OK, then. First let me explain that IME is short for Intel Management Engine. This firmware component is present on all modern PCs with Intel CPUs since 2008. It operates while the OS is active, and IME also runs during boot-up. In fact, IME is accessible even when a PC is shut down or sleeping, as long as power is available. I’m pondering IME recovery state issues for one reason. My 2012-vintage Lenovo X220 Tablet hangs at every restart to report that “ME is in a recovery state.” I must enter a keystroke before boot-up continues.

I’m learning that IME has deep access on any Windows PC where it resides. For more details, check out the Wikipedia article Intel Management Engine.

Why I’m Pondering IME Recovery State Issues

Fixing this issue on my old Lenovo touchscreen PC is proving nearly impossible. Check out this Win-RAID forum thread on ME Cleaner (a management engine cleanup tool). Hopefully, you’ll get a sense of what contortions removing IME entail. Long story short: some real BIOS hacking, with no guarantee of success, is required to disable (or remove) IME at the BIOS level. Sheesh!

The lead-in graphic for this story comes from Intel’s Converged Security and Management Engine Version Detection Tool (CSMEVDT). For the X220 Tablet, it shows that the system is no longer supported (no surprise there, considering its age). No new releases planned, either…

Increasing Horror Results When Pondering IME

In fact, the more I learn about the Intel Management Engine, the more disturbed I become. The Wikipedia article (cited above) does a good job of hitting the high points. What I learned from direct experience on my X220 Tablet is also scary. It goes so far as to speculate that state-level threat actors have been actively seeking out IME exploits for over a decade.

But alas, even after disabling IME in BIOS, the Recovery State error continues. At least the related driver error for “Serial Over LAN” (SOL) access no longer appears in Device Manager.

For the moment, I’m against making BIOS hacks. I’m pretty sure that the absence the SOL driver means IME can no longer access the network. But gosh, this is a scary set of security vulnerabilities to contemplate. Indeed, the rest of my Intel-based systems have IME “working properly.” That’s where my real concerns begin. I’ll have to make sure to patch them all, pronto!

Here’s an interesting item. Check your system/boot (usually C:) drive in Windows 10. If it’s filling up (or full), that may come from a (hopefully temporary) Windows Defender gotcha. The program starts creating loads of 2K binary files in the Scans/History/Store subfolder. Ghacks reports tens of thousands to nearly a million such files showing up on affected PCs. Normally, a healthy Defender installation has one or two files in this folder (shown in the lead-in graphic). That makes it easy to check if a system is subject to this potential Defender Engine 1.1.18100.5 gotcha.

How to Check For Potential Defender Engine 1.1.18100.5 Gotcha

The complete directory path to check is:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store
If  you see more than a handful of files there, you may be subject to the gotcha. It it’s chock-full of files and your C: drive is filling up, the gotcha is active! It’s OK to delete those files (Defender will make more), according to Brinkmann.

Brinkmann theorizes that the current Defender Engine version — namely 1.1.18100.5 — is responsible. He says MS is aware of the gotcha, and is planning a  fix with the next engine update. That new version should carry an ID of 1.1.18100.6, and be ready as soon as Thursday, May 6.

FWIW, I checked all of my Windows 10 PCs. While all of them are indeed running Engine version 1.1.18500.5, none of them is showing symptoms indicative of the gotcha. Clearly, it’s out there. But it’s not clear how widespread or active this gotcha may be. And it sounds like MS is already working on a fix that should do away with it completely.

At least, we don’t have to wait too long to find out if a fix is forthcoming. As I write this item, it could be just over 24 hours from release. For the record, Microsoft updates usually hit the Internet at 9:00 AM Pacific Time on release days. That’s about 26.5 hours from now.

Note Added May 5 Afternoon

A new engine build is already out,  and should download automatically to all Windows 10 PCs running Defender. I just found it already installed on my test PCs, to wit:

Note the new engine is out: 1.1.18100.6. Problem solved!

That was quick! Glad MS is on the ball today. Thanks to @WindowsInsider and the whole Windows Team.

With each Patch Tuesday, MS releases a new version of the Malicious Software Removal Tool (MSRT). Just yesterday, I learned about a similar but different tool named Microsoft Safety Scanner (MSERT.exe). At first, I did a double-take to make sure it wasn’t a typo. It’s not, as the Safety Scanner Docs page attests. (Here are live links to the 32-bit and 64-bit downloads mentioned in the lead-in graphic.) Here, I’ll explore what’s involved in using Microsoft Safety Scanner, aka MSERT.exe.

Explanation Precedes Using Microsoft Safety Scanner

MS explains the tool thusly “a scan tool designed to find and remove malware from Windows computers.”  It goes on to says “Simply download it and run a scan to find malware and try to reverse changes made by identified threats.” Like the MSRT, the MS Safety Scanner gets updates and new signatures all the time, so MS recommends that you always download a fresh copy any time you’d like to use it. They also observe that it’s only worth using for 10 days, after which one MUST download a new version.

Here’s how MS describes the MSRT on its download page:

Windows Malicious Software Removal Tool (MSRT) helps keep Windows computers free from prevalent malware. MSRT finds and removes threats and reverses the changes made by these threats. MSRT is generally released monthly as part of Windows Update or as a standalone tool available here for download.

I’ll be darned if I can tell much difference between them. Nor do I see much distinction in third-party coverage. That said, Explorer sees big differences in size between the two, to wit:

Notice that MSERT.exe shows up as itself, while MSRT shows up as KB890830, version 5.87. Because MSRT is released monthly through WU, it apparently keeps the same KB number, but gets a new version number with each release. MSERT is not so readily obliging but does show that information on its Properties/Details page. That’s where I learned that MSERT stands for “Microsoft Support Emergency Response Tool.”

Full name plus file version info readily available here.
[Click image for full-sized view.]

Let’s just say this is another tool from MS you can run at your own discretion to check a Windows PC for malware, and attempt cleanup. All this makes me curious to understand why we have access to not one, but two, such tools. Even the best of third-party explanations/explorations tend to be a bit shaky, like this Tom’s Hardware Forums item. Even my home forums community at TenForums is pretty much mum on differences, to my consternation and regret.

Using Microsoft Safety Scanner

The .exe file is portable and runs from anywhere (including the Downloads folder). The Docs don’t say one should run the program as administrator, but I did so anyway. It presents a EULA to which you must agree before it does its thing. Next you get a welcome/disclosure screen:

Click Next, and you get your choice of scan types (quick, full, or customized).

Then, it scans your “most likely compromised” files under quick scan.

On my production PC, the whole process took about 3:00 and produced the following results.

Nothing to see here folks, please move along. A clean bill of health, in other words.

Upon completion,  the log file (named msert.log) shows nothing informative about cleanup or actions taken (probably because it found nothing to clean up). Here’s a NotePad++ view of its contents (click to view full-sized, as it’s a little hard to read in native WordPress resolution):

I’m still not sure if you and I really need this tool or not, but it’s nice to know it’s available on demand should you wish to make a malware scan and clean-up pass over your Windows PC. The whole thing still has me wondering…