Free Republic

Microsoft updates Windows without users' consent
Windows Secrets | 13 September 2007 | Scott Dunn

Posted on 09/13/2007 8:40:04 AM PDT by ShadowAce

Microsoft has begun patching files on Windows XP and Vista without users' knowledge, even when the users have turned off auto-updates.

Many companies require testing of patches before they are widely installed, and businesses in this situation are objecting to the stealth patching.

Files changed with no notice to users
In recent days, Windows Update (WU) started altering files on users' systems without displaying any dialog box to request permission. The only files that have been reportedly altered to date are nine small executables on XP and nine on Vista that are used by WU itself. Microsoft is patching these files silently, even if auto-updates have been disabled on a particular PC.

It's surprising that these files can be changed without the user's knowledge. The Automatic Updates dialog box in the Control Panel can be set to prevent updates from being installed automatically. However, with Microsoft's latest stealth move, updates to the WU executables seem to be installed regardless of the settings — without notifying users.

When users launch Windows Update, Microsoft's online service can check the version of its executables on the PC and update them if necessary. What's unusual is that people are reporting changes in these files although WU wasn't authorized to install anything.

This isn't the first time Microsoft has pushed updates out to users who prefer to test and install their updates manually. Not long ago, another Windows component, svchost.exe, was causing problems with Windows Update, as last reported on June 21 in the Windows Secrets Newsletter. In that case, however, the Windows Update site notified users that updated software had to be installed before the patching process could proceed. This time, such a notice never appears.

For users who elect not to have updates installed automatically, the issue of consent is crucial. Microsoft has apparently decided, however, that it doesn't need permission to patch Windows Update files, even if you've set your preferences to require it.

Microsoft provides no tech information — yet
To make matters even stranger, a search on Microsoft's Web site reveals no information at all on the stealth updates. Let's say you wished to voluntarily download and install the new WU executable files when you were, for example, reinstalling a system. You'd be hard-pressed to find the updated files in order to download them. At this writing, you either get a stealth install or nothing.

A few Web forums have already started to discuss the updated files, which bear the version number 7.0.6000.381. The only explanation found at Microsoft's site comes from a user identified as Dean-Dean on a Microsoft Communities forum. In reply to a question, he states:

"Windows Update Software 7.0.6000.381 is an update to Windows Update itself. It is an update for both Windows XP and Windows Vista. Unless the update is installed, Windows Update won't work, at least in terms of searching for further updates. Normal use of Windows Update, in other words, is blocked until this update is installed."

Windows Secrets contributing editor Susan Bradley contacted Microsoft Partner Support about the update and received this short reply:

"7.0.6000.381 is a consumer only release that addresses some specific issues found after .374 was released. It will not be available via WSUS [Windows Server Update Services]. A standalone installer and the redist will be available soon, I will keep an eye on it and notify you when it is available."

Unfortunately, this reply does not explain why the stealth patching began with so little information provided to customers. Nor does it provide any details on the "specific issues" that the update supposedly addresses.

System logs confirm stealth installs
In his forum post, Dean-Dean names several files that are changed on XP and Vista. The patching process updates several Windows\System32 executables (with the extensions .exe, .dll, and .cpl) to version 7.0.6000.381, according to the post.

In Vista, the following files are updated:
1. wuapi.dll
2. wuapp.exe
3. wuauclt.exe
4. wuaueng.dll
5. wucltux.dll
6. wudriver.dll
7. wups.dll
8. wups2.dll
9. wuwebv.dll

In XP, the following files are updated:
1. cdm.dll
2. wuapi.dll
3. wuauclt.exe
4. wuaucpl.cpl
5. wuaueng.dll
6. wucltui.dll
7. wups.dll
8. wups2.dll
9. wuweb.dll

These files are by no means viruses, and Microsoft appears to have no malicious intent in patching them. However, writing files to a user's PC without notice (when auto-updating has been turned off) is behavior that's usually associated with hacker Web sites. The question being raised in discussion forums is, "Why is Microsoft operating in this way?"

How to check which version your PC has
If a system has been patched in the past few months, the nine executables in Windows\System32 will either show an earlier version number, 7.0.6000.374, or the stealth patch: 7.0.6000.381. (The version numbers can be seen by right-clicking a file and choosing Properties. In XP, click the Version tab and then select File Version. In Vista, click the Details tab.)

In addition, PCs that received the update will have new executables in subfolders named 7.0.6000.381 under the following folders:

c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll

Users can also verify whether patching occurred by checking Windows' Event Log:

Step 1. In XP, click Start, Run.

Step 2. Type eventvwr.msc and press Enter.

Step 3. In the tree pane on the left, select System.

Step 4. The right pane displays events and several details about them. Event types such as "Installation" are labeled in the Category column. "Windows Update Agent" is the event typically listed in the Source column for system patches.

On systems that were checked recently by Windows Secrets readers, the Event Log shows two installation events on Aug. 24. The files were stealth-updated in the early morning hours. (The time stamp will vary, of course, on machines that received the patch on other dates.)

To investigate further, you can open the Event Log's properties for each event. Normally, when a Windows update event occurs, the properties dialog box shows an associated KB number, enabling you to find more information at Microsoft's Web site. Mysteriously, no KB number is given for the WU updates that began in August. The description merely reads, "Installation Successful: Windows successfully installed the following update: Automatic Updates."

No need to roll back the updated files
Again, it's important to note that there's nothing harmful about the updated files themselves. There are no reports of software conflicts and no reason to remove the files (which WU apparently needs in order to access the latest patches). The only concern is the mechanism Microsoft is using to perform its patching, and how this mechanism might be used by the software giant in the future.

I'd like to thank reader Angus Scott-Fleming for his help in researching this topic. He recommends that advanced Windows users monitor changes to their systems' Registry settings via a free program by Olivier Lombart called Tiny Watcher. Scott-Fleming will receive a gift certificate for a book, CD, or DVD of his choice for sending in a comment we printed.

I'll report further on this story when I'm able to find more information on the policies and techniques behind Windows Update's silent patches. Send me your tips on this subject via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.


TOPICS: Business/Economy; Technical
KEYWORDS: again; microsoft; windows
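
The three checks from "How to check which version your PC has" in the article above (file versions, the 7.0.6000.381 subfolders, and the Event Log entries without a KB number), gathered into one script. This is an added example, not part of the article or the thread; it assumes Windows PowerShell 2.0 or later, and the variable and function names are illustrative.

```powershell
# Added example (not from the article). Requires Windows PowerShell 2.0 or later.
# File names, version numbers, folder paths and the event source are the ones
# the article gives; variable and function names are illustrative.

$previous = [version]'7.0.6000.374'   # version before the silent update
$silent   = [version]'7.0.6000.381'   # version installed silently

# Union of the article's XP and Vista file lists.
$wuFiles = 'cdm.dll', 'wuapi.dll', 'wuapp.exe', 'wuauclt.exe', 'wuaucpl.cpl',
           'wuaueng.dll', 'wucltui.dll', 'wucltux.dll', 'wudriver.dll',
           'wups.dll', 'wups2.dll', 'wuweb.dll', 'wuwebv.dll'

function Get-WuVersionState([version]$Version) {
    if ($Version -eq $silent)   { return 'silent update (.381)' }
    if ($Version -eq $previous) { return 'previous (.374)' }
    if ($Version -lt $previous) { return 'older than .374' }
    if ($Version -gt $silent)   { return 'newer than .381' }
    return 'between .374 and .381'
}

# 1. File versions in System32.
$sys32 = Join-Path $env:SystemRoot 'System32'
$fileReport = foreach ($name in $wuFiles) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }   # file belongs to the other OS

    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    # Use the numeric parts: the FileVersion string may carry a trailing build label.
    $parts = $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
    $ver = New-Object -TypeName System.Version -ArgumentList $parts

    New-Object PSObject -Property @{
        File    = $name
        Version = $ver
        State   = Get-WuVersionState $ver
    }
}

# 2. The 7.0.6000.381 subfolders the article says updated PCs contain.
$setupFolders = 'c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll',
                'c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll'
$folderReport = foreach ($folder in $setupFolders) {
    $sub = Join-Path $folder $silent.ToString()
    New-Object PSObject -Property @{ Folder = $sub; Present = (Test-Path -LiteralPath $sub) }
}

# 3. System log: successful installs from "Windows Update Agent" whose text has no KB number.
$installs = Get-EventLog -LogName System -Source 'Windows Update Agent' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like 'Installation Successful*' -and $_.Message -notmatch 'KB\d+' } |
    Select-Object TimeGenerated, EventID, Message

$fileReport   | Sort-Object File | Format-Table File, Version, State -AutoSize
$folderReport | Format-Table Present, Folder -AutoSize
$installs     | Format-List
```

The event source name is the one the article's steps give for XP; on a system that logs Windows Update under a different source, the third check returns nothing.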
To: N3WBI3

I guess

Side note: I like your tagline.


61 posted on 09/13/2007 11:36:24 AM PDT by wastedyears (George Orwell was a clairvoyant.)
[ Post Reply | Private Reply | To 60 | View Replies]

To: TChris
The two above, Ubuntu and Mandriva, are very polished

How quick are they? As quick as what....Vista/XP/2000/95 or what?

62 posted on 09/13/2007 11:46:16 AM PDT by litehaus (A memory tooooo long)
[ Post Reply | Private Reply | To 18 | View Replies]

To: ShadowAce

My God!

I am so glad I have a Mac!


63 posted on 09/13/2007 11:51:00 AM PDT by RachelFaith (Doing NOTHING... about the illegals already here IS Amnesty !!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ScreamingFist
Spybot Tea Timer notifies me every time MS tries to redirect to their site. I've also installed xp-antispy on my 3 XP boxes. Now, if someone could explain a ram partition and how to locate all the index.dat files there (rather than on the HD), so they are deleted upon shut down, I'd be real happy.
64 posted on 09/13/2007 12:01:15 PM PDT by kitchen (Hey, Pericles. What are the three things a ruler must know?)
[ Post Reply | Private Reply | To 39 | View Replies]

To: wastedyears
Well you can definitely try GAIM which I think comes on Ubuntu, that is an AOL chat agent and AOL offers a web portal to check your AOL mail.

There is also this thread which explains how to use Evolution (the email client on Ubuntu) to connect to AOL's mail servers.

65 posted on 09/13/2007 12:01:27 PM PDT by N3WBI3 (Light travels faster than sound. This is why some people appear bright until you hear them speak....)
[ Post Reply | Private Reply | To 61 | View Replies]

To: N3WBI3

Thanks


66 posted on 09/13/2007 12:02:41 PM PDT by wastedyears (George Orwell was a clairvoyant.)
[ Post Reply | Private Reply | To 65 | View Replies]

To: wastedyears

No problem, and if you have any more questions feel free to freep mail me..


67 posted on 09/13/2007 12:08:04 PM PDT by N3WBI3 (Light travels faster than sound. This is why some people appear bright until you hear them speak....)
[ Post Reply | Private Reply | To 66 | View Replies]

To: N3WBI3
What entity does due process on the internet? I'm not (intentionally, anyway) being a jerk, but I can't think of anyone you could appeal to.

Yes, and any intrusion on that property 'for the public good' sure as hell better not be by a private corporation and it better not be done without due process.

68 posted on 09/13/2007 12:20:24 PM PDT by Salo
[ Post Reply | Private Reply | To 59 | View Replies]

To: Salo
What entity does due process on the internet? I'm not (intentionally, anyway) being a jerk, but I can't think of anyone you could appeal to.

Due process would be the jurisdiction over the person. Who do you go to if you're being spammed? Who do you go to if you've been hacked? Here in the US that might be the FBI, local authorities, ....

If things were so bad that MS absolutely positively had to push out their updates they could go to the govt and say 'We need to push this, it's vital to the safety of internet users and the government' they could, perhaps, come to an arrangement. While there is no process in place now that does *not* allow MS to play the cowboy and invade my PC.

69 posted on 09/13/2007 12:35:58 PM PDT by N3WBI3 (Light travels faster than sound. This is why some people appear bright until you hear them speak....)
[ Post Reply | Private Reply | To 68 | View Replies]

To: ShadowAce

I’m not going to judge this issue. Anyone disturbed by it has options, including installing a firewall that blocks this activity. Every magazine I read recommends installing a two-way firewall, though none that I read recommend turning off updates. If I were a paranoid corporate user, I would certainly use a firewall and manage the updates manually.

I will say, however, that I have automatic updates turned on for several dozen machines for several years and have never seen a virus or any other malware, nor any of the blue screens and misbehavior that others claim come with the MS territory.

I’m not sure I have much sympathy with people who do not keep their systems up to date.


70 posted on 09/13/2007 12:46:29 PM PDT by js1138
[ Post Reply | Private Reply | To 1 | View Replies]

To: N3WBI3

Like I said, IMO, a tough call - people like you are not a problem. Other people really are a problem, and it may be that we’re coming to a tipping point. I don’t know if there’s a politically good way to handle something like this, but this may be a technical band aid.


71 posted on 09/13/2007 1:04:23 PM PDT by Salo
[ Post Reply | Private Reply | To 69 | View Replies]

To: Salo
Like I said, IMO, a tough call

I can see why you might say that but it's not a tough call to let a company secretly invade people's property, even if it's for the greater good.

Other people really are a problem, and it may be that we’re coming to a tipping point.

Maybe a structure needs to be put into place where the government can work with software providers in such a manner that would not totally allow them to do things in the background.

If the government asked them to do this in private it's even worse! I would understand if it was a (computer will explode Friday morning if you don't do this) but after the fact they gotta let people know! What the heck does the option to turn off automatic updates mean if it is just remotely overridden (and that, my friend, is the bigger question!).

Now I have to go; Bank of America wants me to reverify my account information and I have some dealings with a rather nice deposed young prince in Nigeria.

72 posted on 09/13/2007 1:59:56 PM PDT by N3WBI3 (Light travels faster than sound. This is why some people appear bright until you hear them speak....)
[ Post Reply | Private Reply | To 71 | View Replies]

To: Salo
I would submit to you that Apple's OS X is fundamentally more sound than any Windows variant

Before the next statement, I just want to say that I agree wholeheartedly.

and the need for Apple to resort to MS tactics isn't as critical.

Wrong. The difference is that Apple can't do it AND get away with it. They're too small with too many people buying their products who actually have enough knowledge to be ticked about something like this. Microsoft is huge. We all know what will happen here. Microsoft will lose a handful of customers and that's about it. Most of the world, home users especially (who don't know their mouse from their taskbar), will continue on their merry way. When Apple was dominant, oh how long ago, they were quite the locked down little party. But times have changed and they just can't do what they used to.

73 posted on 09/13/2007 5:00:33 PM PDT by Señor Zorro ("The ability to speak does not make you intelligent"--Qui-Gon Jinn)
[ Post Reply | Private Reply | To 57 | View Replies]

To: Joe Brower; hiredhand

Hmmmmm... Gives ya a little more to think about now that the Chi-Coms are now making computers, actually software for MS.

It’s only a matter of time before we are totally exposed I reckon...

hiredhand, I understand what you are saying. The unfortunate situation on my end is, I am totally invested in MS. All the software programs I would have to replace would cost me a fortune... ie, Visual Studio—a programming suite w/an IDE (Integrated Development Environment) itself costs about 5K. You know what I got going over there, and this VS is a nice little tool to have. Any programmer in C, C++, C# or anything under that umbrella uses VS.

Basically, it would take me ten years to convert...


74 posted on 09/13/2007 5:22:34 PM PDT by sit-rep ( http://trulineint.com/latestposts.asp)
[ Post Reply | Private Reply | To 3 | View Replies]

To: sit-rep; Joe Brower
Now, now! :-) I've seen your work and you are TALENTED! I don't think it would take all that long for you to "wean" yourself from MS. Working in a Unix/Linux environment is just a "different" way of doing things. If you already know any flavor of "C", then you're ahead of the curve already!

I don't do a terrible lot of "C" programming. One of my kids used to and he said that gcc (ships with most distros of Linux) would compile "ANSI C", C+, C++.

What galls me is that MS "expects" us to pay 5K for what's FREE in the open source world. Yes, it's a different philosophy, but it's a bit like the difference between the mainframe programming "world", and the Unix programming "world".

For the better part of five years, I pulled in a big salary developing and implementing network software solutions through custom apps written in Perl, Expect, TCL/Tk, and shell....ALL free...and about 99.9% on a Linux or FreeBSD system. Only once or twice did I have to use a Windows box. Even now, I work for a large state agency, and we use a LOT of Linux. In fact, our WAN management and alerting system runs on Linux, as does our SMTP server, and DNS servers....and several internal servers that do "boring" (but essential) functions. :-)

I think you'd do JUST fine with it! Just grab a distribution (I personally like Debian) and start with an older, unused PC....and keep in touch with people like me so we can get you unstuck when you get stuck. :-) That's how we all did it. :-)

As you've already pointed out, the ChiComs are a valid concern. But historically, it's been very difficult to insert malicious code into the source code for open source operating systems because there are SO many people who scrutinize it. MS has a very small percentage of these people performing "due diligence", and I get the definite impression that they're just not looking out for my "best interest". :-)
75 posted on 09/13/2007 5:57:46 PM PDT by hiredhand (My kitty disappeared. NOT the rifle!)
[ Post Reply | Private Reply | To 74 | View Replies]

To: sit-rep
Any programmer in C, C++, C# or anything under that umbrella uses VS.

I'm not advocating anything here--but check out Eclipse and Quanta Plus in the Linux environment. They are both IDEs that run under Linux.

The best way to check them out is to (I haven't done this exactly this way yet), boot up a Live CD (Like Fedora 7 Live). It should have both of those in there already. If it doesn't, then find a machine you can install Fedora on. I know Fedora carries both of those IDEs (and a couple more, I think).

76 posted on 09/14/2007 8:24:50 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 74 | View Replies]

To: N3WBI3; wastedyears
Well you can definitely try GAIM which I think comes on Ubuntu, that is an AOL chat agent and AOL offers a web portal to check your AOL mail.

I believe GAIM is now called Pidgin.

As for email, Thunderbird is a good choice as well.


77 posted on 09/14/2007 10:14:09 AM PDT by zeugma (If I eat right, don't smoke and exercise, I might live long enough to see the last Baby Boomer die.)
[ Post Reply | Private Reply | To 65 | View Replies]

To: hiredhand; sit-rep; Joe Brower

Keep me in the loop, I'm more of a systems guy but I love messing around with Perl, Bash, TK, PHP..


78 posted on 09/14/2007 10:31:12 AM PDT by N3WBI3 (Light travels faster than sound. This is why some people appear bright until you hear them speak....)
[ Post Reply | Private Reply | To 75 | View Replies]

To: wastedyears
Can anybody tell me about Linux? Microsoft is starting to bother me, though they haven’t done anything personally to my computer yet.

I use Kubuntu 7.04 Linux at home and love it. (Some say Ubuntu is more Mac-like, Kubuntu Windows-like.)

Let's start with the downsides:
1) Help is frequently poor, often "expert-friendly." This is improving and there are online forums for assistance -- I have often found answers there.
2) Drivers for some devices are not available, buggy, or require "experts" to install (mostly due to steps its writer assumed the reader would know). The last is helped by checking the forums again, the middle tends to resolve itself in time: the flaky Kubuntu 6.06 driver for my Lexmark printer is not available in 7.04; switched to a supported HP and it all works well!
3) Software. There's not a lot being sold for Linux -- and your Windows software might or might not run in a Windows emulator.
4) System tools. Kubuntu 7.04 has some excellent tools, but their usage is not always clear (see #1). This is improving dramatically.

Upsides:

1) Software! There's a LOT available for free, and a package manager (think Add/Remove Software) to manage what you've installed or want to uninstall. I use a graphics image program called The GIMP -- on Windows and Linux. World's least intuitive UI (I had to buy a book), but I am told as powerful as Photo$hop.

I'm not expert but I have played with a lot of different distributions over the past 10 years; Linux has come a long ways and just seems to be getting better.

79 posted on 09/14/2007 1:08:29 PM PDT by sionnsar (trad-anglican.faithweb.com |Iran Azadi| 5yst3m 0wn3d - it's N0t Y0ur5 (SONY) | UN: Useless Nations)
[ Post Reply | Private Reply | To 12 | View Replies]

To: ShadowAce
Update to this thread. Probably needs a new thread of its own...

http://windowssecrets.com/articlePrint.php?uaid=070927-03

Stealth Windows update prevents XP repair

Scott Dunn

A silent update that Microsoft deployed widely in July and August is preventing the "repair" feature of Windows XP from completing successfully.

Ever since the Redmond company's recent download of new support files for Windows Update, users of XP's repair function have been unable to install the latest 80 patches from Microsoft.

Repaired installations of XP can't be updated

Accounts of conflicts with XP's repair option came to our attention after Microsoft's "silent install" of Windows Update (WU) executable files, known as version 7.0.600.381, was reported in the Sept. 13 and 20 issues of the Windows Secrets Newsletter.

The trouble occurs when users reinstall XP's system files using the repair capability found on genuine XP CD-ROMs. (The feature is not present on "Restore CDs.") The repair option, which is typically employed when XP for some reason becomes unbootable, rolls many aspects of XP back to a pristine state. It wipes out many updates and patches and sets Internet Explorer back to the version that originally shipped with the operating system.

Normally, users who repair XP can easily download and install the latest patches, using the Automatic Updates control panel or navigating directly to Microsoft's Windows Update site.

However, after using the repair option from an XP CD-ROM, Windows Update now downloads and installs the new 7.0.600.381 executable files. Some WU executables aren't registered with the operating system, preventing Windows Update from working as intended. This, in turn, prevents Microsoft's 80 latest patches from installing — even if the patches successfully downloaded to the PC.

I was able to reproduce and confirm the problem on a test machine. When WU tries to download the most recent patches to a "repaired" XP machine, Microsoft's Web site simply states: "A problem on your computer is preventing the updates from being downloaded or installed." (See Figure 1.)

[Image: Windows Update error]
Figure 1. After a repair install of XP, which resets the operating system to its original state, Windows Update can't install the 80 most-recent patches from Microsoft.

Most ordinary Windows users might never attempt a repair install, but the problem will affect many administrators who must repair Windows frequently. Anyone who runs XP's repair function will find that isolating the cause of the failed updates is not a simple matter.

Beginning in July, it is not possible for Windows users to install updates without first receiving the 7.0.6000.381 version of nine Windows Update support files. (See my Sept. 13 story for details.) If Automatic Updates is turned on, the .381 update will be installed automatically. If AU is not turned on, you'll be prompted to let Windows Update upgrade itself before you can install any other updates. Consequently, users are forced to get the silent update before they can attempt to install Microsoft's latest security patches.

The problem apparently arises because seven of the DLLs (dynamic link library files) used by WU fail to be registered with Windows. If files of the same name had previously been registered — as happened when Windows Update upgraded itself in the past — the new DLL files are registered, too, and no problem occurs. On a "repaired" copy of XP, however, no such registration has occurred, and failing to register the new DLLs costs Windows Update the ability to install any patches.

Registering DLL files is normally the role of an installer program. Unlike previous upgrades to WU, however, Microsoft has published no link to an installer or a downloadable version of 7.0.6000.381. Strangely, there's no Knowledge Base article at all explaining the new version. The lack of a KB article (and the links that usually appear therein) makes it impossible for admins to run an installer to see if it would correct the registration problem.

One possible fix is to install an older version of the Windows Update files (downloadable from Step 2 of Microsoft Knowledge Base article 927891) over the newer version. This involves launching the installer from a command line using a switch known as /wuforce.

That corrects the registration problem, although even in this case you must still accept the .381 stealth update (again) before you can get any updates. The fact that the /wuforce procedure solves the problem suggests that the installer for .381 is the source of the bug.

Manually registering files solves the problem

If you find that Windows Update refuses to install most patches, you can register its missing DLLs yourself. This can be accomplished by manually entering seven commands (shown in Step 2, below) at a command prompt. If you need to run the fix on multiple machines, it's easiest to use a batch file, as Steps 1 through 5 explain:

Step 1. Open Notepad (or any text editor).

Step 2. Copy and paste the following command lines into the Notepad window (the /s switch runs the commands silently, freeing you from having to press Enter after each line):

regsvr32 /s wuapi.dll
regsvr32 /s wuaueng1.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wucltui.dll
regsvr32 /s wups2.dll
regsvr32 /s wups.dll
regsvr32 /s wuweb.dll


Step 3. Save the file to your desktop, using a .bat or .cmd extension.

Step 4. Double-click the icon of the .bat or .cmd file.

Step 5. A command window will open, run the commands, and then close.

The next time you visit the Windows Update site, you should not have any problem installing the latest patches.

In my articles in the last two weeks on the silent installation of the Windows Update support files, I stated that the stealthy upgrade seemed harmless. Now that we know that version .381 prevents a repaired instance of XP from getting critical patches, "harmless" no longer describes the situation. The crippling of Windows Update illustrates why many computer professionals demand to review updates for software conflicts before widely installing upgrades.

"I understand the need to update the infrastructure for Windows Update," says Gordon Pegue, systems administrator for Chavez Grieves Engineers, a structural engineering firm in Albuquerque, N.M. "But I think Microsoft dropped the ball a little bit communicating how the system works. Administrators should know these sorts of things, in case problems arise."

A Microsoft spokeswoman offered to provide an official response about the situation, but I received no reply by press time.

If you ever need to run the repair option on XP, first see the detailed description provided by the Michael Stevens Tech Web site.

I'd like to thank Windows Secrets contributing editor Susan Bradley for her help in bringing reports of this problem to light.

Have a tip about Windows? Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your comments via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the magazine's Here's How section.



80 posted on 09/27/2007 12:49:04 PM PDT by zeugma (Ubuntu - Linux for human beings)
[ Post Reply | Private Reply | To 1 | View Replies]
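
The batch file in Steps 1 through 5 of the article above runs regsvr32 with /s, so a registration that fails produces no message at all. The script below is an added example, not part of the article or the thread: it registers the same seven DLLs and reports each result. It assumes an elevated Windows PowerShell 2.0 or later prompt, and the variable names are illustrative.

```powershell
# Added example (not from the article). Run from an elevated Windows PowerShell 2.0+ prompt.
# The DLL list is the one in the article's Step 2; variable names are illustrative.

$dlls = 'wuapi.dll', 'wuaueng1.dll', 'wuaueng.dll', 'wucltui.dll',
        'wups2.dll', 'wups.dll', 'wuweb.dll'

$sys32 = Join-Path $env:SystemRoot 'System32'

$results = foreach ($dll in $dlls) {
    $path = Join-Path $sys32 $dll

    if (-not (Test-Path -LiteralPath $path)) {
        # Nothing to register; report it instead of letting regsvr32 fail silently.
        $status = 'missing'
        $code   = $null
    }
    else {
        # /s suppresses regsvr32's dialog boxes, so the exit code is the only feedback.
        $proc   = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/s', $path -Wait -PassThru
        $code   = $proc.ExitCode
        $status = if ($code -eq 0) { 'registered' } else { 'FAILED' }
    }

    New-Object PSObject -Property @{ Dll = $dll; Status = $status; ExitCode = $code }
}

$results | Format-Table Dll, Status, ExitCode -AutoSize

# Non-zero exit for the script as a whole if any DLL was missing or failed to register,
# so a deployment tool running this on many machines can see which ones need attention.
if ($results | Where-Object { $_.Status -ne 'registered' }) { exit 1 }
```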

