German On February 8, 2018 Microsoft released the update KB4023057 for various Windows 10 versions via Windows Update. Here are some details about this update.
Update KB4023057 is a reliability update for Windows 10 version 1507 (RTM), 1511 (November 2015), 1607 (July 2016) and 1703 (March 2017). Only the current version Windows 10 Fall Creators Update didn't receive this update. Microsoft write:
This update includes reliability improvements that affect the update components in Windows 10 Versions 1507, 1511, 1607, and 1703.
This update includes files and resources that address issues that affect the update processes in Windows 10. These improvements ensure that quality updates are installed seamlessly to improve the reliability and security of Windows 10.
Only certain builds of Windows 10 Versions 1507, 1511, 1607, and 1703 require this update.
Only via Windows Update
Devices that are running those builds will automatically get the update downloaded and installed through Windows Update. This update is not available in the Microsoft Update Catalog and the update is reissued cyclically by Microsoft – the last time I reported this update was in October 2017 (see Windows 10: Update KB4023057). However, Microsoft doesn't document this update in detail. At Askwoody I found the information, that the update isn't offered via WSUS.
If I remember well, KB4023057 was and still is one of the most weird and unexplained updates in the recent times. This update has never been offered to WSUS, but only to Windows Update. This would indicate that it meant for unmanaged end-users and unmanaged small business users.
Maybe someone who runs WSUS can say something. Interesting is also the statement in the above linked comment that the update is also rolled out for Windows 10 Enterprise LTSB version 1607.
Some background details
The kb article says, that this update changes the files Drvdbfix.exe, Rempl.xml, Remsh.exe and Unlock.xml. However, there is no further information on this subject. Here is an attempt to gather some information.
What is Drvdbfix.exe?
I would translate the file name Drvdbfix.exe as Driver (Registry)-DB-Fix, a tool that checks and repairs the Windows driver database for inconsistencies (also in registry entries9). Old drivers have been the cause of failed updates in the past. Then the workaround to clean the driver cache with this statements was required:
rundll32.exe pnpclean.dll,RunDLL_PnpClean /DRIVERS /MAXCLEAN
Maybe the above tool does this automatically – but it's speculative now, I haven't analyzed the program. Furthermore I found hints on the internet that the tool should check and fix registry entries for drivers.
This is now Off Topic – this article deals with the question of how to remove unnecessary drivers in Windows. The Driver Store Explorer (RAPR) is also introduced there. Another tool is called Device Cleanup Tool and is available from Uwe Sieber here.
What is Datei Remsh.exe?
Let's have a lot at the Remsh. exe program, where Microsoft doesn't document anything. At Askwoody, user abbodi86 gives users the following comment on a previous version of Remsh. exe when updating KB4023057:
basically it's a tool called "Remediation Shell" which remedy "fix" update related components to facilitate the upgrade i.e. registry settings, services status, USO and WU SIH schedule tasks, disk space, launch Windows10UpgraderApp.exe if installed (included with 1607 CU since June)
Would be an explanation for the file name Remsh.exe. In the blog article Windows 10: What is REMSH.exe for? I had already provided some information about this program before.
Another Off Topic: In the above commentary the term USO (Update (Session) Orchestrator) appears. There is little else about this, apart from hints on the Internet (here, here, here) that a usoclient.exe will appear briefly in a window of the command prompt at system startup. Here (deleted) you can even see a screenshot of the window and here you can see a screenshot of the task planning with the Update Orchestrator task to start usoclient.exe. The best explanation I've found so far comes from MawshiKid in this Microsoft Answers-Thread.
The supplementary comments given in my German blog are especially interesting. Blog reader André has taken care of the module and found out that it uses the following registry entries.
Software\Microsoft\rempl\remediationresults, Software\Microsoft\Windows\CurrentVersion\rempl\settings
Software\Microsoft\Remediation\LocalState\Telemetry
A comment at my blog post Windows 10: What is REMSH.exe for? has analyzed the .etl log file from the REMSH folder. There are some hints on what Remsh.exe does. A CloudControlState is beeing detected, there are hints to a check of the WindowsUpdateTelemetryDataEvent as well as to a check of the free memory on the hard disk. In addition, the status of the system via GetRestoreHealthMarker is presumably queried.
The update package sets up a task for the cyclic execution of Remsh.exe (see also this German blog comment from Thorsten), which awakens the Windows system from the energy-saving mode (Suspend). Also within this article you will find such a description (it also shows an excerpt of the file Unlock.xml – the file specifies when the usoclient is allowed to run). In this Microsoft Answers forum thread, someone complains that Remsh.exe generates a high CPU load.
-This is a FYI and does not need to be posted.-
GB, Thank you for your article. This is a FYI to you on your article' links.
"Another tool is called Device Cleanup Tool and is available from Uwe Sieber here."
Resulted in from Norton:
Malicious website blocked!
http://www.uwe-sieber.de
@gunther: Thanks for your information – I decided to publish it here as a comment, because other readers are probably stumpled uppon the same (false) Norton alert.
A good thing is, to check such a site with virustotal.com – here Uwe's site is reported as clean ;-).
Pingback: Windows 10: Update KB4023057 re-released | Born's Tech and Windows World
Pingback: Microsoft releases new version of Win10 patch KB 4023057 @ AskWoody