SOLUTION: Cannot Uninstall Microsoft Security Essentials from Windows 10

Recently, I encountered two different workstations that had upgraded to Windows 10 from Windows 7 on which Microsoft Security Essentials inexplicably was not uninstalled during the upgrade process by Windows Setup.  This is baffling, because MSSE isn’t designed to work with Windows 10 (it doesn’t work), and plus, it precludes the use of Windows Defender, which is essentially the Windows 10 upgraded equivalent of MSSE.

If you’re in the same situation, you’ll also discover that it is impossible to remove Microsoft Security Essentials from Programs and Features; when attempting to do so, you simply receive a generic message which states “You don’t need to install Microsoft Security Essentials.”  That’s great, Microsoft, because we don’t want to install it, we want to uninstall it.

Anyway, the solution to this problem is actually quite simple:

  1. Press Windows Key + R to open the Run dialog.
  2. In the Open: field, type:
    • explorer "%PROGRAMFILES%\Microsoft Security Client\"
      and press ENTER.
  3. Highlight the file Setup.exe, right-click it, and choose Properties.
  4. Choose Compatibility.
  5. Click Change settings for all users.
  6. Check the box next to Run this program in compatibility mode for: and choose Windows 7 from the drop-down box.
  7. Click OK on all dialogue boxes to exit all windows.
  8. In the search box at the bottom of the screen, type cmd. At the top of the pop-up window, underneath the heading Best match, right-click Command Prompt and choose Run as administrator.
  9. In the Command Prompt window that opens, type the following command:
    • "%PROGRAMFILES%\Microsoft Security Client\setup.exe" /x /disableoslimit
  10. Follow the instructions to uninstall.

That’s it!

Special thanks to corrado_boy_g60 at the Microsoft Community for information leading to this solution.

SOLUTION: Mouse cursor freezes after typing in Windows 10

Recently, a client came to me with a problem where his mouse cursor would freeze for a few seconds after pressing any key on the keyboard in Windows 10.  The delay was driving him nuts, and I empathized with him after using the computer for a short time.

In retrospect, the problem appears to be mostly limited to Synaptics drivers, and only on systems where such drivers are installed and active within Windows 10 (which also features its own “precision” touchpad driver settings).

Fortunately, the solution — while elusive — was simple:

  • Search Mouse in the searchbox at the bottom of the screen; Choose Mouse & touchpad settings from the results
  • Choose Additional mouse options
  • Click the ClickPad tab, then click Settings…
  • Click the Advanced tab
  • Set the Filter Activation Time slider all the way to 0.

(Note the slider just below the touchpad diagram)

That’s it!

SOLUTION: Windows 10 Start Menu text is unreadable / too dark

This problem seems to affect primarily Haswell-based notebooks with Intel HD Graphics drivers in use.  I have not yet seen it affect Broadwell chipsets, but it may.

The issue is that the Start Menu text is too dark — and in fact, it becomes gradually darker — and illegible, fading into the background of the Start Menu.  While it seems likely that a Windows 10 setting (or theme) should be to blame, it actually is neither.

The problem is the Intel Graphics driver, which includes a setting that purports to implement application-specific fixes.  To correct the problem, all you have to do is disable the setting and reboot the PC:

  1. Right-click the Desktop and choose Graphics Properties…
  2. Choose 3D.
  3. Under Application Optimal Mode, click Disable.
  4. Reboot the PC.

The problem is solved!

It’s likely in the future that Intel will correct their driver optimization presets for the Windows 10 Desktop Window Manager / Explorer.exe, but until that day, this is the correct workaround.

SOLUTION: Windows Update cannot currently check for updates, because the service is not running.

A common problem following the replacement of a hard drive (or other low-level storage-related change, such as a storage driver or interface change) is a broken Windows Update.  I’ve been seeing this more and more frequently, in fact, on Windows 7 machines after performing drive recoveries and installing a new drive.

The exact message is:

Windows Update cannot currently check for updates, because the service is not running.  You may need to restart your computer.

While lots of solutions are offered across the internet for this problem, ultimately, it’s actually relatively simple: the storage driver is frequently to blame.  Specifically, the Intel storage driver (generally iaStor.sys), which comes as a part of the Intel Matrix Storage Manager package (renamed to Intel Rapid Storage Technology on later versions of Windows).

It’s been documented in other places as well that this is in fact the root of the problem.

Problem is, there are different versions of the Intel Matrix Storage Manager for each manufacturer — so it isn’t always possible to simply download the latest version directly from Intel and install it.

The HP version of that driver is listed above, and it will indeed work for many systems in question.  For other manufacturers, it’s best to search for the driver manually and download it directly from the PC manufacturer’s web site.  You can use search terms such as:

intel rapid storage technology driver ich10r vista 32-bit

To locate a suitable version for your particular situation.

If this still does not correct your issue, you may need to follow up the driver upgrade with a reset of the Windows Update repository:

  1. Open an elevated Command Prompt (Run as Administrator).
  2. Type the following commands (pressing ENTER after each one):
    1. net stop wuauserv
    2. net stop bits
  3. Open a Windows Explorer window and navigate to %WINDIR% (e.g., normally C:\Windows).
  4. Rename SoftwareDistribution to SoftwareDistribution.old.
  5. Return to the elevated Command Prompt and type these commands:
    1. net start wuauserv
    2. net start bits

This procedure has corrected the problem on all of the PCs where I’ve encountered it thus far.

SOLUTION: Malware extensions continually reload within Chrome even after reinstallation

Greetings again random internet-surfing technology enthusiasts,

Today, I’d like to tackle a puzzling issue that many techs encounter with regard to disinfecting Chrome and problematic extensions that manifest within it.  Of course, anyone with any technical expertise is aware of the fact that browser extensions are currently one of the hottest attack vectors for unsuspecting users’ machines, but removing and keeping such extensions from reloading is another matter entirely.  Some examples of these include:

  • AdBlocker (not the legitimate and excellent AdBlock)
  • Vosteran Search
  • WebProtector
  • and many, many others

Most techs use some degree of automatic scanning and removal tools, and that’s fine, provided they don’t rely on them exclusively (as it doesn’t work… something I’ve covered countless times in the past).  However, even those who dabble in manual or assisted-manual disinfection procedures have probably found that Chrome is one of the most problematic items to permanently clean on a user’s PC.  This is ironic because Chrome also happens to be the browser I recommend to my clients for safety and speed currently (and it has been for quite some time).  Does that mean that we should move on to a different browser choice instead?

Fortunately, nope.  There is indeed a pretty universal solution to this problem, and today I’ll reveal it to you.  For purposes of illustration, we’ll choose the third example extension I listed above for today’s explanation (WebProtector).

Each Chrome extension is affiliated with a unique identifier to help users locate and install the extension from the Chrome Web Store.  WebProtector’s, for instance, happens to be kfecnpmgnlnbmipaogfhoacoioifjgko.  The Web Store does indeed host this extension in spite of its fraudulence; and Google, for all their great work in producing a relatively safe browser in Chrome, have done a pretty terrible job of keeping the store cleaned of such filth.  The problem with WebProtector (and many of these other extensions) is that even after they’re cleaned from the computer and all other malware is removed, the users may find that they reload themselves regardless later on with little or no warning.  You might think that completely uninstalling Chrome, removing all directories on the system relating to Chrome, and cleaning/resetting the user’s Chrome Data profile (as I described in another post recently) should logically solve the problem.  But it doesn’t.  The extension yet again reloads itself upon future reinstallations.

The answer to the puzzle is Policies in the Windows registry.  Chrome stores its policies in the following two keys:

  • HKCU\Software\Policies\Google
  • HKLM\Software\Policies\Google

Under these keys you will find a subkey called Extensions; it is from this key that Chrome is instructed to load the infected extensions upon each reinstallation and subsequently thereafter at regular intervals.  Simply deleting these keys (provided the user is not reliant on any policies in Chrome for administrative purposes) will prevent the behavior.  At an elevated command prompt, try typing these commands:

REG DELETE "HKCU\Software\Policies\Google" /f
REG DELETE "HKLM\Software\Policies\Google" /f

Specifically, the autoinstall keys that are likely being used are:



However I like to remove the entire Policies key on most machines as other suspect keys are also often used, such as whitelisting of bad extensions and even blacklisting of good ones.

It also goes without saying that the extension itself must first be removed for this to work.  That includes killing the keys relating to it in the following locations:

  • HKLM\SOFTWARE\Google\Chrome\Extensions\
  • HKCU\SOFTWARE\Google\Chrome\Extensions\

As well as the associated files within the user’s Chrome User Data directory.  If you’re really just looking to clean sweep the entire program, you can follow my previous instructions to backup the user’s Bookmarks and other personal items and then simply wipe out all related keys and files after uninstalling Chrome.  This will finally solve the problem!
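Before deleting anything, it helps to see what is actually stored in the four registry locations named above and to keep a copy of the policy keys. The following PowerShell is an added example, not part of the original post; the function name Get-ChromeRegistryEntry and the backup file names are made up here, and it only reads the registry and writes .reg backups to %TEMP%.

```powershell
# Added example: read-only audit of the registry locations named above, then a
# backup of the policy keys so the REG DELETE commands can be undone.
$roots = @(
    'HKCU:\Software\Policies\Google'
    'HKLM:\Software\Policies\Google'
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
    'HKLM:\SOFTWARE\Google\Chrome\Extensions'
)
# Chrome extension IDs are 32 characters drawn from the letters a-p.
$idPattern = '(?<![a-z])[a-p]{32}(?![a-z])'

function Get-ChromeRegistryEntry {
    param([string[]]$Path)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The root key itself plus every subkey beneath it
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $names = @($key.GetValueNames())
            if ($names.Count -eq 0) { $names = @($null) }   # still report empty keys
            foreach ($name in $names) {
                $data = ''
                if ($null -ne $name) {
                    # Multi-string and binary values are flattened to one line
                    $data = @($key.GetValue($name) | ForEach-Object { "$_" }) -join '; '
                }
                # Look for extension IDs in the key path and in the value data
                $ids = @([regex]::Matches("$($key.Name) $data", $idPattern) |
                         ForEach-Object { $_.Value } | Select-Object -Unique) -join ','
                [pscustomobject]@{
                    Key         = $key.Name
                    Value       = if ($null -eq $name) { '(no values)' } else { $name }
                    Data        = $data
                    ExtensionId = $ids
                }
            }
        }
    }
}

# 1. Show everything found, entries that reference an extension ID first.
Get-ChromeRegistryEntry -Path $roots |
    Sort-Object @{ Expression = { $_.ExtensionId -eq '' } }, Key |
    Format-List

# 2. Export the policy keys before running the REG DELETE commands.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($hive in 'HKCU', 'HKLM') {
    if (Test-Path -LiteralPath "${hive}:\Software\Policies\Google") {
        $file = Join-Path $env:TEMP "ChromePolicies-$hive-$stamp.reg"
        reg.exe export "$hive\Software\Policies\Google" $file /y | Out-Null
        Write-Host "Backed up $hive policy key to $file"
    }
}
```

HKCU is the hive of whichever account runs the script, so if the elevated prompt was opened with a different administrator account, run the audit once more in the affected user's own session to see that user's HKCU entries.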

SOLUTION: CPU Throttling on Dell Latitude Ultrabooks (E7440, E7240) after power exceptions

Recently I have seen multiple instances (fairly rarely, but nevertheless) of the newer Dell Latitude Ultrabooks (circa 2013/2014 models, E7440 and E7240 specifically) throttling CPU frequencies under exceptional power conditions (such as possibly a misbehaving AC adapter or extremely low battery condition while under load).  I haven’t confirmed the exact circumstances which lead to this behavior, but I do know of a solution.

I first noticed this when a client recently reported sluggish operation of his brand-new E7440 Ultrabook… which, of course, made little sense considering the blazingly-fast parts (SSD included) that we purchased for him.  I checked the software briefly and saw no issues which would suggest configuration problems.  However, upon opening Task Manager, under the Performance tab, the CPU frequencies were reportedly below 400 MHz permanently–which, of course, is incredibly low considering the max Turbo Boost frequency of the i5 Haswell CPU he had of 2.8 GHz.  Fortunately, I had seen this problem once before.

My theory is that it is likely related to power disruption conditions, as I have only thus far seen it happen in circumstances where an AC adapter was not providing proper voltage or where the machine was in a very low battery state while sustaining heavy CPU loads for some reason (Windows Updates, etc.).  The machine responds by throttling CPU clock rates to protect itself from possible damage, but the problem is that it never reverts from this throttled state until it is powered off and the battery is removed.

UPDATE: A new and even better solution has been found (see comments below), as some of these machines continue to suffer from the same problem even after the BIOS update has been applied. The new solution is to remove a screw underneath the keyboard, just under the “C” key (or close to it). Believe it or not, as bizarre as it sounds, this always works. I’ve tried it on dozens of systems at this point with success each time. Disassembly is relatively simple; check out Dell’s Service Manual for more info on this if you need it.

Fortunately, the solution is easy, if not a bit difficult to discover.  All that is required is a BIOS update to the latest firmware available from Dell (search for your particular model).  In my most recent client’s case, an upgrade from A05 to A15 immediately corrected the problem.  It remains to be seen whether it recurs, but I do not expect it to given the last instance I saw, where we did just the same thing and the problem was permanently corrected.

Poweliks: Widespread malware without a filesystem object

Preliminary note:  This process will normally remove Poweliks from a system.  However, Poweliks is merely a tiny fraction of what is usually also alongside it on an infected system; after all, it is a downloader.  So if you’re trying DIY disinfection, just be advised that there is a very good chance that your system is still infected even after this process by multiple other malware families.  I would advise hiring a professional in your local area to assist with the job instead of risking your personal information and data!

I’ve long been preaching that scanners just don’t do the trick as a universal, one-size-fits-all solution to malware, and that’s precisely because they can’t possibly catch everything.  The latest zero-day threats will always find a way to evade even the best antimalware tools in some capacity, and because of that, a complete reliance on scanners for either proactive blocking of threats or removal of existing embedded threats is misguided and will always run into trouble.

This latest threat, which has now been circulating for a few months, is a perfect example of this.  It’s called Poweliks, and it’s unique for one very specific reason: it infects the system without the use of a filesystem component at all.  Now, it’s not like this is the first threat to accomplish such things; before it, we had such interesting specimens as the TDL4 rootkit, which created a hidden, encrypted partition at the end of the drive containing the rootkit’s code, which was loaded at each boot before the Windows partition.  Eventually, however, this rootkit was identifiable (at least, somewhat) via the presence of a conspicuous (and suspicious) 10 MB or so empty space (RAW) at the end of a drive.  And it was easy to kill: simply delete that partition from offline and set the proper Windows partition as active.

Poweliks uses a totally different approach: it embeds itself in the system’s registry in an encrypted key that actually contains the body of the malware as opposed to mere settings and program data (as is intended for the Windows registry to contain).  The identity of the key has changed across variants, but the most recent one I’ve seen is:


What about symptoms?  Well, they’re not all that clear-cut.  The machine will certainly be slower than normal.  Apart from that, it may simply be generally infected, as that’s what Poweliks is all about: downloading other infections.  The problem is that you cannot search for a particular process in memory or even a file on the hard drive, as no file exists and the process is always a completely legitimate one.

However, at least as of currently, it is not random.  The most recent process which has been associated with Poweliks infections is dllhost.exe.  It’s a totally normal process, so seeing it running by no means indicates infection.  However, seeing it running persistently and for long periods of time is a bit more suspicious if you’re having other symptoms.  And if you close dllhost.exe using Task Manager and it repeatedly reappears in multiple instances, it’s a really suspicious scenario.  You’ll also likely see tons of other random (normally legitimate) processes running which should not need to be running.  These can’t be specified here as they are random.

For further diagnosis, however, you can download Process Explorer to inspect the genealogy of the processes that are currently running.  It’s a dead giveaway: if dllhost.exe is launching dozens of other processes, you know it’s Poweliks.
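The same parent/child check can be done from PowerShell when Process Explorer is not at hand. This is an added example, not part of the original post; the function name Get-DllhostChild and its MinChildren parameter are made up here, and it assumes PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example: list every dllhost.exe instance together with the processes
# it has launched, so an instance with an unusually large number of children
# stands out. Read-only; nothing is suspended or killed.
function Get-DllhostChild {
    param([int]$MinChildren = 1)   # hypothetical parameter: hide parents with fewer children

    $all = @(Get-CimInstance -ClassName Win32_Process)

    foreach ($parent in $all | Where-Object { $_.Name -ieq 'dllhost.exe' }) {
        # A child must name this PID as its parent AND have started after it;
        # the date check guards against a recycled PID pointing at the wrong parent.
        $children = @($all | Where-Object {
            $_.ParentProcessId -eq $parent.ProcessId -and
            $_.ProcessId -ne $parent.ProcessId -and
            $_.CreationDate -ge $parent.CreationDate
        })
        if ($children.Count -lt $MinChildren) { continue }

        [pscustomobject]@{
            ParentPid     = $parent.ProcessId
            ParentStarted = $parent.CreationDate
            CommandLine   = $parent.CommandLine
            ChildCount    = $children.Count
            # Summarize children by image name, e.g. "foo.exe x12"
            Children      = ($children | Group-Object Name |
                             Sort-Object Count -Descending |
                             ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
        }
    }
}

# Worst offenders first; an empty result means no dllhost.exe has child processes.
Get-DllhostChild | Sort-Object ChildCount -Descending | Format-List
```

Run it from an elevated PowerShell window so that the command lines of processes owned by other accounts are readable.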


This isn’t so bad at all if you know how to tackle it!

The easiest way to handle it is to prepare with a tool that can handle removal first.  In this case, I recommend RogueKiller.

NOTE:  This tool isn’t to be used lightly, especially by those who aren’t thoroughly familiar with computer repair.  By design, it is heavy on false positives, so take care when agreeing to remove what it flags as suspicious.

Try the following approach:

  1. Open RogueKiller; allow the prescan to finish.  Run a scan.
  2. Once the scan completes, look for its detection of Poweliks on the Registry tab.  Be sure it is selected for removal.
  3. Open Process Explorer.  Pause all dllhost.exe processes.  Kill all processes below any dllhost.exe process once the processes have been paused.
  4. Click Delete on the RogueKiller window and immediately reboot the system.

With any luck, upon reboot, the malware will be gone.  By pausing the process with Process Explorer, you essentially negate the malware’s ability to detect its neutralization via watchdog processes that relaunch the dllhost parent process after it’s killed.  That enables disinfection to take place before the malware is relaunched and the registry key is reinfected.

Of course, to repeat myself, keep in mind that Poweliks is merely a tiny fraction of what is usually also alongside it on an infected system; after all, it is a downloader.  So if you’re trying DIY disinfection, just be advised that there is a very good chance that your system is still infected even after this process by multiple other malware families.  I would advise hiring a professional in your local area to assist with the job instead of risking your personal information and data!

SOLUTION: Microsoft Outlook 2013 hangs at “Loading Profile…” after Office Update

Now here’s an interesting conundrum.  A recent update to Microsoft Office 2013 that’s being pushed out automatically to clients results in some of them being unable to open Outlook 2013.  Instead of running normally, the program will hang at the “Loading Profile” stage of launch, as though the profile is corrupt (if you haven’t already checked this, it could actually be the case instead of course).  A workaround is to open Outlook using the well-known /safe command line switch; but this is merely a workaround (which in turn disables all add-ons), not a permanent solution.

For a much more reasonable resolution, try this instead:

  1. Run regedit (Start > Run > type regedit and press ENTER)
    1. On Windows 8, Win + R; type regedit and press ENTER
  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common
  3. Right-click, select New > Key and name it Graphics
  4. Select the Graphics key you just created, right-click in the right panel and choose New > DWORD (32-bit) Value and name it DisableHardwareAcceleration.
  5. Double-click the new value and assign it a value of 1.
  6. Close regedit and try opening Outlook again.

This should fix the problem.  I first stumbled upon the solution when I realized that opening my TeamViewer Remote Support program while Outlook was loading kicked it into launching, which suggested either a network- or graphics-related cause (as TV affects both of those when launching).  The original solution listed here came from the Microsoft Office 2013 Issues Blog, though the symptoms listed are different from these.

Hope this helps! 🙂

SOLUTION: Dell Laptops Hang on Reboot/Shutdown after Windows 8.1 update

I’ve recently encountered a pretty new issue involving some Dell laptops where the system will simply hang at a black screen, completely blank, when a shutdown or restart is initiated.  This behavior occurs following the installation of the free Windows 8.1 update.  There is no evidence present in the Event Log or anywhere else to indicate what might be to blame, and nothing on the internet that I could find references the issue.

In my case, I encountered the problem while setting up around 10 Dell Latitude E7240 (Latitude 12 7000 Series) notebook computers for my clients.  The solution, as it turns out, is pretty simple.

As usual, it’s a driver which is to blame for the problem.  I first stumbled across the solution while troubleshooting when I decided to disable the wireless adapters (Wi-Fi and Bluetooth) using the hardware wireless switch on the side of the computer before shutting down.  You’ll notice that while Airplane Mode is on, the system reboots/shuts down just fine.

It’s because of the Dell Wireless 1601 WiFi/BT driver that’s preinstalled; for whatever reason, the Bluetooth portion of it is incompatible with Windows 8.1.  Explicitly disabling Bluetooth also fixes the problem, confirming that this is the source of the issue.

To correct it once and for all, here’s what you need to do:

  1. Download this driver from Dell.
  2. Choose to Extract Without Installing and specify a location of your choice.
  3. Wait a few seconds for the confirmation dialog to appear, then click View Folder.
  4. Double-click the Install_CD subfolder to open it.
  5. Run setup.exe and follow the instructions.
  6. Reboot the computer.

The problem is solved!

I presume this most likely affects all Dell computers running the A01 version of the driver.  I hope this solution has helped you!

SOLUTION: Windows Vista In-Place Upgrade fails when PowerShell is installed

This one’s quick and easy.  On multiple occasions, I’ve encountered problems with Windows Vista performing an in-place upgrade (in situations where conventional repairs are not sufficient and such measures are necessary) if the client’s machine has Windows PowerShell installed.  PowerShell is listed as incompatible with the upgrade procedure by the Setup process.  Usually, it’s as easy as removing it via Control Panel > Programs and Features > Turn Windows features on or off, but on more than one occasion, when a workstation is really screwed up, this process fails.

In those cases there are two other options you can try.  The first is to head to Programs and Features, choose View installed updates, and remove Windows Management Framework Core, which is the update associated with PowerShell.  If this STILL doesn’t fix it, however, there’s one surefire way to do so:

  • Simply rename the directory %SYSTEMROOT%\System32\WindowsPowerShell (where %SYSTEMROOT% is the system environment variable for the Windows directory).

This easy workaround will allow the upgrade to proceed, which will usually fix most serious problems with a Vista installation and pave the way for updates and other corrections before wrapping up the work.  It’s just another way I’ve been able to avoid a reinstallation of Windows under circumstances which would normally seem to suggest it as the only option.