Bill Pfeifer said:
I searched for the files, and they are in both System32 and dllcache. The
versions are the same in those directories.
All of them are also in:
C:\WINNT\$NtUninstallKB867282-IE6SP1-20050127.163319$
Browseui.dll Mshtml.dll Shdocvw.dll wininet.dll are also in:
C:\WINNT\$NtUninstallKB890923-IE6SP1-20050225.103456$
The versions in those 2 directories are all older than the ones in System32
and dllcache.
I searched for the folder "SoftwareDistribution" with no result.
Sorry for the confusion. SoftwareDistribution is a WUv5 directory.
I guess this proves my understanding about your OS.
As I wrote, I can't remember where WUv4 downloads to and installs from.
My hazy recollection is that it isn't anywhere as specific so you will either have to
widen the filter, get some better hints from somebody else, or guess and get lucky.
(I would have hoped that the update portion of the FileMon filter would at least snag
an update.exe in operation if there was one of them involved. E.g. I think I mentioned
that the filter I like to use now (for WUv5) is update;SoftwareDistribution which has the
effect of interleaving trace entries of writes to the folder with whatever logging is being
done in WindowsUpdate.log (Windows Update.log in your case.))
Hmm... speaking of getting lucky. Do you have any extra large partitions?
(I mean partitions or drives which contain more freespace other than the System partition.)
I seem to recall that WUv4 tries to download to and install from the partition
which has the most freespace. If that is a rarely used drive you could use
the drive letter (plus the colon) as a useful filter to see if that is where things
are going. Also, of course, if 867801 creates an install log it may contain
some incidental clues about where the files are coming from, which you could
then incorporate into your filter when you need to understand why the install
is repeating, etc.
Are you unsure of whether the update is just being installed or both downloaded
and installed? Could you use the AU Custom Install to do that? E.g. if you set
AU's option to be "Notify me but don't automatically download or install..."
and you get prompted that there are updates ready to be installed you would know
that the update had already been downloaded and was just waiting to be installed
(from somewhere). Only if that turned out to be the source of your loop would it really
be necessary to identify where the files had been downloaded to (e.g. using FileMon.)
BTW I just remembered some of the quirky things that used to happen to me with WUv4
which could be relevant for your case. I normally downloaded and installed updates
using AU's double prompt method. However, occasionally I did see the same
update offered more than once (i.e. I was prompted to download one I had already
installed, even several days later). In that case what I found I had to do was redownload
and reinstall the update manually using the WU site instead. That AFAIR always shut up
the extraneous prompt.
When you're downloading and installing using WU AFAIR you don't get a chance to stop
at just the download portion (which is annoying IMO because then I feel I have to be more
careful about what I have open while the download is proceeding, e.g. so what is open
doesn't interfere with what needs to be changed, even though that only really matters,
if it matters at all, when the install phase of an update is occurring.)
Contrary to what I may have come across, I'm actually pretty dumb when it comes
to the operating system. I did download and run filemon with the filtering you
suggested, but I don't know how to interpret the result.
You're doing fine.
As I mentioned above, you would have to be lucky if this filter found anything really useful
for WUv4. I would expect at least that the update portion would show you when
writes were being done to Windows Update.log and if you added iuhist you would
see any writes being done to that log too. Since you know the name of the update
you are trying to install you could tack on 867801 too. E.g. if a subdirectory is created
called that you would be able to see all the files being added under it. Etc.
Hmm... I just thought of another approach which might work better in this case
instead of filters since we really don't have any clear ideas of any patterns to use.
FileMon has some checkboxes on the bottom which apparently would allow us to focus
only on writes. You could try using an unlimited filter (e.g. an asterisk) with that.
If there were too many writes to things such as the registry, pagefile, etc. you could
use the Exclude filter to specify those and then see if what was left gave a clearer
picture of what was happening. This idea would be most useful for analysing
the download phase but could also help to some extent with the install phase too.
(E.g. though you would be able to see where the install was coming from
you would be able to see what it did.)
Pardon my ignorance, but I'm lost here.
Sorry. Ignore my ramble about other possibilities for filecheck and focus on the registry check.
RegMon is another tool from SysInternals which works similarly to FileMon.
The filter I suggested for it was Hotfix;867801 based on the information contained in
http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx
(MSN search for 867801)
Note that you have to expand
[+] Security Update Information
and
[+] Internet Explorer 6 SP1...
to find:
<quote>
You may also be able to verify the files that this security update has installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2298d453-bcae-4519-bf33-1cbf3faf1524}
</quote>
Oops. Evidently I was looking at the wrong expansion when I suggested the above filter.
So instead of Hotfix you would need to use something from that information. However,
the 867801 portion of the filter might still allow something relevant to turn up. Etc.
Good luck
Robert
---