, installations and hardware - surely the biggest impact possible - then we need a way to block particular updates before they get rammed into the system.  We should not have to first accept the update before uninstalling and blocking it, nor should we have to Pause updates altogether, just to avoid a crisis du jour.

25 August 2025

Windows Update: Control Bandwidth

Here's a performance tip affecting online traffic in particular; control the bandwidth allowed for manual and background Windows Update activity.  Use this to speed up manual updates when you aren't doing anything else, and slow down background activity when you are busy!

The settings for this are buried deep in Settings, Update and Security.  Go down to "Advanced options", then scroll down below what may appear to end with "Pause updates", to "Delivery Optimization" and click into that link.  Then "Advanced options" on the next page that appears, to finally reach the playground.

I choose the "Percentage..." radio button, then check the boxes for "...background" and "...foreground", to accept the defaults, or set to taste.  The "...foreground" setting should apply when you manually visit Settings, Updates and click "Check for updates", then "Download and install".

UI safety tip

It's so easy to beef about mandatory Windows updates, that you can miss what control is offered, and it's easy to miss things hidden below a "scroll" you didn't know was there.  

You can fix that UI risk via Settings, Ease of Access, scroll down (of course), "Automatically hide scrollbars in Windows", and turn that Off.  UIs should tell the truth, the whole truth, and nothing but the truth; hence the advice to "always go Custom, check every Advanced" etc. when dealing with software, especially in contexts where vendor goals may mis-align with yours.

Vive la difference!

I was working on two laptops, neither of which are supported in Windows 11.  Both had Intel i5 processors, before AMD shamed Intel into offering more cores in the 8xxx generation, when up-spending on laptop "i5" and "i7" got you what would be called "i3" in a desktop PC - but one was a Generation Zero xxx with a SATA SSD, and the other was a generation 7xxx with a hard drive.

Guess which was slower, and why?  Yep, the 7th generation system went 100% storage and bogged down so badly, WhatsApp Web would give up and release the link, windows would grey out as Not Responding, and it was hard to get a click in edgeways.  The hogs were Windows background rubbish; not just the visible Windows Update but "App" updates and Feed, even though the News pimple on the Taskbar was long disabled.  It felt like something one just had to accept... at the time.

Later I was manually catching up a fresh Windows 10 to 11 upgrade, which had downloaded and installed overnight.  Next morning I clicked to Restart, and the new Windows installed fairly quickly and cleanly; then off to Windows Update, Check for updates... and that took hours to download 10%.

I finally got a clue, and checked the settings described above - and yes, way back when originally setting up Windows 10, I'd set both bandwidth % sliders to minimum, when still allowing peer-to-peer update traffic over LAN, but not Internet.  Once I changed the "...foreground" slider to max, the remaining 90% of the download, and the install, was done within minutes!

So if you're wondering why a routine Cumulative is taking as long as an OS download and install, go dig into that "advanced..." etc. UI, and ye may find what ye seek  :-)


22 August 2025

Windows 10 EOL is not about Windows 11, it's about OneDrive "Backup"

The end of Windows 10 support is not about Windows 11; it's about stampeding everyone on to OneDrive cloud storage - either as a pure money-maker, and/or to extend geopolitical reach.

Microsoft has to patch Windows 10 anyway

Consider: If Windows 10 will have code repair updates developed against exploitability for those who choose to buy extended support for three years, then that work has to be done anyway.  Extending update delivery to systems is the same cost, whether they are on Windows 10 or 11.  A wider pool of Windows 10 users may mean more niche testing, but also means more involuntary testers, making it easier and quicker to find out what needs fixing next.  

In the worst-case scenario, a massive exploitable base of unpatched Windows 10 systems could pose risk to everything connected to the Internet, which may compel Microsoft to "support" (fix) all those systems.

Folks aren't joyously flooding to Windows 11, throughout years of ongoing development, right up to these final days before Windows 10 (and Windows 11 23H2 and older) go out of support.  Many systems are disqualified due to TPM 2.0 and other requirements, but others are simply user refusal, as well as the inertia of large managed networks.  

In response, Microsoft offers Extend Security Updates (ESU) programs to both professional networks administrators and consumers.  The "pro network" crowd have to pay, but a new "free" option has been added for consumers that looks too good to be true... and is.

Baked-in ransomware

If you allow the Windows Out Of Box Experience (OOBE) to lead you by the nose ("a little WiFi here, a little sign-in there"), then this is what happens:
  • you sign in to an online Microsoft Account
  • your internal storage is encrypted without your knowledge or consent
  • the encryption key is available only from your online Microsoft Account
  • all appears to work as normal, so you don't get the key you didn't know you'd need

Now if that smells like a ransomware attack, that's because it is exactly that.  Microsoft doesn't extort money upfront, payment doesn't involve complicated crypto currencies, and it's not about payment anyway; it's about the option to deny access, either for breach of the vendor's private law (the EUL"A" that no-one reads) or at the behest of US policy, such that sanctions can apply to data as well as money.

Data survivability is now brittle, as various local situations can trigger a demand for the key:

  • you need to boot into Safe Mode
  • you need to access your storage from a different system
  • something glitches the TPM, e.g. a firmware ("BIOS") update

There may be server-side issues too, e.g. your online account is hacked, or deleted by the vendor, or you follow advice to discard the account to use a Local account instead, or your account hasn't been signed in for "too long", or the vendor or US policy applies a "data sanction" on you.

Theft-to-cloud as "backup"

Backup is actually a hard problem; the aim is to keep all wanted data changes, while excluding all unwanted changes - a mix of sheep and goats, needles in the haystack.  Strategies vary, but always involve multiple copies of data such that if one is afflicted, the other is available to restore.

Sync is the opposite of backup; if anything bad happens on any one system, that unwanted change is immediately propagated to all systems.  The server beyond your reach is now the dog, and all "your" devices are now its chew-toys.  Whatever entity signs into that online account is deemed to be "you", and shares some control with the vendor; if you're locked out, sorry for you!

Once you get past the OOBE (if not before), you're pestered to "backup" to OneDrive.  If you swallow the bait, the content of many shell folders is automagically copied to the OneDrive cloud storage service, while what you see locally as your files may appear to work, but in reality may have been replaced with stubs to online files, "to save space".  Just like automatic Device Encryption, this payload is hidden, with delayed effects that arise when you try to work offline, and "your" files aren't found within the large cache footprint that the cloud service uses as an ashtray.

So, now your data is exfiltrated, local copies destroyed, and you're even more vendor-dependent.  When you run out of free space at the server end, you'll have to pay up for more space, or buy some other service that bundles the extra space you need.  

This is a straightforward hook-and-reel-in sales scam, similar to a time-bombed "free trial" that lasts just long enough to create data you can't use unless you pay (especially Outlook's .pst walled garden).  That's a significant incentive to the vendor, leaving aside any geopolitical implications.

You can use Windows 11 safely

As at August 2025, there are ways to skirt these risks while still upgrading to Windows 11 for more effective ongoing support.  There are ways to break into the OOBE to trigger a restart that will add small links for "I don't have Internet" and "Continue with limited setup"; there are ways to craft a bootable USB installer that bypasses various compatibility checks and onerous UI pressures.  As long as you can install Windows 11 and run the OOBE while safely not connected to the Internet, you have the potential to be safe; staying that way requires ongoing resistance to embedded sales pitches.

There are also ways to block Device Encryption by policy, as applies via a .reg import or direct Regedit; to hide OneDrive, or at least stop it reducing your files to online pointer stubs, and so on.  If Device Encryption is already in effect, you can step over the scary warning to turn that off; maybe it will take a long time, as the warning states, or maybe not - the whole process is so opaque (or transparent, in that one sees through it even if trying to see it is harder) that I've no idea if it completes as quickly as it seems, or if it grumbles along unseen for hours or days.

Upgrade carefully, if system is compatible

In my opinion, it's better to carefully upgrade Windows 10 to 11, after suitable backups, as long as your system is compatible, than stay on Windows 10.  It's also a good time to upgrade the OS hard drive to a speedier SSD, as that way the original hard drive can be your "undo" fallback backup.

If your system is incompatible, you may be able to force the upgrade via Rufus or similar tools, and/or more manual methods - but I'd be reluctant to do that.  "Hard" incompatibilities include PopCnt instruction and SSE 4.2 support; without these, Windows 11 24H2 (the minimum version supported after October 2025) will likely BSoD on boot.

Some of the softer requirements may be attained by changing partitioning from MBR to GPT, changing boot mode from CSM BIOS emulation to UEFI, enabling Secure Boot, and enabling TPM, either as such, or drilling down into CMOS Setup to where the processor vendor implements this as a fTPM.

So far, so good - but if you can't pass the PC Health Check or the Windows 11 Installation Assisitant won't install, then you'd have to resort to an "unsupported" state via bypass methods e.g. Rufus.  I don't see a great future there; the PC may be fine, until some update or annual new version starts to invoke things that are not there, which could leave the system unable to run, or even boot up.

"If a bad guy can run code on your system"...

Microsoft's 2000 Ten Immutable Laws of Security still make sense to me, even if the battle to keep our computers "Personal" has long been lost.  The list has been weaseled to pass off "the cloud" (= other people's computers) as safe enough, but the original is here.  The first Law:

"If a bad guy can persuade you to run his program on your computer, it's not your computer anymore"

I'd show you the rest of the laws, virtually all of which are broken by the unwanted intimacy of current vandor (vandal/vendor) practice, but the WayBack archive page first bordered on the unusable (refreshing banner ad moving the page, refusal to copy selected text to clipbord or print the page), then after coerced "donation", lost where I'd come from and failed to load the page when the URL was re-pasted.  Enshittification is certainly not unique to a few big vendors; buggy code is everywhere, and it can be hard to distinguish stupidity from perfidity!  Bah, humbug, etc.

Should you trsut your vendor?

At the top of the Trust Stack is the intent of the party to be trusted; at the bottom is the competence to do what they intend to do.  There have been updates that either trashed data completely, or accidentally placed it out of reach, raising concerns about the bottom of the trust stack, as if the need to constantly fix code via "updates" wasn't enough.

Most of the links are about a scenario where the user profile subtree in C:\Users was shunted off and replaced with a new profile, so at least the files could be found... unless they couldn't in some cases.  However, I remember a much harder crisis where user data was deleted completely, not in the recycle bin, due to a side-effect related to... OneDrive (formerly called SkyDrive, until someone watched the Terminator movies and suggested a branding change).

It is utterly indefensible for a code vendor to delete user data, no matter what they were trying to do with it; the sheer arrogance beggars belief. Moving directory file entries to a C:\Windows.old is one thing, but to delete completely and irreversibly, is quite another risk to take with what is not yours.

So... should you trust the "man behind the curtain"?  After all, well-resourced professionals with a large budget should keep their servers running more reliably than a home user's system, and you may feel that is true for you.  

But leaving aside vendor priorities and intent, the fact is that there's nothing magical about what the cloud is made of; it's all stacked layers of code with significant error rates, whether it's the cross-platform compilers, the microcode squirted into what used to be "hard logic" processors, a UEFI as complex as Windows 95 (or "extensions" thereof), the firmware within off-processor components as complex as MS-DOS, web browsers and the unwashed junk they have to run, or the strapping together of these things in de-featured web Apps and PWAs.

We have no insight into what goes on in cloud servers; the fixes, emergency kludges, crises narrowly avoided or not, the data loss affecting "only a few users", etc. until a Cloudflare mess wakes us up.

21 August 2025

AI: The Computer Revolution, Again

I'm lucky to have experienced personal computing from the beginning, from Sinclair's Black Watch, ZX80, ZX81 and Spectrum through Pick R83 and MS-DOS 3.3 to today's herding into Microsoft's pen for Windows 11 survivability.

We are perhaps the last human generation to believe we could understand electronic digital computers at every level, from transistors and logic gates through to automated online banner ad auctions, Bitcoin mining, botnets, etc.  It's got so complex, newcomers have to choose which slice of the tottering stack in which they will specialize; code is becoming ephemeral, beyond human scope if it is to be kept on track.

In the 16-bit home computing era, computers became our toys, while futurists were still telling us we needed to learn binary arithmetic at school to prepare for tomorrow's careers.  Hobbyists were asked to justify the time and effort they lavished on their FREDs (Folking Ridiculous Electronic Devices), who would reply "Look, I can create a page of printed text in minutes!" ...not counting minutes spent waiting for code to load off audio cassette at one end, and the noisy printer at the other.

So it is now, with "AI", i.e. the extension of expert-system pre-loaded wisdom, to machine learning.  We play with ChatGPT etc. as toys, while bigger budgets put AI to work; new but transient careers beckon, and early adopters may find the skills built in advance are as mis-aligned as trying to apply only binary arithmetic to higher-level programming languages.

Performance is not yet there; early AI-capable laptops and PCs are as rare and costly as the first round of "multimedia" (sound card, CD-ROM, video playback, a handful of available titles) before Windows 95. Nvidia's monster AI chips are as unattainable for us as 3DFX's dedicated 3D accelerators were way back in the day, when affordable "Windows Accelerator" graphic cards just couldn't cut it for new 3D games.  Industrial-grade AI thrives on ye olde IBM mainframe budgets of half a century ago.

This time round, I'm content to watch from the sidelines - if I was 20 years old again, I'd have jumped into Android when toy smartphones escaped Apple's iron grip, I'd have years of Linux under my belt, and I'd be very actively involved in "playing with AI".


05 August 2025

Bug: Windows 11 Safe Cmd OSLoader loads Explorer.exe as shell

Using BCDEdit to /Copy {default} to two new GUIDs, setting those to Safe Mode and Safe Cmd, then adding the GUIDs to {bootmgr} via /DisplayOrder, is a great way to pause the Windows boot process at a BCD boot menu, to either power off or choose a safer option when needed.

I started doing this in Windows 7 and it's worked well up until Windows 11, possibly version 24H2, where the alternate shell directive (SafeBootAlternateShell)  in the Safe Cmd OSLoader is ignored, causing Explorer.exe to load as the shell instead. This may run unwanted code integrated into Explorer.exe, or cause the system to crash if something is seriously awry within the Explorer.exe shell sub-system - so advice to "just RegEdit HKLM...WinLogin, Shell and restart" won't avoid that risk.

If I navigate the BCD boot menu via the Tab key or mouse to "Change defaults or choose other options" section below the OSLoader list, and use the Boot Options there to force Cmd as shell, that works after the usual restart and boot.  Command Prompt also works when selected from OSLoaders that launch a .wim via RAM Drive, e.g. the built-in WinRE or added WinPE, such as offered by Macrium Reflect, EaseUS To Do Backup, or your own "home-rolled" WinPE.

So there's something amiss with how Windows 11's pre-OS code interprets OSLoader settings to ignore the setting to use alternate shell , or something else at that fork in the BCD interpretation logic.

Here's what these OSLoaders look like, from a working Windows 10 22H2 system:

C:\WINDOWS\system32>BCDEdit /Enum OSLoader

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
osdevice                partition=C:
systemroot              \WINDOWS
resumeobject            {<GUID1>}
nx                      OptIn
bootmenupolicy          Standard

Windows Boot Loader
-------------------
identifier              {<GUID2>}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Safe Mode
locale                  en-US
inherit                 {bootloadersettings}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
osdevice                partition=C:
systemroot              \WINDOWS
resumeobject            {<GUID1>}
nx                      OptIn
safeboot                Minimal
bootmenupolicy          Standard
sos                     Yes

Windows Boot Loader
-------------------
identifier              {<GUID3>}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Safe Cmd
locale                  en-US
inherit                 {bootloadersettings}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
osdevice                partition=C:
systemroot              \WINDOWS
resumeobject            {<GUID1>}
nx                      OptIn
safeboot                Minimal
bootmenupolicy          Standard
safebootalternateshell  Yes
sos                     Yes

It is the safebootalternateshell = Yes that is ignored, in Windows 11 24H2.