Incorrect file versions getting restored on removing patches

Hello. My name is Digvijay Nath, and I’m a Technical Lead with the Windows Performance team at Microsoft. This is a short blog on installation and removal of updates and hotfixes and their effects.

Consider the following scenario –

We have a system binary with the version 5.2.3790.4043. You install an update, say KB2507938, which updates this DLL to version 5.2.3790.4860. Later you install another update, KB2567680, which updates the same DLL to version 5.2.3790.4877.

For some reason you want to remove these 2 updates.

Scenario 1:

You remove the patches in “first in, first out” (FIFO) order. You first uninstall KB2507938, and the uninstaller warns that KB2567680 (which supersedes this update) will not work. You remove the patch and reboot the server. After the reboot, the version of the file changes to 5.2.3790.4043.

You then remove KB2567680, and after the reboot, the version of the file changes to 5.2.3790.4860.

Scenario 2:

You remove the patches in “last in, first out” (LIFO) order. You first remove KB2567680, and the version of the file changes to 5.2.3790.4860. You then remove KB2507938 and reboot, and the file version changes to 5.2.3790.4043.

More Information:

The version of the file restored after removing a patch depends on the version of the file present when *that* particular update was installed. When a patch is installed, Update.exe backs up the present file in the $NTUninstallKBxxxxxx$ folder so that it can restore the same file if the patch is uninstalled.

So, if you remove an intermediary patch, the file version would be changed to the one that was present when the intermediary patch was installed, even when you have a newer patch that supersedes the intermediary patch installed on the server.

A  -->  B  -->  C

So, removing patch B would restore the file to version A, even though it is currently at version C.

The copy or replacement of a file updated by a patch happens only after the reboot, during session startup by the Session Manager, because the file may be in use when the patch is installed or uninstalled. At that point the System File Protection mechanism has no control to prevent a newer version of the file from being overwritten by an older one. Hence an older file can end up in place even while a newer version of the fix is installed.
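The backup-and-restore behavior described above can be modeled in a few lines. The following Python sketch is an added example, not Microsoft's code or Update.exe's actual logic; the class and function names are hypothetical. It replays the two removal orders from the scenarios and flags when the on-disk version no longer matches what the still-installed updates should provide.

```python
# Added illustration: a model of the per-patch backup behaviour described above.
# Not Update.exe's logic; PatchedFile, run() and vtuple() are hypothetical names.

def vtuple(v):
    """'5.2.3790.4860' -> (5, 2, 3790, 4860) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

class PatchedFile:
    def __init__(self, baseline):
        self.baseline = baseline
        self.on_disk = baseline
        self.backups = {}   # kb -> version saved in that KB's uninstall folder
        self.shipped = {}   # kb -> version delivered by a KB that is still installed

    def install(self, kb, version):
        self.backups[kb] = self.on_disk   # back up whatever is present right now
        self.shipped[kb] = version
        self.on_disk = version

    def uninstall(self, kb):
        # The backup is restored as-is; nothing compares it to the current version.
        self.on_disk = self.backups.pop(kb)
        del self.shipped[kb]
        return self.on_disk

    def expected(self):
        """Version the file should have, given the KBs still installed."""
        if not self.shipped:
            return self.baseline
        return max(self.shipped.values(), key=vtuple)

    def consistent(self):
        return self.on_disk == self.expected()

def run(order):
    """Install both updates from the scenario, then remove them in `order`."""
    f = PatchedFile("5.2.3790.4043")
    f.install("KB2507938", "5.2.3790.4860")
    f.install("KB2567680", "5.2.3790.4877")
    trace = []
    for kb in order:
        f.uninstall(kb)
        trace.append((kb, f.on_disk, f.consistent()))
    return trace

FIFO = run(["KB2507938", "KB2567680"])   # Scenario 1
LIFO = run(["KB2567680", "KB2507938"])   # Scenario 2
```

In the FIFO trace the first removal leaves the file at the baseline version while KB2567680 is still recorded as installed, which is the state an inventory that only checks for installed KB numbers would miss; comparing the actual file version against the expected one catches it.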

IMPORTANT NOTE:

Microsoft does not have any policy, nor does it make any recommendation, to remove security patches/hotfixes. Microsoft releases patches to address exposed vulnerabilities and to fix issues with the OS. If there is any need to remove patches, you should follow the LIFO method so that the correct file versions are restored.

Please also note that the above information is more relevant to Windows XP/2003. I will be following this blog up with another one which talks about the behavior in Windows Vista/Windows 7, as the servicing stack has been completely revamped in these operating systems.

For more information, please review the following:

GDR, QFE, LDR... WTH?
https://blogs.technet.com/b/mrsnrub/archive/2009/05/14/gdr-qfe-ldr-wth.aspx

Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages
https://support.microsoft.com/kb/824994

What is the difference between general distribution and limited distribution releases?
https://blogs.msdn.com/b/windowsvistanow/archive/2008/03/11/what-is-the-difference-between-general-distribution-and-limited-distribution-releases.aspx

Digvijay Nath
Technical Lead
Windows Performance team

Comments

  • Anonymous
    June 08, 2012
    Hey Digvijay,
    This is a very nice blog post which discusses about the removing patches. Thanks for sharing. I have few more questions which are still unanswered in this area. When uninstalling any patches, We found some issue with that patch/patches hence we attempt to remove same. Is there any tracking done on the patch file level to retain least version of DLL instead of current version of DLL in system?
    Base version v0 for file.dll
    Patch 1 contain File.dll - v1
    Patch 2 contain File.dll - v2
    Patch 3 contain file.dll - v3
    Now we installed patch 3 directly on the system and DLL version changed to v3. When I uninstall this patch, using $NT** I will again go back to v0. When we remove $NT** folders from the Windows Folders (many times I have seen customers removing these folders due to space issue). Due to some issue, I want to remove few patches installed on the system. In this situation - is there any system from where I can download older version files from any authoritative source which will give me the old version of files specific to patch? I am not sure who can answer these questions but thought putting it up so that at least we can move forward considering these hurdles.
    Thank you.
    Regards,
    --S a r v e s h
  • Anonymous
    June 18, 2012
    Nice article. Looking forward for the next one on Windows 7. Few other links which may help the readers
    How does Windows choose which version of a file to install?
    blogs.technet.com/.../how-does-windows-choose-which-version-of-a-file-to-install.aspx
    Windows Hotfixes and Updates - How do they work?
    blogs.msdn.com/.../windows-hotfixes-and-updates-how-do-they-work.aspx