Recent Windows updates cause hang when starting SoftClient

Windows security updates  KB4056890 through KB4056899 may cause 64-bit Windows systems to hang when starting SoftClient release 16.1 and older.

Resolution:

Secomea has prepared a new SoftClient installer that will detect the state of your computer and offer choices to automatically patch your computer with either workaround 2 or 3 described below.

Download SoftClient build 16.2.18025


Description of the problem:

Possibly affected Windows versions and related patch:

January 3, 2018—KB4056897 (Security-only update)
January 9, 2018—KB4056894 (Monthly Rollup)
January 3, 2018—KB4056888 (OS Build 10586.1356)
January 3, 2018—KB4056892 (OS Build 16299.192)
January 3, 2018—KB4056891 (OS Build 15063.850)
January 3, 2018—KB4056890 (OS Build 14393.2007)
January 3, 2018—KB4056898 (Security-only update)
January 3, 2018—KB4056893 (OS Build 10240.17735)
January 9, 2018—KB4056895 (Monthly Rollup)

The primary purpose of these updates were to mitigate the Meltdown and Spectre vulnerabilities discovered recently.

Unfortunately, these patches significantly alter the handling of virtual memory in a way that is both incompatible with certain AMD CPUs, as well as certain applications, hereunder SoftClient. Starting SoftClient on 64 bit Windows 8.x and 10 may freeze or crash Windows and require a manual restart of your computer.

It is expected that Microsoft will provide a resolution in a future patch update, and has paused the patch roll out for AMD-based computers but not for Intel-based computers. Due to the nature of the problem, it is expected that a solution for the AMD CPU will also solve the problem with SoftClient.

More info on the problems caused by the update can be found in various online articles, e.g.

https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

http://windowsreport.com/kb4056894-issues/


Workarounds overview:

  1. Uninstall the security update, and prevent it from auto-installing (see http://windowsreport.com/block-kb4056892/ )
  2. Disable the security patch in Windows registry
  3. Configure SoftClient to use hardware virtualization instead of software based virtualization (Requires that virtualization is enabled in the computer BIOS)
  4. Wait for Microsoft to release a fix

Technical details about the workaround choices in SoftClient build 18025 installer:

Selecting the first workaround choice in the SoftClient installer, performs the following registry changes that will disable the Spectre and Meltdown security mitigations:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If answering No to the above workaround, the SoftClient installer will offer using hardware virtualization, by setting the value <HardwareVirtEx enabled="true"/> in the SoftClient.xml file located in \\Program Files\Secomea\TrustGate SoftClient\Machines\TGSoftClient

At any time in the installer, you can press Cancel and no changes are made.

Note: that once having selected the first choice (registry changes), you cannot undo this by running the SoftClient installer again. If having selected the second choice (hardware virtualization), running the installer again will again offer the first choice (registry changes) and disable use of hardware virtualization in the SoftClient. There is no option for applying both workarounds concurrently.


Using the Workaround:

To use the workaround that disables the security patch follow these steps:

  1. Install the newest SoftClient version - found here .
  2. After the installation - start SoftClient and the window shown below will show, choose "Yes"


  3. You will now be told that you must reboot - press "OK" to reboot.


  4. The workaround is now enabled and you can use SoftClient as normal.

To use the virtualization workaround follow these steps:

  1. reboot and enter the systems bios - you will need to enable "Hardware Virtualization", save and exit bios.
  2. Install the newest SoftClient version - found here .
  3. Start SoftClient and press "NO" to the first question box - seen below.


  4. if you get the picture below where you can only press "OK" or "Cancel" Hardware virtualization is not enabled in bios - press cancel and go to step 2, else go to step 5.


  5. If you get the question box shown below press "Yes" - SoftClient will now start as normal even with the windows security patch installed.



Creation date: 04/12/2019 16:30 (skr@secomea.com)      Updated: 04/12/2019 16:30 ()