Protect yourself from silent Windows updates

By Scott Dunn

Microsoft has confirmed Windows Secrets’ Sept. 13 story that Windows Update periodically installs certain files even if you’ve selected a “do not install” option.

Many companies and individuals require prior notification before any files are changed, so I explain today how you can completely prevent silent installs, if you wish.

Microsoft acknowledges the lack of notice

In my Sept. 13 article, I reported that Windows Update (WU) has been silently installing nine small executable files on Windows XP and Vista, despite the fact that users had disabled auto-installation. The files that WU has overwritten to date consist of benign support files — but many Windows users expressed outrage that any process was installing files without notification.

Reaction from Microsoft to the article was almost immediate. In a post the same day on the Microsoft Update Product Team Blog, program manager Nate Clinton confirmed that updates to Windows Update itself are performed without notifying users. This is true even if users specify “Let me choose when to install them” or “Notify me but don’t automatically download or install” (two of the four options available to users).

In his statement, Clinton acknowledged that the silent file writes are not what users expect after they disable automatic installs:

  • “The point of this explanation is not to suggest that we were as transparent as we could have been; to the contrary, people have told us that we should have been clearer on how Windows Update behaves when it updates itself. This is helpful and important feedback, and we are now looking at the best way to clarify WU’s behavior to customers so that they can more clearly understand how WU works.”

Soon after Clinton’s post, Vista product manager Nick White wrote his own response to the reactions pouring in from angry Windows users:

  • “Your comments are completely understandable and I’m making sure the WU team is well aware of how the community feels on this issue. You’ll note in Nate’s post (the one I linked to) that we freely admit to having fallen down on this issue and that we can, and should, do better when it comes to behaviors of this type and the necessary disclosure of same. Please know that we hear what you have to say and are taking your feedback seriously. (I, for one, want to avoid similar events in the future, as reactive posts such as this one are not what I want to spend my time blogging about.)”

Clinton’s initial explanation, which suggested that Windows Update had no choice but to install support files silently, drew a large number of critical remarks from Microsoft’s normally supportive developer community. For example, a commenter identified as TheDave wrote that WU could easily notify users that updates were needed:

  • “The situation I am describing is *exactly* the same thing as happens with a out of the box XP SP2 install, you see a WU update available and nothing more. Once you install WU, you see the dozens of other updates available. Works great in theory, and in practice.

    “There is absolutely no excuse for updating executable code on a customer’s machine when the customer has selected a choice of ‘but let me choose whether to install them.’ Period. Full stop. No exceptions.”

Independent test labs confirm the behavior

One of the first test centers to independently confirm WU’s silent installs was eWeek Labs. An eWeek analyst, Andrew Garcia, published a blog entry on Sept. 13 documenting the logs of two test machines that had been set to “Notify but do not install updates.” According to Garcia, even though one of the PCs hadn’t been touched in months, both machines showed evidence that version 7.0.6000.381 of the files had been installed in August.

All Windows Secrets articles posted on 2007-09-20: