How to install KB2554746 despite Domain Policy
So I had a minor wtf issue escalated to me from the plebs on the third line today. They were trying install KB2554746 on a specialty Windoze Seven WS. (Required for workflow with our application.) The system was registered on the domain, the put behind a NATPAT router in a pretty hard to get to location.
So of course customer IT had disabled hotfixes per group policy and of course Microsoft in its endless consistency does not provide an offline installer for this one. The customer domain muppet, err admin, was unable to resolve this issue by getting the PC off the domain for a bit or doing anything useful. He kept trying to install the x86 version of that thing on his personal 64-bit laptop because that is good sense.
The customer was whining they'd cancel their support contract if this was not resolved within the hour. So I installed this windows update the one true way:
Install kb on my own machine. Kill windows update service via net stop on customer machine. Rename .dlls affected by the kb on customer machine. Copy and paste in updated .dlls from my machine. Cry about the death of IT best practice.
And then Windows SFC/File Protection/Whatever notes that the dll files aren't registered in the One True Source of Windows Files and replaces them with "Known Good" ones?
@Tsaukpaetra Ah, but they are signed with the magic key. This might actually work, since they're things that MS does expect to exist. Theoretically, it could fall afoul of a few things, but they're pretty unlikely.
I offer for people wanting to get rid of their eyes after thinking about this episode.
since they're things that MS does expect to exist.
They may be signed, but other file indicators used in the check maybe not so much. But I'm not SFC, so who knows?
They may be signed, but other file indicators used in the check maybe not so much.
Most of those checks have been moved over to being signature-based, since those are much more reliable (it being significantly more difficult to screw those up in a hostile way). There is the possibility of a manifest locking things out, but that's relatively unlikely as it would be hard to keep correct except in the most locked-down environments. Also, @royal_poet is authorised and able to copy over a correct manifest…
since those are much more reliable
They also can serve the "Is this file not corrupt" check, since the likelihood that the file is both corrupted and has a valid certificate is effectively 0.