Why does wuauclt.exe run at startup?

John Corliss

I'm running XP Home SP2 and my system is configured so that I don't use
automatic update. I don't even have the icon in the tray or allow my
system to check for available updates. Instead, I prefer to periodically
check for updates myself and install them when they're available.

I don't like anything happening to my computer without my say-so.

What I've noticed is that in spite of my desire that Windows Update not
run automatically, the wuauclt service starts anyway, about 30 seconds
after login. I notice that this process doesn't show in the standard
Task Manager but *does* show when I run Sysinternals' "Process Explorer"
(note that Microsoft bought Sysinternals out recently.)

The process runs for a while and then quietly goes away.

What is this process doing? Is it trying to call home for some reason?
<paranoia>Is it alerting Microsoft that I'm online so that they can hook
me into some kind of "supercomputer" array and steal processing
cycles?</paranoia>

My understanding is that I can't block it with my firewall if I want to
be able to install updates.

So again, can anybody explain why wuauclt.exe runs at startup even
though I have tried to configure my computer so that it doesn't?
 
NewScience

If you use an application called FileMon, www.sysinternals.com, you would
see that it is checking your system and verifying that all updates
downloaded have been installed. If some updates have been downloaded on
last session, but have not been installed yet, WUAUCLT.exe, will display the
Update Shield in the System Tray and prompt for installation.

If a download was interrupted on last session, it tries to detect if there
is a current network connection, in order to finish the download(s).

Microsoft is slowly moving the entire network operations of the OS to
DSL/Cable/... - in other words - non-dialup. This is causing major problems
for the many people out there still operating with a dial-up modem card,
since the underlying network operations is slowly removing the detection of
a close network connection.

Under DSL/Cable,... you don't have to worry about Close on Last Connection,
since there is none.
 
John Corliss

Thanks for that info.

Two things I'd like to mention though:

1. I have (as I mentioned) autoupdate turned off. Thus, checking to see
if an update has been installed is not necessary. Besides, when you go
to the Microsoft update site, the process is "download and install", not
"download and install later", unless I'm missing something.

2. On my system, I have created a power switch for the cable modem (a
Motorola Surfboard) so that I can turn it off whenever I like. There's
something about cable modems not (usually) having an on-off switch that
I find Orwellianly 1984ish in the extreme. I'm aware that the modem has
a panic button on the top that allows me to go offline instantly, but
the modem is still powered up. Since I didn't design and build the
thing, I have no way of knowing if certain inbound connections are
severed. However, when I turn that modem's power off, there is
absolutely NO WAY that I'm online!

NewScience said:
If you use an application called FileMon, www.sysinternals.com, you would
see that it is checking your system and verifying that all updates
downloaded have been installed. If some updates have been downloaded on
last session, but have not been installed yet, WUAUCLT.exe, will display the
Update Shield in the System Tray and prompt for installation.

If a download was interrupted on last session, it tries to detect if there
is a current network connection, in order to finish the download(s).

So why does it stay on so long once it detects that there's no download
to finish? In fact, why should it try to detect a connection if it
determines that there is no incomplete download?

Naw, this whole thing stinks to high heaven to me.

NewScience said:
Microsoft is slowly moving the entire network operations of the OS to
DSL/Cable/... - in other words - non-dialup. This is causing major problems
for the many people out there still operating with a dial-up modem card,
since the underlying network operations is slowly removing the detection of
a close network connection.

Under DSL/Cable,... you don't have to worry about Close on Last Connection,
since there is none.

I loathe the fact that I'm forced to have to install networking software
on my *single-user, non-LAN home computer*. It's bloat that just opens
the door for security and performance problems.
 
John Corliss

No. Why?

PA said:
Got Defender?

John said:
I'm running XP Home SP2 and my system is configured so that I don't use
automatic update. I don't even have the icon in the tray or allow my
system to check for available updates. Instead, I prefer to periodically
check for updates myself and install them when they're available.

I don't like anything happening to my computer without my say-so.

What I've noticed is that in spite of my desire that Windows Update not
run automatically, the wuauclt service starts anyway, about 30 seconds
after login. I notice that this process doesn't show in the standard
Task Manager but *does* show when I run Sysinternals' "Process Explorer"
(note that Microsoft bought Sysinternals out recently.)

The process runs for a while and then quietly goes away.

What is this process doing? Is it trying to call home for some reason?
<paranoia>Is it alerting Microsoft that I'm online so that they can hook
me into some kind of "supercomputer" array and steal processing
cycles?</paranoia>

My understanding is that I can't block it with my firewall if I want to
be able to install updates.

So again, can anybody explain why wuauclt.exe runs at startup even
though I have tried to configure my computer so that it doesn't?
 
R. McCarty

Unless you set the System Service "Automatic Updates" to disabled,
then the SVCHost instance Netsvcs will load/execute Wuauserv at boot.
This will in turn call Wuauclt.Exe.
 
Rock

John said:
What I've noticed is that in spite of my desire that Windows Update not
run automatically, the wuauclt service starts anyway, about 30 seconds
after login.

What is this process doing? Is it trying to call home for some reason?
<paranoia>Is it alerting Microsoft that I'm online so that they can hook
me into some kind of "supercomputer" array and steal processing
cycles?</paranoia>

<major paranoia>Who else might it be alerting, eh?<major paranoia>
 
Rock

John said:
2. On my system, I have created a power switch for the cable modem (a
Motorola Surfboard) so that I can turn it off whenever I like. There's
something about cable modems not (usually) having an on-off switch that I
find Orwellianly 1984ish in the extreme. I'm aware that the modem has a
panic button on the top that allows me to go offline instantly, but the
modem is still powered up. Since I didn't design and build the thing, I
have no way of knowing if certain inbound connections are severed.
However, when I turn that modem's power off, there is absolutely NO WAY
that I'm online!

How do you know it doesn't have an internal power source that kicks in when
you turn off the line power, which also starts a hidden video camera to
record all your actions and transmit that along with computer activities, to
someone, somewhere, on the net?
 
NewScience

1. As posted later in post, unless you turn off Automatic Updates AND BITS
in SERVICES.MSC, you are not completely disabling Windows Update. And if
you install Windows Defender, it will auto check for updates (if you set it
up to do that). Also Windows Live Toolbar, and Messenger.

2. Nice on your modem, but that doesn't help the X number of million people
who still operate using internal 56K modems. Plus I'm from the old school
.... I like software to work as designed.
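
Added example (not part of any poster's message): a Windows PowerShell check of what R. McCarty and NewScience describe, reporting the start mode of the Automatic Updates (wuauserv) and BITS services and, if wuauclt.exe is running, which process launched it. The function names are made up for this example, and it assumes WMI access through Get-WmiObject.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell with WMI access.
# 'wuauserv' (Automatic Updates) and 'BITS' are the services named in the posts.
function Get-UpdateServiceAudit {
    foreach ($name in 'wuauserv', 'BITS') {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            New-Object PSObject -Property @{
                Service = $name; StartMode = 'absent'; State = 'n/a'; HostPid = 0
            }
            continue
        }
        # StartMode is Auto, Manual or Disabled. Per the thread, anything other
        # than Disabled still lets the netsvcs svchost instance load the service.
        New-Object PSObject -Property @{
            Service   = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            HostPid   = $svc.ProcessId
        }
    }
}

function Get-WuaucltParent {
    # Empty result means wuauclt.exe is not running right now.
    $clients = @(Get-WmiObject -Class Win32_Process -Filter "Name='wuauclt.exe'")
    foreach ($p in $clients) {
        $ppid   = $p.ParentProcessId
        $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$ppid"
        $parentName = '(exited)'
        if ($parent) { $parentName = $parent.Name }
        # Services hosted inside the parent process, e.g. a shared svchost.exe.
        $hosted = @(Get-WmiObject -Class Win32_Service -Filter "ProcessId=$ppid" |
            ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            ProcessId      = $p.ProcessId
            CommandLine    = $p.CommandLine
            ParentPid      = $ppid
            ParentName     = $parentName
            ParentServices = ($hosted -join ', ')
        }
    }
}

Get-UpdateServiceAudit | Format-Table Service, StartMode, State, HostPid -AutoSize
Get-WuaucltParent      | Format-List
```

If wuauclt.exe appears with svchost.exe as its parent and wuauserv among the parent's services, the launch came from the service rather than from a logon startup entry.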
 
John Corliss

Rock said:
How do you know it doesn't have an internal power source that kicks in
when you turn off the line power, which also starts a hidden video
camera to record all your actions and transmit that along with computer
activities, to someone, somewhere, on the net?

Good point. 80p>
 
John Corliss

Many thanks for replying.

What I've done at this point is to simply temporarily rename the
C:\WINDOWS\system32\wuauclt.exe file to C:\WINDOWS\system32\wuauclt.exebak.

As a result, it doesn't run at startup and when I need updates, I'll
temporarily rename it back to what it was.

Now that you mention BITS though, that service seems like a target which
is ripe for exploitation by hackers. And it always seems to be running
on my system. Really don't like that at all.

I don't use Windows Defender, so not a problem. I have third-party
browser extensions, install on demand (both by Internet Explorer and by
Others) and installation of desktop items disabled in Internet Options
and wouldn't dream of ever enabling any of them. Thus, no toolbars. In
fact, I don't even use IE unless I'm updating. Also have disabled and
have completely removed Windows Messenger.
 
John Corliss

Thanks for that info. Seems like reenabling that service would be easier
than the other method I just started using, which is to temporarily
rename the Wuauclt.Exe file.
 
John Corliss

Rock said:
<major paranoia>Who else might it be alerting, eh?<major paranoia>

Why, Fatherland Security, of course. 80p>

To be serious though, I really wish that all the networking software
built into XP was optional. I'm not on a LAN (single-user, non LAN, home
computer) and IMO having that stuff built into the OS is a major source
of security issues. It's also bloat and IMO slows down the OS.
 
NewScience

By turning off Automatic Updates and BITS ... that should be enough to
disable wuauclt.exe.

Instead of renaming back/forth, you could just turn-off the Execution
permission bits (Security) for all types of users (Administrators, Users,
Power Users, SYSTEM, ...).
 
PA Bear

'Cos Defender auto-updates via, er..., Automatic Updates.

Options in several third-party applications can disallow such changes (i.e.,
you change it but the new setting doesn't "stick"). These include Ad-aware's
Ad-Watch, Spybot Tea Timer, SpywareBlaster, SpySweeper, Norton AntiVirus,
McAfee VirusScan and/or Antispyware, and Zone Alarm (Free and Pro).
 
Asher_N

John said:
Thanks for that info.

Two things I'd like to mention though:

1. I have (as I mentioned) autoupdate turned off. Thus, checking to
see if an update has been installed is not necessary. Besides, when
you go to the Microsoft update site, the process is "download and
install", not "download and install later", unless I'm missing
something.

You are missing something. It's making sure that a) the last update
session finished downloading everything, and b) that everything that was
downloaded was indeed installed.

What happens if your connection goes down in the middle of an update?

Plus, wuauclt is more than auto update. It needs to start to see the
status of the auto-update switch and to see if there is an alternate
source for updates. I use WSUS. Auto-update is turned off, but wuauclt
still checks, sees that updates need to come from WSUS and then checks
with it.
 
