wuauclt.exe in XP Pro

Discussion in 'Windows XP' started by Johanna, 2004/08/17.

Thread Status:
Not open for further replies.
  1. 2004/08/17
    Johanna

    Johanna Inactive Alumni Thread Starter

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    I would like to know how "wuauclt.exe", an ME auto updater, showed up as a running process in my Task Manager. I have Auto-Update service disabled (except for when I need an update from MS, now!) and I was gone for the weekend, with the computer off. Where did this thing come from? How do I make sure it doesn't come back? How did it get in??? :eek: :confused:

    Johanna
     
  2. 2004/08/17
    Abraxas

    Abraxas Inactive

    Joined:
    2002/08/16
    Messages:
    2,361
    Likes Received:
    3
    I have it on my machine, Johanna. I thought it was always there. Actually, I have 2, wuauclt1 and wuauclt. They are the same versions but different sizes (?).

    I deleted the files and immediately got a message to insert my XP SP2 CD to replace missing Windows files. The same ones were replaced in both System32 and the dllcache.

    If I'm not mistaken, that is the exe responsible for creating the tray icon for autoupdates. Do you have the service disabled or just the preference set in sysdm.cpl?

    It could be this trojan:

    http://www.symantec.com/avcenter/venc/data/backdoor.clt.html

    In any case, I have re-evaluated this whole autoupdating thing and now think it is actually a good idea. With SP2 (or possibly some other extensions to Group Policy that I added), there is a setting for how much bandwidth to allow the BITS service. Default is to use all idle bandwidth for the transfer of updates. Since this service transfers the updated files only during idle bandwidth periods, you can get the updates downloaded with ease. I have it set to notify before downloading and after downloading (before installing), so I just go to the download folder and copy the update out onto my update CD so that I have a copy of it and then allow the installation to take place.

    It really saves a lot of time and trouble. Instead of searching for downloads of updates, they are delivered to me without my even having to do anything.
     
    Last edited: 2004/08/17

  4. 2004/08/17
    Johanna

    Johanna Inactive Alumni Thread Starter

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    When I installed Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB867801) last week, I had to enable two services (Bits and Auto Update) to use the MS site. I disabled them again after the update. I have never had wuauclt.exe in the Task Manager until yesterday, and to my surprise, I found Auto Update service was set to Automatic. No one used my computer over the weekend, and it was offline. So, I disabled the service again, and took it out of the start up, where it had already placed itself. I'm checking each boot to see if it returns. It hasn't, yet. Tomorrow I will reenable the two services, use the MS update site again, and see if it returns. I disable auto update on everything as a matter of routine, and MS Updates gets disabled before I even go online, after a reinstall. It has been off for nearly a year, until that brief period last week. Now that the MS Update site has become so particular, I'm glad I have my past updates listed and burned to cd. SP2 is going on a clean install, slipstreamed, maybe next week.

    I also combed through the Norton Event logs, and find no record of MS communication to turn on Auto Updates. Nothing out of order, there. Hmmm... mystery.

    Johanna
     
  5. 2004/08/17
    johnsr

    johnsr Inactive

    Joined:
    2002/01/07
    Messages:
    13
    Likes Received:
    0
  6. 2004/08/17
    Johanna

    Johanna Inactive Alumni Thread Starter

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    No, it's a legit MS .exe, not a Trojan. No scans or searches have turned up anything suspicious. Norton is the only thing allowed to auto update, and my "rules" are strict. Thanks for the heads up, though.

    Johanna
     
  7. 2004/08/17
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Johanna,

    wuauclt.exe Windows Update AutoUpdate Client

    I have it as well on a Home system in the System32 folder, been there since the beginning, so this is not a Pro vs Home issue.

    A lot of MS's processes don't like getting shut down and try reinstating themselves a few times before giving up.

    One thought - don't know how much of a difference it would make, did you shut update off thru the Control Panel or in the Services page?

    Regards - Charles
     
  8. 2004/08/17
    Johanna

    Johanna Inactive Alumni Thread Starter

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    I shut it off in admin tools> Services and then checked the Control Panel. The Auto Update box looks completely different than it ever did before. No, I have NOT installed SP2 yet. At least I didn't have to change the settings there- whether they were left alone, or whether disabling in Services changed it, I don't know. If anyone remembers when (if) their Auto Update box changed appearance, it might help me figure out what turned on Auto Update, and, more importantly, HOW??? I suspect the v5 update I had to accept from MS to update...

    Johanna
     
  9. 2004/08/17
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Yes, that screen shot looks familiar - saw it on one of the SP2 "coming attractions", don't remember where. After SP2 install, that's what the update dialog box will look like.

    Regards - Charles
     
  10. 2004/08/17
    Christer

    Christer Geek Member Staff

    Joined:
    2002/12/17
    Messages:
    6,566
    Likes Received:
    73
    Johanna,
    I don't have SP2 yet but v.5 of the Windows Update Engine was installed recently with the same changes as You have. I don't remember it changing any settings, though ...... :confused: ...... !

    Christer
     
  11. 2004/08/17
    Johanna

    Johanna Inactive Alumni Thread Starter

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Christer,
    My settings were "Disabled" in Services and the Control Panel, and have been for nearly a year, except for that brief interruption when I installed the v5 update to get the CSU for IE. When I returned from a long weekend (comp was shut off and offline) that exe was in my startup, and I noticed it right away in Task Mgr, because I'd never seen it on my system before. I then disabled Auto Update AGAIN from Services, checked the Control Panel under System, noticed the new dialog box, and said "Hmmmm..."

    Following Abraxas' post, I searched for the exe. I found a version created the first time I did a WU after the last clean install, and a version named wuauclt1.exe created a week before I updated to v5. AU was not running until I booted Monday morning, and the original wuauclt file was suddenly present, and running, not the second. (One of the reasons they let you join Tweakers Anonymous is that you have your running processes memorized. I mean, what ordinary user even looks there???)

    I want to know how to make sure AU can't turn itself on without permission from me, that's all. I want to know why Norton didn't log it, and I want to know how it got in my Start Up. I unticked wuauclt.exe and deleted it with Mike Lin's StartUpCPL, too, for good measure, where it was displayed under the HKLM Run key.

    Abraxas, I can see your point about auto downloading at your convenience, but I like to strictly control my security policy, and it bugs me that this "snuck in" more than anything else. No harm done, but it crept up on me, and I don't like that!

    Johanna
     
  12. 2004/08/18
    Christer

    Christer Geek Member Staff

    Joined:
    2002/12/17
    Messages:
    6,566
    Likes Received:
    73
    Johanna,
    I have it set to notify prior to downloading and installing. It never gets past notifying, though!

    Maybe WU was happy with that but not with You disabling it?

    What is said to be new with SP2 is that the default setting is automatic for WU but it seems to be v.5 of WU and not SP2 that has this default setting.

    At the first reboot after installing v.5, I started TaskManager a.s.a.p to see what was running. wuauclt.exe was running but disappeared after a few seconds and I haven't seen it since that time.

    Christer
     
  13. 2004/08/18
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Johanna,

    I turned auto update on this morning. Sygate didn't log it. What caught it is System Safety Monitor.

    The Service that's starting up is wuauserv and, don't know for sure, I think 'piggy backs' on the Generic Host Process for Win32 which I've given permission for. I assume you have as well.

    Regards - Charles
     
    Last edited: 2004/08/18
  14. 2004/08/18
    Johanna

    Johanna Inactive Alumni Thread Starter

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    No, Generic Host Process for Win32 does not have permission to access the internet, but from what I read last night, you are correct that wuauclt does piggyback on it. It has not reappeared since I disabled AWU in Services, and as soon as my ISP starts working normally again, I'm going to enable WU, and see if wuauclt.exe shows up again in Task Manager. I've been through Norton specifically to block any MS "phoning home" (Why, for heaven's sake, does WE or Word need to call home every time I use them?) so I want to know what triggered it to run.

    I realized when I enabled WU temporarily that "things could happen", but I did not expect the changes after a couple of reboots. Somehow, there is a hole, and I need to find it. If MS can get in, someone else can. I just got lucky that the "intrusion" was from a "trusted source".

    Johanna
     
  15. 2004/08/18
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Johanna, could we clarify this issue.

    You NEVER give Win32 permission, or do you have it asking?

    AFAIK, when Win32 wants out, you have to let it out, otherwise you don't cruise the net, at least that's the way I remember it; haven't dealt with this for a long time.

    Regards - Charles
     
  16. 2004/08/18
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Christer,

    It coincides with the "reminder". So whatever that reminder interval is, that's when it shows up in TM and then "disappears".

    Regards - Charles
     
  17. 2004/08/18
    Johanna

    Johanna Inactive Alumni Thread Starter

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
  18. 2004/08/18
    Abraxas

    Abraxas Inactive

    Joined:
    2002/08/16
    Messages:
    2,361
    Likes Received:
    3
    Sometimes your machine can get slowed down appreciably by the repeated attempts by legitimate system services to access the net. It must appear a lot in your logs.

    Any particular reason you don't allow the OS net access?
     
  19. 2004/08/18
    Johanna

    Johanna Inactive Alumni Thread Starter

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Abraxas,
    I have never noticed a change in system performance with it on or off. I have let it call home, and I have disabled it, and there is no appreciable difference. When I first went online, it was a slow computer on dial up, and I got into the habit of stopping unnecessary services from running and blocking software from internet access with Norton, just to preserve as much "ooommph" as possible. Later, when I got cable internet, and a better computer, I left most of the settings the same, since every internet communication is a potential "open door". If something goes horribly wrong at MS, and I boot my computer, since it doesn't call home, I shouldn't be affected. I have to initiate contact. I realize that sounds paranoid, but when you consider all the different software that is capable of accessing the internet (more than 200 internet accessing apps on this system) it makes sense to limit net activity to the bare minimum for security. I strictly limit and control all internet activity, which is why this wuauclt.exe caught me off guard. I configure Norton's rules, and Norton is the only thing that goes online without prompt from me.

    I guess the fact that MS could turn on my WU w/o asking makes my paranoia a bit justified? What if they decided to make other changes? What if a "Bad Guy" intercepted every Gen Host Proc request? I have enough problems dealing with the aftermath of my tweaking than to invite cosmic disaster! :D

    Johanna
     
  20. 2004/08/18
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Johanna,

    You're right, I just tried it, and I'm here. I do remember that it created some problem - just don't remember what. Maybe it was what Abraxas referred to, performance-wise.

    That does leave the issue of what turned on wuauclt.exe, but FWIW, if you block the Win32, I don't think it got out or in for that matter. Whatever it is, I think it's internal.

    Regards - Charles
     
    Last edited: 2004/08/18
  21. 2004/08/19
    Johanna

    Johanna Inactive Alumni Thread Starter

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Yes, Charles, I know I can block all MS communication w/o a problem on my stand alone computer- I've been doing it successfully for the better part of the last 3 years. What concerns me is HOW did wuauclt get "turned on" in the first place? As soon as I figure out that part, I will know how to keep it from happening again. That is my goal.

    Johanna
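
The thread keeps returning to three separate places where Automatic Updates can be switched on: the service startup type, the Control Panel preference, and a Run-key autostart entry. The read-only audit below is an added example, not something posted by any participant; it assumes PowerShell 2.0 or later (which did not ship with XP at the time) and the documented `AUOptions` registry value. It also reports whether any running wuauclt* image sits outside System32, which is the check that separates the Microsoft client from the look-alike Abraxas linked to.

```powershell
# Added example: read-only audit of Automatic Updates state. Nothing is changed.

# 1. Service startup type (what Administrative Tools > Services shows).
$services = Get-WmiObject Win32_Service -Filter "Name='wuauserv' OR Name='BITS'" |
    Select-Object Name, StartMode, State

# 2. Automatic Updates preference (what the Control Panel dialog writes).
#    AUOptions: 1 = off, 2 = notify before download,
#    3 = download then notify, 4 = download and install on a schedule.
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$auOptions = (Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue).AUOptions

# 3. Run-key entries that would launch wuauclt at logon.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autostart = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($value -match 'wuauclt') {
                New-Object PSObject -Property @{ Key = $key; Name = $name; Command = $value }
            }
        }
    }
}

# 4. Running wuauclt* processes and whether each image lives in System32.
$system32 = Join-Path $env:SystemRoot 'System32'
$procs = Get-WmiObject Win32_Process -Filter "Name LIKE 'wuauclt%'" | ForEach-Object {
    $dir = if ($_.ExecutablePath) { Split-Path $_.ExecutablePath -Parent } else { $null }
    New-Object PSObject -Property @{
        ProcessId  = $_.ProcessId
        Path       = $_.ExecutablePath
        InSystem32 = ($dir -eq $system32)   # -eq is case-insensitive for strings
    }
}

# Report. Saving this output before and after an update makes any change visible.
$services  | Format-Table -AutoSize
"AUOptions = $auOptions"
$autostart | Format-Table -AutoSize
$procs     | Format-Table -AutoSize
```

A service that shows `StartMode` as `Disabled` while `AUOptions` is 2, 3 or 4 (or the reverse) means the two settings were changed independently, which is the distinction Abraxas and charlesvar were asking about.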
     