How to check if your PC is protected from the Meltdown and Spectre exploits

A number of security researchers have recently disclosed two vulnerabilities ("Meltdown" and "Spectre") found in many modern processors. These are major hardware design flaws that attackers can exploit to access part of the memory that should remain private, allowing them to steal your information (passwords, emails, browser history, and photos).

These flaws affect a large number of processors released in the past two decades, including those manufactured by Intel, Advanced Micro Devices (AMD), and ARM — but it's still primarily an Intel problem. AMD has published a statement clarifying that one (branch target injection) of the two Spectre variants doesn't impact its processors, and the second variant (bounds check bypass) can be resolved through a software update. The third variant, Meltdown (rogue data cache load), doesn't impact AMD chips either due to architecture differences.

In addition, as a result of these two now-famous security flaws, supported OSes such as Windows 10, macOS, and Linux, as well as many other pieces of software, are also affected.

Microsoft has already released a patch to mitigate part of the problem on Windows 10, and now hardware manufacturers are starting to roll out firmware updates to address the other part. However, because this is a multi-step solution to properly (but not entirely) fix the problem, it can be difficult to tell if your PC has been immunized, which is why the software giant also created a PowerShell script to check if your device is still vulnerable.

In this Windows 10 guide, we'll walk you through the steps to check if your device has the required system and firmware updates to mitigate the latest microprocessor security vulnerabilities. In addition, we'll look at the steps you need to follow if your computer is still not protected.

How to check if your PC is protected against CPU vulnerabilities

In order to verify that you're protected against the latest microprocessor security vulnerabilities, you can use a PowerShell script created by Microsoft:

  1. Open Start.
  2. Search for Windows PowerShell, right-click the top result, and select Run as administrator.
  3. Type the following command to install the required module and press Enter:
     Install-Module SpeculationControl
  4. Type Y and press Enter if you're prompted to enable NuGet provider.
  5. Type Y and press Enter if you're prompted to confirm the installation from an untrusted repository.
  6. Type the following command to save the current execution policy so it can be reset and press Enter:
     $SaveExecutionPolicy = Get-ExecutionPolicy
  7. Type the following command to ensure you can import the module in the next step and press Enter:
     Set-ExecutionPolicy RemoteSigned -Scope Currentuser
  8. Type Y when prompted to confirm the execution policy change and press Enter.
  9. Type the following command and press Enter:
     Import-Module SpeculationControl
  10. Type the following command to check if your device has the necessary updates and press Enter:
     Get-SpeculationControlSettings

Once you've completed these steps, you'll be able to determine whether or not your computer is still vulnerable to the Meltdown and Spectre security flaws.

If your machine only has the emergency patch for Windows 10 installed, which only addresses the Meltdown vulnerability, then you'll see all the requirements for "rogue data cache load" (Meltdown) set to True and highlighted in green.

Also, under "branch target injection" (Spectre), only the software mitigation is present and set to True, but it won't show up as enabled if your device doesn't have the latest Basic Input/Output System (BIOS) or Unified Extensible Firmware Interface (UEFI) update from your hardware manufacturer.

Only after installing the emergency Windows 10 update and the required version of the BIOS or UEFI update will all the requirements under "branch target injection" and "rogue data cache load" be set to True and highlighted in green, indicating that your device is protected.

After you're done verifying the state of your device, type the following PowerShell command to roll back the execution policy to the original state and press Enter, and then type Y and press Enter to confirm the reset:

Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser
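
The reading of the output described above can also be scripted. The following is an added example, not part of the original article or of Microsoft's module; the function name Get-MitigationVerdict is hypothetical, and the property names are assumed to match the object that Get-SpeculationControlSettings returns on your module version.

```powershell
# Added example: turn the Get-SpeculationControlSettings result into next steps.
# Property names are assumed from the module's returned object; confirm them on
# your version with: Get-SpeculationControlSettings | Get-Member
function Get-MitigationVerdict {
    param([Parameter(Mandatory)] $Settings)

    # Meltdown ("rogue data cache load"): needs only the Windows update.
    $meltdown = if (-not $Settings.KVAShadowRequired) {
        'Not required on this processor'
    } elseif (-not $Settings.KVAShadowWindowsSupportPresent) {
        'Vulnerable: install the Windows update'
    } elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
        'Windows support present but not enabled'
    } else {
        'Protected'
    }

    # Spectre ("branch target injection"): needs the Windows update AND firmware.
    $spectre = if (-not $Settings.BTIWindowsSupportPresent) {
        'Vulnerable: install the Windows update'
    } elseif (-not $Settings.BTIHardwarePresent) {
        'Vulnerable: install the BIOS/UEFI update from the manufacturer'
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        'Updates present but mitigation not enabled'
    } else {
        'Protected'
    }

    [pscustomobject]@{
        RogueDataCacheLoad    = $meltdown
        BranchTargetInjection = $spectre
    }
}

# Constructed sample: Windows update installed, firmware update missing.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
}
Get-MitigationVerdict -Settings $sample

# On a real machine, after Import-Module SpeculationControl:
# Get-MitigationVerdict -Settings (Get-SpeculationControlSettings)
```

Running Set-ExecutionPolicy RemoteSigned -Scope Process before importing the module limits the policy change to the current PowerShell session, so there is nothing to roll back afterwards.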

How to protect your PC from CPU vulnerabilities

Windows Update

The update that helps to mitigate the security vulnerabilities should install automatically, but if after running the PowerShell script, you notice that your device isn't protected, there could be a problem with Windows Update or there could be an antivirus conflict.

While creating the latest patch for Windows 10, Microsoft found that some antivirus solutions may cause a Blue Screen of Death (BSOD) that will prevent a device from starting. As a result, if you're running an unsupported third-party antivirus, Windows Update won't download and install the mitigation for the vulnerability.

If your computer isn't getting the update, visit your antivirus company's support website to find out if a new software update is available and follow the instructions to apply it.

If the antivirus doesn't have the patch to address the compatibility issue with Windows 10, you can temporarily uninstall the third-party antivirus. (Although it's not recommended to keep your computer unprotected, remember that when you uninstall the third-party malware solution, Windows Defender Antivirus will enable automatically.)

Uninstalling security software should be a straightforward process, but it's always a good idea to check your software company's support website for specific instructions before using the steps below:

  1. Open Settings.
  2. Click on Apps.
  3. Click on Apps & features.
  4. Select the antivirus.
  5. Click the Uninstall button.
  6. Click the Uninstall button again.
  7. Continue with the on-screen directions to remove the antivirus.

If you have a problem with Windows Update, use the troubleshooter to fix the issue:

  1. Open Settings.
  2. Click on Update & Security.
  3. Click on Troubleshoot.
  4. Under "Get up and running," select Windows Update.
  5. Click the Run the troubleshooter button.
  6. Continue with the on-screen directions to fix Windows Update.

After installing the antivirus software update, or fixing Windows Update, use these steps to install the mitigation:

  1. Open Settings.
  2. Click on Update & Security.
  3. Click on Windows Update.
  4. Click the Check for updates button.

After the update downloads and installs, return to the Windows Update settings page, click the View installed update history link, and verify that one of the following updates has been successfully applied on your device:

  • KB4056892 — Windows 10 version 1709 (Fall Creators Update).
  • KB4056891 — Windows 10 version 1703 (Creators Update).
  • KB4056890 — Windows 10 version 1607 (Anniversary Update).
  • KB4056888 — Windows 10 version 1511 (November Update).
  • KB4056893 — Windows 10 version 1507 (Initial Release).

BIOS/UEFI update

In order to patch the Spectre vulnerability, a BIOS or UEFI update must be applied to your computer. The steps to install the latest firmware update differ depending on the brand and model of your device, so make sure to visit your manufacturer's support website to check for the latest update and the specific instructions on how to apply it.

You can use the links in the list below to check your device manufacturer support website for the latest firmware update to mitigate these new vulnerabilities. (If the manufacturer isn't in the list, you may need to contact the company directly.)

If you have a Surface device, Microsoft has already made available a firmware update to help mitigate these vulnerabilities on Windows 10 version 1709 (Fall Creators Update) and version 1703 (Creators Update) for the following devices:

  • Surface Pro 3.
  • Surface Pro 4.
  • Surface Book.
  • Surface Studio.
  • Surface Pro Model 1796.
  • Surface Laptop.
  • Surface Pro with LTE Advanced.
  • Surface Book 2.

Surface devices should receive the latest firmware update automatically, but you can always force the update by going to Settings > Update & Security > Windows Update and clicking the Check for updates button.

In order to check if you're running the latest BIOS or UEFI update, use the following steps:

  1. Open Start.
  2. Search for msinfo32 (or System Information) and press Enter.
  3. On "Summary," check the BIOS Version\Date information.
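
The update-history check from the Windows Update section and the BIOS version lookup above can be done from the same PowerShell window. This is an added example, not part of the original article; the function names Find-MitigationUpdate and Get-PatchReport are hypothetical, and the KB numbers are the ones listed earlier on this page.

```powershell
# Added example. KB numbers and Windows 10 versions are copied from the article's list.
$MitigationKBs = [ordered]@{
    'KB4056892' = '1709 (Fall Creators Update)'
    'KB4056891' = '1703 (Creators Update)'
    'KB4056890' = '1607 (Anniversary Update)'
    'KB4056888' = '1511 (November Update)'
    'KB4056893' = '1507 (Initial Release)'
}

function Find-MitigationUpdate {
    # $InstalledIds defaults to the live hotfix list; pass your own to test offline.
    param([string[]] $InstalledIds = @(Get-HotFix | Select-Object -ExpandProperty HotFixID))

    foreach ($kb in $MitigationKBs.Keys) {
        if ($InstalledIds -contains $kb) {
            return [pscustomobject]@{ HotFixID = $kb; Windows10Version = $MitigationKBs[$kb] }
        }
    }
    # A miss is not proof the fix is absent: a later cumulative update that
    # replaces one of these carries a different KB number.
    return $null
}

function Get-PatchReport {
    $update = Find-MitigationUpdate
    $bios   = Get-CimInstance -ClassName Win32_BIOS
    [pscustomobject]@{
        MitigationUpdate = if ($update) { $update.HotFixID } else { 'none of the listed KBs found' }
        BiosVendor       = $bios.Manufacturer
        BiosVersion      = $bios.SMBIOSBIOSVersion   # compare with the vendor's latest release
        BiosReleaseDate  = $bios.ReleaseDate
    }
}

# Constructed sample (KB0000000 is a placeholder, not a real update):
Find-MitigationUpdate -InstalledIds 'KB0000000', 'KB4056892'

# Live check on the current machine:
Get-PatchReport
```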

Software update

Alongside applying the Windows 10 emergency patch and the latest firmware update to stay protected against the Meltdown and Spectre vulnerabilities, you should also check for app updates (especially for your web browser, as it's possible to use similar techniques to compromise your information when surfing the internet).

Microsoft has already patched the latest version of Internet Explorer and Microsoft Edge. Mozilla protects Firefox users against these particular exploits starting with version 57. And Google is expected to release a Chrome update on January 23, which will also include Site Isolation enabled by default to add an extra layer of security.

Wrapping things up

Running the latest updates, in some cases, doesn't necessarily mean that you're automatically protected. After taking care of all the patches, use the PowerShell script again to make sure that your PC is no longer vulnerable.

Although many companies like Microsoft are quickly responding to mitigate the security issues with Meltdown and Spectre, keep in mind that these are just the first wave of updates. In the near future, we can expect to see additional updates to better address these problems. However, these are complicated flaws, and fixing them permanently will ultimately require replacing the processor.

Mauro Huculak is a technical writer for WindowsCentral.com. His primary focus is to write comprehensive how-tos to help users get the most out of Windows 10 and its many related technologies. He has an IT background with professional certifications from Microsoft, Cisco, and CompTIA, and he's a recognized member of the Microsoft MVP community.

30 Comments
  • Just what the doctor ordered, thank you for the handy guide. Will definitely help a lot of people out there.
  • So if you need to replace laptop processor to ultimately fix hardware, how do you replace my hp spectre laptop, you know the thinnest laptop?
  • Simple, a sledge hammer or a steam roller :P. Just kidding, pretty much have no choice but to apply all the patches and get a proper heavy duty internet security suite like F Secure but that suite is resource heavy...
  • Is it possible these KB updates do NOT work on Insider systems? I checked and it looks like I don't have the patch, but neither Windows Update nor the downloaded KB file install, with the latter telling me it isn't applicable to my PC.
  • That is likely due to the fact that you do not have an antivirus product installed and updated. The patch will only show as advertised and install IF a reg key is set. This is documented here for reference -> https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-...   Jeff  
  • I have got this after following the procedure, it's in red: SO WHAT DOES THIS MEAN? Hardware support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is enabled: False
  • Are all four of them in red, if so then you need to check Windows Update for the Cumulative Update and make sure that your AV is compatible. If you only have three of them in red then you need a BIOS/UEFI update from the device/motherboard manufacturer. AFAIK that's the case at least according to the article.
  • So let me get this straight, Google finds a vulnerability, Microsoft and Mozilla patch their browsers but Google leaves it until the 23rd. That's a bit hypocritical of Google considering all the crap they give Microsoft for not patching vulnerabilities in Windows quickly enough.
  • Do you think the average Joe can do this?
  • Yes.  It's spelled out with copy paste-able powershell commands.   
  • So this thing has been around for some years? Had it not been made public last week, everyone would be using their PCs unaware of it, and be unlikely ever to encounter any attack from it.
  • NSA got busted!
  • I'm on insider 17046, all relevant on RED-false. How to protect this machine?
  • How important is the BIOS update? It makes me nervous as I've never done it before, and Gigabyte haven't got an update since 2015 so not sure it would fix it anyway. My version is 2013. Thanks!
  • Actually, it's important to mitigate primarily the Spectre vulnerability.
  • BIOS update is very easy actually...
  • I didn't save my original configuration.  I thought I did, but instead of copying/pasting the instructions I typed them out and instead of save, I typed sace. Is there any way to get my original configuration back?  Does it matter if I leave the new configuration?   Thanks,
  • This command should do the trick: Set-ExecutionPolicy Default Thanks,
  • The powershell command to roll back execution policy does not work for me.
  • I just double-checked all the steps and ran the rollback command and they worked as expected. You're probably not executing the commands and steps correctly. You can also use this command, Set-ExecutionPolicy Default, to change the execution policy to its safe settings.
  • I got the following message... Windows PowerShell updated your execution policy successfully, but the setting is overridden by
    a policy defined at a more specific scope. Due to the override, your shell will retain its current effective
    execution policy of RemoteSigned. Type "Get-ExecutionPolicy -List" to view your execution policy settings.
  • That suggests that you have a different execution policy to the default
  • Had the same issue and Googled myself to death, gave up, read tech docs and fixed the problem myself. Run Get-ExecutionPolicy -List; this will show you which policy is set to remote (in my case it was CurrentUser), then run Set-ExecutionPolicy -Scope CurrentUser Restricted (replace CurrentUser with whatever you have set to RemoteSigned). That should sort it out.
  • Very helpful information!
  • Since I don't see any article mention it, I can assume VIA cpu chips are safe from Meltdown and Spectre. I now know which stock to put money into. lol
  • I thought I would mention that the firmware update isn't yet being distributed to all users, just those on the Insider Rings.
  • If your AV is preventing the MS patch, you can manually add the required registry key.  Trend Micro posted the instructions at: https://success.trendmicro.com/solution/1119183-important-information-fo...
  • How about a .bat file?
  • All good on a surface book, and don't really notice any slowdowns either. Now if only Gigabyte released updates for their motherboards..
  • What about verification for Windows 8.1, Windows 7 and Windows XP? Are these expected from Windows Central website?
    Or, should I say it is actually Windows 10-Only Central...?!