Posted on 09/13/2007 8:40:04 AM PDT by ShadowAce
Microsoft has begun patching files on Windows XP and Vista without users' knowledge, even when the users have turned off auto-updates.
Many companies require testing of patches before they are widely installed, and businesses in this situation are objecting to the stealth patching.
Files changed with no notice to users
In recent days, Windows Update (WU) started altering files on users' systems without displaying any dialog box to request permission. The only files that have been reportedly altered to date are nine small executables on XP and nine on Vista that are used by WU itself. Microsoft is patching these files silently, even if auto-updates have been disabled on a particular PC.
It's surprising that these files can be changed without the user's knowledge. The Automatic Updates dialog box in the Control Panel can be set to prevent updates from being installed automatically. However, with Microsoft's latest stealth move, updates to the WU executables seem to be installed regardless of the settings — without notifying users.
When users launch Windows Update, Microsoft's online service can check the version of its executables on the PC and update them if necessary. What's unusual is that people are reporting changes in these files although WU wasn't authorized to install anything.
This isn't the first time Microsoft has pushed updates out to users who prefer to test and install their updates manually. Not long ago, another Windows component, svchost.exe, was causing problems with Windows Update, as last reported on June 21 in the Windows Secrets Newsletter. In that case, however, the Windows Update site notified users that updated software had to be installed before the patching process could proceed. This time, such a notice never appears.
For users who elect not to have updates installed automatically, the issue of consent is crucial. Microsoft has apparently decided, however, that it doesn't need permission to patch Windows Updates files, even if you've set your preferences to require it.
Microsoft provides no tech information — yet
To make matters even stranger, a search on Microsoft's Web site reveals no information at all on the stealth updates. Let's say you wished to voluntarily download and install the new WU executable files when you were, for example, reinstalling a system. You'd be hard-pressed to find the updated files in order to download them. At this writing, you either get a stealth install or nothing.
A few Web forums have already started to discuss the updated files, which bear the version number 7.0.6000.381. The only explanation found at Microsoft's site comes from a user identified as Dean-Dean on a Microsoft Communities forum. In reply to a question, he states:
"Windows Update Software 7.0.6000.381 is an update to Windows Update itself. It is an update for both Windows XP and Windows Vista. Unless the update is installed, Windows Update won't work, at least in terms of searching for further updates. Normal use of Windows Update, in other words, is blocked until this update is installed."Windows Secrets contributing editor Susan Bradley contacted Microsoft Partner Support about the update and received this short reply:
"7.0.6000.381 is a consumer only release that addresses some specific issues found after .374 was released. It will not be available via WSUS [Windows Server Update Services]. A standalone installer and the redist will be available soon, I will keep an eye on it and notify you when it is available."Unfortunately, this reply does not explain why the stealth patching began with so little information provided to customers. Nor does it provide any details on the "specific issues" that the update supposedly addresses.
System logs confirm stealth installs
In his forum post, Dean-Dean names several files that are changed on XP and Vista. The patching process updates several Windows\System32 executables (with the extensions .exe, .dll, and .cpl) to version 7.0.6000.381, according to the post.
In Vista, the following files are updated:
1. wuapi.dll
2. wuapp.exe
3. wuauclt.exe
4. wuaueng.dll
5. wucltux.dll
6. wudriver.dll
7. wups.dll
8. wups2.dll
9. wuwebv.dll
In XP, the following files are updated:
1. cdm.dll
2. wuapi.dll
3. wuauclt.exe
4. wuaucpl.cpl
5. wuaueng.dll
6. wucltui.dll
7. wups.dll
8. wups2.dll
9. wuweb.dll
These files are by no means viruses, and Microsoft appears to have no malicious intent in patching them. However, writing files to a user's PC without notice (when auto-updating has been turned off) is behavior that's usually associated with hacker Web sites. The question being raised in discussion forums is, "Why is Microsoft operating in this way?"
How to check which version your PC has
If a system has been patched in the past few months, the nine executables in Windows\System32 will either show an earlier version number, 7.0.6000.374, or the stealth patch: 7.0.6000.381. (The version numbers can be seen by right-clicking a file and choosing Properties. In XP, click the Version tab and then select File Version. In Vista, click the Details tab.)
In addition, PCs that received the update will have new executables in subfolders named 7.0.6000.381 under the following folders:
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll
Users can also verify whether patching occurred by checking Windows' Event Log:
Step 1. In XP, click Start, Run.
Step 2. Type eventvwr.msc and press Enter.
Step 3. In the tree pane on the left, select System.
Step 4. The right pane displays events and several details about them. Event types such as "Installation" are labeled in the Category column. "Windows Update Agent" is the event typically listed in the Source column for system patches.
On systems that were checked recently by Windows Secrets readers, the Event Log shows two installation events on Aug. 24. The files were stealth-updated in the early morning hours. (The time stamp will vary, of course, on machines that received the patch on other dates.)
To investigate further, you can open the Event Log's properties for each event. Normally, when a Windows update event occurs, the properties dialog box shows an associated KB number, enabling you to find more information at Microsoft's Web site. Mysteriously, no KB number is given for the WU updates that began in August. The description merely reads, "Installation Successful: Windows successfully installed the following update: Automatic Updates."
No need to roll back the updated files
Again, it's important to note that there's nothing harmful about the updated files themselves. There are no reports of software conflicts and no reason to remove the files (which WU apparently needs in order to access the latest patches). The only concern is the mechanism Microsoft is using to perform its patching, and how this mechanism might be used by the software giant in the future.
I'd like to thank reader Angus Scott-Fleming for his help in researching this topic. He recommends that advanced Windows users monitor changes to their systems' Registry settings via a free program by Olivier Lombart called Tiny Watcher. Scott-Fleming will receive a gift certificate for a book, CD, or DVD of his choice for sending in a comment we printed.
I'll report further on this story when I'm able to find more information on the policies and techniques behind Windows Update's silent patches. Send me your tips on this subject via the Windows Secrets contact page.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.
Bump for later
Tough call. Here’s why.
Let’s say these were not computers, but stereos. I’m an idiot who never keeps my stereo up to date, and hackers are turning my stereo up all hours of the night at full blast - playing Britney Spears new song. As my neighbors, you would hate me.
At some point, to keep the peace, it might be advantageous to slip something into my stereo that either a) keeps the hackers from playing Britney Spears music at high volume at their whim or b) failing that, turning the volume all the way down so no one else suffers due to my stupidity.
Now, I would certainly be angry for you breaking into my stereo, especially since you, the builder of my stereo, did such a bang-up job on it in the first place that all of these fixes are required and especially since some of your fixes have been known to destroy cds (data and programs), but ultimately, much suffering would be abated.
Also, we know the reason this is being done is so George Bush can read your hard drive. ;-)
Lovely.
Some may argue that Windows Update is not a mission-critical part of the application, but this is a horrible precedent.
Microsoft: All your computer are belong to us.
None on mine.
Love my Apple Mac Pro.
Aha! That’s what happened!
I was wondering why it paused during shutdown to install files.
I have Windows Update blocked by my firewall, it has to ask permission to contact MS, which I won’t allow unless I want a new update, which I don’t...;)
LOL!
Can anybody tell me about Linux? Microsoft is starting to bother me, though they haven’t done anything personally to my computer yet.
FYI ;o)
BUMP!
“We need the “givernment” to control all computer operating systems and network access so that the citizens can safely read the news we feel is safe for them to consume on the Internet. As such, we will be federalizing Microsoft and all internet content and service providers immediately.”
- President Hillary Rotten Clinton. April 2011
There are problems in every direction. Windows users who don’t update their machines are a security problem to others as well as themselves, which is one of the primary reasons Microsoft has moved in this direction. On the other hand, it’s wrong in principle for them to do stealth updates without informing users. And it should rightly worry ITs of large corporations, who rely on careful testing of updates on mission critical computer systems.
I leave windows update turned on on my various computers, because I can only occasionally clean up all the laptops that my kids use, and I find that I can’t always rely on them to do manual updates and cleanups. I do the same on my computer because although I almost always update it manually on Microsoft Tuesdays, I want it to update if I am off on vacation and the kids are home using it. There are problems any way you slice it.
The business with svchost.exe is something I have noticed over the past few years. You can see it if you open the task manager and click the processes tab. It sometimes ties up all of the computer’s memory, to the point where there is no room left for anything else to operate. When and why it does this seems unpredictable. I haven’t been bothered so much by it recently, but it’s still noticeable on occasion, if not as bad as it was.
There's plenty of information on the web about Linux.
Start with these:
There are various "distributions" of Linux which vary in focus and features. The two above, Ubuntu and Mandriva, are very polished and complete desktop distributions. You can download CD or DVD image files (.ISO) for free, which you can then burn onto your own disc(s).
Depending on your hardware and needs, Linux has a very good chance of doing everything you need to do on your PC for free.
That you know of...
Is there a difference between Ubuntu Linux and a regular Linux? Or am I just babbling?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.