Why WaasMedic Agent hammers the disk

After a recent large Windows update I noticed that "WaasMedic Agent Exe", hosting the "Windows Update Medic Service", regularly caused 100% disk usage for over an hour at a time. Since this was hindering my machine's performance I spent a little time looking into what exactly it was doing.

With Sysinternals Process Explorer I saw that the process accessed all kinds of files deep in my user profile, virtually none of which should have anything to do with Windows Update. The only thread that appeared active during the disk usage had a stack including both WaaSMedicAgent.exe (as expected) and SedPlugins.dll. Disassembling and obtaining symbols with IDA 7, the offending call stack seems to be (more recent calls last):

WaaSMedicAgent.exe: PluginAction
SedPlugins.dll:     ?PluginDetectCondition@CSedimentDriverExternalFunctions@CSedimentDriver@WSD@@QEAAJPEBGPEA_N@Z
SedPlugins.dll:     ?DetectCondition@DiskCleanupPlugin@1WSD@@UEAAJPEAH@Z
SedPlugins.dll:     ?CollectCommonDiskInformation@CDiskFileCleanup@WSD@@QEAAJXZ
SedPlugins.dll:     ?CalculateDirSizeInternal@CDirUtil@WSD@@CA_JAEBV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@_J_N@Z
SedPlugins.dll:     (recursive call...)

The update medic service seems to be very modular, capable of hosting different plugins. The calls to PluginDetectCondition and DetectCondition are both indirect. SedPlugins.dll holds "sedimentation" plugins (?), which I imagine is some kind of internal project codename. I speculate that each plugin is supposed to check for and try to resolve a different issue that might interfere with Windows Update functionality. A "disk cleanup" plugin might make sure that a reasonable amount of space is free on the system drive and invoke cleanup of dispensable files if not.

Speculation aside, the disassembly of CollectCommonDiskInformation makes the problem very clear. It calculates and logs the total size of each of several directories: 

• %WINDOWS%\installer
• %WINDOWS%\SoftwareDistribution
• %WINDOWS%
• %WINDOWS%\serviceprofiles
• \program files
• \users
• \programdata
• \program files\WindowsApps
• \$Windows.~BT
• \Windows10Upgrade

My user profile folder contains a lot of small files in moderately deep directory hierarchies, so this is very slow. Also, some of these checks are redundant - the size of the Windows apps folder is already included in the size of Program Files. More importantly, this approach will spend a lot of time worrying about the size of things that can't be automatically cleaned up - I could purge my Gradle caches if I needed space, but Windows doesn't know that and can't know what's dispensable in general. Even more importantly, I have over 500 GB free on my system drive! Checking the disk free space is very fast (not recursive), so ideally the plugin should notice that cleanup is not necessary and skip expensive calculations.

[Update: I filed a Feedback Hub report.]

Since Windows Update is working as desired, I decided to disable this "medic" service until its disk hammering is fixed. This service seems to get special defense against modification through the services API, so I disabled it by setting the Start value to 4 in its SCM Registry key:

HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc

The Windows 10 global microphone off switch

Today I spent a good chunk of time hunting down an audio issue with Windows 10. A USB audio input device (the microphone embedded in a webcam in this case) was recognized by Windows and applications, but never seemed to actually provide any sound. No bar appeared to indicate the level in the sound settings when the microphone was spoken into. Strangely, Google Hangouts just re-muted audio input shortly after the unmute button was pressed. 

After a great deal of messing around, I eventually found a "privacy" switch that essentially completely disables microphone use by desktop applications: Settings → Privacy → Microphone → "allow desktop apps to access your microphone." You'll probably have to scroll down; the switch at the top only affects modern/UWP/Metro apps.

It would be really helpful if there was a clear indication that this setting is off in the places one might try to manage the microphone: the Sound settings page, or at least the troubleshooter.

Windows feature updates may remove support for old file shares

I recently updated a Windows 10 machine with the newest feature update. Afterward it was unable to open a folder shared from a Windows 95 VM. Opening the share produced an error about SMB 1.0 no longer being supported. Fortunately it is possible to reenable support for the old protocol by installing an optional component. In the Windows Features dialog (run optionalfeatures), enabling "SMB 1.0/CIFS File Sharing Support" or specifically "SMB 1.0/CIFS Client" made the share usable again.

When windows become unresponsive after another program goes fullscreen

I've noticed something interesting on my current installation of Windows 10 that I don't remember seeing before. When one application (DOSBox specifically) went fullscreen, windows belonging to other programs stopped responding to mouse movements or clicks. They can be made normal again by pressing Windows+Down then Windows+Up, thereby restoring and re-maximizing them.

The downloadable Windows Update troubleshooter might work better than the built-in one

I recently tried to get a Windows 10 1709 VM to update to 1803. It consistently failed about 78% into the first installation phase. The Windows Update troubleshooter from Settings | Update & Security | Troubleshoot didn't seem to change anything. The equivalent troubleshooter downloadable from Microsoft, however, did seem to have an effect. The update still failed for me, but at least it got noticeably further into the process. (I'm still trying to figure out what issue it's running into.)

Remote Server Administration Tools might install fine but not show up as a feature

Today I tried to get the Windows 10 Remote Server Administration Tools installed in a VM so I could test some PowerShell modules. The VM had Windows 10 1709, so I downloaded RSAT for that edition. The MSU installed just fine, but the optionalfeatures dialog didn't list Remote Server Administration Tools even after a reboot. Downloading the MSU for Server 2016 and trying to install it just produced an error saying the update was already installed. To my surprise, I soon after noticed in the Start menu that there were RSAT shortcuts marked as New! The install appears to have completed successfully -- the PowerShell module I wanted is available -- even though optionalfeatures still doesn't list the feature.

Assign 2 GB of RAM to Hyper-V machines before trying to upgrade Windows 10

Hyper-V has a dynamic memory feature that allows it to change how much RAM is allocated to the virtual machine while it's running. The absolute minimum - usually much less than will be allocated for realistic workloads - is set in the VM configuration. When starting the upgrade to a new build of Windows 10, the setup infrastructure checks whether the machine has at least 2 GB of RAM. If the check fails, it cancels the upgrade and deletes the update files. To avoid needing to wait for the update to be downloaded again, I'd advise making sure the VM is guaranteed 2 GB before trying to start the upgrade.

Patch to fix 100% CPU usage and freezing in Clarion 6 applications

A little while back, I noted that Windows 10 build 1703 rewrote the window manager internals. Now, calling PeekMessage sometimes produces more window messages. If a program peeks for messages a few times every spin around its message loop, it can wedge itself into an infinite loop as GetMessage then returns immediately when it sees the internal message, letting the loop go around once more. It so happens that there's a framework that does just that. I worked with a third-party application built on version 6 of Clarion. When run on 1703, the program froze in certain places, pegging the CPU at 100%, but on older Windows versions it was fine.

SoftVelocity no longer supports Clarion 6, so Clarion users are on their own. Fortunately, I managed to create a patch that fixes the problem. The relevant code is in C60RUNX.DLL. At 0xA867B, write these bytes:

8B 44 24 28 ; mov eax, [esp+28h]
E8 D2 42 03 00 ; call fix_detour
83 F8 00 ; cmp eax, 0
75 F2 ; jne -Dh
90 ; nop

We need some extra space for a bit of new logic. Fortunately, there is plenty of padding at the end of the code segment, which is where the call goes. At 0xDC956, write:

50 ; push eax
6A 00 ; push 0
6A 00 ; push 0
6A 00 ; push 0
50 ; push eax
E8 25 46 F2 FF ; call GetMessageA
58 ; pop eax
8B 40 04 ; mov eax, [eax+4]
25 FF FF 00 00 ; and eax, FFFFh
3D 38 07 00 00 ; cmp eax, 738h
0F 94 C0 ; sete al
0F B6 C0 ; movzx eax, al
C3 ; ret

This latter part is a function that takes the address of the buffer for the message in eax and returns whether the message should be ignored (i.e. is the new 0x738 message). Experienced Win32 programmers may notice that this doesn't check the return value of GetMessage, but neither does the original code, so this is no worse. Back up in the first section, the patch replaces the call to GetMessage with a call to this function, and if the message needs to be skipped, it just jumps back and does the call again until it gets something else.

Configuring blue light reduction settings with PowerShell

Windows 10 1703 introduces the "night light" feature, also known as blue light reduction. Its settings are stored in the Registry, but it's a binary blob under CloudStore, rather difficult to manipulate. One user was interested in automating the setting in some way. They already found this GitHub script that sets some values, but it only supports a handful of predefined configurations. So I took a look.

Wild speculation brought me to the SettingsHandlers_Display.dll file, which I suspect is responsible for the relevant part of the Settings app. I got a hold of a 32-bit version so IDA could disassemble it, but it appears to be written in C++ and so is a huge mess to reverse engineer. There seems to be COM involved as well, and though IDA mentions some class names and even some structs' members' names, I couldn't figure out where the saving/loading took place. Looking for struct definitions to get some ideas on the blob's layout, I acquired the PDB file for the DLL, but couldn't accomplish anything with it.

So I was back to plain old pattern recognition. One run of bytes changed every time I edited the blue light settings, no matter what control I altered, and I deduced that to be a FILETIME indicating the store entry's last-modified time. Flipping some switches caused the blob to grow in size, which was puzzling, but most changes just replaced one or two bytes - at least those were easy to track down. It was in that way that I figured out where the color temperature slider's state was kept. The actual numeric value that it changed, though, did not make sense. Changing the Registry value in certain slight ways inexplicably jammed the slider against one end of the other. It didn't help that I didn't know what value the bytes were serializing from the slider.

Use of the Inspect tool revealed the numeric value of the slider. Like f.lux, it remembers color temperature in Kelvin. Some seriously bizarre binary math goes on in the serialization. Nevertheless, I figured out the formula. And though I don't quite have a handle on why the blob expands and contracts, my script works consistently. Interestingly, some of the UI elements in the Settings app immediately update when the script is run.

The script itself is in my Super User answer.

Thoroughly disabling OneDrive in Windows 10

The Windows 10 OneDrive app really likes to pop up my OneDrive folder every so often. Since I don't use OneDrive on most of my devices, I like to turn it off to minimize annoyance. There isn't a very convenient way to do it, but it can be disabled with Group Policy. The relevant setting is this one (Policy Plus unique ID):

Microsoft.Policies.OneDrive:PreventOnedriveFileSync

In the normal hierarchy, that's Computer Configuration → Administrative Templates → Windows Components → OneDrive → "Prevent the usage of OneDrive for file storage."

Enable that, and OneDrive will stop bothering all users on the computer.

Windows 10 Wi-Fi won't turn on? Install different drivers

Today I dealt with a Lenovo ThinkPad E545 laptop that refused to enable Wi-Fi. In the network pop-up from the notification area icon, it said "Wi-Fi off." Flipping the appropriate switch in the Settings app had no effect; it just went back to Off immediately. Reboots didn't help, everything seemed fine in Device Manager, and no third-party VPN software (which is sometimes the cause of Windows 10 network troubles) was installed.

The only other thing I could think of was to install a different driver. Lenovo hasn't published Windows 10 drivers for the E545 yet, but I found some for 64-bit Windows 8. Bizarrely, they had drivers from at least two different vendors. The Realtek installer actually ran - as opposed to others which didn't. After setting the driver in Device Manager to the new Realtek one, the Wi-Fi switch actually worked, and sure enough, Wi-Fi turned on as normal.

Windows 10 upgrade broke one of my Hyper-V machines

I did an in-place upgrade to Windows 10 from Windows 8.1 Pro a while back. Shortly after that, I went to the Hyper-V Manager to start a couple of the VM's I've put together over time. One of them refused to start, citing a failure to load an AVHDX file. Some Google results suggested deleting the saved state, but that VM had no saved state. Upgrading the configuration version did nothing. All useful changes to the VM's settings failed because of the inability to load the virtual hard disk. I tried deleting the checkpoints (which seemed to be the locus of the problem), but got the same error.

None of the Things On The Internet that I could find worked. Since it wasn't a super important VM, I just deleted it and reinstalled it fresh from the ISO I still had.

When the Windows 10 upgrade fails with "Operation failed: Mount WIM file"

I continued attempting to upgrade a 64-bit Windows 8.1 laptop to Windows 10 today. It would consistently get to about 24% in the pre-reboot setup screen (when the old OS was still running) and then fail with the generic "Something happened" message box. This appeared at the end of the setuperr.log file:

2016-06-09 11:37:53, Error                 SP     CMountWIM::DoExecute: Failed to mount WIM file C:\$WINDOWS.~BT\Sources\SafeOS\winre.wim. Error 0xC1420127[gle=0xc1420127]
2016-06-09 11:37:54, Error                 SP     Operation failed: Mount WIM file C:\$WINDOWS.~BT\Sources\SafeOS\winre.wim, index 1 to C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount. Error: 0xC1420127[gle=0x000000b7]
2016-06-09 11:37:54, Error                 MOUPG  MoSetupPlatform: ExecuteCurrentOperations reported failure!
2016-06-09 11:37:54, Error                 MOUPG  MoSetupPlatform: Using action error code: [0xC1420127]
2016-06-09 11:37:54, Error                 MOUPG  CDlpActionImageDeploy::ExecuteRoutine(329): Result = 0xC1420127
2016-06-09 11:37:55, Error                 MOUPG  CDlpActionImpl > > >::Execute(441): Result = 0xC1420127
2016-06-09 11:37:55, Error                 MOUPG  CDlpTask::ExecuteAction(3243): Result = 0xC1420127
2016-06-09 11:37:55, Error                 MOUPG  CDlpTask::ExecuteActions(3397): Result = 0xC1420127
2016-06-09 11:37:55, Error                 MOUPG  CDlpTask::Execute(1631): Result = 0xC1420127
2016-06-09 11:37:55, Error                 MOUPG  CSetupManager::ExecuteTask(2024): Result = 0xC1420127[gle=0x0000013d]
2016-06-09 11:37:55, Error                 MOUPG  CSetupManager::ExecuteTask(1987): Result = 0xC1420127[gle=0x0000013d]
2016-06-09 11:37:55, Error                 MOUPG  CSetupManager::ExecuteInstallMode(804): Result = 0xC1420127[gle=0x0000013d]
2016-06-09 11:37:55, Error                 MOUPG  CSetupManager::ExecuteDownlevelMode(389): Result = 0xC1420127[gle=0x0000013d]
2016-06-09 11:37:58, Error                 SP     CDeploymentBase::CleanupMounts: Unable to unmount the directory C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount. Error: 0xC142011C[gle=0xc142011c]
2016-06-09 11:38:12, Error                 MOUPG  CSetupManager::Execute(232): Result = 0xC1420127
2016-06-09 11:38:12, Error                 MOUPG  CSetupHost::Execute(371): Result = 0xC1420127

The mention of WIM mounting made one user in the Super User chatroom recall the WIMMount Registry entry. I removed the subkeys of this:

HLKM\SOFTWARE\Microsoft\WIMMount\Mounted Images

After I did that, setup ran successfully to completion! (I had also run dism /online /cleanup-image /restorehealth along the way, but I'm not sure that did anything relevant.) That laptop is now running Windows 10.

Renaming libraries on Windows 10

Windows 10 automatically adds "libraries" like Documents and Pictures to each user's Quick Access section of Explorer and also shows them under This PC. Interestingly, there is no Rename option on them.

Therefore, the only way to change the names of default libraries is to edit their desktop.ini file. The LocalizedResourceName entry usually refers to a localizable resource in a system DLL, but any value without a preceding @ sign will be treated as a literal value. So, you can do something like this:

LocalizedResourceName=Top of the Desk

After a logoff/logon cycle, the new name is shown:

Desktop and Documents renamed

I originally published this information in a Super User answer.

When Bash on Ubuntu on Windows can't update because it "could not resolve" an Ubuntu server

An issue people are running into with Windows 10's new support for Ubuntu's Bash shell is that it sometimes has no Internet connectivity and therefore cannot update. Specifically, this text appears as part of the output of sudo apt-get update:

Could not resolve 'archive.ubuntu.com'

There are two likely causes mentioned in the discussion surrounding the issue on GitHub:

1. /etc/resolv.conf didn't get generated correctly. Add a nameserver line with the address of a valid DNS server. That seems to work best when the DNS server is on the local network, i.e. is the router. For example, nameserver 8.8.8.8 sets Google DNS as a DNS resolver.
2. An antivirus application is interfering with Bash's network connections. Try disabling the firewall.

Getting the Bash shell on Windows 10

With Insider build 14316, Windows 10 can include Ubuntu's Bash shell natively. The article explains how to enable the feature, and I summarize the relevant parts here:

1. Update to build 14316 (requires an Insider account on the Fast ring)
2. Enable Developer Mode (Settings → Update & security → For developers)
3. Enable the Windows Subsystem for Linux (Beta) feature in the classic Windows Features dialog
4. Type bash in a command prompt
5. Answer the confirmation prompt affirmatively with a y

All necessary features will be unpacked and set up for you.

Windows 10 Server Wi-Fi: Missing in Action

I have a laptop on which I installed the Windows Server Technical Preview 3, the third preview of the Windows 10 server OS. Today I found myself without a spare Ethernet cable for it, but I figured Wi-Fi would do the job. Apparently it won't - Windows always says "no connections available", even though I've confirmed that the Wi-Fi adapter/driver is present and enabled. Even pressing "Connect to" in Network Connections with it selected does nothing. I guess WSTP3 doesn't support Wi-Fi? That would be a shame.

Windows 10's Stricter SmartScreen

Today I discovered a rather inconvenient fact about Windows 10 while showing Zhongkey to some people in this year's Chinese class. SmartScreen, the Windows feature that warns users about unknown (i.e. rare and unsigned) apps, now outright refuses to permit such a program to run without administrator approval. That defeats a large part of the purpose of portable software for non-administrative domain users, and I am not a fan.

Fortunately, it can be disabled by administrators in the desktop Control Panel's system settings, just like in Windows 8. See one of many guides to making the change. I think - but am not sure - that the showstoppingness will be suppressed if the zone identifier is removed by pressing Unblock in the downloaded program's property sheet.

Researching Windows 10's "Who owns this PC?" Question

In the month that has passed since I asked my question on Super User about what the "Who owns this PC?" question in the Windows 10 setup actually means, some other people asked the same question on Microsoft forums, Some answers have been posted on those forums (none on my question yet), indicating that it has to do with Azure Active Directory, Microsoft's organization cloud service. Choosing that the organization owns it results in the question of whether a normal domain or an Azure AD environment is in place. Nobody is really sure why it's allegedly difficult to change, though.

Further reading: a question on TechNet, a question on Microsoft Answers

Weirdness with Windows Update and Windows 10 Upgrade

While messing around with Windows Update (on my Windows 8.1 Pro machine) today, I noticed some strange behavior with the Windows 10 upgrade mechanism that got installed a few months ago along with the Get Windows 10 app.

Whenever I manually select some updates to install (not including the Win10 upgrade of course), the progress indicator retains the "Downloading Windows 10" caption/style. Once the updates finish, the Windows 10 upgrade files start downloading again, despite them having already been downloaded and my having canceled my reservation. Fortunately, a press of the "Stop download" button saves the day, or at least the network utilization.

I have tried hiding the Windows 10 upgrade entry in the available updates list by right-clicking it and choosing "Hide update" as I would do with any other update, but it does not seem to have an effect. The checkbox next to it grays out, but next time I open the dialog, even after a reboot, the entry is back.

Hopefully I won't accidentally upgrade to Windows 10 before I'm ready.