Microsoft updates Windows without users' consent

Home

WinFind

Reviews

Polls

Contact

Past issues

Upgrade

Prefs

Unsubscribe

Windows Secrets Newsletter • Issue 122 • 2007-09-13 • Circulation: over 270,000

Contents
TOP STORY: Microsoft updates Windows without users' consent
KNOWN ISSUES: How to run Microsoft Update using Firefox
WACKY WEB WEEK: Nintendo promises Wii bit of excitement
PC TUNE-UP: Serious Visual Basic flaw remains unpatched
PATCH WATCH: Only four patches this Patch Tuesday
YOUR SUBSCRIPTION: How to change your address or unsubscribe

For links to every topic in this issue, scroll down to the Index

ADS

Free scan: increase your PC speed now

Free scan: increase your PC speed now
PC Pitstop's Free Optimize Scan will automatically diagnose problems with your PC and give you a custom report detailing issues that are hurting your PC's performance. Scan your PC for free today!
www.pcpitstop.com

Be more productive in Microsoft Outlook

Be more productive in Microsoft Outlook
Save time in Outlook with these powerful utilities: Attachment Save — automatically save attachments when e-mail arrives, Schedule Recurring E-mail — send regularly occurring e-mails, and more. See our entire list of 36 powerful add-ins on our Web site.
www.SperrySoftware.com

Backup your data with ZipBackup

Backup your data with ZipBackup
Finally, a backup program that is easy to use. ZipBackup's Wizard makes backups a snap for beginners. Filtering, scheduling, and disk spanning make it a powerful tool for experts. For a limited time, Windows Secrets readers receive 25% off.
www.zipbackup.com

See your ad here

TOP STORY

Microsoft updates Windows without users' consent

Scott Dunn

By Scott Dunn

Microsoft has begun patching files on Windows XP and Vista without users' knowledge, even when the users have turned off auto-updates.

Many companies require testing of patches before they are widely installed, and businesses in this situation are objecting to the stealth patching.

Files changed with no notice to users

In recent days, Windows Update (WU) started altering files on users' systems without displaying any dialog box to request permission. The only files that have been reportedly altered to date are nine small executables on XP and nine on Vista that are used by WU itself. Microsoft is patching these files silently, even if auto-updates have been disabled on a particular PC.

It's surprising that these files can be changed without the user's knowledge. The Automatic Updates dialog box in the Control Panel can be set to prevent updates from being installed automatically. However, with Microsoft's latest stealth move, updates to the WU executables seem to be installed regardless of the settings — without notifying users.

When users launch Windows Update, Microsoft's online service can check the version of its executables on the PC and update them if necessary. What's unusual is that people are reporting changes in these files although WU wasn't authorized to install anything.

This isn't the first time Microsoft has pushed updates out to users who prefer to test and install their updates manually. Not long ago, another Windows component, svchost.exe, was causing problems with Windows Update, as last reported on June 21 in the Windows Secrets Newsletter. In that case, however, the Windows Update site notified users that updated software had to be installed before the patching process could proceed. This time, such a notice never appears.

For users who elect not to have updates installed automatically, the issue of consent is crucial. Microsoft has apparently decided, however, that it doesn't need permission to patch Windows Updates files, even if you've set your preferences to require it.

Microsoft provides no tech information — yet

To make matters even stranger, a search on Microsoft's Web site reveals no information at all on the stealth updates. Let's say you wished to voluntarily download and install the new WU executable files when you were, for example, reinstalling a system. You'd be hard-pressed to find the updated files in order to download them. At this writing, you either get a stealth install or nothing.

A few Web forums have already started to discuss the updated files, which bear the version number 7.0.6000.381. The only explanation found at Microsoft's site comes from a user identified as Dean-Dean on a Microsoft Communities forum. In reply to a question, he states:

"Windows Update Software 7.0.6000.381 is an update to Windows Update itself. It is an update for both Windows XP and Windows Vista. Unless the update is installed, Windows Update won't work, at least in terms of searching for further updates. Normal use of Windows Update, in other words, is blocked until this update is installed."

Windows Secrets contributing editor Susan Bradley contacted Microsoft Partner Support about the update and received this short reply:

"7.0.6000.381 is a consumer only release that addresses some specific issues found after .374 was released. It will not be available via WSUS [Windows Server Update Services]. A standalone installer and the redist will be available soon, I will keep an eye on it and notify you when it is available."

Unfortunately, this reply does not explain why the stealth patching began with so little information provided to customers. Nor does it provide any details on the "specific issues" that the update supposedly addresses.

System logs confirm stealth installs

In his forum post, Dean-Dean names several files that are changed on XP and Vista. The patching process updates several Windows\System32 executables (with the extensions .exe, .dll, and .cpl) to version 7.0.6000.381, according to the post.

In Vista, the following files are updated:

1. wuapi.dll
2. wuapp.exe
3. wuauclt.exe
4. wuaueng.dll
5. wucltux.dll
6. wudriver.dll
7. wups.dll
8. wups2.dll
9. wuwebv.dll

In XP, the following files are updated:

1. cdm.dll
2. wuapi.dll
3. wuauclt.exe
4. wuaucpl.cpl
5. wuaueng.dll
6. wucltui.dll
7. wups.dll
8. wups2.dll
9. wuweb.dll

These files are by no means viruses, and Microsoft appears to have no malicious intent in patching them. However, writing files to a user's PC without notice (when auto-updating has been turned off) is behavior that's usually associated with hacker Web sites. The question being raised in discussion forums is, "Why is Microsoft operating in this way?"

How to check which version your PC has

If a system has been patched in the past few months, the nine executables in Windows\System32 will either show an earlier version number, 7.0.6000.374, or the stealth patch: 7.0.6000.381. (The version numbers can be seen by right-clicking a file and choosing Properties. In XP, click the Version tab and then select File Version. In Vista, click the Details tab.)

In addition, PCs that received the update will have new executables in subfolders named 7.0.6000.381 under the following folders:

c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll

Users can also verify whether patching occurred by checking Windows' Event Log:

Step 1. In XP, click Start, Run.

Step 2. Type eventvwr.msc and press Enter.

Step 3. In the tree pane on the left, select System.

Step 4. The right pane displays events and several details about them. Event types such as "Installation" are labeled in the Category column. "Windows Update Agent" is the event typically listed in the Source column for system patches.

On systems that were checked recently by Windows Secrets readers, the Event Log shows two installation events on Aug. 24. The files were stealth-updated in the early morning hours. (The time stamp will vary, of course, on machines that received the patch on other dates.)

To investigate further, you can open the Event Log's properties for each event. Normally, when a Windows update event occurs, the properties dialog box shows an associated KB number, enabling you to find more information at Microsoft's Web site. Mysteriously, no KB number is given for the WU updates that began in August. The description merely reads, "Installation Successful: Windows successfully installed the following update: Automatic Updates."

No need to roll back the updated files

Again, it's important to note that there's nothing harmful about the updated files themselves. There are no reports of software conflicts and no reason to remove the files (which WU apparently needs in order to access the latest patches). The only concern is the mechanism Microsoft is using to perform its patching, and how this mechanism might be used by the software giant in the future.

I'd like to thank reader Angus Scott-Fleming for his help in researching this topic. He recommends that advanced Windows users monitor changes to their systems' Registry settings via a free program by Olivier Lombart called Tiny Watcher. Scott-Fleming will receive a gift certificate for a book, CD, or DVD of his choice for sending in a comment we printed.

I'll report further on this story when I'm able to find more information on the policies and techniques behind Windows Update's silent patches. Send me your tips on this subject via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

ADS

Do-it-yourself home renovations

Do-it-yourself home renovations
Highly recommended site for anyone who wants to build a set of stairs, construct a backyard shed, deck, picnic table, gazebo, dog house, etc., or even build a house. Get e-mailed answers to your questions about your own project from an expert.
www.daveosborne.com

Get your product seen by 270,000 readers

Get your product seen by 270,000 readers
Does your company offer a product or service? Now you can place an ad in the Windows Secrets Newsletter and be seen by more than 270,000 active buyers of PC hardware and software. Bid as much or as little as you like to get the ideal ad placement.
www.WindowsSecrets.com

See your ad here

KNOWN ISSUES

How to run Microsoft Update using Firefox

Diane Korngiebel

By Diane Korngiebel

The Sept. 6 issue of Windows Secrets explained how to automate Internet Explorer 7 to access Microsoft Update once a month.

But some readers expressed displeasure at the thought of using the dreaded IE 7 even for this relatively safe chore.

Firefox add-in runs Microsoft Update like IE

Scott Dunn's article asserted that IE 7 is a requirement in order to run Microsoft Update. (MU is a Windows Update superset that patches Microsoft Office in addition to Windows itself.) However, Ramona Lane sends this useful tip:

"There is an 'IE Tab' extension that lets Firefox users update with the Windows Update feature. The IE Tab extension is located at the Mozilla add-ons site."

Thanks, Ramona! The IE Tab extension lets you switch between Firefox and IE rendering. Once installed, I had no trouble using the IE Tab add-on to run Microsoft Update. According to Mozilla's Web site, the IE Tab works with Firefox versions 1.5 through 3.0a5. I used it with 2.0.0.6.

To install the IE Tab, go to the add-ons site using the above link. Choose Install Now. The installer will restart Firefox when finished or prompt you to do so before the changes will take effect.

To add the IE Tab button to your Firefox Toolbar, right-click the toolbar and choose Customize. Drag the IE Tab icon and drop it where you want it. When clicked, the IE Tab button will swap rendering engines.

Once you've done this, you can use Firefox with Scheduled Tasks in XP; however, keep in mind that only administrators can install updates. The scheduling steps are slightly different from the ones provided in the last issue:

Step 1: Choose Start, All Programs, Accessories, System Tools, Scheduled Tasks.

Step 2: In the Scheduled Tasks window, double-click Add Scheduled Task.

Step 3: In the Scheduled Task Wizard, click Next. Then click Browse.

Step 4: Select Mozilla Firefox from the list. If you don't see it, use the Browse button to locate Firefox.exe and click Open.

Step 5: In the next step of the wizard, select Monthly and click Next.

Step 6: Specify a start time. Select the second radio button and specify the second Tuesday. Leave all months checked. Click Next.

Step 7: Enter your account name and password for an administrator account. Click Next.

Step 8: Check the box for opening advanced properties and click Finish.

Step 9: When the Firefox Properties dialog box opens, click at the end of the line in the Run box. Type a space followed by the URLs for each tab you want to open, separated by spaces. For example, when you're done, the finished command should read something like this:

"C:\Program Files\Mozilla Firefox\firefox.exe" www.update.microsoft.com secunia.com/software_inspector

Step 10: Click OK. Enter your account name and password again, if prompted. Click OK.

MyUninstaller is another removal-tool option

Scott's article also provided a step-by-step guide on how to remove old software. For those of you who'd like a program that does much of the legwork for you, however, Joe de Fide has this advice:

"I have found that MyUninstaller is an invaluable asset, as it has a search function that will not only look at the name of the program, but look at the program's property sheet as well. You can also double-click on a program's name to see the property sheet."

We haven't tested MyUninstaller, but PC World columnist Steve Bass has recommended it.

Get reminders for Secunia Software Inspector

When checking for unpatched software, it makes sense to run the latest version of Software Inspector. Timothy McGowan points out that Secunia offers an e-mail reminder:

"This free e-mail update will 'notify you whenever the online Software Inspector is improved and updated.'

"Go to Secunia Software Inspector, run the test to completion, and you'll get a message: 'As an additional free service, Secunia offers to notify you whenever the Software Inspector is improved and updated. Do you wish to subscribe?' Click through and submit a valid e-mail address. That is all it takes."

Thanks, Tim. You can also sign up for the reminder service without completing the test. Go to the Secunia Software Inspector Web page using the above link. Under "Other" (in the right-hand column), click the link for the Reminder Service. You will be asked to provide an e-mail address. Then click Subscribe.

Finding the hidden Secunia privacy policy

Some readers expressed concerns over Secunia's difficult-to-find privacy policy. Jon Larimore criticizes Secunia for the omission:

"I had intended to pass along a link to Software Inspector to several friends, but when doing so, I wanted to reassure them that no personal information would be 'lifted' from their computers by Secunia during the inspection process. Unfortunately, I could find no Privacy Policy statement of any kind anywhere on their Web site. So I sent their webmaster a note.

"The response was: 'It is right here.'

"I hope Secunia will take the hint and include a link to the Privacy Policy at the bottom of each Web page."

Readers Lane, de Fide, McGowan, and Larimore will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers' comments on our recent articles. Diane Korngiebel is assistant managing editor of WindowsSecrets.com.

TELL A FRIEND

How you can share this information

We love it when you send your friends links to our articles. But please don't forward your copy of our e-mail newsletter to people, which subjects us to spam complaints. Instead, simply suggest that your friends visit this issue's permanent Web address, shown below. A complete index at the bottom of the Web page provides you with hyperlinks to any article you'd like to recommend.

The address of this issue is http://WindowsSecrets.com/comp/070913

EDITOR'S BOOKSHELF

Windows Vista Secrets

Get the tips you need about Windows Vista
The all-new Windows Vista Secrets helps novices and experts alike understand Microsoft's latest operating system. "To really appreciate what is in Vista, you almost need to read through the leading book on the product, Windows Vista Secrets, by Brian Livingston and Paul Thurrott," writes Rob Enderle, principal analyst of the Enderle Group, in TechNewsWorld. "It's 595 pages of things you can do with this product — most of which you probably wouldn't have discovered for some time, let alone right at first." Check the book out now for tips you can use.
More information: United States (B&N) / Canada / Elsewhere

Spam-Proof Your E-Mail Address, 2nd Ed.

Spam-Proof Your E-Mail Address, 2nd Ed.
This 32-page e-book by Brian Livingston gives you step-by-step instructions that can prevent 97% of the spam that would otherwise clog an e-mail account. You could call it "Livingston's Spam Secrets." The PDF e-book is the result of months of experiments and tests we conducted. We now receive little or no spam to the addresses we used as guinea pigs. These tests show that you can make your e-mail addresses invisible to spammers, not just battle an ever-growing flood. The methods we describe work with Windows, Apple, and Linux and don't require any filters or block lists — but you can use those in addition to the book's techniques, if you wish. More info

WACKY WEB WEEK

Nintendo promises Wii bit of excitement

Happy feet

We all know that gadgets are supposed to make our lives easier and more productive. Technology should give us time to pursue hobbies and interests, like tripping the light fantastic or playing ball in the park with the kids.

But what of the person who has no time for real life? The answer seems to be Wii Fit, a device that lets you enjoy life to the fullest without ever leaving the comfort of your own home.

As evidened by this Nintendo product video — with voiceover by SarcasticGamer — Wii Fit is the one-stop source of entertainment for the entire family. Play the video

INDEX

The following topics appear in the free version

TOP STORY	Microsoft updates Windows without users' consent
	Files changed with no notice to users
	Microsoft provides no tech information — yet
	System logs confirm stealth installs

KNOWN ISSUES	How to run Microsoft Update using Firefox
	Firefox add-in runs Microsoft Update like IE
	MyUninstaller is another removal-tool option
	Get reminders for Secunia Software Inspector
	Finding the hidden Secunia privacy policy

WACKY WEB WEEK	Nintendo promises Wii bit of excitement

You get all of the following in the paid version
PC TUNE-UP	Serious Visual Basic flaw remains unpatched
	Watch out for .vbp file extensions
	Free stand-alone disk defragmentation tool
	Beware of Windows encrypting file system "gotchas"
	Tasklist useful, Process Explorer better

PATCH WATCH	Only four patches this Patch Tuesday
	Patching dear old Clippy is a top priority
	MSN Messenger needs new version instantly
	Server admins need a few patches
	Daylight Saving Time fun yet again!
	Malicious Software Removal Tool lives anew

Paid subscribers can access all old and new paid newsletter content Make a contribution to support our research into Windows and you'll immediately be able to read and search through scores of valuable articles. In addition, paid subscribers are entitled to download valuable content that we license for you at least once every calendar quarter. To upgrade, simply make a contribution of any amount you choose. If you do this by Sept. 19, 2007, you'll instantly be sent the full, paid version of today's newsletter. To upgrade to the paid version of the Windows Secrets Newsletter, please visit our upgrade page. Thanks in advance.

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, plus the week of Thanksgiving and the last two weeks of August and December.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Editor-at-Large: Fred Langa. Associate Editor: Scott Dunn. Contributing Editors: Susan Bradley, Mark Edwards, Woody Leonhard, Chris Mosby, Ryan Russell. Research Director: Vickie Stevens. Program Director: Brent Scheffler.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period. Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,

Visit our Unsubscribe page.

Copyright © 2007 by WindowsSecrets.com LLC. All rights reserved.