T
thsc007
In link https://support.microsoft.com/en-hk/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in it is described, that 2 registry values need to be set to enable the fix:
To enable the fix *
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the computer for the changes to take effect.
To disable the fix *
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
After Installation of patch KB4056898 on a W2K12 R2 Server, both registry values doesn't exist. Do I need to set them manually? I couldn't believe that, I expected that the installation does it.
I did some check with the mentioned powershell script and saw that the result without existing registry values and enabled registry settings are different. The result without existing registry values are the same as disabled registry settings. Please note, that I always rebooted the Server after doing registry changes.
As a result it looks like that the patch really fixes nothing without additional registry settings, is this really true?
Please note, that I'm developping security compliance tools and need to report the correct result. It would be very helpful, if Microsoft documents this properly.
Continue reading...
To enable the fix *
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the computer for the changes to take effect.
To disable the fix *
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
After Installation of patch KB4056898 on a W2K12 R2 Server, both registry values doesn't exist. Do I need to set them manually? I couldn't believe that, I expected that the installation does it.
I did some check with the mentioned powershell script and saw that the result without existing registry values and enabled registry settings are different. The result without existing registry values are the same as disabled registry settings. Please note, that I always rebooted the Server after doing registry changes.
As a result it looks like that the patch really fixes nothing without additional registry settings, is this really true?
Please note, that I'm developping security compliance tools and need to report the correct result. It would be very helpful, if Microsoft documents this properly.
Continue reading...