Blacklist Windows Update

[Macedonio Heninger]

Ihave discovered that my Windows 10 Pro installation automatically downloads and installs Synaptics touchpad driver. All well I suppose, with automatic updating and stuff, except that the driver is an abomination (the fact I have observed to be true for many generations of the driver, as each new version is just an iterative update). The driver has my cursor disappearing and freezing despite me frantically "fingering" my touchpad. I am an IT professional and completely depend (don't we all) on being able to interact with the computer, and the driver is simply not up to par. It worked better in Windows 7, but was never great, really, and now it hit the new low. Nevertheless, Windows seems to think it is a good update candidate, and I have apparently no say in the matter.

Removing the driver (uninstalling it in Device Manager and/or doing so from Programs where it is listed as well) only brings temporary relief, before Windows automatically downloads and re-installs it again. Welcome to 2015, people.

I do not want to disable automatic updates, I am sure most of them are useful, but there are certain things I should be able to opt out of, at least certain versions of upstream drivers, skipping these entirely.

Should I setup WSUS or something? What choices do I have? This touchpad issue drives me nuts. Maybe I should resort to fixing the driver myself, somehow? I checked with Synaptics' own webpages, and the driver that Windows pushes on me is even newer than the one they list as newest on their pages!

Yes, this solution does not allow you to block some particular driver or some particular update. Instead, it blocks all the driver updates. But its still better than nothing, because when windows keeps re-installing the driver update no matter how hard you try to prevent it, it all gets very annoying.

Don't waste your time on the "Hide update" tool from Microsoft that you mentioned: when you do the above steps, this tool will start seeing and blacklisting the driver update, but the windows update service just ignores that! It keeps installing the update that is supposed to be hidden. So this tool simply doesn't work.

Why in your case it doesn't even see an update, is because the Device Install Service starts installing it instantly, after which it is no longer a pending update and is therefore "uninteresting" for this tool.

Trying to blacklist Windows Events 4688 and 4689 that come from the Splunk Universal Forwarder, I've checked the regex and it looks right according to I've looked through many of the different links and haven't seen anyone doing this specifically. Has anyone else had any luck with this?

If the title of the question is correct "on a universal forwarder", then you can't. To filter data, using those configs, before sending it to a indexer you need a heavy forwarder. If you still want to keep the universal forwarder, you need to apply those configs in the indexer instead.

More on forwarder types from docs:

Positive. EventLog filtering is a Windows-only configuration. That table you reference also has Light Forwarders, which in most practical instances, are not used any more. The "Per-Event Filtering" is probably a generalized statement as it only applies to "Windows Event Logs" only. Any other file, monitor, script, etc will not be filtered like the Windows Event Logs.

I have installed Splunk Universal Forwarder Version 6.1.1 and Indexer also on 6.1.1. I am trying to understand the various option to filter EventCode with these version of Splunk. I think Splunk has introduced some new capability to have whitelist and black list in the Universal Forwarder input stanza .

I would like to additionally resend into Splunk a "whitelisted" "System" logs, but only for "error" and "critical"; i.e., not EventID based as I am not sure what they are, plus do not wish to index informational garbage.

FWIW, I tested multiple versions of all this, to no avail. I even read a Splunk blog that's often cited by similar questions... I love it when you read "accepted answers" for your questions, and docs, and blogs, and NONE of what they say work until you experiment on your own and stumble upon a solution, happens more times than I want to admit.

Using a deployment server (6.5.1) and Universal Forwarders (6.5.1.). Don't know if all that other cruft is necessary, but it works for me. Oh, and make sure you don't have more than one [WinEventLog://Security] stanza.

Another thing to Watch out for is > if data is ingested on Universal Forwarder you need to add blacklist to input stanza on Splunk Universal Forwarder.

If the Data directly ingested from indexer in that case input with blacklist will go to indexer.

In 6.0 one could filter on just the event code on windows event log modular input. In 6.1 Splunk introduced a regular expression filtering capability. A good blog post can be found here: -4662-messages-in-the-windows-security-event-log/

You may want to consider, rather than blocking all updates, managing updates with WSUS. Assuming you have a copy of Windows Server and your clients are in a domain, it's a free option that you can use to only deploy updates when and where you want them.

Its simple go to start menu> control panel (view by small icons)>administrative tools > services. Search for Background intelligent transfer service and windows update ...stop the services and on properties disable them

I hope this isn't a dumb question but I'm not a network expert, I'm just in charge of taking care of our network. We have a MX64, MS220-8P and MR33. With the looming loss of support for Windows 7 I've been wondering if it would be possible to cut all Win 7 clients off from the internet or possibly from the whole network. I'm working to make sure any machines that actually need to be used are replaced or upgraded but just in case someone brings in a laptop from home or there's one lurking around here it would be nice to block it. Even better would be to block everything prior to Win 7 as well.

I see that the Meraki dashboard knows if a client is Windows 7, 8 or 10. Seems like it might theoretically be possible to do what I want, even if it wasn't perfect. False negatives would be preferred over false positives - in other words, I'd rather let a Win 7 machine touch the web occasionally than block a Win 10 machine.

@CodeMercenary So under the MR dashboard under clients, you can see in the dashboard that they have previously connected (last 30 days) and/or are currently connected. Now that you have them listed in dashboard (under OS they are indentified as Windows 7 - you can search for just windows 7 etc), if you select each one and then apply to a policy you have created that either limits what they can access or block them entirely using the default 'block' action

Windows is able to blacklist bad memory addresses using the bcdedit tool. However it only blacklists page of memory (4KB) instead of single address. In order to convert from memtest86 single address syntax to bcdedit pages syntax I had to remove the last 3 letters from each memory address (since 0xFFF is 4KB).

h. disable device

0 = enable device; 1 = disable device

If darktable detects a malfunctioning device it will automatically mark it as such by setting this parameter to 1. If you have a device that reports a lot of errors you can manually disable it by setting this field to 1.

Start an Issue in GitHub for Feature Request to remove the Neo as blacklisted for windows. Provide screenshots or some info that shows it working on your system with current drivers. Test using multiple heavy openCL modules (D&S). Without an issue and test data, it will remain blacklisted

Blacklisting and non-blacklisting special combinations is a no-go for me as there is no way to check all cases.

We could offer some way to override blacklisting via preferences though for easier testing.

After some more testing I observed that it crashes whenever I try to enable highlights reconstruction in filmic and that using the color zones module produces artifacts in the blown highlights at export.

Local Termination of Wacom tablets provides the best user experience in networks with high latency, however some features of the tablet may not be fully supported with local termination. A HID local termination blacklist has been added to override the preferred local termination mode.

Devices on the blacklist would be bridged to the remote desktop. To enable the HID local termination blacklist, add the following setting to %APPDATA%\Teradici\Teradici PCoIP Client.ini. The vendor and product IDs are separated by a comma and multiple devices are separated by a space.

I recently upgraded to windows 10. I've got a software which I use to run while on windows 7. It was possible to add tools by simply opening the software editor folder and dropping the require file type. Ever since I upgraded to windows 10, each time I attempt this process, I get an error message telling me the folder is blacklisted... I noticed this folder is a sub to the 'appdata' folder in users (which I've already made visible).

But, if there was a whitelist, and you add the contact to both the whitelist and blacklist, what would you hope the result would be? Do we follow your explicit instruction to move the message, or do we follow your other instruction not no move the message?

To remove an address you previously added to the Blacklist Rule, go to Menu > Rules and open the Blacklist Rule. Addresses and domains are listed in the order you added them, so scroll through the list, find the address and remove it as @sunriseal suggested.

3a8082e126