How to make sure Windows gets the right patches coming to it
- 16 January, 2018 22:12
The Windows emergency security updates issued by Microsoft earlier this month came with an unprecedented prerequisite - a new key stored in the operating system's registry - that antivirus vendors were told to generate after they'd guaranteed their code wouldn't trigger dreaded Blue Screens of Death (BSoD) when users apply the patches.
The demands confused customers, and fueled a flood of support documents and an avalanche of web content. Those who heard about the Meltdown and Spectre vulnerabilities struggled to figure out whether their PCs were protected, and if not, why not. Millions more, not having gotten wind of the potential threat, carried on without realizing that their PCs might be barred from receiving several months' worth of security updates.
Here are the steps Windows users can take to insure their PCs continue to receive security updates.
Check antivirus status, update antivirus
While Microsoft hasn't told customers which antivirus (AV) vendors have broken rules and made unauthorized calls to the kernel - the reason why the company's patches, which modify the kernel, may provoke BSoDs when certain AV software is loaded into memory - or even tracked the progress AV vendors made toward compliance, someone has.
Security researcher Kevin Beaumont publicly posted a spreadsheet listing more than 40 of the most popular AV products, and has updated it as vendors have released updates. Beaumont's spreadsheet indicates whether the vendor generates the registry key, is compatible with the January Windows updates, and in most cases, he provided links to the AV makers' explanatory documentation.
Beaumont's tracker has been invaluable to Windows users, who can use it to ascertain AV status before (or after) grabbing the latest antivirus program update, and read accompanying information.
Check the Windows Registry
The most important requirement - really, the only requirement - to receive January's security update is the presence of the Windows registry key antivirus vendors are to create to "attest to the compatibility of their applications," as Microsoft put it earlier this month.
Verifying that this key exists takes only moments. It's a good idea to confirm that it's present after scoping out and updating AV, but before applying January's Windows update.
In Windows, launch the registry editor (Regedit.exe) by typing REGEDIT in the search box (Windows 10) or in the Run box (Windows 7). The Run box will appear after pressing the Windows key at the same time as the r key.
Approve Regedit's launch by selecting "Yes" in the ensuing User Account Control pop-up.
The key will be within this folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
Click on the QualityCompat folder to open it.
(To avoid have to root through layers of nested subfolders, simply copy the folder name above, then paste it into the field immediately under the menus in the registry editor.)
Inside the folder should be the key, identified as cadca5fe-87d3-4b96-b7fb-a231484277cc under the "Name" column, and REG_DWORD under the "Type" column.
If the key is there, close the editor by selecting "Exit" from the "File" menu.
Add the key manually
If the installed antivirus product didn't generate the key - some did not initially, but most have now complied - if there's no AV on the system, the user must set the key.
Note: Before monkeying with the registry, back it up. See this Microsoft support document for how-to info.
Use the same instructions under the previous section to launch Regedit and navigate to the folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
Right-click the QualityCompat folder (also called a "subkey"), and choose "New/DWORD (32-bit) Value" from the menu.
In the field under the "Name" column - initially, this will read "New Value #1" - enter or copy/paste this: cadca5fe-87d3-4b96-b7fb-a231484277cc
Exit the registry editor.
Add the key with an automated tool
Microsoft may have left users to dive into the registry on their own, but others offered tools that generated the compatibility key correctly.
Trend Micro, for example, posted a download link to what it labeled ALLOW REGKEY, an archived file in .zip format. (On the page reached from the link above, look for "OPTION 1: Download and run ALLOW REGKEY.reg to let Windows receive 2018 1B update.")
Run the tool as described on Trend Micro's page.