Today I got the following message:
Computer was frozen and the only button available was "Get Updates".
I don't need this feature, I need to work, not serve my machine the time she wants.
Currently I did a cold reboot and had time to open Task Manager and Process Explorer on different screens before the message appeared again. Due to the bug in the application, I was able to kill the MusNotification.exe process.
Unfortunately, I am unable to restrict system access to musnotification.exe and musnotificationux.exe files, or add them to antivirus blacklist.
How to ban this feature?
Answer
Unfortunately, I am unable to restrict system access to musnotification.exe and musnotificationux.exe files
From my observations, "restrict system access to musnotification.exe and musnotificationux.exe files" is an effective method of blocking that message, if you have administrator privilege.
Paste these lines to elevated cmd to deny Everyone from executing the two files:
cd /d "%Windir%\System32"
takeown /F MusNotification.exe
icacls MusNotification.exe /deny Everyone:(X)
takeown /F MusNotificationUx.exe
icacls MusNotificationUx.exe /deny Everyone:(X)
rem
I have managed to create a Hyper-V virtual machine that can test this "feature".
- Clean install Windows 10 Enterprise LTSB
- In gpedit.msc change Windows Update to Notify download
- Check for updates, but reboot when it begins to download.
- Run usoclient StartScan and wait for the CPU usage to drop to normal. Save a virtual machine checkpoint.
Now, changing the system date to one month later (!) will 100% immediately trigger the "Updates are available" message.
However, if I restore the checkpoint and paste the commands above, changing the date will do nothing special.
Edit:
To undo the changes, run the following commands:
cd /d "%Windir%\System32"
icacls MusNotification.exe /remove:d Everyone
icacls MusNotification.exe /grant Everyone:F
icacls MusNotification.exe /setowner "NT SERVICE\TrustedInstaller"
icacls MusNotification.exe /remove:g Everyone
icacls MusNotificationUx.exe /remove:d Everyone
icacls MusNotificationUx.exe /grant Everyone:F
icacls MusNotificationUx.exe /setowner "NT SERVICE\TrustedInstaller"
icacls MusNotificationUx.exe /remove:g Everyone
rem
This removes the execution restriction first, and temporarily grants Everyone full access to the relevant two files, so that you are able to change the owner of the files back to Windows (TrustedInstaller). After the ownership change, the temporary full access is removed. This is tested on Windows Server 2016 TP4 and does bring back the awful dialog, if I change the system date to 1 month later.
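To confirm which state the two files are in after running either command set above, the following PowerShell check reports each file's owner and whether an explicit deny-execute entry for Everyone is present. It is an added example, not part of the original answer; the function name Get-MusNotificationAclState is hypothetical, and the SIDs are the well-known values for Everyone and NT SERVICE\TrustedInstaller.

```powershell
# Added example (not from the original answer): report the owner and any
# explicit "deny execute" ACE for Everyone on the two files named above.
$everyone         = 'S-1-1-0'   # well-known SID for Everyone
$trustedInstaller = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$sidType          = [System.Security.Principal.SecurityIdentifier]
$execute          = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Get-MusNotificationAclState {
    # Hypothetical helper name; -Directory defaults to the path used in the answer.
    param([string]$Directory = (Join-Path $env:windir 'System32'))

    foreach ($name in 'MusNotification.exe', 'MusNotificationUx.exe') {
        $path  = Join-Path $Directory $name
        $state = [ordered]@{
            File                    = $name
            Exists                  = (Test-Path -LiteralPath $path)
            OwnerSid                = $null
            OwnedByTrustedInstaller = $false
            EveryoneDenyExecute     = $false
        }
        if ($state.Exists) {
            $acl   = Get-Acl -LiteralPath $path
            $owner = $acl.GetOwner($sidType).Value
            # Explicit (non-inherited) ACEs only, with identities returned as
            # SIDs so the check does not depend on the localized "Everyone".
            $deny = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq $everyone -and
                ($_.FileSystemRights -band $execute) -eq $execute
            }
            $state.OwnerSid                = $owner
            $state.OwnedByTrustedInstaller = ($owner -eq $trustedInstaller)
            $state.EveryoneDenyExecute     = [bool]$deny
        }
        [pscustomobject]$state
    }
}

Get-MusNotificationAclState | Format-Table -AutoSize
```

After the deny commands, both rows should show EveryoneDenyExecute as True and OwnedByTrustedInstaller as False, because takeown /F assigns ownership to the account that ran it. After the undo commands, both values should be reversed.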