Is Windows 10 ignoring sysadmins' network QoS settings?

An Australian sysadmin frustrated with his business' sudden loss of performance has sparked a conversation about whether Windows 10 is behaving badly on network connections. To jump well into the discussion thread that points the finger at Microsoft: “We have had reports now from several people, not all our clients, reporting …

  1. streaky

    "What do our sysadmin readers think?"

    WSUS. That's what I think.

    But yeah, trash. Let's not even discuss the win 10 store connections for completely unrelated apps that never even came from the store.

    1. Anonymous Coward

      Re: "What do our sysadmin readers think?"

      $ ssh root@server

      Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-74-generic x86_64)

      * Documentation: https://help.ubuntu.com/

      Last login: Thu Jun 9 09:00:20 2016 from 10.87.130.21

      root@server:~# apt-get install wsus

      Reading package lists... Done

      Building dependency tree

      Reading state information... Done

      E: Unable to locate package wsus

      1. streaky

        Re: "What do our sysadmin readers think?"

        Funny you should mention that: I've been working for a while on what I think is the first third-party implementation of a SUS server (it's a well-documented open standard - no really) and it happens to be Open Source and also, y'know, runs on Linux (for updating Windows hosts) :)

        1. Anonymous Coward

          Re: "What do our sysadmin readers think?"

          I recall researching the problem a few months back and drawing blanks. There was some commercial solution, but nothing distributed in the standard repositories.

          Normally "WSUS" refers to the Microsoft implementation, which is only shipped with Windows Server. A very expensive piece of software to perform what is essentially just a caching proxy server role.

  2. Anonymous Coward
    Childcatcher

    Ho hum time for another VLAN

    Today I created a VLAN, at work, called SEWER purely for a set of devices too dodgy to go on the THINGS VLAN. THINGS was for IoT stuff like tellys, cameras and the like and brave real systems with a carefully crafted firewall and rather more HIDS and monitoring than the usual. SEWER devices are just a bit odd(er) to be honest.

    It seems I will now need a CESSPOOL VLAN for Windows 10 PCs with even more stringent checks.

  3. veti Silver badge

    Microsoft/Akamai?

    It's not quite clear whether people are talking about updates to an existing copy of Windows 10, or the rammed-down-the-throat upgrades being applied to existing Windows 7 and 8.1 systems. From the involvement of Akamai, I can't imagine these are regular updates. Surely not even Microsoft would be insane enough to outsource those.

    If Microsoft has engaged Akamai somehow to push their thrice-cursed upgrades, then that might also go some way to explain the tactics that have been deployed. (Particularly if Akamai is paid by the download.)

    1. Adam 52 Silver badge

      Re: Microsoft/Akamai?

      Still amusing that Azure CDN clearly wasn't up to the job.

    2. Bob Vistakin
      Pint

      Re: Microsoft/Akamai?

      "thrice-cursed upgrades"

      Have an upvote.

    3. Anonymous Coward

      Re: Microsoft/Akamai?

      Microsoft used to - not sure if they still do - sell their software via Digital River. It was a steaming pile of rubbish, little support, failed to allow you to enter basic details, etc.

      If they couldn't even do ecommerce (when everyone else seemed to have managed it) I'm not surprised if they have to outsource their CDN.

    4. Zoopy

      Re: Microsoft/Akamai?

      Assuming Microsoft cryptographically signs their updates, why would it matter if they used Akamai or any other CDN to distribute the actual files?

  4. aberglas

    My home network unusable

    Installed windows 10 + office, and there are dozens of gigabytes of downloads. New C drive went from 12 gig after install to 50 gig now and growing.

    On a 2 megabit ADSL, and it clobbers everything.

    There are rumours that gpedit can throttle the BITS, but did not work for me.

    Also llnw downloads, is MS using them too? All hidden behind the svchost.

    Anyway, Gargoyle to the rescue, throttles the IP, seems to work despite this article. Although Gargoyle itself has been crashing recently.

    1. Anonymous Coward

      Re: My home network unusable

      "On a 2 megabit ADSL, and it clobbers everything."

      Pity the poor buggers on the end of a satellite phone or dial up. The sort of people who have to turn off HTML in their email ...

      There are plenty of them across the world, say in huge swathes across Africa, large parts of Asia, masses in South America etc etc and I'm sure they are loving the free upgrade.

    2. DryBones

      Re: My home network unusable

      That'd be Windows 10 trying to serve updates to the rest of the world from your computer, I think. Turn that option off under Advanced Options in Updates.

      1. Roland6 Silver badge

        Re: My home network unusable

        Set your network connection(s) to 'metered'.

        WiFi is obvious in the settings, for fixed LAN see:

        https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/how-to-set-an-ethernet-connection-as-metered-to/ecdaca08-d413-4a6a-9e33-b4afb337fc18?auth=1

      2. cdmdotnet

        Re: My home network unusable

        One additional thing I've not tested but heard might be a work-around is marking the network connection as a metered connection. Apparently this stops the connection being used (even if it's wired or wireless) for collecting updates in the background. I have no idea what other consequences this has, and it might not help out much at all, but hey, worth a try and sharing if it works or not.

  5. Anonymous Coward
    Linux

    Re-read and remember

    If I recall correctly, Win10 sans WSUS will act a bit like a Bittorrent client and advertise itself and start sharing. The article mentions that the sysadmin has an alternative patching mechanism and hence this may have kicked in ... along with a nasty looking bug.

    This is purely speculation on my part but hey, I'm a commentard.

    I suggest that MS restrict themselves to doling out their malware themselves or via Akamai and Co. They charge their customers for their OS. No other OS vendor has tried to hijack their customers' connection like this, that I'm aware of. Most Linux/*BSD distros don't even get to charge at all and none of them have even contemplated this nonsense. Apple gets the moral high ground here as well *haaaaawk* ... *spt-ing*.

    1. a_yank_lurker

      Re: Re-read and remember

      @ gerdesj, I remember reading something about W10 acting like a torrent client for updates awhile back and the report was apparently straight from Slurp. If my memory is correct, using users' machines as part of a torrent stream strikes me as below dodgy since most people do actually have monthly data cap even if it is quite large.

      1. Anonymous Coward

        Re: Re-read and remember

        There is a peer to peer.

        Any half competent sys-admin knows

        a) how to disable the peer to peer going out to the internet

        b) How to disable it completely

        c) how to stop auto-updates.

        Even if you do have auto-updates running, change the bloody schedules!

        1. Kiwi

          Re: Re-read and remember

          Any half competent sys-admin knows

          Most Windows users aren't competent system admins or even competent computer users (why would they be using Windows if they were? :) ) - most are home users who may be extremely competent in other fields but not computers.

          a) how to disable the peer to peer going out to the internet

          Most Windows users would not have a clue about that.

          b) How to disable it completely

          Most Windows users would not have a clue about that.

          c) how to stop auto-updates.

          Most Windows users would not have a clue about that.

          Even if you do have auto-updates running, change the bloody schedules!

          Most Windows users would not have a clue about how to do that!

      2. TonyJ

        Re: Re-read and remember

        "...most people do actually have monthly data cap even if it is quite large.."

        Not justifying this in any way (and I had the whole torrent-style of sharing/downloading updates turned off from the get-go), but most people's caps are for download only.

        Now I can see why this would be a decent idea for machines on the same LAN segment that are behind a slow link, but come on MS...that's one of the things WSUS is for.

        1. SImon Hobson Bronze badge

          Re: Re-read and remember

          > but most people's caps are for download only.

          I doubt that.

          While I'm now on an "unmetered" tariff and VDSL (FTTC in the UK), my previous ADSL tariff with the same ISP metered traffic both ways. I'm fairly certain that this is not uncommon.

          But anyway, people have mentioned slow connections - but even "modestly fast" connections (like the 6Mbps ADSL I used to have) often have much slower uplinks (442kbps before overheads for ADSL is typical in the UK). Hence acting as a torrent peer is going to royally screw your uplink, and therefore your latency, and therefore make anything interactive turn into "an unpleasant experience".

  6. Steve Davies 3 Silver badge
    FAIL

    And still people want to use this POS?

    After all their previous issues with networking going back to Windows 3.0/3.1 I am actually saddened that MS puts out software that behaves like this.

    It is almost as if the droids in Redmond are deliberately ignoring the fact that most of the world is not on 100Mbit Connections (not ADSL either).

    So come you MS fanbois, defend this?

    My decision to never use W10 that I made last October seems to be even wiser every day.

    IMHO, it is a POS and not fit to wipe your arse when doing No 2's.

    Sadly, MS won't do anything to fix the problems. They are in 'la-la-la-la-la-can't hear you land' at the moment.

    Such a shame. They could have made a really good OS instead... they failed, miserably (IMHO)

    1. chivo243 Silver badge
      Windows

      Re: And still people want to use this POS?

      @Steve Davies 3

      I've not touched a Win10 install. The handful of visiting vendor techs that are using them like the OS itself. However, the slurp factor, and all of the underhanded crap that is also part of the Win10 experience has put us off to put it mildly and politely.

      I think you have nailed it, the C and D levels at MS are living in la la la la land, fingers in ears, collecting a big salary on a regular basis. As long as their fat salaries are being paid I'm sure they're living large in another reality.

      Unlike us, see icon: -------------------------------------------------------------------------------^

    2. Peter G Green

      Re: And still people want to use this POS?

      While there are a couple of caveats with using Windows 10, overall, once you've stopped the persistent reporting back to MS (try this AntiBeacon tool: https://www.safer-networking.org/2015/spybot-anti-beacon-privacy-protection-tool/), uninstalled all the apps you'll never use (Sway, Sport, Candy bl**dy crush) and sorted your privacy settings, it's actually pretty good to use.

      OK, I'd still prefer a more stripped down version of Windows (ala XP) but you have to move with the times and Windows 10 is a return to form after the disaster that was Windows 8.

      I don't feel it deserves the rant you've posted.

      1. Aoyagi Aichou

        @Peter G Green

        The update policies, which include driver updates through Windows Update, alone deserve that kind of a rant. As does the amount of work one has to do to make the OS not "pretty good to use" as you claim, but "about as good as Windows 7 to use".

        1. Peter G Green

          Re: @Peter G Green

          I didn't say it was perfect. With the way I set up Windows 10 (which is "Minimal" and that should actually be an install option), I actually prefer it to Windows 7. I still prefer Windows XP where everything just worked and feel that both Windows 7 and Windows 10 could learn lessons in usability from Windows XP, but I think Windows 10 is a fine OS.

          <Divergence> For any old-timers who use SUBST on local drives for development purposes, has anyone found a Windows 10 method of getting SUBST to work in both "Normal" mode and "Elevated" mode at startup? This is one of the other caveats of Windows 10 use :-) </Divergence>

      2. Roland6 Silver badge

        Re: And still people want to use this POS?

        once you've stopped the persistent reporting back to MS ..., uninstalled all the apps you'll never use ... and sorted your privacy settings, it's actually pretty good to use.

        Now do that on the other systems in your house and then the parents and other family systems you are supporting... and repeat every so often as MS has a habit of messing things up with its periodic major updates...

        Perhaps instead of Classic Shell and Start8/10 we need an XP Shell/StartXP which automatically do all of the stripping out of Win10 and make it as well behaved as XP/7...

  7. TReko
    Mushroom

    Office 2016

    It's not just Windows 10 updates that ignore TCP standard holdoffs, Office 2016 updates will do it too.

    These can easily bring a network to a standstill, unfortunately.

    1. Anonymous Coward

      Re: Office 2016

      Is it actually Windows 10/Office or is it Akamai?

      I know for a fact they've made major changes to the TCP congestion backoff on their kit. Buried in their site somewhere they even advertise it as a benefit, which is great until congestion occurs because you _are_ on a crappy link.

      1. Chromatix

        Re: Office 2016

        It's got to be Akamai. That sort of fundamental breakage of TCP congestion control can't happen client-side, not if it wants the lost packets to be retransmitted so it actually gets them.

        I've seen servers that ignore ECN marking recently, but they at least still respond to the packet drops which inevitably happen when the queue overflows. They're misbehaving, but in a sort-of manageable way.

        This, though - this is *evil*. It's undoing the mid-1980s work which got the Internet running again after the Great Congestion Collapse Event. It needs to be stopped - NOW.

  8. Sebastian A

    You're no longer a customer, you're a product.

    And product has to shut up and sit on the shelf for the actual customer, namely advertisers.

  9. Oengus

    W10 testing regimen

    It is almost as if the droids in Redmond are deliberately ignoring the fact that most of the world is not on 100Mbit Connections (not ADSL either).

    You mean that everyone doesn't have 100MBit connections? Well I'll be damned. Everyone I know has at least 100Mbits available to them. </sarcasm>

    Whatever is responsible was probably tested (assuming someone did some testing) on an isolated single user environment inside the corporate headquarters then pushed out to the Basic/Home users to do the real testing. Isn't it M$'s policy to have the W10 basic users test the patches before rolling them out to the Pro/Enterprise community?

    1. Sebastian A

      Re: W10 testing regimen

      Pffft, every PC I deal with has 100Mbit if not a gigabit.

      To the switch.

      After that, 8 MBit is common.

  10. J__M__M

    a quiz

    Right now I have 6 VMs running on this machine... guess which one just can't seem to shut up until I remove the default gateway or otherwise kill its internet access?

    1. Win 7

    2. Win 7

    3. Win XP

    4. Server 2008

    5. Server 2012R2 Core

    6. Win 10

    1. Hans 1
      Holmes

      Re: a quiz

      1 and 2 are the same answers, is that a give-away ? Noo, that would be too easy, 3 has been out for decades, probably misses a few security updates since it EOL'd and is infested with malware? Hm, the servers ? Nooooo, ok, hmmm, OHHHHHHHHH, BINGO!!!!!!!! THERE, Windows 10, Ok, MUST BE 6.

      Do I win anything, today?

      1. DryBones
        Trollface

        Re: a quiz

        Yes! You have won the coveted No Prize.

  11. Anonymous Coward
    Terminator

    There's a storm coming.

    (Wasn't expecting it to be a packet storm.. but it's obvious now)

  12. bombastic bob Silver badge

    I noticed this a year ago during the 'insider' program

    I noticed this same thing a year ago during the 'insider' program. I complained about it. A *LOT*. I have limited bandwidth available, and Microsoft was _STEALING_ it whenever they *FELT* like it, which might be while I'm listening to streaming radio or something. It was part of my argument *AGAINST* the "not being able to control WHEN windows updates 'happen'".

    THAT obviously landed on DEAF ears. Micro-shaft does not care what customers want. Micro-shaft is doing everything in Win-10-nic for their OWN benefit, SCREW everyone else.

    1. James 51

      Re: I noticed this a year ago during the 'insider' program

      Until I read the name I thought this was amanfrommars1 who had taken some dried frog pills.

  13. Anonymous Coward

    Be quiet citizen

    Advertising is good.

    Big business is good.

    If you don't share then you don't care.

    You will comply.

    1. Myvekk

      Re: Be quiet citizen

      They Live!

      [quote]

      "I have come here to chew bubble gum and kick ass! And I'm all out of bubble gum."

      [/quote]

  14. Anonymous Coward

    M$ using torrent is fine

    After all, I get ALL of my MicroShit products via torrents!!!!

    Anon for obvious reasons

  15. chopsywa

    I posted the original article on Whirlpool. What makes it particularly nasty is that it is all done on port 80. Presumably Microsoft want their updates to work even when users are behind diligent sysadmins' firewalls. This is doubly nasty. You can't block port 80 or you block browsing. You can't block Akamai, or you block legitimate and well behaved services. I am hoping I can find a header identifier in the traffic that I can use to block the Windows 10 / Office 2016 updates at layer 7 for now.

    I just hope people who can fix this at the source are taking notice and do something about it. They are breaking the Internet....literally.

    1. Dr Spork
      Alien

      Welcome to The Reg

    2. Missing Semicolon Silver badge
      Boffin

      @ chopsywa

      Thanks for dropping by!

      What immediately occurred to me is that the bad behaviour you have seen is coming from the TCP/IP stack in Windows, not just the Microsoft update processes. Does that mean that any outgoing connection from a Win10 box will result in the same packet storm if you choose to throttle it?

      1. chopsywa

        Re: @ chopsywa

        I haven't seen any other traffic causing an issue. It is specifically the update process and it is the inbound traffic that runs amok. I thought it might be a flood of syn acks as I had seen a huge surge in connections (several thousand in several seconds) that then died down. However, the packet trace I took whilst the problem was occurring seems to indicate that the connections are fully open and the sending server (Akamai) is just hammering the external interface even though the router is dropping packets to try to throttle the connections back.

    3. reecem27

      "You can't block Akamai, or you block legitimate and well behaved services"

      What other well-behaved Akamai served resources do you use?

      Can you run a 'fixed' hosts file on your AD DNS server that forces all *.akamai.* to lookup as 127.0.0.1?

      Or create a GPO script with a schedule that stops and disables the windows update service

      with "net stop wuauserv" and "sc config wuauserv start= disabled". Then do the reverse when you wish to allow the PCs to update?

      1. chopsywa

        Re: "You can't block Akamai, or you block legitimate and well behaved services"

        It is a shared tenants' connection, so we can't simply block Akamai.

  16. Medixstiff

    Speaking of Windoze 10.

    I found one staff member's PC this morning with the "Get Windows 10" notification in the tray.

    He's not an Admin.

    It's on a Domain with WSUS updates (which M$ says won't get Windows 10)

    Yet I had to uninstall these updates:

    wusa /uninstall /kb:2952664 /norestart

    wusa /uninstall /kb:3035583 /norestart

    wusa /uninstall /kb:3068708 /norestart

    wusa /uninstall /kb:3080149 /norestart

    So now I'm wondering if it's something like the annoying Windows 10 pop-ups that MSN Australia has been pushing out, somehow pushing out the updates if the user clicks on the ad. accidentally?

    1. Roland6 Silver badge

      Re: Speaking of Windoze 10.

      May have installed via the IE update and the user dismissed the IE GWX pop-up 'incorrectly'...

    2. Joe User

      Re: Speaking of Windoze 10.

      Run this registry file on the machine:

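      Windows Registry Editor Version 5.00

      ; Root keys are written out in full: .reg files do not accept the HKLM abbreviation.

      ; Block the OS upgrade offer through Windows Update
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
      "DisableOSUpgrade"=dword:00000001

      ; Disable the "Get Windows 10" (GWX) prompt
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GWX]
      "DisableGWX"=dword:00000001

      ; Disallow upgrade reservations
      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade]
      "ReservationsAllowed"=dword:00000000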

      Even with those updates installed, you won't get prompted for a Windows 10 upgrade (that is, until Microsoft decides to ignore these keys...).
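
A read-only check of the settings named in this sub-thread (the three registry values from the .reg file above and the four KB numbers listed earlier), added here as a PowerShell example that is not from any poster. The function names are hypothetical, and it assumes Windows PowerShell run locally on the machine being checked.

```powershell
# Added example: audits, but never changes, the settings discussed above.
# Registry paths/values and KB numbers are copied from the posts in this
# thread; the function names are hypothetical.

$ExpectedPolicy = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name = 'DisableOSUpgrade';    Want = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\GWX'
       Name = 'DisableGWX';          Want = 1 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade'
       Name = 'ReservationsAllowed'; Want = 0 }
)
$UpgradeKBs = 'KB2952664', 'KB3035583', 'KB3068708', 'KB3080149'

function Get-UpgradePolicyState {
    # One result object per expected value. State is one of:
    #   OK, Mismatch, WrongType, ValueMissing, KeyMissing
    foreach ($item in $ExpectedPolicy) {
        $actual = $null
        $kind   = $null
        $state  = 'KeyMissing'

        if (Test-Path -LiteralPath $item.Path) {
            $state = 'ValueMissing'
            $props = Get-ItemProperty -LiteralPath $item.Path -ErrorAction SilentlyContinue
            # $props is $null when the key exists but holds no values
            if ($props -and $props.PSObject.Properties[$item.Name]) {
                $actual = $props.PSObject.Properties[$item.Name].Value
                $kind   = (Get-Item -LiteralPath $item.Path).GetValueKind($item.Name)
                if ($kind -ne 'DWord') {
                    # The .reg file writes dword values; flag anything else
                    $state = 'WrongType'
                } elseif ($actual -eq $item.Want) {
                    $state = 'OK'
                } else {
                    $state = 'Mismatch'
                }
            }
        }

        New-Object PSObject -Property @{
            Path   = $item.Path
            Name   = $item.Name
            Want   = $item.Want
            Actual = $actual
            Kind   = $kind
            State  = $state
        } | Select-Object Name, Want, Actual, Kind, State, Path
    }
}

function Get-UpgradeHotfixState {
    # Reports whether each KB named in the thread is currently installed.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.HotFixID })
    foreach ($kb in $UpgradeKBs) {
        New-Object PSObject -Property @{
            KB        = $kb
            Installed = ($installed -contains $kb)
        } | Select-Object KB, Installed
    }
}

# Print both reports for the local machine
Get-UpgradePolicyState | Format-Table Name, Want, Actual, Kind, State -AutoSize
Get-UpgradeHotfixState | Format-Table -AutoSize
```

Run on a schedule, the `State` column shows whether a later update has removed or reset any of the values, which is the drift the post above anticipates.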

  17. lansalot

    Branchcache and WSUS - should solve most of his issues.

    1. chopsywa

      Pretty much any patch management server will. However, not everyone has this and in my instance I have a router in the basement of a multi-tenant building sharing a fibre connection. The tenants are all connecting to my router via PPPoE and they all receive a public IP. The router does fair queueing and prioritises VOIP. For two years it has worked like a dream and usage graphs show that the link is often saturated for a good part of a working day, yet phone calls are crystal clear and no complaints about speed.

  18. Anonymous South African Coward Bronze badge

    grc.com and never10.exe for those straggling few PCs having their tootsies stomped on by GWX

    I am not impressed, we also get a hammering on our network as there are three or four W10 viruses spewing forth their vitriol here.

    Earlier in the year I relented and allowed my laptop to be upgraded to W10 - and regretted it two days after... now I'm very anti-win10 and want that particular nasty virus to go away and never return.

    It's worse than Cryptolocker. With crypto you just nuke the offending PC, restore a good backup and you're back in business... with win10 if you throttle port 80 or any port it uses, then people will moan and complain... no way for you to save face here.

  19. Stuporhero

    Windows 10, amazing for some reasons, awful for others

    Damn it. Microsoft nearly had it right with Windows 10.

    Updates in the Kernel for better performance - YES

    Improvements to the audio system leading to very low audio latency when using USB audio devices - YES

    Improved DirectX for gamers - YES

    Return of the Start menu - YES

    I even like the look, though beauty is in the eye of the beholder.

    But those privacy issues and their update system need to die pronto. Hell, I'd be happy to kill the universal apps too for my usage.

    1. James 51

      Re: Windows 10, amazing for some reasons, awful for others

      Even if they kill the privacy stuff they can bring it back in with an update you can't refuse.

    2. Bloakey1

      Re: Windows 10, amazing for some reasons, awful for others

      Tying things down should be relatively easy with a decent firewall and judicious use of the hosts file

      I am more concerned about the privacy issues of using Akamai, the NSA etc. See below for an informative post on the issue:

      http://tinyurl.com/jr5waw6

      1. TonyJ

        Re: Windows 10, amazing for some reasons, awful for others

        "...Tying things down should be relatively easy with a decent firewall and judicious use of the hosts file.."

        You do realise the OS ignores the hosts file for certain domains, don't you, and has for years?

        Some sites are hard coded into DNSAPI.DLL - can you guess whose?

        1. Roland6 Silver badge

          Re: Windows 10, amazing for some reasons, awful for others

          Some sites are hard coded into DNSAPI.DLL

          Outpost firewall gets those, unfortunately the product has been withdrawn and is now well into its final year of support - Yandex bought Agnitum back in Dec 2015...

  20. Aqua Marina

    Me too!

    Me too. When I try to upload a video to my you-tube site, for the duration of the upload, I (and anyone else on my network) am unable to browse the internet. It's as tho Win 10 just floods the router.

  21. 404

    Holy shit.. THAT'S why Microsoft bought Skype...

    Ever try to block Skype on your network?

    Fuck a duck....

    1. Anonymous Coward
      Big Brother

      Re: Holy shit.. THAT'S why Microsoft bought Skype...

      You quite sure that's the only reason?

      1. 404

        Re: Holy shit.. THAT'S why Microsoft bought Skype...

        Of course not. Just considering the software/port agility that Skype demonstrates in making a phone call if used with other applications and/or scams... Damn.

    2. MHammett

      Re: Holy shit.. THAT'S why Microsoft bought Skype...

      You do realize that's intentional on Skype's behalf, right? It's purposely difficult to stop.

  22. A Ghost
    IT Angle

    I was a 'victim' of this the other day

    Not in a sysadmin role, but as a customer of an organisation.

    I was on the phone to some people who are helping me out in what has actually become a life or death situation.

    There were some developments that I had to deal with there and then, but the lady who was helping me told me that she could not access her computer 'again' as it was updating and she was unable to pull my files from the database.

    I asked her what exactly was updating and she read me the contents of the message box that had hi-jacked her machine - Windows 10.

    She apologised and asked me to ring back later that afternoon and hopefully it would be 'sorted' by then.

    We are getting very close to people losing life and limb here, such is the extreme gravity of this situation. It can not be allowed to continue. Microsoft must be made to pay. I will be punishing them by never using a microsoft product, 'free' or paid, for the rest of my life. I also won't deal with any computer that uses a microsoft operating system above windows 7. No big deal, I'm not a big computer repair shop, but I do what I can, and that won't involve microsoft anymore.

    So not only has this restricted use of my own personal machine by hi-jacking my cpu and making the machine unusable at times, it also made me unable to change my ISP from TT to BT because I couldn't stop it sucking down 50GB plus per month (not allowed on the BT package - the best one btw).

    And now it is directly affecting my life, making me unable to access certain social/medical services that I am desperately in need of. The best part being that I now realise that the most private and intimate information about me is now being slurped by Microsoft without my consent.

    I am dizzy with rage over this. I would cry but I'm too angry.

    I would be very surprised if someone has not directly or indirectly lost their lives over this.

    In fact, thinking about it, I have been accessing various services over the past few months, and without fail they have all said the same: Sorry, my computer is updating now and I can't stop it. This has happened on several occasions but I just didn't join the dots.

    Microsoft need to be taken to the cleaners over this.

  23. A Ghost
    Alert

    Petition for EFF to investigate Microsoft for malicious practices regarding Windows 10

    Please sign this petition if you feel strongly enough about this:

    https://www.change.org/p/the-electonic-frontier-foundation-have-the-eff-investigate-microsoft-for-malicious-practices-regarding-windows-10

    It is slowly gaining momentum with over a thousand people signing it since last night.

    I'm not sure how effective it will be or what good it will do, but anything that takes the fight to these immoral bastards is a plus in my book.

    1. Captain Obvious

      Re: Petition for EFF to investigate Microsoft for malicious practices regarding Windows 10

      Just signed the petition and I am spreading it to everyone I know. Thanks for posting this!

    2. JcRabbit

      Re: Petition for EFF to investigate Microsoft for malicious practices regarding Windows 10

      Signed it too! I'm amazed MS hasn't been hit by a class action suit yet.

  24. ecofeco Silver badge

    Nothing new, just worse

    Since XP, Microsoft OS has always had a large amount of Internet traffic hiding under inscrutable names.

    FireFox also has this issue when you start collecting add-ons.

    Far too many programs these days are constantly in contact with the mothership. Sure, most of it is checking updates, but how can anyone really know?

    This is why good firewalls are essential. You have to control not only inbound traffic, but outbound as well.

    1. quxinot

      Re: Nothing new, just worse

      ^ Good firewalls means trustworthy ones.

      I understand that some large OS makers used to have these.

  25. Anonymous South African Coward Bronze badge

    Petition

    Signed it as well.

    Enough is enough. Thank you Steve Gibson for Never10.

  26. Psymon

    Self appointed Mythbuster to the rescue!

    Firstly, Microsoft are *NOT* using bittorrent to distribute their updates. Nor are they using bittorrent protocols between clients. It's Microsoft's own technologies, called BITS and Peercaching.

    This is actually a technology to help poor souls who have poor internet connections in remote offices. If you have a small office in say, Bora Bora, you simply configure that site to allow Peercaching. Then, once one machine on that site defined subnet has the update, it shares it with the other machines, negating the need for them to all phone home, alleviating the strain on that site's internet connection.

    This is not a security issue, as the clients will only trust domain joined computers, which are validated by their AES256 certificates, so to inject malicious content, the hacker would have to obtain a certificate AND spoof being on the same subnet. It's much easier to just use a Flash vulnerability.

    Of course, if you are using a 3rd party patching system, and have NOT configured WSUS to be disabled, then naturally, those machines will be oblivious to the fact, and will attempt to patch themselves regardless. I genuinely wish that every product had a centralised patch management system as advanced and FREE as WSUS, but it's relatively trivial to point the client's update service at say, 127.0.0.1, or enable the option "Do not connect to any Windows Update Internet locations" in:

    Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update

    Few of these technologies are very new, most of which were available in Win7, and it's been the case since XP, that you can set throttling scheduling for the Background Intelligent Transfer Service. Peercaching can be configured separately. You can also define the behaviour of BITS on costed networks.

    Also, if you have not correctly configured your Active Directory sites (which also allows you to specify bandwidth scheduling), then those machines will not know the difference between a computer on the desk next to them, and one 30 miles away on the other end of a piece of wet string.

    When it's all been set up correctly, these technologies do a damn-sight better job of nursing your precious bandwidth than most other products, including the *nix derivatives.

    While I do have some sympathy for those home users stuck on poor ADSL and even dial-up, the larger downloads are an industry-wide trend, not limited to MS. I frequently see the likes of Firefox, Java, and Sophos pulling 140MB updates, and yet none of these products have options in the corporate market for proper throttling.

    This is in fact why our smallest branch sites have a ban on Firefox, Chrome, and Java. We've even switched antivirus to MSE, because it obeys the throttling rules. Since we removed 90% of non-MS products from said sites, we've seen dramatic improvements in overall performance.

    I am speaking from actual, genuine experience. We configured the sites properly, got rid of the 3rd party crap, and things got better. It's that simple.

    You may now commence with your "shill" comments.

    1. SImon Hobson Bronze badge

      Re: Self appointed Mythbuster to the rescue!

      > ... as the clients will only trust domain joined computers ...

      So in fact, it's useless as the vast majority of computers that are domain joined are likely to be better managed, but domain joined computers are in a minority anyway. Most small businesses don't have a domain etc ...

      So if you are correct, MS have gone to a lot of trouble for nothing, and this won't help the majority of people who could actually use it.

      On the other hand, if the file is signed rather than it being an inter-computer trust thing, then that's a different matter ...

      1. Psymon

        Re: Self appointed Mythbuster to the rescue!

        @Simon Hobson

        "So in fact, it's useless as the vast majority of computers that are domain joined are likely to be better managed, but domain joined computers are in a minority anyway. Most small businesses don't have a domain etc ...

        So if you are correct, MS have gone to a lot of trouble for nothing, and this won't help the majority of people who could actually use it."

        You don't need a domain to mitigate this problem, as I pointed out in the original posting. Yes, peercaching is a great feature, but if a half-competent sysadmin wants to prevent the large packets from Akamai, and has zero budget, then he/she simply needs to do the one thing they should have done right from the start.

        Install WSUS. It's free. You don't even need a domain controller. You can install it on any Windows client, and configure the other machines to pull updates from it instead of the internet. There you go, problem resolved. Microsoft provided this option about 15 years ago.

        Seriously, this is from page 1 of Networking For Dummies, and should be the very next step after setting up DHCP and DNS if you've got more than 3 computers in the building.

        Oh, and of course, the patch packages are also signed. That goes without saying.

        @A Ghost

        "Thanks for confirming that Microsoft actually ARE using some KIND of peer to peer distribution bespoke software, to redistribute their malware, without asking. That's not just rude. It's against the law. If I did that to a machine on your network, are you telling me you would not report me and my IP to the Police? I think you would. Especially if you had asked me to stop, on 'several' occasions."

        I think your tin foil hat must have slipped, because the lizard people appear to be controlling your thoughts again.

        What part of having to configure peercaching makes you assume that somehow your next door neighbour's computer is secretly slipping updates to you? This is only for domain joined computers (or Homegroup, if you fiddle a bit) and is disabled by default.

        I despair sometimes when I read the comments on articles like this, which highlights the dire lack of training in IT "professionals" who are running small networks, and blaming their failings on the tools.

        Remember, these are security updates. I'm no longer surprised at Microsoft's aggressive stance on pushing them out, when all I see in comments is bemoaning having to do your job properly and shoddy security practices.

        I only wish the open source community enforced this kind of mandatory update regime. It seems I only need to sneeze while filling in a web-based form, and 5 random Apache servers dump their username and plain-text stored password tables for all to see.

        1. SImon Hobson Bronze badge

          Re: Self appointed Mythbuster to the rescue!

          > You don't need a domain to mitigate this problem, as I pointed out in the original posting.

          I think you completely missed my point. If this peer caching needs domain trust, then hardly anyone who could benefit from it will be able to use it. As you point out, a half-competent admin can install and use WSUS - but the vast majority of computers are on sites with no admin - no half competent one, not even a not competent one, but no admin at all.

          If you are unaware of these sites then you need to get out more. These are the small offices, shops, larger homes, whatever where they buy computers ad-hoc, files tend to live on each users computer with no means of sharing them, printers are often USB connected because network connections to them are too complicated, ...

          So for these sites, WSUS might as well be the sound someone makes when they sneeze.

          Oh yes, and it looks like BITS has been subverted already :

          http://www.theregister.co.uk/2016/06/09/bits_of_poison_downloading_malware/

          1. Psymon

            Re: Self appointed Mythbuster to the rescue!

            The example you gave was an already installed piece of malware using BITS as the mechanism to download other malware. Although the article doesn't state the initial point of infection, the overwhelming odds are that it was from a compromised Apache server using an Adobe Flash vulnerability, as that is 90% of attack vectors in use today.

            As with any operating system ever created, once the malware gains elevated privileges, it can subvert any internal component it wants, hence the huge swathes of compromised Apache servers spewing their SQL tables to world + dog.

            This is not an example of a man-in-the-middle attack that has successfully poisoned a genuine windows update. There has not been a report of a successful attack using said means.

            As for your assertion that this must be a larger problem, I think we need to apply a venn diagram principle to this matter.

            For this to be a problem, the following criteria must be met:

            1) No WSUS and/or no domain. I obviously concede there are a great many places that have just one or two standalone computers, but this on its own is not enough to cause a problem.

            2) An asynchronous internet connection that is erratic enough to repeatedly trick the Akamai servers. Like the vast majority of data transmission protocols, the Akamai server slowly increases the RWIN (Receive Window - the number of packets the server transmits before waiting for an ACK, or Acknowledgement packet). This is to reduce delays introduced by the RTT, or Return Trip Time, which is basically just waiting for a response, which places an artificial cap on the maximum bandwidth, because if it has to wait for an ACK for every tiny packet, both ends sit needlessly twiddling their thumbs. That's why UDP is faster than TCP, but I digress.

            So, the Akamai server increases the speed until the client says "hey, slow down!" and they dial it back, just like optical drive reading speeds. This won't cause a problem on a consistently slow connection, as both ends will agree on a transmission 'speed'. Nor will it cause a problem on an internet connection that slows down, as they will re-negotiate a slower speed.

            No, the precise circumstances require the connection speed to go up and down like a yo-yo, and it has to do so often enough to repeatedly trick the Akamai server into increasing its RWIN with enough frequency to cause packet flooding at the client's router end. Again, this is certainly possible, but affects only a percentage of slow internet connections. This technique is pretty standard practice, to negate the inherent flaws of TCP.

            3) Finally, both Windows Auto Tuning and Windows Scaling Heuristics need to be fooled into believing the internet connection is much faster than it is. These algorithms are more reliable than Akamai, as they are closer to the user's router, and use a broader average to guesstimate bandwidth. This is usually caused by a misconfiguration in the network settings, or poor reporting from router hardware.

            The vast majority of users report these two technologies SLOWING bandwidth, not the other way round, so it's possible that Heuristics has been disabled. A common novice error, disabling swathes of services because they think they don't need them, and then usually complaining to me at dinner parties that their computer is "broken", and do I have a spare minute to look at it...

    2. A Ghost
      Thumb Up

      Re: Self appointed Mythbuster to the rescue!

      Firstly, Microsoft are *NOT* using bittorrent to distribute their updates. Nor are they using bittorrent protocols between clients. It's Microsoft's own technologies, called BITS and Peercaching.

      Thanks for confirming that Microsoft actually ARE using some KIND of peer to peer distribution bespoke software, to redistribute their malware, without asking. That's not just rude. It's against the law. If I did that to a machine on your network, are you telling me you would not report me and my IP to the Police? I think you would. Especially if you had asked me to stop, on 'several' occasions.

      To my recollection, not one person has actually accused Microsoft of using Bit Torrent. I certainly did not.

      The fact remains. The cheeky bastards are using MY internet connection on MY computer, that I pay for, without asking, in fact, even after I have 'asked' them several times to stop.

      Thanks for the heads up. What they are doing is illegal. And they will be punished. One way or another.

    3. Myvekk

      Re: Self appointed Mythbuster to the rescue!

      The problem is, that it doesn't work. I have several PCs with 10 installed and they are all set to only share on LAN. They do not upload updates to the internet in general. So far so good.

      BUT. They also do not share on the LAN. Each one still downloads all its updates from outside. And when they do, they frequently saturate the connection so that nothing else can connect in a timely manner. And unless you have Pro or Enterprise you don't have GPedit and cannot rate limit the downloads.

      1. Tim Bates

        Re: Self appointed Mythbuster to the rescue!

        "And unless you have Pro or Enterprise you don't have GPedit and cannot rate limit the downloads."

        Even if you have Pro, it looks like it just ignores that setting now. My box is set to 128kbps, but the other day I spotted it doing 5mbps (which broke web browsing, which is why it got set to 128k in the first place).

        I've not done much testing, but it worked on 1511, and doesn't work on 1607. I suspect their changes that stop the Store blocking GPO working on Pro may have broken BITS too.
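
Added example, not part of any comment in this thread: a read-only PowerShell check of the settings discussed above (the WSUS redirect, the "Do not connect to any Windows Update Internet locations" policy and the BITS background throttle), followed by a list of current BITS jobs so observed traffic can be compared with what BITS is actually transferring. The registry value names are the ones the standard Windows Update and BITS Group Policy templates write; the helper name `Get-PolicyValue` is made up for this example.

```powershell
# Added example: read-only audit of the Windows Update / BITS policy values
# discussed in this thread. Run elevated so -AllUsers can see every job.

function Get-PolicyValue {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # An absent key or value means the policy is "Not Configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$bits = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

$settings = [ordered]@{
    'WUServer'                   = Get-PolicyValue $wu 'WUServer'
    'WUStatusServer'             = Get-PolicyValue $wu 'WUStatusServer'
    'UseWUServer'                = Get-PolicyValue "$wu\AU" 'UseWUServer'
    'DoNotConnectToWindowsUpdateInternetLocations' =
        Get-PolicyValue $wu 'DoNotConnectToWindowsUpdateInternetLocations'
    'EnableBITSMaxBandwidth'     = Get-PolicyValue $bits 'EnableBITSMaxBandwidth'
    'MaxTransferRateOnSchedule'  = Get-PolicyValue $bits 'MaxTransferRateOnSchedule'
    'MaxBandwidthValidFrom'      = Get-PolicyValue $bits 'MaxBandwidthValidFrom'
    'MaxBandwidthValidTo'        = Get-PolicyValue $bits 'MaxBandwidthValidTo'
    'UseSystemMaximum'           = Get-PolicyValue $bits 'UseSystemMaximum'
    'MaxTransferRateOffSchedule' = Get-PolicyValue $bits 'MaxTransferRateOffSchedule'
}

foreach ($name in $settings.Keys) {
    $value = $settings[$name]
    if ($null -eq $value) { $value = '(not configured)' }
    '{0,-46} {1}' -f $name, $value
}

# The WSUS URL only takes effect when UseWUServer is 1.
if ($settings['WUServer'] -and $settings['UseWUServer'] -ne 1) {
    Write-Warning 'WUServer is set but UseWUServer is not 1, so the WSUS URL is ignored.'
}

if ($settings['EnableBITSMaxBandwidth'] -eq 1) {
    'BITS background limit: {0} Kbps between {1}:00 and {2}:00' -f `
        $settings['MaxTransferRateOnSchedule'],
        $settings['MaxBandwidthValidFrom'], $settings['MaxBandwidthValidTo']
    if ($settings['UseSystemMaximum'] -eq 1) { 'Outside those hours: no limit' }
    else { 'Outside those hours: {0} Kbps' -f $settings['MaxTransferRateOffSchedule'] }
} else {
    Write-Warning 'No BITS bandwidth policy is in effect on this machine.'
}

# The policy limits background-priority jobs only; a job listed with
# Priority = Foreground is not covered by it.
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
    Select-Object DisplayName, OwnerAccount, Priority, JobState, BytesTransferred, BytesTotal |
    Format-Table -AutoSize
```

If the link is saturated while no BITS job shows bytes moving, the traffic is not going through BITS and the throttle policy cannot apply to it.
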

  27. Anonymous South African Coward Bronze badge

    Today's Sandra and Woo comic : http://www.sandraandwoo.com/comics/2016-06-09-0793-an-offer-you-cant-refuse-ww.png

  28. nil0

    Nicely timed article

    I made the change to Win 10 on Tuesday, and have been seeing precisely this.

    I'm on a sub-2Mbps link, and I use the bandwidth controls on my router to fairly share out the bandwidth available (i.e. make sure I can work and use the VoIP phone even if the kids are watching YouTube videos). It's always worked reasonably well.

    Since switching to Windows 10 I've found that although the throttling of 'normal' traffic (web browsing, downloads, YouTube, etc) still works fine, when Windows Update is downloading something it eats every available bit of bandwidth - to the extent that not only do I get time outs trying to load web pages on my own machine, other PCs in the house also struggle to connect at all.

    Which is crazy, as you'd expect Windows Update traffic to be the lowest priority on the network; it's non-interactive, happening in the background, and should be happy to trickle feed at a slow rate or when there's bandwidth available. I've even tried using the local group policy editor to throttle down the maximum rate at which BITS can download, but it still seems to just blast away...

  29. Unbelievable!

    In my experience, (both domain and domestic) installations of win10 (pro and home) always began with a few weeks of utter slowness of the O/S. I don't know whether we just 'get used to it' or it actually gets faster after week 4? am i alone on the "gets faster thing"? We were forced into win 10 as we were told to

    I have a win 7 and a fresh win 10. The win 7 is a dual core, 4gb 8 yr old piece of crud from zoostorm . and the spanking new water cooled win10 16gb amd 9590 black (wish i got a skylake.. but maybe it's win 10..grr). with practically nothing on it. win 7 thrashes win 10 in just about every aspect of interaction.

    (oh get EVERYTHING by the way. best windows search tool for windows by a mile. it's made by void tools in case googling EVERYTHING takes you a while..;-) )

    I might be paranoid, but it occurred to me that once ms have slurped pretty much everything it can find about you, the thing speeds up. i guess it's keeping up on a regular basis with the user data it sends to the NSA. I was thinking of dumping 20gb of hi res nasa pics on the machine and just see if those few photos took the general speed and net speed of things back down for a few days. Obviously sourcing them and retrieving them using a workstation.

    sorry if i've encouraged a down vote. Just wanted to share my two cents

  30. HAL-9000
    Thumb Down

    M$ Apologists

    There's a special place in hell for some of these M$ apologists in here. I've been forced (by work) to use this heap of devil dung since win3.1. Xp was as wobbly as a 2 wheeled trike, and liable to fill up with malware in an instant. Vista was total fail, 7 a slight improvement, 8 & 8.1 was utter shite, 9 didn't even make it and finally 10? Fortunately most bizz has refused to accept its steaming carcass, consequently I've not had to endure it for one moment - praise be, hallelujah

    Yet these M$ fools still refuse to accept the blinding truth standing right before their eyes.

    1. Unbelievable!

      Re: M$ Apologists

      Sounds like you didn't get a chance to work with the wonderful Windows 98! (or ME)

      You'd really drop your chips in awe of those pieces of..work.

      *snigger*

  31. Anonymous Coward
    Anonymous Coward

    Most sites don't have the luxury of setting a PC aside for WSUS.

    WSUS needs Server200x to run on, am I right? Or can you set a WSUS shop up on win7 and upwards without the need of Server200x?

    1. Psymon

      No, you can install WSUS on any Windows computer, and continue to use that machine for its original purpose

  32. MHammett

    CDN Overload

    I'm working on collecting information on this problem and working with CDN engineers to resolve these issues. Please fill out my form here: https://goo.gl/forms/LvgFRsMdNdI8E9HF3

    You can see the information I've collected so far here: https://docs.google.com/spreadsheets/d/1Jdm0dOBf81kSnXEvVfI6ZJbWFNt5AbYUV8CDxGwLSm8/edit?usp=sharing
