Things to check after you upgraded to Windows 1803

Windows 1803 is out and you can already download the ISO or UUP files. The big question is what the smartest decision is: a clean install, an In-Place upgrade, waiting for WU or switching to Linux?! Well, the best is to switch to Linux, but if you still want to ride the dead horse, here is my recommendation and a checklist of what you need to do after the installation is finished.


In-Place vs. clean?!

The almighty myth that a clean installation is ‘better’ is wrong. It doesn’t speed up anything, nor does it have any benefit over a normal upgrade. There are usually two scenarios in which your Windows is broken:

  1. Your user profile is broken: simply create a new one.
  2. You manipulated Windows files, e.g. because you used a ThemePatcher etc.

Both of these issues forced some users to ‘clean’ install Windows in the past; this is not necessary. Since Windows 10 (by default) doesn’t work with the real administrative user profile (it’s deactivated), you can simply create a new user profile. The second point is a bit harder to solve but not impossible: you can work with DISM or SFC in order to correct those errors. As long as your WinSxS and other cache folders are intact, you won’t receive an error during the repair process. Of course there are some cases where this might fail, mostly related to KBs, but this doesn’t matter in our case since 1803 has not (yet) got any cumulative update, and even if it had, you can uninstall them via the command line or the Programs and Features mechanism.

In-Place is enough; you won’t get any bigger problems, and in case there are problems, Windows usually moves the problematic files and programs into the Windows.old folder.

Windows.old folder: you don’t need to remove it manually!

The XP and Windows 7 times are over; you don’t need to delete the folder manually anymore. It’s the backup folder where your old files are stored, or the ones which aren’t compatible. Windows itself (via its notification center) asks you after some time whether you would like to delete the ‘old Windows version’. You can also do this manually, like in the old times, with the integrated Windows ‘cleanup’ tool; it’s located under ‘Windows Administrative Tools’ (cleanmgr.exe).

Things the update will “override”

Some kernel-related stuff will override GPO settings. This has not much to do with Windows ‘resetting’ something; it’s a feature which comes from the kernel, in order not to run into possible problems after the first boot. These features need to be adjusted manually:

  • services.msc configuration
  • GPO/MDM settings (depending on the account type and whether a new account was created or not)
  • ThemePatcher or other programs which alter the Windows:\ folder
  • Apps (depending on whether you removed them previously or not); the same goes for the Store

And that’s already it; the rest is untouched. So you see, the new Windows Spring Creators Update is really easy to use and a lot better compared to other versions.

%AppData% (your user profile dir) usually stays untouched; the same goes for Downloads, Music, Desktop etc., because those folders are ‘special’ compared to normal folders.

Difference between WU and In-Place

There is no difference. WU downloads the entire package, extracts it and then starts the same setup.exe with the same choices as the normal In-Place, e.g. you can choose whether you would like to keep your files or not. The Windows.old folder will also be created and the mechanism is exactly the same. Whether you download it over WU, the Media Creation Tool or via other links, there will be no difference, except maybe if you choose UUP, because these files must be decrypted manually first, but that’s not a big deal anymore.

Things to do after the upgrade is finished

Microsoft changed several things: some options are gone, others were moved or removed. I suggest the following:

  1. Don’t use any anti-telemetry tool; instead work with Gpedit.msc (Group Policy Editor), since some GPO settings can override/ignore registry or file changes. Add to that the fact that lots of such tools are faked, infected or redirected to manipulated programs. Just don’t do it; such tools are not better than gpedit.msc.
  2. (optional) Re-patch your uxtheme.dll if you like; the patchers from 1709 also work on 1803.
  3. After you changed 1., restart and check the Settings panel in order to see whether the changes regarding Location, Speech & Co. are really applied; sometimes, for no reason, it takes two restarts to apply them.
  4. Check services.msc in order to disable unneeded things; usually setting them to ‘manual’ is enough. The telemetry-related ones are: “Connected User Experiences and Telemetry” aka DiagTrack, and the ones with numbers within the name, e.g. _z234. The latter are only stoppable via the registry: set Start to 4 (3 is manual and 4 is disabled). Those numbers are randomly created; you can simply copy the name and search the registry for the key. For example, my UserDataSvc_53ce0 is together with the other services under: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_53ce0.
  5. Check certmgr.msc and remove or disable untrusted, expired or unneeded certificates.
  6. Configure Windows Defender. If you don’t like its real-time protection, okay, but leave the rest on, since it has its benefits like the exploit protection.
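As an added example (my own PowerShell, not code from the original post), the script below audits steps 4 to 6 of the checklist in one run: it reports the state of DiagTrack and of the suffixed per-user services by looking them up under the Services registry key by prefix instead of by exact name, lists expired certificates in the root and intermediate stores, and prints the Defender real-time and exploit-protection state. Nothing is changed unless you pass -Apply to Disable-SuffixedService. The function names, the service prefixes other than UserDataSvc, the store list and the Dep/Aslr/Cfg property names of the ProcessMitigations module output are this example's assumptions; run it from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: audits checklist steps 4 to 6.

# --- Step 4: services ---------------------------------------------------------
# Per-user services carry a random suffix (e.g. UserDataSvc_53ce0), so they are
# looked up under the Services key by prefix rather than by exact name.
function Get-SuffixedServiceKey {
    param([Parameter(Mandatory)][string[]]$Prefix)
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($p in $Prefix) {
        Get-ChildItem -Path $base | Where-Object { $_.PSChildName -like "${p}_*" } | ForEach-Object {
            $start = (Get-ItemProperty -Path $_.PSPath -Name Start -ErrorAction SilentlyContinue).Start
            [pscustomobject]@{ Name = $_.PSChildName; Path = $_.PSPath; Start = $start }
        }
    }
}

# Start value: 2 = automatic, 3 = manual, 4 = disabled. services.msc will not edit
# these per-user templates, so the registry is the only place to change them.
function Disable-SuffixedService {
    param([Parameter(Mandatory)][string[]]$Prefix, [switch]$Apply)
    foreach ($svc in Get-SuffixedServiceKey -Prefix $Prefix) {
        if ($Apply) { Set-ItemProperty -Path $svc.Path -Name Start -Value 4 -Type DWord }
        $after = if ($Apply) { 4 } else { $svc.Start }
        [pscustomobject]@{ Name = $svc.Name; StartBefore = $svc.Start; StartAfter = $after; Applied = [bool]$Apply }
    }
}

# DiagTrack is an ordinary service and the service cmdlets are enough for it.
function Get-DiagTrackState {
    Get-Service -Name DiagTrack -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
}

# --- Step 5: certificates -----------------------------------------------------
# Reports expired certificates in the root and intermediate stores. Removal
# (Remove-Item on the Cert: path) stays a manual decision after reading the Subject.
function Get-ExpiredCertificate {
    param([string[]]$Store = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\Root'))
    foreach ($s in $Store) {
        Get-ChildItem -Path $s | Where-Object { $_.NotAfter -lt (Get-Date) } |
            Select-Object @{ n = 'Store'; e = { $s } }, Subject, Thumbprint, NotAfter
    }
}

# --- Step 6: Defender and exploit protection ----------------------------------
# Real-time protection is a matter of taste per the checklist; the system-wide
# exploit mitigations (DEP, bottom-up ASLR, CFG) are the part worth keeping on.
function Get-DefenderState {
    $pref = Get-MpPreference
    $sys  = Get-ProcessMitigation -System
    [pscustomobject]@{
        RealTimeProtectionDisabled = $pref.DisableRealtimeMonitoring
        DEP                        = $sys.Dep.Enable
        BottomUpASLR               = $sys.Aslr.BottomUp
        CFG                        = $sys.Cfg.Enable
    }
}

# Usage (read-only until you add -Apply to Disable-SuffixedService):
Get-DiagTrackState
Disable-SuffixedService -Prefix 'UserDataSvc', 'UnistoreSvc' | Format-Table -AutoSize
Get-ExpiredCertificate | Format-Table -AutoSize
Get-DefenderState
```

Run it once before and once after the restart mentioned in step 3; if a Start value or a mitigation flipped back, that is the kernel-side override the earlier section describes, and the item belongs on your list of things to re-apply after every feature update.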

The reasons why you should not use any ‘tools’

  1. Tools are infected, manipulated or compromised -> no download = no infection (logic.exe).
  2. Tools are mostly behind, which means they can’t keep up with the changes MS made with newer builds or cumulative updates; in a worst-case scenario you make it even worse.
  3. Some changes the tools make are useless, for example DNS-related changes, because dnsapi.dll might bypass HOSTS-related entries, so this is a placebo effect.
  4. Gpedit.msc can do the same, and these changes are not bypassable by the OS itself, since the kernel takes care of it.
  5. Don’t use any tools if you can do the same with the command line/batch files, in order to see what it really does. This is helpful in order to track possible problems, and a matter of trust.
  6. Why use tools if a firewall does the same? Use a good firewall like Windows 10 Firewall Control or your NAT in order to block domains, single IPs or IP ranges. Do not use WFC or the Windows integrated firewall. The firewall is usually enough; sadly I noticed that Windows’ own DNS mechanism doesn’t filter everything, which means the firewall or its GUI might not show or block everything. You can quickly verify this by installing DNSCrypt-proxy and comparing its log with the firewall log. Surprise, surprise! IPsec might help here, but especially for beginners it’s more ‘complicated’ to configure, since there is no external GUI provided for it, so better do it with the firewall. I recommend Sphinx Windows10FirewallControl or Comodo’s free firewall; both are not affected by Windows’ own DNS mechanism.

Task scheduler

There is wrong information all over the internet which recommends deleting tasks. I see this as wrong, because some updates might simply re-create those tasks anyway and then you might never notice it. The smarter decision here is to disable unneeded tasks, because if the task is changed or present, the update usually does not override it (of course it’s still possible, but I haven’t seen this behavior).

Just check in the integrated Task Scheduler whether there are any telemetry or unwanted tasks, and disable them or change them based on your needs. This is enough; there is no need to delete them. There is no benefit, and some KBs even have problems with deleted tasks or files, and then you wonder why you see error XYZ.
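The disable-instead-of-delete approach, plus the "you might never notice it" problem, as an added PowerShell example (mine, not from the post): it lists the tasks under \Microsoft\Windows whose names match a pattern, disables (never unregisters) them, saves a baseline of every Microsoft task's state to a CSV, and after the next update compares against that baseline so a re-created or re-enabled task shows up. The name patterns and the baseline file path are this example's assumptions; review the matches on your own machine before passing -Apply.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post.

# Tasks whose name matches one of the patterns. The patterns are this example's
# own starting point, not a definitive list; review the output before acting.
function Get-TaskMatching {
    param(
        [string]$TaskPath = '\Microsoft\Windows\*',
        [string[]]$NamePattern = @('*Telemetry*', '*Experience*', '*Consolidator*', '*UsbCeip*')
    )
    Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue | Where-Object {
        $task = $_
        @($NamePattern | Where-Object { $task.TaskName -like $_ }).Count -gt 0
    }
}

# Disable, never unregister: a disabled task is normally left alone by a
# cumulative update, while a missing task is something later KBs can trip over.
function Disable-TaskMatching {
    param([string[]]$NamePattern, [switch]$Apply)
    $tasks = if ($NamePattern) { Get-TaskMatching -NamePattern $NamePattern } else { Get-TaskMatching }
    foreach ($t in $tasks) {
        if ($Apply -and $t.State -ne 'Disabled') { $t | Disable-ScheduledTask | Out-Null }
        [pscustomobject]@{ TaskPath = $t.TaskPath; TaskName = $t.TaskName; StateBefore = $t.State; Applied = [bool]$Apply }
    }
}

# Baseline: path, name and state of every Microsoft task, saved to CSV.
function Save-TaskBaseline {
    param([string]$Path = "$env:USERPROFILE\tasks-baseline.csv")
    Get-ScheduledTask -TaskPath '\Microsoft\*' |
        Select-Object TaskPath, TaskName, @{ n = 'State'; e = { "$($_.State)" } } |
        Export-Csv -Path $Path -NoTypeInformation
    $Path
}

# After an update: tasks that are new, or whose state changed, since the baseline.
# Only the '=>' side is returned, i.e. what the current system has that the
# baseline did not (a re-created task, or a disabled one that is Ready again).
function Compare-TaskBaseline {
    param([string]$Path = "$env:USERPROFILE\tasks-baseline.csv")
    $old = Import-Csv -Path $Path
    $new = Get-ScheduledTask -TaskPath '\Microsoft\*' |
        Select-Object TaskPath, TaskName, @{ n = 'State'; e = { "$($_.State)" } }
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property TaskPath, TaskName, State |
        Where-Object SideIndicator -eq '=>' |
        Select-Object TaskPath, TaskName, State
}

# Usage: review, then disable, then baseline. Re-run Compare-TaskBaseline after
# the next cumulative update.
Disable-TaskMatching | Format-Table -AutoSize          # review only
Disable-TaskMatching -Apply | Out-Null                  # disable the matches
Save-TaskBaseline
Compare-TaskBaseline | Format-Table -AutoSize           # empty right after saving
```

The comparison is deliberately on the task's State rather than on its existence alone: an update that silently re-enables a task you disabled is the case the text warns about, and it is invisible if you only diff names.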

Work with the permission system Windows gives you

Restrict some folders manually so no one can get access to or write into them. Windows already provides you with everything you need, but it seems some people are too lazy to use it; instead they install yet another tool which does nothing but the same thing Windows already does. Right-click on the file or folder and change its permissions so you can prevent unnecessary file access. Keep in mind that this does not always work: in case you want to block the Store, you might wonder why the change got reverted after a restart. This behavior is due to the fact that the TRUSTEDINSTALLER permission sits above the SYSTEM privilege, which you have no control over on a normal account, and even if you are behind a real administrative account you can’t get a higher level. This is a ring 0 Windows protection mechanism in order to prevent e.g. malware from bypassing such rights.
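The permission change described above, as an added PowerShell example (mine, not from the post): it shows who owns a folder, adds an explicit Deny-Write entry for an identity, proves on a scratch folder under %TEMP% that the deny is enforced, and then shows on %windir%\System32 why the same change is refused there: the owner is NT SERVICE\TrustedInstaller, which an administrator cannot override. The function names and the demo folder are this example's assumptions.

```powershell
# Added example, not code from the original post.
using namespace System.Security.AccessControl

# Owner and the effective access list of a path. TrustedInstaller ownership is
# the tell-tale that a manual ACL change will be refused or reverted.
function Get-FolderOwnerInfo {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        Path                  = $Path
        Owner                 = $acl.Owner
        TrustedInstallerOwned = ($acl.Owner -eq 'NT SERVICE\TrustedInstaller')
        Access                = ($acl.Access | ForEach-Object { "$($_.IdentityReference): $($_.AccessControlType) $($_.FileSystemRights)" })
    }
}

# Adds an explicit Deny for Write, inherited by files and subfolders. A Deny ACE
# wins over every Allow, so do not aim it at a group you belong to by accident.
function Add-DenyWriteRule {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = [FileSystemAccessRule]::new(
        $Identity,
        [FileSystemRights]::Write,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None,
        [AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl   # fails with 'access denied' on TrustedInstaller-owned paths
}

# Proof that the deny is in effect: try to create a file, report True if refused.
function Test-WriteBlocked {
    param([Parameter(Mandatory)][string]$Path)
    try {
        [IO.File]::WriteAllText((Join-Path $Path 'probe.txt'), 'x')
        $false
    } catch {
        ($_.Exception -is [UnauthorizedAccessException]) -or
        ($_.Exception.InnerException -is [UnauthorizedAccessException])
    }
}

# Demo on a scratch folder (assumed path): deny Write to BUILTIN\Users, then probe.
$demo = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Add-DenyWriteRule -Path $demo -Identity 'BUILTIN\Users'
Get-FolderOwnerInfo -Path $demo
Test-WriteBlocked -Path $demo     # True: every interactive account is in Users, and Deny wins, even elevated

# The same on a protected path: owner is TrustedInstaller, so Set-Acl is refused.
Get-FolderOwnerInfo -Path "$env:windir\System32" | Select-Object Path, Owner, TrustedInstallerOwned
```

Cleaning up the demo folder with Remove-Item still works, because only Write was denied and the owner keeps the right to change the ACL; that asymmetry (owner can always re-open what he locked, TrustedInstaller-owned paths cannot be re-opened by an admin at all) is exactly the difference the text describes.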

Checking the Windows Store and the Apps

The Windows Store is not the cancer people always say it is; in fact it has some useful things to offer, like the Linux sub-system and other useful ‘gimmicks’. Of course it’s up to you and your needs. You can simply restrict the Windows Store and its Apps via gpedit.msc; no need to uninstall anything or mess with anything here. Once you set it and restarted, you see that neither an app nor the Store is running.

(Screenshot: gpedit.msc Store and apps settings)

Most anti-telemetry tools do nothing except changing registry settings in order to toggle gpedit.msc settings which you can set manually.
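To make that point concrete, as an added example (my own PowerShell, not from the post): the script reads the registry values that the gpedit.msc policies for telemetry, the Store, location and input personalisation write, and reports whether each one currently holds the value you would get by setting the policy. The policy-to-key mapping is the standard Windows policy registry layout as I know it; the "expected" values are this example's own choices and the function name is an assumption. It only reads. Set the policies in gpedit.msc, run gpupdate /force, then re-run this to confirm they landed.

```powershell
# Added example, not code from the original post. Read-only audit of the
# registry values behind a few gpedit.msc policies.

# Each entry: the policy name as shown in gpedit.msc, the registry value the
# policy writes, and the value expected once the policy is set (example's choice).
$PolicyChecks = @(
    @{ Policy = 'Allow Telemetry (Data Collection and Preview Builds)'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry'; Expected = 0 }
    @{ Policy = 'Turn off the Store application'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'; Name = 'RemoveWindowsStore'; Expected = 1 }
    @{ Policy = 'Turn off location (Location and Sensors)'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'; Name = 'DisableLocation'; Expected = 1 }
    @{ Policy = 'Allow input personalization'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization'; Name = 'AllowInputPersonalization'; Expected = 0 }
)

# Reads each value; a missing key or value means the policy is 'Not Configured'.
function Test-PolicyValue {
    param([hashtable[]]$Checks = $PolicyChecks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -Path $c.Key) {
            $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        $shown = if ($null -eq $actual) { 'not configured' } else { $actual }
        [pscustomobject]@{
            Policy   = $c.Policy
            Value    = "$($c.Key)\$($c.Name)"
            Expected = $c.Expected
            Actual   = $shown
            OK       = ($actual -eq $c.Expected)
        }
    }
}

# Usage: a row with OK = False is a policy still to set (or one a tool reverted).
Test-PolicyValue | Format-Table -AutoSize -Wrap
```

An anti-telemetry tool that "does something" here writes exactly these values and nothing more; the difference when you set them through gpedit.msc is that the local policy store keeps them, so they survive in the way the earlier section on overrides describes, and you can diff them with a text editor instead of trusting a binary.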

Automate the process

I’m currently working on a template to automate the process, so you can copy/import the settings into a GPO folder, restart, and everything gets updated automatically. The project will be available here once I’m finished finding all 1803-related changes which affect the overall OS security. The benefit is that you can see the changed things with a normal text editor and change things the easy way. The project will not be related to any external program, just the plain files which you can copy into Windows; then restart, and they get re-applied each time you restart the machine.

Final Words

Tools are mostly placebo; they’re not doing much more or anything different from what Windows has been able to do for years. However, I get the point that it’s maybe easier for beginners to use such tools; on the other side, such tools are the reason why no one cares about Windows’ own mechanisms, and I see this as critical. You should review Windows’ own monitoring mechanisms, because they are exactly there to collect information which you can use in order to harden the OS; they also tell you a lot about possible or existing problems.

Once again, using specific programs does not make you more secure; what really makes you or your OS secure is doing your own research, asking questions, and checking and monitoring everything. If you’re not interested in such topics, don’t pretend you care about security. That’s a simple rule, because you can’t gain any knowledge by only reading other people’s work (no matter if it’s right or wrong); at some point you need to make your own steps to start a consensus about this huge topic.

Windows 1803 (from my experience) is far away from being a perfect OS; however, it’s getting better and I hope Microsoft continues to listen to its own crowd in order to improve the product. Some people might see this as annoying because they live in XP times; these times are over, just wake up from your dreams. Hackers don’t sleep, so why should the OS do the same?!

Gpedit.msc and other integrated programs have existed for years, but no one is really going to use them because it’s easier to use shitty programs. That’s maybe our own fault, because there aren’t really many articles about the importance of the integrated mechanisms, or they are simply outdated, and people might have no time or the mood to keep up with Microsoft’s changes. I dunno.

I’d like to close this little overview with the words that MS did not do a bad job with Redstone 4, even if Tabs are missing; the overall OS performance seems really smooth and I like that a lot of reported things are finally fixed.

3 thoughts on “Things to check after you upgraded to Windows 1803”

  1. Not an ordinary article!
    Checked your GitHub, did you abandon the GPO project?

    Thanks for your work!

