Windows 10: windows update replaced conhost.exe but the file is not included in the update binary

We‘re performing file security analysis based on the source (where files are coming from).

A Windows 10 update installs a new conhost.exe but we cannot find out where the file is coming from. It doesn't seem to be in the .cab file of the update.

This is what we did:

1. install windows 10 1809 v2 (c:\windows\system32\conhost.exe md5 is 4c41666923a14dc687deee3b143afb55)
2. let Windows install update kb4501835 (windows10.0-kb4501835-x64_a8a91185c1cf9b9fefa6e9e07fc3d74c45fb2fee)
3. After finishing the installation of this update and rebooting, c:\windows\system32\conhost.exe md5 hash is c221707e5ce93515ac87507e19181e2a

Where‘s that conhost.exe coming from?
Windows 10 update history just says that it installed the Update kb4501835. So we manually downloaded kb4501835-x64 from here, expanded it to a temp dir, expanded the resulting file Windows10.0-KB4501835-x64_PSFX.cab to another temp dir. (commands used: c:\Windows\System32\expand.exe -R %FILE% -F:* 1\)

In this tmp directory, we found two conhost.exe with md5 d810493b38380e30855f1e9e7d395000 andebf996ce7169609d9b892b5a79297611

So neither of the two conhost.exes in the kb4501835-x64 has the md5 c221707e5ce93515ac87507e19181e2a

Question:
Where is that new conhost.exe coming from if it‘s not in the update .CAB? We can verify the .cat based signature with signtool, so yes, it‘s apparently from Microsoft and signed and everything is alright, but we need to know the origin of files that are replaced on disk.

Any hint?

:)

 

Microsoft Decreasing Windows 10 Updates Downtime in Fall Creators Update

I don't think Windows will ever be able to do live/hot patching due to the limitations in the file systems of Windows. On Windows you can't change a file that's currently in use be it an EXE or DLL file. This limitation of course has caused application developers to have to create special routines to replace their binaries as part of application update procedures. I myself have done this for my own programs which usually includes downloading a new binary file to a new file like "application.exe.new.exe" and executing it with a "-update" switch. This isn't a problem on Linux due to its use of iNodes at the file system level. The file system on Linux is fundamentally different than NTFS which allows Linux to patch in-use binaries.

 

Windows Updates failed to instal

I'm not sure how differant XP media center Edition is but you could clear the history \ cache if these folders are there.

Step 1 Register DLL files.

=================

By trying this step, we can check if the update engines are working properly.



1. Close all instances of Internet Explorer.

2. Click Start and Run, type "Regsvr32 atl.dll" (without quotes) in the Open box and click OK.



Note: There is a space between regsvr32 and atl.dll



3. Similarly, one by one, register the files listed below:



Regsvr32 msxml3.dll

Regsvr32 wuapi.dll

Regsvr32 wuaueng.dll

Regsvr32 wuaueng1.dll

Regsvr32 wups2.dll

Regsvr32 wucltui.dll

Regsvr32 wups.dll

Regsvr32 wuweb.dll

Regsvr32 qmgr.dll

Regsvr32 qmgrprxy.dll

Regsvr32 jscript.dll



Note: If you encounter errors while registering any of these files then skip that file and continue with the next one.



If the issue persists, let's move on to the steps below to verify Windows Update services and temporary folders.



Step 2 Verify the relevant Windows Update services.

=========================================

1. Click Start->Run, type "services.msc" (without quotation marks) in the open box and click OK.

2. Double click the service "Automatic Updates".

3. Click on the Log On tab, please ensure the option "Local System account" is selected and the option "Allow service to interact with desktop" is unchecked.

4. Check if this service has been enabled on the listed Hardware Profile. If not, please click the Enable button to enable it.

5. Click on the tab "General "; make sure the "Startup Type" is "Automatic" or "Manual". Then please click the button "Stop" under "Service Status" to stop the service.

6. Then please click the button "Start" under "Service Status" to start the service.

7. Please repeat the above steps with the other services:



Background Intelligent Transfer Service

Event Log

Remote Procedure Call (RPC)



Note: Event log service is enabled on all of the hardware profiles; this service does not have an option to enable or disable on certain hardware profile.



If it still does not help, let's proceed to step 3.



Step 3 Reload the Update temporary folders.

===================================

One possible cause is that the temporary folder for Windows Update is containing corrupted files. Let's erase all the files there to get the system clean.



1. Click Start, Run, type: cmd and press Enter. Please run the following command in the opened window.



Net stop WuAuServ



2. Click Start, Run, type: %windir% and press Enter.

3. In the opened folder, rename the folder SoftwareDistribution to Sdold.

4. Click Start, Run, type: cmd and press Enter. Please run the following command in the opened window.



Net start WuAuServ



Please test the Windows Update website and let me know the result. If the issue persists, to clarify the issue and provide more accurate troubleshooting steps, please assist me in collecting the following information.

 

windows automatic updates

i have some questions about the windows automatic updates in windows xp pro w sp/2. ive got about forty updates they recommend , mostly for security but i only installed two today. after installing them i found them in my add/remove programs in the control panel, if i add all these updates that is a lot of space on my hd almost 1 gig. i thought that updates just updated files and not created new programs. should i innore all these update suggestions from microsoft?