Windows patch KB 3022345 triggers apparent sys file corruption

The problem appears to be common to versions 1, 2, 3, and 4 of the Windows patch

Like the proverbial bad penny, the Diagnostic Tracking Service patch KB 3022345 appears to be corrupting Windows files -- or at least, convincing Microsoft's System File Checker SFC /scannow command that there are corrupt files -- and the corruption occurs in at least three (and probably all four) of its versions.

Are we absolutely sure the files are corrupt? No. What we know for sure is that Microsoft's tool for detecting corrupt system files, SFC, is reporting they are corrupt.

If the KB number sounds familiar, I've written about it before.

The patch first appeared three weeks ago, on April 21, as part of a big rollout of non-security patches. The first version was for Windows 8.1, RT, and Server 2012 R2 only.

On May 5, we got version 2, which appears to be Windows 7-specific.

On May 6, Microsoft rolled out version 3, targeting both Windows 7 and 8.1. Microsoft confirmed to me that it had to re-release the patch because the old version was keeping people from getting additional updates.

On May 12, version 4 appeared as part of the hundred-or-so Black Tuesday patches.

On May 13, the KB article was revised to version 5. It now includes this note:

The current version of this hotfix, Version 2, was published on May 6, 2015. The previous version of this hotfix was Version 1.005. Both versions provide the same functionality and protection except that Version 2 includes a minor update to support devices that do not contain U.S. English language files. However, the current hotfix is not a compatible upgrade to Version 1.005 and may cause an error (800F0922) if it is installed over the old version. We recommend that you install this hotfix if you have not already installed it. If you have installed the original version of this hotfix and you want the added functionality, we recommend that you wait for an upcoming version that will be a compatible upgrade to either version.

With me so far?

Looking back on some correspondence with reader CA, I noticed a troubling trend. This is what CA said about version 3 (using my version numbers):

After installation of the updated patch, I experienced explorer.exe crashes (once after installing the patch and once today) which I had never experienced before. I couldn't see how this patch could be related, but I decided to run:

SFC /scannow

The diagnostic said "Windows Resource Protection found corrupt files but was unable to fix some of them." So, I checked the log (C:\Windows\Logs\CBS\CBS.log), ran the usual diagnostics (chkdsk, cleanup, etc), but was still unable to repair the bad files.

I was aware of corrupt payload problems with this patch and Windows 8, but this last update apparently has borked Windows 7 as well. I also know that this patch may not uninstall properly (at least on Windows 8), so I don't want to attempt it with Windows 7.

According to the log, there are eight bad files, all involving the KB 3022345 "telemetry client" (nice phrase for spyware).

Reader CA then referred me to a post by Alex on The Tech Cookbook, which describes a similar problem. In fact, Alex found the same problem twice, once for Windows 7, and again for Windows 8. The timing of the posts leads me to believe that Alex hit the problem with versions 1 and 2 (again, using my numbers).

There are additional threads and details all over the Web now, most notably on the Windows SevenForums and the Microsoft Answers forum. In many cases it isn't clear which versions of KB 3022345 caused the problems. But there's no doubt at all that KB 3022345 is causing SFC to detect corrupt files that it can't fix.

CA wrote back to me with an update:

Had explorer crash again today so I decided to take a chance and uninstall KB3022345 on one of my other Win 7 Ultimate machines (this machine also manifested unrepairable SFC errors due to the May 5 issued KB3022345).

Uninstall results in the following:

 1) Removes "Diagnostics Tracking Service."

 2) Cold boots without issue. No errors/warnings in the event viewer.

 3) SFC now reports "Windows Resource Protection did not find any integrity violations."

 4) KB 3022345 reappears in the update chute.

It appears the uninstall was successful and resolved SFC corruption errors.

I've since received independent confirmation about this behavior from many sources, including reader Canadiantech, who apparently is working with version 4.

Without any real description from Microsoft, speculation has run rampant that KB 3022345 is yet another piece of unwanted Windows 10 spy-and-or-nag-ware. I've found nothing to contradict that conclusion, and quite a bit in support.

With four versions in three weeks, most -- if not all -- of them triggering corruption errors, and yet another version apparently on the way, you really have to wonder who's minding the store.

Copyright © 2015 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon