How to deploy Meltdown patches - in Windows 7/8/10

Updated: January 12, 2018

Meltdown. Spectre. You must have heard of these recent vulnerabilities in Intel's processors. As a consequence, there has been a flurry of security updates everywhere, in an attempt to patch these issues. Microsoft also released its own set, and warned users that they would not receive the updates if their anti-virus software is incompatible.

Hundreds of "tech" websites hurried to parrot this message, including copying the registry key hack that can work around this, in an attempt to scrape an extra click from this would-be drama. Not a single site actually bothered to ask: what if you run NO anti-virus software? I guess in the herd mentality world (the so-called fake news audience), there's no place for critical thinking. In this tutorial, I would like to show you what you need to do to obtain the January 2018 patches for the Meltdown and Spectre vulnerabilities, and how to remain up to date even if you run no anti-virus programs. After me.

Test systems

I actually tested this on no fewer than six different systems, because I believe it is irresponsible to talk about something without personal experience. I did this to check how to deploy the patches - and also to evaluate the performance and stability impact. We will discuss the latter in a follow-up article.

Windows 7 example 1

We're talking a 2010 HP laptop with Windows 7 SP1, Nvidia graphics, limited user, EMET and SuRun for security, and no anti-virus whatsoever. This laptop was last patched in May 2017.

I decided to run the January 2018 security update right away - without installing anything in between May and now, to see how this would work out. I also did not configure the registry key. I grabbed the update from the Microsoft Update Catalog and ran the standalone installer. Seems okay. Reboot. All good so far.

Install patches

Installing patches

After the reboot, I ran Windows Update (WU) again, and it listed all the other patches, which I installed before rebooting once more. No issues. And also, no visible performance degradation, even though this is a first-gen i5 machine, now pushing into its eighth year.

Second round

Second round, installing

And the last round of update checks:

After reboot

Completed

What about the QualityCompat registry key?

I tried this on another Windows 7 machine. Set the key. Then restart the WU service (wuauserv); you do not need to restart the machine. Once you do this, you will see the January update available. Do notice that applying the patch above did not set the key - the standalone installer works without it, but WU will not offer the update until the key exists.

No registry key

Key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"

Added key
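To make the key step above repeatable, here is an added PowerShell example (my addition, not code from the original article). It checks whether the QualityCompat value listed above is already present with data 0, creates it if it is missing, restarts the Windows Update service so the key is re-read without a reboot, and then looks up whether either of the January 2018 Windows 7 packages mentioned in this article (KB4056897 or KB4056894) is installed. The function names are my own; the registry path, value name and KB numbers are the ones given on this page. Run it from an elevated prompt on Windows 7/8.1/10.

```powershell
# Added example: gate-key check for the January 2018 Windows updates.
# Registry path and value name are exactly as documented by Microsoft
# (and quoted in the article above); function names are my own.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-QualityCompatKey {
    # $true only when the DWORD value exists AND its data is 0,
    # which is what Windows Update looks for before offering the patch.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 0)
}

function Set-QualityCompatKey {
    # Create the key if needed, then (re)write the REG_DWORD value with data 0.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

if (Test-QualityCompatKey) {
    Write-Host 'QualityCompat value already present; WU should offer the January 2018 update.'
} else {
    Write-Host 'QualityCompat value missing; adding it now.'
    Set-QualityCompatKey
}

# The value is read when the service starts, so a service restart is enough.
Restart-Service -Name wuauserv -Force

# Windows 7 SP1 packages named in the article: security-only and monthly rollup.
# (Windows 8.1 and 10 use different KB numbers, which this page does not list.)
$JanuaryKbs = 'KB4056897', 'KB4056894'
$Installed  = Get-HotFix | Where-Object { $JanuaryKbs -contains $_.HotFixID }
if ($Installed) {
    $Installed | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Host 'Neither January 2018 Windows 7 package is installed yet; run WU or the standalone installer.'
}
```

The script deliberately writes the value only when the check fails, so running it twice is harmless. Remember what the value means: Microsoft uses it as a statement from the anti-virus vendor that its product is compatible with the kernel changes. Setting it yourself is exactly what this article does on machines with no anti-virus, but on a machine that does run AV, let the vendor set it.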

Security vs Monthly Rollup

There's also a question: which one should you use? KB4056897, the security-only update released on January 3/4, which we just used, or KB4056894 (notice the lower number), the monthly rollup released on January 9? The actual release dates can be seen in the Microsoft Update Catalog, whatever the article titles state. The answer is that it makes no difference: the security fixes are identical in both, and so is the impact on the system. The rollup is simply cumulative and also carries that month's non-security fixes. But to that end, we move to our second test box.

Windows 7 example 2

This is a 2011 gaming desktop (still an immensely powerful and capable machine), with Nvidia graphics (upgraded to GTX 960), admin user, EMET for security, and no nonsense software. Here, I enabled the registry key and installed the monthly rollup. Reboot. All good. Everything is stable. And also runs well. More on this later.

After adding the key

Windows 8.1 example

I tried this on two machines, but specifically on a 2014 Lenovo IdeaPad Y50-70 laptop, with hybrid Intel-Nvidia graphics, admin user, EMET for security. No anti-virus software, because it's unnecessary.

Here, I tried a more conventional approach - I applied all the Microsoft patches up to January, plus system drivers, including Nvidia. Then I ran the standalone installer based on the advisory, using the monthly rollup for Windows 8.1, again elegantly and easily obtained from the Microsoft Update Catalog. Installed. Rebooted.

Windows 8 update

After the reboot, everything was peachy. I also tried a few games, like my favorites - the first-person shooter ArmA 3 and the city-building strategy Cities Skylines. Both games worked without any issues. If anything, everything feels FASTER now than before. But we will discuss this in detail separately, as I have to give the whole scaremongering fest around performance and updates its due sermon.

Windows 10 example

Here, I used my Lenovo IdeaPad G50-70 test laptop from 2015, which I also use for extensive Linux distribution testing (it runs an eight-boot setup). It has a limited user, Exploit Protection in place, and Windows Defender TURNED OFF. Anyway, I let Windows 10 update itself to the max, and without the registry key, it did not offer the January rollup. I added the key, restarted the WU service, and then got the January stuff, too.

No key, no update

Key added, updates work

Installed

So we can say for certain that Microsoft has a very narrow approach here, but I guess they cannot really know whether you have an incompatible AV or none at all, just that the registry key is missing. Moreover, the key is only read when the service starts, which also tells us a little bit about how programs work and how they load stuff into memory pages, which is where this issue resides. So if there's any performance impact, it's most likely going to be during application startup. I will rant about this and the nonsense hype drama going on out there very soon.

Other examples

I also tried two more systems, one Windows 7 and one Windows 8, both 64-bit, and in all cases it was fine. The former is another desktop, similar to the gaming rig and also equipped with an Nvidia card (an old one, with an older set of drivers), while the latter is my Asus VivoBook from 2013, with Intel graphics, running an admin account plus EMET. No issues at all.

Other observations

Everything was fine. But still, if you're ever in doubt regarding future updates, you can always use offline tools like Autopatcher and/or the Microsoft Update Catalog, so you shouldn't feel exposed. Moreover, if you use sane security practices - limited user, EMET and/or the new and nice Exploit Protection in Windows 10 - you do not need anti-malware products. Relax and enjoy life.

Conclusion

We have everything here. Six systems from 2010 through 2015, five different generations of processors and three different hardware vendors, Windows 7/8/10, Home, Pro and Ultimate editions, Nvidia and Intel graphics, admin and limited users, no anti-virus software at all. I tested manual security and rollup updates, I tested with the registry key. I tried applications, video streaming, games. Everything was fine after these updates. I am very confident you will be fine, too.

I cannot express my disdain for the herd mentality around this issue, and the scare fest out there. So much copypasta nonsense, so little help. And no one actually bothers testing or checking things. But they complain about fake news, right. Anyway, I hope you find this article useful. If you're happy, support me, so I can sit on a nice sunny beach somewhere while the first-world dramas unfold elsewhere. Performance stuff coming in a few days.

Cheers.