Microsoft releases 'Silver Bullet' patch KB 3024777 to eliminate KB 3004394

More information unfolds about the Windows Root Certification patch and its foibles

Another episode of the KB 3004394 saga is unfolding, as Microsoft releases a new patch, KB 3024777, specifically designed to take out this week's Black Tuesday fiasco, KB 3004394, on Windows 7 SP1 and Windows Server 2008 R2 SP1 machines. The story's a little more complicated than a simple Shootout at the OK Corral.

You'll recall this week's bête noire, KB 3004394. Issued on Tuesday, by Wednesday there were dozens of reports of problems with odd UAC prompts, Windows Diagnostic Tool error 8000706f7, failure on attempting to install the AMD Catalyst driver, Windows Defender error 2147023113, and several more. It's as if Microsoft didn't test the patch before releasing it. On Thursday, Microsoft yanked the patch and later advised in an Answers forum post that you should uninstall KB 3004394.

Today's a new day, and we have a new explanation -- and marching orders.

Microsoft has updated its KB 3004394 article to say that the problems only occur on Windows 7 SP1 and Windows Server 2008 R2 SP1:

We have found that this update is causing additional problems on computers that are running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the inability to install future updates. The KB 3004394 update does not cause any known problems on the other systems for which it is released. We recommend that you install the update on the other systems.

If you have not yet deployed KB 3004394 on Windows 7 SP1-based and Windows Server 2008 R2 SP1-based computers, we recommend that you delay installation until a new version of this update becomes available.

If you have already installed KB 3004394 on Windows 7 SP1-based and Windows Server 2008 R2 SP1-based computers that were not restarted after the update was installed, we recommend that you delay the restart if it is possible until more information is added to this article about a method to remove the update.

If the installation of KB 3004394 is causing problems on these computers, remove the update, and then restart the computers. The ability to remove Windows Updates through Control Panel may no longer function on some Windows 7 SP1-based and Windows Server 2008 R2 SP1-based computers after KB 3004394 is installed.

I don't see any advisory about problems with KB 3004394 on Windows 8/8.1 machines. As best I can tell, at this moment, KB 3004394 is offered on Windows 8/8.1 systems through Windows Update, but not on Windows 7 systems.

Last night, Microsoft released a new patch, KB 3024777. I call it a "Silver Bullet" patch because it's specifically aimed at eradicating the KB 3004394 patch. Here's how the KB article describes it:

The KB 3004394 update that was dated December 10, 2014, can cause additional problems on computers that are running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the inability to install future updates. This new update is available to remove KB 3004394 from your computer.

Which of course leads to a chicken-and-egg question: If installing KB 3004394 renders your machine incapable of installing future updates, why is Microsoft releasing this Silver Bullet update through the Windows Update chute?

Further confounding the issue, at least on my Windows 7 machines, the Silver Bullet patch doesn't appear on the Windows Update list unless KB 3004394 is installed. As best as I can tell, for those who didn't install KB 3004394 or those who took Microsoft's earlier recommendation and manually removed KB 3004394, the Silver Bullet doesn't even show up.

My guess is that those with Windows 7 SP1 or Server 2008 R2 SP1 machines, who have KB 3004394 installed but can't get any new updates to install (take a deep breath here), need to manually download and run KB 3024777 to ensure that KB 3004394 is terminated with extreme prejudice. Fortunately, there are download links on the KB 3024777 page.

There's some anecdotal evidence of the Silver Bullet's behavior. Poster myarmor on SevenForums says:

It seems this update removes kb3004394 and vanishes without a trace (except in History). Neither seems to be available in the uninstall list afterwards.

Poster Tibbies4Life, on the Norton Community forum, brings up a confusing situation:

I bit the bullet and ran new update KB3024777 and it updated successfully with one reboot. When I checked installed WU list, KB3004394 is still showing as successful install. However, when I checked my list of installed programs in Control Panel after applying KB3024777, KB3004394 is no longer listed as an installed update. So looks like KB3024777 successfully removed the nasty thing from my computer, but why wouldn't it remove it from list in WU page?

There's a detailed walkthrough of the KB 3024777 actions posted by guenni on Born's Tech and Windows World blog.

Reading between the lines -- several of them, actually -- it looks like this is what you should do:

  • On Windows 7 SP1/Server 2008 R2 SP1 machines: Crank up Windows Update. If KB 3024777 is listed, run it. If the installation fails, manually download the Silver Bullet and fire. Er, run it.
  • On Windows 8/8.1/Server 2012 machines: I wouldn't manually uninstall KB 3004394, if you have it, until Microsoft tells us more about potential conflicts.
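
To see where a given machine stands before following the steps above, the read-only PowerShell check below reports whether KB 3004394 is installed right now and, separately, what Windows Update history logged for both KBs; the history is a record of operations, so it can still list an update that is no longer installed. This is an added example, not part of the original article or Microsoft's guidance, and the function name and output fields are assumptions made for illustration.

```powershell
# Added example: read-only, changes nothing. Written for PowerShell 2.0 (Windows 7 SP1).
$BadKb = 'KB3004394'   # withdrawn update named in the article
$FixKb = 'KB3024777'   # removal update named in the article

function Get-RootCertPatchStatus {   # hypothetical name
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # 6.1.7601 = Windows 7 SP1 and Windows Server 2008 R2 SP1
    $affectedOs = ($os.Version -eq '6.1.7601')

    # Current state: is the package installed right now?
    $installed = [bool](Get-HotFix -Id $BadKb -ErrorAction SilentlyContinue)

    # Logged operations: Windows Update history keeps entries after removal.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $history  = @()
    if ($total -gt 0) {
        $history = @($searcher.QueryHistory(0, $total) |
            Where-Object { $_.Title -match "$BadKb|$FixKb" } |
            Select-Object Date, Title, Operation, ResultCode)
    }

    if ($affectedOs -and $installed) {
        $advice = "Install $FixKb (Windows Update, or the manual download if that fails)"
    } elseif ($affectedOs) {
        $advice = "$BadKb not installed; nothing to remove"
    } else {
        $advice = "OS not in the affected list; leave $BadKb alone for now"
    }

    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        OsVersion    = $os.Version
        AffectedOs   = $affectedOs
        BadKbPresent = $installed
        Advice       = $advice
        History      = $history
    }
}

$status = Get-RootCertPatchStatus
$status | Select-Object Computer, OsVersion, AffectedOs, BadKbPresent, Advice | Format-List
# Operation: 1 = install, 2 = uninstall. ResultCode: 2 = succeeded, 4 = failed.
$status.History | Sort-Object Date | Format-Table -AutoSize
```

A result of BadKbPresent = False alongside a succeeded install entry for KB3004394 in the history table is the same situation the Norton Community post describes.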

I don't see the original bad patch being offered on Windows 10 Tech Preview machines.

On the one hand, it's remarkable that Microsoft is fixing this patch so quickly. We Windows Victims have grown accustomed to botched patch fixes taking weeks, or even months. On the other hand, you have to wonder how (or even if!) this patch was tested before it was released.

Somehow the idea of Microsoft releasing a Silver Bullet patch that's solely devoted to killing another Microsoft-released patch makes me uneasy. Maybe Elon Musk is right.

Copyright © 2014 IDG Communications, Inc.