dimitrih88
New member
- Mar 21, 2024
- 3
Greetings,
I would like to start off by saying thank you for answering my previous request regarding curl and getting that solved. For those that don't want a wall of text, my question is at the bottom. Feel free to skip this.
I have already created a script that does dism scanhealth, then checkhealth, read the output of checkhealth, confirm its bad, then read the cbs.log file and match on curl.exe. this gives me the version it's requesting. I then can do a dism restore, pointing to the directory where I have multiple WinSxS folders for curl. I then check the state of CBS by doing dism checkstate again, getting the output. So automation isn't a problem here.
The problem is the number of different variations of curl that could be requested on these "broken systems" and without an upstream to Microsoft, the systems have to be manually provided the files.
I think for most of us, we started patching curl when it started popping up on vulnerability scanners. Less than a year ago? We created scripts to change permission of the curl file in both System32 and SysWow64 folders then injected the updated curl files, this satisfied the vulnerability scanner.
Looking back, might have been easier to disable it with permissions rather than updating / deleting in some cases.
So right now, some of us are finding out curl was a big deal when it came to updates and the CBS store, etc and how replacing that file essentially causes a hash mismatch causing patching to fail.
IPU as a solution was recommend but in my scenario, cannot be used as the Windows 10 builds users are currently on have to stay that way for one reason or another until approved for upgrade.
Another solution would be a Reimage of the current build, then upgrade to latest patch set, obviously removing the Non Microsoft curl upgrade from this and future set of patches.
TL;DR:
It seems that the curl that was provided was what I consider "version locked" meaning the versions / sha have to match with what the system has registered in the component database. Knowing that, how would I go about fixing this on a more widescale approach where the machines are in an air-gapped environment.
Does Sysinternals or Microsoft have a zip package that has a good amount of these curl folders for WinSxS that I could package on an offline disk and run my script against so dism has a bunch of folders to chose from.
If a package isn't available, is a list of links from Microsoft available? I would gladly have someone download them all to get this issue resolved.
Thank You again for your time!
I would like to start off by saying thank you for answering my previous request regarding curl and getting that solved. For those that don't want a wall of text, my question is at the bottom. Feel free to skip this.
I have already created a script that does dism scanhealth, then checkhealth, read the output of checkhealth, confirm its bad, then read the cbs.log file and match on curl.exe. this gives me the version it's requesting. I then can do a dism restore, pointing to the directory where I have multiple WinSxS folders for curl. I then check the state of CBS by doing dism checkstate again, getting the output. So automation isn't a problem here.
The problem is the number of different variations of curl that could be requested on these "broken systems" and without an upstream to Microsoft, the systems have to be manually provided the files.
I think for most of us, we started patching curl when it started popping up on vulnerability scanners. Less than a year ago? We created scripts to change permission of the curl file in both System32 and SysWow64 folders then injected the updated curl files, this satisfied the vulnerability scanner.
Looking back, might have been easier to disable it with permissions rather than updating / deleting in some cases.
So right now, some of us are finding out curl was a big deal when it came to updates and the CBS store, etc and how replacing that file essentially causes a hash mismatch causing patching to fail.
IPU as a solution was recommend but in my scenario, cannot be used as the Windows 10 builds users are currently on have to stay that way for one reason or another until approved for upgrade.
Another solution would be a Reimage of the current build, then upgrade to latest patch set, obviously removing the Non Microsoft curl upgrade from this and future set of patches.
TL;DR:
It seems that the curl that was provided was what I consider "version locked" meaning the versions / sha have to match with what the system has registered in the component database. Knowing that, how would I go about fixing this on a more widescale approach where the machines are in an air-gapped environment.
Does Sysinternals or Microsoft have a zip package that has a good amount of these curl folders for WinSxS that I could package on an offline disk and run my script against so dism has a bunch of folders to chose from.
If a package isn't available, is a list of links from Microsoft available? I would gladly have someone download them all to get this issue resolved.
Thank You again for your time!
Last edited:
