Hiding Windows updates using the registry

Guest

Hello,

Is there a way to hide updates using the registry? I know how to do it
through Internet Explorer and Automatic Updates, but that means each computer
will have to be done individually and would take too many man hours. If we
were able to deploy a quick registry edit through our deployment software it
would be a time saver.

The reason we need this is because KB-912812 affected our clinical systems
and it needed to be removed, but of course Automatic updates will just
re-install it at a later time. So we had to disable Automatic updates and
un-install KB-912812 for the time being with two quick registry edits and
that is not a viable solution.

Any help would be appreciated.

-Thanks
 
Visit http://www.kellys-korner-xp.com/xp_tweaks.htm and scroll
down to Item No. 384.

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

 
If there are specific updates that you do not want to apply then you will
need to do them manually or implement WSUS [free] if you are using an Active
Directory domain. That way you will use an internal server that goes to
Windows Updates to download the updates and then you approve the ones that
you want to be issued to your client computers and the computers download
approved updates from the WSUS server. --- Steve

http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
 
Thank you for trying. I saw that before but it is for showing updates within
Add/Remove Programs. I need something more specific in hiding critical updates
from Automatic Updates. It may be related to cookies, but I cannot find
anything related to this. Again thanks for helping.
 
You are 100% correct, but we have not implemented a WSUS server as of yet and
I am not sure when it will be implemented. The problem is the support group
needs to deal with it in a different way than it is now, which is shutting
off Automatic Updates because there are far too many computers to manually
hide the KB-912812 patch. Plus we do not want to be vulnerable to future
attacks because Windows is not patching itself. Until that is implemented we
are trying to find an alternative solution because that dream could be a
while.

Again, Thank you for all your help.

 
Wow. That is too bad as WSUS sounds like a good solution and you have
current impetus to push for implementing it. I don't know of another
solution offhand but I suggest you post in the
Microsoft.public.windowsupdate newsgroup and post the same there saying you
can not implement WSUS currently and if a way is known to trick Windows
Updates into thinking an update has been installed by finding out what it
looks for whether it be a signed file or registry entry. --- Steve


 
Solved.

The settings are stored in "DataStore.edb" found in SoftwareDistribution/Datastore/
Database files are tricky to handle and they must be closed properly, otherwise they will be corrupt. So you have selected the updates you want to hide. Let it download all the other updates. When it's ready to install those updates, turn off the computer without installing the updates. Start up again, pressing F8 to enter Safe Mode, and copy that file to another location (Windows Update doesn't run in Safe Mode). Now you have the golden file, which you have to put onto each system while Windows Update is off. Probably the most intelligent solution would be a RunOnce script put on an nLite XP ISO.

for /f "tokens=3 delims=\:" %%k in ('reg query hklm\system\mounteddevices^') do if exist %%k:\$OEM$\Fixes.exe set CDROM=%%k
set Fixes="%CDROM%:\$OEM$\Fixes.exe"

:: Fixes
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Installing Prerequisites..." /t REG_SZ /d %Fixes% /f

Where Fixes.exe refers to an SFX which extracts said file that you backed up to overwrite the original file, but since RunOnce happens before Windows Update loads it's OK. The problem is you may experience Windows Update issues, so you should integrate into the SFX, and execute after extraction, the following script:

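:: Stop Automatic Updates and set aside its download cache
net stop wuauserv
:: /d also switches drive if the current drive is not the system drive
cd /d "%systemroot%\SoftwareDistribution"
ren Download Download.old
net start wuauserv
:: Restart BITS
net stop bits
net start bits
:: Stop Cryptographic Services and set aside the catalog database
net stop cryptsvc
cd /d "%systemroot%\system32"
ren catroot2 catroot2old
net start cryptsvc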

DarkReverser
Supreme Master of XP
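
As an added example (not part of any post in this thread): the Windows Update Agent exposes each update's hidden flag through its COM API, so hiding KB-912812 can be scripted and pushed by deployment software while Automatic Updates stays on. The parameter names, output fields and exit codes are this example's own choices.

```powershell
# Added example, not from the thread. Run elevated on each client.
# Exit code 0 means the hidden flag was changed on at least one matching update.
param(
    [string]$KbId = '912812',  # KB number named in the thread
    [switch]$Unhide            # clear the hidden flag again once the conflict is fixed
)

$wantHidden = -not $Unhide
# Search only not-installed updates whose hidden flag still has to change.
if ($Unhide) { $criteria = 'IsInstalled=0 and IsHidden=1' }
else         { $criteria = 'IsInstalled=0 and IsHidden=0' }

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$found    = $searcher.Search($criteria).Updates

$changed = 0
foreach ($update in $found) {
    # An update can list several KB article IDs; match on any of them.
    $match = $false
    foreach ($id in $update.KBArticleIDs) {
        if ($id -eq $KbId) { $match = $true }
    }
    if (-not $match) { continue }

    try {
        $update.IsHidden = $wantHidden   # IUpdate.IsHidden is read/write
        $changed++
        $status = 'ok'
    } catch {
        $status = "failed: $($_.Exception.Message)"
    }
    # One record per matching update, so the exception to patching stays tracked.
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        KB       = "KB$KbId"
        Title    = $update.Title
        IsHidden = $update.IsHidden
        Status   = $status
    }
}

if ($changed -eq 0) {
    Write-Warning "KB${KbId}: no matching update changed on $env:COMPUTERNAME"
    exit 1
}
exit 0
```

Running the same script with `-Unhide` makes the update eligible for installation again.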
 