Windows XPPost your Windows XP related questions here.
Mission Statement
WindowsBBS is an online community dedicated to easily accessible technical support for those using Microsoft operating systems and other Windows software.
Our goal is to become the leading resource for computer users that require assistance with their day-to-day computer usage, including full support for networking PC's, virus & malware removal, system upgrades and general support questions.
I would like to know how "wuauclt.exe", an ME auto updater, showed up as a running process in my Task Manager. I have Auto-Update service disabled (except for when I need an update from MS, now!) and I was gone for the weekend, with the computer off. Where did this thing come from? How do I make sure it doesn't come back? How did it get in???
Johanna
Didn't find the information you thought to find? Check out these Similar Threads
I have it on my machine, Johanna. I thought it was always there. Actually, I have 2, wuauclt1 and wuauclt. They are the same versions but different sizes (?).
I deleted the files and immediately got a message to insert my XP SP2 CD to replace missing Windows files. The same ones were replaced in both System32 and the dllcache.
If I'm not mistaken, that is the exe responsible for creating the tray icon for autoupdates. Do you have the service disabled or just the preference set in sysdm.cpl?
In any case, I have re-evaluated this whole autoupdating thing and now think it is actually a good idea. With SP2 (or possibly some other extensions to Group Policy that I added), there is a setting for how much bandwidth to allow the BITS service. Default is to use all idle bandwidth for the transfer of updates. Since this service transfers the updated files only during idle bandwidth periods, you can get the updates downloaded with ease. I have it set to notify before downloading and after downloading (before installing), so I just go to the download folder and copy the update out onto my update CD so that I have a copy of it and then allow the installation to take place.
It really saves a lot of time and trouble. Instead of searching for downloads of updates, they are delivered to me without my even having to do anything.
Last edited by Abraxas; 17th August 2004 at 21:33.
When I installed Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB867801) last week, I had to enable two services (Bits and Auto Update) to use the MS site. I disabled them again after the update. I have never had wuauclt.exe in the Task Manager until yesterday, and to my surprise, I found Auto Update service was set to Automatic. No one used my computer over the weekend, and it was offline. So, I disabled the service again, and took it out of the start up, where it had already placed itself. I'm checking each boot to see if it returns. It hasn't, yet. Tomorrow I will reenable the two services, use the MS update site again, and see if it returns. I disable auto update on everything as a matter of routine, and MS Updates gets disabled before I even go online, after a reinstall. It has been off for nearly a year, until that brief period last week. Now that the MS Update site has become so particular, I'm glad I have my past updates listed and burned to cd. SP2 is going on a clean install, slipstreamed, maybe next week.
I also combed through the Norton Event logs, and find no record of MS communication to turn on Auto Updates. Nothing out of order, there. Hmmm... mystery.
No, it's a legit MS .exe, not a Trojan. No scans or searches have turned up anything suspicious. Norton is the only thing allowed to auto update, and my "rules" are strict. Thanks for the heads up, though.
I shut it off in admin tools> Services and then checked the Control Panel. The Auto Update box looks completely different than it ever did before. No, I have NOT installed SP2 yet. At least I didn't have to change the settings there- whether they were left alone, or whether disabling in Services changed it, I don't know. If anyone remembers when (if) their Auto Update box changed appearance, it might help me figure out what turned on Auto Update, and, more importantly, HOW??? I suspect the v5 update I had to accept from MS to update...
I suspect the v5 update I had to accept from MS to update...
Yes, that sceen shot looks familiar - saw it on one of the SP2 "comming attractions", don't remember where. After SP2 install, that's what the update dialog box will look like.
Johanna,
I don't have SP2 yet but v.5 of the Windows Update Engine was installed recently with the same changes as You have. I don't remember it changing any settings, though ...... ...... !
Christer,
My settings were "Disabled" in Services and the Control Panel, and have been for nearly a year, except for that brief interruption when I installed the v5 update to get the CSU for IE. When I returned from a long weekend (comp was shut off and offline) that exe was in my startup, and I noticed it right away in Task Mgr, because I'd never seen it on my system before. I then disabled Auto Update AGAIN from Services, checked the Control Panel under System, noticed the new dialog box, and said "Hmmmm..."
Following Abraxas' post, I searched for the exe. I found a version created the first time I did a WU after the last clean install, and a version named wuauclt1.exe created a week before I updated to v5. AU was not running in until I booted Monday morning, and the original wuauclt file was suddenly present, and running, not the second. (One of the reasons they let you join Tweakers Anonymous is that you have your running processes memorized. I mean, what ordinary user even looks there???)
I want to know how to make sure AU can't turn itself on without permission from me, that's all. I want to know why Norton didn't log it, and I want to know how it got in my Start Up. I unticked wuauclt.exe and deleted it with Mike Lin's StartUpCPL, too, for good measure, where it was displayed under the HKLM Run key.
Abraxas, I can see your point about auto downloading at your convenience, but I like to strictly control my security policy, and it bugs me that this "snuck in" more than anything else. No harm done, but it crept up on me, and I don't like that!
Johanna,
I have it set to notify prior to downloading and installing. It never gets past notifying, though!
Maybe WU was happy with that but not with You disabling it?
What is said to be new with SP2 is that the default setting is automatic for WU but it seems to be v.5 of WU and not SP2 that has this default setting.
At the first reboot after installing v.5, I started TaskManager a.s.a.p to see what was running. wuauclt.exe was running but disappeared after a few seconds and I haven't seen it since that time.
I turned auto update on this morning. Sygate didn't log it. What caught it is System Safety Monitor.
The Service that's starting up is wuauserv and, don't know for sure, I think 'piggy backs' on the Generic Host Process for Win32 which I've given permission for. I assume you have as well.
Regards - Charles
Last edited by charlesvar; 18th August 2004 at 13:54.
No, Generic Host Process for Win32 does not have permission to access the internet, but from what I read last night, you are correct that wuauclt does piggyback on it. It has not reappeared since I disabled AWU in Services, and as soon as my ISP starts working normally again, I'm going to enable WU, and see if wuauclt.exe shows up again in Task Manager. I've been through Norton specifically to block any MS "phoning home" (Why, for heavens' sake, does WE or Word need to call home everytime I use them?) so I want to know what triggered it to run.
I realized when I enabled WU temporarily that "things could happen", but I did not expect the changes after a couple of reboots. Somehow, there is a hole, and I need to find it. If MS can get in, someone else can. I just got lucky that the "intrusion" was from a "trusted source".
You NEVER give Win32 permission, or do you have it asking?
AFAIK, when Win32 wants out, you have to let it out, otherwise you don't cruise the net, at least that's the way I remember it; haven't dealt with this for a long time.
At the first reboot after installing v.5, I started TaskManager a.s.a.p to see what was running. wuauclt.exe was running but disappeared after a few seconds and I haven't seen it since that time.
Christer
Hi Christer,
It coincides with the "reminder". So whatever that reminder interval is, that's when it shows up in TM and then "disappears".
