Two Soylentils wrote with a caution about a new strategy in Microsoft's playbook to get people to upgrade to Windows 10.
An Anonymous Coward writes:
That pesky Windows 10 forceware box...
This notification means your Windows 10 upgrade will occur at the time indicated, unless you select either Upgrade now or "Click here to change upgrade schedule or cancel scheduled upgrade". If you click on OK or on the red "X", you're all set for the upgrade and there is nothing further to do.
Windows 7 or 8.x users that want or need to hold on to their current operating systems may be in for a very unpleasant surprise. Microsoft has essentially changed their Windows 10 update notification from a very pushy "opt-in" to an "opt-out". The new notification automatically schedules a time to receive Windows 10. Clicking the "X", as many have gotten used to, no longer prevents installation. Those that do not pay close attention to this new notification may inadvertently wind up with Windows 10 even if they did not want it. Very sneaky stuff.
Microsoft has published an official article describing the changes.
Original Submission #1
Original Submission #2
Can't one just create the two folders and mark them as read only? Why do we need to run some external program? If we were to prevent writes to the folders, there would be little reason to monitor the status of the folders. Take full control away from admin and any related services and just leave it as read (if not read and execute) and nothing is going to be writing to it. Keep admin as owner so changes can be made otherwise later if needed. Admins can manage folders and files they are unable to access directly. At least, that is supposed to be how my long HR file is supposed to be secured. I'd treat this the same way.
If it were discovered that administratively defined custom restrictive settings were arbitrarily ignored by an update process, that is quite the vector for attack and would receive just as much outcry as the whole windows 10 thing does to begin with.
We know this happens with the hosts file -- MS has hardcoded values and does not need to look at the file. DNS blocking for specific updates/purposes needs to be done external to the windows machine itself, and preferably, done on a machine that isn't of the same version or later due to the likelihood of that windows machine/server hosting the same bypass mechanisms. Better to perhaps use linux or a cheap consumer router thing that can do dhcp and dns and block or contain static entries for specific FQDNs. (I am not stating that server 2008 or 2012 *will* allow such DNS resolutions even if you blackholed them/entered in fake info -- but I do know 2003 doesn't have the same entries in its DLLs that windows 7 does, and thus is ignorant of such hardcoded IP-to-DNS name resolutions. It carries out administrative action as defined by the admin, as opposed to as defined by MS).
That all detracts from my original question though -- why can't we create the folders and just set them as read only? I don't have spare licenses for win7 to practice this with, and would have to undo my other precautions to test it specifically.. but I'd feel more confident about preventing writes to those folders than I would about installing third party stuff, even if it is good third party stuff.
Maybe I am just bitter we have to take these precautions to begin with.
The setup file is only ~350 KB. The installed program itself has two components: the GUI front end (FileLocker.exe - 460 KB), and a filesystem driver (xlkfs.sys - 27 KB).
The program does not need to run as an always-on service or daemon. You just run the program EXE, configure the two folders to be inaccessible and then close the program. Its folder locking magic is done by built-in methods hacking the Windows API in conjunction with the filesystem driver; it does not use the ACL/permissions system built into Windows.
The installation scripts built into the Windows updates can easily reconfigure file/folder permissions set by conventional means or commands.
This program (Easy File Locker) works like a white-hat version of a ransomware virus... and the password (if you have set one) is known to you; read the FAQ page for more info. The author is renowned for creating robust 'security' software; his other program 'Shadow Defender' is a brilliant piece of coding and highly recommended.
This was one of my methods to block updates - use NTFS permissions to Deny write/delete/change-permission access to those folders and its contents to Everyone. As you say, if even Windows processes can ignore these settings, then it may point to a serious hole in the NTFS drivers.
I say "was", since this was before I gave GWX control panel a try quite a while back. Certainly possible MS may get the installer to reset the permissions on the folders these days though, seeing as the installer runs at such high privileges.
The program option is always good for non-technical folk though, as long as you know what it is doing. Hard to say if that applies to an up-to-date patched copy of Windows these days.
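
The NTFS approach discussed in the comments above (a Deny entry for Everyone covering write, delete and change-permission) can be paired with a check that is re-run after each update cycle to see whether the entry is still in place. This is an added example, not code from any commenter; the folder paths are placeholders because the thread does not name the two folders, and the function names are hypothetical.

```powershell
# Added example. Run from an elevated prompt. Paths are PLACEHOLDERS:
# the thread does not name the two folders.
$Folders = @('C:\PLACEHOLDER-folder-1', 'C:\PLACEHOLDER-folder-2')

# Rights named in the comment: write, delete, change-permission.
$DenyRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions'
# Well-known SID for Everyone (independent of the OS display language).
$Everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

function Add-DenyWriteAce {   # hypothetical helper name
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -Path $Path
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Everyone, $DenyRights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DenyWriteAce {  # hypothetical helper name
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -Path $Path
    # Explicit (non-inherited) rules only, identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and
            $r.IdentityReference.Value -eq $Everyone.Value -and
            ([int]$r.FileSystemRights -band [int]$DenyRights) -eq [int]$DenyRights) {
            return $true
        }
    }
    return $false
}

# Apply once, then re-run only the check after updates to detect a reset.
foreach ($f in $Folders) {
    if (-not (Test-DenyWriteAce -Path $f)) { Add-DenyWriteAce -Path $f }
    '{0}: deny entry present = {1}' -f $f, (Test-DenyWriteAce -Path $f)
}
```

A `False` from `Test-DenyWriteAce` on a folder that previously reported `True` indicates the permissions were changed by something after they were set.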