微软将在用户不知情的情况下升级系统
Microsoft updates Windows without users' consent
By Scott Dunn
Microsoft has begun patching files on Windows XP and Vista without users' knowledge, even when the users have turned off auto-updates.
Many companies require testing of patches before they are widely installed, and businesses in this situation are objecting to the stealth patching.
Files changed with no notice to users
In recent days, Windows Update (WU) started altering files on users' systems without displaying any dialog box to request permission. The only files that have been reportedly altered to date are nine small executables on XP and nine on Vista that are used by WU itself. Microsoft is patching these files silently, even if auto-updates have been disabled on a particular PC.
It's surprising that these files can be changed without the user's knowledge. The Automatic Updates dialog box in the Control Panel can be set to prevent updates from being installed automatically. However, with Microsoft's latest stealth move, updates to the WU executables seem to be installed regardless of the settings — without notifying users.
When users launch Windows Update, Microsoft's online service can check the version of its executables on the PC and update them if necessary. What's unusual is that people are reporting changes in these files although WU wasn't authorized to install anything.
This isn't the first time Microsoft has pushed updates out to users who prefer to test and install their updates manually. Not long ago, another Windows component, svchost.exe, was causing problems with Windows Update, as last reported on June 21 in the Windows Secrets Newsletter. In that case, however, the Windows Update site notified users that updated software had to be installed before the patching process could proceed. This time, such a notice never appears.
For users who elect not to have updates installed automatically, the issue of consent is crucial. Microsoft has apparently decided, however, that it doesn't need permission to patch Windows Updates files, even if you've set your preferences to require it.
Microsoft provides no tech information — yet
To make matters even stranger, a search on Microsoft's Web site reveals no information at all on the stealth updates. Let's say you wished to voluntarily download and install the new WU executable files when you were, for example, reinstalling a system. You'd be hard-pressed to find the updated files in order to download them. At this writing, you either get a stealth install or nothing.
A few Web forums have already started to discuss the updated files, which bear the version number 7.0.6000.381. The only explanation found at Microsoft's site comes from a user identified as Dean-Dean on a Microsoft Communities forum. In reply to a question, he states:
"Windows Update Software 7.0.6000.381 is an update to Windows Update itself. It is an update for both Windows XP and Windows Vista. Unless the update is installed, Windows Update won't work, at least in terms of searching for further updates. Normal use of Windows Update, in other words, is blocked until this update is installed."
Windows Secrets contributing editor Susan Bradley contacted Microsoft Partner Support about the update and received this short reply:
"7.0.6000.381 is a consumer only release that addresses some specific issues found after .374 was released. It will not be available via WSUS [Windows Server Update Services]. A standalone installer and the redist will be available soon, I will keep an eye on it and notify you when it is available."
Unfortunately, this reply does not explain why the stealth patching began with so little information provided to customers. Nor does it provide any details on the "specific issues" that the update supposedly addresses.
System logs confirm stealth installs
In his forum post, Dean-Dean names several files that are changed on XP and Vista. The patching process updates several Windows\System32 executables (with the extensions .exe, .dll, and .cpl) to version 7.0.6000.381, according to the post.
In Vista, the following files are updated:
1. wuapi.dll
2. wuapp.exe
3. wuauclt.exe
4. wuaueng.dll
5. wucltux.dll
6. wudriver.dll
7. wups.dll
8. wups2.dll
9. wuwebv.dll
In XP, the following files are updated:
1. cdm.dll
2. wuapi.dll
3. wuauclt.exe
4. wuaucpl.cpl
5. wuaueng.dll
6. wucltui.dll
7. wups.dll
8. wups2.dll
9. wuweb.dll
These files are by no means viruses, and Microsoft appears to have no malicious intent in patching them. However, writing files to a user's PC without notice (when auto-updating has been turned off) is behavior that's usually associated with hacker Web sites. The question being raised in discussion forums is, "Why is Microsoft operating in this way?"
How to check which version your PC has
If a system has been patched in the past few months, the nine executables in Windows\System32 will either show an earlier version number, 7.0.6000.374, or the stealth patch: 7.0.6000.381. (The version numbers can be seen by right-clicking a file and choosing Properties. In XP, click the Version tab and then select File Version. In Vista, click the Details tab.)
In addition, PCs that received the update will have new executables in subfolders named 7.0.6000.381 under the following folders:
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll
Users can also verify whether patching occurred by checking Windows' Event Log:
Step 1. In XP, click Start, Run.
Step 2. Type eventvwr.msc and press Enter.
Step 3. In the tree pane on the left, select System.
Step 4. The right pane displays events and several details about them. Event types such as "Installation" are labeled in the Category column. "Windows Update Agent" is the event typically listed in the Source column for system patches.
On systems that were checked recently by Windows Secrets readers, the Event Log shows two installation events on Aug. 24. The files were stealth-updated in the early morning hours. (The time stamp will vary, of course, on machines that received the patch on other dates.)
To investigate further, you can open the Event Log's properties for each event. Normally, when a Windows update event occurs, the properties dialog box shows an associated KB number, enabling you to find more information at Microsoft's Web site. Mysteriously, no KB number is given for the WU updates that began in August. The description merely reads, "Installation Successful: Windows successfully installed the following update: Automatic Updates."
No need to roll back the updated files
Again, it's important to note that there's nothing harmful about the updated files themselves. There are no reports of software conflicts and no reason to remove the files (which WU apparently needs in order to access the latest patches). The only concern is the mechanism Microsoft is using to perform its patching, and how this mechanism might be used by the software giant in the future.
I'd like to thank reader Angus Scott-Fleming for his help in researching this topic. He recommends that advanced Windows users monitor changes to their systems' Registry settings via a free program by Olivier Lombart called Tiny Watcher. Scott-Fleming will receive a gift certificate for a book, CD, or DVD of his choice for sending in a comment we printed.
I'll report further on this story when I'm able to find more information on the policies and techniques behind Windows Update's silent patches. Send me your tips on this subject via the Windows Secrets contact page.
By Scott Dunn
Microsoft has begun patching files on Windows XP and Vista without users' knowledge, even when the users have turned off auto-updates.
Many companies require testing of patches before they are widely installed, and businesses in this situation are objecting to the stealth patching.
Files changed with no notice to users
In recent days, Windows Update (WU) started altering files on users' systems without displaying any dialog box to request permission. The only files that have been reportedly altered to date are nine small executables on XP and nine on Vista that are used by WU itself. Microsoft is patching these files silently, even if auto-updates have been disabled on a particular PC.
It's surprising that these files can be changed without the user's knowledge. The Automatic Updates dialog box in the Control Panel can be set to prevent updates from being installed automatically. However, with Microsoft's latest stealth move, updates to the WU executables seem to be installed regardless of the settings — without notifying users.
When users launch Windows Update, Microsoft's online service can check the version of its executables on the PC and update them if necessary. What's unusual is that people are reporting changes in these files although WU wasn't authorized to install anything.
This isn't the first time Microsoft has pushed updates out to users who prefer to test and install their updates manually. Not long ago, another Windows component, svchost.exe, was causing problems with Windows Update, as last reported on June 21 in the Windows Secrets Newsletter. In that case, however, the Windows Update site notified users that updated software had to be installed before the patching process could proceed. This time, such a notice never appears.
For users who elect not to have updates installed automatically, the issue of consent is crucial. Microsoft has apparently decided, however, that it doesn't need permission to patch Windows Updates files, even if you've set your preferences to require it.
Microsoft provides no tech information — yet
To make matters even stranger, a search on Microsoft's Web site reveals no information at all on the stealth updates. Let's say you wished to voluntarily download and install the new WU executable files when you were, for example, reinstalling a system. You'd be hard-pressed to find the updated files in order to download them. At this writing, you either get a stealth install or nothing.
A few Web forums have already started to discuss the updated files, which bear the version number 7.0.6000.381. The only explanation found at Microsoft's site comes from a user identified as Dean-Dean on a Microsoft Communities forum. In reply to a question, he states:
"Windows Update Software 7.0.6000.381 is an update to Windows Update itself. It is an update for both Windows XP and Windows Vista. Unless the update is installed, Windows Update won't work, at least in terms of searching for further updates. Normal use of Windows Update, in other words, is blocked until this update is installed."
Windows Secrets contributing editor Susan Bradley contacted Microsoft Partner Support about the update and received this short reply:
"7.0.6000.381 is a consumer only release that addresses some specific issues found after .374 was released. It will not be available via WSUS [Windows Server Update Services]. A standalone installer and the redist will be available soon, I will keep an eye on it and notify you when it is available."
Unfortunately, this reply does not explain why the stealth patching began with so little information provided to customers. Nor does it provide any details on the "specific issues" that the update supposedly addresses.
System logs confirm stealth installs
In his forum post, Dean-Dean names several files that are changed on XP and Vista. The patching process updates several Windows\System32 executables (with the extensions .exe, .dll, and .cpl) to version 7.0.6000.381, according to the post.
In Vista, the following files are updated:
1. wuapi.dll
2. wuapp.exe
3. wuauclt.exe
4. wuaueng.dll
5. wucltux.dll
6. wudriver.dll
7. wups.dll
8. wups2.dll
9. wuwebv.dll
In XP, the following files are updated:
1. cdm.dll
2. wuapi.dll
3. wuauclt.exe
4. wuaucpl.cpl
5. wuaueng.dll
6. wucltui.dll
7. wups.dll
8. wups2.dll
9. wuweb.dll
These files are by no means viruses, and Microsoft appears to have no malicious intent in patching them. However, writing files to a user's PC without notice (when auto-updating has been turned off) is behavior that's usually associated with hacker Web sites. The question being raised in discussion forums is, "Why is Microsoft operating in this way?"
How to check which version your PC has
If a system has been patched in the past few months, the nine executables in Windows\System32 will either show an earlier version number, 7.0.6000.374, or the stealth patch: 7.0.6000.381. (The version numbers can be seen by right-clicking a file and choosing Properties. In XP, click the Version tab and then select File Version. In Vista, click the Details tab.)
In addition, PCs that received the update will have new executables in subfolders named 7.0.6000.381 under the following folders:
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll
Users can also verify whether patching occurred by checking Windows' Event Log:
Step 1. In XP, click Start, Run.
Step 2. Type eventvwr.msc and press Enter.
Step 3. In the tree pane on the left, select System.
Step 4. The right pane displays events and several details about them. Event types such as "Installation" are labeled in the Category column. "Windows Update Agent" is the event typically listed in the Source column for system patches.
On systems that were checked recently by Windows Secrets readers, the Event Log shows two installation events on Aug. 24. The files were stealth-updated in the early morning hours. (The time stamp will vary, of course, on machines that received the patch on other dates.)
To investigate further, you can open the Event Log's properties for each event. Normally, when a Windows update event occurs, the properties dialog box shows an associated KB number, enabling you to find more information at Microsoft's Web site. Mysteriously, no KB number is given for the WU updates that began in August. The description merely reads, "Installation Successful: Windows successfully installed the following update: Automatic Updates."
No need to roll back the updated files
Again, it's important to note that there's nothing harmful about the updated files themselves. There are no reports of software conflicts and no reason to remove the files (which WU apparently needs in order to access the latest patches). The only concern is the mechanism Microsoft is using to perform its patching, and how this mechanism might be used by the software giant in the future.
I'd like to thank reader Angus Scott-Fleming for his help in researching this topic. He recommends that advanced Windows users monitor changes to their systems' Registry settings via a free program by Olivier Lombart called Tiny Watcher. Scott-Fleming will receive a gift certificate for a book, CD, or DVD of his choice for sending in a comment we printed.
I'll report further on this story when I'm able to find more information on the policies and techniques behind Windows Update's silent patches. Send me your tips on this subject via the Windows Secrets contact page.
近日,微软(Microsoft)未经用户许可就开始新一轮的Windows XP、Windows Vista系统升级,就算你关闭了系统自动更新功能,也难微软的“魔掌”。许多公司都会在装系统之间测试系统补丁,他们都很不接受那种神不知鬼不觉的“秘密”打补丁的做法。对此Windows Secrets网站撰文揭开了本次微软秘密升级系统的真相。
未告知用户就升级系统
不久前,微软的系统升级服务软件Windows Update(WU)开始对用户的系统文件进行修改,但之前并没有任何用户看到请求允许的对话框出现。据说只有9个Windows XP系统可执行文件和9个Vista系统可执行文件被修改了,而这些都是WU自用文件。微软悄无声息地给这些文件打了补丁,哪怕系统自动更新功能被关闭也无法避免。
无法想象在用户不允许的情况下,这些文件是如何被更新的。我们都知道,安装系统后可以在“控制面板”里的“系统属性”中进行设置,如果需要,你可以关闭“自动更新”功能。但是从微软最近的“秘密行动”来看,系统文件更新与这一设置毫不相干,否则不可能在用户不知情的情况下进行系统升级。
![]()
在用户使用Windows Update软件时,微软在线服务就会自动监测用户电脑上可执行文件的版本,必要时会自行升级。尽管WU没有自动安装任何东西,但是这些文件也会被修改——这是很让人无法理解的地方。
大部分用户都比较乐意自己手动升级系统,但微软似乎对此不予理睬,因为这已经不是微软第一次强迫用户更新系统。不久前,Windows XP中的一个系统文件 svchost.exe 就曾给Windows Update带来不小的麻烦,后来此事在6月21日的Windows秘密通讯(Windows Secrets newsletter)中披露。尽管当时很多人对此大为不满,但至少微软已经告诉用户在执行补丁程序前要先安装升级软件。而这一次,微软一句话都没有说。
微软官网也没有相关信息
还有更奇怪的事情,在微软官方网站上找不到任何与此次系统升级有关的内容,而一些网站上已经出现了不少与本次系统升级有关的讨论,值得关注的有Microsoft Communities论坛里的一个帖子:一个名叫“Engel”的用户在8月22日发现系统下载并安装了Windows Update Software 7.0.6000.381,他没有启动自动更新,在Google里他也找不到任何证据表明这个与系统升级有关,同时他也很好奇怎么在微软官网上也没有任何相关信息。后来,一个名为“Dean-Dean”的网友回答了他的问题,概括如下:
·Windows Update Software 7.0.6000.381是Windows XP、Windows Vista系统的WU自动更新版本。除非安装了自动更新,否则Windows Update不会起作用。换言之,如果不安装系统更新,是不能使用Windows Update的。
![]()
系统记录证实微软秘密安装未知文件
在Microsoft Communities论坛里,Dean-Dean列举了几个Windows XP、Vista系统中被修改过的文件。补丁程序把数个Windows\System32可执行文件升级为“7.0.6000.381版”,其中文件的扩展名包括.exe、.dll、.cpl。
在Windows Vista系统中,以下文件被更新过:
1. wuapi.dll
2. wuapp.exe
3. wuauclt.exe
4. wuaueng.dll
5. wucltux.dll
6. wudriver.dll
7. wups.dll
8. wups2.dll
9. wuwebv.dll
在Windows XP系统中,以下文件被更新过:
1. cdm.dll
2. wuapi.dll
3. wuauclt.exe
4. wuaucpl.cpl
5. wuaueng.dll
6. wucltui.dll
7. wups.dll
8. wups2.dll
9. wuweb.dll
这些文件绝对不是病毒,微软也没有将它们视为恶意程序。但是在没有通知用户的情况下就擅自修改这些文件(自动更新功能被关闭),这跟黑客攻击网站有什么区别?在Microsoft Communities论坛里有人忍不住发帖质问:“为什么微软要这么做?”
![]()
如何检查电脑中使用何种版本
如果过去几个月内系统被打过补丁,那么Windows\System32的9个可执行文件的版本号不是7.0.6000.374,就是被偷偷打过补丁的7.0.6000.381。(右键单击文件,在属性中查看文件版本号。在XP系统中点击Version Tab,然后选择文件版本;在Vista中点击Details Tab。)
此外,系统被更新过的电脑会在子文件夹中出现几个“7.0.6000.381”可执行文件,路经是:
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll
大家可以通过事件查看器来检查自己的电脑有没有被自动打补丁,步骤如下:
1. XP系统,开始--运行
2. 输入eventvwr.msc,回车
3. 在事件查看器左边的树形结构中选择“系统(System)”
4. 之后右边会显示事件的具体信息。事件类型,如“安装(Installation)”会在“分类”中有所注明,在“来源”一栏中会出现“Windows Update Agent”以说明这是系统补丁。
8月24日,Windows Secrets的部分网友发现在系统中出现了两个“Installaion”事件。这些文件就是微软在当天早些时候悄悄安装在用户电脑中的。(当然打过补丁后,电脑的时间戳会有所变化。)
如果要进一步搞清真相,你可以打开事件查看器看看每一个事件的具体信息。一般来说,每出现一个Windows更新事件,事件查看器都会显示一个相关的KB号码,这样可以方便你在微软官网上找到更多相关信息。诡异的是,八月份开始的WU升级并没有提供任何KB号码,仅出现这么一句话:“Installation Successful: Windows successfully installed the following update: Automatic Updates.(安装成功:Windows成功安装以下更新内容:自动更新。)”
最后我们要说的是,本次系统文件自动更新并不会造成危害。目前也没有任何证据表明这次自动更新出现问题,所以也就没有必要删除更新过的文件。但我们关心的是,以后微软这个软件业巨鳄是不是还会用这种“全自动”的方式更新系统?
未告知用户就升级系统
不久前,微软的系统升级服务软件Windows Update(WU)开始对用户的系统文件进行修改,但之前并没有任何用户看到请求允许的对话框出现。据说只有9个Windows XP系统可执行文件和9个Vista系统可执行文件被修改了,而这些都是WU自用文件。微软悄无声息地给这些文件打了补丁,哪怕系统自动更新功能被关闭也无法避免。
无法想象在用户不允许的情况下,这些文件是如何被更新的。我们都知道,安装系统后可以在“控制面板”里的“系统属性”中进行设置,如果需要,你可以关闭“自动更新”功能。但是从微软最近的“秘密行动”来看,系统文件更新与这一设置毫不相干,否则不可能在用户不知情的情况下进行系统升级。
在用户使用Windows Update软件时,微软在线服务就会自动监测用户电脑上可执行文件的版本,必要时会自行升级。尽管WU没有自动安装任何东西,但是这些文件也会被修改——这是很让人无法理解的地方。
大部分用户都比较乐意自己手动升级系统,但微软似乎对此不予理睬,因为这已经不是微软第一次强迫用户更新系统。不久前,Windows XP中的一个系统文件 svchost.exe 就曾给Windows Update带来不小的麻烦,后来此事在6月21日的Windows秘密通讯(Windows Secrets newsletter)中披露。尽管当时很多人对此大为不满,但至少微软已经告诉用户在执行补丁程序前要先安装升级软件。而这一次,微软一句话都没有说。
微软官网也没有相关信息
还有更奇怪的事情,在微软官方网站上找不到任何与此次系统升级有关的内容,而一些网站上已经出现了不少与本次系统升级有关的讨论,值得关注的有Microsoft Communities论坛里的一个帖子:一个名叫“Engel”的用户在8月22日发现系统下载并安装了Windows Update Software 7.0.6000.381,他没有启动自动更新,在Google里他也找不到任何证据表明这个与系统升级有关,同时他也很好奇怎么在微软官网上也没有任何相关信息。后来,一个名为“Dean-Dean”的网友回答了他的问题,概括如下:
·Windows Update Software 7.0.6000.381是Windows XP、Windows Vista系统的WU自动更新版本。除非安装了自动更新,否则Windows Update不会起作用。换言之,如果不安装系统更新,是不能使用Windows Update的。
系统记录证实微软秘密安装未知文件
在Microsoft Communities论坛里,Dean-Dean列举了几个Windows XP、Vista系统中被修改过的文件。补丁程序把数个Windows\System32可执行文件升级为“7.0.6000.381版”,其中文件的扩展名包括.exe、.dll、.cpl。
在Windows Vista系统中,以下文件被更新过:
1. wuapi.dll
2. wuapp.exe
3. wuauclt.exe
4. wuaueng.dll
5. wucltux.dll
6. wudriver.dll
7. wups.dll
8. wups2.dll
9. wuwebv.dll
在Windows XP系统中,以下文件被更新过:
1. cdm.dll
2. wuapi.dll
3. wuauclt.exe
4. wuaucpl.cpl
5. wuaueng.dll
6. wucltui.dll
7. wups.dll
8. wups2.dll
9. wuweb.dll
这些文件绝对不是病毒,微软也没有将它们视为恶意程序。但是在没有通知用户的情况下就擅自修改这些文件(自动更新功能被关闭),这跟黑客攻击网站有什么区别?在Microsoft Communities论坛里有人忍不住发帖质问:“为什么微软要这么做?”
如何检查电脑中使用何种版本
如果过去几个月内系统被打过补丁,那么Windows\System32的9个可执行文件的版本号不是7.0.6000.374,就是被偷偷打过补丁的7.0.6000.381。(右键单击文件,在属性中查看文件版本号。在XP系统中点击Version Tab,然后选择文件版本;在Vista中点击Details Tab。)
此外,系统被更新过的电脑会在子文件夹中出现几个“7.0.6000.381”可执行文件,路经是:
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll
大家可以通过事件查看器来检查自己的电脑有没有被自动打补丁,步骤如下:
1. XP系统,开始--运行
2. 输入eventvwr.msc,回车
3. 在事件查看器左边的树形结构中选择“系统(System)”
4. 之后右边会显示事件的具体信息。事件类型,如“安装(Installation)”会在“分类”中有所注明,在“来源”一栏中会出现“Windows Update Agent”以说明这是系统补丁。
8月24日,Windows Secrets的部分网友发现在系统中出现了两个“Installaion”事件。这些文件就是微软在当天早些时候悄悄安装在用户电脑中的。(当然打过补丁后,电脑的时间戳会有所变化。)
如果要进一步搞清真相,你可以打开事件查看器看看每一个事件的具体信息。一般来说,每出现一个Windows更新事件,事件查看器都会显示一个相关的KB号码,这样可以方便你在微软官网上找到更多相关信息。诡异的是,八月份开始的WU升级并没有提供任何KB号码,仅出现这么一句话:“Installation Successful: Windows successfully installed the following update: Automatic Updates.(安装成功:Windows成功安装以下更新内容:自动更新。)”
最后我们要说的是,本次系统文件自动更新并不会造成危害。目前也没有任何证据表明这次自动更新出现问题,所以也就没有必要删除更新过的文件。但我们关心的是,以后微软这个软件业巨鳄是不是还会用这种“全自动”的方式更新系统?
因为微软在技术上不想输嘛!这还不简单!