On Wednesday, Microsoft released another mystery patch, KB 3123862, which appears as an optional, unchecked patch in Windows Update and closely parallels last year's reviled Get Windows 10 patch, KB 3035583 -- a patch we're still fighting.
The patch itself seems innocuous. According to the KB article, it delivers "Updated capabilities to upgrade Windows 8.1 and Windows 7." The entire description for the patch consists of exactly one sentence:
The update adds capabilities to some computers that lets users easily learn about Windows 10 or start an upgrade to Windows 10.
There's no indication which computers, what the upgrade cycle looks like, or how systems will be modified to let users easily learn about Windows 10. I suppose there's an itinerant sheep herder on the Mongolian steppe who hasn't learned about Windows 10 -- come to think of it, probably not.
If you install the optional update, you find that KB 3123862 gives you brand-spanking-new copies of the following:
- Explorer.exe, the Windows File Explorer, and ExplorerFrame.dll, which contains supporting files -- icons, menus, bitmaps -- for Explorer.exe
- Shell32.dll, the heart of the Windows interface
- Authui.dll, which controls logins
If that doesn't send a chill up your spine, you haven't been following along.
The parallels to KB 3035583 are uncanny -- and disquieting. The original Get Windows 10 patch appeared in Windows Update on Mar. 27, 2015, without explanation, as an unchecked optional patch. The title was "Update enables additional capabilities for Windows Update notifications in Windows 8.1 and Windows 7 SP1," and the entire description was:
This update enables additional capabilities for Windows Update notifications when new updates are available to the user. It applies to a computer that is running Windows 8.1 or Windows 7 Service Pack 1 (SP1).
We didn't discover the true nature of the patch until a week later, when Gerard Himmelein at heise.de uncovered a nascent subsystem called GWX that was installed and set in motion by KB 3035583. Since that time, an entire industry has evolved to deal with the ramifications of the GWX infection, with GWX Control Panel leading the charge.
This new patch doesn't install anything in the GWX folder, nor does it flip any of the registry settings users have been using to block the forced march to Windows 10. As a matter of fact, at this point nobody seems to have any idea what it does.
How does the old Scotty saying go? "Fool me once, shame on you. Fool me twice, shame on me."