off topic - Automatic Updates SVCHost.exe Problem and Wuauclt.exe

  • General discussion

  • Hello

    Ok, I've done some research and have broken every svchost process into their own process. And over the course of 4 days one svchost process stuck out. Of course it was running the Windows Automatic Updates but the process potential grows. There are roughly 500 computers in our environment that this is happening on and we have our policies set to look for updates every 3 hours. I know Windows by default goes out every 22 hours. So over the course of 4 days the svchost process for automatic updates is now sitting around 92 MB and the wuauclt.exe process is sitting at 46 MB. So every 3 hours these files grow. Is there anything that can be done besides reducing the time for looking for new updates and disabling updates? Also, when did this problem with Windows start? Thanks in advance for any help.

    Monday, March 26, 2007 1:43 PM

All replies

  • I have to assume that you aren't talking about Windows Live OneCare, so this question should really be posed in the XP newsgroups. There's also a Windows Update newsgroup that may be helpful. You're off topic for this forum. Public newsgroups:

    http://www.microsoft.com/communities/newsgroups/default.mspx

    -steve

    Monday, March 26, 2007 3:34 PM
    Moderator
  • all the XP newsgroups/forums on this topic have been pulled.  Yet it's a real problem. Greg
    Wednesday, April 25, 2007 1:01 PM
  •  gmayer0 wrote:
    all the XP newsgroups/forums on this topic have been pulled.  Yet it's a real problem. Greg

     

    The Windows Update newsgroup is here: http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?dg=microsoft.public.windowsupdate&lang=en&cr=US

    Nobody pulls posts from the newsgroups unless they are spam.

    -steve

    Wednesday, April 25, 2007 1:53 PM
    Moderator
  •  

    I found the answer in the microsoft forums: an MVP moved it to the top but I want to make sure you find it too!

     

    i turned off automatic updates: restarted: went to windowsupdate.microsoft.com choose CHANGE SETTINGS and at the bottom GET OFF MICROSOFT UPDATE; CHOOSE Windows update (the old way) 

     

    do your updates that way till you're fully patched.

     

    (at the time of this posting: i haven't turned automatic updates back on: but background intelligent updater service is on)

     

    please try this and if you find a solution that works for you: please post it back to the forums! it really helps all of us!

    Wednesday, May 9, 2007 3:13 PM
  • This is what I did to fix the problem.  I haven't pushed in a gpo script yet, but will soon.

     

    http://www.fugnut.com

     

     

    Friday, June 1, 2007 6:54 PM
  • I found the www.fugnut.com material very useful and I plan on installing the KB patch from Microsoft.

     

    I was having a similar problem, and I was getting various pop-up errors during startup of the form:

     

    "The instruction 0x7c911e58 referenced memory at 0x544f4f52.  The memory could not be read."

    "The instruction 0x7c910de3 referenced memory at 0xfffffffff8.  The memory could not be read."

    "The instruction 0x7c901010 referenced memory at 0x8000000001e.  The memory could not be read."

    "The instruction 0x7c901010 referenced memory at 0x000000003b.  The memory could not be read."

    "The instruction 0x7c91847c referenced memory at 0xfffffffff8.  The memory could not be read."

     

    and others.

     

    I went searching for more information on the web about the problem, and the results pointed to the possibility that a trojan had slipped through my existing protection (Norton Internet Security 2007 + router security).

    http://www.file.net/process/wuauclt.exe.html

     

    The wuauclt.exe file sizes described in the URL above did NOT match my size 53,080 bytes.  The wuauclt.exe file I had also had no icon associated with it.  The suspect file also had a modification date of 4/16/2007 at 10:45:20 PM.  It had a version number of 7.00.6000.374.  The file was located in the C:\Windows\System32 folder, and C:\Windows\System32\dllcache folder.  The company name was Microsoft, but that could be easily spoofed.

     

    This URL mentions on the bottom of the page that some malware camouflage themselves as wuauclt.exe, particularly if they are located in c:\windows or c:\windows\system32 folder. 

     

    The other symptom that I had was that whenever the illegal memory reference errors mentioned above occurred, wuauclt.exe was running as a child of svchost.exe.  If I clicked the button to terminate the process, Windows XP Pro became unstable, and would eventually hang.  If I left the error window open and did not try to terminate or debug the process, Windows XP Pro would continue, but impaired.  My login often causes Norton LiveUpdate to start to update the a/v files, and these processes took much longer times to complete ... yet the wuauclt.exe process was not consuming CPU.

     

    I rebooted into safe mode and tried to turn off Windows automatic updates.  The control panel app showed that automatic updates were off.  I rebooted into normal mode, and (the fake) wuauclt.exe process would still launch.

     

    Interesting note:  Norton Internet Security generates a warning alert if Windows Automatic Updates are disabled ... and NIS in this instance said all was well.  This was obviously incorrect.

     

    I went back into my backups.  I use multiple partitions and do partition-to-partition backup. 

     

    Other than the suspect version, the next most recent version I found had a file size of 124,184 and a modification date of 5/26/2005.  The version number was 5.8.0.2469. The file size matched one of the known file sizes reported in http://www.file.net/process/wuauclt.exe.html

     

    My 5/5 backup was clean.  All backups after 5/12 were bad.  The problem had occurred between those times.

     

    Searching for other versions of wuauclt.exe, I found 2 additional copies.  These were in the folders:

    \WINDOWS\ServicePackFiles\i386      file size 111,104 bytes, modification time August 04, 2004, 12:56:58 AM (with icon)

    WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989 (same specs)

     

    I booted to safe mode, and carefully renamed the suspect wuauclt.exe file in Windows\System32 and \Windows\System32\dllcache.  I then copied the clean version from my 5/5 backup into both folders and rebooted into normal mode.

     

    Upon coming up in normal mode, I received no illegal memory reference error pop-ups.  Norton Internet Security immediately reported that Windows automatic updates were disabled, which was correct.  No processes seemed to be looping in the background, and wuauclt.exe was NOT running.  All looked well.

     

    I re-enabled automatic updates, and then did a manual Windows update.  The Windows update wizard said that I first needed to download and install the latest version of Windows updating software.   I held my breath and tried it.

     

    It downloaded the 4/17/2007 version that was problematic, with a file size of 53,080 bytes.  This file also did not have an icon. The Windows Update site said that it also "registered" the program.   I compared the just updated file with the renamed one, and they were exactly the same.

     

    I won't know the results until I reboot.  Perhaps the "registration" of the new wuauclt.exe program will make a difference.  I will post the conclusion in a few minutes after I reboot.  If the problem persists, I will try the Microsoft hotfix download referenced in www.fugnut.com.

     

    ...to be continued....

     

     

     

    Saturday, June 2, 2007 4:00 AM
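
The post above judges wuauclt.exe by file size, icon, version and company name, and notes that the company name is easily spoofed. As an added example that is not part of the original post, this PowerShell sketch inventories the copies in the folders the post names and checks the Authenticode signature and SHA-256 of each; it assumes PowerShell 4.0 or later, and the folder list is taken from the post.

```powershell
# Added example: inventory every copy of wuauclt.exe and separate what an
# attacker can forge (size, version resource) from what is cryptographically checked.
$roots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\dllcache",
    "$env:SystemRoot\ServicePackFiles\i386",
    "$env:SystemRoot\SoftwareDistribution\Download"
)

# Collect every copy under the folders that exist on this machine.
$copies = foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Filter 'wuauclt.exe' -Recurse -File -ErrorAction SilentlyContinue
    }
}

$report = foreach ($file in $copies) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    [pscustomobject]@{
        Path        = $file.FullName
        Size        = $file.Length
        Modified    = $file.LastWriteTime
        FileVersion = $file.VersionInfo.FileVersion   # version resource: forgeable
        CompanyName = $file.VersionInfo.CompanyName   # version resource: forgeable
        SigStatus   = $sig.Status                     # 'Valid' means the signature verified and chains to a trusted root
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256      = $hash.Hash
    }
}

# Full inventory, one record per copy.
$report | Format-List

# Copies sharing a hash are byte-identical (the "exactly the same" comparison in the post).
$report | Group-Object SHA256 | ForEach-Object {
    "{0} copies with SHA256 {1}" -f $_.Count, $_.Name
    $_.Group | ForEach-Object { "    $($_.Path)" }
}

# Copies that need a closer look: signature not valid, or signer is not Microsoft.
$report |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Select-Object Path, SigStatus, Signer
```

Many Windows system binaries are catalog-signed rather than carrying an embedded signature, and older PowerShell versions report those as NotSigned, so a NotSigned result there calls for a second check rather than proving tampering.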
  • Continuing on...

     

    Sorry for the delay.  We had some severe thunderstorms and I lost my cable broadband connection.

     

    Everything looks OK.  The problematic version of wuauclt.exe that was reinstalled by Windows update is NOT causing problems.  It looks like the re-update and the "registration" done by the Windows update wizard worked.  I don't know exactly what the "registration" for wuauclt.exe comprises ... but I am stable.

     

    Please see my previous post for the details of the troubleshooting that was done before.

     

    If the problem should re-occur, I know I can boot to safe mode and replace the wuauclt.exe file in Windows/System32 and /Windows/System32/dllcache with the previous version.  Then I would follow the Microsoft hotfix download and msi installer update discussed in www.fugnut.com.  I have downloaded the Microsoft install files and am ready, if needed.

     

    The URLs for the Microsoft fixes follow, for those of you who need them.  In my case, since I am now stable, I will NOT install the Microsoft Hotfix until it is released via normal procedures which involves larger amounts of regression testing.  According to the KB article, the fixes will be released as part of the normal Windows Update by June 30.  For us who were having difficulties, that is a long time to wait.

     

    These solutions are very recent.  They were posted on May 22.

     

    The Microsoft solution is 2 part.  You need to update the MSI component first, then install the hotfix for wuauclt.exe (which requires the updated MSI component).

     

    Here are the Microsoft links.

     

    KB Article 932494

    When you use Automatic Updates to scan for updates or to apply updates to applications that use Windows Installer, you experience issues that involve the Svchost.exe process.

     

    http://support.microsoft.com/kb/932494/en-us

     

    KB Article 927891

     You receive an access violation error and the system may appear to become unresponsive when you try to install an update from Windows Update or from Microsoft Update.

     

    http://support.microsoft.com/default.aspx/kb/927891

     

    Good luck to you all.  Hopefully this post will help you avoid the hours of troubleshooting that I and the others on this thread went through. 

     

     

     

     

     

     

    Sunday, June 3, 2007 2:40 AM
  • Thanks for the detailed information, David1253.

    -steve

    Monday, June 4, 2007 1:13 AM
    Moderator
  • Currently my wuauclt.exe is the 53,080 version but my firewall caught it attempting to connect to two ip addresses, the first one belongs to akamai.net which since akamai does electronic software delivery is possibly a legitimate connection... the other ip belonged to Level 3 Communications, Inc which is a major backbone provider... but it seems odd to me that a microsoft updater would instead of connecting to microsoft tries to connect to two other companies first when checking for updates... the most mysterious aspect of this is that the time these connections were triggered was when the computer screensaver was loaded...  not when the computer was rebooted, but exactly when the screensaver loaded.... i have had no real problems with the automatic updater, or anything, and it does not constantly run... and the file size and location are referenced as being legitimate sizes/locations for most people.

     

    btw, the reason my firewall blocked these connections was because the wuauclt.exe attempted to use svchost.exe to make its connection to the internet.  i have McAfee security suite, as well as comodo's products loaded and neither of them detect my file as being a trojan, still i wonder why automatic updates go through 3rd party webservers...

    Wednesday, August 29, 2007 4:55 PM
  • Check out http://www.winforumz.com/windows/modules.php?name=Forums&file=viewtopic&p=2495873

     

    It seems that the reader_sl process can also cause svchost.exe to hang.

    Friday, February 22, 2008 1:06 AM