PC rebooting? The cause may be MS OneCare

Scott dunn By Scott Dunn

Installing Windows Live OneCare, Microsoft’s downloadable security suite, changes the settings of Automatic Updates without notifying users or honoring their update preferences.

This behavior may explain reports that Windows has been mysteriously installing patches and rebooting itself, even though users had completely shut down the Automatic Updates function.

Users surprised by change to AU settings

I reported on Sept. 13 that Windows Update (WU) periodically installs a set of nine executable files without notice to users, even if Automatic Updates (AU) is set to “notify me but don’t automatically install.” On Sept. 27, I wrote that the executable files silently installed by AU starting in July prevent Windows XP from installing any security patches at all if XP was repaired using its original CD.

Subscribe to our Windows Secrets Newsletter - It's Free!

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

PC Drive Maintenance (Excerpt)

Subscribe and get our monthly bonuses - free!

Your hard drives store photos, books, music and film libraries, letters, financial documents and so on. This ebook is aimed at helping you understand your hard drives, expand their capacities and length of life, and recover what you can from them when they fail. We're offering you a FREE Excerpt! Get this excerpt and other 4 bonuses if you subscribe FREE now!



Many companies and individuals have a policy of carefully testing for negative side-effects in Microsoft patches before allowing them to be installed. It’s particularly surprising for these users, who’ve carefully configured their Windows machines to install patches manually, to find that their machines have been updated and rebooted anyway.

A blog named AeroXperience posted comments on Oct. 10 saying Windows Update was forcing such reboots. Users around the globe wrote in to the blog’s forum, saying their settings had mysteriously been switched to automatically install patches, and their PCs restarted at 3:00 a.m. (the default install time in the Automatic Updates control panel). Many commenters swore that they’d previously configured the control panel to prevent such installations.

AeroExperience blamed Windows Update for making the changes to users’ systems. ZDNet blogger Mary Jo Foley repeated the accusation on Oct. 12, adding fuel to the fire.

In a response on Oct. 12, Microsoft Update program manager Nate Clinton denied that Automatic Updates had made any changes to users’ AU settings. The posting was later updated to include several possible explanations, all of which include the user choosing to turn on AU when prompted by some software or installer.

But user choice plays no role in changing AU settings when installing Windows Live OneCare.

My finding is that Windows Live OneCare silently changes the AU settings. This explains at least some of the complaints that have been reported so far. Users could have installed OneCare — even a free-trial version — at any time in the recent past and been unaware of any changes until Automatic Updates forced a reboot in the wee hours.

In repeated tests on Windows XP and Vista, I installed Windows Live OneCare, which costs U.S. $49.95 per year after a 90-day free trial. In every case, OneCare changed a machine’s Automatic Updates settings to fully automatic.

It did so even when Automatic Updates had been completely disabled. In Windows XP, this state is known as “Turn off Automatic Updates.” In Vista, it’s called “Never check for updates.” In no case did the OneCare installer give any indication that a machine’s Automatic Updates settings would be changed.

Worse, OneCare silently enables Windows services that had been carefully disabled using Microsoft’s own configuration utilities (as I explain below).

Whereas OneCare is a downloadable and therefore optional security suite, Automatic Updates is a built-in service for patching Windows. AU is capable of downloading and installing updates from Microsoft at a preset time.

Windows Users can choose from four options for updates:

1. Automatic;

2. Download updates for me, but let me choose when to install them;

3. Notify me but don’t automatically download or install them; and

4. Turn off Automatic Updates.

XP users can change these settings using the Control Panel applet called Automatic Updates. Vista users must first launch the Windows Update control panel and then click Change settings in the upper-left corner.

OneCare installer turns on disabled services

Surprisingly, the installation of OneCare silently changes Automatic Updates settings to automatically install patches and reboot the system, despite defensive measures a user might take to prevent this.

Users are not warned of changed settings. Early in the installation process, users are invited to read OneCare’s feature summary. They are informed that using the service means agreeing to the Microsoft Online Privacy Statement as well as the OneCare privacy supplement.

These documents mention the updating of OneCare’s virus and spyware definitions, but they do not indicate any dependence on Windows Updates. Moreover, the statements say nothing about changing your Automatic Updates settings.

Pages at the OneCare site, such as Service Overview, state that the service “works with Microsoft Update.” Similarly, another overview link at the bottom of the page displays a table of features that mentions “Microsoft Update integration.” But again, users are not warned that their AU settings may be changed.

More important, no warning is given in the application during or after installation. Instead, the software simply reports: “Windows Live OneCare is up-to-date and your status is good.”

An obscure online help topic for OneCare does admit to turning on Automatic Updates, but the information is buried under “Frequently asked questions about other updates for Microsoft programs” (click “What does Windows Live OneCare to do help manage and maintain my computer’s software updates?”). But this hard-to-find paragaraph is hardly adequate notice to new users of the service.

Services are affected, too. OneCare’s installer even overrides settings made using the Services management console. Turning off Automatic Updates (using option 4, mentioned above) doesn’t actually disable two related services, which continue to run in the background. Because these services might some day install something without authorization, many users run a utility called services.msc to disable them. In XP, one affected service is called Automatic Updates, while in Vista it’s called Windows Update. The other service is known as Background Intelligent Transfer Services (BITS) in both versions of the operating system.

Even if these two services have been manually set to Disabled, the OneCare installer changes their startup type to Automatic and restarts them.

The changes are unavoidable. The silent changes made by OneCare cannot be prevented by disconnecting a system from the Internet during installation. Doing so only prevents OneCare from being installed, since its installer requires an Internet connection.

Furthermore, uninstalling OneCare does not return a system’s Automatic Updates setting to its previous state. AU remains set to install updates and reboot the PC automatically.

How to work around OneCare’s settings change

If you wish to use OneCare, but you want updates to be installed only when you’re first notified, the only workaround is to install the program and then change Automatic Updates back to your preferred settings. If you install OneCare when Windows is not likely to phone home, you should be able to change AU before any updates are automatically installed. (Installing OneCare at any time other than 3:00 a.m. should do the trick.)

After you’ve installed OneCare, it doesn’t change your Automatic Updates settings again. But OneCare does flag the disabled Automatic Updates as an “urgent” matter that you should correct. In this situation, the OneCare icon in the taskbar tray turns a bright shade of red, which you may find annoying.

An alternative workaround is to buy and use security software other than Microsoft’s.

In the past, to be sure, some third-party security applications have also had the problem of changing users’ Automatic Updates settings. For example, the May 25, 2006, issue of Windows Secrets noted that Norton Internet Security silently changed Automatic Updates to automatic (if auto-updating was turned on in the Norton suite).

Since that time, however, most security applications have learned to refrain from tampering with user settings.

For the sake of comparison, I installed Norton 360, Norton Internet Security, McAfee Internet Security Suite, and the ZoneAlarm Internet Security Suite. The McAfee product and both of the two Norton products flagged Automatic Updates as a security problem if it was disabled, and provided ways to turn it back on, but none of them changed the setting. The ZoneAlarm suite did not note a disabled copy of AU as a problem, nor did it change the setting.

At this point, Windows Live OneCare appears to be the only major security package that changes users’ preferences without notice.

If you have more information, we’d love to hear about it. Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the magazine’s Here’s How section.
= Paid content

All Windows Secrets articles posted on 2007-10-25: