Security Question

How do you uninstall or roll back a Microsoft Update for Windows 7 machines? specifically KB2823324.

04/12/2013 51284 views

this update is causing Windows 7 computers to run chkdsk at boot up until it's manually uninstalled. I'm looking for KACE to automate a rollback/uninstall on machinese that are set to automatically install updates.

Answer Summary:
Since Microsoft has already removed this update from their servers and no longer pushing down to machinese that are set for "Auto Updates", I found the following to work for my environment: %WINDIR%\SysNative\wusa.exe /uninstall /kb:2823324 /quiet /norestart thanks all for the quick responses.
0 Comments   [ + ] Show comments


Community Chosen Answer


I just made a script that ran C:\Windows\System32\\wusa.exe with params /uninstall /kb:2823324 /quiet /norestart” I then looked for machines in the inventory with the software title Security Update for Microsoft Windows (KB2823324) and then added them to label and ran the script against it. I also disabled the patch in kace.

Answered 04/12/2013 by: ms01ak
10th Degree Black Belt

  • this works on 32-bit machines, but no 64. Any ideas?
  • I've modified the script to run with the variable $(KACE_SYS_DIR), but from what I've read the patch only affects 32bit machines and not 64 bit machines.
  • Still failing on 64 bit machines even with variable. I'm seeing the issue on 64bit, and not 32.
  • Try pointing the C:\Windows\SysWOW64\wusa.exe instead of System32 and see if that does the trick
  • Tried that too... :(
    • Sorry for asking, but is x64 selected in the script for "Supported OS".
  • Try this dism /Online /remove-package /PackageName:Package_for_KB2823324~31bf3856ad364e35~x86~~
  • Use this script below in order for KACE to verify 32 or 64 bits.

    IF %PROCESSOR_ARCHITEW6432% == AMD64 goto :x64
    • Where exactly do I need to run this script? thanks.
  • both dism and wusa are located in the system32 directory for 32bit machines. In 64bit try C:\windows\sysWOW64
  • I have tried this multiple times multiple ways, and all I keep getting is: Windows update could not be uninstalled because of error 2147549183 "Catastrophic failure" (Command line: "c:\Windows\SysWOW64\wusa.exe /uninstall /kb:2823324 /quiet /norestart"). What am I doing wrong?
  • Nevermind, I figured it out. This fixed my problem: %WINDIR%\SysNative\wusa.exe /uninstall /kb:2823324 /quiet /norestart
    • Nice. this is what fixed my issue. thanks for posting.
    • Hello, I am facing the same issue and I dont want to install Microsoft sysinternals. I have the package for win7 64 bit and i dont have Sysnative directory to run the command. How can i accomplish this command for uninstalling the package.?
    • This worked as well for me. Thanks!
    • A trick that works properly even today, thanks a lot :-)

All Answers


What I did was create a manual label (Patch_MS13-036). I then went to the patch listing and manually applied this label to the corresponding patches.

I then created a new patch schedule with a patch action "Detect and Rollback". Under the "Detect Patch Label" I added my label (Patch_MS13-036) I created, and the same for "Rollback Patch Selection". Everything else is the same setup. 

Answered 04/12/2013 by: dugullett
Red Belt

  • The issue that I ran into is that I first set the patch to inactive to make sure it didn't get installed on other machines. However, once you do that, it no longer gets included in the rollback schedule, so I had to re-active the patch and adjust my smart label for production patches to specifically exclude this particular patch. Is there a better way to do that?

    The only difference with my rollback schedule is that I created a smart label to find machines that have the patch installed and used that for the schedule.
    • I'm wondering off the top of my head if you left it active, and added notes "DO NOT USE"? Then added the query below to your existing label. That way if it ever happened again in the future. As long as you kept the wording the same it should drop out.


      I lucked out, and we were still in testing. It only affected my test machines.
      • Looking at this further = is working finding the notes, but != is returning 0 results. I'll keep tinkering with it on Monday.
      • That's a good method. This seems more convoluted than necessary. It seems like I should be able to rollback an inactive patch, but that's not how it is designed.
  • Any inactive patch is removed from KBOX cache the next day, so in order to rollback a patch, it has to be present on the KBOX. It's a double-edge sword in this scenario. For one, you need it enabled to rollback, but then you don't want to have it installed on the managed systems.

You can follow a few simple steps and then create an uninstall package and push it. Here are the few simple steps to create the uninstall of MSU:



~Piyush Nasa

~My Blog:  http://msiworld.blogspot.com/

Answered 04/14/2013 by: piyushnasa
Red Belt

  • I can't find the associated .msu file on MS site anymore.

You need to change the directory first to sysnative and then run the command line.

cd %windir%\sysnative

You can do this in a batch file.

I faced a similar problem while installing language packs for win7 x64. I documented it here in my blog:


~Piyush Nasa

~My Blog:  http://msiworld.blogspot.com/

Answered 04/15/2013 by: piyushnasa
Red Belt

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ