 | Microsoft updating files on computers '»www.computerworld.com/action/art···=hm_list'
Microsoft Corp. has started updating files on computers running Windows XP and Vista, even when users have explicitly disabled the operating systems' automatic update feature, researchers said today.
Scott Dunn, an editor at the "Windows Secrets" newsletter, said that nine files in XP and Vista -- but not the same files in each operating system -- have been changed by Windows Update, the Microsoft update mechanism, without displaying the usual notification or permission dialog box. The files, said Dunn, are related to the XP and Vista versions of Windows Update (WU) itself.
"We started hearing from readers that Windows was modifying files in the middle of the night, even when Windows Update was turned off," Dunn said today. Some machines' event logs pinpointed Aug. 24 as the date when the invisible updates began, but on one of Dunn's personal machines, the log showed the changes taking place this week. |
|
 redxii Premium,Mod join:2001-02-26 Sherwood, MI
| Seems one of my default setting XP SP2 virtual machines doesn't have the latest MU files and has AU disabled. I'll leave it on overnight logged in as an administrator to see if anything happens.
The last time people cried updates were installing automatically (KB912919) nothing happened, then again they also were saying that it didn't create a backup and that MS was attempting to cover things up.
Might be because I regularly use a non-admin account and by default AU won't let non-admins install or show anything. |
|
 angussf Premium join:2002-01-11 Tucson, AZ kudos:3 | reply to Everready I noticed this early in September and posted the following to several forums trying to track this down.
All
I'm running a little program called Tiny Watcher ("Tiny Watcher: keep your Windows clean" »www.donationcoders.com/kubicle/watcher/) that is a sort of poor-man's freeware HIDS (XP Pro SP2, IE6). Once a night I run it on a test system looking for stuff that has changed in critical areas, and recently it notified me that two files, wups.dll and wups2.dll, in the system32 directory had changed. I finally got around to investigating this and I found that even though I have Automatic Updates set to "Notify", this update was installed stealthily at 3:30 one morning.
I found a thread on the Microsoft Community groups which sort-of discusses this: Critical Update slipped in through the back door -- in Announcements »preview.tinyurl.com/39gsrr -- the full URL is a 281-character monster: »www.microsoft.com/communities/ne···81d9a960
Here's an excerpt:
------- Included Stuff Follows -------
"dean-dean" wrote:
> Hi Engel,
>
> Windows Update Software 7.0.6000.381 is an update to Windows Update
> itself. It is an update for both Windows XP and Windows Vista. Unless
> the update is installed, Windows Update won't work, at least in terms of
> searching for further updates. Normal use of Windows Update, in other
> words, is blocked until this update is installed.
>
> In Vista, it updates the following System32 files to version
> 7.0.6000.381:
>
> wucltux.dll
> wuauclt.exe
> wuaueng.dll
> wups2.dll
> wuapi.dll
> wudriver.dll
> wups.dll
> wuapp.exe
> wuwebv.dll
>
> In XP, it updates the following system32 files to version 7.0.6000.381:
>
> wuweb.dll
> wuaueng.dll
> wuapi.dll
> wucltui.dll
> wuaucpl.cpl
> cdm.dll
> wuauclt.exe
> wups2.dll
> wups.dll
>
> Hope this helps.
--------- Included Stuff Ends ---------
Well, it certainly appears that Microsoft is installing updates without permission or consent. I have Windows Update set to "Notify" (XP Pro SP2, IE6), and I run WU manually. The date-time stamp of the directory where wups.dll v7.0.6000.381 is loaded (C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\ for the curious) is 8/24/07. When I check "Installed Updates" on the WU site I see that I ran WU on 8/15 (for August's Black Tuesday) and again on 8/29 (for KB933360). I checked all of the updates that occurred after the 7/30 date-time stamp of wups.dll and wups2.dll, and none of them list either file in the "File Information" section for Windows XP.
Interestingly a search at microsoft.com for "wups.dll 7.0.6000.381" turns up NOTHING while a search for "wups.dll 7.0.6000.374" turns up a couple of hits, one of which is this KB article "When you use Automatic Updates to scan for updates or to apply updates to applications that use Windows Installer, you experience issues that involve the Svchost.exe process" »support.microsoft.com/default.aspx/kb/932494 ...
I checked my Event Viewer log for anything interesting on 8/24 and I found an entry at 3:34 AM where the Windows Update Agent installed _something_:
>> Installation Successful: Windows successfully installed the following update: Automatic Updates
All of the other "Windows Update Agent" Event-19 entries in the System Log include a KB number in the event listing:
>> Installation Successful: Windows successfully installed the following update: Update for Windows XP (KB933360)
I checked on other XP desktops I have handy, all of which are also set to "Notify" _AND_ all of which have non-Admin users and I see date-time stamps from 8/21 through 8/24 for the wups.dll install-directories %SYS32%\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\.
This update is particularly disturbing. I find it both curious and very annoying that Microsoft still hasn't learned not to sneak around behind people's backs.
I'm curious, does anyone running a WSUS server on their network also have this stealth update on any of their systems? Is this something that was also distributed through WSUS or is this just something that was installed by folks running WU directly from Microsoft?
TIA
Angus |
|
|
|
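The two checks angussf describes above (Event-19 "Windows Update Agent" entries that name no KB number, and Windows Update files sitting at version 7.0.6000.381), as an added example that is not part of the original thread. The tab-separated log layout, the sample rows and the file inventory are constructed for illustration.

```python
import re

# XP files the quoted "dean-dean" post lists as updated to 7.0.6000.381.
XP_WU_FILES = {"wuweb.dll", "wuaueng.dll", "wuapi.dll", "wucltui.dll",
               "wuaucpl.cpl", "cdm.dll", "wuauclt.exe", "wups2.dll", "wups.dll"}
UPDATED_VERSION = "7.0.6000.381"
PREFIX = "Windows successfully installed the following update:"
KB_RE = re.compile(r"\(KB\d+\)")

# Constructed sample: System log rows exported as tab-separated text
# (date, time, source, event ID, description). The layout is an assumption.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("8/24/2007", "3:30:12 AM", "Service Control Manager", "7036",
     "The Automatic Updates service entered the running state."),
    ("8/24/2007", "3:34:00 AM", "Windows Update Agent", "19",
     "Installation Successful: " + PREFIX + " Automatic Updates"),
    ("8/29/2007", "9:15:40 PM", "Windows Update Agent", "19",
     "Installation Successful: " + PREFIX + " Update for Windows XP (KB933360)"),
])

# Constructed inventory of file versions as read from system32.
SAMPLE_INVENTORY = {"wups.dll": "7.0.6000.381", "wups2.dll": "7.0.6000.381",
                    "wuapi.dll": "5.8.0.2469", "cdm.dll": "5.8.0.2469"}


def installs_without_kb(log_text):
    """Return (date, time, title) for Event 19 installs whose title names no KB."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip rows that do not match the assumed layout
        date, time, source, event_id, desc = fields
        if source != "Windows Update Agent" or event_id != "19":
            continue
        if PREFIX not in desc:
            continue
        title = desc.split(PREFIX, 1)[1].strip()
        if not KB_RE.search(title):
            hits.append((date, time, title))
    return hits


def files_at_updated_version(inventory):
    """Return the XP Windows Update files in {name: version} at 7.0.6000.381."""
    return sorted(name for name, ver in inventory.items()
                  if name.lower() in XP_WU_FILES and ver == UPDATED_VERSION)
```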
 AB Premium join:2006-04-04 Leesburg, VA kudos:3 2 edits | I never installed the last couple of versions of Microsoft Update software because I refuse to install WGA anymore. Therefore, no reason to visit the Microsoft Update site and therefore no reason to install updated Microsoft Update software. And I keep Auto Updates disabled.
I run XP SP2 Home. All of the versions I have from the files on that list are 5.8.0.2469, and date from last November (when I reinstalled the OS) or before.
Sometimes, being an obstinate SOB has its rewards. |
|
 | reply to angussf I have the original versions of all those files mentioned from my original WinXP installation, but then I have always updated WinXP manually by downloading the patch files. I guess Microsoft will not be invading my PC secretly. |
|
 dualsmp join:2001-08-25 Charlotte, NC 3 edits | I've always disabled Automatic Updates from Administrative Tools-->Services. When you disable Auto Update from the control panel, Auto Updates service actually still runs. Wonder if the covert update would work if you disabled Auto Updates from Services?
Anyways I actually run Win2k which apparently is not affected, but this little "behind the scenes" update to me is serious. What if in the future Redmond decides to push more covert "updates" or other "advantages" on to your PC without your consent? |
|
 | reply to Everready
I installed that update Aug. 23..... |
|
 dave Premium,MVM join:2000-05-04 not in ohio kudos:7 | reply to Everready Auto updates 'off' (but running). No changes detected on my system.
--- Guesswork: if you have 'notify' set, then Windows Update can't notify you about critical OS changes until you're running the current version of Windows Update. Therefore, it has to update Windows Update, and someone decided it wasn't necessary to ask to do so, since it's really part of the update delivery mechanism and not the actual OS being updated.
(I've noticed similar things when updating manually in the past - if there's a new Windows Update, you have to go through the palaver of updating Update before you can find out what you need to update). |
|
 Mele20 Premium join:2001-06-05 Hilo, HI kudos:4 | reply to AB
said by AB:
> I never installed the last couple of versions of Microsoft Update software because I refuse to install WGA anymore. Therefore, no reason to visit the Microsoft Update site and therefore no reason to install updated Microsoft Update software. And I keep Auto Updates disabled.
> I run XP SP2 Home. All of the versions I have from the files on that list are 5.8.0.2469, and date from last November (when I reinstalled the OS) or before.
> Sometimes, being an obstinate SOB has its rewards.
Well, we all know I'm an obstinate SOB and I too have all those files listed as version 5.8.0.2469 and most have dates back in 2004 with a couple being dated the day I first started this computer on Feb 1 2006 and promptly disabled autoupdates and BITS in Services. I agree that being an obstinate SOB has its rewards.
I don't think Microsoft should be doing this even on machines that have updating set to "notify" but if they ever come into a machine set up like mine, with autoupdating permanently disabled from day one, and force something like this...well, I'll see them in Hell.
»blogs.zdnet.com/hardware/?p=779 -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
 Greg_Z Premium join:2001-08-08 Springfield, IL | reply to Everready Just disabling Automatic Updates is not enough. You also have to turn off, or disable BITS. -- I threw out the map a long time ago. Now I follow my own direction! |
|
 1 edit | reply to Everready here is another thread where someone had some issues as a result of the files' being automatically updated:
»wuacuclt.exe
angussf, i think that "tiny watcher" program can come in handy, seeing that some malware, these days, is infecting "sys" files as a means of running at startup.. hopefully it will alert about any changed "sys" files.. |
|
 | reply to Everready If I were the least bit worried about Microsoft for any reason I wouldn't run their software. Period.
Many of you are paranoid about the government, and would never let them muck around in your system as a result. Yet Microsoft has surpassed the government as the big boogieman to be afraid of, at least in some people's minds.
How ironic then that there are so many of you who are running Microsoft in spite of that. Do you really think that turning off some upper tier function of Windows will protect you from that so-called-evil?
They wrote it from the ground up. So they can sneak in at the ground floor if they were so inclined, I'm sure. So how does what we do on the surface of things help any?
I look at it like this- if someone who is really really good at programming and Windows can write a widget that can sneak in under our radar, like a frogman swimming in just below the surface. Then Microsoft is the nuclear submarine that can rest quietly on the ocean floor and see and hear all.
It should tell you something that a bunch of witless politicians are running the world, and not Microsoft or a pack of black-hat hackers.  -- You're an American. You get a free pass, but nobody rides for free. |
|
 | reply to Everready Can I disable Background Intelligent Transfer Service? |
|
 | said by Sindows 7:
> Can I disable Background Intelligent Transfer Service?
BITS is mandatory in order to use Windows Update. |
|
 antdude A Ninja Ant Premium,VIP join:2001-03-25 kudos:2 | reply to Everready Also on »windowssecrets.com/2007/09/13/01···-consent from »yro.slashdot.org/article.pl?sid=···/1259202 ... |
|
 BB1984 join:2006-05-31 Australia | reply to Sindows 7
said by Sindows 7:
> Can I disable Background Intelligent Transfer Service?
Should be able to. But Windows Defender uses it, and can't update without it. But if like me you use other programs to Defender, you may be able to kill it no probs.
I also thought some P2P software used BITS, but I don't run any so can't verify this.
But I kill Windows Update from 'System Properties', as well as kill it in 'Services', along with BITS.
No unauthorised 'Big-Bother' updates on my rigs.  |
|
 | reply to Sindows 7 I disabled it more than a year ago and have had no issues at all. I don't use Microsoft automatic updates and have not run into any software that complains about that service not running. Shouldn't hurt to try shutting down.
Regards,
Ender -- My Jeep is not an SUV. Your SUV is not a Jeep. |
|
 swhx7 Premium join:2006-07-23 Elbonia | reply to Everready There was a report on Slashdot of the same happening on Windows 2000, so it's not just XP.
This can't happen if the AU service is off. The articles are misleading in saying it happens with AU "off"; what they mean is the service is running but the option is set to not install automatically.
You don't need either the AU or the BITS service if you get patches manually; you do need them for Windows Update site or Automatic Updates feature.
The windowssecrets.com article linked by antdude has detail on how to detect this and check versions. |
|
 dave Premium,MVM join:2000-05-04 not in ohio kudos:7 |
said by swhx7:
> This can't happen if the AU service is off. The articles are misleading in saying it happens with AU "off"; what they mean is the service is running but the option is set to not install automatically.
It allegedly happens if you've got the service set to "tell me what updates are available". I already posted my theory about why that might be.
OTOH, I have the service running but automatic-nothing (i.e., I have to manually decide -- inasmuch as my hands decide anything -- when to visit the update web site). That definitely didn't get a stealth upgrade.
I have to agree with the viewpoint expressed earlier, that says this was probably not malice aforethought. If Microsoft wanted to sneak in something nasty without us knowing, it's surely easier to make it part of a "critical kernel vulnerability update" package that we'd all rush to install. |
|
 javaMan The Dude abides. Premium,MVM join:2002-07-15 San Luis Obispo, CA | reply to Mele20
said by Mele20:
> I don't think Microsoft should be doing this even on machines that have updating set to "notify" but if they ever come into a machine set up like mine, with autoupdating permanently disabled from day one, and force something like this...well, I'll see them in Hell.
Perhaps not but OTOH if the update service has changed there would be no way to notify unless the files necessary to notify are updated on the client first. It is a Catch-22 situation. I don't think you need to worry about the latter part of your post. Updates happen because the client contacts the server not vice versa. So if you have AU turned off, your computer never makes that initial contact hence, no auto update or notification takes place.
Contrary to what some might believe, Microsoft doesn't have a back door into your computer so they can do whatever they want whenever they want; you need to ask them for something first. Now, you may sometimes think that you get more than you asked for or you may get something you don't want. However, the point is that you do have to contact them first before you get anything wanted or unwanted. -- Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20 |
|