I had the displeasure of opening the Control Panel on my Windows 10 (1607) machine this Sunday morning and finding an entry I didn’t know about and hadn’t installed myself; otherwise I’d remember having done so.
Here’s what I saw:
Being a sysadmin dealing with security, I immediately thought: “OMG! My children, running as standard users, have been able to install software that performed a privilege escalation despite the hardened configuration I set up.”
In less than 2 seconds, knowing exactly which registry keys are queried to populate these entries in the Control Panel, I realized that my kids, who have been somehow trained in social engineering tactics… wouldn’t have fallen into this basic trap and installed something called “Windows 10 Update and Privacy Settings”.
Sure, my 10-year-old son was able to identify the malicious tactics described in the article “Breaking down a notably sophisticated tech support scam M.O.” a few weeks before that article was published.
Mystery solved. As you can see above, there’s a URLInfoAbout value that points to http://support.microsoft.com/kb/4013214, and it’s not a fake.
Is it legitimate?
Also knowing how to find the other footprints of this installation in the registry, I was able to identify where the MSI file is stored on disk.
Using the local package path, I can check its digital signature like this:
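The registry walk and the signature check described above, as an added PowerShell example that is not from the original post. It assumes an elevated PowerShell session on Windows 10; the display name is the one from the post, and the Uninstall and Installer\UserData key locations are the standard Windows ones.

```powershell
# Added example (not from the original post): follow the registry footprints of a
# Programs and Features entry and verify the Authenticode signature of the cached MSI.
$Name = 'Windows 10 Update and Privacy Settings'   # display name seen in the Control Panel

# 1. Programs and Features is populated from these Uninstall keys (per-machine and per-user).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
$entries = Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -like "*$Name*" }

foreach ($e in $entries) {
    [pscustomobject]@{
        Key          = $e.PSPath -replace '^.*::'    # strip the provider prefix
        DisplayName  = $e.DisplayName
        Publisher    = $e.Publisher
        InstallDate  = $e.InstallDate
        URLInfoAbout = $e.URLInfoAbout              # the KB link mentioned in the post
        Uninstall    = $e.UninstallString
    } | Format-List
}

# 2. For per-machine MSI installs, Windows Installer keeps a cached copy of the package;
#    its path is the LocalPackage value under the SYSTEM (S-1-5-18) product key.
$productsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
$props = Get-ChildItem -Path $productsKey -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -LiteralPath "$($_.PSPath)\InstallProperties" -ErrorAction SilentlyContinue } |
    Where-Object { $_.DisplayName -like "*$Name*" }

foreach ($p in $props) {
    "Cached package: $($p.LocalPackage)  (install source: $($p.InstallSource))"

    # 3. Check the cached MSI's digital signature: Status must be 'Valid' and the signer
    #    must be the publisher you expect for this product.
    $sig = Get-AuthenticodeSignature -FilePath $p.LocalPackage
    $sig | Select-Object Status, StatusMessage,
        @{ n = 'Signer';     e = { $_.SignerCertificate.Subject } },
        @{ n = 'Thumbprint'; e = { $_.SignerCertificate.Thumbprint } }
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature on $($p.LocalPackage) is $($sig.Status): $($sig.StatusMessage)"
    }
}
```

A valid Microsoft signature tells you the package is genuine, not that you consented to its installation, which is the point the rest of the post makes.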
What irony! Something legitimate called “Windows 10 Update and Privacy Settings” was installed automatically via Windows Update without prompting me. I could have been prompted, as with any license agreement, with a message saying: “Hey! We are preparing the 1703 / Creators Update deployment and need you to pay attention to this update and install it before we can run the upgrade.”