Silicon neuron
http://windowssecrets.com/comp/070913/#story1
By Scott Dunn
Microsoft has begun patching files on Windows XP and Vista without users'
knowledge, even when the users have turned off auto-updates.
Many companies require testing of patches before they are widely installed,
and businesses in this situation are objecting to the stealth patching.
Files changed with no notice to users
In recent days, Windows Update (WU) started altering files on users' systems
without displaying any dialog box to request permission. The only files that
have been reportedly altered to date are nine small executables on XP and
nine on Vista that are used by WU itself. Microsoft is patching these files
silently, even if auto-updates have been disabled on a particular PC.
It's surprising that these files can be changed without the user's
knowledge. The Automatic Updates dialog box in the Control Panel can be set
to prevent updates from being installed automatically. However, with
Microsoft's latest stealth move, updates to the WU executables seem to be
installed regardless of the settings - without notifying users.
When users launch Windows Update, Microsoft's online service can check the
version of its executables on the PC and update them if necessary. What's
unusual is that people are reporting changes in these files although WU
wasn't authorized to install anything.
This isn't the first time Microsoft has pushed updates out to users who
prefer to test and install their updates manually. Not long ago, another
Windows component, svchost.exe, was causing problems with Windows Update, as
last reported on June 21 in the Windows Secrets Newsletter. In that case,
however, the Windows Update site notified users that updated software had to
be installed before the patching process could proceed. This time, such a
notice never appears.
For users who elect not to have updates installed automatically, the issue
of consent is crucial. Microsoft has apparently decided, however, that it
doesn't need permission to patch Windows Update files, even if you've set
your preferences to require it.
Microsoft provides no tech information - yet
To make matters even stranger, a search on Microsoft's Web site reveals no
information at all on the stealth updates. Let's say you wished to
voluntarily download and install the new WU executable files when you were,
for example, reinstalling a system. You'd be hard-pressed to find the
updated files in order to download them. At this writing, you either get a
stealth install or nothing.
A few Web forums have already started to discuss the updated files, which
bear the version number 7.0.6000.381. The only explanation found at
Microsoft's site comes from a user identified as Dean-Dean on a Microsoft
Communities forum. In reply to a question, he states:
"Windows Update Software 7.0.6000.381 is an update to Windows Update itself.
It is an update for both Windows XP and Windows Vista. Unless the update is
installed, Windows Update won't work, at least in terms of searching for
further updates. Normal use of Windows Update, in other words, is blocked
until this update is installed."
Windows Secrets contributing editor Susan Bradley contacted Microsoft
Partner Support about the update and received this short reply:
"7.0.6000.381 is a consumer only release that addresses some specific issues
found after .374 was released. It will not be available via WSUS [Windows
Server Update Services]. A standalone installer and the redist will be
available soon, I will keep an eye on it and notify you when it is
available."
Unfortunately, this reply does not explain why the stealth patching began
with so little information provided to customers. Nor does it provide any
details on the "specific issues" that the update supposedly addresses.
System logs confirm stealth installs
In his forum post, Dean-Dean names several files that are changed on XP and
Vista. The patching process updates several Windows\System32 executables
(with the extensions .exe, .dll, and .cpl) to version 7.0.6000.381,
according to the post.
In Vista, the following files are updated:
1. wuapi.dll
2. wuapp.exe
3. wuauclt.exe
4. wuaueng.dll
5. wucltux.dll
6. wudriver.dll
7. wups.dll
8. wups2.dll
9. wuwebv.dll
In XP, the following files are updated:
1. cdm.dll
2. wuapi.dll
3. wuauclt.exe
4. wuaucpl.cpl
5. wuaueng.dll
6. wucltui.dll
7. wups.dll
8. wups2.dll
9. wuweb.dll
These files are by no means viruses, and Microsoft appears to have no
malicious intent in patching them. However, writing files to a user's PC
without notice (when auto-updating has been turned off) is behavior that's
usually associated with hacker Web sites. The question being raised in
discussion forums is, "Why is Microsoft operating in this way?"
How to check which version your PC has
If a system has been patched in the past few months, the nine executables in
Windows\System32 will either show an earlier version number, 7.0.6000.374,
or the stealth patch: 7.0.6000.381. (The version numbers can be seen by
right-clicking a file and choosing Properties. In XP, click the Version tab
and then select File Version. In Vista, click the Details tab.)
In addition, PCs that received the update will have new executables in
subfolders named 7.0.6000.381 under the following folders:
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll
Users can also verify whether patching occurred by checking Windows' Event
Log:
Step 1. In XP, click Start, Run.
Step 2. Type eventvwr.msc and press Enter.
Step 3. In the tree pane on the left, select System.
Step 4. The right pane displays events and several details about them. Event
types such as "Installation" are labeled in the Category column. "Windows
Update Agent" is the event typically listed in the Source column for system
patches.
On systems that were checked recently by Windows Secrets readers, the Event
Log shows two installation events on Aug. 24. The files were stealth-updated
in the early morning hours. (The time stamp will vary, of course, on
machines that received the patch on other dates.)
To investigate further, you can open the Event Log's properties for each
event. Normally, when a Windows update event occurs, the properties dialog
box shows an associated KB number, enabling you to find more information at
Microsoft's Web site. Mysteriously, no KB number is given for the WU updates
that began in August. The description merely reads, "Installation
Successful: Windows successfully installed the following update: Automatic
Updates."
No need to roll back the updated files
Again, it's important to note that there's nothing harmful about the updated
files themselves. There are no reports of software conflicts and no reason
to remove the files (which WU apparently needs in order to access the latest
patches). The only concern is the mechanism Microsoft is using to perform
its patching, and how this mechanism might be used by the software giant in
the future.
I'd like to thank reader Angus Scott-Fleming for his help in researching
this topic. He recommends that advanced Windows users monitor changes to
their systems' Registry settings via a free program by Olivier Lombart
called Tiny Watcher. Scott-Fleming will receive a gift certificate for a
book, CD, or DVD of his choice for sending in a comment we printed.
I'll report further on this story when I'm able to find more information on
the policies and techniques behind Windows Update's silent patches. Send me
your tips on this subject via the Windows Secrets contact page.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also
a contributing editor of PC World Magazine, where he has written a monthly
column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit)
with Jesse Berst and Charles Bermant.
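The checks in "How to check which version your PC has" can be scripted so that many machines are audited the same way. The following is an added example, not part of the article or any Microsoft tooling; it assumes Windows PowerShell (for `Get-EventLog`), and the variable names are illustrative. File names, version numbers, folder paths and the event source are the ones given in the article.

```powershell
# Added example: audit the Windows Update client files named in the article.
$sys32 = Join-Path $env:SystemRoot 'System32'

# Union of the XP and Vista file lists from the article.
$wuFiles = 'cdm.dll','wuapi.dll','wuapp.exe','wuauclt.exe','wuaucpl.cpl',
           'wuaueng.dll','wucltui.dll','wucltux.dll','wudriver.dll',
           'wups.dll','wups2.dll','wuweb.dll','wuwebv.dll'

$previous = [version]'7.0.6000.374'   # earlier release per the article
$silent   = [version]'7.0.6000.381'   # silently installed release per the article

$report = foreach ($name in $wuFiles) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }   # file belongs to the other OS
    $item = Get-Item -LiteralPath $path
    $vi   = $item.VersionInfo
    # Build the version from its numeric parts; the FileVersion string can carry extra text.
    $ver  = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                           $vi.FileBuildPart, $vi.FilePrivatePart)
    if     ($ver -eq $silent)   { $state = 'updated to .381' }
    elseif ($ver -eq $previous) { $state = 'still at .374' }
    elseif ($ver -lt $previous) { $state = 'older than .374' }
    else                        { $state = 'newer than .381' }
    New-Object psobject -Property @{
        File = $name; Version = $ver; State = $state; LastWrite = $item.LastWriteTime
    }
}

# Staging subfolders the article says appear on updated PCs.
$staged = foreach ($name in 'wups.dll','wups2.dll') {
    $dir = Join-Path $sys32 "SoftwareDistribution\Setup\ServiceStartup\$name\7.0.6000.381"
    if (Test-Path -LiteralPath $dir) { $dir }
}

# Installation events from the source named in the article's XP steps; other
# Windows versions may log under a different source name (assumption to verify).
$events = Get-EventLog -LogName System -Source 'Windows Update Agent' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Installation Successful*' } |
    Select-Object TimeGenerated, EventID,
        @{ Name = 'HasKB'; Expression = { $_.Message -match 'KB\d+' } }, Message

$report | Select-Object File, Version, State, LastWrite | Format-Table -AutoSize
"Staging folders found: $(@($staged).Count)"
# Events with no KB number match the unexplained installs the article describes.
$events | Where-Object { -not $_.HasKB } | Format-List TimeGenerated, EventID, Message
```

Comparing the `LastWrite` column with the time of any installation event that has no KB number shows whether the files changed at the moment the log recorded the update.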