InSpectre - New Steve Gibson utility


Steve Gibson has produced another helpful tool along similar lines to Never10 ..



Easily examine and understand any Windows
system's hardware and software capability to
prevent Meltdown and Spectre attacks.
(This 124k app is compatible with ALL versions of Windows.)


It's a neat and informative tool written in assembler so it's small (same as all tools from Steve Gibson), only a week in development, but already looks like it's just about done at release #5 .. At time of posting - Last Updated: Jan 18, 2018 at 13:14

Reference another topic on Meltdown and Spectre vulnerabilities, this tool will tell you if you are protected against these vulnerabilities or not

A Computerworld Columnist reckons the tool is sending anti-virus software a bit nuts because it is new and unrecognised software ..


Then I ran Steve Gibson’s just-released InSpectre scanner, and I got the overall report shown in this screenshot.

InSpectre scanner offers meaningful results that help users understand whether their PC is vulnerable.

That matches my experience with this machine and, in looking at numerous other reports, I’d say that Gibson has pretty much nailed it.

InSpectre’s a new program (less than 24 hours old at this point), and it’s driving antivirus scanners crazy. I’ve seen at least one notice that Kaspersky Antivirus flags the download as a “Heuristic” Trojan. There are additional warnings from VirusTotal, Panda and Sophos. They’re all false positives. If you download InSpectre from Steve Gibson’s site, it’s clean.

To be sure, it’s a “version 1.0” product and, as Gibson says:


We did not wish to delay this application's release while building additional confidence in its conclusions and output. It has been carefully tested under as many different scenarios as possible. But new is new, and it is new. We may well have missed something. So please use and enjoy InSpectre now. But you may wish to check back in a few days to see whether we may have found and fixed some last bits of debris.

If you’re not particularly interested in taking a graduate level course in Windows translation lookaside buffers and context switches, InSpectre can help. I’ve also just discovered a free Meltdown/Spectre checker from German software vendor Ashampoo. The results from their Spectre Meltdown CPU Checker match that from InSpectre on my machines.

I continue to recommend that you hold off on this month’s patches – that includes Windows patches, .NET patches, firmware patches, and more – but you should disable Equation Editor if you’re in the habit of Enabling Edits on spurious Word documents. See my post from last week, but also note 0patch has just released a fix that specifically plugs the Equation Editor security holes.

There are no known exploits for Meltdown or Spectre in the wild, although some are in development. (It’s feasible that nation states have been using either or both for decades!) For regular Windows users, the most likely infection vector, when it arrives, will be via a web browser, and those are getting patched quickly.

Wait until the dust settles on this month’s patches before you install something that could clobber or cripple your machine.

Share your InSpectre insights on the AskWoody Lounge.


.. "They are all false positives"

For development discussions, refer to Steve Gibson's Newsgroups, News.Feedback

Edit : And there is a Security Now! podcast dedicated to the subject https://twit.tv/shows/security-now/episodes/646?autostart=false

(Scroll down a bit on that security now page too for the link to the show notes which has further helpful links).

Edit 2 : NVidia Graphics drivers latest updates (390.65 +) have been adapted to also help prevent these vulnerabilities.

Link to comment
Share on other sites

Unfortunately no good news on my current version of windows 10 x64 ..



(I did run it as administrator, and both buttons remain ghosted because the protections are not in place for me to enable them = I would have thought Win 10 would have had this by now but apparently not for the Creators update anyway)



Spectre & Meltdown Vulnerability
and Performance Status

Vulnerable to Meltdown: YES!
Vulnerable to Spectre: YES!
Performance: GOOD
(full details below)

In early 2018 the PC industry was rocked by the revelation that common processor design features, widely used to increase the performance of modern PCs, could be abused to create critical security vulnerabilities. The industry quickly responded, and is responding, to these Meltdown and Spectre threats by updating operating systems, motherboard BIOSes and CPU firmware.

Protection from these two significant vulnerabilities requires updates to every system's hardware-its BIOS which reloads updated processor firmware-and its operating system-to use the new processor features. To further complicate matters, newer processors contain features to minimize the performance impact of these important security improvements. But older processors, lacking these newer features, will be significantly burdened and system performance will suffer under some workloads.

This InSpectre utility was designed to clarify every system's current situation so that appropriate measures can be taken to update the system's hardware and software for maximum security and performance.

This system's present situation:

This 64-bit version of Windows is not aware of either the Spectre or Meltdown problems. Since Intel processors are vulnerable to both of these attacks, this system will be vulnerable to these attacks until its operating system has been updated to handle and prevent these attacks.

This system's hardware has not been updated with new features required to allow its operating system to protect against the Spectre vulnerabilities and/or to minimize their impact upon the system's performance. (Protection from the Meltdown vulnerability does not require BIOS or processor updates.)

This system's Intel processor provides high-performance protection from the Meltdown vulnerability. A properly updated operating system will be able to provide protection without significant system slowdown.

This system is not currently providing any protection against the Meltdown vulnerability. Either the operating system is unaware of this problem (which can be resolved by any operating system) or the operating system's protection has been deliberately disabled.

Due to the potential performance impact of these vulnerability protections, which may be particularly burdensome on older hardware and operating systems that cannot be updated, either one or both of these protections may be disabled with Windows registry settings. This system's "protection disable" is currently set as follows:

The system's registry is configured to enable both of the Spectre and Meltdown protections. Within the bounds of any limitations described above, Windows will work with the system's processor to prevent the exploitation of these vulnerabilities.

Guidance & Observations

Since this version of Windows is not fully aware of both of these security threats, if possible you should consider updating to a newer version which is fully aware. There are versions of Windows 7, 8.1 and 10 which are fully aware... even at a possible cost in system performance.

When enabled and active, both of these vulnerability protections come at some cost in system performance, and Meltdown attack protection may be quite expensive on older systems or under versions of Windows where Microsoft has not bothered to implement high-speed solutions. If this system's performance is more important than security, either or both of the vulnerability protections can be disabled to obtain greater performance.

When InSpectre is run with elevated administrative privilege, each button below toggles its respective protection on or off. Any changes will take effect after the system is restarted. Each button will be disabled if its protection is not available to be changed.

 For more information see GRC's InSpectre web page 

Copyright © 2018 by Gibson Research Corporation


Link to comment
Share on other sites

Seems the free version of Malwarebytes I was using was preventing me getting an important update, Windows update KB4056892

(See this topic for an explanation of why that can happen)

After uninstalling Malwarebytes, cleaning the registry, and then manually installing the missed windows update, I am now protected from Meltdown vulnerability



This system's present situation:

This 64-bit version of Windows has been updated for full awareness of both the Spectre and the Meltdown vulnerabilities. If the system's hardware (see below) has also been updated, this system will not be vulnerable to these attacks.

This system's hardware has not been updated with new features required to allow its operating system to protect against the Spectre vulnerabilities and/or to minimize their impact upon the system's performance. (Protection from the Meltdown vulnerability does not require BIOS or processor updates.)

This system's Intel processor provides high-performance protection from the Meltdown vulnerability. A properly updated operating system will be able to provide protection without significant system slowdown.

This system's Intel processor provides high-performance protection from the Meltdown vulnerability and this version of Windows is taking full advantage of those features to offer that protection without overly severe performance penalties.

Due to the potential performance impact of these vulnerability protections, which may be particularly burdensome on older hardware and operating systems that cannot be updated, either one or both of these protections may be disabled with Windows registry settings. This system's "protection disable" is currently set as follows:

The system's registry is configured to enable both of the Spectre and Meltdown protections. Within the bounds of any limitations described above, Windows will work with the system's processor to prevent the exploitation of these vulnerabilities.


Now I just need to find how to protect from Spectre apparently

Edit : Ugh! Solution to Spectre includes a device (probably BIOS) update from Intel to MSI, and then an update from MSI to individual machine models = That's going to take a while longer .. https://www.msi.com/faq/notebook-2963

Link to comment
Share on other sites

Just found out about InSpectre a couple days ago. It's a wonderful utility. I don't know if you use a Nvidia GPU or not, but its new 390.65 driver helps protect against the first variant of Spectre. It will probably be quite some time before my old mobo/bios gets any updates but I'm going to hold off on them anyways for a bit because many of them apparently are buggy as hell.

Link to comment
Share on other sites

:) Funny you should mention it .. I have just been updating all four machines in our house with NVidia cards to that version - I didn't know about it helping to protect against these vulnerabilities, I just thought while I am waiting for 4 sets of progress bars and losing sleep I may as well grab the most recent graphics drivers too.

Found out my MSI machine will have bios update either later this month or early next month.

Success with windows updates has been great on 3 machines, but one is proving a little troublesome, maybe a corrupt update file causing the damned thing to go round in circles, might be time to wipe that one and start from scratch.

So many people are either going to be oblivious to these problems and not realise their machines stopped updating, or not even hear about the main concern, or if they hear about both then they may well come across the many update issues I have been reading about whereby the chain of updates can in odd circumstances lead to machines not being able to update at all even if the correct registry settings are in place. What a mess these vulnerabilities have caused.

Link to comment
Share on other sites

This mess with Spectre and Meltdown is ridiculous. Intel is now advising people with Haswell or newer CPUs to not install its current microcode/firmware updates. They apparently have a new patch ready to be released soon. Random reboots and failure to boot are happening with current patches for many people.

Techspot Article

There will apparently be even more of a performance impact with the microcode/firmware updates on top of the OS patch. Google came up with a solution for one of the Spectre variants called Retpoline, with less impact on performance, but Intel seemingly won't adopt it.

Link to comment
Share on other sites

I think it's somewhat telling that they achieved their slightly dominant edge over their competitors by taking such a nasty shortcut. There's mounting evidence to suggest Intel has known about this issue for 10 years or longer and did nothing about it because they wanted to maintain whatever thin edge they had over AMD.

Now that the edge is evaporated into nothing they're reaping the harvest of their bad seeds and everyone is realizing that their chips are nothing special after all and are currently a risky purchase for anyone requiring good security. AMD must be loving this.

Link to comment
Share on other sites

I am not having any detectable performance issues with an I7, but I still have not implemented the microcode fix yet. Even then, I only ever run this machine in its comfort mode running cool and don't have any games which need me to switch it into its sports mode.

There may come a day when I will have need to switch off internet connections, and then use those two toggle buttons in InSpectre to temporarily disable the fixes while I have a game load up and running at its best, then toggle the fixes back on again afterwards before going back online .. But I think that's still a few years away, and maybe I think games studios will now be factoring in avoiding any utilisation of those chips' features which cause this vulnerability, because with the world trying to disable them the games cannot depend on any performance gains from that department anymore.

Link to comment
Share on other sites

Disabling speculative execution isn't anywhere as easy as it sounds. Game companies are not going to be looking for code tricks to do this on any sort of large scale. They'll just eat the hit because it's easier and more cost effective for them to just ignore it and let the OS+CPU people handle it.

Regarding some AMD chips supposedly not being able to boot at all, I've read countless similar articles of the same thing happening to a lot more of Intel's offerings as well so that's not really a fair counterpoint to make since Intel is suffering more in that department. After all, Intel isn't reissuing their microcode patch for their sanity alone, they're reissuing it because they bricked a bunch of PCs in the process.

Link to comment
Share on other sites

Windows Update isn't showing the patches for me.  I don't know what's wrong.  Last major OS update for me was in December.  I've read that some AV can cause this, but 1, I don't run anything but Defender and 2, I have the registry key that blocks updates when missing.  Anyone have any ideas why WU isn't showing me the updates?  It always says my system is up to date.

Link to comment
Share on other sites

1 hour ago, Malonn said:

Windows Update isn't showing the patches for me.  I don't know what's wrong.  Last major OS update for me was in December.  I've read that some AV can cause this, but 1, I don't run anything but Defender and 2, I have the registry key that blocks updates when missing.  Anyone have any ideas why WU isn't showing me the updates?  It always says my system is up to date.

From my experience with one machine (Win 10 x64) .. I had the Fall Creators update installed, but because I had Malwarebytes installed, the next necessary windows update was skipped, BUT, further updates beyond KB4056892 did install.

Once I had uninstalled Malwarebytes, and ensured Defender had planted its registry key, I tried KB4056892 again, and it would not install.

Next step, I went into Win 10 settings, Updates, Update history and then uninstalled all updates since the Fall Creators update (Win 10 v1709) ..

And then tried the manual download installer of KB4056892

It then installed successfully

I believe if you have that update prevented due to anything, and further windows updates install, they prevent an older major update from installing.

Go to the following page for Win 10 https://support.microsoft.com/en-gb/help/4056892/windows-10-update-kb4056892

Scroll down to How to get this update, then go to the Microsoft Update Catalogue

Then find the right file for your machine, for me it was "Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4056892)"

Roll back to Fall Creators update, install KB4056892, then just let windows update itself again a few more times with more recent smaller patches to the OS.

If you have to also roll back the Fall Creators update as well as all other updates, then use the Windows 10 Update Assistant https://www.microsoft.com/en-us/software-download/windows10 first to get the Fall Creators update installed before applying the KB4056892 installer.

(That last step was necessary on my awkward machine I think because of a corrupted installation)

Your Mileage May Vary, but basically you need Defender with the registry key set, no other anti malware preventing the update KB4056892, roll back all updates to Fall Creators Update Win 10 v1709 (in my case I had to also roll that back and reinstall it with the update assistant), then install KB4056892 manually, then let Windows roll onwards with any leftover updates ..

.. Fingers crossed for you :). My other machines were not so awkward and it was pretty straight forward, get rid of Malwarebytes, check registry key and Windows Defender with a quick scan, install KB4056892, all done.

TIP : For running Defender easier, go into ..

C:\Program Files\Windows Defender\ <- In here find a file called MSASCui.exe

Right click MSASCui.exe, Send to .. Desktop, rename the new desktop icon Windows Defender, double click it .. Anyone who remembers Microsoft Security Essentials before it was rebadged as Windows Defender to take over from the old Defender will now be in familiar territory :)


Link to comment
Share on other sites
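
The checks walked through in the post above (Defender's compatibility registry key, whether KB4056892 went on) and the "protection disable" registry settings quoted from the InSpectre report earlier can be read in one pass. This is an added example, not part of the thread or of InSpectre; the registry paths and value names are Microsoft's documented ones rather than anything quoted on this page, and the function names are made up for illustration.

```powershell
# Added example (not from the thread): read-only audit of the January 2018
# update prerequisites. Nothing on the machine is modified.

# Marker an antivirus product sets (REG_DWORD 0) to declare itself compatible;
# Windows Update withholds the January 2018 patches while it is missing.
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$CompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

# Where the "protection disable" override values live.
$MemMgmtKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# The two cumulative updates named in this thread (Windows 10 version 1709).
$PatchIds    = 'KB4056892', 'KB4058258'

function Test-AvCompatKey {
    $p = Get-ItemProperty -Path $CompatKey -Name $CompatValue -ErrorAction SilentlyContinue
    ($null -ne $p) -and ($p.$CompatValue -eq 0)
}

function ConvertTo-MitigationState {
    # Decodes FeatureSettingsOverride / FeatureSettingsOverrideMask.
    # Bit 0 governs the Spectre (branch target injection) mitigation,
    # bit 1 the Meltdown mitigation; a set bit means "disable".
    param($Override, $Mask)
    if ($null -eq $Override -or $null -eq $Mask) {
        return [pscustomobject]@{ Spectre = 'OS default'; Meltdown = 'OS default' }
    }
    $effective = [int]$Override -band [int]$Mask
    [pscustomobject]@{
        Spectre  = if ($effective -band 1) { 'disabled by registry' } else { 'enabled by registry' }
        Meltdown = if ($effective -band 2) { 'disabled by registry' } else { 'enabled by registry' }
    }
}

function Get-PatchAudit {
    $mm  = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    # An empty result is not proof of an unpatched system: a later cumulative
    # update supersedes these two and is listed under its own KB number.
    $fix = Get-HotFix -Id $PatchIds -ErrorAction SilentlyContinue
    # Products registered with Windows Security Center (client editions only).
    $av  = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
               -ErrorAction SilentlyContinue
    $state = ConvertTo-MitigationState -Override $mm.FeatureSettingsOverride `
                                       -Mask $mm.FeatureSettingsOverrideMask
    [pscustomobject]@{
        AvCompatKeySet   = (Test-AvCompatKey)
        RegisteredAv     = @($av.displayName) -join ', '
        InstalledPatches = @($fix.HotFixID) -join ', '
        SpectreSetting   = $state.Spectre
        MeltdownSetting  = $state.Meltdown
    }
}

# Constructed sample values showing how the override pair decodes:
ConvertTo-MitigationState -Override 0 -Mask 3   # both protections enabled
ConvertTo-MitigationState -Override 3 -Mask 3   # both protections disabled
ConvertTo-MitigationState -Override 1 -Mask 3   # Spectre off, Meltdown on

# Live read-out for this machine:
Get-PatchAudit | Format-List
```

A registry setting of "enabled" only means Windows is allowed to use the protection; as the InSpectre report says, Spectre protection still depends on updated processor microcode being present.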

Thanks for the help, but I just downloaded and installed the update manually.  Worked fine.  Now just need Intel to get their microcode patch straight for my processor...

I always believe your first line of defense to preventing malware, etc. is safe practices.  Like abstinence is the best way to avoid an STD, watching what you do online and in emails is #1.

Link to comment
Share on other sites

Version #6 is now released


  • Release #6 — Worked around a Microsoft bug and more . . .
    Users of an earlier version of Windows 10 (version 1703 ‑ the non-Fall Creator's Update) reported that InSpectre did not believe that their system had been patched for the Spectre vulnerability. Upon analysis, a bug was discovered in that version of Windows which affected the way 32-bit applications, such as InSpectre, viewed the system. This was apparently fixed in the later “Fall Creator's Update” (version 1709) but not in the earlier version. A 64-bit “probe” was added to the 6th release of InSpectre to work around this bug in version 1703 so that InSpectre would accurately reflect any system's true protection.

    And, while we were at it, the language presented in the summary was changed from “vulnerable” to “protected” so that “YES” was the good answer and “NO!” was the bad answer. :)


Link to comment
Share on other sites

I'm just glad I am not a manufacturer of computers, have a look at the following couple of long lists of models which MSI have been working on ..


.. But they will have to do all of those again, and then work on the rest afterwards. That will be the same for everyone, the amount of time and effort being spent on this is tremendous. And now they all need doing again. Intel needs to get this right, lot of pressure, but hell what a time to make another mistake.


I heard mention somewhere that Linux machines can implement the microcode fix for Spectre very easily, it's just a case of dropping the microcode file in a special location in the OS (something \ etc \) .. And Windows (if Microsoft would do it) could be capable of doing this too. When the machine boots up, the file is loaded for use automatically by the BIOS. So no BIOS update necessary, it's as simple as copy / paste.


And one more snippet of info heard - Only Windows 10 will get Meltdown OS fixes which do not affect performance so much as older Windows will be affected, so that's probably why my machine does not seem to be affected in any way that I can detect, apart from it being a relatively new machine, it's received a better fix than will be given to say a machine with Windows 7.


Google Chrome v64 onwards ( And Chromium obviously ) has a new Flag which apparently helps with Meltdown exploits designed to use JavaScript via your Browser through hijacked 3rd party IFrames ( remember how Nexus used to unwittingly deliver Malware via some of its adverts and for the longest time Site admin did not know how widespread a problem it was ?, same mechanisms for delivery can now be blocked by this new flag in Chrome )

Type the flags url in the address bar, search for Isol, personally I'm going to try out Strict Site Isolation ..


Link to comment
Share on other sites

MS has rolled out KB 4058258, 2018-01 Cumulative Update for Windows 10 Version 1709 (loading it up now). I seem to have gotten all updates through out this debacle, without issue, on all my computers, core i7 1st, 3rd and 4th gen as well as core2quad, despite having MalwareBytes free on all of them.

Link to comment
Share on other sites

Lucky you .. I wonder why it did not like v3 Malwarebytes free, I have on all machines in the lifetime of the newest version of Malwarebytes allowed the full resident trial period to have a good look at the system, which afterwards I just let it expire without purchasing the full product (I think it was 14 days). Maybe having had it resident once something was set that Windows and these updates did not like .. Whatever it was anyway uninstalling Malwarebytes in my case on all 4 machines allowed the updates to proceed again.

Having also trawled through the MBAM forums, I am not an isolated case, there have been quite a few others affected the same way.

Link to comment
Share on other sites

  • 2 weeks later...

Spectre Microcode BIOS updates for MSI laptops are now on hold after the reboot problems Intel introduced in the first fix were found



2018/1/25 Update:

MSI has been working on the new BIOS released with an updated Microcode for our customers by following Intel's suggestion. However, a recent update from Intel advised us to stop the update and restored the previous microcode version as the updated version may introduce reboot issues and other unpredictable system behavior. 

For models which already have the BIOS released will be rolled back to the previous stable version.

Other models which planned to have an updated BIOS release is paused at the moment. 

MSI continues working closely with Intel and will keep our customer updated once a stable update is ready. 


That's a few weeks old now, but there have been no more notifications since. I expect this will be the same for most manufacturers trying to churn out a microcode fix for all supported machines .. Only to find they now have to suck back and redo all of them again from scratch.




Intel has released Spectre microcode update for Skylake (only)

Intel's first microcode update attempted to add instruction set features to give operating
systems control over branch prediction for Broadwell, Haswell, Skylake, Kaby Lake, and Coffee
Lake processors. But after the initial reports of "more frequent reboots" on Broadwell and
Haswell systems, it was later determined that Skylake, Kaby Lake, and Coffee Lake systems
were rebooting, too.
The newest microcode update only applies to Skylake mobile and mainstream desktop chips, so
if it passes testing -- which will doubtless be more rigorous this round -- owners of systems
containing laptop and desktop Skylake chips may see firmware updates being made available
before long. But the updates for other chips appears to be in the future.

Comments indicate that Windows also contains at-boot firmware patching capability.

Windows has the ability to warm patch microcode on boot using the
mcupdate_GenuineIntel.dll and mcupdate_AuthenticAMD.dll drivers (located at
C:\Windows\System32) on boot, for Intel and AMD cpu's respectively.
If those drivers - which are more accurately simple blocks of microcode and cpu
identifying information - contain newer microcode for the current cpu during boot, then
Windows loads the microcode from these drivers instead, overwriting the microcode that
is included with the firmware. This happens before any actual Windows initialisation, so
there are no "partial exposure" issues whereby early processes have access to old
microcode and later ones don't; all processes for the operating system past the bootstrap
launch after the microcode is replaced.
These changes are of course lost on reboot, so the "system" remains on an older
microcode version, but when running Windows the newer microcode is the only one in

Win10 does, indeed, have both files and this appears to be 100% credible.

Link to comment
Share on other sites

  • 4 weeks later...

Quote from GRC Newsgroups : https://www.grc.com/x/news.exe?cmd=article&group=grc.sqrl&item=18254&utag=



As I discussed on the podcast yesterday, Microsoft will be 
taking some responsibility for patching Intel (and eventually 
perhaps AMD?) processor microcode on-the-fly when Windows boots.

That's TERRIFIC news!  But it's going to create confusion...

As Microsoft's current page shows, they will be incrementally 
releasing microcode by specific processor, keyed to the CPUID. 
Since this will create a HUGE DEMAND for people to know what 
their own CPUID is, and since it's not obvious, I have updated 
GRC's InSpectre app to release #7 to include a report of this:


The internal text is also updated to aim people whose processors 
are not yet updated, to the Microsoft knowledgebase page by 
searching the Internet for the string "KB4090007":

> https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates

I have not yet updated the InSpectre homepage to discuss this, 
nor have I made release #7 public. I wanted to give everyone 
here the opportunity to check it out first. If anything appears 
to be wrong with it... I'm all ears!  Thanks everyone!!

		<< follow-ups to grc.news.feedback >>


InSpectre now at v7 and the release is uploaded



Link to comment
Share on other sites
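
The two microcode points from the last two posts, Windows loading newer microcode at boot from the `mcupdate_*.dll` files and Microsoft keying its microcode releases to the CPUID, can both be checked from PowerShell. This is an added example, not code from the thread, GRC or Microsoft: the function names are invented, the sample `ProcessorId` string is constructed, and the byte layout assumed for the `Update Revision` registry values is the one used on Intel systems.

```powershell
# Added example (not from the thread): read-only look at the CPUID signature
# and at the microcode Windows is running versus what the firmware supplied.

function ConvertTo-CpuSignature {
    # Win32_Processor.ProcessorId is 16 hex digits: CPUID leaf 1 EDX followed
    # by EAX. EAX (the last 8 digits) is the signature that microcode lists
    # such as KB4090007 are keyed to.
    param([Parameter(Mandatory)][string]$ProcessorId)
    if ($ProcessorId -notmatch '^[0-9A-Fa-f]{16}$') {
        throw "Unexpected ProcessorId format: $ProcessorId"
    }
    $eax    = [int64][Convert]::ToUInt32($ProcessorId.Substring(8), 16)
    $family = ($eax -shr 8) -band 0xF
    $model  = ($eax -shr 4) -band 0xF
    # Extended model/family fields apply only to family 6 and family 15 parts.
    if ($family -eq 6 -or $family -eq 15) { $model += (($eax -shr 16) -band 0xF) -shl 4 }
    if ($family -eq 15) { $family += ($eax -shr 20) -band 0xFF }
    [pscustomobject]@{
        CPUID    = '{0:X}' -f $eax
        Family   = $family
        Model    = $model
        Stepping = $eax -band 0xF
    }
}

function Get-MicrocodeRevision {
    # 'Previous Update Revision' is what the firmware loaded; 'Update Revision'
    # is what is running now. Assumed layout: 8 bytes, revision in bytes 4..7.
    param([Parameter(Mandatory)][string]$ValueName)
    $cpu0 = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $raw  = (Get-ItemProperty -Path $cpu0 -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($raw -is [byte[]] -and $raw.Length -ge 8) {
        '0x{0:X}' -f [BitConverter]::ToUInt32($raw, 4)
    }
}

function Get-MicrocodeReport {
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $sig  = ConvertTo-CpuSignature -ProcessorId $cpu.ProcessorId
    $name = if ($cpu.Manufacturer -eq 'AuthenticAMD') { 'mcupdate_AuthenticAMD.dll' }
            else { 'mcupdate_GenuineIntel.dll' }
    $dll  = Get-Item (Join-Path $env:SystemRoot "System32\$name") -ErrorAction SilentlyContinue
    $fw   = Get-MicrocodeRevision -ValueName 'Previous Update Revision'
    $run  = Get-MicrocodeRevision -ValueName 'Update Revision'
    [pscustomobject]@{
        Processor        = $cpu.Name
        CPUID            = $sig.CPUID
        FamilyModelStep  = '{0}/{1}/{2}' -f $sig.Family, $sig.Model, $sig.Stepping
        McupdateFile     = $name
        McupdateVersion  = $dll.VersionInfo.FileVersion
        McupdateModified = $dll.LastWriteTime
        FirmwareRevision = $fw
        RunningRevision  = $run
        # True when the running revision differs from the firmware's, i.e. the
        # operating system replaced the microcode during boot.
        PatchedAtBoot    = ($null -ne $fw) -and ($null -ne $run) -and ($fw -ne $run)
    }
}

# Constructed sample ProcessorId: decodes to CPUID 506E3, family 6, model 94, stepping 3.
ConvertTo-CpuSignature -ProcessorId 'BFEBFBFF000506E3'

# Live read-out for this machine:
Get-MicrocodeReport | Format-List
```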

A bit off topic but a heads up ..

AMD chipset users who escaped the Meltdown vulnerabilities (but some still need a bit of attention for the Spectre vulnerabilities apparently) have a new thing to be concerned with.

If you have Ryzen or EPYC then there are some serious flaws (4 types including back doors implanted by a contracted company outside of AMD) which have been revealed (well not just revealed, the security firm made a dedicated website for it, and only gave AMD 1 day's notice)

AMD Flaws

If you want to know why so little notice was given have a read here http://www.tomshardware.com/news/cts-labs-amd-ryzenfall-ryzen-epyc,36660.html


Edit : Seems to be a bit of doubt about the validity of this, but :

Go to about 20 mins in on the Security Now podcast




Let's see what AMD have to say about this in due course


Found someone with a sceptical opinion, suspecting stock manipulation https://www.theinquirer.net/inquirer/news/3028437/amd-ryzen-epyc-cpus-critical-flaws-linus-torvalds-fake


But note that report ends with the following :




All that being said, CTS-Labs did get Dan Guido, founder of security firm Trail of Bits, to independently review its findings.

Guido noted that each flaw does exist and works in the way CTS-Labs claims it does: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works."
The security researcher highlighted that while all the flaws do indeed need admin access, they pose a threat by allowing hackers to spread malware from machine to machine or carry out espionage with the use of undetectable malware installed directly on a chip's firmware.
Link to comment
Share on other sites

There's a great deal of skepticism and suspicion surrounding this whole report from the way it was disclosed to the fact that the company hired a PR firm and set up a dedicated website with a less than neutral domain name and everything. Plus they appear to have a financial interest in the outcome of the damage it might do to AMD's stock. CTS is apparently involved with short-sellers on the stock market and plenty of other security techs have taken a look at their "data" and are concluding it's nowhere near as bad as this company says, especially since it requires a full root compromise to have occurred first. You're already screwed anyway if that's the case.

There's even been some talk that the way they revealed this to the world was in violation of Israeli law.

As for that Inquirer link, Linus Torvalds would be in a pretty solid position to know if this sort of thing is for real or not.

Link to comment
Share on other sites

O_o the Microsoft fix list for Spectre has grown quicker than expected https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates

When I posted that link 6 days ago they only had two processors covered with that Microsoft boot fix, so it is as they say expanding with more coverage the more Intel adds Spectre Microcode fixes to it.

Shouldn't be too long before they have the majority of them done and we can all use that update. Though I think if my machine vendor comes out with the BIOS update I will probably still use that.

Link to comment
Share on other sites
