From Newsgroup: alt.comp.os.windows-11
On Sun, 5/24/2026 6:20 PM, T wrote:
On 5/24/26 4:12 AM, Kerr-Mudd, John wrote:
On Sat, 23 May 2026 10:22:45 -0400
"....winston" <winstonmvp@gmail.com> wrote:
On 05/23/2026 2:34 AM, Paul wrote:
On Sat, 5/23/2026 12:49 AM, T wrote:
Hi All,
I have to do VulnDetect updates of vulnerable programs once
a week on several customers as part of PCI testing.
One customer has to get "Microsoft .NET Desktop Runtime 8",
the long term supported version, updated every month because
of some security this or that.
Is there something about Microsoft .NET Desktop Runtime 8 I
should know? Is it really such a security nightmare?
Yours in Confusion,
-T
https://en.wikipedia.org/wiki/.NET
   "Versioning practice
    .NET Core Runtime roughly uses semantic versioning, the major.minor.patch format.
    ...
    Patch versions are given for bug fixes, new platform support,
    or other changes not included above.[37]
That means the reason for issue, may not be purely CVE based.
    Paul
Not unusual for security updates, but as noted platform and code changes
are included in each and every monthly update (typically/routinely
once/mo. except in Dec.)
Also, basically a legacy product. Support ends this year. Migration to
.NET 10 is necessary to maintain the LTS(Long Term Support) path.
i.e. The customer and computer support personnel should be looking
forward rather than concern for security updates included in .NET 8.0
monthly updates.
I spurned DotNet bloat when it first raised its ugly MS-locked-in head.
Dot Net gives me the creeps too.
As of last week,
   https://dotnet.microsoft.com/en-us/download/dotnet
M$ only listed 8 as "Long Term Support". It now lists
10 as also having long term support.
And I am not up to finding out what programs they are
running require what version of dot net. If 8 is working
for them, then that is the one to keep, until long term
support is discontinued. There is no sign of that.
Here is an untested script from CoPilot.
This initially started using the following CoPilot Question.
******************** CoPilot Question *******************
How can I scan C: for dotnet assemblies and get specific version information for the programs using such assemblies ?
For example, an IT person notices that .net core version 8 is installed
on a modern Windows OS, and one thing (Intel DSA, something to do with updating an
Intel graphics driver) seems to have caused .net core version 8 to be installed.
How can that IT person scan the C: drive and determine it is the Intel
product and which precise executable which is doing it ?
******************** END: CoPilot Question *******************
This is the script it eventually created. Note that some of the
Windows Apps are stored in Access Denied areas and Administrator
Elevation is unlikely to get you in there. Perhaps running the
script as TrustedInstaller would cover off the missing bits (not
on your customer machine, that suggestion is purely to see
how or if this script works worth a damn).
******************** Scan-DotNetAssemblies.ps1 ************************
<#
Scan-DotNetAssemblies.ps1
Scans C:\ for .NET assemblies, extracts TargetFramework,
maps assemblies to installed programs, and outputs a CSV
listing all assemblies requiring .NET 8.
Also logs directories where access is denied.
#>
$ErrorActionPreference = "SilentlyContinue"
Write-Host "Scanning installed programs..." -ForegroundColor Cyan
# --- Collect installed program info from registry ---
$installedPrograms = @{}
$uninstallPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)
foreach ($path in $uninstallPaths) {
    if (Test-Path $path) {
        Get-ChildItem $path | ForEach-Object {
            $p = Get-ItemProperty $_.PsPath
            if ($p.DisplayName -and $p.InstallLocation) {
                $installedPrograms[$p.InstallLocation.TrimEnd('\')] = $p.DisplayName
            }
        }
    }
}
Write-Host "Installed program entries loaded: $($installedPrograms.Count)" -ForegroundColor Green
# --- Prepare output collections ---
$results = New-Object System.Collections.Generic.List[Object]
$accessDenied = New-Object System.Collections.Generic.List[String]
Write-Host "Scanning C:\ for .NET assemblies..." -ForegroundColor Cyan
# --- Enumerate files safely, capturing access-denied directories ---
try {
    $files = Get-ChildItem -Path "C:\" -Recurse -Include *.dll, *.exe -ErrorAction Stop
}
catch {
    # We need a manual walker to capture access-denied paths
    function Safe-Enumerate($path) {
        try {
            # -LiteralPath so directory names containing [ or ] are not treated as wildcards
            Get-ChildItem -LiteralPath $path -ErrorAction Stop | ForEach-Object {
                if ($_.PSIsContainer) {
                    Safe-Enumerate $_.FullName
                } else {
                    if ($_.Extension -in ".dll", ".exe") {
                        $_
                    }
                }
            }
        }
        catch {
            $accessDenied.Add($path)
        }
    }
    $files = Safe-Enumerate "C:\"
}
Write-Host "Files found: $($files.Count)" -ForegroundColor Green
# --- Function to extract TargetFramework ---
function Get-TargetFramework($path) {
    try {
        # LoadFile maps the file into this PowerShell process; native DLLs and
        # unreadable files throw and are reported as $null.
        $asm = [System.Reflection.Assembly]::LoadFile($path)
        $tfm = $asm.CustomAttributes |
            Where-Object { $_.AttributeType.FullName -eq "System.Runtime.Versioning.TargetFrameworkAttribute" } |
            Select-Object -ExpandProperty ConstructorArguments -ErrorAction Ignore |
            Select-Object -ExpandProperty Value -ErrorAction Ignore
        return $tfm
    }
    catch {
        return $null
    }
}
# --- Function to map file to installed program ---
function Map-ToProgram($filePath) {
    $dir = Split-Path $filePath -Parent
    foreach ($installPath in $installedPrograms.Keys) {
        # Literal, case-insensitive prefix test on a directory boundary
        # (-like would treat [ ] in a path as wildcards and match C:\App2 for C:\App)
        if ($dir -eq $installPath -or
            $dir.StartsWith("$installPath\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $installedPrograms[$installPath]
        }
    }
    return "(No matching installed program)"
}
Write-Host "Analyzing assemblies..." -ForegroundColor Cyan
foreach ($file in $files) {
    $tfm = Get-TargetFramework $file.FullName
    # The attribute value has the form ".NETCoreApp,Version=v8.0"; it never contains "net8"
    if ($tfm -and $tfm -match '^\.NETCoreApp,Version=v8\.') {
        $program = Map-ToProgram $file.FullName
        $results.Add([PSCustomObject]@{
            FilePath = $file.FullName
            TargetFramework = $tfm
            Program = $program
        })
    }
}
# --- Output CSV ---
$outFile = "$env:USERPROFILE\Desktop\DotNet8_Assemblies.csv"
$results | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
# --- Output access-denied log ---
$denyFile = "$env:USERPROFILE\Desktop\AccessDenied_Directories.txt"
$accessDenied | Sort-Object -Unique | Out-File $denyFile -Encoding UTF8
Write-Host ""
Write-Host "Scan complete!" -ForegroundColor Green
Write-Host "Results saved to: $outFile"
Write-Host "Access-denied directories saved to: $denyFile"
******************** END: Scan-DotNetAssemblies.ps1 ************************
You can see that's not much of a scan, as it does not look "everywhere",
it looks in curated places. A program must be "installed" to be note-worthy
to the scanner.
If you need ammunition, start with a junk install on a physical machine
(the kind of junk installs I do on my other computers when a VM
install will not suffice), and you may be able to "spot" this one.
It apparently installs a runtime for .NET 9, but it could be doing
it in a private manner. This is just the first thing that came to mind regarding dotnet executables. It may not be the absolute best example.
The page has the usual trashy teaser-dialogs you're not supposed to press :-) And a google-vignette for you to press the reload icon on your browser
and continue on with the download step after that.
https://www.getpaint.net/download.html
I'd do all of this, but I don't have Intel graphics (and Intel drivers) to test the DSA theory.
Lots of people have laptops with an Intel iGPU, which may make them
good candidates for a throwaway install on a scratch drive. I don't
have a good Intel-flavored machine for this sort of test of Intel stuffings
as a possible source of .NET 8.0 involvement.
Paul
--- Synchronet 3.21d-Linux NewsLink 1.2
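
A different route to the same question, as an added example (not part of the post above and not the CoPilot script): framework-dependent .NET apps ship an `<app>.runtimeconfig.json` that names the shared runtime they need, so a scan can read those JSON files instead of loading every DLL and EXE on the drive into the PowerShell process. The function name `Find-DotNetRuntimeConsumers` and the sample tree under the temp directory are made up for illustration.

```powershell
# Added example: list apps whose runtimeconfig.json names a given .NET major version.
# Only JSON is read; no DLL or EXE is loaded into the PowerShell process.
function Find-DotNetRuntimeConsumers {            # hypothetical name
    param(
        [Parameter(Mandatory)] [string] $Root,    # directory tree to scan
        [int] $Major = 8                          # runtime major version of interest
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.runtimeconfig.json' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $json = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop | ConvertFrom-Json
            }
            catch { return }                      # unreadable or malformed file: skip it
            $opts = $json.runtimeOptions
            if (-not $opts) { return }
            # "framework"/"frameworks": shared runtime the app expects to find installed.
            # "includedFrameworks": private copy shipped with a self-contained app.
            foreach ($key in 'framework', 'frameworks', 'includedFrameworks') {
                foreach ($fw in @($opts.$key)) {
                    if ($fw -and $fw.version -match "^$Major\.") {
                        [pscustomobject]@{
                            App        = $file.FullName -replace '\.runtimeconfig\.json$', ''
                            Framework  = $fw.name
                            Version    = $fw.version
                            UsesShared = ($key -ne 'includedFrameworks')
                        }
                    }
                }
            }
        }
}

# Constructed sample tree (not real products) so the function can be tried without scanning C:\.
# AppA declares the shared 8.0 desktop runtime; AppB bundles its own 9.0 runtime.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'runtimeconfig-demo'
New-Item -ItemType Directory -Force -Path (Join-Path $demo 'AppA'), (Join-Path $demo 'AppB') | Out-Null
'{"runtimeOptions":{"tfm":"net8.0","framework":{"name":"Microsoft.WindowsDesktop.App","version":"8.0.0"}}}' |
    Set-Content -LiteralPath (Join-Path $demo 'AppA\AppA.runtimeconfig.json')
'{"runtimeOptions":{"tfm":"net9.0","includedFrameworks":[{"name":"Microsoft.NETCore.App","version":"9.0.1"}]}}' |
    Set-Content -LiteralPath (Join-Path $demo 'AppB\AppB.runtimeconfig.json')
Find-DotNetRuntimeConsumers -Root $demo -Major 8 | Format-Table -AutoSize
```

Apps published as a single file embed this JSON inside the executable, so they will not appear in the results. Rows with `UsesShared` set to true are the ones that depend on the machine-wide runtime install.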