KB979683 driving me crazy

Peter Boulding · 15-04-2010

Win XP Home SP2

Windows update keeps insisting that I download and install KB979683. It is
incapable of accepting that I have already done this, even though the
Windows Update web site's "review your update history" link confirms that I
have now done so some... <counts> ...nine times in the last 24 hours--which,
in itself, is a triumph of hope over experience.

I have tried the solution suggested at
<http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/4a6ea702-47e9-48c6-8460-6d3e9f6d9abe/>
but this hasn't solved the problem. Note: Windows won't accept the "net stop
cryptsvc" command while Zonealarm's "Truevector" service (I think this is
vsmon.exe, version 9.1.007.002) is running. With Zonealarm shut down I can
stop the service and rename catroot2 (no tmp* files are to be found in
Catroot), but Windows Update still keeps demanding I download and install
KB979683.

PA Bear [MS MVP] · 15-04-2010

Read the known issues on this page, they explain what to do. There is a link
in that section to a fix.

You cannot install some updates or programs:
http://support.microsoft.com/kb/822798/

How do I reset Windows Update components?
http://support.microsoft.com/kb/971058

Is "Security Update for WinXP (979683)" listed in Add/Remove Programs?

What's the result of running the Fix It in
http://support.microsoft.com/kb/980966? [Ignore the reference to KB977165]

Why hasn't SP3 been installed by now?

What anti-virus application or security suite is installed and is your
subscription current? What anti-spyware applications (other than Defender)?

Has a(another) Norton or McAfee application ever been installed on the
computer (e.g., a free-trial version that came preinstalled when you bought
it)?

For home users, no-charge support is available by calling 1-866-PCSAFETY
(and/or 1-866-234-6020 and/or 1-800-936-5700) in the United States and in
Canada or by contacting your local Microsoft subsidiary. There is no-charge
for support calls that are associated with security updates. When you call,
clearly state that your problem is related to a Security Update and cite the
update's KB number (e.g., KB979683).

Peter Boulding · 15-04-2010

So there is: to the 'rename catroot2' fix which, as I explained in my
original message, turns out to be impossible to apply without first closing
Zonealarm, and which then does no good anyway.

None of the conditions described in 822798 appears to apply. I have,
however, as detailed in my original message, tried recommended fix #3
(rename catroot2) without success.

<downloads Microsoft Fix It 50202>
<runs it in default mode>
Damn: "The installer has encountered an unexpected error installing this
package. This may indicate a problem with this package. The error code is
2755."

Yes, it is--as being installed (along with a bunch of other stuff) on
14/4/2010 (UK date format).

Oh: this points to a later version of Fix It (50378).
<downloads and runs>
"Your computer appears compatible with Microsoft Security Bulletin MS10-015
(http://support.microsoft.com/technet...ms10-015.mspx).
Please visit for [sic] Microsoft Knowledge Base article 977165
(http://support.microsoft.com/kb/977165) for additional information."

I have a couple of months' grace, do I not?

Question: given that this problem has arisen, is the installation of SP3
likely to solve the problem? Or to exacerbate it?

AVG 9.0.801; Superantispyware 4,34,0.1000; Malwarebytes 1.45. Only AVG (and
Zonealarm 9.1.007.002) have real time protection switched on.

Done. The following sent:

=================================
Win XP Home SPP2:

Windows Update KB979683 keeps being offered for download despite successful
download and installation (yes, it appears in add/remove programs; the
'history' page at the Windows update web site tells me I've downloaded and
installed it multiple times).

On advice of MS MVPs, I have tried the 'rename catroot2' fix #3 in
<http://support.microsoft.com/kb/822798/> (which doesn't work until you
close Zonealarm) but this hasn't solved the problem.

Likewise on the advice of MS MVPs I have tried downloading and running
Microsoft Fix It tools 50202 and 50378.

50202 failed: "The installer has encountered an unexpected error installing
this package. This may indicate a problem with this package. The error code
is 2755."

50378: "Your computer appears compatible with Microsoft Security Bulletin
MS10-015
(http://support.microsoft.com/technet...ms10-015.mspx).
Please visit for [sic] Microsoft Knowledge Base article 977165
(http://support.microsoft.com/kb/977165) for additional information."

Despite all the above, that damned shield icon in the system tray is *still*
telling me to download and install KB979683.
=========================================

Ottmar Freudenberger · 16-04-2010

You are aware that Windows XP SP2 will EOL in July, are you?

Here we go again:

KB979683 (MS10-021) is a kernel update and ever since these are released for
Windows XP, MS doesn't get those to install correctly as soon as it's an
OEM system (with OEM drivers installed) on which these kind of updates
should be installed on.

To get these updates for Windows XP installed properly on these systems,
you'll need to download the update from DownloadCenter:
http://www.microsoft.com/downloads/d...DisplayLang=en
*save* the file into a folder and execute the EXE with the parameter "/o"
(like "/overwriteoem") afterwards.

Let's assume you've downloaded the english version of KB979683 into a
folder "Downloads" which is located on your C: drive. In this case
please restart Windows in Safe Mode (hit the [F8] key after the BIOS
screen occured while booting your machine). Then enter the following
*including* all blanks and quote signs into "Run" in the Start menu
and hit [Enter] or click on OK afterwards:

"C:\Downloads\WindowsXP-KB979683-x86-ENU.exe" /o

After rebooting Windows, the update shouldn't be reoffered by WU/AU once
again.

MowGreen · 16-04-2010

I'd be willing to wager that a Clean boot of the system would have
*fully* disabled AVG and the update would have properly installed.

Now we'll never know *IF* the update would have installed by configuring
the system to Clean boot, thus ruling out AVG as the cause of the
repeated reoffering, because they asked you to recreate the
SoftwareDistribution subfolder.

suggest you configure AVG to not scan nor monitor the
locations mentioned in this MSKB:

Virus scanning recommendations for computers that are running currently
supported versions of Windows
http://support.microsoft.com/kb/822158

I'll be curious to see what happens when the next Kernel update comes
out with AVG configured in that manner.
IF the same issue occurs despite AVG not monitoring those
files/locations, then try the Clean boot as it appears to be impossible
to completely shut down AVG's services/processes.

How to configure Windows XP to start in a "clean boot" state
http://support.microsoft.com/kb/310353

Can you run the Reset Fix It http://support.microsoft.com/kb/971058 in
Default *and* Aggressive modes now?

Is AVG Linkscanner, Search-Shield, Active Surf-Shield, Security toolbar,
and/or any of the email scanning components installed?

Are you certain a Norton or McAfee free trial didn't come preinstalled on
the computer when you bought it? (Doesn't matter if you never used or
Activated it).

Peter Boulding · 16-04-2010

SUCCESS!

I received a lengthy reply within 24 hours, and the first fix offered
resolved the problem:

A) Close all web accelerators and security software. (I found that it
doesn't seem to be possible to fully close down AVG... two of its modules
fail to disappear when told to do so via the Windows Task Manager.)

B) Rename the SoftwareDistribution folder. The procedure for doing this was
given as follows:
--------------------------------
1. Click "Start", "Run", type: "cmd" (without quotations) and press
"Enter". In the command window, type "net stop WuAuServ" (without
quotations) and press "Enter".
2. Click "Start", "Run", type: "%windir%" (without quotations) and press
"Enter".
3. Right-click the SoftwareDistribution folder and choose "Rename", type
SDOLD as the new name.
4. Click "Start", "Run", type: "cmd" (without quotations) and press
"Enter". In the command window, type "net start WuAuServ" (without
quotations) and press "Enter".
Note: This folder will be created automatically after starting Automatic
Updates service. Only Windows Update history will be lost. To check
which update is necessary, I suggest we check updates on update website.
Now try Update to see if the issue has been resolved.
--------------------------------

So:
C) Go back to Windows Update and download & install what's offered.

If, like me, you use the "custom" facility at the Windows Update web site,
you will find that previously hidden updates are once more offered for
download; you have to hide the things you just don't want (such as IE8) all
over again (expand, and check "don't show me this again").

KB979683 *was* again offered for download. I went through the
download/install/reboot procedure, and this time the update "took"--that is,
the damned shield icon offering KB979683 has at long last gone away, and the
Windows Update web site is no longer offering it.

D) Re-enable accelerators and security software.

The MS e-mail did offer alternative procedures to try if the above didn't
work (manual download of the problem update to disk from a specified
location, followed by installation in safe mode; and procedures for sending
them logs if even that didn't work) ... but happily I didn't need to follow
those instructions.

Thanks, that's similar --renaming, and thereby recreating, the
SoftwareDistribution folder--did the trick.

I doubt, BTW, that OEM drivers were the problem in my case unless supplied
with the motherboard or with the DVD drive; the PC was built for me from
fairly standard parts by a friend; there's nothing very special about it--no
unusual hardware, no hidden partitions, or any such.

<looks up "clean boot">
Oh, right. I imagine it would.

I'm not so sure about that. See below.

TBH I don't understand what's special about KB979683 that would cause its
installation to behave differently from a bunch of other Windows patches
downloaded and installed at the same time (the April group of XP updates)
and under the same conditions (were none of the others kernel updates?). Nor
do I understand why, if AVG were the cause, renaming (and thereby
recreating) the SoftwareDistribution folder would have solved the problem,
given that the subsequent standard download/install of KB979683--with AVG
running normally--ran without a hitch.

AVG (unlike, for example, Norton) is a fairly well-behaved AV app.

OK... IF the problem occurs again with another Windows Update patch, I may
try your advice as regards file location exclusions and clean boot, but I'd
assume that KB822158, which relates to "Microsoft Windows when it is used
with antivirus software in an Active Directory domain environment or in a
managed business environment" isn't meant to be applicable to this home-user PC.

Anyway, I posted my solution (which was, after all, method #1 suggested by
MS tech support) because this thread might be found by others experiencing
the same problem--and who might be desperate to get rid of that damnably and persistently insistent shield icon...

You may feel that it's an uninformative workaround and yes, it may fail to
prevent a recurrence of the problem with another update, but I'm not a
Windows Update MVP (I used to be an MS Word MVP, but that's another story)
and it did have the following virtues: (1) it was easy to do, and (2) it
worked.

MowGreen · 17-04-2010

Your post is *quite* informative and I have *no* quibble with it.
What I'm questioning is *the tech* who had you wipe out the
SoftwareDistribution subfolder without having you first attempt to
install the update from the Clean boot state.
Now we'll never know what was the *specific* cause of the repeated
reoffering issue for your system or for that matter, anyone who reads
this thread if they just go ahead and recreate SD without first
attempting to install KB979683 from a Clean boot.

It was the only update for the Kernel. In the past there have been
varying issues with Kernel updates. Ottmar posted the workaround for the
OEM issue in XP. There are also at least 2 more issues that are not just
limited to XP, one caused by 3rd party software interference with the
replacement of the Kernel ( resolved by a Clean boot ) or, the presence
of UNsigned system binaries in the Catroot subfolder ( occurs in XP;
resolved by running sigverif.exe and, if UNsigned system binaries are
present, the deletion of tmp.*,cat files from the Catroot subfolder. If
you have the time to waste, here's a blog post of mine from the previous
Kernel update that explains all of the above issues a little better:

No, it's not just applicable to what MS states at the beginning of the
KB, it's also applicable to the Home User. It's been edited, last edit
appears to be around February 2, 2010.
I know many Users, including my clients, who have configured their AVs
to not monitor nor scan %windir%\SoftwareDistribution\Datastore
in Windows XP, Vista, and Win 7.

That location contains the database for all update activity,
DataStore.edb. That file in particular can become damaged/corrupted due
to it being locked (in use) and the AV will continually attempt to open
it to scan it. Also, an AV may also try to prevent or hinder writing to
it, which again, can cause it to become damaged/corrupted.
Anyway, the choice is yours, not mine.

And ... thanks for posting back with the resolution provided by MS. Most
of the posters in this NG never come back with resolutions provided by
MS or even post back to say that what we recommended actually resolved
their system's issue(s) or not.

It's still mid-Friday afternoon here but I hear a pint a callin' ...
have a great weekend, Peter. Again, thanks for posting the fix that MS
Support supplied and, going by the manner in which Users apparently
receive assistance, will need to supply again and again until they
finally realize that a Clean boot should be the first and *only* step in
troubleshooting update installation/reoffering issues.
If that doesn't resolve said issues, then they can go to the next one
instead of recommending 2 different steps right off the bat.
Apparently they're pressed for time and are just following a required
script.

PA Bear [MS MVP] · 17-04-2010

If you can't run the Fix It (which cannot harm anything), that could be a
symptom of an infection (despite the eventual success you had).

I asked about those AVG components in hopes that you hadn't installed any of them!

We'd have to rely on your memory (or the invoice from when you purchased the
computer) to know if a Norton or McAfee free trial came preinstalled on the
computer when you bought it.

Peter Boulding · 17-04-2010

I'm not sure I want to try. I hate to rock the boat, especially when the
seas are inevitably choppy already as I acquaint myself with, and customize,
this PC and its software.

Now you come to mention it, we installed none of these. I forgot to
mention them since, unlike their 'identity protection' module, they don't
appear as options in my AVG main window.

The PC could, of course, be riddled with nasties right now as a result of my
failure to install all these new-fangled protections-for-the-addle-pated
before visiting the Literotica web cams and dodgy Russian download sites but
recent scans by newly-updated AVG, SuperAntiSpyware, and Malwarebytes gave it a clean bill of health.

Well, I haven't right-clicked on 2,033 *.exe files and selected their
Version tabs in order to see whether they come from Norton or McAfee...
ditto 6,869 *.dll files, and so on, but their presence is unlikely since the
PC builder and I discussed software to be pre-installed and agreed on AVG
before he built the thing.

I hope you'll forgive me if I place a "keep" on that message (and, indeed,
on the whole thread) but decline to immerse myself in the intricacies of
Kernel Updates MS-Style right now.

Many thanks, though, for your--and everyone's--advice. I find the decline of
usenet (thanks primarily to the Evil Empire that is Google) both insane and
seriously depressing. It's an invaluable resource.

Thank you; I shall: I'm a Formula One addict so my eyes will have become
delectably rectangular by Sunday afternoon.

Now you're starting to sound like a soap box evangelist. You do realize that
this is Microsoft we're talking about?

OK... <reruns the two fixit packages>
The results are exactly as before:
I'll run new scans tomorrow...
I assure you, they ain't there.

SuperAntiSpyware found two tracking cookies stores by IE (which I rarely
use, preferring both Firefox and Opera). I'll have to check my IE
security/privacy settings. Nothing else.

Neither AVG nor Malwarebytes found anything.

P4WM7YLA5NMI · 17-04-2010

I have the same problem.

I have XP Pro SP3 and I get the nag for the re-installation of th
update even though it shows in add and remove programs. I'm trying t
do the fix the Microsoft provides, but I hang at

ren %systemroot%\System32\Catroot2 oldcatroot2

I get an 'access denied' even though I am an administrator. I have
installed some hardening programs and I seem to remember that there is
some sort of switch somewhere to protect system files, but I don't
remember where.

I am running Sunbelt Personal Firewall and Avast, but even disabling
the Firewall and disabling the Avast on-line shields doesn't stop the
problem.

I would like to try this simple command-line fix to see if it works
before going on to the more elaborate and messy fixes discussed above.
Anyone able to tell me how to get around the 'access denied' problem?

What I did do was follow Freudi's directions: I downloaded the
standalone installer for the patch, copied Freudi's command line with
the overwrite paramter to a text file, rebooted under safe, opened a
command line console and installed with Freudi's command from the text
file.

It worked, so at that level, goodbye to the nags.

I am curious about the following:

1. For next time, how do I get around the access denied problem? What
is the most likely cause?

2. Is there any danger that in using the overwrite parameter I have
overwritten my-manufacturer-specific code? So far I have been using the
computer for some hours and have seen nothing wrong. I do have a
day-old system disk image I can fall back on if something comes up, but
I would be happy to know what I've lost by this method if anything.

3. Wouldn't it be easier for Microsoft to fix the patch so that it
takes care of the problem automatically?

Peter Boulding · 17-04-2010

Why not try MowGreen's "Clean Boot" approach (see elsethread)? That should
deal with any anti-malware stuff that gets loaded at startup.

And before you rename any folders, why not see whether accepting yet one
more download and install of the patch under clean boot conditions does the
trick?

(I'm assuming that you are logging on to Windows with administrator
privileges...)

Possibly by booting in Safe Mode (using arrow keys and enter--'cos the mouse
won't work--select it from the menu that appears when you keep tapping F8
immediately after powering on or rebooting) and more likely by doing the
clean boot (see <http://support.microsoft.com/kb/310353>).

Maybe security software (e.g. a firewall, or an antivirus or antispyware
application). Possibly the kind of nasty that said software is supposed to
prevent. Or maybe something else that I don't know about.

I would assume that you're spot on; that the whole point of the overwrite
parameter is to allow Windows to ditch your manufacturer-specific code. One
would be happier if one knew what application might have had the temerity to
replace a chunk of kernel code in the first place.

Oi, experts, is that a common practice?

There is so much wrong with that question that it's difficult to know how to
answer. For starters you put the words "easier" and "Microsoft" in the same
sentence. Second, you're talking about the company that got its initial
boost by telling IBM it could write a disk operating system faster than
Digital Research when in fact it couldn't write one at all but knew a man
who probably could, although no better or faster than Digital Research.
Next... Well, I could go on. And on, but I'll jump to "and finally": and
finally, see (2) above.

P4WM7YLA5NMI · 18-04-2010

I looked at the clean boot instruction from Microsoft and it probabl
is a little safer than Freudi's method (speaking abstractly withou
knowing the details of what Freudi's method actually did, if anything
to manufacturer code). I would still like to know if Freudi's metho
actually overwrites manufacturer code. According to Microsoft's ow
documentation the problem arises because some of the installed binarie
are not digitally signed; the trick seems to be to find a workaroun
that makes the installer ignore this.

As for your remark about Microsoft, I am reminded of Churchill's remar
about democracy, that it is the worst system except for all the others.
This I say having been completely disillusioned with Linux and no
having the money to buy an apple.

MowGreen · 18-04-2010

IIRC, workaround is for the issue of when oem inf files are
causing the update's detection logic to identify the OS Kernel files as
OEM *driver* files. The KB979683.log, located in %windir%, will have
entries similar to this:

69.340: c:\windows\system32\ntoskrnl.exe is in the list of oem
drivers...skipping copy!
80.656: c:\windows\system32\ntkrnlpa.exe is in the list of oem
drivers...skipping copy!

One symptom of this issue will be that after KB979863 purportedly
installs there is no prompt to restart the system. That's because the
above files are *not* being replaced. IF they were being replaced, the
system would most definitely need a restart as the files are in use and
can not be replaced in that state.

I'm on my way out now but here's a semi-coherent explanation of 2 known
issues that will prevent XP Kernel updates from installing successfully.
The second workaround was provided by 'someone' from MS. Unfortunately,
I can't remember his name and which specific Product Group he works in:

Fix for the repeated offering of KB971486 in Windows XP

**jpsarge** · 02-05-2010

I was able to overcome the problem with KB979683 by downloading Microsoft Security Essentials and running a full scan on my computer. It found a rootkit virus that none of the other free AV products (tried Avast, Antimalware, a2squared) could detect. After rebooting, I tried running the security patch again, and it went right in.